* [PATCH 5.10 000/783] 5.10.163-rc1 review
@ 2023-01-12 13:45 Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 001/783] usb: musb: remove extra check in musb_gadget_vbus_draw Greg Kroah-Hartman
` (792 more replies)
0 siblings, 793 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow
This is the start of the stable review cycle for the 5.10.163 release.
There are 783 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.163-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 5.10.163-rc1
Paolo Abeni <pabeni@redhat.com>
net/ulp: prevent ULP without clone op from entering the LISTEN status
Frederick Lawler <fred@cloudflare.com>
net: sched: disallow noqueue for qdisc classes
Mat Martineau <mathew.j.martineau@linux.intel.com>
mptcp: use proper req destructor for IPv6
Mat Martineau <mathew.j.martineau@linux.intel.com>
mptcp: dedicated request sock for subflow in v6
Mat Martineau <mathew.j.martineau@linux.intel.com>
mptcp: remove MPTCP 'ifdef' in TCP SYN cookies
Mat Martineau <mathew.j.martineau@linux.intel.com>
mptcp: mark ops structures as ro_after_init
Rasmus Villemoes <linux@rasmusvillemoes.dk>
serial: fixup backport of "serial: Deassert Transmit Enable on probe in driver-specific way"
Indan Zupancic <Indan.Zupancic@mep-info.com>
fsl_lpuart: Don't enable interrupts too early
Eric Biggers <ebiggers@google.com>
ext4: don't set up encryption key during jbd2 transaction
Eric Biggers <ebiggers@google.com>
ext4: disable fast-commit of encrypted dir operations
Helge Deller <deller@gmx.de>
parisc: Align parisc MADV_XXX constants with all other architectures
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
io_uring: Fix unsigned 'res' comparison with zero in io_fixup_rw_res()
Ard Biesheuvel <ardb@kernel.org>
efi: random: combine bootloader provided RNG seed with RNG protocol output
Jan Kara <jack@suse.cz>
mbcache: Avoid nesting of cache->c_list_lock under bit locks
Linus Torvalds <torvalds@linux-foundation.org>
hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
Arnd Bergmann <arnd@arndb.de>
hfs/hfsplus: use WARN_ON for sanity check
Muhammad Usama Anjum <usama.anjum@collabora.com>
selftests: set the BUILD variable to absolute path
Eric Biggers <ebiggers@google.com>
ext4: don't allow journal inode to have encrypt flag
Zhenyu Wang <zhenyuw@linux.intel.com>
drm/i915/gvt: fix vgpu debugfs clean in remove
Zhenyu Wang <zhenyuw@linux.intel.com>
drm/i915/gvt: fix gvt debugfs destroy
Ben Dooks <ben-linux@fluff.org>
riscv: uaccess: fix type of 0 variable on error in get_user()
Paul Menzel <pmenzel@molgen.mpg.de>
fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB
Jeff Layton <jlayton@kernel.org>
nfsd: fix handling of readdir in v4root vs. mount upcall timeout
Rodrigo Branco <bsdaemon@google.com>
x86/bugs: Flush IBP in ib_prctl_set()
Yanjun Zhang <zhangyanjun@cestc.cn>
nvme: fix multipath crash caused by flush request when blktrace is enabled
Hans de Goede <hdegoede@redhat.com>
ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet
Jan Kara <jack@suse.cz>
udf: Fix extension of the last extent in the file
Zhengchao Shao <shaozhengchao@huawei.com>
caif: fix memory leak in cfctrl_linkup_request()
Dan Carpenter <error27@gmail.com>
drm/i915: unpin on error in intel_vgpu_shadow_mm_pin()
Szymon Heidrich <szymon.heidrich@gmail.com>
usb: rndis_host: Secure rndis_query check against int overflow
Daniil Tatianin <d-tatianin@yandex-team.ru>
drivers/net/bonding/bond_3ad: return when there's no aggregator
Miaoqian Lin <linmq006@gmail.com>
perf tools: Fix resources leak in perf_data__open_dir()
Jozsef Kadlecsik <kadlec@netfilter.org>
netfilter: ipset: Rework long task execution when adding/deleting entries
Jozsef Kadlecsik <kadlec@netfilter.org>
netfilter: ipset: fix hash:net,port,net hang with /0 subnet
Jamal Hadi Salim <jhs@mojatatu.com>
net: sched: cbq: dont intepret cls results when asked to drop
Jamal Hadi Salim <jhs@mojatatu.com>
net: sched: atm: dont intepret cls results when asked to drop
Miaoqian Lin <linmq006@gmail.com>
gpio: sifive: Fix refcount leak in sifive_gpio_probe
Xiubo Li <xiubli@redhat.com>
ceph: switch to vfs_inode_has_locks() to fix file lock bug
Jeff Layton <jlayton@kernel.org>
filelock: new helper: vfs_inode_has_locks
Carlo Caione <ccaione@baylibre.com>
drm/meson: Reduce the FIFO lines held when AFBC is not used
Maor Gottlieb <maorg@nvidia.com>
RDMA/mlx5: Fix validation of max_rd_atomic caps for DC
Miaoqian Lin <linmq006@gmail.com>
net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe
Jiguang Xiao <jiguang.xiao@windriver.com>
net: amd-xgbe: add missed tasklet_kill
Adham Faris <afaris@nvidia.com>
net/mlx5e: Fix hw mtu initializing at XDP SQ allocation
Dragos Tatulea <dtatulea@nvidia.com>
net/mlx5e: IPoIB, Don't allow CQE compression to be turned on by default
Shay Drory <shayd@nvidia.com>
net/mlx5: Avoid recovery in probe flows
Jiri Pirko <jiri@nvidia.com>
net/mlx5: Add forgotten cleanup calls into mlx5_init_once() error path
Stefano Garzarella <sgarzare@redhat.com>
vhost: fix range used in translate_desc()
Stefano Garzarella <sgarzare@redhat.com>
vringh: fix range used in iotlb_translate()
Yuan Can <yuancan@huawei.com>
vhost/vsock: Fix error handling in vhost_vsock_init()
Miaoqian Lin <linmq006@gmail.com>
nfc: Fix potential resource leaks
Daniil Tatianin <d-tatianin@yandex-team.ru>
qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure
Hawkins Jiawei <yin31149@gmail.com>
net: sched: fix memory leak in tcindex_set_parms
Jie Wang <wangjie125@huawei.com>
net: hns3: add interrupts re-initialization while doing VF FLR
Jeff Layton <jlayton@kernel.org>
nfsd: shut down the NFSv4 state objects before the filecache
Shawn Bohrer <sbohrer@cloudflare.com>
veth: Fix race with AF_XDP exposing old or uninitialized descriptors
Ronak Doshi <doshir@vmware.com>
vmxnet3: correctly report csum_level for encapsulated packet
Steven Price <steven.price@arm.com>
drm/panfrost: Fix GEM handle creation ref-counting
Jakub Kicinski <kuba@kernel.org>
bpf: pull before calling skb_postpull_rcsum()
minoura makoto <minoura@valinux.co.jp>
SUNRPC: ensure the matching upcall is in-flight upon downcall
Jan Kara <jack@suse.cz>
ext4: fix deadlock due to mbcache entry corruption
Jan Kara <jack@suse.cz>
mbcache: automatically delete entries from cache on freeing
Jan Kara <jack@suse.cz>
ext4: fix race when reusing xattr blocks
Jan Kara <jack@suse.cz>
ext4: unindent codeblock in ext4_xattr_block_set()
Jan Kara <jack@suse.cz>
ext4: remove EA inode entry from mbcache on inode eviction
Jan Kara <jack@suse.cz>
mbcache: add functions to delete entry if unused
Jan Kara <jack@suse.cz>
mbcache: don't reclaim used entries
Shuqi Zhang <zhangshuqi3@huawei.com>
ext4: use kmemdup() to replace kmalloc + memcpy
Eric Biggers <ebiggers@google.com>
ext4: fix leaking uninitialized memory in fast-commit journal
Bhaskar Chowdhury <unixbhaskar@gmail.com>
ext4: fix various seppling typos
Jan Kara <jack@suse.cz>
ext4: simplify ext4 error translation
Jan Kara <jack@suse.cz>
ext4: move functions in super.c
Alexander Potapenko <glider@google.com>
fs: ext4: initialize fsdata in pagecache_write()
Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
ext4: use memcpy_to_page() in pagecache_write()
Ira Weiny <ira.weiny@intel.com>
mm/highmem: Lift memcpy_[to|from]_page to core
Baokun Li <libaokun1@huawei.com>
ext4: correct inconsistent error msg in nojournal mode
Jason Yan <yanaijie@huawei.com>
ext4: goto right label 'failed_mount3a'
Guo Ren <guoren@linux.alibaba.com>
riscv: stacktrace: Fixup ftrace_graph_ret_addr retp argument
Chen Huang <chenhuang5@huawei.com>
riscv/stacktrace: Fix stack output without ra on the stack top
Biju Das <biju.das.jz@bp.renesas.com>
ravb: Fix "failed to switch device to config mode" message during unbind
Luca Ceresoli <luca.ceresoli@bootlin.com>
staging: media: tegra-video: fix device_node use after free
Masami Hiramatsu (Google) <mhiramat@kernel.org>
x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK
Borislav Petkov <bp@suse.de>
x86/kprobes: Convert to insn_decode()
Masami Hiramatsu (Google) <mhiramat@kernel.org>
perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data
Masami Hiramatsu (Google) <mhiramat@kernel.org>
perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor
Smitha T Murthy <smitha.t@samsung.com>
media: s5p-mfc: Fix in register read and write for H264
Smitha T Murthy <smitha.t@samsung.com>
media: s5p-mfc: Clear workbit to handle error condition
Smitha T Murthy <smitha.t@samsung.com>
media: s5p-mfc: Fix to handle reference queue during finishing
Yazen Ghannam <yazen.ghannam@amd.com>
x86/MCE/AMD: Clear DFR errors found in THR handler
Borislav Petkov <bp@suse.de>
x86/mce: Get rid of msr_ops
Sasha Levin <sashal@kernel.org>
btrfs: replace strncpy() with strscpy()
Alexander Antonov <alexander.antonov@linux.intel.com>
perf/x86/intel/uncore: Clear attr_update properly
Alexander Antonov <alexander.antonov@linux.intel.com>
perf/x86/intel/uncore: Generalize I/O stacks to PMON mapping procedure
Jens Axboe <axboe@kernel.dk>
ARM: renumber bits related to _TIF_WORK_MASK
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: make display pinning more flexible (v2)
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu: handle polaris10/11 overlap asics (v2)
Ye Bin <yebin10@huawei.com>
ext4: allocate extended attribute value in vmalloc area
Jan Kara <jack@suse.cz>
ext4: avoid unaccounted block allocation when expanding inode
Jan Kara <jack@suse.cz>
ext4: initialize quota before expanding inode in setproject ioctl
Ye Bin <yebin10@huawei.com>
ext4: fix inode leak in ext4_xattr_inode_create() on an error path
Jan Kara <jack@suse.cz>
ext4: avoid BUG_ON when creating xattrs
Luís Henriques <lhenriques@suse.de>
ext4: fix error code return to user-space in ext4_get_branch()
Baokun Li <libaokun1@huawei.com>
ext4: fix corruption when online resizing a 1K bigalloc fs
Eric Whitney <enwlinux@gmail.com>
ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline
Ye Bin <yebin10@huawei.com>
ext4: init quota for 'old.inode' in 'ext4_rename'
Baokun Li <libaokun1@huawei.com>
ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
Zhang Yi <yi.zhang@huawei.com>
ext4: check and assert if marking an no_delete evicting inode dirty
Ye Bin <yebin10@huawei.com>
ext4: fix reserved cluster accounting in __es_remove_extent()
Baokun Li <libaokun1@huawei.com>
ext4: fix bug_on in __es_tree_search caused by bad quota inode
Baokun Li <libaokun1@huawei.com>
ext4: add helper to check quota inums
Baokun Li <libaokun1@huawei.com>
ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode
Gaosheng Cui <cuigaosheng1@huawei.com>
ext4: fix undefined behavior in bit shift for ext4_check_flag_values
Baokun Li <libaokun1@huawei.com>
ext4: fix use-after-free in ext4_orphan_cleanup
Baokun Li <libaokun1@huawei.com>
ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop
Zhang Yi <yi.zhang@huawei.com>
ext4: silence the warning when evicting inode with dioread_nolock
Yuan Can <yuancan@huawei.com>
drm/ingenic: Fix missing platform_driver_unregister() call in ingenic_drm_init()
Mikko Kovanen <mikko.kovanen@aavamobile.com>
drm/i915/dsi: fix VBT send packet port selection for dual link DSI
Zack Rusin <zackr@vmware.com>
drm/vmwgfx: Validate the box size for the snooped cursor
Simon Ser <contact@emersion.fr>
drm/connector: send hotplug uevent on connector cleanup
Wang Weiyang <wangweiyang2@huawei.com>
device_cgroup: Roll back to original exceptions after copy failure
Shang XiaoJing <shangxiaojing@huawei.com>
parisc: led: Fix potential null-ptr-deref in start_task()
Maria Yu <quic_aiquny@quicinc.com>
remoteproc: core: Do pm_relax when in RPROC_OFFLINE state
Kim Phillips <kim.phillips@amd.com>
iommu/amd: Fix ivrs_acpihid cmdline parsing code
Isaac J. Manjarres <isaacmanjarres@google.com>
driver core: Fix bus_type.match() error handling in __driver_attach()
Corentin Labbe <clabbe@baylibre.com>
crypto: n2 - add missing hash statesize
Sascha Hauer <s.hauer@pengutronix.de>
PCI/sysfs: Fix double free in error path
Michael S. Tsirkin <mst@redhat.com>
PCI: Fix pci_device_is_present() for VFs by checking PF
Dan Carpenter <error27@gmail.com>
ipmi: fix use after free in _ipmi_destroy_user()
Huaxin Lu <luhuaxin1@huawei.com>
ima: Fix a potential NULL pointer access in ima_restore_measurement_list
Alexander Sverdlin <alexander.sverdlin@nokia.com>
mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type()
Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
ipmi: fix long wait in unload when IPMI disconnect
Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
ASoC: jz4740-i2s: Handle independent FIFO flush bits
Michael Walle <michael@walle.cc>
wifi: wilc1000: sdio: fix module autoloading
Aditya Garg <gargaditya08@live.com>
efi: Add iMac Pro 2017 to uefi skip cert quirk
Florian-Ewald Mueller <florian-ewald.mueller@ionos.com>
md/bitmap: Fix bitmap chunk size overflow issues
Ian Abbott <abbotti@mev.co.uk>
rtc: ds1347: fix value written to century register
Steve French <stfrench@microsoft.com>
cifs: fix missing display of three mount options
Paulo Alcantara <pc@cjr.nz>
cifs: fix confusing debug message
Takashi Iwai <tiwai@suse.de>
media: dvb-core: Fix UAF due to refcount races at releasing
Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
media: dvb-core: Fix double free in dvb_register_device()
Nick Desaulniers <ndesaulniers@google.com>
ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod
Luca Ceresoli <luca.ceresoli@bootlin.com>
staging: media: tegra-video: fix chan->mipi value on error
Yang Jihong <yangjihong1@huawei.com>
tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line
Zheng Yejian <zhengyejian1@huawei.com>
tracing/hist: Fix wrong return value in parse_action_params()
Masami Hiramatsu (Google) <mhiramat@kernel.org>
x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK
Steven Rostedt (Google) <rostedt@goodmis.org>
ftrace/x86: Add back ftrace_expected for ftrace bug reports
Ashok Raj <ashok.raj@intel.com>
x86/microcode/intel: Do not retry microcode reloading on the APs
Sean Christopherson <seanjc@google.com>
KVM: nVMX: Inject #GP, not #UD, if "generic" VMXON CR0/CR4 check fails
Namhyung Kim <namhyung@kernel.org>
perf/core: Call LSM hook after copying perf_event_attr
Zheng Yejian <zhengyejian1@huawei.com>
tracing/hist: Fix out-of-bound write on 'action_data.var_ref_idx'
Mike Snitzer <snitzer@kernel.org>
dm cache: set needs_check flag after aborting metadata
Luo Meng <luomeng12@huawei.com>
dm cache: Fix UAF in destroy()
Luo Meng <luomeng12@huawei.com>
dm clone: Fix UAF in clone_dtr()
Luo Meng <luomeng12@huawei.com>
dm integrity: Fix UAF in dm_integrity_dtr()
Luo Meng <luomeng12@huawei.com>
dm thin: Fix UAF in run_timer_softirq()
Luo Meng <luomeng12@huawei.com>
dm thin: resume even if in FAIL mode
Zhihao Cheng <chengzhihao1@huawei.com>
dm thin: Use last transaction's pmd->root when commit failed
Zhihao Cheng <chengzhihao1@huawei.com>
dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata
Mike Snitzer <snitzer@kernel.org>
dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort
Chris Chiu <chris.chiu@canonical.com>
ALSA: hda/realtek: Apply dual codec fixup for Dell Latitude laptops
Philipp Jungkamp <p.jungkamp@gmx.net>
ALSA: patch_realtek: Fix Dell Inspiron Plus 16
Yongqiang Liu <liuyongqiang13@huawei.com>
cpufreq: Init completion before kobject_init_and_add()
Kant Fan <kant@allwinnertech.com>
PM/devfreq: governor: Add a private governor_data for governor
Mickaël Salaün <mic@digikod.net>
selftests: Use optional USERCFLAGS and USERLDFLAGS
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
arm64: dts: qcom: sdm850-lenovo-yoga-c630: correct I2C12 pins drive strength
Jason A. Donenfeld <Jason@zx2c4.com>
ARM: ux500: do not directly dereference __iomem
Boris Burkov <boris@bur.io>
btrfs: fix resolving backrefs for inline extent followed by prealloc
Wenchao Chen <wenchao.chen@unisoc.com>
mmc: sdhci-sprd: Disable CLK_AUTO when the clock is less than 400K
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
arm64: dts: qcom: sdm845-db845c: correct SPI2 pins drive strength
Bixuan Cui <cuibixuan@linux.alibaba.com>
jbd2: use the correct print format
Steven Rostedt <rostedt@goodmis.org>
ktest.pl minconfig: Unset configs instead of just removing them
Steven Rostedt <rostedt@goodmis.org>
kest.pl: Fix grub2 menu handling for rebooting
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
soc: qcom: Select REMAP_MMIO for LLCC driver
Jason A. Donenfeld <Jason@zx2c4.com>
media: stv0288: use explicitly signed char
Eric Dumazet <edumazet@google.com>
net/af_packet: make sure to pull mac header
Hangbin Liu <liuhangbin@gmail.com>
net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO
Paul E. McKenney <paulmck@kernel.org>
rcu: Prevent lockdep-RCU splats on lock acquisition/release
Paul E. McKenney <paulmck@kernel.org>
torture: Exclude "NOHZ tick-stop error" from fatal errors
Ping-Ke Shih <pkshih@realtek.com>
wifi: rtlwifi: 8192de: correct checking of IQK reload
Jakub Kicinski <kuba@kernel.org>
wifi: rtlwifi: remove always-true condition pointed out by GCC 12
Dima Chumak <dchumak@nvidia.com>
net/mlx5e: Fix nullptr in mlx5e_tc_add_fdb_flow()
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
ASoC/SoundWire: dai: expand 'stream' concept beyond SoundWire
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio
Marco Elver <elver@google.com>
kcsan: Instrument memcpy/memset/memmove with newer Clang
Chuck Lever <chuck.lever@oracle.com>
SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
Hanjun Guo <guohanjun@huawei.com>
tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak
Hanjun Guo <guohanjun@huawei.com>
tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak
Hanjun Guo <guohanjun@huawei.com>
tpm: acpi: Call acpi_put_table() to fix memory leak
Deren Wu <deren.wu@mediatek.com>
mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
Pavel Machek <pavel@denx.de>
f2fs: should put a page when checking the summary info
NARIBAYASHI Akira <a.naribayashi@fujitsu.com>
mm, compaction: fix fast_isolate_around() to stay within boundaries
Mikulas Patocka <mpatocka@redhat.com>
md: fix a crash in mempool_free
Christian Brauner <brauner@kernel.org>
pnode: terminate at peers of source
Artem Egorkine <arteme@gmail.com>
ALSA: line6: fix stack overflow in line6_midi_transmit
Artem Egorkine <arteme@gmail.com>
ALSA: line6: correct midi status byte when receiving data from podxt
Zhang Tianci <zhangtianci.1997@bytedance.com>
ovl: Use ovl mounter's fsuid and fsgid in ovl_link()
Wang Yufen <wangyufen@huawei.com>
binfmt: Fix error return code in load_elf_fdpic_binary()
Aditya Garg <gargaditya08@live.com>
hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount
Qiujun Huang <hqjagain@gmail.com>
pstore/zone: Use GFP_ATOMIC to allocate zone buffer
Terry Junge <linuxhid@cosmicgizmosystems.com>
HID: plantronics: Additional PIDs for double volume key presses quirk
José Expósito <jose.exposito89@gmail.com>
HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint
Nathan Lynch <nathanl@linux.ibm.com>
powerpc/rtas: avoid scheduling in rtas_os_term()
Nathan Lynch <nathanl@linux.ibm.com>
powerpc/rtas: avoid device tree lookups in rtas_os_term()
Christophe Leroy <christophe.leroy@csgroup.eu>
objtool: Fix SEGFAULT
Christoph Hellwig <hch@lst.de>
nvmet: don't defer passthrough commands with trivial effects to the workqueue
Christoph Hellwig <hch@lst.de>
nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition
Adam Vodopjan <grozzly@protonmail.com>
ata: ahci: Fix PCS quirk application for suspend
Keith Busch <kbusch@kernel.org>
nvme-pci: fix page size checks
Keith Busch <kbusch@kernel.org>
nvme-pci: fix mempool alloc size
Klaus Jensen <k.jensen@samsung.com>
nvme-pci: fix doorbell buffer value endianness
Paulo Alcantara <pc@cjr.nz>
cifs: fix oops during encryption
Miaoqian Lin <linmq006@gmail.com>
usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init
Steven Price <steven.price@arm.com>
pwm: tegra: Fix 32 bit build
Lin Ma <linma@zju.edu.cn>
media: dvbdev: fix refcnt bug
Lin Ma <linma@zju.edu.cn>
media: dvbdev: fix build warning due to comments
Chen Zhongjin <chenzhongjin@huawei.com>
ovl: fix use inode directly in rcu-walk mode
Rickard x Andersson <rickaran@axis.com>
gcov: add support for checksum field
Johan Hovold <johan+linaro@kernel.org>
regulator: core: fix deadlock on regulator enable
Rasmus Villemoes <linux@rasmusvillemoes.dk>
iio: adc128s052: add proper .data members in adc128_of_match table
Nuno Sá <nuno.sa@analog.com>
iio: adc: ad_sigma_delta: do not use internal iio_dev lock
Roberto Sassu <roberto.sassu@huawei.com>
reiserfs: Add missing calls to reiserfs_security_free()
Enrik Berkhan <Enrik.Berkhan@inka.de>
HID: mcp2221: don't connect hidraw
Jason Gerecke <killertofu@gmail.com>
HID: wacom: Ensure bootloader PID is usable in hidraw mode
Ferry Toth <ftoth@exalondelft.nl>
usb: dwc3: core: defer probe on ulpi_read_id timeout
Sven Peter <sven@svenpeter.dev>
usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode
Jiao Zhou <jiaozhou@google.com>
ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list
Edward Pacman <edward@edward-p.xyz>
ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB
wangdicheng <wangdicheng@kylinos.cn>
ALSA: usb-audio: add the quirk for KT0206 device
GUO Zihua <guozihua@huawei.com>
ima: Simplify ima_lsm_copy_rule
John Stultz <jstultz@google.com>
pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES
David Howells <dhowells@redhat.com>
afs: Fix lost servers_outstanding count
Yang Jihong <yangjihong1@huawei.com>
perf debug: Set debug_peo_args and redirect_to_stderr variable to correct values in perf_quiet_option()
John Stultz <jstultz@google.com>
pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion
Kees Cook <keescook@chromium.org>
LoadPin: Ignore the "contents" argument of the LSM hooks
Hans de Goede <hdegoede@redhat.com>
ASoC: rt5670: Remove unbalanced pm_runtime_put()
Wang Jingjin <wangjingjin1@huawei.com>
ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume()
Marek Szyprowski <m.szyprowski@samsung.com>
ASoC: wm8994: Fix potential deadlock
Wang Jingjin <wangjingjin1@huawei.com>
ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume()
Wang Yufen <wangyufen@huawei.com>
ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link()
Wang Yufen <wangyufen@huawei.com>
ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe()
Cezary Rojewski <cezary.rojewski@intel.com>
ASoC: Intel: Skylake: Fix driver hang during shutdown
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
ALSA: hda: add snd_hdac_stop_streams() helper
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
ALSA/ASoC: hda: move/rename snd_hdac_ext_stop_streams to hdac_stream.c
Yang Yingliang <yangyingliang@huawei.com>
hwmon: (jc42) Fix missing unlock on error in jc42_write()
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
Nathan Chancellor <nathan@kernel.org>
drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
Nathan Chancellor <nathan@kernel.org>
drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
Hawkins Jiawei <yin31149@gmail.com>
hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
Xiu Jianfeng <xiujianfeng@huawei.com>
clk: st: Fix memory leak in st_of_quadfs_setup()
Shigeru Yoshida <syoshida@redhat.com>
media: si470x: Fix use-after-free in si470x_int_in_callback()
Wolfram Sang <wsa+renesas@sang-engineering.com>
mmc: renesas_sdhi: better reset from HS400 mode
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
mmc: f-sdh30: Add quirks for broken timeout clock capability
Rui Zhang <zr.zhang@vivo.com>
regulator: core: fix use_count leakage when handling boot-on
Andrii Nakryiko <andrii@kernel.org>
libbpf: Avoid enum forward-declarations in public API in C++ mode
Ye Bin <yebin10@huawei.com>
blk-mq: fix possible memleak when register 'hctx' failed
Mazin Al Haddad <mazinalhaddad05@gmail.com>
media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
Lin Ma <linma@zju.edu.cn>
media: dvbdev: adopts refcnt to avoid UAF
Yan Lei <yan_lei@dahuatech.com>
media: dvb-frontends: fix leak of memory fw
Maxim Korotkov <korotkov.maxim.s@gmail.com>
ethtool: avoiding integer overflow in ethtool_phys_id()
Stanislav Fomichev <sdf@google.com>
bpf: Prevent decl_tag from being referenced in func_proto arg
Stanislav Fomichev <sdf@google.com>
ppp: associate skb with a device at tx
Schspa Shi <schspa@gmail.com>
mrp: introduce active flags to prevent UAF when applicant uninit
Eric Dumazet <edumazet@google.com>
net: add atomic_long_t to net_device_stats fields
Aurabindo Pillai <aurabindo.pillai@amd.com>
drm/amd/display: fix array index out of bound error in bios parser
Jiang Li <jiang.li@ugreen.com>
md/raid1: stop mdx_raid1 thread when raid1 array run failed
Li Zhong <floridsleeves@gmail.com>
drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/sti: Use drm_mode_copy()
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/rockchip: Use drm_mode_copy()
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/msm: Use drm_mode_copy()
Nathan Chancellor <nathan@kernel.org>
s390/lcs: Fix return type of lcs_start_xmit()
Nathan Chancellor <nathan@kernel.org>
s390/netiucv: Fix return type of netiucv_tx()
Nathan Chancellor <nathan@kernel.org>
s390/ctcm: Fix return type of ctc{mp,}m_tx()
Nathan Chancellor <nathan@kernel.org>
drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback
Nathan Chancellor <nathan@kernel.org>
drm/amdgpu: Fix type of second parameter in trans_msg() callback
Kees Cook <keescook@chromium.org>
igb: Do not free q_vector unless new one was allocated
Minsuk Kang <linuxlovemin@yonsei.ac.kr>
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
Nathan Chancellor <nathan@kernel.org>
hamradio: baycom_epp: Fix return type of baycom_send_packet()
Nathan Chancellor <nathan@kernel.org>
net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
Stanislav Fomichev <sdf@google.com>
bpf: make sure skb->len != 0 when redirecting to a tunneling device
Jiri Slaby (SUSE) <jirislaby@kernel.org>
qed (gcc13): use u16 for fid to be big enough
gehao <gehao@kylinos.cn>
drm/amd/display: prevent memory leak
Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
ipmi: fix memleak when unload ipmi driver
Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
ASoC: codecs: rt298: Add quirk for KBL-R RVP platform
Shigeru Yoshida <syoshida@redhat.com>
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
Fedor Pchelkin <pchelkin@ispras.ru>
wifi: ath9k: verify the expected usb_endpoints are present
Wright Feng <wright.feng@cypress.com>
brcmfmac: return error when getting invalid max_flowrings from dongle
Doug Brown <doug@schmorgal.com>
drm/etnaviv: add missing quirks for GC300
ZhangPeng <zhangpeng362@huawei.com>
hfs: fix OOB Read in __hfs_brec_find
Zheng Yejian <zhengyejian1@huawei.com>
acct: fix potential integer overflow in encode_comp_t()
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: fix shift-out-of-bounds due to too large exponent of block size
Ryusuke Konishi <konishi.ryusuke@gmail.com>
nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPICA: Fix error code path in acpi_ds_call_control_method()
Hoi Pok Wu <wuhoipok@gmail.com>
fs: jfs: fix shift-out-of-bounds in dbDiscardAG
Shigeru Yoshida <syoshida@redhat.com>
udf: Avoid double brelse() in udf_rename()
Dongliang Mu <mudongliangabcd@gmail.com>
fs: jfs: fix shift-out-of-bounds in dbAllocAG
Liu Shixin <liushixin2@huawei.com>
binfmt_misc: fix shift-out-of-bounds in check_special_flags
Gaurav Kohli <gauravkohli@linux.microsoft.com>
x86/hyperv: Remove unregister syscore call from Hyper-V cleanup
Guilherme G. Piccoli <gpiccoli@igalia.com>
video: hyperv_fb: Avoid taking busy spinlock on panic path
Mark Rutland <mark.rutland@arm.com>
arm64: make is_ttbrX_addr() noinstr-safe
Zqiang <qiang1.zhang@intel.com>
rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state()
Eric Dumazet <edumazet@google.com>
net: stream: purge sk_error_queue in sk_stream_kill_queues()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
myri10ge: Fix an error handling path in myri10ge_probe()
David Howells <dhowells@redhat.com>
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
Cong Wang <cong.wang@bytedance.com>
net_sched: reject TCF_EM_SIMPLE case for complex ematch module
Yang Yingliang <yangyingliang@huawei.com>
mailbox: zynq-ipi: fix error handling while device_register() fails
Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
skbuff: Account for tail adjustment during pull operations
Eelco Chaudron <echaudro@redhat.com>
openvswitch: Fix flow lookup to use unmasked key
Jakub Kicinski <kuba@kernel.org>
selftests: devlink: fix the fd redirect in dummy_reporter_test
GUO Zihua <guozihua@huawei.com>
rtc: mxc_v2: Add missing clk_disable_unprepare()
Tan Tee Min <tee.min.tan@linux.intel.com>
igc: Set Qbv start_time and end_time to end_time if not being configured in GCL
Kurt Kanzenbach <kurt@linutronix.de>
igc: Lift TAPRIO schedule restriction
Tan Tee Min <tee.min.tan@linux.intel.com>
igc: recalculate Qbv end_time by considering cycle time
Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
igc: Add checking for basetime less than zero
Vinicius Costa Gomes <vinicius.gomes@intel.com>
igc: Use strict cycles for Qbv scheduling
Vinicius Costa Gomes <vinicius.gomes@intel.com>
igc: Enhance Qbv scheduling by using first flag bit
Vladimir Oltean <olteanv@gmail.com>
net: add a helper to avoid issues with HW TX timestamping and SO_TXTIME
Xin Long <lucien.xin@gmail.com>
net: igc: use skb_csum_is_sctp instead of protocol check
Xin Long <lucien.xin@gmail.com>
net: add inline function skb_csum_is_sctp
Marco Elver <elver@google.com>
net: switch to storing KCOV handle directly in sk_buff
Li Zetao <lizetao1@huawei.com>
r6040: Fix kmemleak in probe and remove
Minsuk Kang <linuxlovemin@yonsei.ac.kr>
nfc: pn533: Clear nfc_target before being used
Yang Yingliang <yangyingliang@huawei.com>
mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
Emeel Hakim <ehakim@nvidia.com>
net: macsec: fix net device access prior to holding a lock
Dan Aloni <dan.aloni@vastdata.com>
nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
Chuck Lever <chuck.lever@oracle.com>
NFSD: Remove spurious cb_setup_err tracepoint
Alexandre Belloni <alexandre.belloni@bootlin.com>
rtc: pcf85063: fix pcf85063_clkout_control
Gaosheng Cui <cuigaosheng1@huawei.com>
rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe()
Gaosheng Cui <cuigaosheng1@huawei.com>
rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
Qingfang DENG <dqfext@gmail.com>
netfilter: flowtable: really fix NAT IPv6 offload
Nathan Lynch <nathanl@linux.ibm.com>
powerpc/pseries/eeh: use correct API for error log size
Haowen Bai <baihaowen@meizu.com>
powerpc/eeh: Drop redundant spinlock initialization
Yuan Can <yuancan@huawei.com>
remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in adsp_alloc_memory_region()
Luca Weiss <luca.weiss@fairphone.com>
remoteproc: qcom_q6v5_pas: detach power domains on remove
Luca Weiss <luca.weiss@fairphone.com>
remoteproc: qcom_q6v5_pas: disable wakeup on probe fail or remove
Gaosheng Cui <cuigaosheng1@huawei.com>
remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
pwm: sifive: Call pwm_sifive_update_clock() while mutex is held
Jason Gunthorpe <jgg@ziepe.ca>
iommu/sun50i: Remove IOMMU_DOMAIN_IDENTITY
Miaoqian Lin <linmq006@gmail.com>
selftests/powerpc: Fix resource leaks
Kajol Jain <kjain@linux.ibm.com>
powerpc/hv-gpci: Fix hv_gpci event list
Yang Yingliang <yangyingliang@huawei.com>
powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe()
Nicholas Piggin <npiggin@gmail.com>
powerpc/perf: callchain validate kernel stack pointer bounds
Masahiro Yamada <masahiroy@kernel.org>
kbuild: refactor single builds of *.ko
Masahiro Yamada <masahiroy@kernel.org>
kbuild: unify modules(_install) for in-tree and external modules
Masahiro Yamada <masahiroy@kernel.org>
kbuild: remove unneeded mkdir for external modules_install
Yang Yingliang <yangyingliang@huawei.com>
powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data()
Gustavo A. R. Silva <gustavoars@kernel.org>
powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/xmon: Enable breakpoints on 8xx
Miaoqian Lin <linmq006@gmail.com>
cxl: Fix refcount leak in cxl_calc_capp_routing
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
powerpc/52xx: Fix a resource leak in an error handling path
Xie Shaowen <studentxswpy@163.com>
macintosh/macio-adb: check the return value of ioremap()
Yang Yingliang <yangyingliang@huawei.com>
macintosh: fix possible memory leak in macio_add_one_device()
Yuan Can <yuancan@huawei.com>
iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
Yang Yingliang <yangyingliang@huawei.com>
iommu/amd: Fix pci device refcount leak in ppr_notifier()
Alexander Stein <alexander.stein@ew.tq-group.com>
rtc: pcf85063: Fix reading alarm
Stefan Eichenberger <stefan.eichenberger@toradex.com>
rtc: snvs: Allow a time difference on clock register read
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
rtc: cmos: Disable ACPI RTC event on removal
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
rtc: cmos: Rename ACPI-related functions
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
rtc: cmos: Eliminate forward declarations of some functions
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
rtc: cmos: Call rtc_wake_setup() from cmos_do_probe()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
rtc: cmos: Call cmos_wake_setup() from cmos_do_probe()
Alexandre Belloni <alexandre.belloni@bootlin.com>
rtc: cmos: fix build on non-ACPI platforms
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
rtc: cmos: Fix wake alarm breakage
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
rtc: cmos: Fix event handler registration ordering issue
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0
Fenghua Yu <fenghua.yu@intel.com>
dmaengine: idxd: Fix crc_val field for completion record
Jon Hunter <jonathanh@nvidia.com>
pwm: tegra: Improve required rate calculation
Matt Redfearn <matt.redfearn@mips.com>
include/uapi/linux/swab: Fix potentially missing __always_inline
Al Cooper <alcooperx@gmail.com>
phy: usb: s2 WoL wakeup_count not incremented for USB->Eth devices
Jernej Skrabec <jernej.skrabec@gmail.com>
iommu/sun50i: Fix flush size
Jernej Skrabec <jernej.skrabec@gmail.com>
iommu/sun50i: Fix R/W permission check
Jernej Skrabec <jernej.skrabec@gmail.com>
iommu/sun50i: Consider all fault sources for reset
Jernej Skrabec <jernej.skrabec@gmail.com>
iommu/sun50i: Fix reset release
Arnd Bergmann <arnd@arndb.de>
RDMA/siw: Fix pointer cast warning
ruanjinjie <ruanjinjie@huawei.com>
power: supply: fix null pointer dereferencing in power_supply_get_battery_info
Yuan Can <yuancan@huawei.com>
HSI: omap_ssi_core: Fix error handling in ssi_init()
Ajay Kaher <akaher@vmware.com>
perf symbol: correction while adjusting symbol
Leo Yan <leo.yan@linaro.org>
perf trace: Handle failure when trace point folder is missed
Leo Yan <leo.yan@linaro.org>
perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number
Leo Yan <leo.yan@linaro.org>
perf trace: Return error if a system call doesn't exist
Zeng Heng <zengheng4@huawei.com>
power: supply: fix residue sysfs file in error handle route of __power_supply_register()
Yang Yingliang <yangyingliang@huawei.com>
HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
Yang Yingliang <yangyingliang@huawei.com>
HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
Xiongfeng Wang <wangxiongfeng2@huawei.com>
fbdev: vermilion: decrease reference count in error path
Shang XiaoJing <shangxiaojing@huawei.com>
fbdev: via: Fix error in via_core_init()
Yang Yingliang <yangyingliang@huawei.com>
fbdev: pm2fb: fix missing pci_disable_device()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
fbdev: ssd1307fb: Drop optional dependency
Marcus Folkesson <marcus.folkesson@gmail.com>
thermal/drivers/imx8mm_thermal: Validate temperature range
Shang XiaoJing <shangxiaojing@huawei.com>
samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe()
Zheng Yejian <zhengyejian1@huawei.com>
tracing/hist: Fix issue of losting command info in error_log
Jiasheng Jiang <jiasheng@iscas.ac.cn>
usb: storage: Add check for kcalloc
Zheyu Ma <zheyuma97@gmail.com>
i2c: ismt: Fix an out-of-bounds bug in ismt_access()
Yang Yingliang <yangyingliang@huawei.com>
i2c: mux: reg: check return value after calling platform_get_resource()
Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
gpiolib: cdev: fix NULL-pointer dereferences
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
gpiolib: Get rid of redundant 'else'
Chen Zhongjin <chenzhongjin@huawei.com>
vme: Fix error not catched in fake_init()
YueHaibing <yuehaibing@huawei.com>
staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()
Dan Carpenter <error27@gmail.com>
staging: rtl8192u: Fix use after free in ieee80211_rx()
Hui Tang <tanghui20@huawei.com>
i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe
Yang Yingliang <yangyingliang@huawei.com>
chardev: fix error handling in cdev_device_add()
Yang Yingliang <yangyingliang@huawei.com>
mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
Zhengchao Shao <shaozhengchao@huawei.com>
drivers: mcb: fix resource leak in mcb_probe()
John Keeping <john@metanate.com>
usb: gadget: f_hid: fix refcount leak on error path
John Keeping <john@metanate.com>
usb: gadget: f_hid: fix f_hidg lifetime vs cdev
Maxim Devaev <mdevaev@gmail.com>
usb: gadget: f_hid: optional SETUP/SET_REPORT mode
Yang Yingliang <yangyingliang@huawei.com>
usb: roles: fix of node refcount leak in usb_role_switch_is_parent()
Fabrice Gasnier <fabrice.gasnier@foss.st.com>
counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update
Ramona Bolboaca <ramona.bolboaca@analog.com>
iio: adis: add '__adis_enable_irq()' implementation
Jonathan Cameron <Jonathan.Cameron@huawei.com>
iio:imu:adis: Move exports into IIO_ADISLIB namespace
Nuno Sá <nuno.sa@analog.com>
iio: adis: stylistic changes
Nuno Sá <nuno.sa@analog.com>
iio: adis: handle devices that cannot unmask the drdy pin
Jonathan Cameron <Jonathan.Cameron@huawei.com>
iio:imu:adis: Use IRQF_NO_AUTOEN instead of irq request then disable
Barry Song <song.bao.hua@hisilicon.com>
genirq: Add IRQF_NO_AUTOEN for request_irq/nmi()
Cosmin Tanislav <cosmin.tanislav@analog.com>
iio: temperature: ltc2983: make bulk write buffer DMA-safe
Yang Yingliang <yangyingliang@huawei.com>
cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
Yang Yingliang <yangyingliang@huawei.com>
cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
Yang Yingliang <yangyingliang@huawei.com>
firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()
Zheng Wang <zyytlz.wz@163.com>
misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
ruanjinjie <ruanjinjie@huawei.com>
misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
Yang Yingliang <yangyingliang@huawei.com>
ocxl: fix pci device refcount leak when calling get_function_0()
Yang Yingliang <yangyingliang@huawei.com>
misc: ocxl: fix possible name leak in ocxl_file_register_afu()
Zhengchao Shao <shaozhengchao@huawei.com>
test_firmware: fix memory leak in test_firmware_init()
Yuan Can <yuancan@huawei.com>
serial: sunsab: Fix error handling in sunsab_init()
Gabriel Somlo <gsomlo@gmail.com>
serial: altera_uart: fix locking in polling mode
Jiri Slaby <jirislaby@kernel.org>
tty: serial: altera_uart_{r,t}x_chars() need only uart_port
Jiri Slaby <jirislaby@kernel.org>
tty: serial: clean up stop-tx part in altera_uart_tx_chars()
Xiongfeng Wang <wangxiongfeng2@huawei.com>
serial: pch: Fix PCI device refcount leak in pch_request_dma()
delisun <delisun@pateo.com.cn>
serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle.
Jiamei Xie <jiamei.xie@arm.com>
serial: amba-pl011: avoid SBSA UART accessing DMACR register
Sven Peter <sven@svenpeter.dev>
usb: typec: tipd: Fix spurious fwnode_handle_put in error path
Yang Yingliang <yangyingliang@huawei.com>
usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()
Sven Peter <sven@svenpeter.dev>
usb: typec: Check for ops->exit instead of ops->enter in altmode_exit
Gaosheng Cui <cuigaosheng1@huawei.com>
staging: vme_user: Fix possible UAF in tsi148_dma_list_add
Linus Walleij <linus.walleij@linaro.org>
usb: fotg210-udc: Fix ages old endianness issues
Rafael Mendonca <rafaelmendsr@gmail.com>
uio: uio_dmem_genirq: Fix deadlock between irq config and handling
Rafael Mendonca <rafaelmendsr@gmail.com>
uio: uio_dmem_genirq: Fix missing unlock in irq configuration
Rafael Mendonca <rafaelmendsr@gmail.com>
vfio: platform: Do not pass return buffer to ACPI _RST method
Yang Yingliang <yangyingliang@huawei.com>
class: fix possible memory leak in __class_register()
Kartik <kkartik@nvidia.com>
serial: tegra: Read DMA status before terminating
Yang Yingliang <yangyingliang@huawei.com>
drivers: dio: fix possible memory leak in dio_init()
Dragos Tatulea <dtatulea@nvidia.com>
IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
Xiongfeng Wang <wangxiongfeng2@huawei.com>
hwrng: geode - Fix PCI device refcount leak
Xiongfeng Wang <wangxiongfeng2@huawei.com>
hwrng: amd - Fix PCI device refcount leak
Gaosheng Cui <cuigaosheng1@huawei.com>
crypto: img-hash - Fix variable dereferenced before check 'hdev->req'
Chengchang Tang <tangchengchang@huawei.com>
RDMA/hns: Fix page size cap from firmware
Chengchang Tang <tangchengchang@huawei.com>
RDMA/hns: Fix PBL page MTR find
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
orangefs: Fix sysfs not cleanup when dev init failed
Wang Yufen <wangyufen@huawei.com>
RDMA/srp: Fix error return code in srp_parse_options()
Wang Yufen <wangyufen@huawei.com>
RDMA/hfi1: Fix error return code in parse_platform_config()
Tong Tiangen <tongtiangen@huawei.com>
riscv/mm: add arch hook arch_clear_hugepage_flags
Shang XiaoJing <shangxiaojing@huawei.com>
crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
crypto: amlogic - Remove kcalloc without check
Mark Zhang <markzhang@nvidia.com>
RDMA/nldev: Fix failure to send large messages
Yonggil Song <yonggil.song@samsung.com>
f2fs: avoid victim selection from previous victim section
Yuan Can <yuancan@huawei.com>
RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps()
Gaosheng Cui <cuigaosheng1@huawei.com>
scsi: snic: Fix possible UAF in snic_tgt_create()
Chen Zhongjin <chenzhongjin@huawei.com>
scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
Shang XiaoJing <shangxiaojing@huawei.com>
scsi: ipr: Fix WARNING in ipr_init()
Yang Yingliang <yangyingliang@huawei.com>
scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper()
Yang Yingliang <yangyingliang@huawei.com>
scsi: fcoe: Fix possible name leak when device_register() fails
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
scsi: scsi_debug: Fix a warning in resp_report_zones()
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
scsi: scsi_debug: Fix a warning in resp_verify()
Yang Yingliang <yangyingliang@huawei.com>
scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
Yang Yingliang <yangyingliang@huawei.com>
scsi: hpsa: Fix error handling in hpsa_add_sas_host()
Yang Yingliang <yangyingliang@huawei.com>
scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
Daniel Jordan <daniel.m.jordan@oracle.com>
padata: Fix list iterator in padata_do_serial()
Daniel Jordan <daniel.m.jordan@oracle.com>
padata: Always leave BHs disabled when running ->parallel()
Zhang Yiqun <zhangyiqun@phytium.com.cn>
crypto: tcrypt - Fix multibuffer skcipher speed test mem leak
Yuan Can <yuancan@huawei.com>
scsi: hpsa: Fix possible memory leak in hpsa_init_one()
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
Zhengchao Shao <shaozhengchao@huawei.com>
RDMA/hns: fix memory leak in hns_roce_alloc_mr()
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
crypto: ccree - Make cc_debugfs_global_fini() available for module init function
Xiongfeng Wang <wangxiongfeng2@huawei.com>
RDMA/hfi: Decrease PCI device reference count in error path
Zeng Heng <zengheng4@huawei.com>
PCI: Check for alloc failure in pci_request_irq()
Luoyouming <luoyouming@huawei.com>
RDMA/hns: Fix ext_sge num error when post send
Luoyouming <luoyouming@huawei.com>
RDMA/hns: Repacing 'dseg_len' by macros in fill_ext_sge_inl_data()
Xiongfeng Wang <wangxiongfeng2@huawei.com>
crypto: hisilicon/qm - add missing pci_dev_put() in q_num_set()
Herbert Xu <herbert@gondor.apana.org.au>
crypto: cryptd - Use request context instead of stack for sub-request
Gaosheng Cui <cuigaosheng1@huawei.com>
crypto: ccree - Remove debugfs when platform_driver_register failed
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
scsi: scsi_debug: Fix a warning in resp_write_scat()
Bernard Metzler <bmt@zurich.ibm.com>
RDMA/siw: Set defined status for work completion with undefined status
Mark Zhang <markzhang@nvidia.com>
RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port
Bernard Metzler <bmt@zurich.ibm.com>
RDMA/siw: Fix immediate work request flush to completion queue
Dongdong Zhang <zhangdongdong1@oppo.com>
f2fs: fix normal discard process
Xiu Jianfeng <xiujianfeng@huawei.com>
apparmor: Fix memleak in alloc_ns()
Corentin Labbe <clabbe@baylibre.com>
crypto: rockchip - rework by using crypto_engine
Kai Ye <yekai13@huawei.com>
crypto: rockchip - delete unneeded variable initialization
Corentin Labbe <clabbe@baylibre.com>
crypto: rockchip - remove non-aligned handling
Corentin Labbe <clabbe@baylibre.com>
crypto: rockchip - better handle cipher key
Corentin Labbe <clabbe@baylibre.com>
crypto: rockchip - add fallback for ahash
Corentin Labbe <clabbe@baylibre.com>
crypto: rockchip - add fallback for cipher
Corentin Labbe <clabbe@baylibre.com>
crypto: rockchip - do not store mode globally
Corentin Labbe <clabbe@baylibre.com>
crypto: rockchip - do not do custom power management
Zhang Qilong <zhangqilong3@huawei.com>
f2fs: Fix the race condition of resize flag between resizefs
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
PCI: pci-epf-test: Register notifier if only core_init_notifier is enabled
Leon Romanovsky <leon@kernel.org>
RDMA/core: Fix order of nldev_exit call
Vidya Sagar <vidyas@nvidia.com>
PCI: dwc: Fix n_fts[] array overrun
Xiu Jianfeng <xiujianfeng@huawei.com>
apparmor: Use pointer to struct aa_label for lbs_cred
Bart Van Assche <bvanassche@acm.org>
scsi: core: Fix a race between scsi_done() and scsi_timeout()
Natalia Petrova <n.petrova@fintech.ru>
crypto: nitrox - avoid double free on error path in nitrox_sriov_init()
Corentin Labbe <clabbe@baylibre.com>
crypto: sun8i-ss - use dma_addr instead u32
John Johansen <john.johansen@canonical.com>
apparmor: Fix abi check to include v8 abi
John Johansen <john.johansen@canonical.com>
apparmor: fix lockdep warning when removing a namespace
Gaosheng Cui <cuigaosheng1@huawei.com>
apparmor: fix a memleak in multi_transaction_new()
Piergiorgio Beruto <piergiorgio.beruto@gmail.com>
stmmac: fix potential division by 0
Yang Yingliang <yangyingliang@huawei.com>
Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
Firo Yang <firo.yang@suse.com>
sctp: sysctl: make extra pointers netns aware
Eric Pilmore <epilmore@gigaio.com>
ntb_netdev: Use dev_kfree_skb_any() in interrupt context
Jerry Ray <jerry.ray@microchip.com>
net: lan9303: Fix read error execution path
Markus Schneider-Pargmann <msp@baylibre.com>
can: tcan4x5x: Remove invalid write in clear_interrupts
Tom Lendacky <thomas.lendacky@amd.com>
net: amd-xgbe: Check only the minimum speed for active/passive cables
Tom Lendacky <thomas.lendacky@amd.com>
net: amd-xgbe: Fix logic around active and passive cables
Yang Yingliang <yangyingliang@huawei.com>
net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave()
Yang Yingliang <yangyingliang@huawei.com>
net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave()
Hangbin Liu <liuhangbin@gmail.com>
net/tunnel: wait until all sk_user_data reader finish before releasing the sock
Li Zetao <lizetao1@huawei.com>
net: farsync: Fix kmemleak when rmmods farsync
Yang Yingliang <yangyingliang@huawei.com>
ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
ruanjinjie <ruanjinjie@huawei.com>
of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop()
Yuan Can <yuancan@huawei.com>
drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
Zhang Changzhong <zhangchangzhong@huawei.com>
net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload()
Yongqiang Liu <liuyongqiang13@huawei.com>
net: defxx: Fix missing err handling in dfx_init()
Artem Chernyshev <artem.chernyshev@red-soft.ru>
net: vmw_vsock: vmci: Check memcpy_from_msg()
Xiu Jianfeng <xiujianfeng@huawei.com>
clk: socfpga: Fix memory leak in socfpga_gate_init()
Dinh Nguyen <dinguyen@kernel.org>
clk: socfpga: use clk_hw_register for a5/c5
Lee Jones <lee.jones@linaro.org>
clk: socfpga: clk-pll: Remove unused variable 'rc'
Yang Jihong <yangjihong1@huawei.com>
blktrace: Fix output non-blktrace event when blk_classic option enabled
Wang Yufen <wangyufen@huawei.com>
wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtl8xxxu: Fix the channel width reporting
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
Kris Bahnsen <kris@embeddedTS.com>
spi: spi-gpio: Don't set MOSI as an input if not 3WIRE mode
Xiu Jianfeng <xiujianfeng@huawei.com>
clk: samsung: Fix memory leak in _samsung_clk_register_pll()
Jiasheng Jiang <jiasheng@iscas.ac.cn>
media: coda: Add check for kmalloc
Jiasheng Jiang <jiasheng@iscas.ac.cn>
media: coda: Add check for dcoda_iram_alloc
Liang He <windhl@126.com>
media: c8sectpfe: Add of_node_put() when breaking out of loop
Yang Yingliang <yangyingliang@huawei.com>
mmc: mmci: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: wbsd: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: via-sdmmc: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: meson-gx: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: omap_hsmmc: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: atmel-mci: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: wmt-sdmmc: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: vub300: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: toshsd: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: pxamci: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: mxcmmc: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: moxart: fix return value check of mmc_add_host()
Yang Yingliang <yangyingliang@huawei.com>
mmc: alcor: fix return value check of mmc_add_host()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFSv4.x: Fail client initialisation if state manager thread can't run
Wang ShaoBo <bobo.shaobowang@huawei.com>
SUNRPC: Fix missing release socket in rpc_sockname()
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
xprtrdma: Fix regbuf data not freed in rpcrdma_req_create()
Gaosheng Cui <cuigaosheng1@huawei.com>
ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
Liu Shixin <liushixin2@huawei.com>
media: saa7164: fix missing pci_disable_device()
Takashi Iwai <tiwai@suse.de>
ALSA: pcm: Set missing stop_operating flag at undoing trigger start
Eric Dumazet <edumazet@google.com>
bpf, sockmap: fix race in sock_map_free()
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
hwmon: (jc42) Restore the min/max/critical temperatures on resume
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
hwmon: (jc42) Convert register access and caching to regmap/regcache
Yang Yingliang <yangyingliang@huawei.com>
regulator: core: fix resource leak in regulator_register()
Chen Zhongjin <chenzhongjin@huawei.com>
configfs: fix possible memory leak in configfs_create_dir()
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
hsr: Synchronize sequence number updates.
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
hsr: Synchronize sending frames to have always incremented outgoing seq nr.
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
hsr: Disable netpoll.
George McCollister <george.mccollister@gmail.com>
net: hsr: generate supervision frame without HSR/PRP tag
Sebastian Andrzej Siewior <bigeasy@linutronix.de>
hsr: Add a rcu-read lock to hsr_forward_skb().
Christian Marangi <ansuelsmth@gmail.com>
clk: qcom: clk-krait: fix wrong div2 functions
Yang Yingliang <yangyingliang@huawei.com>
regulator: core: fix module refcount leak in set_supply()
Deren Wu <deren.wu@mediatek.com>
wifi: mt76: fix coverity overrun-call in mt76_get_txpower()
Chen Zhongjin <chenzhongjin@huawei.com>
wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails
Zhengchao Shao <shaozhengchao@huawei.com>
wifi: mac80211: fix memory leak in ieee80211_if_add()
Alexander Sverdlin <alexander.sverdlin@siemens.com>
spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE
Dan Carpenter <error27@gmail.com>
bonding: uninitialized variable in bond_miimon_inspect()
Pengcheng Yang <yangpc@wangsu.com>
bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect
Pengcheng Yang <yangpc@wangsu.com>
bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
Florian Westphal <fw@strlen.de>
netfilter: conntrack: set icmpv6 redirects as RELATED
Zhang Qilong <zhangqilong3@huawei.com>
ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
Xiongfeng Wang <wangxiongfeng2@huawei.com>
drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
Xiongfeng Wang <wangxiongfeng2@huawei.com>
drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
Guchun Chen <guchun.chen@amd.com>
drm/amd/pm/smu11: BACO is supported when it's in BACO state
Ricardo Ribalda <ribalda@chromium.org>
ASoC: mediatek: mt8173: Enable IRQ when pdata is ready
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
ASoC: mediatek: mt8173: Fix debugfs registration for components
Ben Greear <greearb@candelatech.com>
wifi: iwlwifi: mvm: fix double free on tx path.
Liu Shixin <liushixin2@huawei.com>
ALSA: asihpi: fix missing pci_disable_device()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix an Oops in nfs_d_automount()
Trond Myklebust <trond.myklebust@hammerspace.com>
NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
Trond Myklebust <trond.myklebust@hammerspace.com>
NFSv4.2: Fix initialisation of struct nfs4_label
Trond Myklebust <trond.myklebust@hammerspace.com>
NFSv4.2: Fix a memory stomp in decode_attr_security_label
Trond Myklebust <trond.myklebust@hammerspace.com>
NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd
Dmitry Torokhov <dmitry.torokhov@gmail.com>
ASoC: dt-bindings: wcd9335: fix reset line polarity in example
Zhang Zekun <zhangzekun11@huawei.com>
drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe()
Aakarsh Jain <aakarsh.jain@samsung.com>
media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC
Baisong Zhong <zhongbaisong@huawei.com>
media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
Chen Zhongjin <chenzhongjin@huawei.com>
media: dvb-core: Fix ignored return value in dvb_register_frontend()
ZhangPeng <zhangpeng362@huawei.com>
pinctrl: pinconf-generic: add missing of_node_put()
Dario Binacchi <dario.binacchi@amarulasolutions.com>
clk: imx: replace osc_hdmi with dummy
Gautam Menghani <gautammenghani201@gmail.com>
media: imon: fix a race condition in send_packet()
Chen Zhongjin <chenzhongjin@huawei.com>
media: vimc: Fix wrong function called when vimc_init() fails
Yuan Can <yuancan@huawei.com>
ASoC: qcom: Add checks for devm_kcalloc
Xiaomeng Tong <xiam0nd.tong@gmail.com>
drbd: fix an invalid memory access caused by incorrect use of list iterator
Zheng Yongjun <zhengyongjun3@huawei.com>
mtd: maps: pxa2xx-flash: fix memory leak in probe
Jonathan Toppins <jtoppins@redhat.com>
bonding: fix link recovery in mode 2 when updelay is nonzero
Yang Yingliang <yangyingliang@huawei.com>
drm/amdgpu: fix pci device refcount leak
Xiu Jianfeng <xiujianfeng@huawei.com>
clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
Wang ShaoBo <bobo.shaobowang@huawei.com>
regulator: core: use kfree_const() to free space conditionally
Baisong Zhong <zhongbaisong@huawei.com>
ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
Baisong Zhong <zhongbaisong@huawei.com>
ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT
Marcus Folkesson <marcus.folkesson@gmail.com>
HID: hid-sensor-custom: set fixed size for custom attributes
Stanislav Fomichev <sdf@google.com>
bpf: Move skb->len == 0 checks into __bpf_redirect
Eric Dumazet <edumazet@google.com>
inet: add READ_ONCE(sk->sk_bound_dev_if) in inet_csk_bind_conflict()
Christoph Hellwig <hch@lst.de>
media: videobuf-dma-contig: use dma_mmap_coherent
Yuan Can <yuancan@huawei.com>
media: platform: exynos4-is: Fix error handling in fimc_md_init()
Yang Yingliang <yangyingliang@huawei.com>
media: solo6x10: fix possible memory leak in solo_sysfs_init()
Chen Zhongjin <chenzhongjin@huawei.com>
media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init()
Douglas Anderson <dianders@chromium.org>
Input: elants_i2c - properly handle the reset GPIO when power is off
Hui Tang <tanghui20@huawei.com>
mtd: lpddr2_nvm: Fix possible null-ptr-deref
Xiu Jianfeng <xiujianfeng@huawei.com>
wifi: ath10k: Fix return value in ath10k_pci_init()
Xiu Jianfeng <xiujianfeng@huawei.com>
ima: Fix misuse of dereference of pointer in template_desc_init_fields()
GUO Zihua <guozihua@huawei.com>
integrity: Fix memory leakage in keyring allocation error path
Brian Starkey <brian.starkey@arm.com>
drm/fourcc: Fix vsub/hsub for Q410 and Q401
Dave Stevenson <dave.stevenson@raspberrypi.com>
drm/fourcc: Add packed 10bit YUV 4:2:0 format
Dan Carpenter <error27@gmail.com>
amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()
Yang Yingliang <yangyingliang@huawei.com>
regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
Zeng Heng <zengheng4@huawei.com>
ASoC: pxa: fix null-pointer dereference in filter()
Xinlei Lee <xinlei.lee@mediatek.com>
drm/mediatek: Modify dpi power on/off sequence.
Hanjun Guo <guohanjun@huawei.com>
drm/radeon: Add the missed acpi_put_table() to fix memory leak
David Howells <dhowells@redhat.com>
rxrpc: Fix ack.bufferSize to be 0 when generating an ack
David Howells <dhowells@redhat.com>
net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write()
Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
media: camss: Clean up received buffers on failed start of streaming
Marek Vasut <marex@denx.de>
wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port
Randy Dunlap <rdunlap@infradead.org>
Input: joystick - fix Kconfig warning for JOYSTICK_ADC
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
mtd: Fix device name leak when register device failed in add_mtd_device()
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
clk: qcom: gcc-sm8250: Use retention mode for USB GDSCs
Andrii Nakryiko <andrii@kernel.org>
bpf: propagate precision across all frames, not just the last one
Martin KaFai Lau <kafai@fb.com>
bpf: Check the other end of slot_type for STACK_SPILL
Andrii Nakryiko <andrii@kernel.org>
bpf: propagate precision in ALU/ALU64 operations
Yang Yingliang <yangyingliang@huawei.com>
media: platform: exynos4-is: fix return value check in fimc_md_probe()
Liu Shixin <liushixin2@huawei.com>
media: vivid: fix compose size exceed boundary
Kumar Kartikeya Dwivedi <memxor@gmail.com>
bpf: Fix slot type check in check_stack_write_var_off
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/hdmi: drop unused GPIO support
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/hdmi: switch to drm_bridge_connector
GUO Zihua <guozihua@huawei.com>
ima: Handle -ESTALE returned by ima_filter_rule_match()
Gustavo A. R. Silva <gustavoars@kernel.org>
ima: Fix fall-through warnings for Clang
Marek Vasut <marex@denx.de>
drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure
Jonathan Neuschäfer <j.neuschaefer@gmx.net>
spi: Update reference to struct spi_controller
Marek Vasut <marex@denx.de>
clk: renesas: r9a06g032: Repair grave increment error
Zhang Qilong <zhangqilong3@huawei.com>
drm/rockchip: lvds: fix PM usage counter unbalance in poweron
Jimmy Assarsson <extja@kvaser.com>
can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming
Jimmy Assarsson <extja@kvaser.com>
can: kvaser_usb: Add struct kvaser_usb_busparams
Anssi Hannula <anssi.hannula@bitwise.fi>
can: kvaser_usb_leaf: Fix bogus restart events
Anssi Hannula <anssi.hannula@bitwise.fi>
can: kvaser_usb_leaf: Fix wrong CAN state after stopping
Anssi Hannula <anssi.hannula@bitwise.fi>
can: kvaser_usb_leaf: Fix improved state not being reported
Anssi Hannula <anssi.hannula@bitwise.fi>
can: kvaser_usb_leaf: Set Warning state even without bus errors
Jimmy Assarsson <extja@kvaser.com>
can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT
Jimmy Assarsson <extja@kvaser.com>
can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event
Jimmy Assarsson <extja@kvaser.com>
can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device
Vincent Mailhol <mailhol.vincent@wanadoo.fr>
can: kvaser_usb: do not increase tx statistics when sending error message frames
Marek Szyprowski <m.szyprowski@samsung.com>
media: exynos4-is: don't rely on the v4l2_async_subdev internals
Ezequiel Garcia <ezequiel@collabora.com>
media: exynos4-is: Use v4l2_async_notifier_add_fwnode_remote_subdev
Tang Bin <tangbin@cmss.chinamobile.com>
venus: pm_helpers: Fix error check in vcodec_domains_get()
Ricardo Ribalda <ribalda@chromium.org>
media: i2c: ad5820: Fix error path
Jiasheng Jiang <jiasheng@iscas.ac.cn>
media: coda: jpeg: Add check for kmalloc
Junlin Yang <yangjunlin@yulong.com>
pata_ipx4xx_cf: Fix unsigned comparison with less than zero
Shung-Hsi Yu <shung-hsi.yu@suse.com>
libbpf: Fix null-pointer dereference in find_prog_by_sec_insn()
Xu Kuohai <xukuohai@huawei.com>
libbpf: Fix use-after-free in btf_dump_name_dups
Abhinav Kumar <quic_abhinavk@quicinc.com>
drm/bridge: adv7533: remove dynamic lane switching from adv7533 bridge
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtl8xxxu: Fix reading the vendor of combo chips
Fedor Pchelkin <pchelkin@ispras.ru>
wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
Fedor Pchelkin <pchelkin@ispras.ru>
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
Cai Xinchen <caixinchen1@huawei.com>
rapidio: devices: fix missing put_device in mport_cdev_open
ZhangPeng <zhangpeng362@huawei.com>
hfs: Fix OOB Write in hfs_asc2mac
Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
relay: fix type mismatch when allocating memory in relay_create_buf()
Zhang Qilong <zhangqilong3@huawei.com>
eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD
Wang Weiyang <wangweiyang2@huawei.com>
rapidio: fix possible UAF when kfifo_alloc() fails
Chen Zhongjin <chenzhongjin@huawei.com>
fs: sysv: Fix sysv_nblocks() returns wrong value
Ladislav Michl <ladis@linux-mips.org>
MIPS: OCTEON: warn only once if deprecated link status is being used
Anastasia Belova <abelova@astralinux.ru>
MIPS: BCM63xx: Add check for NULL for clk in clk_enable
Yang Yingliang <yangyingliang@huawei.com>
platform/x86: intel_scu_ipc: fix possible name leak in __intel_scu_ipc_register()
Yu Liao <liaoyu15@huawei.com>
platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
PM: runtime: Do not call __rpm_callback() from rpm_idle()
Ulf Hansson <ulf.hansson@linaro.org>
PM: runtime: Improve path in rpm_idle() when no callback
Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
Xiu Jianfeng <xiujianfeng@huawei.com>
x86/xen: Fix memory leak in xen_init_lock_cpu()
Xiu Jianfeng <xiujianfeng@huawei.com>
x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()
Oleg Nesterov <oleg@redhat.com>
uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
Li Zetao <lizetao1@huawei.com>
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
Yang Yingliang <yangyingliang@huawei.com>
clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock()
Phil Auld <pauld@redhat.com>
cpu/hotplug: Make target_store() a nop when target == state
Alexey Izbyshev <izbyshev@ispras.ru>
futex: Resend potentially swallowed owner death notification
Peter Zijlstra <peterz@infradead.org>
futex: Move to kernel/futex/
Wolfram Sang <wsa+renesas@sang-engineering.com>
clocksource/drivers/sh_cmt: Access registers according to spec
Geert Uytterhoeven <geert+renesas@glider.be>
clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled
Yang Yingliang <yangyingliang@huawei.com>
rapidio: rio: fix possible name leak in rio_register_mport()
Yang Yingliang <yangyingliang@huawei.com>
rapidio: fix possible name leaks when rio_add_device() fails
Li Zetao <ocfs2-devel@oss.oracle.com>
ocfs2: fix memory leak in ocfs2_mount_volume()
Heming Zhao via Ocfs2-devel <ocfs2-devel@oss.oracle.com>
ocfs2: rewrite error handling of ocfs2_fill_super
Heming Zhao via Ocfs2-devel <ocfs2-devel@oss.oracle.com>
ocfs2: ocfs2_mount_volume does cleanup job before return error
Akinobu Mita <akinobu.mita@gmail.com>
debugfs: fix error when writing negative value to atomic_t debugfs file
Wolfram Sang <wsa+renesas@sang-engineering.com>
docs: fault-injection: fix non-working usage of negative values
Akinobu Mita <akinobu.mita@gmail.com>
lib/notifier-error-inject: fix error when writing -errno to debugfs file
Akinobu Mita <akinobu.mita@gmail.com>
libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
Xiongfeng Wang <wangxiongfeng2@huawei.com>
cpufreq: amd_freq_sensitivity: Add missing pci_dev_put()
Yang Yingliang <yangyingliang@huawei.com>
genirq/irqdesc: Don't try to remove non-existing sysfs files
Jeff Layton <jlayton@kernel.org>
nfsd: don't call nfsd_file_put from client states seqfile display
Yang Yingliang <yangyingliang@huawei.com>
EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()
Shang XiaoJing <shangxiaojing@huawei.com>
irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
Yuan Can <yuancan@huawei.com>
platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()
Xiongfeng Wang <wangxiongfeng2@huawei.com>
perf/x86/intel/uncore: Fix reference count leak in __uncore_imc_init_box()
Xiongfeng Wang <wangxiongfeng2@huawei.com>
perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()
Xiongfeng Wang <wangxiongfeng2@huawei.com>
perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()
Yang Yingliang <yangyingliang@huawei.com>
PNP: fix name memory leak in pnp_alloc_dev()
Zhao Gongyi <zhaogongyi@huawei.com>
selftests/efivarfs: Add checking of the test return value
Yang Yingliang <yangyingliang@huawei.com>
MIPS: vpe-cmp: fix possible memory leak while module exiting
Yang Yingliang <yangyingliang@huawei.com>
MIPS: vpe-mt: fix possible memory leak while module exiting
Shang XiaoJing <shangxiaojing@huawei.com>
ocfs2: fix memory leak in ocfs2_stack_glue_init()
Gaosheng Cui <cuigaosheng1@huawei.com>
lib/fonts: fix undefined behavior in bit shift for get_default_font
Alexey Dobriyan <adobriyan@gmail.com>
proc: fixup uptime selftest
Barnabás Pőcze <pobrn@protonmail.com>
timerqueue: Use rb_entry_safe() in timerqueue_getnext()
Barnabás Pőcze <pobrn@protonmail.com>
platform/x86: huawei-wmi: fix return value calculation
wuchi <wuchi.zero@gmail.com>
lib/debugobjects: fix stat count and optimize debug_objects_mem_init
Chen Zhongjin <chenzhongjin@huawei.com>
perf: Fix possible memleak in pmu_dev_alloc()
Yipeng Zou <zouyipeng@huawei.com>
selftests/ftrace: event_triggers: wait longer for test_event_enable
Chen Hui <judy.chenhui@huawei.com>
cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()
Ondrej Mosnacek <omosnace@redhat.com>
fs: don't audit the capability check in simple_xattr_list()
xiongxin <xiongxin@kylinos.cn>
PM: hibernate: Fix mistake in kerneldoc comment
Al Viro <viro@zeniv.linux.org.uk>
alpha: fix syscall entry in !AUDUT_SYSCALL case
Ulf Hansson <ulf.hansson@linaro.org>
cpuidle: dt: Return the correct numbers of parsed idle states
Qais Yousef <qais.yousef@arm.com>
sched/uclamp: Fix relationship between uclamp and migration margin
Vincent Donnefort <vincent.donnefort@arm.com>
sched/fair: Cleanup task_util and capacity type
Michael Kelley <mikelley@microsoft.com>
tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
Yuan Can <yuancan@huawei.com>
tpm/tpm_ftpm_tee: Fix error handling in ftpm_mod_init()
Stephen Boyd <swboyd@chromium.org>
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
Doug Brown <doug@schmorgal.com>
ARM: mmp: fix timer_read delay
Wang Yufen <wangyufen@huawei.com>
pstore/ram: Fix error return code in ramoops_probe()
Pali Rohár <pali@kernel.org>
arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC
Pali Rohár <pali@kernel.org>
ARM: dts: turris-omnia: Add switch port 6 node
Pali Rohár <pali@kernel.org>
ARM: dts: turris-omnia: Add ethernet aliases
Pali Rohár <pali@kernel.org>
ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
Pali Rohár <pali@kernel.org>
ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
Pali Rohár <pali@kernel.org>
ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
Pali Rohár <pali@kernel.org>
ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
Pali Rohár <pali@kernel.org>
ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
Pali Rohár <pali@kernel.org>
ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
arm64: dts: mediatek: pumpkin-common: Fix devicetree warnings
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
arm64: dts: mt2712-evb: Fix usb vbus regulators unit names
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
arm64: dts: mt2712e: Fix unit address for pinctrl node
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators
Jayesh Choudhary <j-choudhary@ti.com>
arm64: dts: ti: k3-j721e-main: Drop dma-coherent in crypto node
Jayesh Choudhary <j-choudhary@ti.com>
arm64: dts: ti: k3-am65-main: Drop dma-coherent in crypto node
Shang XiaoJing <shangxiaojing@huawei.com>
perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()
Yuan Can <yuancan@huawei.com>
perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init()
Zhang Qilong <zhangqilong3@huawei.com>
soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
Zhang Qilong <zhangqilong3@huawei.com>
soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe
Minghao Chi <chi.minghao@zte.com.cn>
soc: ti: knav_qmss_queue: Use pm_runtime_resume_and_get instead of pm_runtime_get_sync
Kory Maincent <kory.maincent@bootlin.com>
arm: dts: spear600: Fix clcd interrupt
Jiasheng Jiang <jiasheng@iscas.ac.cn>
soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
soc: qcom: apr: make code more reuseable
Luca Weiss <luca.weiss@fairphone.com>
soc: qcom: llcc: make irq truly optional
Chen Jiahao <chenjiahao16@huawei.com>
drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
Marek Vasut <marex@denx.de>
ARM: dts: stm32: Fix AV96 WLAN regulator gpio property
Marek Vasut <marex@denx.de>
ARM: dts: stm32: Drop stm32mp15xc.dtsi from Avenger96
Marco Elver <elver@google.com>
objtool, kcsan: Add volatile read/write instrumentation to whitelist
Stephan Gerhold <stephan.gerhold@kernkonzept.com>
arm64: dts: qcom: msm8916: Drop MSS fallback compatible
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
arm64: dts: qcom: sdm845-cheza: fix AP suspend pin bias
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
arm64: dts: qcom: sdm630: fix UART1 pin bias
Luca Weiss <luca@z3ntu.xyz>
ARM: dts: qcom: apq8064: fix coresight compatible
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
arm64: dts: qcom: msm8996: fix GPU OPP table
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins
Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
usb: musb: remove extra check in musb_gadget_vbus_draw
-------------
Diffstat:
.../devicetree/bindings/sound/qcom,wcd9335.txt | 2 +-
Documentation/driver-api/spi.rst | 4 +-
Documentation/fault-injection/fault-injection.rst | 16 +-
MAINTAINERS | 2 +-
Makefile | 107 ++---
arch/alpha/kernel/entry.S | 4 +-
arch/arm/boot/dts/armada-370.dtsi | 2 +-
arch/arm/boot/dts/armada-375.dtsi | 2 +-
arch/arm/boot/dts/armada-380.dtsi | 4 +-
arch/arm/boot/dts/armada-385-turris-omnia.dts | 18 +-
arch/arm/boot/dts/armada-385.dtsi | 6 +-
arch/arm/boot/dts/armada-39x.dtsi | 6 +-
arch/arm/boot/dts/armada-xp-mv78230.dtsi | 8 +-
arch/arm/boot/dts/armada-xp-mv78260.dtsi | 16 +-
arch/arm/boot/dts/dove.dtsi | 2 +-
arch/arm/boot/dts/qcom-apq8064.dtsi | 2 +-
arch/arm/boot/dts/spear600.dtsi | 2 +-
arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts | 1 -
arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi | 2 +-
arch/arm/include/asm/thread_info.h | 13 +-
arch/arm/mach-mmp/time.c | 11 +-
arch/arm/nwfpe/Makefile | 6 +
.../boot/dts/marvell/armada-3720-turris-mox.dts | 3 +
arch/arm64/boot/dts/mediatek/mt2712-evb.dts | 12 +-
arch/arm64/boot/dts/mediatek/mt2712e.dtsi | 22 +-
arch/arm64/boot/dts/mediatek/mt6797.dtsi | 2 +-
arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi | 6 +-
arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts | 2 +
arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +-
arch/arm64/boot/dts/qcom/msm8996.dtsi | 10 +-
arch/arm64/boot/dts/qcom/sdm630.dtsi | 2 +-
arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi | 4 +-
arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 5 +-
.../boot/dts/qcom/sdm850-lenovo-yoga-c630.dts | 6 +-
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 1 -
arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 1 -
arch/arm64/include/asm/processor.h | 4 +-
arch/mips/bcm63xx/clk.c | 2 +
.../cavium-octeon/executive/cvmx-helper-board.c | 2 +-
arch/mips/cavium-octeon/executive/cvmx-helper.c | 2 +-
arch/mips/kernel/vpe-cmp.c | 4 +-
arch/mips/kernel/vpe-mt.c | 4 +-
arch/parisc/include/uapi/asm/mman.h | 23 +-
arch/parisc/kernel/sys_parisc.c | 27 ++
arch/parisc/kernel/syscalls/syscall.tbl | 2 +-
arch/powerpc/kernel/rtas.c | 20 +-
arch/powerpc/perf/callchain.c | 1 +
arch/powerpc/perf/hv-gpci-requests.h | 4 +
arch/powerpc/perf/hv-gpci.c | 33 +-
arch/powerpc/perf/hv-gpci.h | 1 +
arch/powerpc/perf/req-gen/perf.h | 20 +
arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c | 1 +
arch/powerpc/platforms/83xx/mpc832x_rdb.c | 2 +-
arch/powerpc/platforms/pseries/eeh_pseries.c | 14 +-
arch/powerpc/sysdev/xive/spapr.c | 1 +
arch/powerpc/xmon/xmon.c | 11 +-
arch/riscv/include/asm/hugetlb.h | 6 +
arch/riscv/include/asm/uaccess.h | 2 +-
arch/riscv/kernel/stacktrace.c | 12 +-
arch/x86/events/intel/uncore.h | 1 +
arch/x86/events/intel/uncore_snb.c | 3 +
arch/x86/events/intel/uncore_snbep.c | 48 ++-
arch/x86/hyperv/hv_init.c | 2 -
arch/x86/kernel/cpu/bugs.c | 2 +
arch/x86/kernel/cpu/mce/amd.c | 37 +-
arch/x86/kernel/cpu/mce/core.c | 95 ++---
arch/x86/kernel/cpu/mce/internal.h | 12 +-
arch/x86/kernel/cpu/microcode/intel.c | 8 +-
arch/x86/kernel/ftrace.c | 2 +
arch/x86/kernel/kprobes/core.c | 27 +-
arch/x86/kernel/kprobes/opt.c | 35 +-
arch/x86/kernel/uprobes.c | 4 +-
arch/x86/kvm/vmx/nested.c | 44 ++-
arch/x86/xen/smp.c | 24 +-
arch/x86/xen/smp_pv.c | 12 +-
arch/x86/xen/spinlock.c | 6 +-
block/blk-mq-sysfs.c | 11 +-
crypto/cryptd.c | 36 +-
crypto/tcrypt.c | 9 -
drivers/acpi/acpica/dsmethod.c | 10 +-
drivers/acpi/acpica/utcopy.c | 7 -
drivers/ata/ahci.c | 32 +-
drivers/ata/pata_ixp4xx_cf.c | 2 +-
drivers/base/class.c | 5 +
drivers/base/dd.c | 6 +-
drivers/base/power/runtime.c | 18 +-
drivers/block/drbd/drbd_main.c | 4 +-
drivers/bluetooth/btusb.c | 6 +-
drivers/bluetooth/hci_bcsp.c | 2 +-
drivers/bluetooth/hci_h5.c | 2 +-
drivers/bluetooth/hci_ll.c | 2 +-
drivers/bluetooth/hci_qca.c | 2 +-
drivers/char/hw_random/amd-rng.c | 18 +-
drivers/char/hw_random/geode-rng.c | 36 +-
drivers/char/ipmi/ipmi_msghandler.c | 12 +-
drivers/char/ipmi/ipmi_si_intf.c | 27 +-
drivers/char/tpm/eventlog/acpi.c | 12 +-
drivers/char/tpm/tpm_crb.c | 31 +-
drivers/char/tpm/tpm_ftpm_tee.c | 8 +-
drivers/char/tpm/tpm_tis.c | 9 +-
drivers/clk/imx/clk-imx8mn.c | 12 +-
drivers/clk/qcom/clk-krait.c | 2 +
drivers/clk/qcom/gcc-sm8250.c | 4 +-
drivers/clk/renesas/r9a06g032-clocks.c | 3 +-
drivers/clk/rockchip/clk-pll.c | 1 +
drivers/clk/samsung/clk-pll.c | 1 +
drivers/clk/socfpga/clk-gate.c | 16 +-
drivers/clk/socfpga/clk-periph.c | 8 +-
drivers/clk/socfpga/clk-pll.c | 17 +-
drivers/clk/st/clkgen-fsyn.c | 5 +-
drivers/clocksource/sh_cmt.c | 102 +++--
drivers/clocksource/timer-ti-dm-systimer.c | 4 +-
drivers/counter/stm32-lptimer-cnt.c | 2 +-
drivers/cpufreq/amd_freq_sensitivity.c | 2 +
drivers/cpufreq/cpufreq.c | 2 +-
drivers/cpufreq/qcom-cpufreq-hw.c | 1 +
drivers/cpuidle/dt_idle_states.c | 2 +-
drivers/crypto/Kconfig | 5 +
.../crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
drivers/crypto/amlogic/amlogic-gxl-core.c | 1 -
drivers/crypto/amlogic/amlogic-gxl.h | 2 +-
drivers/crypto/cavium/nitrox/nitrox_mbx.c | 1 +
drivers/crypto/ccree/cc_debugfs.c | 2 +-
drivers/crypto/ccree/cc_driver.c | 10 +-
drivers/crypto/hisilicon/qm.h | 6 +-
drivers/crypto/img-hash.c | 8 +-
drivers/crypto/n2_core.c | 6 +
drivers/crypto/omap-sham.c | 2 +-
drivers/crypto/rockchip/rk3288_crypto.c | 193 +--------
drivers/crypto/rockchip/rk3288_crypto.h | 53 +--
drivers/crypto/rockchip/rk3288_crypto_ahash.c | 199 ++++++----
drivers/crypto/rockchip/rk3288_crypto_skcipher.c | 413 +++++++++++--------
drivers/devfreq/devfreq.c | 6 +-
drivers/devfreq/governor_userspace.c | 12 +-
drivers/dio/dio.c | 8 +
drivers/edac/i10nm_base.c | 3 +-
drivers/firmware/efi/efi.c | 4 +-
drivers/firmware/efi/libstub/efistub.h | 2 +
drivers/firmware/efi/libstub/random.c | 42 +-
drivers/firmware/raspberrypi.c | 1 +
drivers/gpio/gpio-sifive.c | 1 +
drivers/gpio/gpiolib-cdev.c | 93 +++--
drivers/gpio/gpiolib.c | 12 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 +
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 13 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 3 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 5 +-
drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 16 +-
.../gpu/drm/amd/display/dc/dce60/dce60_resource.c | 3 +
.../gpu/drm/amd/display/dc/dce80/dce80_resource.c | 2 +
drivers/gpu/drm/amd/include/kgd_pp_interface.h | 3 +-
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 3 +-
.../gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c | 3 +-
drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 4 +
drivers/gpu/drm/bridge/adv7511/adv7511.h | 3 +-
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 18 +-
drivers/gpu/drm/bridge/adv7511/adv7533.c | 25 +-
drivers/gpu/drm/drm_connector.c | 3 +
drivers/gpu/drm/drm_fourcc.c | 11 +-
drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 11 +-
drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c | 5 +-
drivers/gpu/drm/i915/display/intel_dsi_vbt.c | 4 +-
drivers/gpu/drm/i915/gvt/debugfs.c | 17 +-
drivers/gpu/drm/i915/gvt/scheduler.c | 1 +
drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 6 +-
drivers/gpu/drm/mediatek/mtk_dpi.c | 12 +-
drivers/gpu/drm/meson/meson_viu.c | 5 +-
drivers/gpu/drm/msm/Makefile | 2 +-
drivers/gpu/drm/msm/dp/dp_display.c | 2 +-
drivers/gpu/drm/msm/hdmi/hdmi.c | 78 ++--
drivers/gpu/drm/msm/hdmi/hdmi.h | 30 +-
drivers/gpu/drm/msm/hdmi/hdmi_bridge.c | 81 +++-
.../drm/msm/hdmi/{hdmi_connector.c => hdmi_hpd.c} | 216 +---------
drivers/gpu/drm/panel/panel-sitronix-st7701.c | 10 +-
drivers/gpu/drm/panfrost/panfrost_drv.c | 27 +-
drivers/gpu/drm/panfrost/panfrost_gem.c | 16 +-
drivers/gpu/drm/panfrost/panfrost_gem.h | 5 +-
drivers/gpu/drm/radeon/radeon_bios.c | 19 +-
drivers/gpu/drm/rockchip/cdn-dp-core.c | 2 +-
drivers/gpu/drm/rockchip/inno_hdmi.c | 2 +-
drivers/gpu/drm/rockchip/rk3066_hdmi.c | 2 +-
drivers/gpu/drm/rockchip/rockchip_lvds.c | 10 +-
drivers/gpu/drm/sti/sti_dvo.c | 7 +-
drivers/gpu/drm/sti/sti_hda.c | 7 +-
drivers/gpu/drm/sti/sti_hdmi.c | 7 +-
drivers/gpu/drm/tegra/dc.c | 4 +-
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 +-
drivers/hid/hid-ids.h | 3 +
drivers/hid/hid-mcp2221.c | 12 +-
drivers/hid/hid-multitouch.c | 4 +
drivers/hid/hid-plantronics.c | 9 +
drivers/hid/hid-sensor-custom.c | 2 +-
drivers/hid/wacom_sys.c | 8 +
drivers/hid/wacom_wac.c | 4 +
drivers/hid/wacom_wac.h | 1 +
drivers/hsi/controllers/omap_ssi_core.c | 14 +-
drivers/hv/ring_buffer.c | 13 +
drivers/hwmon/Kconfig | 1 +
drivers/hwmon/jc42.c | 243 +++++++-----
drivers/i2c/busses/i2c-ismt.c | 3 +
drivers/i2c/busses/i2c-pxa-pci.c | 10 +-
drivers/i2c/muxes/i2c-mux-reg.c | 5 +-
drivers/iio/accel/adis16201.c | 1 +
drivers/iio/accel/adis16209.c | 1 +
drivers/iio/adc/ad_sigma_delta.c | 8 +-
drivers/iio/adc/ti-adc128s052.c | 14 +-
drivers/iio/gyro/adis16136.c | 1 +
drivers/iio/gyro/adis16260.c | 1 +
drivers/iio/imu/adis.c | 98 ++---
drivers/iio/imu/adis16400.c | 1 +
drivers/iio/imu/adis16460.c | 5 +-
drivers/iio/imu/adis16475.c | 6 +-
drivers/iio/imu/adis16480.c | 1 +
drivers/iio/imu/adis_buffer.c | 10 +-
drivers/iio/imu/adis_trigger.c | 20 +-
drivers/iio/temperature/ltc2983.c | 10 +-
drivers/infiniband/core/device.c | 2 +-
drivers/infiniband/core/nldev.c | 6 +-
drivers/infiniband/hw/hfi1/affinity.c | 2 +
drivers/infiniband/hw/hfi1/firmware.c | 6 +
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 24 +-
drivers/infiniband/hw/hns/hns_roce_mr.c | 4 +-
drivers/infiniband/hw/mlx5/qp.c | 49 ++-
drivers/infiniband/sw/rxe/rxe_qp.c | 6 +-
drivers/infiniband/sw/siw/siw_cq.c | 24 +-
drivers/infiniband/sw/siw/siw_qp_tx.c | 2 +-
drivers/infiniband/sw/siw/siw_verbs.c | 40 +-
drivers/infiniband/ulp/ipoib/ipoib_netlink.c | 7 +
drivers/infiniband/ulp/srp/ib_srp.c | 96 ++++-
drivers/input/joystick/Kconfig | 1 +
drivers/input/touchscreen/elants_i2c.c | 9 +-
drivers/iommu/amd/init.c | 7 +
drivers/iommu/amd/iommu_v2.c | 1 +
drivers/iommu/fsl_pamu.c | 2 +-
drivers/iommu/sun50i-iommu.c | 16 +-
drivers/irqchip/irq-gic-pm.c | 2 +-
drivers/isdn/hardware/mISDN/hfcmulti.c | 19 +-
drivers/isdn/hardware/mISDN/hfcpci.c | 13 +-
drivers/isdn/hardware/mISDN/hfcsusb.c | 12 +-
drivers/macintosh/macio-adb.c | 4 +
drivers/macintosh/macio_asic.c | 2 +-
drivers/mailbox/zynqmp-ipi-mailbox.c | 4 +-
drivers/mcb/mcb-core.c | 4 +-
drivers/mcb/mcb-parse.c | 2 +-
drivers/md/dm-cache-metadata.c | 54 ++-
drivers/md/dm-cache-target.c | 11 +-
drivers/md/dm-clone-target.c | 1 +
drivers/md/dm-integrity.c | 2 +
drivers/md/dm-thin-metadata.c | 60 ++-
drivers/md/dm-thin.c | 18 +-
drivers/md/md-bitmap.c | 47 ++-
drivers/md/md.c | 9 +-
drivers/md/raid1.c | 1 +
drivers/media/dvb-core/dmxdev.c | 8 +
drivers/media/dvb-core/dvb_ca_en50221.c | 2 +-
drivers/media/dvb-core/dvb_frontend.c | 10 +-
drivers/media/dvb-core/dvbdev.c | 33 +-
drivers/media/dvb-frontends/bcm3510.c | 1 +
drivers/media/dvb-frontends/stv0288.c | 5 +-
drivers/media/i2c/ad5820.c | 10 +-
drivers/media/pci/saa7164/saa7164-core.c | 4 +-
drivers/media/pci/solo6x10/solo6x10-core.c | 1 +
drivers/media/platform/coda/coda-bit.c | 14 +-
drivers/media/platform/coda/coda-jpeg.c | 10 +-
drivers/media/platform/exynos4-is/fimc-core.c | 2 +-
drivers/media/platform/exynos4-is/media-dev.c | 32 +-
drivers/media/platform/exynos4-is/media-dev.h | 2 +-
drivers/media/platform/qcom/camss/camss-video.c | 3 +-
drivers/media/platform/qcom/venus/pm_helpers.c | 4 +-
drivers/media/platform/s5p-mfc/s5p_mfc.c | 17 +-
drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c | 4 +-
drivers/media/platform/s5p-mfc/s5p_mfc_enc.c | 12 +-
drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c | 14 +-
.../media/platform/sti/c8sectpfe/c8sectpfe-core.c | 1 +
drivers/media/radio/si470x/radio-si470x-usb.c | 4 +-
drivers/media/rc/imon.c | 6 +-
drivers/media/test-drivers/vidtv/vidtv_bridge.c | 22 +-
drivers/media/test-drivers/vimc/vimc-core.c | 2 +-
drivers/media/test-drivers/vivid/vivid-vid-cap.c | 1 +
drivers/media/usb/dvb-usb/az6027.c | 4 +
drivers/media/usb/dvb-usb/dvb-usb-init.c | 4 +-
drivers/media/v4l2-core/videobuf-dma-contig.c | 22 +-
drivers/misc/cxl/guest.c | 24 +-
drivers/misc/cxl/pci.c | 21 +-
drivers/misc/ocxl/config.c | 20 +-
drivers/misc/ocxl/file.c | 7 +-
drivers/misc/sgi-gru/grufault.c | 13 +-
drivers/misc/sgi-gru/grumain.c | 22 +-
drivers/misc/sgi-gru/grutables.h | 2 +-
drivers/misc/tifm_7xx1.c | 2 +-
drivers/mmc/host/alcor.c | 5 +-
drivers/mmc/host/atmel-mci.c | 9 +-
drivers/mmc/host/meson-gx-mmc.c | 4 +-
drivers/mmc/host/mmci.c | 4 +-
drivers/mmc/host/moxart-mmc.c | 4 +-
drivers/mmc/host/mxcmmc.c | 4 +-
drivers/mmc/host/omap_hsmmc.c | 4 +-
drivers/mmc/host/pxamci.c | 7 +-
drivers/mmc/host/renesas_sdhi_core.c | 2 +-
drivers/mmc/host/rtsx_usb_sdmmc.c | 11 +-
drivers/mmc/host/sdhci-sprd.c | 16 +-
drivers/mmc/host/sdhci_f_sdh30.c | 3 +
drivers/mmc/host/toshsd.c | 6 +-
drivers/mmc/host/via-sdmmc.c | 4 +-
drivers/mmc/host/vub300.c | 13 +-
drivers/mmc/host/wbsd.c | 12 +-
drivers/mmc/host/wmt-sdmmc.c | 6 +-
drivers/mtd/lpddr/lpddr2_nvm.c | 2 +
drivers/mtd/maps/pxa2xx-flash.c | 2 +
drivers/mtd/mtdcore.c | 4 +-
drivers/mtd/spi-nor/core.c | 2 +
drivers/net/bonding/bond_3ad.c | 1 +
drivers/net/bonding/bond_main.c | 13 +-
drivers/net/can/m_can/tcan4x5x.c | 5 -
drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 30 +-
drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 115 +++++-
drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 167 ++++++--
drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 437 ++++++++++++++++++---
drivers/net/dsa/lan9303-core.c | 4 +-
drivers/net/ethernet/amd/atarilance.c | 2 +-
drivers/net/ethernet/amd/lance.c | 2 +-
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 3 +
drivers/net/ethernet/amd/xgbe/xgbe-i2c.c | 4 +-
drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 4 +-
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 23 +-
drivers/net/ethernet/apple/bmac.c | 2 +-
drivers/net/ethernet/apple/mace.c | 2 +-
drivers/net/ethernet/dnet.c | 4 +-
drivers/net/ethernet/freescale/enetc/enetc.c | 8 +-
.../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 3 +-
drivers/net/ethernet/intel/igb/igb_main.c | 10 +-
drivers/net/ethernet/intel/igc/igc.h | 2 +
drivers/net/ethernet/intel/igc/igc_defines.h | 2 +
drivers/net/ethernet/intel/igc/igc_main.c | 245 +++++++++---
drivers/net/ethernet/intel/igc/igc_tsn.c | 11 +-
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 +-
drivers/net/ethernet/mellanox/mlx5/core/health.c | 6 +
.../net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 4 +
drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 +
drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 +
drivers/net/ethernet/neterion/s2io.c | 2 +-
drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 2 +-
drivers/net/ethernet/qlogic/qed/qed_debug.c | 3 +-
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 8 +-
drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h | 10 +-
drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 8 +-
.../ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 +
drivers/net/ethernet/rdc/r6040.c | 5 +-
drivers/net/ethernet/renesas/ravb_main.c | 2 +-
.../net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 3 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h | 2 +-
.../net/ethernet/stmicro/stmmac/stmmac_selftests.c | 8 +-
drivers/net/ethernet/ti/netcp_core.c | 2 +-
drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +-
drivers/net/fddi/defxx.c | 22 +-
drivers/net/hamradio/baycom_epp.c | 2 +-
drivers/net/hamradio/scc.c | 6 +-
drivers/net/macsec.c | 34 +-
drivers/net/ntb_netdev.c | 4 +-
drivers/net/phy/xilinx_gmii2rgmii.c | 1 +
drivers/net/ppp/ppp_generic.c | 2 +
drivers/net/usb/rndis_host.c | 3 +-
drivers/net/veth.c | 5 +-
drivers/net/vmxnet3/vmxnet3_drv.c | 8 +
drivers/net/wan/farsync.c | 2 +
drivers/net/wireless/ath/ar5523/ar5523.c | 6 +
drivers/net/wireless/ath/ath10k/pci.c | 20 +-
drivers/net/wireless/ath/ath9k/hif_usb.c | 46 ++-
.../broadcom/brcm80211/brcmfmac/firmware.c | 5 +
.../wireless/broadcom/brcm80211/brcmfmac/pcie.c | 6 +-
.../wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 +
drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +-
drivers/net/wireless/mediatek/mt76/mt76.h | 3 +-
drivers/net/wireless/microchip/wilc1000/sdio.c | 1 +
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 2 +-
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 26 +-
.../net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 10 +-
drivers/net/wireless/rsi/rsi_91x_core.c | 4 +-
drivers/net/wireless/rsi/rsi_91x_hal.c | 6 +-
drivers/nfc/pn533/pn533.c | 4 +
drivers/nvme/host/nvme.h | 2 +-
drivers/nvme/host/pci.c | 37 +-
drivers/nvme/target/passthru.c | 11 +-
drivers/of/overlay.c | 4 +-
drivers/parisc/led.c | 3 +
drivers/pci/controller/dwc/pcie-designware.c | 2 +-
drivers/pci/endpoint/functions/pci-epf-test.c | 2 +-
drivers/pci/irq.c | 2 +
drivers/pci/pci-sysfs.c | 13 +-
drivers/pci/pci.c | 2 +
drivers/perf/arm_dsu_pmu.c | 6 +-
drivers/perf/arm_smmuv3_pmu.c | 8 +-
drivers/phy/broadcom/phy-brcm-usb.c | 6 +-
drivers/pinctrl/pinconf-generic.c | 4 +-
drivers/platform/chrome/cros_usbpd_notify.c | 6 +-
drivers/platform/x86/huawei-wmi.c | 20 +-
drivers/platform/x86/intel_scu_ipc.c | 2 +-
drivers/platform/x86/mxm-wmi.c | 8 +-
drivers/pnp/core.c | 4 +-
drivers/power/supply/power_supply_core.c | 7 +-
drivers/pwm/pwm-sifive.c | 5 +-
drivers/pwm/pwm-tegra.c | 4 +-
drivers/rapidio/devices/rio_mport_cdev.c | 15 +-
drivers/rapidio/rio-scan.c | 8 +-
drivers/rapidio/rio.c | 9 +-
drivers/regulator/core.c | 15 +-
drivers/remoteproc/qcom_q6v5_pas.c | 4 +
drivers/remoteproc/qcom_sysmon.c | 5 +-
drivers/remoteproc/remoteproc_core.c | 9 +-
drivers/rtc/rtc-cmos.c | 366 ++++++++---------
drivers/rtc/rtc-ds1347.c | 2 +-
drivers/rtc/rtc-mxc_v2.c | 4 +-
drivers/rtc/rtc-pcf85063.c | 10 +-
drivers/rtc/rtc-pic32.c | 8 +-
drivers/rtc/rtc-snvs.c | 16 +-
drivers/rtc/rtc-st-lpc.c | 1 +
drivers/s390/net/ctcm_main.c | 11 +-
drivers/s390/net/lcs.c | 8 +-
drivers/s390/net/netiucv.c | 9 +-
drivers/scsi/fcoe/fcoe.c | 1 +
drivers/scsi/fcoe/fcoe_sysfs.c | 19 +-
drivers/scsi/hpsa.c | 9 +-
drivers/scsi/ipr.c | 10 +-
drivers/scsi/mpt3sas/mpt3sas_transport.c | 2 +
drivers/scsi/scsi_debug.c | 11 +-
drivers/scsi/scsi_error.c | 14 +-
drivers/scsi/snic/snic_disc.c | 3 +
drivers/soc/qcom/Kconfig | 1 +
drivers/soc/qcom/apr.c | 142 ++++---
drivers/soc/qcom/llcc-qcom.c | 2 +-
drivers/soc/ti/knav_qmss_queue.c | 6 +-
drivers/soc/ti/smartreflex.c | 1 +
drivers/soc/ux500/ux500-soc-id.c | 10 +-
drivers/soundwire/intel.c | 8 +-
drivers/soundwire/qcom.c | 8 +-
drivers/soundwire/stream.c | 4 +-
drivers/spi/spi-gpio.c | 16 +-
drivers/spi/spidev.c | 21 +-
drivers/staging/iio/accel/adis16203.c | 1 +
drivers/staging/iio/accel/adis16240.c | 1 +
drivers/staging/media/tegra-video/csi.c | 4 +-
drivers/staging/media/tegra-video/csi.h | 2 +-
drivers/staging/rtl8192e/rtllib_rx.c | 2 +-
drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 4 +-
drivers/thermal/imx8mm_thermal.c | 8 +-
drivers/tty/serial/altera_uart.c | 21 +-
drivers/tty/serial/amba-pl011.c | 14 +-
drivers/tty/serial/fsl_lpuart.c | 18 +-
drivers/tty/serial/pch_uart.c | 4 +
drivers/tty/serial/serial-tegra.c | 6 +-
drivers/tty/serial/serial_core.c | 3 +-
drivers/tty/serial/sunsab.c | 8 +-
drivers/uio/uio_dmem_genirq.c | 13 +-
drivers/usb/dwc3/core.c | 23 +-
drivers/usb/dwc3/dwc3-qcom.c | 13 +-
drivers/usb/gadget/function/f_hid.c | 271 ++++++++++---
drivers/usb/gadget/function/u_hid.h | 1 +
drivers/usb/gadget/udc/fotg210-udc.c | 12 +-
drivers/usb/musb/musb_gadget.c | 2 -
drivers/usb/roles/class.c | 5 +-
drivers/usb/storage/alauda.c | 2 +
drivers/usb/typec/bus.c | 2 +-
drivers/usb/typec/tcpm/tcpci.c | 5 +-
drivers/usb/typec/tps6598x.c | 2 +-
drivers/vfio/platform/vfio_platform_common.c | 3 +-
drivers/vhost/vhost.c | 4 +-
drivers/vhost/vringh.c | 5 +-
drivers/vhost/vsock.c | 9 +-
drivers/video/fbdev/Kconfig | 1 -
drivers/video/fbdev/hyperv_fb.c | 8 +-
drivers/video/fbdev/matrox/matroxfb_base.c | 4 +-
drivers/video/fbdev/pm2fb.c | 9 +-
drivers/video/fbdev/uvesafb.c | 1 +
drivers/video/fbdev/vermilion/vermilion.c | 4 +-
drivers/video/fbdev/via/via-core.c | 9 +-
drivers/vme/bridges/vme_fake.c | 2 +
drivers/vme/bridges/vme_tsi148.c | 1 +
drivers/xen/privcmd.c | 2 +-
fs/afs/fs_probe.c | 5 +-
fs/binfmt_elf_fdpic.c | 5 +-
fs/binfmt_misc.c | 8 +-
fs/btrfs/backref.c | 4 +
fs/btrfs/ioctl.c | 9 +-
fs/btrfs/rcu-string.h | 6 +-
fs/ceph/caps.c | 2 +-
fs/ceph/locks.c | 4 -
fs/ceph/super.h | 1 -
fs/char_dev.c | 2 +-
fs/cifs/cifsfs.c | 8 +-
fs/cifs/cifsglob.h | 69 ++++
fs/cifs/cifsproto.h | 4 +-
fs/cifs/connect.c | 4 +-
fs/cifs/misc.c | 4 +-
fs/cifs/smb2ops.c | 143 ++++---
fs/configfs/dir.c | 2 +
fs/debugfs/file.c | 28 +-
fs/ext4/ext4.h | 9 +-
fs/ext4/extents.c | 8 +
fs/ext4/extents_status.c | 3 +-
fs/ext4/fast_commit.c | 49 ++-
fs/ext4/fast_commit.h | 1 +
fs/ext4/indirect.c | 11 +-
fs/ext4/inline.c | 2 +-
fs/ext4/inode.c | 49 ++-
fs/ext4/ioctl.c | 13 +-
fs/ext4/mballoc.h | 2 +-
fs/ext4/migrate.c | 6 +-
fs/ext4/namei.c | 49 ++-
fs/ext4/resize.c | 6 +-
fs/ext4/super.c | 230 +++++------
fs/ext4/verity.c | 7 +-
fs/ext4/xattr.c | 184 ++++-----
fs/ext4/xattr.h | 1 +
fs/f2fs/gc.c | 11 +-
fs/f2fs/segment.c | 2 +-
fs/hfs/inode.c | 13 +-
fs/hfs/trans.c | 2 +-
fs/hfsplus/hfsplus_fs.h | 2 +
fs/hfsplus/inode.c | 16 +-
fs/hfsplus/options.c | 4 +
fs/hugetlbfs/inode.c | 6 +-
fs/jfs/jfs_dmap.c | 27 +-
fs/libfs.c | 22 +-
fs/locks.c | 23 ++
fs/mbcache.c | 121 ++++--
fs/nfs/namespace.c | 2 +-
fs/nfs/nfs4proc.c | 34 +-
fs/nfs/nfs4state.c | 2 +
fs/nfs/nfs4xdr.c | 12 +-
fs/nfsd/nfs4callback.c | 8 +-
fs/nfsd/nfs4state.c | 51 ++-
fs/nfsd/nfs4xdr.c | 11 +
fs/nfsd/nfssvc.c | 2 +-
fs/nilfs2/the_nilfs.c | 73 +++-
fs/ocfs2/journal.c | 2 +-
fs/ocfs2/journal.h | 1 +
fs/ocfs2/stackglue.c | 8 +-
fs/ocfs2/super.c | 105 ++---
fs/orangefs/orangefs-debugfs.c | 29 +-
fs/orangefs/orangefs-mod.c | 8 +-
fs/overlayfs/dir.c | 46 ++-
fs/overlayfs/super.c | 7 +-
fs/pnode.c | 2 +-
fs/pstore/Kconfig | 1 +
fs/pstore/pmsg.c | 7 +-
fs/pstore/ram.c | 2 +
fs/pstore/ram_core.c | 6 +-
fs/pstore/zone.c | 2 +-
fs/quota/dquot.c | 2 +
fs/reiserfs/namei.c | 4 +
fs/reiserfs/xattr_security.c | 2 +-
fs/sysv/itree.c | 2 +-
fs/udf/inode.c | 2 +-
fs/udf/namei.c | 8 +-
fs/xattr.c | 2 +-
include/linux/debugfs.h | 19 +-
include/linux/devfreq.h | 7 +-
include/linux/efi.h | 2 -
include/linux/eventfd.h | 2 +-
include/linux/fs.h | 18 +-
include/linux/highmem.h | 18 +
include/linux/hyperv.h | 2 +
include/linux/iio/imu/adis.h | 63 +--
include/linux/interrupt.h | 4 +
include/linux/mbcache.h | 41 +-
include/linux/netdevice.h | 58 +--
include/linux/netfilter/ipset/ip_set.h | 2 +-
include/linux/nvme.h | 3 +-
include/linux/proc_fs.h | 2 +
include/linux/skbuff.h | 42 +-
include/linux/soc/qcom/apr.h | 12 +-
include/linux/sunrpc/rpc_pipe_fs.h | 5 +
include/linux/timerqueue.h | 2 +-
include/media/dvbdev.h | 32 +-
include/net/dst.h | 5 +-
include/net/mptcp.h | 12 +-
include/net/mrp.h | 1 +
include/net/pkt_sched.h | 9 +
include/sound/hdaudio.h | 2 +
include/sound/hdaudio_ext.h | 1 -
include/sound/pcm.h | 36 +-
include/sound/soc-dai.h | 32 +-
include/trace/events/ext4.h | 7 +-
include/trace/events/jbd2.h | 44 +--
include/uapi/drm/drm_fourcc.h | 11 +
include/uapi/linux/idxd.h | 2 +-
include/uapi/linux/swab.h | 2 +-
include/uapi/sound/asequencer.h | 8 +-
io_uring/io_uring.c | 2 +-
kernel/Makefile | 2 +-
kernel/acct.c | 2 +
kernel/bpf/btf.c | 5 +
kernel/bpf/verifier.c | 123 +++---
kernel/cpu.c | 4 +-
kernel/events/core.c | 14 +-
kernel/futex/Makefile | 3 +
kernel/{futex.c => futex/core.c} | 30 +-
kernel/gcov/gcc_4_7.c | 5 +
kernel/irq/internals.h | 2 +
kernel/irq/irqdesc.c | 15 +-
kernel/irq/manage.c | 11 +-
kernel/kcsan/core.c | 50 +++
kernel/padata.c | 15 +-
kernel/power/snapshot.c | 4 +-
kernel/rcu/tree.c | 23 +-
kernel/rcu/tree.h | 1 +
kernel/relay.c | 4 +-
kernel/sched/fair.c | 128 +++++-
kernel/trace/blktrace.c | 3 +-
kernel/trace/trace.c | 15 +-
kernel/trace/trace_events_hist.c | 13 +-
lib/Kconfig.debug | 1 -
lib/debugobjects.c | 10 +
lib/fonts/fonts.c | 4 +-
lib/iov_iter.c | 14 -
lib/notifier-error-inject.c | 2 +-
lib/test_firmware.c | 1 +
mm/compaction.c | 18 +-
net/802/mrp.c | 18 +-
net/bluetooth/hci_core.c | 2 +-
net/bluetooth/rfcomm/core.c | 2 +-
net/bpf/test_run.c | 3 -
net/caif/cfctrl.c | 6 +-
net/core/dev.c | 16 +-
net/core/filter.c | 18 +-
net/core/skbuff.c | 9 +-
net/core/sock_map.c | 2 +
net/core/stream.c | 6 +
net/ethtool/ioctl.c | 3 +-
net/hsr/hsr_device.c | 59 +--
net/hsr/hsr_forward.c | 15 +-
net/hsr/hsr_framereg.c | 9 +-
net/hsr/hsr_framereg.h | 2 +
net/ipv4/inet_connection_sock.c | 28 +-
net/ipv4/syncookies.c | 7 +-
net/ipv4/tcp_bpf.c | 8 +-
net/ipv4/tcp_ulp.c | 4 +
net/ipv4/udp_tunnel_core.c | 1 +
net/mac80211/iface.c | 1 +
net/mptcp/subflow.c | 76 +++-
net/netfilter/ipset/ip_set_core.c | 7 +-
net/netfilter/ipset/ip_set_hash_ip.c | 14 +-
net/netfilter/ipset/ip_set_hash_ipmark.c | 13 +-
net/netfilter/ipset/ip_set_hash_ipport.c | 13 +-
net/netfilter/ipset/ip_set_hash_ipportip.c | 13 +-
net/netfilter/ipset/ip_set_hash_ipportnet.c | 13 +-
net/netfilter/ipset/ip_set_hash_net.c | 17 +-
net/netfilter/ipset/ip_set_hash_netiface.c | 15 +-
net/netfilter/ipset/ip_set_hash_netnet.c | 23 +-
net/netfilter/ipset/ip_set_hash_netport.c | 19 +-
net/netfilter/ipset/ip_set_hash_netportnet.c | 40 +-
net/netfilter/nf_conntrack_proto_icmpv6.c | 53 +++
net/netfilter/nf_flow_table_offload.c | 6 +-
net/nfc/netlink.c | 52 ++-
net/openvswitch/datapath.c | 25 +-
net/packet/af_packet.c | 20 +-
net/rxrpc/output.c | 2 +-
net/rxrpc/sendmsg.c | 2 +-
net/sched/cls_tcindex.c | 12 +-
net/sched/ematch.c | 2 +
net/sched/sch_api.c | 5 +
net/sched/sch_atm.c | 5 +-
net/sched/sch_cbq.c | 4 +-
net/sctp/sysctl.c | 73 ++--
net/sunrpc/auth_gss/auth_gss.c | 19 +-
net/sunrpc/auth_gss/svcauth_gss.c | 9 +-
net/sunrpc/clnt.c | 2 +-
net/sunrpc/xprtrdma/verbs.c | 2 +-
net/vmw_vsock/vmci_transport.c | 6 +-
net/wireless/reg.c | 4 +-
samples/vfio-mdev/mdpy-fb.c | 8 +-
security/apparmor/apparmorfs.c | 4 +-
security/apparmor/lsm.c | 4 +-
security/apparmor/policy.c | 2 +-
security/apparmor/policy_ns.c | 2 +-
security/apparmor/policy_unpack.c | 2 +-
security/device_cgroup.c | 33 +-
security/integrity/digsig.c | 6 +-
security/integrity/ima/ima_main.c | 1 +
security/integrity/ima/ima_policy.c | 53 ++-
security/integrity/ima/ima_template.c | 9 +-
security/integrity/platform_certs/load_uefi.c | 1 +
security/loadpin/loadpin.c | 30 +-
sound/core/pcm_native.c | 4 +-
sound/drivers/mts64.c | 3 +
sound/hda/ext/hdac_ext_stream.c | 17 -
sound/hda/hdac_stream.c | 27 ++
sound/pci/asihpi/hpioctl.c | 2 +-
sound/pci/hda/hda_controller.c | 4 +-
sound/pci/hda/patch_hdmi.c | 1 +
sound/pci/hda/patch_realtek.c | 77 ++++
sound/soc/codecs/hdac_hda.c | 22 +-
sound/soc/codecs/max98373-sdw.c | 2 +-
sound/soc/codecs/pcm512x.c | 8 +-
sound/soc/codecs/rt1308-sdw.c | 2 +-
sound/soc/codecs/rt298.c | 7 +
sound/soc/codecs/rt5670.c | 2 -
sound/soc/codecs/rt5682-sdw.c | 2 +-
sound/soc/codecs/rt700.c | 2 +-
sound/soc/codecs/rt711.c | 2 +-
sound/soc/codecs/rt715.c | 2 +-
sound/soc/codecs/wm8994.c | 5 +
sound/soc/codecs/wsa881x.c | 2 +-
sound/soc/generic/audio-graph-card.c | 4 +-
sound/soc/intel/boards/bytcr_rt5640.c | 15 +
sound/soc/intel/boards/sof_sdw.c | 6 +-
sound/soc/intel/skylake/skl-pcm.c | 7 +-
sound/soc/intel/skylake/skl.c | 7 +-
sound/soc/jz4740/jz4740-i2s.c | 39 +-
sound/soc/mediatek/common/mtk-btcvsd.c | 6 +-
sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 71 +++-
sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c | 7 +-
sound/soc/pxa/mmp-pcm.c | 2 +-
sound/soc/qcom/lpass-sc7180.c | 3 +
sound/soc/qcom/sdm845.c | 4 +-
sound/soc/rockchip/rockchip_pdm.c | 1 +
sound/soc/rockchip/rockchip_spdif.c | 1 +
sound/soc/sof/intel/hda-dai.c | 7 +-
sound/usb/line6/driver.c | 3 +-
sound/usb/line6/midi.c | 6 +-
sound/usb/line6/midibuf.c | 25 +-
sound/usb/line6/midibuf.h | 5 +-
sound/usb/line6/pod.c | 3 +-
sound/usb/quirks-table.h | 2 +
tools/arch/parisc/include/uapi/asm/mman.h | 12 +-
tools/lib/bpf/bpf.h | 7 +
tools/lib/bpf/btf_dump.c | 29 +-
tools/lib/bpf/libbpf.c | 3 +
tools/objtool/check.c | 12 +-
tools/perf/bench/bench.h | 12 -
tools/perf/builtin-trace.c | 32 +-
tools/perf/util/data.c | 2 +
tools/perf/util/debug.c | 4 +
tools/perf/util/dwarf-aux.c | 23 +-
tools/perf/util/symbol-elf.c | 2 +-
tools/testing/ktest/ktest.pl | 23 +-
tools/testing/selftests/Makefile | 26 +-
.../selftests/drivers/net/netdevsim/devlink.sh | 4 +-
tools/testing/selftests/efivarfs/efivarfs.sh | 5 +
.../ftrace/test.d/ftrace/func_event_triggers.tc | 15 +-
tools/testing/selftests/lib.mk | 5 +
.../selftests/netfilter/conntrack_icmp_related.sh | 36 +-
.../selftests/powerpc/dscr/dscr_sysfs_test.c | 5 +-
tools/testing/selftests/proc/proc-uptime-002.c | 3 +-
.../selftests/rcutorture/bin/console-badness.sh | 3 +-
747 files changed, 7705 insertions(+), 4186 deletions(-)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 001/783] usb: musb: remove extra check in musb_gadget_vbus_draw
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 002/783] arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins Greg Kroah-Hartman
` (791 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Ivaylo Dimitrov, Sasha Levin
From: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
[ Upstream commit ecec4b20d29c3d6922dafe7d2555254a454272d2 ]
The checks for musb->xceiv and musb->xceiv->set_power duplicate those in
usb_phy_set_power(), so there is no need of them. Moreover, not calling
usb_phy_set_power() results in usb_phy_set_charger_current() not being
called, so current USB config max current is not propagated through USB
charger framework and charger drivers may try to draw more current than
allowed or possible.
Fix that by removing those extra checks and calling usb_phy_set_power()
directly.
Tested on Motorola Droid4 and Nokia N900
Fixes: a9081a008f84 ("usb: phy: Add USB charger support")
Cc: stable <stable@kernel.org>
Signed-off-by: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
Link: https://lore.kernel.org/r/1669400475-4762-1-git-send-email-ivo.g.dimitrov.75@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/musb/musb_gadget.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
index c273eee35aaa..8dc657c71541 100644
--- a/drivers/usb/musb/musb_gadget.c
+++ b/drivers/usb/musb/musb_gadget.c
@@ -1628,8 +1628,6 @@ static int musb_gadget_vbus_draw(struct usb_gadget *gadget, unsigned mA)
{
struct musb *musb = gadget_to_musb(gadget);
- if (!musb->xceiv->set_power)
- return -EOPNOTSUPP;
return usb_phy_set_power(musb->xceiv, mA);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 002/783] arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 001/783] usb: musb: remove extra check in musb_gadget_vbus_draw Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 003/783] arm64: dts: qcom: msm8996: fix GPU OPP table Greg Kroah-Hartman
` (790 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Bjorn Andersson, Konrad Dybcio, Sasha Levin
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 4871d3c38893c8a585e3e96364b7fb91cda8322e ]
When BLSPI1 (originally SPI0, later renamed in commit f82c48d46852
("arm64: dts: qcom: ipq6018: correct QUP peripheral labels")) was added,
the device node lacked respective pin configuration assignment.
Fixes: 5bf635621245 ("arm64: dts: ipq6018: Add a few device nodes")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221006124659.217540-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts b/arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts
index e8eaa958c199..b867506bc7e1 100644
--- a/arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts
+++ b/arch/arm64/boot/dts/qcom/ipq6018-cp01-c1.dts
@@ -37,6 +37,8 @@ &i2c_1 {
&spi_0 {
cs-select = <0>;
+ pinctrl-0 = <&spi_0_pins>;
+ pinctrl-names = "default";
status = "okay";
m25p80@0 {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 003/783] arm64: dts: qcom: msm8996: fix GPU OPP table
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 001/783] usb: musb: remove extra check in musb_gadget_vbus_draw Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 002/783] arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 004/783] ARM: dts: qcom: apq8064: fix coresight compatible Greg Kroah-Hartman
` (789 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov,
Krzysztof Kozlowski, Bjorn Andersson, Sasha Levin
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit 0d440d811e6e2f37093e54db55bc27fe66678170 ]
Fix Adreno OPP table according to the msm-3.18. Enable 624 MHz for the
speed bin 3 and 560 MHz for bins 2 and 3.
Fixes: 69cc3114ab0f ("arm64: dts: Add Adreno GPU definitions")
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20220724140421.1933004-7-dmitry.baryshkov@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8996.dtsi | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
index ef5d03a15069..bc140269e4cc 100644
--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
@@ -651,17 +651,17 @@ gpu_opp_table: opp-table {
compatible ="operating-points-v2";
/*
- * 624Mhz and 560Mhz are only available on speed
- * bin (1 << 0). All the rest are available on
- * all bins of the hardware
+ * 624Mhz is only available on speed bins 0 and 3.
+ * 560Mhz is only available on speed bins 0, 2 and 3.
+ * All the rest are available on all bins of the hardware.
*/
opp-624000000 {
opp-hz = /bits/ 64 <624000000>;
- opp-supported-hw = <0x01>;
+ opp-supported-hw = <0x09>;
};
opp-560000000 {
opp-hz = /bits/ 64 <560000000>;
- opp-supported-hw = <0x01>;
+ opp-supported-hw = <0x0d>;
};
opp-510000000 {
opp-hz = /bits/ 64 <510000000>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 004/783] ARM: dts: qcom: apq8064: fix coresight compatible
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 003/783] arm64: dts: qcom: msm8996: fix GPU OPP table Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 005/783] arm64: dts: qcom: sdm630: fix UART1 pin bias Greg Kroah-Hartman
` (788 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Krzysztof Kozlowski,
Konrad Dybcio, Bjorn Andersson, Sasha Levin
From: Luca Weiss <luca@z3ntu.xyz>
[ Upstream commit a42b1ee868361f1cb0492f1bdaefb43e0751e468 ]
There's a typo missing the arm, prefix of arm,coresight-etb10. Fix it to
make devicetree validation happier.
Signed-off-by: Luca Weiss <luca@z3ntu.xyz>
Fixes: 7a5c275fd821 ("ARM: dts: qcom: Add apq8064 CoreSight components")
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221013190657.48499-3-luca@z3ntu.xyz
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/qcom-apq8064.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/qcom-apq8064.dtsi b/arch/arm/boot/dts/qcom-apq8064.dtsi
index 72c4a9fc41a2..fb25ede1ce9f 100644
--- a/arch/arm/boot/dts/qcom-apq8064.dtsi
+++ b/arch/arm/boot/dts/qcom-apq8064.dtsi
@@ -1571,7 +1571,7 @@ wifi {
};
etb@1a01000 {
- compatible = "coresight-etb10", "arm,primecell";
+ compatible = "arm,coresight-etb10", "arm,primecell";
reg = <0x1a01000 0x1000>;
clocks = <&rpmcc RPM_QDSS_CLK>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 005/783] arm64: dts: qcom: sdm630: fix UART1 pin bias
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 004/783] ARM: dts: qcom: apq8064: fix coresight compatible Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 006/783] arm64: dts: qcom: sdm845-cheza: fix AP suspend " Greg Kroah-Hartman
` (787 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Douglas Anderson, Bjorn Andersson, Sasha Levin
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 780f836fe071a9e8703fe6a05ae00129acf83391 ]
There is no "bias-no-pull" property. Assume intentions were disabling
bias.
Fixes: b190fb010664 ("arm64: dts: qcom: sdm630: Add sdm630 dts file")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221010114417.29859-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm630.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sdm630.dtsi b/arch/arm64/boot/dts/qcom/sdm630.dtsi
index f87054575ce7..79d260c2b3c3 100644
--- a/arch/arm64/boot/dts/qcom/sdm630.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm630.dtsi
@@ -593,7 +593,7 @@ rx-cts-rts {
pins = "gpio17", "gpio18", "gpio19";
function = "gpio";
drive-strength = <2>;
- bias-no-pull;
+ bias-disable;
};
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 006/783] arm64: dts: qcom: sdm845-cheza: fix AP suspend pin bias
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 005/783] arm64: dts: qcom: sdm630: fix UART1 pin bias Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 007/783] arm64: dts: qcom: msm8916: Drop MSS fallback compatible Greg Kroah-Hartman
` (786 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Douglas Anderson, Bjorn Andersson, Sasha Levin
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 9bce41fab14da8f21027dc9847535ef5e22cbe8b ]
There is no "bias-no-pull" property. Assume intentions were disabling
bias.
Fixes: 79e7739f7b87 ("arm64: dts: qcom: sdm845-cheza: add initial cheza dt")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221010114417.29859-3-krzysztof.kozlowski@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi b/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi
index 64fc1bfd66fa..26f6f193bd1b 100644
--- a/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi
+++ b/arch/arm64/boot/dts/qcom/sdm845-cheza.dtsi
@@ -1292,7 +1292,7 @@ ap_suspend_l_assert: ap_suspend_l_assert {
config {
pins = "gpio126";
function = "gpio";
- bias-no-pull;
+ bias-disable;
drive-strength = <2>;
output-low;
};
@@ -1302,7 +1302,7 @@ ap_suspend_l_deassert: ap_suspend_l_deassert {
config {
pins = "gpio126";
function = "gpio";
- bias-no-pull;
+ bias-disable;
drive-strength = <2>;
output-high;
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 007/783] arm64: dts: qcom: msm8916: Drop MSS fallback compatible
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 006/783] arm64: dts: qcom: sdm845-cheza: fix AP suspend " Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 008/783] objtool, kcsan: Add volatile read/write instrumentation to whitelist Greg Kroah-Hartman
` (785 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold,
Krzysztof Kozlowski, Bjorn Andersson, Sasha Levin
From: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
[ Upstream commit ff02ac621634e82c0c34d02a79d402ae700cdfd0 ]
MSM8916 was originally using the "qcom,q6v5-pil" compatible for the
MSS remoteproc. Later it was decided to use SoC-specific compatibles
instead, so "qcom,msm8916-mss-pil" is now the preferred compatible.
Commit 60a05ed059a0 ("arm64: dts: qcom: msm8916: Add MSM8916-specific
compatibles to SCM/MSS") updated the MSM8916 device tree to make use of
the new compatible but still kept the old "qcom,q6v5-pil" as fallback.
This is inconsistent with other SoCs and conflicts with the description
in the binding documentation (which says that only one compatible should
be present). Also, it has no functional advantage since older kernels
could not handle this DT anyway (e.g. "power-domains" in the MSS node is
only supported by kernels that also support "qcom,msm8916-mss-pil").
Make this consistent with other SoCs by using only the
"qcom,msm8916-mss-pil" compatible.
Fixes: 60a05ed059a0 ("arm64: dts: qcom: msm8916: Add MSM8916-specific compatibles to SCM/MSS")
Signed-off-by: Stephan Gerhold <stephan.gerhold@kernkonzept.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20220718140344.1831731-2-stephan.gerhold@kernkonzept.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
index 291276a38d7c..c32e4a3833f2 100644
--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
@@ -1249,7 +1249,7 @@ spmi_bus: spmi@200f000 {
};
mpss: remoteproc@4080000 {
- compatible = "qcom,msm8916-mss-pil", "qcom,q6v5-pil";
+ compatible = "qcom,msm8916-mss-pil";
reg = <0x04080000 0x100>,
<0x04020000 0x040>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 008/783] objtool, kcsan: Add volatile read/write instrumentation to whitelist
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 007/783] arm64: dts: qcom: msm8916: Drop MSS fallback compatible Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 009/783] ARM: dts: stm32: Drop stm32mp15xc.dtsi from Avenger96 Greg Kroah-Hartman
` (784 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marco Elver, Dmitry Vyukov,
Paul E. McKenney, Sasha Levin
From: Marco Elver <elver@google.com>
[ Upstream commit 63646fcba5bb4b59a19031c21913f94e46a3d0d4 ]
Adds KCSAN's volatile instrumentation to objtool's uaccess whitelist.
Recent kernel change have shown that this was missing from the uaccess
whitelist (since the first upstreamed version of KCSAN):
mm/gup.o: warning: objtool: fault_in_readable+0x101: call to __tsan_volatile_write1() with UACCESS enabled
Fixes: 75d75b7a4d54 ("kcsan: Support distinguishing volatile accesses")
Signed-off-by: Marco Elver <elver@google.com>
Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/check.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index ea80b29b9913..5d64b673da2d 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -802,6 +802,16 @@ static const char *uaccess_safe_builtin[] = {
"__tsan_read_write4",
"__tsan_read_write8",
"__tsan_read_write16",
+ "__tsan_volatile_read1",
+ "__tsan_volatile_read2",
+ "__tsan_volatile_read4",
+ "__tsan_volatile_read8",
+ "__tsan_volatile_read16",
+ "__tsan_volatile_write1",
+ "__tsan_volatile_write2",
+ "__tsan_volatile_write4",
+ "__tsan_volatile_write8",
+ "__tsan_volatile_write16",
"__tsan_atomic8_load",
"__tsan_atomic16_load",
"__tsan_atomic32_load",
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 009/783] ARM: dts: stm32: Drop stm32mp15xc.dtsi from Avenger96
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 008/783] objtool, kcsan: Add volatile read/write instrumentation to whitelist Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 010/783] ARM: dts: stm32: Fix AV96 WLAN regulator gpio property Greg Kroah-Hartman
` (783 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Patrice Chotard,
Manivannan Sadhasivam, Alexandre Torgue, Sasha Levin
From: Marek Vasut <marex@denx.de>
[ Upstream commit 3b835f1b8acef53c8882b25f40f48d7f5982c938 ]
The Avenger96 is populated with STM32MP157A DHCOR SoM, drop the
stm32mp15xc.dtsi which should only be included in DTs of devices
which are populated with STM32MP15xC/F SoC as the stm32mp15xc.dtsi
enables CRYP block not present in the STM32MP15xA/D SoC .
Fixes: 7e76f82acd9e1 ("ARM: dts: stm32: Split Avenger96 into DHCOR SoM and Avenger96 board")
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts b/arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts
index 2e3c9fbb4eb3..275167f26fd9 100644
--- a/arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts
+++ b/arch/arm/boot/dts/stm32mp157a-dhcor-avenger96.dts
@@ -13,7 +13,6 @@
/dts-v1/;
#include "stm32mp157.dtsi"
-#include "stm32mp15xc.dtsi"
#include "stm32mp15xx-dhcor-som.dtsi"
#include "stm32mp15xx-dhcor-avenger96.dtsi"
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 010/783] ARM: dts: stm32: Fix AV96 WLAN regulator gpio property
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 009/783] ARM: dts: stm32: Drop stm32mp15xc.dtsi from Avenger96 Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 011/783] drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static Greg Kroah-Hartman
` (782 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Alexandre Torgue, Sasha Levin
From: Marek Vasut <marex@denx.de>
[ Upstream commit d5d577e3d50713ad11d98dbdaa48bb494346c26d ]
The WLAN regulator uses 'gpios' property instead of 'gpio' to specify
regulator enable GPIO. While the former is also currently handled by
the Linux kernel regulator-fixed driver, the later is the correct one
per DT bindings. Update the DT to use the later.
Fixes: 7dd5cbba42c93 ("ARM: dts: stm32: Enable WiFi on AV96")
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
index f3e0c790a4b1..723b39bb2129 100644
--- a/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
+++ b/arch/arm/boot/dts/stm32mp15xx-dhcor-avenger96.dtsi
@@ -100,7 +100,7 @@ wlan_pwr: regulator-wlan {
regulator-min-microvolt = <3300000>;
regulator-max-microvolt = <3300000>;
- gpios = <&gpioz 3 GPIO_ACTIVE_HIGH>;
+ gpio = <&gpioz 3 GPIO_ACTIVE_HIGH>;
enable-active-high;
};
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 011/783] drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 010/783] ARM: dts: stm32: Fix AV96 WLAN regulator gpio property Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 012/783] soc: qcom: llcc: make irq truly optional Greg Kroah-Hartman
` (781 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Jiahao, Nishanth Menon, Sasha Levin
From: Chen Jiahao <chenjiahao16@huawei.com>
[ Upstream commit adf85adc2a7199b41e7a4da083bd17274a3d6969 ]
There is a sparse warning shown below:
drivers/soc/ti/knav_qmss_queue.c:70:12: warning: symbol
'knav_acc_firmwares' was not declared. Should it be static?
Since 'knav_acc_firmwares' is only called within knav_qmss_queue.c,
mark it as static to fix the warning.
Fixes: 96ee19becc3b ("soc: ti: add firmware file name as part of the driver")
Signed-off-by: Chen Jiahao <chenjiahao16@huawei.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Link: https://lore.kernel.org/r/20221019153212.72350-1-chenjiahao16@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/ti/knav_qmss_queue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c
index 53e36d4328d1..baab7d558a69 100644
--- a/drivers/soc/ti/knav_qmss_queue.c
+++ b/drivers/soc/ti/knav_qmss_queue.c
@@ -67,7 +67,7 @@ static DEFINE_MUTEX(knav_dev_lock);
* Newest followed by older ones. Search is done from start of the array
* until a firmware file is found.
*/
-const char *knav_acc_firmwares[] = {"ks2_qmss_pdsp_acc48.bin"};
+static const char * const knav_acc_firmwares[] = {"ks2_qmss_pdsp_acc48.bin"};
static bool device_ready;
bool knav_qmss_device_ready(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 012/783] soc: qcom: llcc: make irq truly optional
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 011/783] drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 013/783] soc: qcom: apr: make code more reuseable Greg Kroah-Hartman
` (780 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luca Weiss, Bjorn Andersson, Sasha Levin
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit c882c899ead3545102a4d71b5fbe73b9e4bc2657 ]
The function platform_get_irq prints an error message into the kernel
log when the irq isn't found.
Since the interrupt is actually optional and not provided by some SoCs,
use platform_get_irq_optional which does not print an error message.
Fixes: c081f3060fab ("soc: qcom: Add support to register LLCC EDAC driver")
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221104153041.412020-1-luca.weiss@fairphone.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/llcc-qcom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/soc/qcom/llcc-qcom.c b/drivers/soc/qcom/llcc-qcom.c
index 2e06f48d683d..c60fe98f03e3 100644
--- a/drivers/soc/qcom/llcc-qcom.c
+++ b/drivers/soc/qcom/llcc-qcom.c
@@ -476,7 +476,7 @@ static int qcom_llcc_probe(struct platform_device *pdev)
if (ret)
goto err;
- drv_data->ecc_irq = platform_get_irq(pdev, 0);
+ drv_data->ecc_irq = platform_get_irq_optional(pdev, 0);
if (drv_data->ecc_irq >= 0) {
llcc_edac = platform_device_register_data(&pdev->dev,
"qcom_llcc_edac", -1, drv_data,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 013/783] soc: qcom: apr: make code more reuseable
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 012/783] soc: qcom: llcc: make irq truly optional Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 014/783] soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index Greg Kroah-Hartman
` (779 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla,
Pierre-Louis Bossart, Bjorn Andersson, Sasha Levin
From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
[ Upstream commit 99139b80c1b3d73026ed8be2de42c52e2976ab64 ]
APR and other packet routers like GPR are pretty much same and
interact with other drivers in similar way.
Ex: GPR ports can be considered as APR services, only difference
is they are allocated dynamically.
Other difference is packet layout, which should not matter
with the apis abstracted. Apart from this the rest of the
functionality is pretty much identical across APR and GPR.
Make the apr code more reusable by abstracting it service level,
rather than device level so that we do not need to write
new drivers for other new packet routers like GPR.
This patch is in preparation to add GPR support to this driver.
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20210927135559.738-4-srinivas.kandagatla@linaro.org
Stable-dep-of: 6d7860f5750d ("soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/apr.c | 129 +++++++++++++++++++++--------------
include/linux/soc/qcom/apr.h | 12 +++-
2 files changed, 90 insertions(+), 51 deletions(-)
diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c
index f736d208362c..8fed91822cae 100644
--- a/drivers/soc/qcom/apr.c
+++ b/drivers/soc/qcom/apr.c
@@ -15,13 +15,18 @@
#include <linux/rpmsg.h>
#include <linux/of.h>
-struct apr {
+enum {
+ PR_TYPE_APR = 0,
+};
+
+struct packet_router {
struct rpmsg_endpoint *ch;
struct device *dev;
spinlock_t svcs_lock;
spinlock_t rx_lock;
struct idr svcs_idr;
int dest_domain_id;
+ int type;
struct pdr_handle *pdr;
struct workqueue_struct *rxwq;
struct work_struct rx_work;
@@ -44,21 +49,21 @@ struct apr_rx_buf {
*/
int apr_send_pkt(struct apr_device *adev, struct apr_pkt *pkt)
{
- struct apr *apr = dev_get_drvdata(adev->dev.parent);
+ struct packet_router *apr = dev_get_drvdata(adev->dev.parent);
struct apr_hdr *hdr;
unsigned long flags;
int ret;
- spin_lock_irqsave(&adev->lock, flags);
+ spin_lock_irqsave(&adev->svc.lock, flags);
hdr = &pkt->hdr;
hdr->src_domain = APR_DOMAIN_APPS;
- hdr->src_svc = adev->svc_id;
+ hdr->src_svc = adev->svc.id;
hdr->dest_domain = adev->domain_id;
- hdr->dest_svc = adev->svc_id;
+ hdr->dest_svc = adev->svc.id;
ret = rpmsg_trysend(apr->ch, pkt, hdr->pkt_size);
- spin_unlock_irqrestore(&adev->lock, flags);
+ spin_unlock_irqrestore(&adev->svc.lock, flags);
return ret ? ret : hdr->pkt_size;
}
@@ -74,7 +79,7 @@ static void apr_dev_release(struct device *dev)
static int apr_callback(struct rpmsg_device *rpdev, void *buf,
int len, void *priv, u32 addr)
{
- struct apr *apr = dev_get_drvdata(&rpdev->dev);
+ struct packet_router *apr = dev_get_drvdata(&rpdev->dev);
struct apr_rx_buf *abuf;
unsigned long flags;
@@ -100,11 +105,11 @@ static int apr_callback(struct rpmsg_device *rpdev, void *buf,
return 0;
}
-
-static int apr_do_rx_callback(struct apr *apr, struct apr_rx_buf *abuf)
+static int apr_do_rx_callback(struct packet_router *apr, struct apr_rx_buf *abuf)
{
uint16_t hdr_size, msg_type, ver, svc_id;
- struct apr_device *svc = NULL;
+ struct pkt_router_svc *svc;
+ struct apr_device *adev;
struct apr_driver *adrv = NULL;
struct apr_resp_pkt resp;
struct apr_hdr *hdr;
@@ -145,12 +150,15 @@ static int apr_do_rx_callback(struct apr *apr, struct apr_rx_buf *abuf)
svc_id = hdr->dest_svc;
spin_lock_irqsave(&apr->svcs_lock, flags);
svc = idr_find(&apr->svcs_idr, svc_id);
- if (svc && svc->dev.driver)
- adrv = to_apr_driver(svc->dev.driver);
+ if (svc && svc->dev->driver) {
+ adev = svc_to_apr_device(svc);
+ adrv = to_apr_driver(adev->dev.driver);
+ }
spin_unlock_irqrestore(&apr->svcs_lock, flags);
- if (!adrv) {
- dev_err(apr->dev, "APR: service is not registered\n");
+ if (!adrv || !adev) {
+ dev_err(apr->dev, "APR: service is not registered (%d)\n",
+ svc_id);
return -EINVAL;
}
@@ -164,20 +172,26 @@ static int apr_do_rx_callback(struct apr *apr, struct apr_rx_buf *abuf)
if (resp.payload_size > 0)
resp.payload = buf + hdr_size;
- adrv->callback(svc, &resp);
+ adrv->callback(adev, &resp);
return 0;
}
static void apr_rxwq(struct work_struct *work)
{
- struct apr *apr = container_of(work, struct apr, rx_work);
+ struct packet_router *apr = container_of(work, struct packet_router, rx_work);
struct apr_rx_buf *abuf, *b;
unsigned long flags;
if (!list_empty(&apr->rx_list)) {
list_for_each_entry_safe(abuf, b, &apr->rx_list, node) {
- apr_do_rx_callback(apr, abuf);
+ switch (apr->type) {
+ case PR_TYPE_APR:
+ apr_do_rx_callback(apr, abuf);
+ break;
+ default:
+ break;
+ }
spin_lock_irqsave(&apr->rx_lock, flags);
list_del(&abuf->node);
spin_unlock_irqrestore(&apr->rx_lock, flags);
@@ -201,7 +215,7 @@ static int apr_device_match(struct device *dev, struct device_driver *drv)
while (id->domain_id != 0 || id->svc_id != 0) {
if (id->domain_id == adev->domain_id &&
- id->svc_id == adev->svc_id)
+ id->svc_id == adev->svc.id)
return 1;
id++;
}
@@ -221,14 +235,14 @@ static int apr_device_remove(struct device *dev)
{
struct apr_device *adev = to_apr_device(dev);
struct apr_driver *adrv;
- struct apr *apr = dev_get_drvdata(adev->dev.parent);
+ struct packet_router *apr = dev_get_drvdata(adev->dev.parent);
if (dev->driver) {
adrv = to_apr_driver(dev->driver);
if (adrv->remove)
adrv->remove(adev);
spin_lock(&apr->svcs_lock);
- idr_remove(&apr->svcs_idr, adev->svc_id);
+ idr_remove(&apr->svcs_idr, adev->svc.id);
spin_unlock(&apr->svcs_lock);
}
@@ -257,28 +271,39 @@ struct bus_type aprbus = {
EXPORT_SYMBOL_GPL(aprbus);
static int apr_add_device(struct device *dev, struct device_node *np,
- const struct apr_device_id *id)
+ u32 svc_id, u32 domain_id)
{
- struct apr *apr = dev_get_drvdata(dev);
+ struct packet_router *apr = dev_get_drvdata(dev);
struct apr_device *adev = NULL;
+ struct pkt_router_svc *svc;
int ret;
adev = kzalloc(sizeof(*adev), GFP_KERNEL);
if (!adev)
return -ENOMEM;
- spin_lock_init(&adev->lock);
+ adev->svc_id = svc_id;
+ svc = &adev->svc;
+
+ svc->id = svc_id;
+ svc->pr = apr;
+ svc->priv = adev;
+ svc->dev = dev;
+ spin_lock_init(&svc->lock);
+
+ adev->domain_id = domain_id;
- adev->svc_id = id->svc_id;
- adev->domain_id = id->domain_id;
- adev->version = id->svc_version;
if (np)
snprintf(adev->name, APR_NAME_SIZE, "%pOFn", np);
- else
- strscpy(adev->name, id->name, APR_NAME_SIZE);
- dev_set_name(&adev->dev, "aprsvc:%s:%x:%x", adev->name,
- id->domain_id, id->svc_id);
+ switch (apr->type) {
+ case PR_TYPE_APR:
+ dev_set_name(&adev->dev, "aprsvc:%s:%x:%x", adev->name,
+ domain_id, svc_id);
+ break;
+ default:
+ break;
+ }
adev->dev.bus = &aprbus;
adev->dev.parent = dev;
@@ -287,8 +312,7 @@ static int apr_add_device(struct device *dev, struct device_node *np,
adev->dev.driver = NULL;
spin_lock(&apr->svcs_lock);
- idr_alloc(&apr->svcs_idr, adev, id->svc_id,
- id->svc_id + 1, GFP_ATOMIC);
+ idr_alloc(&apr->svcs_idr, svc, svc_id, svc_id + 1, GFP_ATOMIC);
spin_unlock(&apr->svcs_lock);
of_property_read_string_index(np, "qcom,protection-domain",
@@ -308,7 +332,7 @@ static int apr_add_device(struct device *dev, struct device_node *np,
static int of_apr_add_pd_lookups(struct device *dev)
{
const char *service_name, *service_path;
- struct apr *apr = dev_get_drvdata(dev);
+ struct packet_router *apr = dev_get_drvdata(dev);
struct device_node *node;
struct pdr_service *pds;
int ret;
@@ -340,13 +364,14 @@ static int of_apr_add_pd_lookups(struct device *dev)
static void of_register_apr_devices(struct device *dev, const char *svc_path)
{
- struct apr *apr = dev_get_drvdata(dev);
+ struct packet_router *apr = dev_get_drvdata(dev);
struct device_node *node;
const char *service_path;
int ret;
for_each_child_of_node(dev->of_node, node) {
- struct apr_device_id id = { {0} };
+ u32 svc_id;
+ u32 domain_id;
/*
* This function is called with svc_path NULL during
@@ -376,13 +401,13 @@ static void of_register_apr_devices(struct device *dev, const char *svc_path)
continue;
}
- if (of_property_read_u32(node, "reg", &id.svc_id))
+ if (of_property_read_u32(node, "reg", &svc_id))
continue;
- id.domain_id = apr->dest_domain_id;
+ domain_id = apr->dest_domain_id;
- if (apr_add_device(dev, node, &id))
- dev_err(dev, "Failed to add apr %d svc\n", id.svc_id);
+ if (apr_add_device(dev, node, svc_id, domain_id))
+ dev_err(dev, "Failed to add apr %d svc\n", svc_id);
}
}
@@ -402,7 +427,7 @@ static int apr_remove_device(struct device *dev, void *svc_path)
static void apr_pd_status(int state, char *svc_path, void *priv)
{
- struct apr *apr = (struct apr *)priv;
+ struct packet_router *apr = (struct packet_router *)priv;
switch (state) {
case SERVREG_SERVICE_STATE_UP:
@@ -417,16 +442,20 @@ static void apr_pd_status(int state, char *svc_path, void *priv)
static int apr_probe(struct rpmsg_device *rpdev)
{
struct device *dev = &rpdev->dev;
- struct apr *apr;
+ struct packet_router *apr;
int ret;
apr = devm_kzalloc(dev, sizeof(*apr), GFP_KERNEL);
if (!apr)
return -ENOMEM;
- ret = of_property_read_u32(dev->of_node, "qcom,apr-domain", &apr->dest_domain_id);
+ ret = of_property_read_u32(dev->of_node, "qcom,domain", &apr->dest_domain_id);
+ if (ret) /* try deprecated apr-domain property */
+ ret = of_property_read_u32(dev->of_node, "qcom,apr-domain",
+ &apr->dest_domain_id);
+ apr->type = PR_TYPE_APR;
if (ret) {
- dev_err(dev, "APR Domain ID not specified in DT\n");
+ dev_err(dev, "Domain ID not specified in DT\n");
return ret;
}
@@ -469,7 +498,7 @@ static int apr_probe(struct rpmsg_device *rpdev)
static void apr_remove(struct rpmsg_device *rpdev)
{
- struct apr *apr = dev_get_drvdata(&rpdev->dev);
+ struct packet_router *apr = dev_get_drvdata(&rpdev->dev);
pdr_handle_release(apr->pdr);
device_for_each_child(&rpdev->dev, NULL, apr_remove_device);
@@ -506,20 +535,20 @@ void apr_driver_unregister(struct apr_driver *drv)
}
EXPORT_SYMBOL_GPL(apr_driver_unregister);
-static const struct of_device_id apr_of_match[] = {
+static const struct of_device_id pkt_router_of_match[] = {
{ .compatible = "qcom,apr"},
{ .compatible = "qcom,apr-v2"},
{}
};
-MODULE_DEVICE_TABLE(of, apr_of_match);
+MODULE_DEVICE_TABLE(of, pkt_router_of_match);
-static struct rpmsg_driver apr_driver = {
+static struct rpmsg_driver packet_router_driver = {
.probe = apr_probe,
.remove = apr_remove,
.callback = apr_callback,
.drv = {
.name = "qcom,apr",
- .of_match_table = apr_of_match,
+ .of_match_table = pkt_router_of_match,
},
};
@@ -529,7 +558,7 @@ static int __init apr_init(void)
ret = bus_register(&aprbus);
if (!ret)
- ret = register_rpmsg_driver(&apr_driver);
+ ret = register_rpmsg_driver(&packet_router_driver);
else
bus_unregister(&aprbus);
@@ -539,7 +568,7 @@ static int __init apr_init(void)
static void __exit apr_exit(void)
{
bus_unregister(&aprbus);
- unregister_rpmsg_driver(&apr_driver);
+ unregister_rpmsg_driver(&packet_router_driver);
}
subsys_initcall(apr_init);
diff --git a/include/linux/soc/qcom/apr.h b/include/linux/soc/qcom/apr.h
index 7f0bc3cf4d61..6374763186c8 100644
--- a/include/linux/soc/qcom/apr.h
+++ b/include/linux/soc/qcom/apr.h
@@ -79,6 +79,15 @@ struct apr_resp_pkt {
#define APR_SVC_MAJOR_VERSION(v) ((v >> 16) & 0xFF)
#define APR_SVC_MINOR_VERSION(v) (v & 0xFF)
+struct packet_router;
+struct pkt_router_svc {
+ struct device *dev;
+ struct packet_router *pr;
+ spinlock_t lock;
+ int id;
+ void *priv;
+};
+
struct apr_device {
struct device dev;
uint16_t svc_id;
@@ -86,11 +95,12 @@ struct apr_device {
uint32_t version;
char name[APR_NAME_SIZE];
const char *service_path;
- spinlock_t lock;
+ struct pkt_router_svc svc;
struct list_head node;
};
#define to_apr_device(d) container_of(d, struct apr_device, dev)
+#define svc_to_apr_device(d) container_of(d, struct apr_device, svc)
struct apr_driver {
int (*probe)(struct apr_device *sl);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 014/783] soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 013/783] soc: qcom: apr: make code more reuseable Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 015/783] arm: dts: spear600: Fix clcd interrupt Greg Kroah-Hartman
` (778 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Bjorn Andersson,
Sasha Levin
From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
[ Upstream commit 6d7860f5750d73da2fa1a1f6c9405058a593fa32 ]
As idr_alloc() and of_property_read_string_index() can return negative
numbers, it should be better to check the return value and deal with
the exception.
Therefore, it should be better to use goto statement to stop and return
error.
Fixes: 6adba21eb434 ("soc: qcom: Add APR bus driver")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221107014403.3606-1-jiasheng@iscas.ac.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/qcom/apr.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/soc/qcom/apr.c b/drivers/soc/qcom/apr.c
index 8fed91822cae..7063e0d42c5e 100644
--- a/drivers/soc/qcom/apr.c
+++ b/drivers/soc/qcom/apr.c
@@ -312,11 +312,19 @@ static int apr_add_device(struct device *dev, struct device_node *np,
adev->dev.driver = NULL;
spin_lock(&apr->svcs_lock);
- idr_alloc(&apr->svcs_idr, svc, svc_id, svc_id + 1, GFP_ATOMIC);
+ ret = idr_alloc(&apr->svcs_idr, svc, svc_id, svc_id + 1, GFP_ATOMIC);
spin_unlock(&apr->svcs_lock);
+ if (ret < 0) {
+ dev_err(dev, "idr_alloc failed: %d\n", ret);
+ goto out;
+ }
- of_property_read_string_index(np, "qcom,protection-domain",
- 1, &adev->service_path);
+ ret = of_property_read_string_index(np, "qcom,protection-domain",
+ 1, &adev->service_path);
+ if (ret < 0) {
+ dev_err(dev, "Failed to read second value of qcom,protection-domain\n");
+ goto out;
+ }
dev_info(dev, "Adding APR dev: %s\n", dev_name(&adev->dev));
@@ -326,6 +334,7 @@ static int apr_add_device(struct device *dev, struct device_node *np,
put_device(&adev->dev);
}
+out:
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 015/783] arm: dts: spear600: Fix clcd interrupt
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 014/783] soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 016/783] soc: ti: knav_qmss_queue: Use pm_runtime_resume_and_get instead of pm_runtime_get_sync Greg Kroah-Hartman
` (777 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kory Maincent, Viresh Kumar,
Arnd Bergmann, Sasha Levin
From: Kory Maincent <kory.maincent@bootlin.com>
[ Upstream commit 0336e2ce34e7a89832b6c214f924eb7bc58940be ]
Interrupt 12 of the Interrupt controller belongs to the SMI controller,
the right one for the display controller is the interrupt 13.
Fixes: 8113ba917dfa ("ARM: SPEAr: DT: Update device nodes")
Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/spear600.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/spear600.dtsi b/arch/arm/boot/dts/spear600.dtsi
index fd41243a0b2c..9d5a04a46b14 100644
--- a/arch/arm/boot/dts/spear600.dtsi
+++ b/arch/arm/boot/dts/spear600.dtsi
@@ -47,7 +47,7 @@ clcd: clcd@fc200000 {
compatible = "arm,pl110", "arm,primecell";
reg = <0xfc200000 0x1000>;
interrupt-parent = <&vic1>;
- interrupts = <12>;
+ interrupts = <13>;
status = "disabled";
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 016/783] soc: ti: knav_qmss_queue: Use pm_runtime_resume_and_get instead of pm_runtime_get_sync
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 015/783] arm: dts: spear600: Fix clcd interrupt Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 017/783] soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe Greg Kroah-Hartman
` (776 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zeal Robot, Minghao Chi,
Nishanth Menon, Sasha Levin
From: Minghao Chi <chi.minghao@zte.com.cn>
[ Upstream commit 12eeb74925da70eb39d90abead9de9793be3d4c8 ]
Using pm_runtime_resume_and_get is more appropriate for simplifying
code.
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Minghao Chi <chi.minghao@zte.com.cn>
Signed-off-by: Nishanth Menon <nm@ti.com>
Link: https://lore.kernel.org/r/20220418062955.2557949-1-chi.minghao@zte.com.cn
Stable-dep-of: e961c0f19450 ("soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/ti/knav_qmss_queue.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c
index baab7d558a69..38e2630eec36 100644
--- a/drivers/soc/ti/knav_qmss_queue.c
+++ b/drivers/soc/ti/knav_qmss_queue.c
@@ -1782,9 +1782,8 @@ static int knav_queue_probe(struct platform_device *pdev)
INIT_LIST_HEAD(&kdev->pdsps);
pm_runtime_enable(&pdev->dev);
- ret = pm_runtime_get_sync(&pdev->dev);
+ ret = pm_runtime_resume_and_get(&pdev->dev);
if (ret < 0) {
- pm_runtime_put_noidle(&pdev->dev);
dev_err(dev, "Failed to enable QMSS\n");
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 017/783] soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 016/783] soc: ti: knav_qmss_queue: Use pm_runtime_resume_and_get instead of pm_runtime_get_sync Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 018/783] soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe Greg Kroah-Hartman
` (775 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Qilong, Nishanth Menon, Sasha Levin
From: Zhang Qilong <zhangqilong3@huawei.com>
[ Upstream commit e961c0f19450fd4a26bd043dd2979990bf12caf6 ]
The pm_runtime_enable will increase power disable depth. Thus
a pairing decrement is needed on the error handling path to
keep it balanced according to context.
Fixes: 41f93af900a2 ("soc: ti: add Keystone Navigator QMSS driver")
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Link: https://lore.kernel.org/r/20221108080322.52268-2-zhangqilong3@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/ti/knav_qmss_queue.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c
index 38e2630eec36..20c84741639e 100644
--- a/drivers/soc/ti/knav_qmss_queue.c
+++ b/drivers/soc/ti/knav_qmss_queue.c
@@ -1784,6 +1784,7 @@ static int knav_queue_probe(struct platform_device *pdev)
pm_runtime_enable(&pdev->dev);
ret = pm_runtime_resume_and_get(&pdev->dev);
if (ret < 0) {
+ pm_runtime_disable(&pdev->dev);
dev_err(dev, "Failed to enable QMSS\n");
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 018/783] soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 017/783] soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 019/783] perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init() Greg Kroah-Hartman
` (774 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Qilong, Nishanth Menon, Sasha Levin
From: Zhang Qilong <zhangqilong3@huawei.com>
[ Upstream commit 69460e68eb662064ab4188d4e129ff31c1f23ed9 ]
The pm_runtime_enable will increase power disable depth. Thus
a pairing decrement is needed on the error handling path to
keep it balanced according to context.
Fixes: 984aa6dbf4ca ("OMAP3: PM: Adding smartreflex driver support.")
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Link: https://lore.kernel.org/r/20221108080322.52268-3-zhangqilong3@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/soc/ti/smartreflex.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/soc/ti/smartreflex.c b/drivers/soc/ti/smartreflex.c
index 5376f3d22f31..1228a0cba132 100644
--- a/drivers/soc/ti/smartreflex.c
+++ b/drivers/soc/ti/smartreflex.c
@@ -942,6 +942,7 @@ static int omap_sr_probe(struct platform_device *pdev)
err_debugfs:
debugfs_remove_recursive(sr_info->dbg_dir);
err_list_del:
+ pm_runtime_disable(&pdev->dev);
list_del(&sr_info->node);
pm_runtime_put_sync(&pdev->dev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 019/783] perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 018/783] soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 020/783] perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init() Greg Kroah-Hartman
` (773 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Can, Suzuki K Poulose,
Will Deacon, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit facafab7611f7b872c6b9eeaff53461ef11f482e ]
dsu_pmu_init() won't remove the callback added by cpuhp_setup_state_multi()
when platform_driver_register() failed. Remove the callback by
cpuhp_remove_multi_state() in fail path.
Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus:
arm-ccn: Prevent hotplug callback leak")
Fixes: 7520fa99246d ("perf: ARM DynamIQ Shared Unit PMU support")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Acked-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20221115070207.32634-2-yuancan@huawei.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/perf/arm_dsu_pmu.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/perf/arm_dsu_pmu.c b/drivers/perf/arm_dsu_pmu.c
index 98e68ed7db85..1db8eccc9735 100644
--- a/drivers/perf/arm_dsu_pmu.c
+++ b/drivers/perf/arm_dsu_pmu.c
@@ -866,7 +866,11 @@ static int __init dsu_pmu_init(void)
if (ret < 0)
return ret;
dsu_pmu_cpuhp_state = ret;
- return platform_driver_register(&dsu_pmu_driver);
+ ret = platform_driver_register(&dsu_pmu_driver);
+ if (ret)
+ cpuhp_remove_multi_state(dsu_pmu_cpuhp_state);
+
+ return ret;
}
static void __exit dsu_pmu_exit(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 020/783] perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 019/783] perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init() Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 021/783] arm64: dts: ti: k3-am65-main: Drop dma-coherent in crypto node Greg Kroah-Hartman
` (772 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Punit Agrawal,
Will Deacon, Sasha Levin
From: Shang XiaoJing <shangxiaojing@huawei.com>
[ Upstream commit 6f2d566b46436a50a80d6445e82879686b89588c ]
arm_smmu_pmu_init() won't remove the callback added by
cpuhp_setup_state_multi() when platform_driver_register() failed. Remove
the callback by cpuhp_remove_multi_state() in fail path.
Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus:
arm-ccn: Prevent hotplug callback leak")
Fixes: 7d839b4b9e00 ("perf/smmuv3: Add arm64 smmuv3 pmu driver")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Reviewed-by: Punit Agrawal <punit.agrawal@bytedance.com>
Link: https://lore.kernel.org/r/20221115115540.6245-3-shangxiaojing@huawei.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/perf/arm_smmuv3_pmu.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/perf/arm_smmuv3_pmu.c b/drivers/perf/arm_smmuv3_pmu.c
index afa8efbdad8f..f5a33dbe7acb 100644
--- a/drivers/perf/arm_smmuv3_pmu.c
+++ b/drivers/perf/arm_smmuv3_pmu.c
@@ -870,6 +870,8 @@ static struct platform_driver smmu_pmu_driver = {
static int __init arm_smmu_pmu_init(void)
{
+ int ret;
+
cpuhp_state_num = cpuhp_setup_state_multi(CPUHP_AP_ONLINE_DYN,
"perf/arm/pmcg:online",
NULL,
@@ -877,7 +879,11 @@ static int __init arm_smmu_pmu_init(void)
if (cpuhp_state_num < 0)
return cpuhp_state_num;
- return platform_driver_register(&smmu_pmu_driver);
+ ret = platform_driver_register(&smmu_pmu_driver);
+ if (ret)
+ cpuhp_remove_multi_state(cpuhp_state_num);
+
+ return ret;
}
module_init(arm_smmu_pmu_init);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 021/783] arm64: dts: ti: k3-am65-main: Drop dma-coherent in crypto node
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 020/783] perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init() Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 022/783] arm64: dts: ti: k3-j721e-main: " Greg Kroah-Hartman
` (771 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jayesh Choudhary, Nishanth Menon,
Manorit Chawdhry, Sasha Levin
From: Jayesh Choudhary <j-choudhary@ti.com>
[ Upstream commit b86833ab3653dbb0dc453eec4eef8615e63de4e2 ]
crypto driver itself is not dma-coherent. So drop it.
Fixes: b366b2409c97 ("arm64: dts: ti: k3-am6: Add crypto accelarator node")
Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Reviewed-by: Manorit Chawdhry <m-chawdhry@ti.com>
Link: https://lore.kernel.org/r/20221031152520.355653-2-j-choudhary@ti.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-am65-main.dtsi | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
index d04189771c77..4265f627ca16 100644
--- a/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-am65-main.dtsi
@@ -127,7 +127,6 @@ crypto: crypto@4e00000 {
dmas = <&main_udmap 0xc000>, <&main_udmap 0x4000>,
<&main_udmap 0x4001>;
dma-names = "tx", "rx1", "rx2";
- dma-coherent;
rng: rng@4e10000 {
compatible = "inside-secure,safexcel-eip76";
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 022/783] arm64: dts: ti: k3-j721e-main: Drop dma-coherent in crypto node
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 021/783] arm64: dts: ti: k3-am65-main: Drop dma-coherent in crypto node Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 023/783] arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators Greg Kroah-Hartman
` (770 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jayesh Choudhary, Nishanth Menon,
Manorit Chawdhry, Sasha Levin
From: Jayesh Choudhary <j-choudhary@ti.com>
[ Upstream commit 26c5012403f3f1fd3bf8f7d3389ee539ae5cc162 ]
crypto driver itself is not dma-coherent. So drop it.
Fixes: 8ebcaaae8017 ("arm64: dts: ti: k3-j721e-main: Add crypto accelerator node")
Signed-off-by: Jayesh Choudhary <j-choudhary@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>
Reviewed-by: Manorit Chawdhry <m-chawdhry@ti.com>
Link: https://lore.kernel.org/r/20221031152520.355653-3-j-choudhary@ti.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/ti/k3-j721e-main.dtsi | 1 -
1 file changed, 1 deletion(-)
diff --git a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
index 0350ddfe2c72..691d73f0f1e0 100644
--- a/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
+++ b/arch/arm64/boot/dts/ti/k3-j721e-main.dtsi
@@ -367,7 +367,6 @@ main_crypto: crypto@4e00000 {
dmas = <&main_udmap 0xc000>, <&main_udmap 0x4000>,
<&main_udmap 0x4001>;
dma-names = "tx", "rx1", "rx2";
- dma-coherent;
rng: rng@4e10000 {
compatible = "inside-secure,safexcel-eip76";
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 023/783] arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 022/783] arm64: dts: ti: k3-j721e-main: " Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 024/783] arm64: dts: mt2712e: Fix unit address for pinctrl node Greg Kroah-Hartman
` (769 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Matthias Brugger, Sasha Levin
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit e4495a0a8b3d84816c9a46edf3ce060bbf267475 ]
Rename the fixed-clock oscillators to remove the unit address.
This solves unit_address_vs_reg warnings.
Fixes: 5d4839709c8e ("arm64: dts: mt2712: Add clock controller device nodes")
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20221013152212.416661-4-angelogioacchino.delregno@collabora.com
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt2712e.dtsi | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
index db17d0a4ed57..e0b26cd67eb3 100644
--- a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
@@ -160,70 +160,70 @@ sys_clk: dummyclk {
#clock-cells = <0>;
};
- clk26m: oscillator@0 {
+ clk26m: oscillator-26m {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <26000000>;
clock-output-names = "clk26m";
};
- clk32k: oscillator@1 {
+ clk32k: oscillator-32k {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <32768>;
clock-output-names = "clk32k";
};
- clkfpc: oscillator@2 {
+ clkfpc: oscillator-50m {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <50000000>;
clock-output-names = "clkfpc";
};
- clkaud_ext_i_0: oscillator@3 {
+ clkaud_ext_i_0: oscillator-aud0 {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <6500000>;
clock-output-names = "clkaud_ext_i_0";
};
- clkaud_ext_i_1: oscillator@4 {
+ clkaud_ext_i_1: oscillator-aud1 {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <196608000>;
clock-output-names = "clkaud_ext_i_1";
};
- clkaud_ext_i_2: oscillator@5 {
+ clkaud_ext_i_2: oscillator-aud2 {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <180633600>;
clock-output-names = "clkaud_ext_i_2";
};
- clki2si0_mck_i: oscillator@6 {
+ clki2si0_mck_i: oscillator-i2s0 {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <30000000>;
clock-output-names = "clki2si0_mck_i";
};
- clki2si1_mck_i: oscillator@7 {
+ clki2si1_mck_i: oscillator-i2s1 {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <30000000>;
clock-output-names = "clki2si1_mck_i";
};
- clki2si2_mck_i: oscillator@8 {
+ clki2si2_mck_i: oscillator-i2s2 {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <30000000>;
clock-output-names = "clki2si2_mck_i";
};
- clktdmin_mclk_i: oscillator@9 {
+ clktdmin_mclk_i: oscillator-mclk {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <30000000>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 024/783] arm64: dts: mt2712e: Fix unit address for pinctrl node
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 023/783] arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 025/783] arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names Greg Kroah-Hartman
` (768 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Matthias Brugger, Sasha Levin
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 1d4516f53a611b362db7ba7a8889923d469f57e1 ]
The unit address for the pinctrl node is (0x)1000b000 and not
(0x)10005000, which is the syscfg_pctl_a address instead.
This fixes the following warning:
arch/arm64/boot/dts/mediatek/mt2712e.dtsi:264.40-267.4: Warning
(unique_unit_address): /syscfg_pctl_a@10005000: duplicate
unit-address (also used in node /pinctrl@10005000)
Fixes: f0c64340b748 ("arm64: dts: mt2712: add pintcrl device node.")
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20221013152212.416661-5-angelogioacchino.delregno@collabora.com
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt2712e.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
index e0b26cd67eb3..cc3d1c99517d 100644
--- a/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt2712e.dtsi
@@ -266,7 +266,7 @@ syscfg_pctl_a: syscfg_pctl_a@10005000 {
reg = <0 0x10005000 0 0x1000>;
};
- pio: pinctrl@10005000 {
+ pio: pinctrl@1000b000 {
compatible = "mediatek,mt2712-pinctrl";
reg = <0 0x1000b000 0 0x1000>;
mediatek,pctl-regmap = <&syscfg_pctl_a>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 025/783] arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 024/783] arm64: dts: mt2712e: Fix unit address for pinctrl node Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 026/783] arm64: dts: mt2712-evb: Fix usb vbus " Greg Kroah-Hartman
` (767 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Matthias Brugger, Sasha Levin
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 377063156893bf6c088309ac799fe5c6dce2822d ]
Update the names to regulator-vproc-buck{0,1} to fix unit_addres_vs_reg
warnings for those.
Fixes: f75dd8bdd344 ("arm64: dts: mediatek: add mt2712 cpufreq related device nodes")
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20221013152212.416661-6-angelogioacchino.delregno@collabora.com
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt2712-evb.dts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
index 7d369fdd3117..b78d441616b1 100644
--- a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
+++ b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
@@ -26,14 +26,14 @@ chosen {
stdout-path = "serial0:921600n8";
};
- cpus_fixed_vproc0: fixedregulator@0 {
+ cpus_fixed_vproc0: regulator-vproc-buck0 {
compatible = "regulator-fixed";
regulator-name = "vproc_buck0";
regulator-min-microvolt = <1000000>;
regulator-max-microvolt = <1000000>;
};
- cpus_fixed_vproc1: fixedregulator@1 {
+ cpus_fixed_vproc1: regulator-vproc-buck1 {
compatible = "regulator-fixed";
regulator-name = "vproc_buck1";
regulator-min-microvolt = <1000000>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 026/783] arm64: dts: mt2712-evb: Fix usb vbus regulators unit names
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 025/783] arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 027/783] arm64: dts: mediatek: pumpkin-common: Fix devicetree warnings Greg Kroah-Hartman
` (766 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Matthias Brugger, Sasha Levin
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit ec1ae39a8d25cfb067b5459fac7c5b7b9bce6f6a ]
Update the names to regulator-usb-p{0-3}-vbus to fix unit_address_vs_reg
warnings for those.
Fixes: 1724f4cc5133 ("arm64: dts: Add USB3 related nodes for MT2712")
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20221013152212.416661-7-angelogioacchino.delregno@collabora.com
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt2712-evb.dts | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
index b78d441616b1..9d20cabf4f69 100644
--- a/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
+++ b/arch/arm64/boot/dts/mediatek/mt2712-evb.dts
@@ -50,7 +50,7 @@ extcon_usb1: extcon_iddig1 {
id-gpio = <&pio 14 GPIO_ACTIVE_HIGH>;
};
- usb_p0_vbus: regulator@2 {
+ usb_p0_vbus: regulator-usb-p0-vbus {
compatible = "regulator-fixed";
regulator-name = "p0_vbus";
regulator-min-microvolt = <5000000>;
@@ -59,7 +59,7 @@ usb_p0_vbus: regulator@2 {
enable-active-high;
};
- usb_p1_vbus: regulator@3 {
+ usb_p1_vbus: regulator-usb-p1-vbus {
compatible = "regulator-fixed";
regulator-name = "p1_vbus";
regulator-min-microvolt = <5000000>;
@@ -68,7 +68,7 @@ usb_p1_vbus: regulator@3 {
enable-active-high;
};
- usb_p2_vbus: regulator@4 {
+ usb_p2_vbus: regulator-usb-p2-vbus {
compatible = "regulator-fixed";
regulator-name = "p2_vbus";
regulator-min-microvolt = <5000000>;
@@ -77,7 +77,7 @@ usb_p2_vbus: regulator@4 {
enable-active-high;
};
- usb_p3_vbus: regulator@5 {
+ usb_p3_vbus: regulator-usb-p3-vbus {
compatible = "regulator-fixed";
regulator-name = "p3_vbus";
regulator-min-microvolt = <5000000>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 027/783] arm64: dts: mediatek: pumpkin-common: Fix devicetree warnings
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 026/783] arm64: dts: mt2712-evb: Fix usb vbus " Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 028/783] arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name Greg Kroah-Hartman
` (765 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Matthias Brugger, Sasha Levin
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 509438336ce75c8b4e6ce8e8d507dc77d0783bdd ]
Fix the pinctrl submodes and optee node to remove unneeded unit address,
fixing all unit_address_vs_reg warnings.
Fixes: 9983822c8cf9 ("arm64: dts: mediatek: add pumpkin board dts")
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20221013152212.416661-8-angelogioacchino.delregno@collabora.com
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi b/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
index 99c2d6fd6304..d5059735c594 100644
--- a/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
+++ b/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
@@ -17,7 +17,7 @@ chosen {
};
firmware {
- optee: optee@4fd00000 {
+ optee: optee {
compatible = "linaro,optee-tz";
method = "smc";
};
@@ -209,7 +209,7 @@ pins_cmd_dat {
};
};
- i2c0_pins_a: i2c0@0 {
+ i2c0_pins_a: i2c0 {
pins1 {
pinmux = <MT8516_PIN_58_SDA0__FUNC_SDA0_0>,
<MT8516_PIN_59_SCL0__FUNC_SCL0_0>;
@@ -217,7 +217,7 @@ pins1 {
};
};
- i2c2_pins_a: i2c2@0 {
+ i2c2_pins_a: i2c2 {
pins1 {
pinmux = <MT8516_PIN_60_SDA2__FUNC_SDA2_0>,
<MT8516_PIN_61_SCL2__FUNC_SCL2_0>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 028/783] arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 027/783] arm64: dts: mediatek: pumpkin-common: Fix devicetree warnings Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 029/783] ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port Greg Kroah-Hartman
` (764 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Matthias Brugger, Sasha Levin
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 5f535cc583759c9c60d4cc9b8d221762e2d75387 ]
Update its unit name to oscillator-26m and remove the unneeded unit
address to fix a unit_address_vs_reg warning.
Fixes: 464c510f60c6 ("arm64: dts: mediatek: add mt6797 support")
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20221013152212.416661-9-angelogioacchino.delregno@collabora.com
Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt6797.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt6797.dtsi b/arch/arm64/boot/dts/mediatek/mt6797.dtsi
index 15616231022a..c3677d77e0a4 100644
--- a/arch/arm64/boot/dts/mediatek/mt6797.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt6797.dtsi
@@ -95,7 +95,7 @@ cpu9: cpu@201 {
};
};
- clk26m: oscillator@0 {
+ clk26m: oscillator-26m {
compatible = "fixed-clock";
#clock-cells = <0>;
clock-frequency = <26000000>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 029/783] ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 028/783] arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 030/783] ARM: dts: armada-370: " Greg Kroah-Hartman
` (763 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
Sasha Levin
From: Pali Rohár <pali@kernel.org>
[ Upstream commit dcc7d8c72b64a479b8017e4332d99179deb8802d ]
BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
(PCI-to-PCI bridge) should match BDF in address part in that DT node name
as specified resource belongs to Marvell PCIe Root Port itself.
Fixes: 74ecaa403a74 ("ARM: dove: add PCIe controllers to SoC DT")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/dove.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/dove.dtsi b/arch/arm/boot/dts/dove.dtsi
index 89e0bdaf3a85..726d353eda68 100644
--- a/arch/arm/boot/dts/dove.dtsi
+++ b/arch/arm/boot/dts/dove.dtsi
@@ -129,7 +129,7 @@ pcie0: pcie@1 {
pcie1: pcie@2 {
device_type = "pci";
status = "disabled";
- assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
+ assigned-addresses = <0x82001000 0 0x80000 0 0x2000>;
reg = <0x1000 0 0 0 0>;
clocks = <&gate_clk 5>;
marvell,pcie-port = <1>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 030/783] ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 029/783] ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 031/783] ARM: dts: armada-xp: " Greg Kroah-Hartman
` (762 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
Sasha Levin
From: Pali Rohár <pali@kernel.org>
[ Upstream commit d9208b0fa2e803d16b28d91bf1d46b7ee9ea13c6 ]
BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
(PCI-to-PCI bridge) should match BDF in address part in that DT node name
as specified resource belongs to Marvell PCIe Root Port itself.
Fixes: a09a0b7c6ff1 ("arm: mvebu: add PCIe Device Tree informations for Armada 370")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/armada-370.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/armada-370.dtsi b/arch/arm/boot/dts/armada-370.dtsi
index 46e6d3ed8f35..c042c416a94a 100644
--- a/arch/arm/boot/dts/armada-370.dtsi
+++ b/arch/arm/boot/dts/armada-370.dtsi
@@ -74,7 +74,7 @@ pcie0: pcie@1,0 {
pcie2: pcie@2,0 {
device_type = "pci";
- assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
+ assigned-addresses = <0x82001000 0 0x80000 0 0x2000>;
reg = <0x1000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 031/783] ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 030/783] ARM: dts: armada-370: " Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 032/783] ARM: dts: armada-375: " Greg Kroah-Hartman
` (761 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
Sasha Levin
From: Pali Rohár <pali@kernel.org>
[ Upstream commit eab276787f456cbea89fabea110fe0728673d308 ]
BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
(PCI-to-PCI bridge) should match BDF in address part in that DT node name
as specified resource belongs to Marvell PCIe Root Port itself.
Fixes: 9d8f44f02d4a ("arm: mvebu: add PCIe Device Tree informations for Armada XP")
Fixes: 12b69a599745 ("ARM: mvebu: second PCIe unit of Armada XP mv78230 is only x1 capable")
Fixes: 2163e61c92d9 ("ARM: mvebu: fix second and third PCIe unit of Armada XP mv78260")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/armada-xp-mv78230.dtsi | 8 ++++----
arch/arm/boot/dts/armada-xp-mv78260.dtsi | 16 ++++++++--------
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/arch/arm/boot/dts/armada-xp-mv78230.dtsi b/arch/arm/boot/dts/armada-xp-mv78230.dtsi
index 8558bf6bb54c..d55fe162fc7f 100644
--- a/arch/arm/boot/dts/armada-xp-mv78230.dtsi
+++ b/arch/arm/boot/dts/armada-xp-mv78230.dtsi
@@ -97,7 +97,7 @@ pcie1: pcie@1,0 {
pcie2: pcie@2,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>;
reg = <0x1000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -115,7 +115,7 @@ pcie2: pcie@2,0 {
pcie3: pcie@3,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
+ assigned-addresses = <0x82001800 0 0x48000 0 0x2000>;
reg = <0x1800 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -133,7 +133,7 @@ pcie3: pcie@3,0 {
pcie4: pcie@4,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x4c000 0 0x2000>;
+ assigned-addresses = <0x82002000 0 0x4c000 0 0x2000>;
reg = <0x2000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -151,7 +151,7 @@ pcie4: pcie@4,0 {
pcie5: pcie@5,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x80000 0 0x2000>;
+ assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
reg = <0x2800 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
diff --git a/arch/arm/boot/dts/armada-xp-mv78260.dtsi b/arch/arm/boot/dts/armada-xp-mv78260.dtsi
index 2d85fe8ac327..fdcc81819940 100644
--- a/arch/arm/boot/dts/armada-xp-mv78260.dtsi
+++ b/arch/arm/boot/dts/armada-xp-mv78260.dtsi
@@ -112,7 +112,7 @@ pcie1: pcie@1,0 {
pcie2: pcie@2,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>;
reg = <0x1000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -130,7 +130,7 @@ pcie2: pcie@2,0 {
pcie3: pcie@3,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
+ assigned-addresses = <0x82001800 0 0x48000 0 0x2000>;
reg = <0x1800 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -148,7 +148,7 @@ pcie3: pcie@3,0 {
pcie4: pcie@4,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x4c000 0 0x2000>;
+ assigned-addresses = <0x82002000 0 0x4c000 0 0x2000>;
reg = <0x2000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -166,7 +166,7 @@ pcie4: pcie@4,0 {
pcie5: pcie@5,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x80000 0 0x2000>;
+ assigned-addresses = <0x82002800 0 0x80000 0 0x2000>;
reg = <0x2800 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -184,7 +184,7 @@ pcie5: pcie@5,0 {
pcie6: pcie@6,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x84000 0 0x2000>;
+ assigned-addresses = <0x82003000 0 0x84000 0 0x2000>;
reg = <0x3000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -202,7 +202,7 @@ pcie6: pcie@6,0 {
pcie7: pcie@7,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x88000 0 0x2000>;
+ assigned-addresses = <0x82003800 0 0x88000 0 0x2000>;
reg = <0x3800 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -220,7 +220,7 @@ pcie7: pcie@7,0 {
pcie8: pcie@8,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x8c000 0 0x2000>;
+ assigned-addresses = <0x82004000 0 0x8c000 0 0x2000>;
reg = <0x4000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -238,7 +238,7 @@ pcie8: pcie@8,0 {
pcie9: pcie@9,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x42000 0 0x2000>;
+ assigned-addresses = <0x82004800 0 0x42000 0 0x2000>;
reg = <0x4800 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 032/783] ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 031/783] ARM: dts: armada-xp: " Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 033/783] ARM: dts: armada-38x: " Greg Kroah-Hartman
` (760 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
Sasha Levin
From: Pali Rohár <pali@kernel.org>
[ Upstream commit 823956d2436f70ced74c0fe8ab99facd8abfc060 ]
BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
(PCI-to-PCI bridge) should match BDF in address part in that DT node name
as specified resource belongs to Marvell PCIe Root Port itself.
Fixes: 4de59085091f ("ARM: mvebu: add Device Tree description of the Armada 375 SoC")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/armada-375.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/armada-375.dtsi b/arch/arm/boot/dts/armada-375.dtsi
index 9805e507c695..d117fc4ae6d9 100644
--- a/arch/arm/boot/dts/armada-375.dtsi
+++ b/arch/arm/boot/dts/armada-375.dtsi
@@ -582,7 +582,7 @@ pcie0: pcie@1,0 {
pcie1: pcie@2,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>;
reg = <0x1000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 033/783] ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 032/783] ARM: dts: armada-375: " Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 034/783] ARM: dts: armada-39x: " Greg Kroah-Hartman
` (759 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
Sasha Levin
From: Pali Rohár <pali@kernel.org>
[ Upstream commit 44f47b7a8fa4678ce4c38ea74837e4996b9df6d6 ]
BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
(PCI-to-PCI bridge) should match BDF in address part in that DT node name
as specified resource belongs to Marvell PCIe Root Port itself.
Fixes: 0d3d96ab0059 ("ARM: mvebu: add Device Tree description of the Armada 380/385 SoCs")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/armada-380.dtsi | 4 ++--
arch/arm/boot/dts/armada-385.dtsi | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm/boot/dts/armada-380.dtsi b/arch/arm/boot/dts/armada-380.dtsi
index cff1269f3fbf..7146cc8f082a 100644
--- a/arch/arm/boot/dts/armada-380.dtsi
+++ b/arch/arm/boot/dts/armada-380.dtsi
@@ -79,7 +79,7 @@ pcie@1,0 {
/* x1 port */
pcie@2,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>;
+ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>;
reg = <0x1000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -98,7 +98,7 @@ pcie@2,0 {
/* x1 port */
pcie@3,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>;
reg = <0x1800 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
diff --git a/arch/arm/boot/dts/armada-385.dtsi b/arch/arm/boot/dts/armada-385.dtsi
index f0022d10c715..f081f7cb66e5 100644
--- a/arch/arm/boot/dts/armada-385.dtsi
+++ b/arch/arm/boot/dts/armada-385.dtsi
@@ -84,7 +84,7 @@ pcie1: pcie@1,0 {
/* x1 port */
pcie2: pcie@2,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>;
+ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>;
reg = <0x1000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -103,7 +103,7 @@ pcie2: pcie@2,0 {
/* x1 port */
pcie3: pcie@3,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>;
reg = <0x1800 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -125,7 +125,7 @@ pcie3: pcie@3,0 {
*/
pcie4: pcie@4,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
+ assigned-addresses = <0x82002000 0 0x48000 0 0x2000>;
reg = <0x2000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 034/783] ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 033/783] ARM: dts: armada-38x: " Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 035/783] ARM: dts: turris-omnia: Add ethernet aliases Greg Kroah-Hartman
` (758 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
Sasha Levin
From: Pali Rohár <pali@kernel.org>
[ Upstream commit 69236d2391b4d7324b11c3252921571577892e7b ]
BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port
(PCI-to-PCI bridge) should match BDF in address part in that DT node name
as specified resource belongs to Marvell PCIe Root Port itself.
Fixes: 538da83ddbea ("ARM: mvebu: add Device Tree files for Armada 39x SoC and board")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/armada-39x.dtsi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm/boot/dts/armada-39x.dtsi b/arch/arm/boot/dts/armada-39x.dtsi
index e0b7c2099831..9525e7b7f436 100644
--- a/arch/arm/boot/dts/armada-39x.dtsi
+++ b/arch/arm/boot/dts/armada-39x.dtsi
@@ -453,7 +453,7 @@ pcie@1,0 {
/* x1 port */
pcie@2,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>;
+ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>;
reg = <0x1000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -472,7 +472,7 @@ pcie@2,0 {
/* x1 port */
pcie@3,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>;
+ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>;
reg = <0x1800 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
@@ -494,7 +494,7 @@ pcie@3,0 {
*/
pcie@4,0 {
device_type = "pci";
- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>;
+ assigned-addresses = <0x82002000 0 0x48000 0 0x2000>;
reg = <0x2000 0 0 0 0>;
#address-cells = <3>;
#size-cells = <2>;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 035/783] ARM: dts: turris-omnia: Add ethernet aliases
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 034/783] ARM: dts: armada-39x: " Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 036/783] ARM: dts: turris-omnia: Add switch port 6 node Greg Kroah-Hartman
` (757 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Gregory CLEMENT,
Sasha Levin
From: Pali Rohár <pali@kernel.org>
[ Upstream commit f1f3e530c59a7e8c5f06172f4c28b945a6b4bfb8 ]
This allows bootloader to correctly pass MAC addresses used by bootloader
to individual interfaces into kernel device tree.
Signed-off-by: Pali Rohár <pali@kernel.org>
Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia")
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/armada-385-turris-omnia.dts | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts
index 92e08486ec81..c0a026ac7be8 100644
--- a/arch/arm/boot/dts/armada-385-turris-omnia.dts
+++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts
@@ -22,6 +22,12 @@ chosen {
stdout-path = &uart0;
};
+ aliases {
+ ethernet0 = ð0;
+ ethernet1 = ð1;
+ ethernet2 = ð2;
+ };
+
memory {
device_type = "memory";
reg = <0x00000000 0x40000000>; /* 1024 MB */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 036/783] ARM: dts: turris-omnia: Add switch port 6 node
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 035/783] ARM: dts: turris-omnia: Add ethernet aliases Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 037/783] arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC Greg Kroah-Hartman
` (756 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Andrew Lunn,
Gregory CLEMENT, Sasha Levin
From: Pali Rohár <pali@kernel.org>
[ Upstream commit f87db2005f73876602211af0ee156817019b6bda ]
Switch port 6 is connected to eth0, so add appropriate device tree node for it.
Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia")
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/armada-385-turris-omnia.dts | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/armada-385-turris-omnia.dts b/arch/arm/boot/dts/armada-385-turris-omnia.dts
index c0a026ac7be8..320c759b4090 100644
--- a/arch/arm/boot/dts/armada-385-turris-omnia.dts
+++ b/arch/arm/boot/dts/armada-385-turris-omnia.dts
@@ -297,7 +297,17 @@ fixed-link {
};
};
- /* port 6 is connected to eth0 */
+ ports@6 {
+ reg = <6>;
+ label = "cpu";
+ ethernet = <ð0>;
+ phy-mode = "rgmii-id";
+
+ fixed-link {
+ speed = <1000>;
+ full-duplex;
+ };
+ };
};
};
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 037/783] arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 036/783] ARM: dts: turris-omnia: Add switch port 6 node Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 038/783] pstore/ram: Fix error return code in ramoops_probe() Greg Kroah-Hartman
` (755 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár, Andrew Lunn,
Gregory CLEMENT, Sasha Levin
From: Pali Rohár <pali@kernel.org>
[ Upstream commit 21aad8ba615e9c39cee6c5d0b76726f63791926c ]
MCP7940MT-I/MNY RTC has connected interrupt line to GPIO2_5.
Fixes: 7109d817db2e ("arm64: dts: marvell: add DTS for Turris Mox")
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
index 00e5dbf4b823..eea8d23683dc 100644
--- a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
+++ b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
@@ -124,9 +124,12 @@ &i2c0 {
/delete-property/ mrvl,i2c-fast-mode;
status = "okay";
+ /* MCP7940MT-I/MNY RTC */
rtc@6f {
compatible = "microchip,mcp7940x";
reg = <0x6f>;
+ interrupt-parent = <&gpiosb>;
+ interrupts = <5 0>; /* GPIO2_5 */
};
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 038/783] pstore/ram: Fix error return code in ramoops_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 037/783] arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 039/783] ARM: mmp: fix timer_read delay Greg Kroah-Hartman
` (754 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Yufen, Kees Cook, Sasha Levin
From: Wang Yufen <wangyufen@huawei.com>
[ Upstream commit e1fce564900f8734edf15b87f028c57e14f6e28d ]
In the if (dev_of_node(dev) && !pdata) path, the "err" may be assigned a
value of 0, so the error return code -EINVAL may be incorrectly set
to 0. To fix set valid return code before calling to goto.
Fixes: 35da60941e44 ("pstore/ram: add Device Tree bindings")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/1669969374-46582-1-git-send-email-wangyufen@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pstore/ram.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c
index ca6d8a867285..98e579ce0d63 100644
--- a/fs/pstore/ram.c
+++ b/fs/pstore/ram.c
@@ -730,6 +730,7 @@ static int ramoops_probe(struct platform_device *pdev)
/* Make sure we didn't get bogus platform data pointer. */
if (!pdata) {
pr_err("NULL platform data\n");
+ err = -EINVAL;
goto fail_out;
}
@@ -737,6 +738,7 @@ static int ramoops_probe(struct platform_device *pdev)
!pdata->ftrace_size && !pdata->pmsg_size)) {
pr_err("The memory size and the record/console size must be "
"non-zero\n");
+ err = -EINVAL;
goto fail_out;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 039/783] ARM: mmp: fix timer_read delay
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 038/783] pstore/ram: Fix error return code in ramoops_probe() Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 040/783] pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP Greg Kroah-Hartman
` (753 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Brown, Arnd Bergmann, Sasha Levin
From: Doug Brown <doug@schmorgal.com>
[ Upstream commit e348b4014c31041e13ff370669ba3348c4d385e3 ]
timer_read() was using an empty 100-iteration loop to wait for the
TMR_CVWR register to capture the latest timer counter value. The delay
wasn't long enough. This resulted in CPU idle time being extremely
underreported on PXA168 with CONFIG_NO_HZ_IDLE=y.
Switch to the approach used in the vendor kernel, which implements the
capture delay by reading TMR_CVWR a few times instead.
Fixes: 49cbe78637eb ("[ARM] pxa: add base support for Marvell's PXA168 processor line")
Signed-off-by: Doug Brown <doug@schmorgal.com>
Link: https://lore.kernel.org/r/20221204005117.53452-3-doug@schmorgal.com
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-mmp/time.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c
index 41b2e8abc9e6..708816caf859 100644
--- a/arch/arm/mach-mmp/time.c
+++ b/arch/arm/mach-mmp/time.c
@@ -43,18 +43,21 @@
static void __iomem *mmp_timer_base = TIMERS_VIRT_BASE;
/*
- * FIXME: the timer needs some delay to stablize the counter capture
+ * Read the timer through the CVWR register. Delay is required after requesting
+ * a read. The CR register cannot be directly read due to metastability issues
+ * documented in the PXA168 software manual.
*/
static inline uint32_t timer_read(void)
{
- int delay = 100;
+ uint32_t val;
+ int delay = 3;
__raw_writel(1, mmp_timer_base + TMR_CVWR(1));
while (delay--)
- cpu_relax();
+ val = __raw_readl(mmp_timer_base + TMR_CVWR(1));
- return __raw_readl(mmp_timer_base + TMR_CVWR(1));
+ return val;
}
static u64 notrace mmp_read_sched_clock(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 040/783] pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 039/783] ARM: mmp: fix timer_read delay Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 041/783] tpm/tpm_ftpm_tee: Fix error handling in ftpm_mod_init() Greg Kroah-Hartman
` (752 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brian Geffon, Mike Rapoport,
Andrew Morton, Stephen Boyd, Kees Cook, Sasha Levin
From: Stephen Boyd <swboyd@chromium.org>
[ Upstream commit e6b842741b4f39007215fd7e545cb55aa3d358a2 ]
An oops can be induced by running 'cat /proc/kcore > /dev/null' on
devices using pstore with the ram backend because kmap_atomic() assumes
lowmem pages are accessible with __va().
Unable to handle kernel paging request at virtual address ffffff807ff2b000
Mem abort info:
ESR = 0x96000006
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x06: level 2 translation fault
Data abort info:
ISV = 0, ISS = 0x00000006
CM = 0, WnR = 0
swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000
[ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000
Internal error: Oops: 96000006 [#1] PREEMPT SMP
Modules linked in: dm_integrity
CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba
Hardware name: Google Lazor (rev3 - 8) (DT)
pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __memcpy+0x110/0x260
lr : vread+0x194/0x294
sp : ffffffc013ee39d0
x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000
x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000
x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000
x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60
x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001
x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b
x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78
x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000
Call trace:
__memcpy+0x110/0x260
read_kcore+0x584/0x778
proc_reg_read+0xb4/0xe4
During early boot, memblock reserves the pages for the ramoops reserved
memory node in DT that would otherwise be part of the direct lowmem
mapping. Pstore's ram backend reuses those reserved pages to change the
memory type (writeback or non-cached) by passing the pages to vmap()
(see pfn_to_page() usage in persistent_ram_vmap() for more details) with
specific flags. When read_kcore() starts iterating over the vmalloc
region, it runs over the virtual address that vmap() returned for
ramoops. In aligned_vread() the virtual address is passed to
vmalloc_to_page() which returns the page struct for the reserved lowmem
area. That lowmem page is passed to kmap_atomic(), which effectively
calls page_to_virt() that assumes a lowmem page struct must be directly
accessible with __va() and friends. These pages are mapped via vmap()
though, and the lowmem mapping was never made, so accessing them via the
lowmem virtual address oopses like above.
Let's side-step this problem by passing VM_IOREMAP to vmap(). This will
tell vread() to not include the ramoops region in the kcore. Instead the
area will look like a bunch of zeros. The alternative is to teach kmap()
about vmalloc areas that intersect with lowmem. Presumably such a change
isn't a one-liner, and there isn't much interest in inspecting the
ramoops region in kcore files anyway, so the most expedient route is
taken for now.
Cc: Brian Geffon <bgeffon@google.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Fixes: 404a6043385d ("staging: android: persistent_ram: handle reserving and mapping memory")
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221205233136.3420802-1-swboyd@chromium.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pstore/ram_core.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c
index aa8e0b65ff1a..184cb97c83bd 100644
--- a/fs/pstore/ram_core.c
+++ b/fs/pstore/ram_core.c
@@ -425,7 +425,11 @@ static void *persistent_ram_vmap(phys_addr_t start, size_t size,
phys_addr_t addr = page_start + i * PAGE_SIZE;
pages[i] = pfn_to_page(addr >> PAGE_SHIFT);
}
- vaddr = vmap(pages, page_count, VM_MAP, prot);
+ /*
+ * VM_IOREMAP used here to bypass this region during vread()
+ * and kmap_atomic() (i.e. kcore) to avoid __va() failures.
+ */
+ vaddr = vmap(pages, page_count, VM_MAP | VM_IOREMAP, prot);
kfree(pages);
/*
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 041/783] tpm/tpm_ftpm_tee: Fix error handling in ftpm_mod_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 040/783] pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 042/783] tpm/tpm_crb: Fix error message in __crb_relinquish_locality() Greg Kroah-Hartman
` (751 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Can, Maxim Uvarov,
Jarkko Sakkinen, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit 2b7d07f7acaac2c7750e420dcf4414588ede6d03 ]
The ftpm_mod_init() returns the driver_register() directly without checking
its return value, if driver_register() failed, the ftpm_tee_plat_driver is
not unregistered.
Fix by unregister ftpm_tee_plat_driver when driver_register() failed.
Fixes: 9f1944c23c8c ("tpm_ftpm_tee: register driver on TEE bus")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Reviewed-by: Maxim Uvarov <maxim.uvarov@linaro.org>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/tpm/tpm_ftpm_tee.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm_ftpm_tee.c b/drivers/char/tpm/tpm_ftpm_tee.c
index 6e3235565a4d..d9daaafdd295 100644
--- a/drivers/char/tpm/tpm_ftpm_tee.c
+++ b/drivers/char/tpm/tpm_ftpm_tee.c
@@ -397,7 +397,13 @@ static int __init ftpm_mod_init(void)
if (rc)
return rc;
- return driver_register(&ftpm_tee_driver.driver);
+ rc = driver_register(&ftpm_tee_driver.driver);
+ if (rc) {
+ platform_driver_unregister(&ftpm_tee_plat_driver);
+ return rc;
+ }
+
+ return 0;
}
static void __exit ftpm_mod_exit(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 042/783] tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 041/783] tpm/tpm_ftpm_tee: Fix error handling in ftpm_mod_init() Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 043/783] sched/fair: Cleanup task_util and capacity type Greg Kroah-Hartman
` (750 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Kelley, Tomas Winkler,
Jarkko Sakkinen, Sasha Levin
From: Michael Kelley <mikelley@microsoft.com>
[ Upstream commit f5264068071964b56dc02c9dab3d11574aaca6ff ]
The error message in __crb_relinquish_locality() mentions requestAccess
instead of Relinquish. Fix it.
Fixes: 888d867df441 ("tpm: cmd_ready command can be issued only after granting locality")
Signed-off-by: Michael Kelley <mikelley@microsoft.com>
Acked-by: Tomas Winkler <tomas.winkler@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/tpm/tpm_crb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index a9dcf31eadd2..35c5227f3a88 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -252,7 +252,7 @@ static int __crb_relinquish_locality(struct device *dev,
iowrite32(CRB_LOC_CTRL_RELINQUISH, &priv->regs_h->loc_ctrl);
if (!crb_wait_for_reg_32(&priv->regs_h->loc_state, mask, value,
TPM2_TIMEOUT_C)) {
- dev_warn(dev, "TPM_LOC_STATE_x.requestAccess timed out\n");
+ dev_warn(dev, "TPM_LOC_STATE_x.Relinquish timed out\n");
return -ETIME;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 043/783] sched/fair: Cleanup task_util and capacity type
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 042/783] tpm/tpm_crb: Fix error message in __crb_relinquish_locality() Greg Kroah-Hartman
@ 2023-01-12 13:45 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 044/783] sched/uclamp: Fix relationship between uclamp and migration margin Greg Kroah-Hartman
` (749 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:45 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vincent Donnefort,
Peter Zijlstra (Intel),
Sasha Levin
From: Vincent Donnefort <vincent.donnefort@arm.com>
[ Upstream commit ef8df9798d469b7c45c66664550e93469749f1e8 ]
task_util and capacity are comparable unsigned long values. There is no
need for an intermidiate implicit signed cast.
Signed-off-by: Vincent Donnefort <vincent.donnefort@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20211207095755.859972-1-vincent.donnefort@arm.com
Stable-dep-of: 48d5e9daa8b7 ("sched/uclamp: Fix relationship between uclamp and migration margin")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index bca0efc03a51..2d3ea0679207 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -4074,7 +4074,8 @@ static inline void util_est_update(struct cfs_rq *cfs_rq,
trace_sched_util_est_se_tp(&p->se);
}
-static inline int task_fits_capacity(struct task_struct *p, long capacity)
+static inline int task_fits_capacity(struct task_struct *p,
+ unsigned long capacity)
{
return fits_capacity(uclamp_task_util(p), capacity);
}
@@ -6247,7 +6248,7 @@ select_idle_capacity(struct task_struct *p, struct sched_domain *sd, int target)
return best_cpu;
}
-static inline bool asym_fits_capacity(int task_util, int cpu)
+static inline bool asym_fits_capacity(unsigned long task_util, int cpu)
{
if (static_branch_unlikely(&sched_asym_cpucapacity))
return fits_capacity(task_util, capacity_of(cpu));
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 044/783] sched/uclamp: Fix relationship between uclamp and migration margin
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2023-01-12 13:45 ` [PATCH 5.10 043/783] sched/fair: Cleanup task_util and capacity type Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 045/783] cpuidle: dt: Return the correct numbers of parsed idle states Greg Kroah-Hartman
` (748 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qais Yousef, Peter Zijlstra (Intel),
Sasha Levin
From: Qais Yousef <qais.yousef@arm.com>
[ Upstream commit 48d5e9daa8b767e75ed9421665b037a49ce4bc04 ]
fits_capacity() verifies that a util is within 20% margin of the
capacity of a CPU, which is an attempt to speed up upmigration.
But when uclamp is used, this 20% margin is problematic because for
example if a task is boosted to 1024, then it will not fit on any CPU
according to fits_capacity() logic.
Or if a task is boosted to capacity_orig_of(medium_cpu). The task will
end up on big instead on the desired medium CPU.
Similar corner cases exist for uclamp and usage of capacity_of().
Slightest irq pressure on biggest CPU for example will make a 1024
boosted task look like it can't fit.
What we really want is for uclamp comparisons to ignore the migration
margin and capacity pressure, yet retain them for when checking the
_actual_ util signal.
For example, task p:
p->util_avg = 300
p->uclamp[UCLAMP_MIN] = 1024
Will fit a big CPU. But
p->util_avg = 900
p->uclamp[UCLAMP_MIN] = 1024
will not, this should trigger overutilized state because the big CPU is
now *actually* being saturated.
Similar reasoning applies to capping tasks with UCLAMP_MAX. For example:
p->util_avg = 1024
p->uclamp[UCLAMP_MAX] = capacity_orig_of(medium_cpu)
Should fit the task on medium cpus without triggering overutilized
state.
Inlined comments expand more on desired behavior in more scenarios.
Introduce new util_fits_cpu() function which encapsulates the new logic.
The new function is not used anywhere yet, but will be used to update
various users of fits_capacity() in later patches.
Fixes: af24bde8df202 ("sched/uclamp: Add uclamp support to energy_compute()")
Signed-off-by: Qais Yousef <qais.yousef@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20220804143609.515789-2-qais.yousef@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/fair.c | 123 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 123 insertions(+)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 2d3ea0679207..c39d2fc3f994 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -4074,6 +4074,129 @@ static inline void util_est_update(struct cfs_rq *cfs_rq,
trace_sched_util_est_se_tp(&p->se);
}
+static inline int util_fits_cpu(unsigned long util,
+ unsigned long uclamp_min,
+ unsigned long uclamp_max,
+ int cpu)
+{
+ unsigned long capacity_orig, capacity_orig_thermal;
+ unsigned long capacity = capacity_of(cpu);
+ bool fits, uclamp_max_fits;
+
+ /*
+ * Check if the real util fits without any uclamp boost/cap applied.
+ */
+ fits = fits_capacity(util, capacity);
+
+ if (!uclamp_is_used())
+ return fits;
+
+ /*
+ * We must use capacity_orig_of() for comparing against uclamp_min and
+ * uclamp_max. We only care about capacity pressure (by using
+ * capacity_of()) for comparing against the real util.
+ *
+ * If a task is boosted to 1024 for example, we don't want a tiny
+ * pressure to skew the check whether it fits a CPU or not.
+ *
+ * Similarly if a task is capped to capacity_orig_of(little_cpu), it
+ * should fit a little cpu even if there's some pressure.
+ *
+ * Only exception is for thermal pressure since it has a direct impact
+ * on available OPP of the system.
+ *
+ * We honour it for uclamp_min only as a drop in performance level
+ * could result in not getting the requested minimum performance level.
+ *
+ * For uclamp_max, we can tolerate a drop in performance level as the
+ * goal is to cap the task. So it's okay if it's getting less.
+ *
+ * In case of capacity inversion, which is not handled yet, we should
+ * honour the inverted capacity for both uclamp_min and uclamp_max all
+ * the time.
+ */
+ capacity_orig = capacity_orig_of(cpu);
+ capacity_orig_thermal = capacity_orig - arch_scale_thermal_pressure(cpu);
+
+ /*
+ * We want to force a task to fit a cpu as implied by uclamp_max.
+ * But we do have some corner cases to cater for..
+ *
+ *
+ * C=z
+ * | ___
+ * | C=y | |
+ * |_ _ _ _ _ _ _ _ _ ___ _ _ _ | _ | _ _ _ _ _ uclamp_max
+ * | C=x | | | |
+ * | ___ | | | |
+ * | | | | | | | (util somewhere in this region)
+ * | | | | | | |
+ * | | | | | | |
+ * +----------------------------------------
+ * cpu0 cpu1 cpu2
+ *
+ * In the above example if a task is capped to a specific performance
+ * point, y, then when:
+ *
+ * * util = 80% of x then it does not fit on cpu0 and should migrate
+ * to cpu1
+ * * util = 80% of y then it is forced to fit on cpu1 to honour
+ * uclamp_max request.
+ *
+ * which is what we're enforcing here. A task always fits if
+ * uclamp_max <= capacity_orig. But when uclamp_max > capacity_orig,
+ * the normal upmigration rules should withhold still.
+ *
+ * Only exception is when we are on max capacity, then we need to be
+ * careful not to block overutilized state. This is so because:
+ *
+ * 1. There's no concept of capping at max_capacity! We can't go
+ * beyond this performance level anyway.
+ * 2. The system is being saturated when we're operating near
+ * max capacity, it doesn't make sense to block overutilized.
+ */
+ uclamp_max_fits = (capacity_orig == SCHED_CAPACITY_SCALE) && (uclamp_max == SCHED_CAPACITY_SCALE);
+ uclamp_max_fits = !uclamp_max_fits && (uclamp_max <= capacity_orig);
+ fits = fits || uclamp_max_fits;
+
+ /*
+ *
+ * C=z
+ * | ___ (region a, capped, util >= uclamp_max)
+ * | C=y | |
+ * |_ _ _ _ _ _ _ _ _ ___ _ _ _ | _ | _ _ _ _ _ uclamp_max
+ * | C=x | | | |
+ * | ___ | | | | (region b, uclamp_min <= util <= uclamp_max)
+ * |_ _ _|_ _|_ _ _ _| _ | _ _ _| _ | _ _ _ _ _ uclamp_min
+ * | | | | | | |
+ * | | | | | | | (region c, boosted, util < uclamp_min)
+ * +----------------------------------------
+ * cpu0 cpu1 cpu2
+ *
+ * a) If util > uclamp_max, then we're capped, we don't care about
+ * actual fitness value here. We only care if uclamp_max fits
+ * capacity without taking margin/pressure into account.
+ * See comment above.
+ *
+ * b) If uclamp_min <= util <= uclamp_max, then the normal
+ * fits_capacity() rules apply. Except we need to ensure that we
+ * enforce we remain within uclamp_max, see comment above.
+ *
+ * c) If util < uclamp_min, then we are boosted. Same as (b) but we
+ * need to take into account the boosted value fits the CPU without
+ * taking margin/pressure into account.
+ *
+ * Cases (a) and (b) are handled in the 'fits' variable already. We
+ * just need to consider an extra check for case (c) after ensuring we
+ * handle the case uclamp_min > uclamp_max.
+ */
+ uclamp_min = min(uclamp_min, uclamp_max);
+ if (util < uclamp_min && capacity_orig != SCHED_CAPACITY_SCALE)
+ fits = fits && (uclamp_min <= capacity_orig_thermal);
+
+ return fits;
+}
+
static inline int task_fits_capacity(struct task_struct *p,
unsigned long capacity)
{
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 045/783] cpuidle: dt: Return the correct numbers of parsed idle states
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 044/783] sched/uclamp: Fix relationship between uclamp and migration margin Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 046/783] alpha: fix syscall entry in !AUDUT_SYSCALL case Greg Kroah-Hartman
` (747 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ulf Hansson, Sudeep Holla,
Rafael J. Wysocki, Sasha Levin
From: Ulf Hansson <ulf.hansson@linaro.org>
[ Upstream commit ee3c2c8ad6ba6785f14a60e4081d7c82e88162a2 ]
While we correctly skips to initialize an idle state from a disabled idle
state node in DT, the returned value from dt_init_idle_driver() don't get
adjusted accordingly. Instead the number of found idle state nodes are
returned, while the callers are expecting the number of successfully
initialized idle states from DT.
This leads to cpuidle drivers unnecessarily continues to initialize their
idle state specific data. Moreover, in the case when all idle states have
been disabled in DT, we would end up registering a cpuidle driver, rather
than relying on the default arch specific idle call.
Fixes: 9f14da345599 ("drivers: cpuidle: implement DT based idle states infrastructure")
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpuidle/dt_idle_states.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c
index 252f2a9686a6..448bc796b0b4 100644
--- a/drivers/cpuidle/dt_idle_states.c
+++ b/drivers/cpuidle/dt_idle_states.c
@@ -223,6 +223,6 @@ int dt_init_idle_driver(struct cpuidle_driver *drv,
* also be 0 on platforms with missing DT idle states or legacy DT
* configuration predating the DT idle states bindings.
*/
- return i;
+ return state_idx - start_idx;
}
EXPORT_SYMBOL_GPL(dt_init_idle_driver);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 046/783] alpha: fix syscall entry in !AUDUT_SYSCALL case
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 045/783] cpuidle: dt: Return the correct numbers of parsed idle states Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 047/783] PM: hibernate: Fix mistake in kerneldoc comment Greg Kroah-Hartman
` (746 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro, Sasha Levin
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit f7b2431a6d22f7a91c567708e071dfcd6d66db14 ]
We only want to take the slow path if SYSCALL_TRACE or SYSCALL_AUDIT is
set; on !AUDIT_SYSCALL configs the current tree hits it whenever _any_
thread flag (including NEED_RESCHED, NOTIFY_SIGNAL, etc.) happens to
be set.
Fixes: a9302e843944 "alpha: Enable system-call auditing support"
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/alpha/kernel/entry.S | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/alpha/kernel/entry.S b/arch/alpha/kernel/entry.S
index 2e09248f8324..c27d01232799 100644
--- a/arch/alpha/kernel/entry.S
+++ b/arch/alpha/kernel/entry.S
@@ -469,8 +469,10 @@ entSys:
#ifdef CONFIG_AUDITSYSCALL
lda $6, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
and $3, $6, $3
-#endif
bne $3, strace
+#else
+ blbs $3, strace /* check for SYSCALL_TRACE in disguise */
+#endif
beq $4, 1f
ldq $27, 0($5)
1: jsr $26, ($27), sys_ni_syscall
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 047/783] PM: hibernate: Fix mistake in kerneldoc comment
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 046/783] alpha: fix syscall entry in !AUDUT_SYSCALL case Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 048/783] fs: dont audit the capability check in simple_xattr_list() Greg Kroah-Hartman
` (745 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, xiongxin, Rafael J. Wysocki, Sasha Levin
From: xiongxin <xiongxin@kylinos.cn>
[ Upstream commit 6e5d7300cbe7c3541bc31f16db3e9266e6027b4b ]
The actual maximum image size formula in hibernate_preallocate_memory()
is as follows:
max_size = (count - (size + PAGES_FOR_IO)) / 2
- 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE);
but the one in the kerneldoc comment of the function is different and
incorrect.
Fixes: ddeb64870810 ("PM / Hibernate: Add sysfs knob to control size of memory for drivers")
Signed-off-by: xiongxin <xiongxin@kylinos.cn>
[ rjw: Subject and changelog rewrite ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/power/snapshot.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c
index 1da013f50059..f5dccd445d36 100644
--- a/kernel/power/snapshot.c
+++ b/kernel/power/snapshot.c
@@ -1677,8 +1677,8 @@ static unsigned long minimum_image_size(unsigned long saveable)
* /sys/power/reserved_size, respectively). To make this happen, we compute the
* total number of available page frames and allocate at least
*
- * ([page frames total] + PAGES_FOR_IO + [metadata pages]) / 2
- * + 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE)
+ * ([page frames total] - PAGES_FOR_IO - [metadata pages]) / 2
+ * - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE)
*
* of them, which corresponds to the maximum size of a hibernation image.
*
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 048/783] fs: dont audit the capability check in simple_xattr_list()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 047/783] PM: hibernate: Fix mistake in kerneldoc comment Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 049/783] cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut() Greg Kroah-Hartman
` (744 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Pitt,
Christian Brauner (Microsoft),
Ondrej Mosnacek, Paul Moore, Sasha Levin
From: Ondrej Mosnacek <omosnace@redhat.com>
[ Upstream commit e7eda157c4071cd1e69f4b1687b0fbe1ae5e6f46 ]
The check being unconditional may lead to unwanted denials reported by
LSMs when a process has the capability granted by DAC, but denied by an
LSM. In the case of SELinux such denials are a problem, since they can't
be effectively filtered out via the policy and when not silenced, they
produce noise that may hide a true problem or an attack.
Checking for the capability only if any trusted xattr is actually
present wouldn't really address the issue, since calling listxattr(2) on
such node on its own doesn't indicate an explicit attempt to see the
trusted xattrs. Additionally, it could potentially leak the presence of
trusted xattrs to an unprivileged user if they can check for the denials
(e.g. through dmesg).
Therefore, it's best (and simplest) to keep the check unconditional and
instead use ns_capable_noaudit() that will silence any associated LSM
denials.
Fixes: 38f38657444d ("xattr: extract simple_xattr code from tmpfs")
Reported-by: Martin Pitt <mpitt@redhat.com>
Suggested-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xattr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/xattr.c b/fs/xattr.c
index cd7a563e8bcd..5a03eaadf029 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -1049,7 +1049,7 @@ static int xattr_list_one(char **buffer, ssize_t *remaining_size,
ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs,
char *buffer, size_t size)
{
- bool trusted = capable(CAP_SYS_ADMIN);
+ bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN);
struct simple_xattr *xattr;
ssize_t remaining_size = size;
int err = 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 049/783] cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 048/783] fs: dont audit the capability check in simple_xattr_list() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 050/783] selftests/ftrace: event_triggers: wait longer for test_event_enable Greg Kroah-Hartman
` (743 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Hui, Sibi Sankar, Viresh Kumar,
Sasha Levin
From: Chen Hui <judy.chenhui@huawei.com>
[ Upstream commit 9901c21bcaf2f01fe5078f750d624f4ddfa8f81b ]
If "cpu_dev" fails to get opp table in qcom_cpufreq_hw_read_lut(),
the program will return, resulting in "table" resource is not released.
Fixes: 51c843cf77bb ("cpufreq: qcom: Update the bandwidth levels on frequency change")
Signed-off-by: Chen Hui <judy.chenhui@huawei.com>
Reviewed-by: Sibi Sankar <quic_sibis@quicinc.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/qcom-cpufreq-hw.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/cpufreq/qcom-cpufreq-hw.c b/drivers/cpufreq/qcom-cpufreq-hw.c
index 6de07556665b..a9880998f8ba 100644
--- a/drivers/cpufreq/qcom-cpufreq-hw.c
+++ b/drivers/cpufreq/qcom-cpufreq-hw.c
@@ -158,6 +158,7 @@ static int qcom_cpufreq_hw_read_lut(struct device *cpu_dev,
}
} else if (ret != -ENODEV) {
dev_err(cpu_dev, "Invalid opp table in device tree\n");
+ kfree(table);
return ret;
} else {
policy->fast_switch_possible = true;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 050/783] selftests/ftrace: event_triggers: wait longer for test_event_enable
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 049/783] cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 051/783] perf: Fix possible memleak in pmu_dev_alloc() Greg Kroah-Hartman
` (742 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yipeng Zou,
Masami Hiramatsu (Google), Steven Rostedt (Google),
Shuah Khan, Sasha Levin
From: Yipeng Zou <zouyipeng@huawei.com>
[ Upstream commit a1d6cd88c8973cfb08ee85722488b1d6d5d16327 ]
In some platform, the schedule event may came slowly, delay 100ms can't
cover it.
I was notice that on my board which running in low cpu_freq,and this
selftests allways gose fail.
So maybe we can check more times here to wait longer.
Fixes: 43bb45da82f9 ("selftests: ftrace: Add a selftest to test event enable/disable func trigger")
Signed-off-by: Yipeng Zou <zouyipeng@huawei.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../ftrace/test.d/ftrace/func_event_triggers.tc | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc
index 3145b0f1835c..27a68bbe778b 100644
--- a/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc
+++ b/tools/testing/selftests/ftrace/test.d/ftrace/func_event_triggers.tc
@@ -38,11 +38,18 @@ cnt_trace() {
test_event_enabled() {
val=$1
+ check_times=10 # wait for 10 * SLEEP_TIME at most
- e=`cat $EVENT_ENABLE`
- if [ "$e" != $val ]; then
- fail "Expected $val but found $e"
- fi
+ while [ $check_times -ne 0 ]; do
+ e=`cat $EVENT_ENABLE`
+ if [ "$e" == $val ]; then
+ return 0
+ fi
+ sleep $SLEEP_TIME
+ check_times=$((check_times - 1))
+ done
+
+ fail "Expected $val but found $e"
}
run_enable_disable() {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 051/783] perf: Fix possible memleak in pmu_dev_alloc()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 050/783] selftests/ftrace: event_triggers: wait longer for test_event_enable Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 052/783] lib/debugobjects: fix stat count and optimize debug_objects_mem_init Greg Kroah-Hartman
` (741 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Zhongjin,
Peter Zijlstra (Intel),
Sasha Levin
From: Chen Zhongjin <chenzhongjin@huawei.com>
[ Upstream commit e8d7a90c08ce963c592fb49845f2ccc606a2ac21 ]
In pmu_dev_alloc(), when dev_set_name() failed, it will goto free_dev
and call put_device(pmu->dev) to release it.
However pmu->dev->release is assigned after this, which makes warning
and memleak.
Call dev_set_name() after pmu->dev->release = pmu_dev_release to fix it.
Device '(null)' does not have a release() function...
WARNING: CPU: 2 PID: 441 at drivers/base/core.c:2332 device_release+0x1b9/0x240
...
Call Trace:
<TASK>
kobject_put+0x17f/0x460
put_device+0x20/0x30
pmu_dev_alloc+0x152/0x400
perf_pmu_register+0x96b/0xee0
...
kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
unreferenced object 0xffff888014759000 (size 2048):
comm "modprobe", pid 441, jiffies 4294931444 (age 38.332s)
backtrace:
[<0000000005aed3b4>] kmalloc_trace+0x27/0x110
[<000000006b38f9b8>] pmu_dev_alloc+0x50/0x400
[<00000000735f17be>] perf_pmu_register+0x96b/0xee0
[<00000000e38477f1>] 0xffffffffc0ad8603
[<000000004e162216>] do_one_initcall+0xd0/0x4e0
...
Fixes: abe43400579d ("perf: Sysfs enumeration")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20221111103653.91058-1-chenzhongjin@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index e9b354d521a3..979d7946a772 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -10810,13 +10810,15 @@ static int pmu_dev_alloc(struct pmu *pmu)
pmu->dev->groups = pmu->attr_groups;
device_initialize(pmu->dev);
- ret = dev_set_name(pmu->dev, "%s", pmu->name);
- if (ret)
- goto free_dev;
dev_set_drvdata(pmu->dev, pmu);
pmu->dev->bus = &pmu_bus;
pmu->dev->release = pmu_dev_release;
+
+ ret = dev_set_name(pmu->dev, "%s", pmu->name);
+ if (ret)
+ goto free_dev;
+
ret = device_add(pmu->dev);
if (ret)
goto free_dev;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 052/783] lib/debugobjects: fix stat count and optimize debug_objects_mem_init
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 051/783] perf: Fix possible memleak in pmu_dev_alloc() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 053/783] platform/x86: huawei-wmi: fix return value calculation Greg Kroah-Hartman
` (740 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, wuchi, Waiman Long, Thomas Gleixner,
Christoph Hellwig, Kees Cook, Andrew Morton, Sasha Levin
From: wuchi <wuchi.zero@gmail.com>
[ Upstream commit eabb7f1ace53e127309407b2b5e74e8199e85270 ]
1. Var debug_objects_allocated tracks valid kmem_cache_alloc calls, so
track it in debug_objects_replace_static_objects. Do similar things in
object_cpu_offline.
2. In debug_objects_mem_init, there is no need to call function
cpuhp_setup_state_nocalls when debug_objects_enabled = 0 (out of
memory).
Link: https://lkml.kernel.org/r/20220611130634.99741-1-wuchi.zero@gmail.com
Fixes: 634d61f45d6f ("debugobjects: Percpu pool lookahead freeing/allocation")
Fixes: c4b73aabd098 ("debugobjects: Track number of kmem_cache_alloc/kmem_cache_free done")
Signed-off-by: wuchi <wuchi.zero@gmail.com>
Reviewed-by: Waiman Long <longman@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/debugobjects.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/lib/debugobjects.c b/lib/debugobjects.c
index 9e14ae02306b..71bdc167a9ee 100644
--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -440,6 +440,7 @@ static int object_cpu_offline(unsigned int cpu)
struct debug_percpu_free *percpu_pool;
struct hlist_node *tmp;
struct debug_obj *obj;
+ unsigned long flags;
/* Remote access is safe as the CPU is dead already */
percpu_pool = per_cpu_ptr(&percpu_obj_pool, cpu);
@@ -447,6 +448,12 @@ static int object_cpu_offline(unsigned int cpu)
hlist_del(&obj->node);
kmem_cache_free(obj_cache, obj);
}
+
+ raw_spin_lock_irqsave(&pool_lock, flags);
+ obj_pool_used -= percpu_pool->obj_free;
+ debug_objects_freed += percpu_pool->obj_free;
+ raw_spin_unlock_irqrestore(&pool_lock, flags);
+
percpu_pool->obj_free = 0;
return 0;
@@ -1316,6 +1323,8 @@ static int __init debug_objects_replace_static_objects(void)
hlist_add_head(&obj->node, &objects);
}
+ debug_objects_allocated += i;
+
/*
* debug_objects_mem_init() is now called early that only one CPU is up
* and interrupts have been disabled, so it is safe to replace the
@@ -1384,6 +1393,7 @@ void __init debug_objects_mem_init(void)
debug_objects_enabled = 0;
kmem_cache_destroy(obj_cache);
pr_warn("out of memory.\n");
+ return;
} else
debug_objects_selftest();
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 053/783] platform/x86: huawei-wmi: fix return value calculation
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 052/783] lib/debugobjects: fix stat count and optimize debug_objects_mem_init Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 054/783] timerqueue: Use rb_entry_safe() in timerqueue_getnext() Greg Kroah-Hartman
` (739 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Barnabás Pőcze,
Hans de Goede, Sasha Levin
From: Barnabás Pőcze <pobrn@protonmail.com>
[ Upstream commit 0b9a1dcdb6a2c841899389bf2dd7a3e0e2aa0e99 ]
Previously, `huawei_wmi_input_setup()` returned the result of
logical or-ing the return values of two functions that return negative
errno-style error codes and one that returns `acpi_status`. If this
returned value was non-zero, then it was propagated from the platform
driver's probe function. That function should return a negative
errno-style error code, so the result of the logical or that
`huawei_wmi_input_setup()` returned was not appropriate.
Fix that by checking each function separately and returning the
error code unmodified.
Fixes: 1ac9abeb2e5b ("platform/x86: huawei-wmi: Move to platform driver")
Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
Link: https://lore.kernel.org/r/20221005150032.173198-2-pobrn@protonmail.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/huawei-wmi.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/drivers/platform/x86/huawei-wmi.c b/drivers/platform/x86/huawei-wmi.c
index eac3e6b4ea11..935562c870c3 100644
--- a/drivers/platform/x86/huawei-wmi.c
+++ b/drivers/platform/x86/huawei-wmi.c
@@ -760,6 +760,9 @@ static int huawei_wmi_input_setup(struct device *dev,
const char *guid,
struct input_dev **idev)
{
+ acpi_status status;
+ int err;
+
*idev = devm_input_allocate_device(dev);
if (!*idev)
return -ENOMEM;
@@ -769,10 +772,19 @@ static int huawei_wmi_input_setup(struct device *dev,
(*idev)->id.bustype = BUS_HOST;
(*idev)->dev.parent = dev;
- return sparse_keymap_setup(*idev, huawei_wmi_keymap, NULL) ||
- input_register_device(*idev) ||
- wmi_install_notify_handler(guid, huawei_wmi_input_notify,
- *idev);
+ err = sparse_keymap_setup(*idev, huawei_wmi_keymap, NULL);
+ if (err)
+ return err;
+
+ err = input_register_device(*idev);
+ if (err)
+ return err;
+
+ status = wmi_install_notify_handler(guid, huawei_wmi_input_notify, *idev);
+ if (ACPI_FAILURE(status))
+ return -EIO;
+
+ return 0;
}
static void huawei_wmi_input_exit(struct device *dev, const char *guid)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 054/783] timerqueue: Use rb_entry_safe() in timerqueue_getnext()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 053/783] platform/x86: huawei-wmi: fix return value calculation Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 055/783] proc: fixup uptime selftest Greg Kroah-Hartman
` (738 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Barnabás Pőcze,
Thomas Gleixner, Sasha Levin
From: Barnabás Pőcze <pobrn@protonmail.com>
[ Upstream commit 2f117484329b233455ee278f2d9b0a4356835060 ]
When `timerqueue_getnext()` is called on an empty timer queue, it will
use `rb_entry()` on a NULL pointer, which is invalid. Fix that by using
`rb_entry_safe()` which handles NULL pointers.
This has not caused any issues so far because the offset of the `rb_node`
member in `timerqueue_node` is 0, so `rb_entry()` is essentially a no-op.
Fixes: 511885d7061e ("lib/timerqueue: Rely on rbtree semantics for next timer")
Signed-off-by: Barnabás Pőcze <pobrn@protonmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20221114195421.342929-1-pobrn@protonmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/timerqueue.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h
index 93884086f392..adc80e29168e 100644
--- a/include/linux/timerqueue.h
+++ b/include/linux/timerqueue.h
@@ -35,7 +35,7 @@ struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head)
{
struct rb_node *leftmost = rb_first_cached(&head->rb_root);
- return rb_entry(leftmost, struct timerqueue_node, node);
+ return rb_entry_safe(leftmost, struct timerqueue_node, node);
}
static inline void timerqueue_init(struct timerqueue_node *node)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 055/783] proc: fixup uptime selftest
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 054/783] timerqueue: Use rb_entry_safe() in timerqueue_getnext() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 056/783] lib/fonts: fix undefined behavior in bit shift for get_default_font Greg Kroah-Hartman
` (737 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Dobriyan, Andrew Morton, Sasha Levin
From: Alexey Dobriyan <adobriyan@gmail.com>
[ Upstream commit 5cc81d5c81af0dee54da9a67a3ebe4be076a13db ]
syscall(3) returns -1 and sets errno on error, unlike "syscall"
instruction.
Systems which have <= 32/64 CPUs are unaffected. Test won't bounce
to all CPUs before completing if there are more of them.
Link: https://lkml.kernel.org/r/Y1bUiT7VRXlXPQa1@p183
Fixes: 1f5bd0547654 ("proc: selftests: test /proc/uptime")
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/proc/proc-uptime-002.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/proc/proc-uptime-002.c b/tools/testing/selftests/proc/proc-uptime-002.c
index e7ceabed7f51..7d0aa22bdc12 100644
--- a/tools/testing/selftests/proc/proc-uptime-002.c
+++ b/tools/testing/selftests/proc/proc-uptime-002.c
@@ -17,6 +17,7 @@
// while shifting across CPUs.
#undef NDEBUG
#include <assert.h>
+#include <errno.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <stdlib.h>
@@ -54,7 +55,7 @@ int main(void)
len += sizeof(unsigned long);
free(m);
m = malloc(len);
- } while (sys_sched_getaffinity(0, len, m) == -EINVAL);
+ } while (sys_sched_getaffinity(0, len, m) == -1 && errno == EINVAL);
fd = open("/proc/uptime", O_RDONLY);
assert(fd >= 0);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 056/783] lib/fonts: fix undefined behavior in bit shift for get_default_font
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 055/783] proc: fixup uptime selftest Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 057/783] ocfs2: fix memory leak in ocfs2_stack_glue_init() Greg Kroah-Hartman
` (736 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Andrew Morton, Sasha Levin
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit 6fe888c4d2fb174408e4540bb2d5602b9f507f90 ]
Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:
UBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20
left shift of 1 by 31 places cannot be represented in type 'int'
<TASK>
dump_stack_lvl+0x7d/0xa5
dump_stack+0x15/0x1b
ubsan_epilogue+0xe/0x4e
__ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
get_default_font+0x1c7/0x1f0
fbcon_startup+0x347/0x3a0
do_take_over_console+0xce/0x270
do_fbcon_takeover+0xa1/0x170
do_fb_registered+0x2a8/0x340
fbcon_fb_registered+0x47/0xe0
register_framebuffer+0x294/0x4a0
__drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper]
drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper]
drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper]
drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper]
bochs_pci_probe+0x6ca/0x772 [bochs]
local_pci_probe+0x4d/0xb0
pci_device_probe+0x119/0x320
really_probe+0x181/0x550
__driver_probe_device+0xc6/0x220
driver_probe_device+0x32/0x100
__driver_attach+0x195/0x200
bus_for_each_dev+0xbb/0x120
driver_attach+0x27/0x30
bus_add_driver+0x22e/0x2f0
driver_register+0xa9/0x190
__pci_register_driver+0x90/0xa0
bochs_pci_driver_init+0x52/0x1000 [bochs]
do_one_initcall+0x76/0x430
do_init_module+0x61/0x28a
load_module+0x1f82/0x2e50
__do_sys_finit_module+0xf8/0x190
__x64_sys_finit_module+0x23/0x30
do_syscall_64+0x58/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
Link: https://lkml.kernel.org/r/20221031113829.4183153-1-cuigaosheng1@huawei.com
Fixes: c81f717cb9e0 ("fbcon: Fix typo and bogus logic in get_default_font")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/fonts/fonts.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/fonts/fonts.c b/lib/fonts/fonts.c
index 5f4b07b56cd9..973866438608 100644
--- a/lib/fonts/fonts.c
+++ b/lib/fonts/fonts.c
@@ -135,8 +135,8 @@ const struct font_desc *get_default_font(int xres, int yres, u32 font_w,
if (res > 20)
c += 20 - res;
- if ((font_w & (1 << (f->width - 1))) &&
- (font_h & (1 << (f->height - 1))))
+ if ((font_w & (1U << (f->width - 1))) &&
+ (font_h & (1U << (f->height - 1))))
c += 1000;
if (c > cc) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 057/783] ocfs2: fix memory leak in ocfs2_stack_glue_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 056/783] lib/fonts: fix undefined behavior in bit shift for get_default_font Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 058/783] MIPS: vpe-mt: fix possible memory leak while module exiting Greg Kroah-Hartman
` (735 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Gang He,
Jun Piao, Andrew Morton, Sasha Levin
From: Shang XiaoJing <shangxiaojing@huawei.com>
[ Upstream commit 13b6269dd022aaa69ca8d1df374ab327504121cf ]
ocfs2_table_header should be free in ocfs2_stack_glue_init() if
ocfs2_sysfs_init() failed, otherwise kmemleak will report memleak.
BUG: memory leak
unreferenced object 0xffff88810eeb5800 (size 128):
comm "modprobe", pid 4507, jiffies 4296182506 (age 55.888s)
hex dump (first 32 bytes):
c0 40 14 a0 ff ff ff ff 00 00 00 00 01 00 00 00 .@..............
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000001e59e1cd>] __register_sysctl_table+0xca/0xef0
[<00000000c04f70f7>] 0xffffffffa0050037
[<000000001bd12912>] do_one_initcall+0xdb/0x480
[<0000000064f766c9>] do_init_module+0x1cf/0x680
[<000000002ba52db0>] load_module+0x6441/0x6f20
[<000000009772580d>] __do_sys_finit_module+0x12f/0x1c0
[<00000000380c1f22>] do_syscall_64+0x3f/0x90
[<000000004cf473bc>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Link: https://lkml.kernel.org/r/41651ca1-432a-db34-eb97-d35744559de1@linux.alibaba.com
Fixes: 3878f110f71a ("ocfs2: Move the hb_ctl_path sysctl into the stack glue.")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/stackglue.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c
index 03eacb249f37..5e272e257b0b 100644
--- a/fs/ocfs2/stackglue.c
+++ b/fs/ocfs2/stackglue.c
@@ -705,6 +705,8 @@ static struct ctl_table_header *ocfs2_table_header;
static int __init ocfs2_stack_glue_init(void)
{
+ int ret;
+
strcpy(cluster_stack_name, OCFS2_STACK_PLUGIN_O2CB);
ocfs2_table_header = register_sysctl_table(ocfs2_root_table);
@@ -714,7 +716,11 @@ static int __init ocfs2_stack_glue_init(void)
return -ENOMEM; /* or something. */
}
- return ocfs2_sysfs_init();
+ ret = ocfs2_sysfs_init();
+ if (ret)
+ unregister_sysctl_table(ocfs2_table_header);
+
+ return ret;
}
static void __exit ocfs2_stack_glue_exit(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 058/783] MIPS: vpe-mt: fix possible memory leak while module exiting
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 057/783] ocfs2: fix memory leak in ocfs2_stack_glue_init() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 059/783] MIPS: vpe-cmp: " Greg Kroah-Hartman
` (734 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Thomas Bogendoerfer,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 5822e8cc84ee37338ab0bdc3124f6eec04dc232d ]
Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
bus_id string array"), the name of device is allocated dynamically,
it need be freed when module exiting, call put_device() to give up
reference, so that it can be freed in kobject_cleanup() when the
refcount hit to 0. The vpe_device is static, so remove kfree() from
vpe_device_release().
Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/kernel/vpe-mt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/mips/kernel/vpe-mt.c b/arch/mips/kernel/vpe-mt.c
index 2e003b11a098..9fd7cd48ea1d 100644
--- a/arch/mips/kernel/vpe-mt.c
+++ b/arch/mips/kernel/vpe-mt.c
@@ -313,7 +313,6 @@ ATTRIBUTE_GROUPS(vpe);
static void vpe_device_release(struct device *cd)
{
- kfree(cd);
}
static struct class vpe_class = {
@@ -497,6 +496,7 @@ int __init vpe_module_init(void)
device_del(&vpe_device);
out_class:
+ put_device(&vpe_device);
class_unregister(&vpe_class);
out_chrdev:
@@ -509,7 +509,7 @@ void __exit vpe_module_exit(void)
{
struct vpe *v, *n;
- device_del(&vpe_device);
+ device_unregister(&vpe_device);
class_unregister(&vpe_class);
unregister_chrdev(major, VPE_MODULE_NAME);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 059/783] MIPS: vpe-cmp: fix possible memory leak while module exiting
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 058/783] MIPS: vpe-mt: fix possible memory leak while module exiting Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 060/783] selftests/efivarfs: Add checking of the test return value Greg Kroah-Hartman
` (733 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Thomas Bogendoerfer,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit c5ed1fe0801f0c66b0fbce2785239a5664629057 ]
dev_set_name() allocates memory for name, it need be freed
when module exiting, call put_device() to give up reference,
so that it can be freed in kobject_cleanup() when the refcount
hit to 0. The vpe_device is static, so remove kfree() from
vpe_device_release().
Fixes: 17a1d523aa58 ("MIPS: APRP: Add VPE loader support for CMP platforms.")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/kernel/vpe-cmp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/mips/kernel/vpe-cmp.c b/arch/mips/kernel/vpe-cmp.c
index 9268ebc0f61e..903c07bdc92d 100644
--- a/arch/mips/kernel/vpe-cmp.c
+++ b/arch/mips/kernel/vpe-cmp.c
@@ -75,7 +75,6 @@ ATTRIBUTE_GROUPS(vpe);
static void vpe_device_release(struct device *cd)
{
- kfree(cd);
}
static struct class vpe_class = {
@@ -157,6 +156,7 @@ int __init vpe_module_init(void)
device_del(&vpe_device);
out_class:
+ put_device(&vpe_device);
class_unregister(&vpe_class);
out_chrdev:
@@ -169,7 +169,7 @@ void __exit vpe_module_exit(void)
{
struct vpe *v, *n;
- device_del(&vpe_device);
+ device_unregister(&vpe_device);
class_unregister(&vpe_class);
unregister_chrdev(major, VPE_MODULE_NAME);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 060/783] selftests/efivarfs: Add checking of the test return value
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 059/783] MIPS: vpe-cmp: " Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 061/783] PNP: fix name memory leak in pnp_alloc_dev() Greg Kroah-Hartman
` (732 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhao Gongyi, Shuah Khan, Sasha Levin
From: Zhao Gongyi <zhaogongyi@huawei.com>
[ Upstream commit c93924267fe6f2b44af1849f714ae9cd8117a9cd ]
Add checking of the test return value, otherwise it will report success
forever for test_create_read().
Fixes: dff6d2ae56d0 ("selftests/efivarfs: clean up test files from test_create*()")
Signed-off-by: Zhao Gongyi <zhaogongyi@huawei.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/efivarfs/efivarfs.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/testing/selftests/efivarfs/efivarfs.sh b/tools/testing/selftests/efivarfs/efivarfs.sh
index a90f394f9aa9..d374878cc0ba 100755
--- a/tools/testing/selftests/efivarfs/efivarfs.sh
+++ b/tools/testing/selftests/efivarfs/efivarfs.sh
@@ -87,6 +87,11 @@ test_create_read()
{
local file=$efivarfs_mount/$FUNCNAME-$test_guid
./create-read $file
+ if [ $? -ne 0 ]; then
+ echo "create and read $file failed"
+ file_cleanup $file
+ exit 1
+ fi
file_cleanup $file
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 061/783] PNP: fix name memory leak in pnp_alloc_dev()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 060/783] selftests/efivarfs: Add checking of the test return value Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 062/783] perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox() Greg Kroah-Hartman
` (731 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Hanjun Guo,
Rafael J. Wysocki, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 110d7b0325c55ff3620073ba4201845f59e22ebf ]
After commit 1fa5ae857bb1 ("driver core: get rid of struct device's
bus_id string array"), the name of device is allocated dynamically,
move dev_set_name() after pnp_add_id() to avoid memory leak.
Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pnp/core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/pnp/core.c b/drivers/pnp/core.c
index a50ab002e9e4..14bf75ba941d 100644
--- a/drivers/pnp/core.c
+++ b/drivers/pnp/core.c
@@ -160,14 +160,14 @@ struct pnp_dev *pnp_alloc_dev(struct pnp_protocol *protocol, int id,
dev->dev.coherent_dma_mask = dev->dma_mask;
dev->dev.release = &pnp_release_device;
- dev_set_name(&dev->dev, "%02x:%02x", dev->protocol->number, dev->number);
-
dev_id = pnp_add_id(dev, pnpid);
if (!dev_id) {
kfree(dev);
return NULL;
}
+ dev_set_name(&dev->dev, "%02x:%02x", dev->protocol->number, dev->number);
+
return dev;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 062/783] perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 061/783] PNP: fix name memory leak in pnp_alloc_dev() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 063/783] perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map() Greg Kroah-Hartman
` (730 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang,
Peter Zijlstra (Intel),
Kan Liang, Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit 1ff9dd6e7071a561f803135c1d684b13c7a7d01d ]
pci_get_device() will increase the reference count for the returned
'dev'. We need to call pci_dev_put() to decrease the reference count.
Since 'dev' is only used in pci_read_config_dword(), let's add
pci_dev_put() right after it.
Fixes: 9d480158ee86 ("perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Link: https://lore.kernel.org/r/20221118063137.121512-3-wangxiongfeng2@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/intel/uncore_snbep.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
index 03c8047bebb3..aa5da42ff948 100644
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -2828,6 +2828,7 @@ static bool hswep_has_limit_sbox(unsigned int device)
return false;
pci_read_config_dword(dev, HSWEP_PCU_CAPID4_OFFET, &capid4);
+ pci_dev_put(dev);
if (!hswep_get_chop(capid4))
return true;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 063/783] perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 062/783] perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 064/783] perf/x86/intel/uncore: Fix reference count leak in __uncore_imc_init_box() Greg Kroah-Hartman
` (729 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang,
Peter Zijlstra (Intel),
Kan Liang, Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit 8ebd16c11c346751b3944d708e6c181ed4746c39 ]
pci_get_device() will increase the reference count for the returned
pci_dev, so snr_uncore_get_mc_dev() will return a pci_dev with its
reference count increased. We need to call pci_dev_put() to decrease the
reference count. Let's add the missing pci_dev_put().
Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Link: https://lore.kernel.org/r/20221118063137.121512-4-wangxiongfeng2@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/intel/uncore_snbep.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
index aa5da42ff948..2fd49cd515f5 100644
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -4681,6 +4681,8 @@ static void __snr_uncore_mmio_init_box(struct intel_uncore_box *box,
addr += box_ctl;
+ pci_dev_put(pdev);
+
box->io_addr = ioremap(addr, type->mmio_map_size);
if (!box->io_addr) {
pr_warn("perf uncore: Failed to ioremap for %s.\n", type->name);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 064/783] perf/x86/intel/uncore: Fix reference count leak in __uncore_imc_init_box()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 063/783] perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 065/783] platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init() Greg Kroah-Hartman
` (728 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang,
Peter Zijlstra (Intel),
Kan Liang, Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit 17b8d847b92d815d1638f0de154654081d66b281 ]
pci_get_device() will increase the reference count for the returned
pci_dev, so tgl_uncore_get_mc_dev() will return a pci_dev with its
reference count increased. We need to call pci_dev_put() to decrease the
reference count before exiting from __uncore_imc_init_box(). Add
pci_dev_put() for both normal and error path.
Fixes: fdb64822443e ("perf/x86: Add Intel Tiger Lake uncore support")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Link: https://lore.kernel.org/r/20221118063137.121512-5-wangxiongfeng2@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/intel/uncore_snb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/events/intel/uncore_snb.c b/arch/x86/events/intel/uncore_snb.c
index fa9289718147..a4c20e37bec2 100644
--- a/arch/x86/events/intel/uncore_snb.c
+++ b/arch/x86/events/intel/uncore_snb.c
@@ -1274,6 +1274,7 @@ static void tgl_uncore_imc_freerunning_init_box(struct intel_uncore_box *box)
/* MCHBAR is disabled */
if (!(mch_bar & BIT(0))) {
pr_warn("perf uncore: MCHBAR is disabled. Failed to map IMC free-running counters.\n");
+ pci_dev_put(pdev);
return;
}
mch_bar &= ~BIT(0);
@@ -1287,6 +1288,8 @@ static void tgl_uncore_imc_freerunning_init_box(struct intel_uncore_box *box)
box->io_addr = ioremap(addr, type->mmio_map_size);
if (!box->io_addr)
pr_warn("perf uncore: Failed to ioremap for %s.\n", type->name);
+
+ pci_dev_put(pdev);
}
static struct intel_uncore_ops tgl_uncore_imc_freerunning_ops = {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 065/783] platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 064/783] perf/x86/intel/uncore: Fix reference count leak in __uncore_imc_init_box() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 066/783] irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() Greg Kroah-Hartman
` (727 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Can, Brian Norris,
Prashant Malani, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit 5a2d96623670155d94aca72c320c0ac27bdc6bd2 ]
The following WARNING message was given when rmmod cros_usbpd_notify:
Unexpected driver unregister!
WARNING: CPU: 0 PID: 253 at drivers/base/driver.c:270 driver_unregister+0x8a/0xb0
Modules linked in: cros_usbpd_notify(-)
CPU: 0 PID: 253 Comm: rmmod Not tainted 6.1.0-rc3 #24
...
Call Trace:
<TASK>
cros_usbpd_notify_exit+0x11/0x1e [cros_usbpd_notify]
__x64_sys_delete_module+0x3c7/0x570
? __ia32_sys_delete_module+0x570/0x570
? lock_is_held_type+0xe3/0x140
? syscall_enter_from_user_mode+0x17/0x50
? rcu_read_lock_sched_held+0xa0/0xd0
? syscall_enter_from_user_mode+0x1c/0x50
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f333fe9b1b7
The reason is that the cros_usbpd_notify_init() does not check the return
value of platform_driver_register(), and the cros_usbpd_notify can
install successfully even if platform_driver_register() failed.
Fix by checking the return value of platform_driver_register() and
unregister cros_usbpd_notify_plat_driver when it failed.
Fixes: ec2daf6e33f9 ("platform: chrome: Add cros-usbpd-notify driver")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Link: https://lore.kernel.org/r/20221117080823.77549-1-yuancan@huawei.com
Signed-off-by: Prashant Malani <pmalani@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/chrome/cros_usbpd_notify.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/chrome/cros_usbpd_notify.c b/drivers/platform/chrome/cros_usbpd_notify.c
index 7f36142ab12a..19390147ac9d 100644
--- a/drivers/platform/chrome/cros_usbpd_notify.c
+++ b/drivers/platform/chrome/cros_usbpd_notify.c
@@ -284,7 +284,11 @@ static int __init cros_usbpd_notify_init(void)
return ret;
#ifdef CONFIG_ACPI
- platform_driver_register(&cros_usbpd_notify_acpi_driver);
+ ret = platform_driver_register(&cros_usbpd_notify_acpi_driver);
+ if (ret) {
+ platform_driver_unregister(&cros_usbpd_notify_plat_driver);
+ return ret;
+ }
#endif
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 066/783] irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 065/783] platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 067/783] EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() Greg Kroah-Hartman
` (726 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Marc Zyngier, Sasha Levin
From: Shang XiaoJing <shangxiaojing@huawei.com>
[ Upstream commit f9ee20c85b3a3ba0afd3672630ec4f93d339f015 ]
gic_probe() calls pm_runtime_get_sync() and added fail path as
rpm_put to put usage_counter. However, pm_runtime_get_sync()
will increment usage_counter even it failed. Fix it by replacing it with
pm_runtime_resume_and_get() to keep usage counter balanced.
Fixes: 9c8edddfc992 ("irqchip/gic: Add platform driver for non-root GICs that require RPM")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20221124065150.22809-1-shangxiaojing@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/irqchip/irq-gic-pm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/irqchip/irq-gic-pm.c b/drivers/irqchip/irq-gic-pm.c
index 1337ceceb59b..8be7d136c3bf 100644
--- a/drivers/irqchip/irq-gic-pm.c
+++ b/drivers/irqchip/irq-gic-pm.c
@@ -104,7 +104,7 @@ static int gic_probe(struct platform_device *pdev)
pm_runtime_enable(dev);
- ret = pm_runtime_get_sync(dev);
+ ret = pm_runtime_resume_and_get(dev);
if (ret < 0)
goto rpm_disable;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 067/783] EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 066/783] irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 068/783] nfsd: dont call nfsd_file_put from client states seqfile display Greg Kroah-Hartman
` (725 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Qiuxu Zhuo,
Tony Luck, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 9c8921555907f4d723f01ed2d859b66f2d14f08e ]
As the comment of pci_get_domain_bus_and_slot() says, it returns
a PCI device with refcount incremented, so it doesn't need to
call an extra pci_dev_get() in pci_get_dev_wrapper(), and the PCI
device needs to be put in the error path.
Fixes: d4dc89d069aa ("EDAC, i10nm: Add a driver for Intel 10nm server processors")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Link: https://lore.kernel.org/r/20221128065512.3572550-1-yangyingliang@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/edac/i10nm_base.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/edac/i10nm_base.c b/drivers/edac/i10nm_base.c
index 3a7362f968c9..43dbea6b6e30 100644
--- a/drivers/edac/i10nm_base.c
+++ b/drivers/edac/i10nm_base.c
@@ -53,11 +53,10 @@ static struct pci_dev *pci_get_dev_wrapper(int dom, unsigned int bus,
if (unlikely(pci_enable_device(pdev) < 0)) {
edac_dbg(2, "Failed to enable device %02x:%02x.%x\n",
bus, dev, fun);
+ pci_dev_put(pdev);
return NULL;
}
- pci_dev_get(pdev);
-
return pdev;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 068/783] nfsd: dont call nfsd_file_put from client states seqfile display
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 067/783] EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 069/783] genirq/irqdesc: Dont try to remove non-existing sysfs files Greg Kroah-Hartman
` (724 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhi Li, Jeff Layton, Chuck Lever,
Sasha Levin
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit e0aa651068bfd520afcd357af8ecd2de005fc83d ]
We had a report of this:
BUG: sleeping function called from invalid context at fs/nfsd/filecache.c:440
...with a stack trace showing nfsd_file_put being called from
nfs4_show_open. This code has always tried to call fput while holding a
spinlock, but we recently changed this to use the filecache, and that
started triggering the might_sleep() in nfsd_file_put.
states_start takes and holds the cl_lock while iterating over the
client's states, and we can't sleep with that held.
Have the various nfs4_show_* functions instead hold the fi_lock instead
of taking a nfsd_file reference.
Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens")
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2138357
Reported-by: Zhi Li <yieli@redhat.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 51 +++++++++++++++++++++++++++++----------------
1 file changed, 33 insertions(+), 18 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 665d0eaeb8db..9a47cc66963f 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -507,15 +507,26 @@ find_any_file(struct nfs4_file *f)
return ret;
}
-static struct nfsd_file *find_deleg_file(struct nfs4_file *f)
+static struct nfsd_file *find_any_file_locked(struct nfs4_file *f)
{
- struct nfsd_file *ret = NULL;
+ lockdep_assert_held(&f->fi_lock);
+
+ if (f->fi_fds[O_RDWR])
+ return f->fi_fds[O_RDWR];
+ if (f->fi_fds[O_WRONLY])
+ return f->fi_fds[O_WRONLY];
+ if (f->fi_fds[O_RDONLY])
+ return f->fi_fds[O_RDONLY];
+ return NULL;
+}
+
+static struct nfsd_file *find_deleg_file_locked(struct nfs4_file *f)
+{
+ lockdep_assert_held(&f->fi_lock);
- spin_lock(&f->fi_lock);
if (f->fi_deleg_file)
- ret = nfsd_file_get(f->fi_deleg_file);
- spin_unlock(&f->fi_lock);
- return ret;
+ return f->fi_deleg_file;
+ return NULL;
}
static atomic_long_t num_delegations;
@@ -2462,9 +2473,11 @@ static int nfs4_show_open(struct seq_file *s, struct nfs4_stid *st)
ols = openlockstateid(st);
oo = ols->st_stateowner;
nf = st->sc_file;
- file = find_any_file(nf);
+
+ spin_lock(&nf->fi_lock);
+ file = find_any_file_locked(nf);
if (!file)
- return 0;
+ goto out;
seq_printf(s, "- ");
nfs4_show_stateid(s, &st->sc_stateid);
@@ -2486,8 +2499,8 @@ static int nfs4_show_open(struct seq_file *s, struct nfs4_stid *st)
seq_printf(s, ", ");
nfs4_show_owner(s, oo);
seq_printf(s, " }\n");
- nfsd_file_put(file);
-
+out:
+ spin_unlock(&nf->fi_lock);
return 0;
}
@@ -2501,9 +2514,10 @@ static int nfs4_show_lock(struct seq_file *s, struct nfs4_stid *st)
ols = openlockstateid(st);
oo = ols->st_stateowner;
nf = st->sc_file;
- file = find_any_file(nf);
+ spin_lock(&nf->fi_lock);
+ file = find_any_file_locked(nf);
if (!file)
- return 0;
+ goto out;
seq_printf(s, "- ");
nfs4_show_stateid(s, &st->sc_stateid);
@@ -2523,8 +2537,8 @@ static int nfs4_show_lock(struct seq_file *s, struct nfs4_stid *st)
seq_printf(s, ", ");
nfs4_show_owner(s, oo);
seq_printf(s, " }\n");
- nfsd_file_put(file);
-
+out:
+ spin_unlock(&nf->fi_lock);
return 0;
}
@@ -2536,9 +2550,10 @@ static int nfs4_show_deleg(struct seq_file *s, struct nfs4_stid *st)
ds = delegstateid(st);
nf = st->sc_file;
- file = find_deleg_file(nf);
+ spin_lock(&nf->fi_lock);
+ file = find_deleg_file_locked(nf);
if (!file)
- return 0;
+ goto out;
seq_printf(s, "- ");
nfs4_show_stateid(s, &st->sc_stateid);
@@ -2554,8 +2569,8 @@ static int nfs4_show_deleg(struct seq_file *s, struct nfs4_stid *st)
seq_printf(s, ", ");
nfs4_show_fname(s, file);
seq_printf(s, " }\n");
- nfsd_file_put(file);
-
+out:
+ spin_unlock(&nf->fi_lock);
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 069/783] genirq/irqdesc: Dont try to remove non-existing sysfs files
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 068/783] nfsd: dont call nfsd_file_put from client states seqfile display Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 070/783] cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() Greg Kroah-Hartman
` (723 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Thomas Gleixner,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 9049e1ca41983ab773d7ea244bee86d7835ec9f5 ]
Fault injection tests trigger warnings like this:
kernfs: can not remove 'chip_name', no directory
WARNING: CPU: 0 PID: 253 at fs/kernfs/dir.c:1616 kernfs_remove_by_name_ns+0xce/0xe0
RIP: 0010:kernfs_remove_by_name_ns+0xce/0xe0
Call Trace:
<TASK>
remove_files.isra.1+0x3f/0xb0
sysfs_remove_group+0x68/0xe0
sysfs_remove_groups+0x41/0x70
__kobject_del+0x45/0xc0
kobject_del+0x29/0x40
free_desc+0x42/0x70
irq_free_descs+0x5e/0x90
The reason is that the interrupt descriptor sysfs handling does not roll
back on a failing kobject_add() during allocation. If the descriptor is
freed later on, kobject_del() is invoked with a not added kobject resulting
in the above warnings.
A proper rollback in case of a kobject_add() failure would be the straight
forward solution. But this is not possible due to the way how interrupt
descriptor sysfs handling works.
Interrupt descriptors are allocated before sysfs becomes available. So the
sysfs files for the early allocated descriptors are added later in the boot
process. At this point there can be nothing useful done about a failing
kobject_add(). For consistency the interrupt descriptor allocation always
treats kobject_add() failures as non-critical and just emits a warning.
To solve this problem, keep track in the interrupt descriptor whether
kobject_add() was successful or not and make the invocation of
kobject_del() conditional on that.
[ tglx: Massage changelog, comments and use a state bit. ]
Fixes: ecb3f394c5db ("genirq: Expose interrupt information through sysfs")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20221128151612.1786122-1-yangyingliang@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/irq/internals.h | 2 ++
kernel/irq/irqdesc.c | 15 +++++++++------
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h
index e58342ace11f..f1d83a8b4417 100644
--- a/kernel/irq/internals.h
+++ b/kernel/irq/internals.h
@@ -52,6 +52,7 @@ enum {
* IRQS_PENDING - irq is pending and replayed later
* IRQS_SUSPENDED - irq is suspended
* IRQS_NMI - irq line is used to deliver NMIs
+ * IRQS_SYSFS - descriptor has been added to sysfs
*/
enum {
IRQS_AUTODETECT = 0x00000001,
@@ -64,6 +65,7 @@ enum {
IRQS_SUSPENDED = 0x00000800,
IRQS_TIMINGS = 0x00001000,
IRQS_NMI = 0x00002000,
+ IRQS_SYSFS = 0x00004000,
};
#include "debug.h"
diff --git a/kernel/irq/irqdesc.c b/kernel/irq/irqdesc.c
index ca36c6179aa7..9b0914a063f9 100644
--- a/kernel/irq/irqdesc.c
+++ b/kernel/irq/irqdesc.c
@@ -288,22 +288,25 @@ static void irq_sysfs_add(int irq, struct irq_desc *desc)
if (irq_kobj_base) {
/*
* Continue even in case of failure as this is nothing
- * crucial.
+ * crucial and failures in the late irq_sysfs_init()
+ * cannot be rolled back.
*/
if (kobject_add(&desc->kobj, irq_kobj_base, "%d", irq))
pr_warn("Failed to add kobject for irq %d\n", irq);
+ else
+ desc->istate |= IRQS_SYSFS;
}
}
static void irq_sysfs_del(struct irq_desc *desc)
{
/*
- * If irq_sysfs_init() has not yet been invoked (early boot), then
- * irq_kobj_base is NULL and the descriptor was never added.
- * kobject_del() complains about a object with no parent, so make
- * it conditional.
+ * Only invoke kobject_del() when kobject_add() was successfully
+ * invoked for the descriptor. This covers both early boot, where
+ * sysfs is not initialized yet, and the case of a failed
+ * kobject_add() invocation.
*/
- if (irq_kobj_base)
+ if (desc->istate & IRQS_SYSFS)
kobject_del(&desc->kobj);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 070/783] cpufreq: amd_freq_sensitivity: Add missing pci_dev_put()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 069/783] genirq/irqdesc: Dont try to remove non-existing sysfs files Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 071/783] libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value Greg Kroah-Hartman
` (722 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Rafael J. Wysocki,
Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit 91fda1f88c0968f1491ab150bb01690525af150a ]
pci_get_device() will increase the reference count for the returned
pci_dev. We need to use pci_dev_put() to decrease the reference count
after using pci_get_device(). Let's add it.
Fixes: 59a3b3a8db16 ("cpufreq: AMD: Ignore the check for ProcFeedback in ST/CZ")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/amd_freq_sensitivity.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/cpufreq/amd_freq_sensitivity.c b/drivers/cpufreq/amd_freq_sensitivity.c
index d0b10baf039a..151771129c7b 100644
--- a/drivers/cpufreq/amd_freq_sensitivity.c
+++ b/drivers/cpufreq/amd_freq_sensitivity.c
@@ -124,6 +124,8 @@ static int __init amd_freq_sensitivity_init(void)
if (!pcidev) {
if (!boot_cpu_has(X86_FEATURE_PROC_FEEDBACK))
return -ENODEV;
+ } else {
+ pci_dev_put(pcidev);
}
if (rdmsrl_safe(MSR_AMD64_FREQ_SENSITIVITY_ACTUAL, &val))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 071/783] libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 070/783] cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 072/783] lib/notifier-error-inject: fix error when writing -errno to debugfs file Greg Kroah-Hartman
` (721 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akinobu Mita, Zhao Gongyi,
David Hildenbrand, Alexander Viro, Jonathan Corbet,
Oscar Salvador, Rafael J. Wysocki, Shuah Khan, Wei Yongjun,
Yicong Yang, Andrew Morton, Sasha Levin
From: Akinobu Mita <akinobu.mita@gmail.com>
[ Upstream commit 2e41f274f9aa71cdcc69dc1f26a3f9304a651804 ]
Patch series "fix error when writing negative value to simple attribute
files".
The simple attribute files do not accept a negative value since the commit
488dac0c9237 ("libfs: fix error cast of negative value in
simple_attr_write()"), but some attribute files want to accept a negative
value.
This patch (of 3):
The simple attribute files do not accept a negative value since the commit
488dac0c9237 ("libfs: fix error cast of negative value in
simple_attr_write()"), so we have to use a 64-bit value to write a
negative value.
This adds DEFINE_SIMPLE_ATTRIBUTE_SIGNED for a signed value.
Link: https://lkml.kernel.org/r/20220919172418.45257-1-akinobu.mita@gmail.com
Link: https://lkml.kernel.org/r/20220919172418.45257-2-akinobu.mita@gmail.com
Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()")
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Rafael J. Wysocki <rafael@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Cc: Yicong Yang <yangyicong@hisilicon.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/libfs.c | 22 +++++++++++++++++++---
include/linux/fs.h | 12 ++++++++++--
2 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/fs/libfs.c b/fs/libfs.c
index 7124c2e8df2f..aa0fbd720409 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -955,8 +955,8 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
EXPORT_SYMBOL_GPL(simple_attr_read);
/* interpret the buffer as a number to call the set function with */
-ssize_t simple_attr_write(struct file *file, const char __user *buf,
- size_t len, loff_t *ppos)
+static ssize_t simple_attr_write_xsigned(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos, bool is_signed)
{
struct simple_attr *attr;
unsigned long long val;
@@ -977,7 +977,10 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf,
goto out;
attr->set_buf[size] = '\0';
- ret = kstrtoull(attr->set_buf, 0, &val);
+ if (is_signed)
+ ret = kstrtoll(attr->set_buf, 0, &val);
+ else
+ ret = kstrtoull(attr->set_buf, 0, &val);
if (ret)
goto out;
ret = attr->set(attr->data, val);
@@ -987,8 +990,21 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf,
mutex_unlock(&attr->mutex);
return ret;
}
+
+ssize_t simple_attr_write(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos)
+{
+ return simple_attr_write_xsigned(file, buf, len, ppos, false);
+}
EXPORT_SYMBOL_GPL(simple_attr_write);
+ssize_t simple_attr_write_signed(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos)
+{
+ return simple_attr_write_xsigned(file, buf, len, ppos, true);
+}
+EXPORT_SYMBOL_GPL(simple_attr_write_signed);
+
/**
* generic_fh_to_dentry - generic helper for the fh_to_dentry export operation
* @sb: filesystem to do the file handle conversion on
diff --git a/include/linux/fs.h b/include/linux/fs.h
index ebfc0b2b4969..9a477e537361 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -3345,7 +3345,7 @@ void simple_transaction_set(struct file *file, size_t n);
* All attributes contain a text representation of a numeric value
* that are accessed with the get() and set() functions.
*/
-#define DEFINE_SIMPLE_ATTRIBUTE(__fops, __get, __set, __fmt) \
+#define DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, __is_signed) \
static int __fops ## _open(struct inode *inode, struct file *file) \
{ \
__simple_attr_check_format(__fmt, 0ull); \
@@ -3356,10 +3356,16 @@ static const struct file_operations __fops = { \
.open = __fops ## _open, \
.release = simple_attr_release, \
.read = simple_attr_read, \
- .write = simple_attr_write, \
+ .write = (__is_signed) ? simple_attr_write_signed : simple_attr_write, \
.llseek = generic_file_llseek, \
}
+#define DEFINE_SIMPLE_ATTRIBUTE(__fops, __get, __set, __fmt) \
+ DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, false)
+
+#define DEFINE_SIMPLE_ATTRIBUTE_SIGNED(__fops, __get, __set, __fmt) \
+ DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, true)
+
static inline __printf(1, 2)
void __simple_attr_check_format(const char *fmt, ...)
{
@@ -3374,6 +3380,8 @@ ssize_t simple_attr_read(struct file *file, char __user *buf,
size_t len, loff_t *ppos);
ssize_t simple_attr_write(struct file *file, const char __user *buf,
size_t len, loff_t *ppos);
+ssize_t simple_attr_write_signed(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos);
struct ctl_table;
int proc_nr_files(struct ctl_table *table, int write,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 072/783] lib/notifier-error-inject: fix error when writing -errno to debugfs file
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 071/783] libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 073/783] docs: fault-injection: fix non-working usage of negative values Greg Kroah-Hartman
` (720 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akinobu Mita, Zhao Gongyi,
David Hildenbrand, Alexander Viro, Jonathan Corbet,
Oscar Salvador, Rafael J. Wysocki, Shuah Khan, Wei Yongjun,
Yicong Yang, Andrew Morton, Sasha Levin
From: Akinobu Mita <akinobu.mita@gmail.com>
[ Upstream commit f883c3edd2c432a2931ec8773c70a570115a50fe ]
The simple attribute files do not accept a negative value since the commit
488dac0c9237 ("libfs: fix error cast of negative value in
simple_attr_write()").
This restores the previous behaviour by using newly introduced
DEFINE_SIMPLE_ATTRIBUTE_SIGNED instead of DEFINE_SIMPLE_ATTRIBUTE.
Link: https://lkml.kernel.org/r/20220919172418.45257-3-akinobu.mita@gmail.com
Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()")
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Rafael J. Wysocki <rafael@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Cc: Yicong Yang <yangyicong@hisilicon.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/notifier-error-inject.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/notifier-error-inject.c b/lib/notifier-error-inject.c
index 21016b32d313..2b24ea6c9497 100644
--- a/lib/notifier-error-inject.c
+++ b/lib/notifier-error-inject.c
@@ -15,7 +15,7 @@ static int debugfs_errno_get(void *data, u64 *val)
return 0;
}
-DEFINE_SIMPLE_ATTRIBUTE(fops_errno, debugfs_errno_get, debugfs_errno_set,
+DEFINE_SIMPLE_ATTRIBUTE_SIGNED(fops_errno, debugfs_errno_get, debugfs_errno_set,
"%lld\n");
static struct dentry *debugfs_create_errno(const char *name, umode_t mode,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 073/783] docs: fault-injection: fix non-working usage of negative values
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 072/783] lib/notifier-error-inject: fix error when writing -errno to debugfs file Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 074/783] debugfs: fix error when writing negative value to atomic_t debugfs file Greg Kroah-Hartman
` (719 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Jonathan Corbet, Sasha Levin
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 005747526d4f3c2ec995891e95cb7625161022f9 ]
Fault injection uses debugfs in a way that the provided values via sysfs
are interpreted as u64. Providing negative numbers results in an error:
/sys/kernel/debug/fail_function# echo -1 > times
sh: write error: Invalid argument
Update the docs and examples to use "printf %#x <val>" in these cases.
For "retval", reword the paragraph a little and fix a typo.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Link: https://lore.kernel.org/r/20210603125841.27436-1-wsa+renesas@sang-engineering.com
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Stable-dep-of: d472cf797c4e ("debugfs: fix error when writing negative value to atomic_t debugfs file")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../fault-injection/fault-injection.rst | 24 +++++++++++--------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/Documentation/fault-injection/fault-injection.rst b/Documentation/fault-injection/fault-injection.rst
index 31ecfe44e5b4..f47d05ed0d94 100644
--- a/Documentation/fault-injection/fault-injection.rst
+++ b/Documentation/fault-injection/fault-injection.rst
@@ -78,8 +78,10 @@ configuration of fault-injection capabilities.
- /sys/kernel/debug/fail*/times:
- specifies how many times failures may happen at most.
- A value of -1 means "no limit".
+ specifies how many times failures may happen at most. A value of -1
+ means "no limit". Note, though, that this file only accepts unsigned
+ values. So, if you want to specify -1, you better use 'printf' instead
+ of 'echo', e.g.: $ printf %#x -1 > times
- /sys/kernel/debug/fail*/space:
@@ -167,11 +169,13 @@ configuration of fault-injection capabilities.
- ERRNO: retval must be -1 to -MAX_ERRNO (-4096).
- ERR_NULL: retval must be 0 or -1 to -MAX_ERRNO (-4096).
-- /sys/kernel/debug/fail_function/<functiuon-name>/retval:
+- /sys/kernel/debug/fail_function/<function-name>/retval:
- specifies the "error" return value to inject to the given
- function for given function. This will be created when
- user specifies new injection entry.
+ specifies the "error" return value to inject to the given function.
+ This will be created when the user specifies a new injection entry.
+ Note that this file only accepts unsigned values. So, if you want to
+ use a negative errno, you better use 'printf' instead of 'echo', e.g.:
+ $ printf %#x -12 > retval
Boot option
^^^^^^^^^^^
@@ -255,7 +259,7 @@ Application Examples
echo Y > /sys/kernel/debug/$FAILTYPE/task-filter
echo 10 > /sys/kernel/debug/$FAILTYPE/probability
echo 100 > /sys/kernel/debug/$FAILTYPE/interval
- echo -1 > /sys/kernel/debug/$FAILTYPE/times
+ printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times
echo 0 > /sys/kernel/debug/$FAILTYPE/space
echo 2 > /sys/kernel/debug/$FAILTYPE/verbose
echo 1 > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait
@@ -309,7 +313,7 @@ Application Examples
echo N > /sys/kernel/debug/$FAILTYPE/task-filter
echo 10 > /sys/kernel/debug/$FAILTYPE/probability
echo 100 > /sys/kernel/debug/$FAILTYPE/interval
- echo -1 > /sys/kernel/debug/$FAILTYPE/times
+ printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times
echo 0 > /sys/kernel/debug/$FAILTYPE/space
echo 2 > /sys/kernel/debug/$FAILTYPE/verbose
echo 1 > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait
@@ -336,11 +340,11 @@ Application Examples
FAILTYPE=fail_function
FAILFUNC=open_ctree
echo $FAILFUNC > /sys/kernel/debug/$FAILTYPE/inject
- echo -12 > /sys/kernel/debug/$FAILTYPE/$FAILFUNC/retval
+ printf %#x -12 > /sys/kernel/debug/$FAILTYPE/$FAILFUNC/retval
echo N > /sys/kernel/debug/$FAILTYPE/task-filter
echo 100 > /sys/kernel/debug/$FAILTYPE/probability
echo 0 > /sys/kernel/debug/$FAILTYPE/interval
- echo -1 > /sys/kernel/debug/$FAILTYPE/times
+ printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times
echo 0 > /sys/kernel/debug/$FAILTYPE/space
echo 1 > /sys/kernel/debug/$FAILTYPE/verbose
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 074/783] debugfs: fix error when writing negative value to atomic_t debugfs file
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 073/783] docs: fault-injection: fix non-working usage of negative values Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 075/783] ocfs2: ocfs2_mount_volume does cleanup job before return error Greg Kroah-Hartman
` (718 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akinobu Mita, Zhao Gongyi,
David Hildenbrand, Alexander Viro, Jonathan Corbet,
Oscar Salvador, Rafael J. Wysocki, Shuah Khan, Wei Yongjun,
Yicong Yang, Andrew Morton, Sasha Levin
From: Akinobu Mita <akinobu.mita@gmail.com>
[ Upstream commit d472cf797c4e268613dbce5ec9b95d0bcae19ecb ]
The simple attribute files do not accept a negative value since the commit
488dac0c9237 ("libfs: fix error cast of negative value in
simple_attr_write()"), so we have to use a 64-bit value to write a
negative value for a debugfs file created by debugfs_create_atomic_t().
This restores the previous behaviour by introducing
DEFINE_DEBUGFS_ATTRIBUTE_SIGNED for a signed value.
Link: https://lkml.kernel.org/r/20220919172418.45257-4-akinobu.mita@gmail.com
Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()")
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Reported-by: Zhao Gongyi <zhaogongyi@huawei.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Rafael J. Wysocki <rafael@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Cc: Yicong Yang <yangyicong@hisilicon.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../fault-injection/fault-injection.rst | 10 +++----
fs/debugfs/file.c | 28 +++++++++++++++----
include/linux/debugfs.h | 19 +++++++++++--
3 files changed, 43 insertions(+), 14 deletions(-)
diff --git a/Documentation/fault-injection/fault-injection.rst b/Documentation/fault-injection/fault-injection.rst
index f47d05ed0d94..47de5006f645 100644
--- a/Documentation/fault-injection/fault-injection.rst
+++ b/Documentation/fault-injection/fault-injection.rst
@@ -79,9 +79,7 @@ configuration of fault-injection capabilities.
- /sys/kernel/debug/fail*/times:
specifies how many times failures may happen at most. A value of -1
- means "no limit". Note, though, that this file only accepts unsigned
- values. So, if you want to specify -1, you better use 'printf' instead
- of 'echo', e.g.: $ printf %#x -1 > times
+ means "no limit".
- /sys/kernel/debug/fail*/space:
@@ -259,7 +257,7 @@ Application Examples
echo Y > /sys/kernel/debug/$FAILTYPE/task-filter
echo 10 > /sys/kernel/debug/$FAILTYPE/probability
echo 100 > /sys/kernel/debug/$FAILTYPE/interval
- printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times
+ echo -1 > /sys/kernel/debug/$FAILTYPE/times
echo 0 > /sys/kernel/debug/$FAILTYPE/space
echo 2 > /sys/kernel/debug/$FAILTYPE/verbose
echo 1 > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait
@@ -313,7 +311,7 @@ Application Examples
echo N > /sys/kernel/debug/$FAILTYPE/task-filter
echo 10 > /sys/kernel/debug/$FAILTYPE/probability
echo 100 > /sys/kernel/debug/$FAILTYPE/interval
- printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times
+ echo -1 > /sys/kernel/debug/$FAILTYPE/times
echo 0 > /sys/kernel/debug/$FAILTYPE/space
echo 2 > /sys/kernel/debug/$FAILTYPE/verbose
echo 1 > /sys/kernel/debug/$FAILTYPE/ignore-gfp-wait
@@ -344,7 +342,7 @@ Application Examples
echo N > /sys/kernel/debug/$FAILTYPE/task-filter
echo 100 > /sys/kernel/debug/$FAILTYPE/probability
echo 0 > /sys/kernel/debug/$FAILTYPE/interval
- printf %#x -1 > /sys/kernel/debug/$FAILTYPE/times
+ echo -1 > /sys/kernel/debug/$FAILTYPE/times
echo 0 > /sys/kernel/debug/$FAILTYPE/space
echo 1 > /sys/kernel/debug/$FAILTYPE/verbose
diff --git a/fs/debugfs/file.c b/fs/debugfs/file.c
index 96059af28f50..42bab9270e7d 100644
--- a/fs/debugfs/file.c
+++ b/fs/debugfs/file.c
@@ -378,8 +378,8 @@ ssize_t debugfs_attr_read(struct file *file, char __user *buf,
}
EXPORT_SYMBOL_GPL(debugfs_attr_read);
-ssize_t debugfs_attr_write(struct file *file, const char __user *buf,
- size_t len, loff_t *ppos)
+static ssize_t debugfs_attr_write_xsigned(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos, bool is_signed)
{
struct dentry *dentry = F_DENTRY(file);
ssize_t ret;
@@ -387,12 +387,28 @@ ssize_t debugfs_attr_write(struct file *file, const char __user *buf,
ret = debugfs_file_get(dentry);
if (unlikely(ret))
return ret;
- ret = simple_attr_write(file, buf, len, ppos);
+ if (is_signed)
+ ret = simple_attr_write_signed(file, buf, len, ppos);
+ else
+ ret = simple_attr_write(file, buf, len, ppos);
debugfs_file_put(dentry);
return ret;
}
+
+ssize_t debugfs_attr_write(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos)
+{
+ return debugfs_attr_write_xsigned(file, buf, len, ppos, false);
+}
EXPORT_SYMBOL_GPL(debugfs_attr_write);
+ssize_t debugfs_attr_write_signed(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos)
+{
+ return debugfs_attr_write_xsigned(file, buf, len, ppos, true);
+}
+EXPORT_SYMBOL_GPL(debugfs_attr_write_signed);
+
static struct dentry *debugfs_create_mode_unsafe(const char *name, umode_t mode,
struct dentry *parent, void *value,
const struct file_operations *fops,
@@ -748,11 +764,11 @@ static int debugfs_atomic_t_get(void *data, u64 *val)
*val = atomic_read((atomic_t *)data);
return 0;
}
-DEFINE_DEBUGFS_ATTRIBUTE(fops_atomic_t, debugfs_atomic_t_get,
+DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(fops_atomic_t, debugfs_atomic_t_get,
debugfs_atomic_t_set, "%lld\n");
-DEFINE_DEBUGFS_ATTRIBUTE(fops_atomic_t_ro, debugfs_atomic_t_get, NULL,
+DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(fops_atomic_t_ro, debugfs_atomic_t_get, NULL,
"%lld\n");
-DEFINE_DEBUGFS_ATTRIBUTE(fops_atomic_t_wo, NULL, debugfs_atomic_t_set,
+DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(fops_atomic_t_wo, NULL, debugfs_atomic_t_set,
"%lld\n");
/**
diff --git a/include/linux/debugfs.h b/include/linux/debugfs.h
index 2357109a8901..9a87215b5526 100644
--- a/include/linux/debugfs.h
+++ b/include/linux/debugfs.h
@@ -45,7 +45,7 @@ struct debugfs_u32_array {
extern struct dentry *arch_debugfs_dir;
-#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \
+#define DEFINE_DEBUGFS_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, __is_signed) \
static int __fops ## _open(struct inode *inode, struct file *file) \
{ \
__simple_attr_check_format(__fmt, 0ull); \
@@ -56,10 +56,16 @@ static const struct file_operations __fops = { \
.open = __fops ## _open, \
.release = simple_attr_release, \
.read = debugfs_attr_read, \
- .write = debugfs_attr_write, \
+ .write = (__is_signed) ? debugfs_attr_write_signed : debugfs_attr_write, \
.llseek = no_llseek, \
}
+#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \
+ DEFINE_DEBUGFS_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, false)
+
+#define DEFINE_DEBUGFS_ATTRIBUTE_SIGNED(__fops, __get, __set, __fmt) \
+ DEFINE_DEBUGFS_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, true)
+
typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *);
#if defined(CONFIG_DEBUG_FS)
@@ -102,6 +108,8 @@ ssize_t debugfs_attr_read(struct file *file, char __user *buf,
size_t len, loff_t *ppos);
ssize_t debugfs_attr_write(struct file *file, const char __user *buf,
size_t len, loff_t *ppos);
+ssize_t debugfs_attr_write_signed(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos);
struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry,
struct dentry *new_dir, const char *new_name);
@@ -249,6 +257,13 @@ static inline ssize_t debugfs_attr_write(struct file *file,
return -ENODEV;
}
+static inline ssize_t debugfs_attr_write_signed(struct file *file,
+ const char __user *buf,
+ size_t len, loff_t *ppos)
+{
+ return -ENODEV;
+}
+
static inline struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry,
struct dentry *new_dir, char *new_name)
{
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 075/783] ocfs2: ocfs2_mount_volume does cleanup job before return error
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 074/783] debugfs: fix error when writing negative value to atomic_t debugfs file Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 076/783] ocfs2: rewrite error handling of ocfs2_fill_super Greg Kroah-Hartman
` (717 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heming Zhao, Joseph Qi, Changwei Ge,
Gang He, Joel Becker, Jun Piao, Junxiao Bi, Mark Fasheh,
Andrew Morton, Sasha Levin
From: Heming Zhao via Ocfs2-devel <ocfs2-devel@oss.oracle.com>
[ Upstream commit 0737e01de9c411e4db87dcedf4a9789d41b1c5c1 ]
After this patch, when error, ocfs2_fill_super doesn't take care to
release resources which are allocated in ocfs2_mount_volume.
Link: https://lkml.kernel.org/r/20220424130952.2436-5-heming.zhao@suse.com
Signed-off-by: Heming Zhao <heming.zhao@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Mark Fasheh <mark@fasheh.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: ce2fcf1516d6 ("ocfs2: fix memory leak in ocfs2_mount_volume()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/super.c | 35 +++++++++++++++++++++++------------
1 file changed, 23 insertions(+), 12 deletions(-)
diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index c0e5f1bad499..ca0d6debae97 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -1787,11 +1787,10 @@ static int ocfs2_get_sector(struct super_block *sb,
static int ocfs2_mount_volume(struct super_block *sb)
{
int status = 0;
- int unlock_super = 0;
struct ocfs2_super *osb = OCFS2_SB(sb);
if (ocfs2_is_hard_readonly(osb))
- goto leave;
+ goto out;
mutex_init(&osb->obs_trim_fs_mutex);
@@ -1801,44 +1800,56 @@ static int ocfs2_mount_volume(struct super_block *sb)
if (status == -EBADR && ocfs2_userspace_stack(osb))
mlog(ML_ERROR, "couldn't mount because cluster name on"
" disk does not match the running cluster name.\n");
- goto leave;
+ goto out;
}
status = ocfs2_super_lock(osb, 1);
if (status < 0) {
mlog_errno(status);
- goto leave;
+ goto out_dlm;
}
- unlock_super = 1;
/* This will load up the node map and add ourselves to it. */
status = ocfs2_find_slot(osb);
if (status < 0) {
mlog_errno(status);
- goto leave;
+ goto out_super_lock;
}
/* load all node-local system inodes */
status = ocfs2_init_local_system_inodes(osb);
if (status < 0) {
mlog_errno(status);
- goto leave;
+ goto out_super_lock;
}
status = ocfs2_check_volume(osb);
if (status < 0) {
mlog_errno(status);
- goto leave;
+ goto out_system_inodes;
}
status = ocfs2_truncate_log_init(osb);
- if (status < 0)
+ if (status < 0) {
mlog_errno(status);
+ goto out_system_inodes;
+ }
-leave:
- if (unlock_super)
- ocfs2_super_unlock(osb, 1);
+ ocfs2_super_unlock(osb, 1);
+ return 0;
+out_system_inodes:
+ if (osb->local_alloc_state == OCFS2_LA_ENABLED)
+ ocfs2_shutdown_local_alloc(osb);
+ ocfs2_release_system_inodes(osb);
+ /* before journal shutdown, we should release slot_info */
+ ocfs2_free_slot_info(osb);
+ ocfs2_journal_shutdown(osb);
+out_super_lock:
+ ocfs2_super_unlock(osb, 1);
+out_dlm:
+ ocfs2_dlm_shutdown(osb, 0);
+out:
return status;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 076/783] ocfs2: rewrite error handling of ocfs2_fill_super
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 075/783] ocfs2: ocfs2_mount_volume does cleanup job before return error Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 077/783] ocfs2: fix memory leak in ocfs2_mount_volume() Greg Kroah-Hartman
` (716 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heming Zhao, Joseph Qi, Changwei Ge,
Gang He, Joel Becker, Jun Piao, Junxiao Bi, Mark Fasheh,
Andrew Morton, Sasha Levin
From: Heming Zhao via Ocfs2-devel <ocfs2-devel@oss.oracle.com>
[ Upstream commit f1e75d128b46e3b066e7b2e7cfca10491109d44d ]
Current ocfs2_fill_super() uses one goto label "read_super_error" to
handle all error cases. And with previous serial patches, the error
handling should fork more branches to handle different error cases. This
patch rewrite the error handling of ocfs2_fill_super.
Link: https://lkml.kernel.org/r/20220424130952.2436-6-heming.zhao@suse.com
Signed-off-by: Heming Zhao <heming.zhao@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Mark Fasheh <mark@fasheh.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: ce2fcf1516d6 ("ocfs2: fix memory leak in ocfs2_mount_volume()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/super.c | 67 +++++++++++++++++++++++-------------------------
1 file changed, 32 insertions(+), 35 deletions(-)
diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index ca0d6debae97..72c44f7d7bd4 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -984,28 +984,27 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
if (!ocfs2_parse_options(sb, data, &parsed_options, 0)) {
status = -EINVAL;
- goto read_super_error;
+ goto out;
}
/* probe for superblock */
status = ocfs2_sb_probe(sb, &bh, §or_size, &stats);
if (status < 0) {
mlog(ML_ERROR, "superblock probe failed!\n");
- goto read_super_error;
+ goto out;
}
status = ocfs2_initialize_super(sb, bh, sector_size, &stats);
- osb = OCFS2_SB(sb);
- if (status < 0) {
- mlog_errno(status);
- goto read_super_error;
- }
brelse(bh);
bh = NULL;
+ if (status < 0)
+ goto out;
+
+ osb = OCFS2_SB(sb);
if (!ocfs2_check_set_options(sb, &parsed_options)) {
status = -EINVAL;
- goto read_super_error;
+ goto out_super;
}
osb->s_mount_opt = parsed_options.mount_opt;
osb->s_atime_quantum = parsed_options.atime_quantum;
@@ -1022,7 +1021,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
status = ocfs2_verify_userspace_stack(osb, &parsed_options);
if (status)
- goto read_super_error;
+ goto out_super;
sb->s_magic = OCFS2_SUPER_MAGIC;
@@ -1036,7 +1035,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
status = -EACCES;
mlog(ML_ERROR, "Readonly device detected but readonly "
"mount was not specified.\n");
- goto read_super_error;
+ goto out_super;
}
/* You should not be able to start a local heartbeat
@@ -1045,7 +1044,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
status = -EROFS;
mlog(ML_ERROR, "Local heartbeat specified on readonly "
"device.\n");
- goto read_super_error;
+ goto out_super;
}
status = ocfs2_check_journals_nolocks(osb);
@@ -1054,9 +1053,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
mlog(ML_ERROR, "Recovery required on readonly "
"file system, but write access is "
"unavailable.\n");
- else
- mlog_errno(status);
- goto read_super_error;
+ goto out_super;
}
ocfs2_set_ro_flag(osb, 1);
@@ -1072,10 +1069,8 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
}
status = ocfs2_verify_heartbeat(osb);
- if (status < 0) {
- mlog_errno(status);
- goto read_super_error;
- }
+ if (status < 0)
+ goto out_super;
osb->osb_debug_root = debugfs_create_dir(osb->uuid_str,
ocfs2_debugfs_root);
@@ -1089,15 +1084,14 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
status = ocfs2_mount_volume(sb);
if (status < 0)
- goto read_super_error;
+ goto out_debugfs;
if (osb->root_inode)
inode = igrab(osb->root_inode);
if (!inode) {
status = -EIO;
- mlog_errno(status);
- goto read_super_error;
+ goto out_dismount;
}
osb->osb_dev_kset = kset_create_and_add(sb->s_id, NULL,
@@ -1105,7 +1099,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
if (!osb->osb_dev_kset) {
status = -ENOMEM;
mlog(ML_ERROR, "Unable to create device kset %s.\n", sb->s_id);
- goto read_super_error;
+ goto out_dismount;
}
/* Create filecheck sysfs related directories/files at
@@ -1114,14 +1108,13 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
status = -ENOMEM;
mlog(ML_ERROR, "Unable to create filecheck sysfs directory at "
"/sys/fs/ocfs2/%s/filecheck.\n", sb->s_id);
- goto read_super_error;
+ goto out_dismount;
}
root = d_make_root(inode);
if (!root) {
status = -ENOMEM;
- mlog_errno(status);
- goto read_super_error;
+ goto out_dismount;
}
sb->s_root = root;
@@ -1168,17 +1161,21 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
return status;
-read_super_error:
- brelse(bh);
-
- if (status)
- mlog_errno(status);
+out_dismount:
+ atomic_set(&osb->vol_state, VOLUME_DISABLED);
+ wake_up(&osb->osb_mount_event);
+ ocfs2_dismount_volume(sb, 1);
+ goto out;
- if (osb) {
- atomic_set(&osb->vol_state, VOLUME_DISABLED);
- wake_up(&osb->osb_mount_event);
- ocfs2_dismount_volume(sb, 1);
- }
+out_debugfs:
+ debugfs_remove_recursive(osb->osb_debug_root);
+out_super:
+ ocfs2_release_system_inodes(osb);
+ kfree(osb->recovery_map);
+ ocfs2_delete_osb(osb);
+ kfree(osb);
+out:
+ mlog_errno(status);
return status;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 077/783] ocfs2: fix memory leak in ocfs2_mount_volume()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 076/783] ocfs2: rewrite error handling of ocfs2_fill_super Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 078/783] rapidio: fix possible name leaks when rio_add_device() fails Greg Kroah-Hartman
` (715 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Zetao, Joseph Qi, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Gang He, Jun Piao,
Andrew Morton, Sasha Levin
From: Li Zetao <ocfs2-devel@oss.oracle.com>
[ Upstream commit ce2fcf1516d674a174d9b34d1e1024d64de9fba3 ]
There is a memory leak reported by kmemleak:
unreferenced object 0xffff88810cc65e60 (size 32):
comm "mount.ocfs2", pid 23753, jiffies 4302528942 (age 34735.105s)
hex dump (first 32 bytes):
10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01 ................
01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff8170f73d>] __kmalloc+0x4d/0x150
[<ffffffffa0ac3f51>] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2]
[<ffffffffa0b65165>] ocfs2_check_volume+0x485/0x900 [ocfs2]
[<ffffffffa0b68129>] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2]
[<ffffffffa0b7160b>] ocfs2_fill_super+0xe0b/0x1740 [ocfs2]
[<ffffffff818e1fe2>] mount_bdev+0x312/0x400
[<ffffffff819a086d>] legacy_get_tree+0xed/0x1d0
[<ffffffff818de82d>] vfs_get_tree+0x7d/0x230
[<ffffffff81957f92>] path_mount+0xd62/0x1760
[<ffffffff81958a5a>] do_mount+0xca/0xe0
[<ffffffff81958d3c>] __x64_sys_mount+0x12c/0x1a0
[<ffffffff82f26f15>] do_syscall_64+0x35/0x80
[<ffffffff8300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
This call stack is related to two problems. Firstly, the ocfs2 super uses
"replay_map" to trace online/offline slots, in order to recover offline
slots during recovery and mount. But when ocfs2_truncate_log_init()
returns an error in ocfs2_mount_volume(), the memory of "replay_map" will
not be freed in error handling path. Secondly, the memory of "replay_map"
will not be freed if d_make_root() returns an error in ocfs2_fill_super().
But the memory of "replay_map" will be freed normally when completing
recovery and mount in ocfs2_complete_mount_recovery().
Fix the first problem by adding error handling path to free "replay_map"
when ocfs2_truncate_log_init() fails. And fix the second problem by
calling ocfs2_free_replay_slots(osb) in the error handling path
"out_dismount". In addition, since ocfs2_free_replay_slots() is static,
it is necessary to remove its static attribute and declare it in header
file.
Link: https://lkml.kernel.org/r/20221109074627.2303950-1-lizetao1@huawei.com
Fixes: 9140db04ef18 ("ocfs2: recover orphans in offline slots during recovery and mount")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ocfs2/journal.c | 2 +-
fs/ocfs2/journal.h | 1 +
fs/ocfs2/super.c | 5 ++++-
3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/ocfs2/journal.c b/fs/ocfs2/journal.c
index db52e843002a..0534800a472a 100644
--- a/fs/ocfs2/journal.c
+++ b/fs/ocfs2/journal.c
@@ -159,7 +159,7 @@ static void ocfs2_queue_replay_slots(struct ocfs2_super *osb,
replay_map->rm_state = REPLAY_DONE;
}
-static void ocfs2_free_replay_slots(struct ocfs2_super *osb)
+void ocfs2_free_replay_slots(struct ocfs2_super *osb)
{
struct ocfs2_replay_map *replay_map = osb->replay_map;
diff --git a/fs/ocfs2/journal.h b/fs/ocfs2/journal.h
index bfe611ed1b1d..eb7a21bac71e 100644
--- a/fs/ocfs2/journal.h
+++ b/fs/ocfs2/journal.h
@@ -152,6 +152,7 @@ int ocfs2_recovery_init(struct ocfs2_super *osb);
void ocfs2_recovery_exit(struct ocfs2_super *osb);
int ocfs2_compute_replay_slots(struct ocfs2_super *osb);
+void ocfs2_free_replay_slots(struct ocfs2_super *osb);
/*
* Journal Control:
* Initialize, Load, Shutdown, Wipe a journal.
diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index 72c44f7d7bd4..3e0b2e3e00ad 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -1164,6 +1164,7 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
out_dismount:
atomic_set(&osb->vol_state, VOLUME_DISABLED);
wake_up(&osb->osb_mount_event);
+ ocfs2_free_replay_slots(osb);
ocfs2_dismount_volume(sb, 1);
goto out;
@@ -1829,12 +1830,14 @@ static int ocfs2_mount_volume(struct super_block *sb)
status = ocfs2_truncate_log_init(osb);
if (status < 0) {
mlog_errno(status);
- goto out_system_inodes;
+ goto out_check_volume;
}
ocfs2_super_unlock(osb, 1);
return 0;
+out_check_volume:
+ ocfs2_free_replay_slots(osb);
out_system_inodes:
if (osb->local_alloc_state == OCFS2_LA_ENABLED)
ocfs2_shutdown_local_alloc(osb);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 078/783] rapidio: fix possible name leaks when rio_add_device() fails
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 077/783] ocfs2: fix memory leak in ocfs2_mount_volume() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 079/783] rapidio: rio: fix possible name leak in rio_register_mport() Greg Kroah-Hartman
` (714 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Alexandre Bounine,
Matt Porter, Andrew Morton, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit f9574cd48679926e2a569e1957a5a1bcc8a719ac ]
Patch series "rapidio: fix three possible memory leaks".
This patchset fixes three name leaks in error handling.
- patch #1 fixes two name leaks while rio_add_device() fails.
- patch #2 fixes a name leak while rio_register_mport() fails.
This patch (of 2):
If rio_add_device() returns error, the name allocated by dev_set_name()
need be freed. It should use put_device() to give up the reference in the
error path, so that the name can be freed in kobject_cleanup(), and the
'rdev' can be freed in rio_release_dev().
Link: https://lkml.kernel.org/r/20221114152636.2939035-1-yangyingliang@huawei.com
Link: https://lkml.kernel.org/r/20221114152636.2939035-2-yangyingliang@huawei.com
Fixes: e8de370188d0 ("rapidio: add mport char device driver")
Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rapidio/devices/rio_mport_cdev.c | 7 +++++--
drivers/rapidio/rio-scan.c | 8 ++++++--
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index 94331d999d27..48cd9b7f3b89 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -1803,8 +1803,11 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv,
rio_init_dbell_res(&rdev->riores[RIO_DOORBELL_RESOURCE],
0, 0xffff);
err = rio_add_device(rdev);
- if (err)
- goto cleanup;
+ if (err) {
+ put_device(&rdev->dev);
+ return err;
+ }
+
rio_dev_get(rdev);
return 0;
diff --git a/drivers/rapidio/rio-scan.c b/drivers/rapidio/rio-scan.c
index 19b0c33f4a62..fdcf742b2adb 100644
--- a/drivers/rapidio/rio-scan.c
+++ b/drivers/rapidio/rio-scan.c
@@ -454,8 +454,12 @@ static struct rio_dev *rio_setup_device(struct rio_net *net,
0, 0xffff);
ret = rio_add_device(rdev);
- if (ret)
- goto cleanup;
+ if (ret) {
+ if (rswitch)
+ kfree(rswitch->route_table);
+ put_device(&rdev->dev);
+ return NULL;
+ }
rio_dev_get(rdev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 079/783] rapidio: rio: fix possible name leak in rio_register_mport()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 078/783] rapidio: fix possible name leaks when rio_add_device() fails Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 080/783] clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled Greg Kroah-Hartman
` (713 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Alexandre Bounine,
Matt Porter, Andrew Morton, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit e92a216d16bde65d21a3227e0fb2aa0794576525 ]
If device_register() returns error, the name allocated by dev_set_name()
need be freed. It should use put_device() to give up the reference in the
error path, so that the name can be freed in kobject_cleanup(), and
list_del() is called to delete the port from rio_mports.
Link: https://lkml.kernel.org/r/20221114152636.2939035-3-yangyingliang@huawei.com
Fixes: 2aaf308b95b2 ("rapidio: rework device hierarchy and introduce mport class of devices")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rapidio/rio.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c
index 606986c5ba2c..fcab174e5888 100644
--- a/drivers/rapidio/rio.c
+++ b/drivers/rapidio/rio.c
@@ -2267,11 +2267,16 @@ int rio_register_mport(struct rio_mport *port)
atomic_set(&port->state, RIO_DEVICE_RUNNING);
res = device_register(&port->dev);
- if (res)
+ if (res) {
dev_err(&port->dev, "RIO: mport%d registration failed ERR=%d\n",
port->id, res);
- else
+ mutex_lock(&rio_mport_list_lock);
+ list_del(&port->node);
+ mutex_unlock(&rio_mport_list_lock);
+ put_device(&port->dev);
+ } else {
dev_dbg(&port->dev, "RIO: registered mport%d\n", port->id);
+ }
return res;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 080/783] clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 079/783] rapidio: rio: fix possible name leak in rio_register_mport() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 081/783] clocksource/drivers/sh_cmt: Access registers according to spec Greg Kroah-Hartman
` (712 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
Niklas Söderlund, Daniel Lezcano, Sasha Levin
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 2a97d55333e4299f32c98cca6dc5c4db1c5855fc ]
The Renesas Compare Match Timer 0 and 1 (CMT0/1) variants have a
register to control the clock supply to the individual channels.
Currently the driver does not touch this register, and relies on the
documented initial value, which has the clock supply enabled for all
channels present.
However, when Linux starts on the APE6-EVM development board, only the
clock supply to the first CMT1 channel is enabled. Hence the first
channel (used as a clockevent) works, while the second channel (used as
a clocksource) does not. Note that the default system clocksource is
the Cortex-A15 architectured timer, and the user needs to manually
switch to the CMT1 clocksource to trigger the broken behavior.
Fix this by removing the fragile dependency on implicit reset and/or
boot loader state, and by enabling the clock supply explicitly for all
channels used instead. This requires postponing the clk_disable() call,
else the timer's registers cannot be accessed in sh_cmt_setup_channel().
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20201210194648.2901899-1-geert+renesas@glider.be
Stable-dep-of: 3f44f7156f59 ("clocksource/drivers/sh_cmt: Access registers according to spec")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/sh_cmt.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/clocksource/sh_cmt.c b/drivers/clocksource/sh_cmt.c
index 2acfcc966bb5..65a1e2416402 100644
--- a/drivers/clocksource/sh_cmt.c
+++ b/drivers/clocksource/sh_cmt.c
@@ -235,6 +235,8 @@ static const struct sh_cmt_info sh_cmt_info[] = {
#define CMCNT 1 /* channel register */
#define CMCOR 2 /* channel register */
+#define CMCLKE 0x1000 /* CLK Enable Register (R-Car Gen2) */
+
static inline u32 sh_cmt_read_cmstr(struct sh_cmt_channel *ch)
{
if (ch->iostart)
@@ -849,6 +851,7 @@ static int sh_cmt_setup_channel(struct sh_cmt_channel *ch, unsigned int index,
unsigned int hwidx, bool clockevent,
bool clocksource, struct sh_cmt_device *cmt)
{
+ u32 value;
int ret;
/* Skip unused channels. */
@@ -878,6 +881,11 @@ static int sh_cmt_setup_channel(struct sh_cmt_channel *ch, unsigned int index,
ch->iostart = cmt->mapbase + ch->hwidx * 0x100;
ch->ioctrl = ch->iostart + 0x10;
ch->timer_bit = 0;
+
+ /* Enable the clock supply to the channel */
+ value = ioread32(cmt->mapbase + CMCLKE);
+ value |= BIT(hwidx);
+ iowrite32(value, cmt->mapbase + CMCLKE);
break;
}
@@ -1010,12 +1018,10 @@ static int sh_cmt_setup(struct sh_cmt_device *cmt, struct platform_device *pdev)
else
cmt->rate = clk_get_rate(cmt->clk) / 8;
- clk_disable(cmt->clk);
-
/* Map the memory resource(s). */
ret = sh_cmt_map_memory(cmt);
if (ret < 0)
- goto err_clk_unprepare;
+ goto err_clk_disable;
/* Allocate and setup the channels. */
cmt->num_channels = hweight8(cmt->hw_channels);
@@ -1043,6 +1049,8 @@ static int sh_cmt_setup(struct sh_cmt_device *cmt, struct platform_device *pdev)
mask &= ~(1 << hwidx);
}
+ clk_disable(cmt->clk);
+
platform_set_drvdata(pdev, cmt);
return 0;
@@ -1050,6 +1058,8 @@ static int sh_cmt_setup(struct sh_cmt_device *cmt, struct platform_device *pdev)
err_unmap:
kfree(cmt->channels);
iounmap(cmt->mapbase);
+err_clk_disable:
+ clk_disable(cmt->clk);
err_clk_unprepare:
clk_unprepare(cmt->clk);
err_clk_put:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 081/783] clocksource/drivers/sh_cmt: Access registers according to spec
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 080/783] clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 082/783] futex: Move to kernel/futex/ Greg Kroah-Hartman
` (711 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Thomas Gleixner, Sasha Levin
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 3f44f7156f59cae06e9160eafb5d8b2dfd09e639 ]
Documentation for most CMTs say that it takes two input clocks before
changes propagate to the timer. This is especially relevant when the timer
is stopped to change further settings.
Implement the delays according to the spec. To avoid unnecessary delays in
atomic mode, also check if the to-be-written value actually differs.
CMCNT is a bit special because testing showed that it requires 3 cycles to
propagate, which affects all CMTs. Also, the WRFLAG needs to be checked
before writing. This fixes "cannot clear CMCNT" messages which occur often
on R-Car Gen4 SoCs, but only very rarely on older SoCs for some reason.
Fixes: 81b3b2711072 ("clocksource: sh_cmt: Add support for multiple channels per device")
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/20221130210609.7718-1-wsa+renesas@sang-engineering.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/sh_cmt.c | 88 ++++++++++++++++++++++--------------
1 file changed, 55 insertions(+), 33 deletions(-)
diff --git a/drivers/clocksource/sh_cmt.c b/drivers/clocksource/sh_cmt.c
index 65a1e2416402..66e4872ab34f 100644
--- a/drivers/clocksource/sh_cmt.c
+++ b/drivers/clocksource/sh_cmt.c
@@ -13,6 +13,7 @@
#include <linux/init.h>
#include <linux/interrupt.h>
#include <linux/io.h>
+#include <linux/iopoll.h>
#include <linux/ioport.h>
#include <linux/irq.h>
#include <linux/module.h>
@@ -116,6 +117,7 @@ struct sh_cmt_device {
void __iomem *mapbase;
struct clk *clk;
unsigned long rate;
+ unsigned int reg_delay;
raw_spinlock_t lock; /* Protect the shared start/stop register */
@@ -247,10 +249,17 @@ static inline u32 sh_cmt_read_cmstr(struct sh_cmt_channel *ch)
static inline void sh_cmt_write_cmstr(struct sh_cmt_channel *ch, u32 value)
{
- if (ch->iostart)
- ch->cmt->info->write_control(ch->iostart, 0, value);
- else
- ch->cmt->info->write_control(ch->cmt->mapbase, 0, value);
+ u32 old_value = sh_cmt_read_cmstr(ch);
+
+ if (value != old_value) {
+ if (ch->iostart) {
+ ch->cmt->info->write_control(ch->iostart, 0, value);
+ udelay(ch->cmt->reg_delay);
+ } else {
+ ch->cmt->info->write_control(ch->cmt->mapbase, 0, value);
+ udelay(ch->cmt->reg_delay);
+ }
+ }
}
static inline u32 sh_cmt_read_cmcsr(struct sh_cmt_channel *ch)
@@ -260,7 +269,12 @@ static inline u32 sh_cmt_read_cmcsr(struct sh_cmt_channel *ch)
static inline void sh_cmt_write_cmcsr(struct sh_cmt_channel *ch, u32 value)
{
- ch->cmt->info->write_control(ch->ioctrl, CMCSR, value);
+ u32 old_value = sh_cmt_read_cmcsr(ch);
+
+ if (value != old_value) {
+ ch->cmt->info->write_control(ch->ioctrl, CMCSR, value);
+ udelay(ch->cmt->reg_delay);
+ }
}
static inline u32 sh_cmt_read_cmcnt(struct sh_cmt_channel *ch)
@@ -268,14 +282,33 @@ static inline u32 sh_cmt_read_cmcnt(struct sh_cmt_channel *ch)
return ch->cmt->info->read_count(ch->ioctrl, CMCNT);
}
-static inline void sh_cmt_write_cmcnt(struct sh_cmt_channel *ch, u32 value)
+static inline int sh_cmt_write_cmcnt(struct sh_cmt_channel *ch, u32 value)
{
+ /* Tests showed that we need to wait 3 clocks here */
+ unsigned int cmcnt_delay = DIV_ROUND_UP(3 * ch->cmt->reg_delay, 2);
+ u32 reg;
+
+ if (ch->cmt->info->model > SH_CMT_16BIT) {
+ int ret = read_poll_timeout_atomic(sh_cmt_read_cmcsr, reg,
+ !(reg & SH_CMT32_CMCSR_WRFLG),
+ 1, cmcnt_delay, false, ch);
+ if (ret < 0)
+ return ret;
+ }
+
ch->cmt->info->write_count(ch->ioctrl, CMCNT, value);
+ udelay(cmcnt_delay);
+ return 0;
}
static inline void sh_cmt_write_cmcor(struct sh_cmt_channel *ch, u32 value)
{
- ch->cmt->info->write_count(ch->ioctrl, CMCOR, value);
+ u32 old_value = ch->cmt->info->read_count(ch->ioctrl, CMCOR);
+
+ if (value != old_value) {
+ ch->cmt->info->write_count(ch->ioctrl, CMCOR, value);
+ udelay(ch->cmt->reg_delay);
+ }
}
static u32 sh_cmt_get_counter(struct sh_cmt_channel *ch, u32 *has_wrapped)
@@ -319,7 +352,7 @@ static void sh_cmt_start_stop_ch(struct sh_cmt_channel *ch, int start)
static int sh_cmt_enable(struct sh_cmt_channel *ch)
{
- int k, ret;
+ int ret;
pm_runtime_get_sync(&ch->cmt->pdev->dev);
dev_pm_syscore_device(&ch->cmt->pdev->dev, true);
@@ -347,26 +380,9 @@ static int sh_cmt_enable(struct sh_cmt_channel *ch)
}
sh_cmt_write_cmcor(ch, 0xffffffff);
- sh_cmt_write_cmcnt(ch, 0);
-
- /*
- * According to the sh73a0 user's manual, as CMCNT can be operated
- * only by the RCLK (Pseudo 32 kHz), there's one restriction on
- * modifying CMCNT register; two RCLK cycles are necessary before
- * this register is either read or any modification of the value
- * it holds is reflected in the LSI's actual operation.
- *
- * While at it, we're supposed to clear out the CMCNT as of this
- * moment, so make sure it's processed properly here. This will
- * take RCLKx2 at maximum.
- */
- for (k = 0; k < 100; k++) {
- if (!sh_cmt_read_cmcnt(ch))
- break;
- udelay(1);
- }
+ ret = sh_cmt_write_cmcnt(ch, 0);
- if (sh_cmt_read_cmcnt(ch)) {
+ if (ret || sh_cmt_read_cmcnt(ch)) {
dev_err(&ch->cmt->pdev->dev, "ch%u: cannot clear CMCNT\n",
ch->index);
ret = -ETIMEDOUT;
@@ -976,8 +992,8 @@ MODULE_DEVICE_TABLE(of, sh_cmt_of_table);
static int sh_cmt_setup(struct sh_cmt_device *cmt, struct platform_device *pdev)
{
- unsigned int mask;
- unsigned int i;
+ unsigned int mask, i;
+ unsigned long rate;
int ret;
cmt->pdev = pdev;
@@ -1013,10 +1029,16 @@ static int sh_cmt_setup(struct sh_cmt_device *cmt, struct platform_device *pdev)
if (ret < 0)
goto err_clk_unprepare;
- if (cmt->info->width == 16)
- cmt->rate = clk_get_rate(cmt->clk) / 512;
- else
- cmt->rate = clk_get_rate(cmt->clk) / 8;
+ rate = clk_get_rate(cmt->clk);
+ if (!rate) {
+ ret = -EINVAL;
+ goto err_clk_disable;
+ }
+
+ /* We shall wait 2 input clks after register writes */
+ if (cmt->info->model >= SH_CMT_48BIT)
+ cmt->reg_delay = DIV_ROUND_UP(2UL * USEC_PER_SEC, rate);
+ cmt->rate = rate / (cmt->info->width == 16 ? 512 : 8);
/* Map the memory resource(s). */
ret = sh_cmt_map_memory(cmt);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 082/783] futex: Move to kernel/futex/
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 081/783] clocksource/drivers/sh_cmt: Access registers according to spec Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 083/783] futex: Resend potentially swallowed owner death notification Greg Kroah-Hartman
` (710 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel),
Thomas Gleixner, André Almeida, Sasha Levin
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 77e52ae35463521041906c510fe580d15663bb93 ]
In preparation for splitup..
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Suggested-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: André Almeida <andrealmeid@collabora.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: André Almeida <andrealmeid@collabora.com>
Link: https://lore.kernel.org/r/20210923171111.300673-2-andrealmeid@collabora.com
Stable-dep-of: 90d758896787 ("futex: Resend potentially swallowed owner death notification")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
MAINTAINERS | 2 +-
kernel/Makefile | 2 +-
kernel/futex/Makefile | 3 +++
kernel/{futex.c => futex/core.c} | 2 +-
4 files changed, 6 insertions(+), 3 deletions(-)
create mode 100644 kernel/futex/Makefile
rename kernel/{futex.c => futex/core.c} (99%)
diff --git a/MAINTAINERS b/MAINTAINERS
index 4d10e79030a9..f6c6b403a1b7 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -7280,7 +7280,7 @@ F: Documentation/locking/*futex*
F: include/asm-generic/futex.h
F: include/linux/futex.h
F: include/uapi/linux/futex.h
-F: kernel/futex.c
+F: kernel/futex/*
F: tools/perf/bench/futex*
F: tools/testing/selftests/futex/
diff --git a/kernel/Makefile b/kernel/Makefile
index e7905bdf6e97..82e9c843617f 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -53,7 +53,7 @@ obj-$(CONFIG_FREEZER) += freezer.o
obj-$(CONFIG_PROFILING) += profile.o
obj-$(CONFIG_STACKTRACE) += stacktrace.o
obj-y += time/
-obj-$(CONFIG_FUTEX) += futex.o
+obj-$(CONFIG_FUTEX) += futex/
obj-$(CONFIG_GENERIC_ISA_DMA) += dma.o
obj-$(CONFIG_SMP) += smp.o
ifneq ($(CONFIG_SMP),y)
diff --git a/kernel/futex/Makefile b/kernel/futex/Makefile
new file mode 100644
index 000000000000..b89ba3fba343
--- /dev/null
+++ b/kernel/futex/Makefile
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: GPL-2.0
+
+obj-y += core.o
diff --git a/kernel/futex.c b/kernel/futex/core.c
similarity index 99%
rename from kernel/futex.c
rename to kernel/futex/core.c
index 98a6e1b80bfe..26ca79c47480 100644
--- a/kernel/futex.c
+++ b/kernel/futex/core.c
@@ -42,7 +42,7 @@
#include <asm/futex.h>
-#include "locking/rtmutex_common.h"
+#include "../locking/rtmutex_common.h"
/*
* READ this before attempting to hack on futexes!
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 083/783] futex: Resend potentially swallowed owner death notification
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 082/783] futex: Move to kernel/futex/ Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 084/783] cpu/hotplug: Make target_store() a nop when target == state Greg Kroah-Hartman
` (709 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Izbyshev, Thomas Gleixner,
Peter Zijlstra (Intel),
Sasha Levin
From: Alexey Izbyshev <izbyshev@ispras.ru>
[ Upstream commit 90d758896787048fa3d4209309d4800f3920e66f ]
Commit ca16d5bee598 ("futex: Prevent robust futex exit race") addressed
two cases when tasks waiting on a robust non-PI futex remained blocked
despite the futex not being owned anymore:
* if the owner died after writing zero to the futex word, but before
waking up a waiter
* if a task waiting on the futex was woken up, but died before updating
the futex word (effectively swallowing the notification without acting
on it)
In the second case, the task could be woken up either by the previous
owner (after the futex word was reset to zero) or by the kernel (after
the OWNER_DIED bit was set and the TID part of the futex word was reset
to zero) if the previous owner died without the resetting the futex.
Because the referenced commit wakes up a potential waiter only if the
whole futex word is zero, the latter subcase remains unaddressed.
Fix this by looking only at the TID part of the futex when deciding
whether a wake up is needed.
Fixes: ca16d5bee598 ("futex: Prevent robust futex exit race")
Signed-off-by: Alexey Izbyshev <izbyshev@ispras.ru>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20221111215439.248185-1-izbyshev@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/futex/core.c | 28 ++++++++++++++++++----------
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/kernel/futex/core.c b/kernel/futex/core.c
index 26ca79c47480..8dd0bc50ac36 100644
--- a/kernel/futex/core.c
+++ b/kernel/futex/core.c
@@ -3405,6 +3405,7 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
bool pi, bool pending_op)
{
u32 uval, nval, mval;
+ pid_t owner;
int err;
/* Futex address must be 32bit aligned */
@@ -3426,6 +3427,10 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
* 2. A woken up waiter is killed before it can acquire the
* futex in user space.
*
+ * In the second case, the wake up notification could be generated
+ * by the unlock path in user space after setting the futex value
+ * to zero or by the kernel after setting the OWNER_DIED bit below.
+ *
* In both cases the TID validation below prevents a wakeup of
* potential waiters which can cause these waiters to block
* forever.
@@ -3434,24 +3439,27 @@ static int handle_futex_death(u32 __user *uaddr, struct task_struct *curr,
*
* 1) task->robust_list->list_op_pending != NULL
* @pending_op == true
- * 2) User space futex value == 0
+ * 2) The owner part of user space futex value == 0
* 3) Regular futex: @pi == false
*
* If these conditions are met, it is safe to attempt waking up a
* potential waiter without touching the user space futex value and
- * trying to set the OWNER_DIED bit. The user space futex value is
- * uncontended and the rest of the user space mutex state is
- * consistent, so a woken waiter will just take over the
- * uncontended futex. Setting the OWNER_DIED bit would create
- * inconsistent state and malfunction of the user space owner died
- * handling.
- */
- if (pending_op && !pi && !uval) {
+ * trying to set the OWNER_DIED bit. If the futex value is zero,
+ * the rest of the user space mutex state is consistent, so a woken
+ * waiter will just take over the uncontended futex. Setting the
+ * OWNER_DIED bit would create inconsistent state and malfunction
+ * of the user space owner died handling. Otherwise, the OWNER_DIED
+ * bit is already set, and the woken waiter is expected to deal with
+ * this.
+ */
+ owner = uval & FUTEX_TID_MASK;
+
+ if (pending_op && !pi && !owner) {
futex_wake(uaddr, 1, 1, FUTEX_BITSET_MATCH_ANY);
return 0;
}
- if ((uval & FUTEX_TID_MASK) != task_pid_vnr(curr))
+ if (owner != task_pid_vnr(curr))
return 0;
/*
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 084/783] cpu/hotplug: Make target_store() a nop when target == state
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 083/783] futex: Resend potentially swallowed owner death notification Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 085/783] clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock() Greg Kroah-Hartman
` (708 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Auld, Thomas Gleixner,
Valentin Schneider, Sasha Levin
From: Phil Auld <pauld@redhat.com>
[ Upstream commit 64ea6e44f85b9b75925ebe1ba0e6e8430cc4e06f ]
Writing the current state back in hotplug/target calls cpu_down()
which will set cpu dying even when it isn't and then nothing will
ever clear it. A stress test that reads values and writes them back
for all cpu device files in sysfs will trigger the BUG() in
select_fallback_rq once all cpus are marked as dying.
kernel/cpu.c::target_store()
...
if (st->state < target)
ret = cpu_up(dev->id, target);
else
ret = cpu_down(dev->id, target);
cpu_down() -> cpu_set_state()
bool bringup = st->state < target;
...
if (cpu_dying(cpu) != !bringup)
set_cpu_dying(cpu, !bringup);
Fix this by letting state==target fall through in the target_store()
conditional. Also make sure st->target == target in that case.
Fixes: 757c989b9994 ("cpu/hotplug: Make target state writeable")
Signed-off-by: Phil Auld <pauld@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Valentin Schneider <vschneid@redhat.com>
Link: https://lore.kernel.org/r/20221117162329.3164999-2-pauld@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cpu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/cpu.c b/kernel/cpu.c
index 3c9ee966c56a..008b50da2224 100644
--- a/kernel/cpu.c
+++ b/kernel/cpu.c
@@ -2231,8 +2231,10 @@ static ssize_t write_cpuhp_target(struct device *dev,
if (st->state < target)
ret = cpu_up(dev->id, target);
- else
+ else if (st->state > target)
ret = cpu_down(dev->id, target);
+ else if (WARN_ON(st->target != target))
+ st->target = target;
out:
unlock_device_hotplug();
return ret ? ret : count;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 085/783] clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 084/783] cpu/hotplug: Make target_store() a nop when target == state Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 086/783] ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() Greg Kroah-Hartman
` (707 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Tony Lindgren,
Daniel Lezcano, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 180d35a7c05d520314a590c99ad8643d0213f28b ]
If clk_get_rate() fails which is called after clk_prepare_enable(),
clk_disable_unprepare() need be called in error path to disable the
clock in dmtimer_systimer_init_clock().
Fixes: 52762fbd1c47 ("clocksource/drivers/timer-ti-dm: Add clockevent and clocksource support")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Tony Lindgren <tony@atomide.com>
Link: https://lore.kernel.org/r/20221029114427.946520-1-yangyingliang@huawei.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/timer-ti-dm-systimer.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/clocksource/timer-ti-dm-systimer.c b/drivers/clocksource/timer-ti-dm-systimer.c
index 2737407ff069..632523c1232f 100644
--- a/drivers/clocksource/timer-ti-dm-systimer.c
+++ b/drivers/clocksource/timer-ti-dm-systimer.c
@@ -345,8 +345,10 @@ static int __init dmtimer_systimer_init_clock(struct dmtimer_systimer *t,
return error;
r = clk_get_rate(clock);
- if (!r)
+ if (!r) {
+ clk_disable_unprepare(clock);
return -ENODEV;
+ }
if (is_ick)
t->ick = clock;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 086/783] ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 085/783] clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 087/783] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix Greg Kroah-Hartman
` (706 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Zetao, Rafael J. Wysocki, Sasha Levin
From: Li Zetao <lizetao1@huawei.com>
[ Upstream commit 470188b09e92d83c5a997f25f0e8fb8cd2bc3469 ]
There is an use-after-free reported by KASAN:
BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
Read of size 1 at addr ffff888112afc460 by task modprobe/2111
CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
Call Trace:
<TASK>
kasan_report+0xae/0xe0
acpi_ut_remove_reference+0x3b/0x82
acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5
acpi_ds_store_object_to_local+0x15d/0x3a0
acpi_ex_store+0x78d/0x7fd
acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b
acpi_ps_parse_aml+0x217/0x8d5
...
</TASK>
The root cause of the problem is that the acpi_operand_object
is freed when acpi_ut_walk_package_tree() fails in
acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in
acpi_ut_copy_iobject_to_iobject(). The problem was introduced
by "8aa5e56eeb61" commit, this commit is to fix memory leak in
acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove
operation, lead to "acpi_operand_object" used after free.
Fix it by removing acpi_ut_remove_reference() in
acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage()
is called to copy an internal package object into another internal
package object, when it fails, the memory of acpi_operand_object
should be freed by the caller.
Fixes: 8aa5e56eeb61 ("ACPICA: Utilities: Fix memory leak in acpi_ut_copy_iobject_to_iobject")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/utcopy.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c
index 41bdd0278dd8..9a7cc679e544 100644
--- a/drivers/acpi/acpica/utcopy.c
+++ b/drivers/acpi/acpica/utcopy.c
@@ -916,13 +916,6 @@ acpi_ut_copy_ipackage_to_ipackage(union acpi_operand_object *source_obj,
status = acpi_ut_walk_package_tree(source_obj, dest_obj,
acpi_ut_copy_ielement_to_ielement,
walk_state);
- if (ACPI_FAILURE(status)) {
-
- /* On failure, delete the destination package object */
-
- acpi_ut_remove_reference(dest_obj);
- }
-
return_ACPI_STATUS(status);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 087/783] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 086/783] ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 088/783] x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() Greg Kroah-Hartman
` (705 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Seiji Nishikawa, Denys Vlasenko,
Oleg Nesterov, Thomas Gleixner, Masami Hiramatsu (Google),
Sasha Levin
From: Oleg Nesterov <oleg@redhat.com>
[ Upstream commit cefa72129e45313655d53a065b8055aaeb01a0c9 ]
Intel ICC -hotpatch inserts 2-byte "0x66 0x90" NOP at the start of each
function to reserve extra space for hot-patching, and currently it is not
possible to probe these functions because branch_setup_xol_ops() wrongly
rejects NOP with REP prefix as it treats them like word-sized branch
instructions.
Fixes: 250bbd12c2fe ("uprobes/x86: Refuse to attach uprobe to "word-sized" branch insns")
Reported-by: Seiji Nishikawa <snishika@redhat.com>
Suggested-by: Denys Vlasenko <dvlasenk@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Link: https://lore.kernel.org/r/20221204173933.GA31544@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/uprobes.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
index 138bdb1fd136..9f948b2d26f6 100644
--- a/arch/x86/kernel/uprobes.c
+++ b/arch/x86/kernel/uprobes.c
@@ -722,8 +722,9 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
switch (opc1) {
case 0xeb: /* jmp 8 */
case 0xe9: /* jmp 32 */
- case 0x90: /* prefix* + nop; same as jmp with .offs = 0 */
break;
+ case 0x90: /* prefix* + nop; same as jmp with .offs = 0 */
+ goto setup;
case 0xe8: /* call relative */
branch_clear_offset(auprobe, insn);
@@ -753,6 +754,7 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn)
return -ENOTSUPP;
}
+setup:
auprobe->branch.opc1 = opc1;
auprobe->branch.ilen = insn->length;
auprobe->branch.offs = insn->immediate.value;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 088/783] x86/xen: Fix memory leak in xen_smp_intr_init{_pv}()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 087/783] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 089/783] x86/xen: Fix memory leak in xen_init_lock_cpu() Greg Kroah-Hartman
` (704 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Juergen Gross, Sasha Levin
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit 69143f60868b3939ddc89289b29db593b647295e ]
These local variables @{resched|pmu|callfunc...}_name saves the new
string allocated by kasprintf(), and when bind_{v}ipi_to_irqhandler()
fails, it goes to the @fail tag, and calls xen_smp_intr_free{_pv}() to
free resource, however the new string is not saved, which cause a memory
leak issue. fix it.
Fixes: 9702785a747a ("i386: move xen")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Link: https://lore.kernel.org/r/20221123155858.11382-2-xiujianfeng@huawei.com
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/xen/smp.c | 24 ++++++++++++------------
arch/x86/xen/smp_pv.c | 12 ++++++------
2 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
index c1b2f764b29a..cdec892b28e2 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
@@ -32,30 +32,30 @@ static irqreturn_t xen_reschedule_interrupt(int irq, void *dev_id)
void xen_smp_intr_free(unsigned int cpu)
{
+ kfree(per_cpu(xen_resched_irq, cpu).name);
+ per_cpu(xen_resched_irq, cpu).name = NULL;
if (per_cpu(xen_resched_irq, cpu).irq >= 0) {
unbind_from_irqhandler(per_cpu(xen_resched_irq, cpu).irq, NULL);
per_cpu(xen_resched_irq, cpu).irq = -1;
- kfree(per_cpu(xen_resched_irq, cpu).name);
- per_cpu(xen_resched_irq, cpu).name = NULL;
}
+ kfree(per_cpu(xen_callfunc_irq, cpu).name);
+ per_cpu(xen_callfunc_irq, cpu).name = NULL;
if (per_cpu(xen_callfunc_irq, cpu).irq >= 0) {
unbind_from_irqhandler(per_cpu(xen_callfunc_irq, cpu).irq, NULL);
per_cpu(xen_callfunc_irq, cpu).irq = -1;
- kfree(per_cpu(xen_callfunc_irq, cpu).name);
- per_cpu(xen_callfunc_irq, cpu).name = NULL;
}
+ kfree(per_cpu(xen_debug_irq, cpu).name);
+ per_cpu(xen_debug_irq, cpu).name = NULL;
if (per_cpu(xen_debug_irq, cpu).irq >= 0) {
unbind_from_irqhandler(per_cpu(xen_debug_irq, cpu).irq, NULL);
per_cpu(xen_debug_irq, cpu).irq = -1;
- kfree(per_cpu(xen_debug_irq, cpu).name);
- per_cpu(xen_debug_irq, cpu).name = NULL;
}
+ kfree(per_cpu(xen_callfuncsingle_irq, cpu).name);
+ per_cpu(xen_callfuncsingle_irq, cpu).name = NULL;
if (per_cpu(xen_callfuncsingle_irq, cpu).irq >= 0) {
unbind_from_irqhandler(per_cpu(xen_callfuncsingle_irq, cpu).irq,
NULL);
per_cpu(xen_callfuncsingle_irq, cpu).irq = -1;
- kfree(per_cpu(xen_callfuncsingle_irq, cpu).name);
- per_cpu(xen_callfuncsingle_irq, cpu).name = NULL;
}
}
@@ -65,6 +65,7 @@ int xen_smp_intr_init(unsigned int cpu)
char *resched_name, *callfunc_name, *debug_name;
resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu);
+ per_cpu(xen_resched_irq, cpu).name = resched_name;
rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR,
cpu,
xen_reschedule_interrupt,
@@ -74,9 +75,9 @@ int xen_smp_intr_init(unsigned int cpu)
if (rc < 0)
goto fail;
per_cpu(xen_resched_irq, cpu).irq = rc;
- per_cpu(xen_resched_irq, cpu).name = resched_name;
callfunc_name = kasprintf(GFP_KERNEL, "callfunc%d", cpu);
+ per_cpu(xen_callfunc_irq, cpu).name = callfunc_name;
rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_VECTOR,
cpu,
xen_call_function_interrupt,
@@ -86,10 +87,10 @@ int xen_smp_intr_init(unsigned int cpu)
if (rc < 0)
goto fail;
per_cpu(xen_callfunc_irq, cpu).irq = rc;
- per_cpu(xen_callfunc_irq, cpu).name = callfunc_name;
if (!xen_fifo_events) {
debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu);
+ per_cpu(xen_debug_irq, cpu).name = debug_name;
rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu,
xen_debug_interrupt,
IRQF_PERCPU | IRQF_NOBALANCING,
@@ -97,10 +98,10 @@ int xen_smp_intr_init(unsigned int cpu)
if (rc < 0)
goto fail;
per_cpu(xen_debug_irq, cpu).irq = rc;
- per_cpu(xen_debug_irq, cpu).name = debug_name;
}
callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu);
+ per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name;
rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR,
cpu,
xen_call_function_single_interrupt,
@@ -110,7 +111,6 @@ int xen_smp_intr_init(unsigned int cpu)
if (rc < 0)
goto fail;
per_cpu(xen_callfuncsingle_irq, cpu).irq = rc;
- per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name;
return 0;
diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c
index 35b6d15d874d..64873937cd1d 100644
--- a/arch/x86/xen/smp_pv.c
+++ b/arch/x86/xen/smp_pv.c
@@ -98,18 +98,18 @@ asmlinkage __visible void cpu_bringup_and_idle(void)
void xen_smp_intr_free_pv(unsigned int cpu)
{
+ kfree(per_cpu(xen_irq_work, cpu).name);
+ per_cpu(xen_irq_work, cpu).name = NULL;
if (per_cpu(xen_irq_work, cpu).irq >= 0) {
unbind_from_irqhandler(per_cpu(xen_irq_work, cpu).irq, NULL);
per_cpu(xen_irq_work, cpu).irq = -1;
- kfree(per_cpu(xen_irq_work, cpu).name);
- per_cpu(xen_irq_work, cpu).name = NULL;
}
+ kfree(per_cpu(xen_pmu_irq, cpu).name);
+ per_cpu(xen_pmu_irq, cpu).name = NULL;
if (per_cpu(xen_pmu_irq, cpu).irq >= 0) {
unbind_from_irqhandler(per_cpu(xen_pmu_irq, cpu).irq, NULL);
per_cpu(xen_pmu_irq, cpu).irq = -1;
- kfree(per_cpu(xen_pmu_irq, cpu).name);
- per_cpu(xen_pmu_irq, cpu).name = NULL;
}
}
@@ -119,6 +119,7 @@ int xen_smp_intr_init_pv(unsigned int cpu)
char *callfunc_name, *pmu_name;
callfunc_name = kasprintf(GFP_KERNEL, "irqwork%d", cpu);
+ per_cpu(xen_irq_work, cpu).name = callfunc_name;
rc = bind_ipi_to_irqhandler(XEN_IRQ_WORK_VECTOR,
cpu,
xen_irq_work_interrupt,
@@ -128,10 +129,10 @@ int xen_smp_intr_init_pv(unsigned int cpu)
if (rc < 0)
goto fail;
per_cpu(xen_irq_work, cpu).irq = rc;
- per_cpu(xen_irq_work, cpu).name = callfunc_name;
if (is_xen_pmu) {
pmu_name = kasprintf(GFP_KERNEL, "pmu%d", cpu);
+ per_cpu(xen_pmu_irq, cpu).name = pmu_name;
rc = bind_virq_to_irqhandler(VIRQ_XENPMU, cpu,
xen_pmu_irq_handler,
IRQF_PERCPU|IRQF_NOBALANCING,
@@ -139,7 +140,6 @@ int xen_smp_intr_init_pv(unsigned int cpu)
if (rc < 0)
goto fail;
per_cpu(xen_pmu_irq, cpu).irq = rc;
- per_cpu(xen_pmu_irq, cpu).name = pmu_name;
}
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 089/783] x86/xen: Fix memory leak in xen_init_lock_cpu()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 088/783] x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 090/783] xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() Greg Kroah-Hartman
` (703 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Juergen Gross, Sasha Levin
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit ca84ce153d887b1dc8b118029976cc9faf2a9b40 ]
In xen_init_lock_cpu(), the @name has allocated new string by kasprintf(),
if bind_ipi_to_irqhandler() fails, it should be freed, otherwise may lead
to a memory leak issue, fix it.
Fixes: 2d9e1e2f58b5 ("xen: implement Xen-specific spinlocks")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Link: https://lore.kernel.org/r/20221123155858.11382-3-xiujianfeng@huawei.com
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/xen/spinlock.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c
index 043c73dfd2c9..5c6fc16e4b92 100644
--- a/arch/x86/xen/spinlock.c
+++ b/arch/x86/xen/spinlock.c
@@ -75,6 +75,7 @@ void xen_init_lock_cpu(int cpu)
cpu, per_cpu(lock_kicker_irq, cpu));
name = kasprintf(GFP_KERNEL, "spinlock%d", cpu);
+ per_cpu(irq_name, cpu) = name;
irq = bind_ipi_to_irqhandler(XEN_SPIN_UNLOCK_VECTOR,
cpu,
dummy_handler,
@@ -85,7 +86,6 @@ void xen_init_lock_cpu(int cpu)
if (irq >= 0) {
disable_irq(irq); /* make sure it's never delivered */
per_cpu(lock_kicker_irq, cpu) = irq;
- per_cpu(irq_name, cpu) = name;
}
printk("cpu %d spinlock event irq %d\n", cpu, irq);
@@ -98,6 +98,8 @@ void xen_uninit_lock_cpu(int cpu)
if (!xen_pvspin)
return;
+ kfree(per_cpu(irq_name, cpu));
+ per_cpu(irq_name, cpu) = NULL;
/*
* When booting the kernel with 'mitigations=auto,nosmt', the secondary
* CPUs are not activated, and lock_kicker_irq is not initialized.
@@ -108,8 +110,6 @@ void xen_uninit_lock_cpu(int cpu)
unbind_from_irqhandler(irq, NULL);
per_cpu(lock_kicker_irq, cpu) = -1;
- kfree(per_cpu(irq_name, cpu));
- per_cpu(irq_name, cpu) = NULL;
}
PV_CALLEE_SAVE_REGS_THUNK(xen_vcpu_stolen);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 090/783] xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 089/783] x86/xen: Fix memory leak in xen_init_lock_cpu() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 091/783] PM: runtime: Improve path in rpm_idle() when no callback Greg Kroah-Hartman
` (702 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harshit Mogalapalli, Juergen Gross,
Sasha Levin
From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
[ Upstream commit 8b997b2bb2c53b76a6db6c195930e9ab8e4b0c79 ]
As 'kdata.num' is user-controlled data, if user tries to allocate
memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it
creates a stack trace and messes up dmesg with a warning.
Call trace:
-> privcmd_ioctl
--> privcmd_ioctl_mmap_resource
Add __GFP_NOWARN in order to avoid too large allocation warning.
This is detected by static analysis using smatch.
Fixes: 3ad0876554ca ("xen/privcmd: add IOCTL_PRIVCMD_MMAP_RESOURCE")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Link: https://lore.kernel.org/r/20221126050745.778967-1-harshit.m.mogalapalli@oracle.com
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/xen/privcmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/xen/privcmd.c b/drivers/xen/privcmd.c
index cd5f2f09468e..28537a1a0e0b 100644
--- a/drivers/xen/privcmd.c
+++ b/drivers/xen/privcmd.c
@@ -760,7 +760,7 @@ static long privcmd_ioctl_mmap_resource(struct file *file,
goto out;
}
- pfns = kcalloc(kdata.num, sizeof(*pfns), GFP_KERNEL);
+ pfns = kcalloc(kdata.num, sizeof(*pfns), GFP_KERNEL | __GFP_NOWARN);
if (!pfns) {
rc = -ENOMEM;
goto out;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 091/783] PM: runtime: Improve path in rpm_idle() when no callback
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 090/783] xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 092/783] PM: runtime: Do not call __rpm_callback() from rpm_idle() Greg Kroah-Hartman
` (701 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ulf Hansson, Alan Stern,
Rafael J. Wysocki, Sasha Levin
From: Ulf Hansson <ulf.hansson@linaro.org>
[ Upstream commit 5a2bd1b1c64e1ac5627db3767ac465f18606315c ]
When pm_runtime_no_callbacks() has been called for a struct device to set
the dev->power.no_callbacks flag for it, it enables rpm_idle() to take a
slightly quicker path by assuming that a ->runtime_idle() callback would
have returned 0 to indicate success.
A device that does not have the dev->power.no_callbacks flag set for it,
may still be missing a corresponding ->runtime_idle() callback, in which
case the slower path in rpm_idle() is taken. Let's improve the behaviour
for this case, by aligning code to the quicker path.
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Stable-dep-of: bc80c2e438dc ("PM: runtime: Do not call __rpm_callback() from rpm_idle()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/runtime.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
index 835a39e84c1d..532d910fe1cf 100644
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -464,7 +464,10 @@ static int rpm_idle(struct device *dev, int rpmflags)
/* Pending requests need to be canceled. */
dev->power.request = RPM_REQ_NONE;
- if (dev->power.no_callbacks)
+ callback = RPM_GET_CALLBACK(dev, runtime_idle);
+
+ /* If no callback assume success. */
+ if (!callback || dev->power.no_callbacks)
goto out;
/* Carry out an asynchronous or a synchronous idle notification. */
@@ -480,10 +483,7 @@ static int rpm_idle(struct device *dev, int rpmflags)
dev->power.idle_notification = true;
- callback = RPM_GET_CALLBACK(dev, runtime_idle);
-
- if (callback)
- retval = __rpm_callback(callback, dev);
+ retval = __rpm_callback(callback, dev);
dev->power.idle_notification = false;
wake_up_all(&dev->power.wait_queue);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 092/783] PM: runtime: Do not call __rpm_callback() from rpm_idle()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 091/783] PM: runtime: Improve path in rpm_idle() when no callback Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 093/783] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() Greg Kroah-Hartman
` (700 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Adrian Hunter,
Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit bc80c2e438dcbfcf748452ec0f7ad5b79ff3ad88 ]
Calling __rpm_callback() from rpm_idle() after adding device links
support to the former is a clear mistake.
Not only it causes rpm_idle() to carry out unnecessary actions, but it
is also against the assumption regarding the stability of PM-runtime
status across __rpm_callback() invocations, because rpm_suspend() and
rpm_resume() may run in parallel with __rpm_callback() when it is called
by rpm_idle() and the device's PM-runtime status can be updated by any
of them.
Fixes: 21d5c57b3726 ("PM / runtime: Use device links")
Link: https://lore.kernel.org/linux-pm/36aed941-a73e-d937-2721-4f0decd61ce0@quicinc.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/power/runtime.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/base/power/runtime.c b/drivers/base/power/runtime.c
index 532d910fe1cf..360094692d29 100644
--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -483,7 +483,17 @@ static int rpm_idle(struct device *dev, int rpmflags)
dev->power.idle_notification = true;
- retval = __rpm_callback(callback, dev);
+ if (dev->power.irq_safe)
+ spin_unlock(&dev->power.lock);
+ else
+ spin_unlock_irq(&dev->power.lock);
+
+ retval = callback(dev);
+
+ if (dev->power.irq_safe)
+ spin_lock(&dev->power.lock);
+ else
+ spin_lock_irq(&dev->power.lock);
dev->power.idle_notification = false;
wake_up_all(&dev->power.wait_queue);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 093/783] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 092/783] PM: runtime: Do not call __rpm_callback() from rpm_idle() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 094/783] platform/x86: intel_scu_ipc: fix possible name leak in __intel_scu_ipc_register() Greg Kroah-Hartman
` (699 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yu Liao, Hans de Goede, Sasha Levin
From: Yu Liao <liaoyu15@huawei.com>
[ Upstream commit 727cc0147f5066e359aca65cc6cc5e6d64cc15d8 ]
The ACPI buffer memory (out.pointer) returned by wmi_evaluate_method()
is not freed after the call, so it leads to memory leak.
The method results in ACPI buffer is not used, so just pass NULL to
wmi_evaluate_method() which fixes the memory leak.
Fixes: 99b38b4acc0d ("platform/x86: add MXM WMI driver.")
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
Link: https://lore.kernel.org/r/20221129011101.2042315-1-liaoyu15@huawei.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/mxm-wmi.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/platform/x86/mxm-wmi.c b/drivers/platform/x86/mxm-wmi.c
index 9a19fbd2f734..9a457956025a 100644
--- a/drivers/platform/x86/mxm-wmi.c
+++ b/drivers/platform/x86/mxm-wmi.c
@@ -35,13 +35,11 @@ int mxm_wmi_call_mxds(int adapter)
.xarg = 1,
};
struct acpi_buffer input = { (acpi_size)sizeof(args), &args };
- struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
acpi_status status;
printk("calling mux switch %d\n", adapter);
- status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input,
- &output);
+ status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, NULL);
if (ACPI_FAILURE(status))
return status;
@@ -60,13 +58,11 @@ int mxm_wmi_call_mxmx(int adapter)
.xarg = 1,
};
struct acpi_buffer input = { (acpi_size)sizeof(args), &args };
- struct acpi_buffer output = { ACPI_ALLOCATE_BUFFER, NULL };
acpi_status status;
printk("calling mux switch %d\n", adapter);
- status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input,
- &output);
+ status = wmi_evaluate_method(MXM_WMMX_GUID, 0x0, adapter, &input, NULL);
if (ACPI_FAILURE(status))
return status;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 094/783] platform/x86: intel_scu_ipc: fix possible name leak in __intel_scu_ipc_register()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 093/783] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 095/783] MIPS: BCM63xx: Add check for NULL for clk in clk_enable Greg Kroah-Hartman
` (698 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Hans de Goede, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 0b3d0cb7c0bed2fd6454f77ed75e7a662c6efd12 ]
In some error paths before device_register(), the names allocated
by dev_set_name() are not freed. Move dev_set_name() front to
device_register(), so the name can be freed while calling
put_device().
Fixes: 54b34aa0a729 ("platform/x86: intel_scu_ipc: Split out SCU IPC functionality from the SCU driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221208151916.2404977-1-yangyingliang@huawei.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/intel_scu_ipc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/platform/x86/intel_scu_ipc.c b/drivers/platform/x86/intel_scu_ipc.c
index 69d706039cb2..bdeb888c0fea 100644
--- a/drivers/platform/x86/intel_scu_ipc.c
+++ b/drivers/platform/x86/intel_scu_ipc.c
@@ -583,7 +583,6 @@ __intel_scu_ipc_register(struct device *parent,
scu->dev.parent = parent;
scu->dev.class = &intel_scu_ipc_class;
scu->dev.release = intel_scu_ipc_release;
- dev_set_name(&scu->dev, "intel_scu_ipc");
if (!request_mem_region(scu_data->mem.start, resource_size(&scu_data->mem),
"intel_scu_ipc")) {
@@ -612,6 +611,7 @@ __intel_scu_ipc_register(struct device *parent,
* After this point intel_scu_ipc_release() takes care of
* releasing the SCU IPC resources once refcount drops to zero.
*/
+ dev_set_name(&scu->dev, "intel_scu_ipc");
err = device_register(&scu->dev);
if (err) {
put_device(&scu->dev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 095/783] MIPS: BCM63xx: Add check for NULL for clk in clk_enable
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 094/783] platform/x86: intel_scu_ipc: fix possible name leak in __intel_scu_ipc_register() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 096/783] MIPS: OCTEON: warn only once if deprecated link status is being used Greg Kroah-Hartman
` (697 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anastasia Belova,
Philippe Mathieu-Daudé,
Florian Fainelli, Thomas Bogendoerfer, Sasha Levin
From: Anastasia Belova <abelova@astralinux.ru>
[ Upstream commit ee9ef11bd2a59c2fefaa0959e5efcdf040d7c654 ]
Check clk for NULL before calling clk_enable_unlocked where clk
is dereferenced. There is such check in other implementations
of clk_enable.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs.")
Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/bcm63xx/clk.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c
index dcfa0ea912fe..f183c45503ce 100644
--- a/arch/mips/bcm63xx/clk.c
+++ b/arch/mips/bcm63xx/clk.c
@@ -361,6 +361,8 @@ static struct clk clk_periph = {
*/
int clk_enable(struct clk *clk)
{
+ if (!clk)
+ return 0;
mutex_lock(&clocks_mutex);
clk_enable_unlocked(clk);
mutex_unlock(&clocks_mutex);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 096/783] MIPS: OCTEON: warn only once if deprecated link status is being used
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 095/783] MIPS: BCM63xx: Add check for NULL for clk in clk_enable Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 097/783] fs: sysv: Fix sysv_nblocks() returns wrong value Greg Kroah-Hartman
` (696 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ladislav Michl,
Philippe Mathieu-Daudé,
Thomas Bogendoerfer, Sasha Levin
From: Ladislav Michl <ladis@linux-mips.org>
[ Upstream commit 4c587a982603d7e7e751b4925809a1512099a690 ]
Avoid flooding kernel log with warnings.
Fixes: 2c0756d306c2 ("MIPS: OCTEON: warn if deprecated link status is being used")
Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/cavium-octeon/executive/cvmx-helper-board.c | 2 +-
arch/mips/cavium-octeon/executive/cvmx-helper.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper-board.c b/arch/mips/cavium-octeon/executive/cvmx-helper-board.c
index abd11b7af22f..9b791ccf874f 100644
--- a/arch/mips/cavium-octeon/executive/cvmx-helper-board.c
+++ b/arch/mips/cavium-octeon/executive/cvmx-helper-board.c
@@ -211,7 +211,7 @@ union cvmx_helper_link_info __cvmx_helper_board_link_get(int ipd_port)
{
union cvmx_helper_link_info result;
- WARN(!octeon_is_simulation(),
+ WARN_ONCE(!octeon_is_simulation(),
"Using deprecated link status - please update your DT");
/* Unless we fix it later, all links are defaulted to down */
diff --git a/arch/mips/cavium-octeon/executive/cvmx-helper.c b/arch/mips/cavium-octeon/executive/cvmx-helper.c
index 6044ff471002..a18ad2daf005 100644
--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c
+++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c
@@ -1100,7 +1100,7 @@ union cvmx_helper_link_info cvmx_helper_link_get(int ipd_port)
if (index == 0)
result = __cvmx_helper_rgmii_link_get(ipd_port);
else {
- WARN(1, "Using deprecated link status - please update your DT");
+ WARN_ONCE(1, "Using deprecated link status - please update your DT");
result.s.full_duplex = 1;
result.s.link_up = 1;
result.s.speed = 1000;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 097/783] fs: sysv: Fix sysv_nblocks() returns wrong value
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 096/783] MIPS: OCTEON: warn only once if deprecated link status is being used Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 098/783] rapidio: fix possible UAF when kfifo_alloc() fails Greg Kroah-Hartman
` (695 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Al Viro, Sasha Levin
From: Chen Zhongjin <chenzhongjin@huawei.com>
[ Upstream commit e0c49bd2b4d3cd1751491eb2d940bce968ac65e9 ]
sysv_nblocks() returns 'blocks' rather than 'res', which only counting
the number of triple-indirect blocks and causing sysv_getattr() gets a
wrong result.
[AV: this is actually a sysv counterpart of minixfs fix -
0fcd426de9d0 "[PATCH] minix block usage counting fix" in
historical tree; mea culpa, should've thought to check
fs/sysv back then...]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/sysv/itree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c
index bcb67b0cabe7..31f66053e239 100644
--- a/fs/sysv/itree.c
+++ b/fs/sysv/itree.c
@@ -438,7 +438,7 @@ static unsigned sysv_nblocks(struct super_block *s, loff_t size)
res += blocks;
direct = 1;
}
- return blocks;
+ return res;
}
int sysv_getattr(const struct path *path, struct kstat *stat,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 098/783] rapidio: fix possible UAF when kfifo_alloc() fails
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 097/783] fs: sysv: Fix sysv_nblocks() returns wrong value Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 099/783] eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD Greg Kroah-Hartman
` (694 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Weiyang, Alexandre Bounine,
Dan Carpenter, Jakob Koschel, John Hubbard, Matt Porter,
Yang Yingliang, Andrew Morton, Sasha Levin
From: Wang Weiyang <wangweiyang2@huawei.com>
[ Upstream commit 02d7d89f816951e0862147d751b1150d67aaebdd ]
If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free
priv. But priv is still in the chdev->file_list, then list traversal
may cause UAF. This fixes the following smatch warning:
drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list
Link: https://lkml.kernel.org/r/20221123095147.52408-1-wangweiyang2@huawei.com
Fixes: e8de370188d0 ("rapidio: add mport char device driver")
Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Dan Carpenter <error27@gmail.com>
Cc: Jakob Koschel <jakobkoschel@gmail.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rapidio/devices/rio_mport_cdev.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index 48cd9b7f3b89..b8c09eaa23b5 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -1903,10 +1903,6 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
priv->md = chdev;
- mutex_lock(&chdev->file_mutex);
- list_add_tail(&priv->list, &chdev->file_list);
- mutex_unlock(&chdev->file_mutex);
-
INIT_LIST_HEAD(&priv->db_filters);
INIT_LIST_HEAD(&priv->pw_filters);
spin_lock_init(&priv->fifo_lock);
@@ -1925,6 +1921,9 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
spin_lock_init(&priv->req_lock);
mutex_init(&priv->dma_lock);
#endif
+ mutex_lock(&chdev->file_mutex);
+ list_add_tail(&priv->list, &chdev->file_list);
+ mutex_unlock(&chdev->file_mutex);
filp->private_data = priv;
goto out;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 099/783] eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 098/783] rapidio: fix possible UAF when kfifo_alloc() fails Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 100/783] relay: fix type mismatch when allocating memory in relay_create_buf() Greg Kroah-Hartman
` (693 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Qilong, Dylan Yudaken,
Jens Axboe, Sha Zhengju, Andrew Morton, Sasha Levin
From: Zhang Qilong <zhangqilong3@huawei.com>
[ Upstream commit fd4e60bf0ef8eb9edcfa12dda39e8b6ee9060492 ]
Commit ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()")
forgot to change int to __u64 in the CONFIG_EVENTFD=n stub function.
Link: https://lkml.kernel.org/r/20221124140154.104680-1-zhangqilong3@huawei.com
Fixes: ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()")
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Cc: Dylan Yudaken <dylany@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Sha Zhengju <handai.szj@taobao.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/eventfd.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/linux/eventfd.h
+++ b/include/linux/eventfd.h
@@ -62,7 +62,7 @@ static inline struct eventfd_ctx *eventf
return ERR_PTR(-ENOSYS);
}
-static inline int eventfd_signal(struct eventfd_ctx *ctx, int n)
+static inline int eventfd_signal(struct eventfd_ctx *ctx, __u64 n)
{
return -ENOSYS;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 100/783] relay: fix type mismatch when allocating memory in relay_create_buf()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 099/783] eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 101/783] hfs: Fix OOB Write in hfs_asc2mac Greg Kroah-Hartman
` (692 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilia.Gavrilov, Colin Ian King,
Jens Axboe, wuchi, Andrew Morton, Sasha Levin
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
[ Upstream commit 4d8586e04602fe42f0a782d2005956f8b6302678 ]
The 'padding' field of the 'rchan_buf' structure is an array of 'size_t'
elements, but the memory is allocated for an array of 'size_t *' elements.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Link: https://lkml.kernel.org/r/20221129092002.3538384-1-Ilia.Gavrilov@infotecs.ru
Fixes: b86ff981a825 ("[PATCH] relay: migrate from relayfs to a generic relay API")
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
Cc: Colin Ian King <colin.i.king@gmail.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: wuchi <wuchi.zero@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/relay.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/relay.c b/kernel/relay.c
index b08d936d5fa7..067769b80d4a 100644
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -163,13 +163,13 @@ static struct rchan_buf *relay_create_buf(struct rchan *chan)
{
struct rchan_buf *buf;
- if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
+ if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t))
return NULL;
buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
if (!buf)
return NULL;
- buf->padding = kmalloc_array(chan->n_subbufs, sizeof(size_t *),
+ buf->padding = kmalloc_array(chan->n_subbufs, sizeof(size_t),
GFP_KERNEL);
if (!buf->padding)
goto free_buf;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 101/783] hfs: Fix OOB Write in hfs_asc2mac
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 100/783] relay: fix type mismatch when allocating memory in relay_create_buf() Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 102/783] rapidio: devices: fix missing put_device in mport_cdev_open Greg Kroah-Hartman
` (691 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhangPeng, Viacheslav Dubeyko,
syzbot+dc3b1cf9111ab5fe98e7, Andrew Morton, Sasha Levin
From: ZhangPeng <zhangpeng362@huawei.com>
[ Upstream commit c53ed55cb275344086e32a7080a6b19cb183650b ]
Syzbot reported a OOB Write bug:
loop0: detected capacity change from 0 to 64
==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0
fs/hfs/trans.c:133
Write of size 1 at addr ffff88801848314e by task syz-executor391/3632
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:284
print_report+0x107/0x1f0 mm/kasan/report.c:395
kasan_report+0xcd/0x100 mm/kasan/report.c:495
hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133
hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28
hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31
lookup_open fs/namei.c:3391 [inline]
open_last_lookups fs/namei.c:3481 [inline]
path_openat+0x10e6/0x2df0 fs/namei.c:3710
do_filp_open+0x264/0x4f0 fs/namei.c:3740
If in->len is much larger than HFS_NAMELEN(31) which is the maximum
length of an HFS filename, a OOB write could occur in hfs_asc2mac(). In
that case, when the dst reaches the boundary, the srclen is still
greater than 0, which causes a OOB write.
Fix this by adding a check on dstlen in while() before writing to dst
address.
Link: https://lkml.kernel.org/r/20221202030038.1391945-1-zhangpeng362@huawei.com
Fixes: 328b92278650 ("[PATCH] hfs: NLS support")
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Reported-by: <syzbot+dc3b1cf9111ab5fe98e7@syzkaller.appspotmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfs/trans.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c
index 39f5e343bf4d..fdb0edb8a607 100644
--- a/fs/hfs/trans.c
+++ b/fs/hfs/trans.c
@@ -109,7 +109,7 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr
if (nls_io) {
wchar_t ch;
- while (srclen > 0) {
+ while (srclen > 0 && dstlen > 0) {
size = nls_io->char2uni(src, srclen, &ch);
if (size < 0) {
ch = '?';
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 102/783] rapidio: devices: fix missing put_device in mport_cdev_open
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 101/783] hfs: Fix OOB Write in hfs_asc2mac Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 103/783] wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() Greg Kroah-Hartman
` (690 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cai Xinchen, Alexandre Bounine,
Dan Carpenter, Jakob Koschel, John Hubbard, Matt Porter,
Wang Weiyang, Yang Yingliang, Andrew Morton, Sasha Levin
From: Cai Xinchen <caixinchen1@huawei.com>
[ Upstream commit d5b6e6eba3af11cb2a2791fa36a2524990fcde1a ]
When kfifo_alloc fails, the refcount of chdev->dev is left incremental.
We should use put_device(&chdev->dev) to decrease the ref count of
chdev->dev to avoid refcount leak.
Link: https://lkml.kernel.org/r/20221203085721.13146-1-caixinchen1@huawei.com
Fixes: e8de370188d0 ("rapidio: add mport char device driver")
Signed-off-by: Cai Xinchen <caixinchen1@huawei.com>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Dan Carpenter <error27@gmail.com>
Cc: Jakob Koschel <jakobkoschel@gmail.com>
Cc: John Hubbard <jhubbard@nvidia.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Wang Weiyang <wangweiyang2@huawei.com>
Cc: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rapidio/devices/rio_mport_cdev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index b8c09eaa23b5..5ac2dc1e2abd 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -1911,6 +1911,7 @@ static int mport_cdev_open(struct inode *inode, struct file *filp)
sizeof(struct rio_event) * MPORT_EVENT_DEPTH,
GFP_KERNEL);
if (ret < 0) {
+ put_device(&chdev->dev);
dev_err(&chdev->dev, DRV_NAME ": kfifo_alloc failed\n");
ret = -ENOMEM;
goto err_fifo;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 103/783] wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 102/783] rapidio: devices: fix missing put_device in mport_cdev_open Greg Kroah-Hartman
@ 2023-01-12 13:46 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 104/783] wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() Greg Kroah-Hartman
` (689 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:46 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Alexey Khoroshilov,
Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit c2a94de38c74e86f49124ac14f093d6a5c377a90 ]
Syzkaller reports a long-known leak of urbs in
ath9k_hif_usb_dealloc_tx_urbs().
The cause of the leak is that usb_get_urb() is called but usb_free_urb()
(or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or
urb->ep fields have not been initialized and usb_kill_urb() returns
immediately.
The patch removes trying to kill urbs located in hif_dev->tx.tx_buf
because hif_dev->tx.tx_buf is not supposed to contain urbs which are in
pending state (the pending urbs are stored in hif_dev->tx.tx_pending).
The tx.tx_lock is acquired so there should not be any changes in the list.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 03fb92a432ea ("ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220725151359.283704-1-pchelkin@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index f06eec99de68..e66518d86882 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -781,14 +781,10 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
list_for_each_entry_safe(tx_buf, tx_buf_tmp,
&hif_dev->tx.tx_buf, list) {
- usb_get_urb(tx_buf->urb);
- spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
- usb_kill_urb(tx_buf->urb);
list_del(&tx_buf->list);
usb_free_urb(tx_buf->urb);
kfree(tx_buf->buf);
kfree(tx_buf);
- spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
}
spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 104/783] wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2023-01-12 13:46 ` [PATCH 5.10 103/783] wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 105/783] wifi: rtl8xxxu: Fix reading the vendor of combo chips Greg Kroah-Hartman
` (688 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fedor Pchelkin, Alexey Khoroshilov,
Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit dd95f2239fc846795fc926787c3ae0ca701c9840 ]
It is possible that skb is freed in ath9k_htc_rx_msg(), then
usb_submit_urb() fails and we try to free skb again. It causes
use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes
NULL but rx_buf is not freed and there can be a memory leak.
The patch removes unnecessary nskb and makes skb processing more clear: it
is supposed that ath9k_htc_rx_msg() either frees old skb or passes its
managing to another callback function.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: 3deff76095c4 ("ath9k_htc: Increase URB count for REG_IN pipe")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221008114917.21404-1-pchelkin@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 28 +++++++++++++-----------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index e66518d86882..e5d5b0761881 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -709,14 +709,13 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
struct rx_buf *rx_buf = (struct rx_buf *)urb->context;
struct hif_device_usb *hif_dev = rx_buf->hif_dev;
struct sk_buff *skb = rx_buf->skb;
- struct sk_buff *nskb;
int ret;
if (!skb)
return;
if (!hif_dev)
- goto free;
+ goto free_skb;
switch (urb->status) {
case 0:
@@ -725,7 +724,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
case -ECONNRESET:
case -ENODEV:
case -ESHUTDOWN:
- goto free;
+ goto free_skb;
default:
skb_reset_tail_pointer(skb);
skb_trim(skb, 0);
@@ -736,25 +735,27 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
if (likely(urb->actual_length != 0)) {
skb_put(skb, urb->actual_length);
- /* Process the command first */
+ /*
+ * Process the command first.
+ * skb is either freed here or passed to be
+ * managed to another callback function.
+ */
ath9k_htc_rx_msg(hif_dev->htc_handle, skb,
skb->len, USB_REG_IN_PIPE);
-
- nskb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC);
- if (!nskb) {
+ skb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC);
+ if (!skb) {
dev_err(&hif_dev->udev->dev,
"ath9k_htc: REG_IN memory allocation failure\n");
- urb->context = NULL;
- return;
+ goto free_rx_buf;
}
- rx_buf->skb = nskb;
+ rx_buf->skb = skb;
usb_fill_int_urb(urb, hif_dev->udev,
usb_rcvintpipe(hif_dev->udev,
USB_REG_IN_PIPE),
- nskb->data, MAX_REG_IN_BUF_SIZE,
+ skb->data, MAX_REG_IN_BUF_SIZE,
ath9k_hif_usb_reg_in_cb, rx_buf, 1);
}
@@ -763,12 +764,13 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
ret = usb_submit_urb(urb, GFP_ATOMIC);
if (ret) {
usb_unanchor_urb(urb);
- goto free;
+ goto free_skb;
}
return;
-free:
+free_skb:
kfree_skb(skb);
+free_rx_buf:
kfree(rx_buf);
urb->context = NULL;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 105/783] wifi: rtl8xxxu: Fix reading the vendor of combo chips
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 104/783] wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 106/783] drm/bridge: adv7533: remove dynamic lane switching from adv7533 bridge Greg Kroah-Hartman
` (687 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Kalle Valo, Sasha Levin
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
[ Upstream commit 6f103aeb5e985ac08f3a4a049a2c17294f40cff9 ]
The wifi + bluetooth combo chips (RTL8723AU and RTL8723BU) read the
chip vendor from the wrong register because the val32 variable gets
overwritten. Add one more variable to avoid this.
This had no real effect on RTL8723BU. It may have had an effect on
RTL8723AU.
Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/24af8024-2f07-552b-93d8-38823d8e3cb0@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index e34cd6fed7e8..43898f105bb7 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -1607,18 +1607,18 @@ static void rtl8xxxu_print_chipinfo(struct rtl8xxxu_priv *priv)
static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv)
{
struct device *dev = &priv->udev->dev;
- u32 val32, bonding;
+ u32 val32, bonding, sys_cfg;
u16 val16;
- val32 = rtl8xxxu_read32(priv, REG_SYS_CFG);
- priv->chip_cut = (val32 & SYS_CFG_CHIP_VERSION_MASK) >>
+ sys_cfg = rtl8xxxu_read32(priv, REG_SYS_CFG);
+ priv->chip_cut = (sys_cfg & SYS_CFG_CHIP_VERSION_MASK) >>
SYS_CFG_CHIP_VERSION_SHIFT;
- if (val32 & SYS_CFG_TRP_VAUX_EN) {
+ if (sys_cfg & SYS_CFG_TRP_VAUX_EN) {
dev_info(dev, "Unsupported test chip\n");
return -ENOTSUPP;
}
- if (val32 & SYS_CFG_BT_FUNC) {
+ if (sys_cfg & SYS_CFG_BT_FUNC) {
if (priv->chip_cut >= 3) {
sprintf(priv->chip_name, "8723BU");
priv->rtl_chip = RTL8723B;
@@ -1640,7 +1640,7 @@ static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv)
if (val32 & MULTI_GPS_FUNC_EN)
priv->has_gps = 1;
priv->is_multi_func = 1;
- } else if (val32 & SYS_CFG_TYPE_ID) {
+ } else if (sys_cfg & SYS_CFG_TYPE_ID) {
bonding = rtl8xxxu_read32(priv, REG_HPON_FSM);
bonding &= HPON_FSM_BONDING_MASK;
if (priv->fops->tx_desc_size ==
@@ -1688,7 +1688,7 @@ static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv)
case RTL8188E:
case RTL8192E:
case RTL8723B:
- switch (val32 & SYS_CFG_VENDOR_EXT_MASK) {
+ switch (sys_cfg & SYS_CFG_VENDOR_EXT_MASK) {
case SYS_CFG_VENDOR_ID_TSMC:
sprintf(priv->chip_vendor, "TSMC");
break;
@@ -1705,7 +1705,7 @@ static int rtl8xxxu_identify_chip(struct rtl8xxxu_priv *priv)
}
break;
default:
- if (val32 & SYS_CFG_VENDOR_ID) {
+ if (sys_cfg & SYS_CFG_VENDOR_ID) {
sprintf(priv->chip_vendor, "UMC");
priv->vendor_umc = 1;
} else {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 106/783] drm/bridge: adv7533: remove dynamic lane switching from adv7533 bridge
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 105/783] wifi: rtl8xxxu: Fix reading the vendor of combo chips Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 107/783] libbpf: Fix use-after-free in btf_dump_name_dups Greg Kroah-Hartman
` (686 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abhinav Kumar,
Robert Foss, Sasha Levin
From: Abhinav Kumar <quic_abhinavk@quicinc.com>
[ Upstream commit 9a0cdcd6649b76f0b7ceec0e55b0a718321e34d3 ]
adv7533 bridge tries to dynamically switch lanes based on the
mode by detaching and attaching the mipi dsi device.
This approach is incorrect because this method of dynamic switch of
detaching and attaching the mipi dsi device also results in removing
and adding the component which is not necessary.
This approach is also prone to deadlocks. So for example, on the
db410c whenever this path is executed with lockdep enabled,
this results in a deadlock due to below ordering of locks.
-> #1 (crtc_ww_class_acquire){+.+.}-{0:0}:
lock_acquire+0x6c/0x90
drm_modeset_acquire_init+0xf4/0x150
drmm_mode_config_init+0x220/0x770
msm_drm_bind+0x13c/0x654
try_to_bring_up_aggregate_device+0x164/0x1d0
__component_add+0xa8/0x174
component_add+0x18/0x2c
dsi_dev_attach+0x24/0x30
dsi_host_attach+0x98/0x14c
devm_mipi_dsi_attach+0x38/0xb0
adv7533_attach_dsi+0x8c/0x110
adv7511_probe+0x5a0/0x930
i2c_device_probe+0x30c/0x350
really_probe.part.0+0x9c/0x2b0
__driver_probe_device+0x98/0x144
driver_probe_device+0xac/0x14c
__device_attach_driver+0xbc/0x124
bus_for_each_drv+0x78/0xd0
__device_attach+0xa8/0x1c0
device_initial_probe+0x18/0x24
bus_probe_device+0xa0/0xac
deferred_probe_work_func+0x90/0xd0
process_one_work+0x28c/0x6b0
worker_thread+0x240/0x444
kthread+0x110/0x114
ret_from_fork+0x10/0x20
-> #0 (component_mutex){+.+.}-{3:3}:
__lock_acquire+0x1280/0x20ac
lock_acquire.part.0+0xe0/0x230
lock_acquire+0x6c/0x90
__mutex_lock+0x84/0x400
mutex_lock_nested+0x3c/0x70
component_del+0x34/0x170
dsi_dev_detach+0x24/0x30
dsi_host_detach+0x20/0x64
mipi_dsi_detach+0x2c/0x40
adv7533_mode_set+0x64/0x90
adv7511_bridge_mode_set+0x210/0x214
drm_bridge_chain_mode_set+0x5c/0x84
crtc_set_mode+0x18c/0x1dc
drm_atomic_helper_commit_modeset_disables+0x40/0x50
msm_atomic_commit_tail+0x1d0/0x6e0
commit_tail+0xa4/0x180
drm_atomic_helper_commit+0x178/0x3b0
drm_atomic_commit+0xa4/0xe0
drm_client_modeset_commit_atomic+0x228/0x284
drm_client_modeset_commit_locked+0x64/0x1d0
drm_client_modeset_commit+0x34/0x60
drm_fb_helper_lastclose+0x74/0xcc
drm_lastclose+0x3c/0x80
drm_release+0xfc/0x114
__fput+0x70/0x224
____fput+0x14/0x20
task_work_run+0x88/0x1a0
do_exit+0x350/0xa50
do_group_exit+0x38/0xa4
__wake_up_parent+0x0/0x34
invoke_syscall+0x48/0x114
el0_svc_common.constprop.0+0x60/0x11c
do_el0_svc+0x30/0xc0
el0_svc+0x58/0x100
el0t_64_sync_handler+0x1b0/0x1bc
el0t_64_sync+0x18c/0x190
Due to above reasons, remove the dynamic lane switching
code from adv7533 bridge chip and filter out the modes
which would need different number of lanes as compared
to the initialization time using the mode_valid callback.
This can be potentially re-introduced by using the pre_enable()
callback but this needs to be evaluated first whether such an
approach will work so this will be done with a separate change.
changes since RFC:
- Fix commit text and add TODO comment
changes in v2:
- Fix checkpatch formatting errors
Fixes: 62b2f026cd8e ("drm/bridge: adv7533: Change number of DSI lanes dynamically")
Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/16
Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Reviewed-by: Robert Foss <robert.foss@linaro.org>
Link: https://lore.kernel.org/r/1661797363-7564-1-git-send-email-quic_abhinavk@quicinc.com
Signed-off-by: Robert Foss <robert.foss@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/1665522649-3423-1-git-send-email-quic_abhinavk@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/bridge/adv7511/adv7511.h | 3 ++-
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 18 ++++++++++----
drivers/gpu/drm/bridge/adv7511/adv7533.c | 25 ++++++++++----------
3 files changed, 29 insertions(+), 17 deletions(-)
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511.h b/drivers/gpu/drm/bridge/adv7511/adv7511.h
index 711061bf3eb7..e95abeb64b93 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7511.h
+++ b/drivers/gpu/drm/bridge/adv7511/adv7511.h
@@ -394,7 +394,8 @@ static inline int adv7511_cec_init(struct device *dev, struct adv7511 *adv7511)
void adv7533_dsi_power_on(struct adv7511 *adv);
void adv7533_dsi_power_off(struct adv7511 *adv);
-void adv7533_mode_set(struct adv7511 *adv, const struct drm_display_mode *mode);
+enum drm_mode_status adv7533_mode_valid(struct adv7511 *adv,
+ const struct drm_display_mode *mode);
int adv7533_patch_registers(struct adv7511 *adv);
int adv7533_patch_cec_registers(struct adv7511 *adv);
int adv7533_attach_dsi(struct adv7511 *adv);
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
index 430c5e8f0388..6ba860a16e96 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
@@ -697,7 +697,7 @@ adv7511_detect(struct adv7511 *adv7511, struct drm_connector *connector)
}
static enum drm_mode_status adv7511_mode_valid(struct adv7511 *adv7511,
- struct drm_display_mode *mode)
+ const struct drm_display_mode *mode)
{
if (mode->clock > 165000)
return MODE_CLOCK_HIGH;
@@ -791,9 +791,6 @@ static void adv7511_mode_set(struct adv7511 *adv7511,
regmap_update_bits(adv7511->regmap, 0x17,
0x60, (vsync_polarity << 6) | (hsync_polarity << 5));
- if (adv7511->type == ADV7533 || adv7511->type == ADV7535)
- adv7533_mode_set(adv7511, adj_mode);
-
drm_mode_copy(&adv7511->curr_mode, adj_mode);
/*
@@ -913,6 +910,18 @@ static void adv7511_bridge_mode_set(struct drm_bridge *bridge,
adv7511_mode_set(adv, mode, adj_mode);
}
+static enum drm_mode_status adv7511_bridge_mode_valid(struct drm_bridge *bridge,
+ const struct drm_display_info *info,
+ const struct drm_display_mode *mode)
+{
+ struct adv7511 *adv = bridge_to_adv7511(bridge);
+
+ if (adv->type == ADV7533 || adv->type == ADV7535)
+ return adv7533_mode_valid(adv, mode);
+ else
+ return adv7511_mode_valid(adv, mode);
+}
+
static int adv7511_bridge_attach(struct drm_bridge *bridge,
enum drm_bridge_attach_flags flags)
{
@@ -963,6 +972,7 @@ static const struct drm_bridge_funcs adv7511_bridge_funcs = {
.enable = adv7511_bridge_enable,
.disable = adv7511_bridge_disable,
.mode_set = adv7511_bridge_mode_set,
+ .mode_valid = adv7511_bridge_mode_valid,
.attach = adv7511_bridge_attach,
.detect = adv7511_bridge_detect,
.get_edid = adv7511_bridge_get_edid,
diff --git a/drivers/gpu/drm/bridge/adv7511/adv7533.c b/drivers/gpu/drm/bridge/adv7511/adv7533.c
index aa19d5a40e31..f304a5ff8e59 100644
--- a/drivers/gpu/drm/bridge/adv7511/adv7533.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7533.c
@@ -100,26 +100,27 @@ void adv7533_dsi_power_off(struct adv7511 *adv)
regmap_write(adv->regmap_cec, 0x27, 0x0b);
}
-void adv7533_mode_set(struct adv7511 *adv, const struct drm_display_mode *mode)
+enum drm_mode_status adv7533_mode_valid(struct adv7511 *adv,
+ const struct drm_display_mode *mode)
{
+ int lanes;
struct mipi_dsi_device *dsi = adv->dsi;
- int lanes, ret;
-
- if (adv->num_dsi_lanes != 4)
- return;
if (mode->clock > 80000)
lanes = 4;
else
lanes = 3;
- if (lanes != dsi->lanes) {
- mipi_dsi_detach(dsi);
- dsi->lanes = lanes;
- ret = mipi_dsi_attach(dsi);
- if (ret)
- dev_err(&dsi->dev, "failed to change host lanes\n");
- }
+ /*
+ * TODO: add support for dynamic switching of lanes
+ * by using the bridge pre_enable() op . Till then filter
+ * out the modes which shall need different number of lanes
+ * than what was configured in the device tree.
+ */
+ if (lanes != dsi->lanes)
+ return MODE_BAD;
+
+ return MODE_OK;
}
int adv7533_patch_registers(struct adv7511 *adv)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 107/783] libbpf: Fix use-after-free in btf_dump_name_dups
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 106/783] drm/bridge: adv7533: remove dynamic lane switching from adv7533 bridge Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 108/783] libbpf: Fix null-pointer dereference in find_prog_by_sec_insn() Greg Kroah-Hartman
` (685 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xu Kuohai, Andrii Nakryiko,
Martin KaFai Lau, Sasha Levin
From: Xu Kuohai <xukuohai@huawei.com>
[ Upstream commit 93c660ca40b5d2f7c1b1626e955a8e9fa30e0749 ]
ASAN reports an use-after-free in btf_dump_name_dups:
ERROR: AddressSanitizer: heap-use-after-free on address 0xffff927006db at pc 0xaaaab5dfb618 bp 0xffffdd89b890 sp 0xffffdd89b928
READ of size 2 at 0xffff927006db thread T0
#0 0xaaaab5dfb614 in __interceptor_strcmp.part.0 (test_progs+0x21b614)
#1 0xaaaab635f144 in str_equal_fn tools/lib/bpf/btf_dump.c:127
#2 0xaaaab635e3e0 in hashmap_find_entry tools/lib/bpf/hashmap.c:143
#3 0xaaaab635e72c in hashmap__find tools/lib/bpf/hashmap.c:212
#4 0xaaaab6362258 in btf_dump_name_dups tools/lib/bpf/btf_dump.c:1525
#5 0xaaaab636240c in btf_dump_resolve_name tools/lib/bpf/btf_dump.c:1552
#6 0xaaaab6362598 in btf_dump_type_name tools/lib/bpf/btf_dump.c:1567
#7 0xaaaab6360b48 in btf_dump_emit_struct_def tools/lib/bpf/btf_dump.c:912
#8 0xaaaab6360630 in btf_dump_emit_type tools/lib/bpf/btf_dump.c:798
#9 0xaaaab635f720 in btf_dump__dump_type tools/lib/bpf/btf_dump.c:282
#10 0xaaaab608523c in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:236
#11 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
#12 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
#13 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
#14 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
#15 0xaaaab5d65990 (test_progs+0x185990)
0xffff927006db is located 11 bytes inside of 16-byte region [0xffff927006d0,0xffff927006e0)
freed by thread T0 here:
#0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4)
#1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191
#2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163
#3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106
#4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157
#5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519
#6 0xaaaab6353e10 in btf__add_field tools/lib/bpf/btf.c:2032
#7 0xaaaab6084fcc in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:232
#8 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
#9 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
#10 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
#11 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
#12 0xaaaab5d65990 (test_progs+0x185990)
previously allocated by thread T0 here:
#0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4)
#1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191
#2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163
#3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106
#4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157
#5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519
#6 0xaaaab6353ff0 in btf_add_enum_common tools/lib/bpf/btf.c:2070
#7 0xaaaab6354080 in btf__add_enum tools/lib/bpf/btf.c:2102
#8 0xaaaab6082f50 in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:162
#9 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
#10 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
#11 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
#12 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
#13 0xaaaab5d65990 (test_progs+0x185990)
The reason is that the key stored in hash table name_map is a string
address, and the string memory is allocated by realloc() function, when
the memory is resized by realloc() later, the old memory may be freed,
so the address stored in name_map references to a freed memory, causing
use-after-free.
Fix it by storing duplicated string address in name_map.
Fixes: 919d2b1dbb07 ("libbpf: Allow modification of BTF and add btf__add_str API")
Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://lore.kernel.org/bpf/20221011120108.782373-2-xukuohai@huaweicloud.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/btf_dump.c | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
index bd22853be4a6..0e2d63da24e9 100644
--- a/tools/lib/bpf/btf_dump.c
+++ b/tools/lib/bpf/btf_dump.c
@@ -188,6 +188,17 @@ static int btf_dump_resize(struct btf_dump *d)
return 0;
}
+static void btf_dump_free_names(struct hashmap *map)
+{
+ size_t bkt;
+ struct hashmap_entry *cur;
+
+ hashmap__for_each_entry(map, cur, bkt)
+ free((void *)cur->key);
+
+ hashmap__free(map);
+}
+
void btf_dump__free(struct btf_dump *d)
{
int i;
@@ -206,8 +217,8 @@ void btf_dump__free(struct btf_dump *d)
free(d->cached_names);
free(d->emit_queue);
free(d->decl_stack);
- hashmap__free(d->type_names);
- hashmap__free(d->ident_names);
+ btf_dump_free_names(d->type_names);
+ btf_dump_free_names(d->ident_names);
free(d);
}
@@ -1392,11 +1403,23 @@ static void btf_dump_emit_type_chain(struct btf_dump *d,
static size_t btf_dump_name_dups(struct btf_dump *d, struct hashmap *name_map,
const char *orig_name)
{
+ char *old_name, *new_name;
size_t dup_cnt = 0;
+ int err;
+
+ new_name = strdup(orig_name);
+ if (!new_name)
+ return 1;
hashmap__find(name_map, orig_name, (void **)&dup_cnt);
dup_cnt++;
- hashmap__set(name_map, orig_name, (void *)dup_cnt, NULL, NULL);
+
+ err = hashmap__set(name_map, new_name, (void *)dup_cnt,
+ (const void **)&old_name, NULL);
+ if (err)
+ free(new_name);
+
+ free(old_name);
return dup_cnt;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 108/783] libbpf: Fix null-pointer dereference in find_prog_by_sec_insn()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 107/783] libbpf: Fix use-after-free in btf_dump_name_dups Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 109/783] pata_ipx4xx_cf: Fix unsigned comparison with less than zero Greg Kroah-Hartman
` (684 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shung-Hsi Yu, Andrii Nakryiko, Sasha Levin
From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
[ Upstream commit d0d382f95a9270dcf803539d6781d6bd67e3f5b2 ]
When there are no program sections, obj->programs is left unallocated,
and find_prog_by_sec_insn()'s search lands on &obj->programs[0] == NULL,
and will cause null-pointer dereference in the following access to
prog->sec_idx.
Guard the search with obj->nr_programs similar to what's being done in
__bpf_program__iter() to prevent null-pointer access from happening.
Fixes: db2b8b06423c ("libbpf: Support CO-RE relocations for multi-prog sections")
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20221012022353.7350-4-shung-hsi.yu@suse.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/libbpf.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
index 66d7f8d494de..015ed8253f73 100644
--- a/tools/lib/bpf/libbpf.c
+++ b/tools/lib/bpf/libbpf.c
@@ -3479,6 +3479,9 @@ static struct bpf_program *find_prog_by_sec_insn(const struct bpf_object *obj,
int l = 0, r = obj->nr_programs - 1, m;
struct bpf_program *prog;
+ if (!obj->nr_programs)
+ return NULL;
+
while (l < r) {
m = l + (r - l + 1) / 2;
prog = &obj->programs[m];
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 109/783] pata_ipx4xx_cf: Fix unsigned comparison with less than zero
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 108/783] libbpf: Fix null-pointer dereference in find_prog_by_sec_insn() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 110/783] media: coda: jpeg: Add check for kmalloc Greg Kroah-Hartman
` (683 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Junlin Yang, Jens Axboe, Sasha Levin
From: Junlin Yang <yangjunlin@yulong.com>
[ Upstream commit c38ae56ee034623c59e39c0130ca0dec086c1a39 ]
The return from the call to platform_get_irq() is int, it can be
a negative error code, however this is being assigned to an unsigned
int variable 'irq', so making 'irq' an int, and change the position to
keep the code format.
./drivers/ata/pata_ixp4xx_cf.c:168:5-8:
WARNING: Unsigned expression compared with zero: irq > 0
Signed-off-by: Junlin Yang <yangjunlin@yulong.com>
Link: https://lore.kernel.org/r/20210409135426.1773-1-angkery@163.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/pata_ixp4xx_cf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ata/pata_ixp4xx_cf.c b/drivers/ata/pata_ixp4xx_cf.c
index abc0e87ca1a8..43215a4c1e54 100644
--- a/drivers/ata/pata_ixp4xx_cf.c
+++ b/drivers/ata/pata_ixp4xx_cf.c
@@ -135,12 +135,12 @@ static void ixp4xx_setup_port(struct ata_port *ap,
static int ixp4xx_pata_probe(struct platform_device *pdev)
{
- unsigned int irq;
struct resource *cs0, *cs1;
struct ata_host *host;
struct ata_port *ap;
struct ixp4xx_pata_data *data = dev_get_platdata(&pdev->dev);
int ret;
+ int irq;
cs0 = platform_get_resource(pdev, IORESOURCE_MEM, 0);
cs1 = platform_get_resource(pdev, IORESOURCE_MEM, 1);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 110/783] media: coda: jpeg: Add check for kmalloc
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 109/783] pata_ipx4xx_cf: Fix unsigned comparison with less than zero Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 111/783] media: i2c: ad5820: Fix error path Greg Kroah-Hartman
` (682 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Hans Verkuil, Sasha Levin
From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
[ Upstream commit f30ce3d3760b22ee33c8d9c2e223764ad30bdc5f ]
As kmalloc can return NULL pointer, it should be better to
check the return value and return error, same as
coda_jpeg_decode_header.
Fixes: 96f6f62c4656 ("media: coda: jpeg: add CODA960 JPEG encoder support")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/coda/coda-jpeg.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/coda/coda-jpeg.c b/drivers/media/platform/coda/coda-jpeg.c
index a72f4655e5ad..b7bf529f18f7 100644
--- a/drivers/media/platform/coda/coda-jpeg.c
+++ b/drivers/media/platform/coda/coda-jpeg.c
@@ -1052,10 +1052,16 @@ static int coda9_jpeg_start_encoding(struct coda_ctx *ctx)
v4l2_err(&dev->v4l2_dev, "error loading Huffman tables\n");
return ret;
}
- if (!ctx->params.jpeg_qmat_tab[0])
+ if (!ctx->params.jpeg_qmat_tab[0]) {
ctx->params.jpeg_qmat_tab[0] = kmalloc(64, GFP_KERNEL);
- if (!ctx->params.jpeg_qmat_tab[1])
+ if (!ctx->params.jpeg_qmat_tab[0])
+ return -ENOMEM;
+ }
+ if (!ctx->params.jpeg_qmat_tab[1]) {
ctx->params.jpeg_qmat_tab[1] = kmalloc(64, GFP_KERNEL);
+ if (!ctx->params.jpeg_qmat_tab[1])
+ return -ENOMEM;
+ }
coda_set_jpeg_compression_quality(ctx, ctx->params.jpeg_quality);
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 111/783] media: i2c: ad5820: Fix error path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 110/783] media: coda: jpeg: Add check for kmalloc Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 112/783] venus: pm_helpers: Fix error check in vcodec_domains_get() Greg Kroah-Hartman
` (681 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Sakari Ailus, Sasha Levin
From: Ricardo Ribalda <ribalda@chromium.org>
[ Upstream commit 9fce241660f37d9e95e93c0ae6fba8cfefa5797b ]
Error path seems to be swaped. Fix the order and provide some meaningful
names.
Fixes: bee3d5115611 ("[media] ad5820: Add driver for auto-focus coil")
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/ad5820.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/media/i2c/ad5820.c b/drivers/media/i2c/ad5820.c
index 19c74db0649f..f55322eebf6d 100644
--- a/drivers/media/i2c/ad5820.c
+++ b/drivers/media/i2c/ad5820.c
@@ -329,18 +329,18 @@ static int ad5820_probe(struct i2c_client *client,
ret = media_entity_pads_init(&coil->subdev.entity, 0, NULL);
if (ret < 0)
- goto cleanup2;
+ goto clean_mutex;
ret = v4l2_async_register_subdev(&coil->subdev);
if (ret < 0)
- goto cleanup;
+ goto clean_entity;
return ret;
-cleanup2:
- mutex_destroy(&coil->power_lock);
-cleanup:
+clean_entity:
media_entity_cleanup(&coil->subdev.entity);
+clean_mutex:
+ mutex_destroy(&coil->power_lock);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 112/783] venus: pm_helpers: Fix error check in vcodec_domains_get()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 111/783] media: i2c: ad5820: Fix error path Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 113/783] media: exynos4-is: Use v4l2_async_notifier_add_fwnode_remote_subdev Greg Kroah-Hartman
` (680 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Tang Bin, Sasha Levin
From: Tang Bin <tangbin@cmss.chinamobile.com>
[ Upstream commit 0f6e8d8c94a82e85e1b9b62a7671990740dc6f70 ]
In the function vcodec_domains_get(), dev_pm_domain_attach_by_name()
may return NULL in some cases, so IS_ERR() doesn't meet the
requirements. Thus fix it.
Fixes: 7482a983dea3 ("media: venus: redesign clocks and pm domains control")
Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/venus/pm_helpers.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/qcom/venus/pm_helpers.c b/drivers/media/platform/qcom/venus/pm_helpers.c
index 710f9a2b132b..f7de02352f1b 100644
--- a/drivers/media/platform/qcom/venus/pm_helpers.c
+++ b/drivers/media/platform/qcom/venus/pm_helpers.c
@@ -764,8 +764,8 @@ static int vcodec_domains_get(struct venus_core *core)
for (i = 0; i < res->vcodec_pmdomains_num; i++) {
pd = dev_pm_domain_attach_by_name(dev,
res->vcodec_pmdomains[i]);
- if (IS_ERR(pd))
- return PTR_ERR(pd);
+ if (IS_ERR_OR_NULL(pd))
+ return PTR_ERR(pd) ? : -ENODATA;
core->pmdomains[i] = pd;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 113/783] media: exynos4-is: Use v4l2_async_notifier_add_fwnode_remote_subdev
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 112/783] venus: pm_helpers: Fix error check in vcodec_domains_get() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 114/783] media: exynos4-is: dont rely on the v4l2_async_subdev internals Greg Kroah-Hartman
` (679 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ezequiel Garcia, Jacopo Mondi,
Helen Koike, Sakari Ailus, Mauro Carvalho Chehab, Sasha Levin
From: Ezequiel Garcia <ezequiel@collabora.com>
[ Upstream commit 3a2822bfe45c50abd9f76a8547a77a1f6a0e8c8d ]
The use of v4l2_async_notifier_add_subdev will be discouraged.
Drivers are instead encouraged to use a helper such as
v4l2_async_notifier_add_fwnode_remote_subdev.
This fixes a misuse of the API, as v4l2_async_notifier_add_subdev
should get a kmalloc'ed struct v4l2_async_subdev,
removing some boilerplate code while at it.
Use the appropriate helper v4l2_async_notifier_add_fwnode_remote_subdev,
which handles the needed setup, instead of open-coding it.
Signed-off-by: Ezequiel Garcia <ezequiel@collabora.com>
Reviewed-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
Reviewed-by: Helen Koike <helen.koike@collabora.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Stable-dep-of: f98a5c2e1c43 ("media: exynos4-is: don't rely on the v4l2_async_subdev internals")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/exynos4-is/media-dev.c | 24 ++++++++++---------
drivers/media/platform/exynos4-is/media-dev.h | 2 +-
2 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
index a9a8f0433fb2..3d877c5ae290 100644
--- a/drivers/media/platform/exynos4-is/media-dev.c
+++ b/drivers/media/platform/exynos4-is/media-dev.c
@@ -401,6 +401,7 @@ static int fimc_md_parse_one_endpoint(struct fimc_md *fmd,
int index = fmd->num_sensors;
struct fimc_source_info *pd = &fmd->sensor[index].pdata;
struct device_node *rem, *np;
+ struct v4l2_async_subdev *asd;
struct v4l2_fwnode_endpoint endpoint = { .bus_type = 0 };
int ret;
@@ -418,10 +419,10 @@ static int fimc_md_parse_one_endpoint(struct fimc_md *fmd,
pd->mux_id = (endpoint.base.port - 1) & 0x1;
rem = of_graph_get_remote_port_parent(ep);
- of_node_put(ep);
if (rem == NULL) {
v4l2_info(&fmd->v4l2_dev, "Remote device at %pOF not found\n",
ep);
+ of_node_put(ep);
return 0;
}
@@ -450,6 +451,7 @@ static int fimc_md_parse_one_endpoint(struct fimc_md *fmd,
* checking parent's node name.
*/
np = of_get_parent(rem);
+ of_node_put(rem);
if (of_node_name_eq(np, "i2c-isp"))
pd->fimc_bus_type = FIMC_BUS_TYPE_ISP_WRITEBACK;
@@ -458,20 +460,19 @@ static int fimc_md_parse_one_endpoint(struct fimc_md *fmd,
of_node_put(np);
if (WARN_ON(index >= ARRAY_SIZE(fmd->sensor))) {
- of_node_put(rem);
+ of_node_put(ep);
return -EINVAL;
}
- fmd->sensor[index].asd.match_type = V4L2_ASYNC_MATCH_FWNODE;
- fmd->sensor[index].asd.match.fwnode = of_fwnode_handle(rem);
+ asd = v4l2_async_notifier_add_fwnode_remote_subdev(
+ &fmd->subdev_notifier, of_fwnode_handle(ep), sizeof(*asd));
- ret = v4l2_async_notifier_add_subdev(&fmd->subdev_notifier,
- &fmd->sensor[index].asd);
- if (ret) {
- of_node_put(rem);
- return ret;
- }
+ of_node_put(ep);
+
+ if (IS_ERR(asd))
+ return PTR_ERR(asd);
+ fmd->sensor[index].asd = asd;
fmd->num_sensors++;
return 0;
@@ -1377,7 +1378,8 @@ static int subdev_notifier_bound(struct v4l2_async_notifier *notifier,
/* Find platform data for this sensor subdev */
for (i = 0; i < ARRAY_SIZE(fmd->sensor); i++)
- if (fmd->sensor[i].asd.match.fwnode ==
+ if (fmd->sensor[i].asd &&
+ fmd->sensor[i].asd->match.fwnode ==
of_fwnode_handle(subdev->dev->of_node))
si = &fmd->sensor[i];
diff --git a/drivers/media/platform/exynos4-is/media-dev.h b/drivers/media/platform/exynos4-is/media-dev.h
index 9447fafe23c6..a3876d668ea6 100644
--- a/drivers/media/platform/exynos4-is/media-dev.h
+++ b/drivers/media/platform/exynos4-is/media-dev.h
@@ -83,7 +83,7 @@ struct fimc_camclk_info {
*/
struct fimc_sensor_info {
struct fimc_source_info pdata;
- struct v4l2_async_subdev asd;
+ struct v4l2_async_subdev *asd;
struct v4l2_subdev *subdev;
struct fimc_dev *host;
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 114/783] media: exynos4-is: dont rely on the v4l2_async_subdev internals
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 113/783] media: exynos4-is: Use v4l2_async_notifier_add_fwnode_remote_subdev Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 115/783] can: kvaser_usb: do not increase tx statistics when sending error message frames Greg Kroah-Hartman
` (678 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Scally, Marek Szyprowski,
Sakari Ailus, Sasha Levin
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit f98a5c2e1c4396488c27274ba82afc11725a4bcc ]
Commit 1f391df44607 ("media: v4l2-async: Use endpoints in
__v4l2_async_nf_add_fwnode_remote()") changed the data that is stored in
the v4l2_async_subdev internals from the fwnode pointer to the parent
device to the fwnode pointer to the matched endpoint. This broke the
sensor matching code, which relied on the particular fwnode data in the
v4l2_async_subdev internals. Fix this by simply matching the
v4l2_async_subdev pointer, which is already available there.
Reported-by: Daniel Scally <djrscally@gmail.com>
Fixes: fa91f1056f17 ("[media] exynos4-is: Add support for asynchronous subdevices registration")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Daniel Scally <djrscally@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/exynos4-is/media-dev.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
index 3d877c5ae290..8603c578f55f 100644
--- a/drivers/media/platform/exynos4-is/media-dev.c
+++ b/drivers/media/platform/exynos4-is/media-dev.c
@@ -1378,9 +1378,7 @@ static int subdev_notifier_bound(struct v4l2_async_notifier *notifier,
/* Find platform data for this sensor subdev */
for (i = 0; i < ARRAY_SIZE(fmd->sensor); i++)
- if (fmd->sensor[i].asd &&
- fmd->sensor[i].asd->match.fwnode ==
- of_fwnode_handle(subdev->dev->of_node))
+ if (fmd->sensor[i].asd == asd)
si = &fmd->sensor[i];
if (si == NULL)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 115/783] can: kvaser_usb: do not increase tx statistics when sending error message frames
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 114/783] media: exynos4-is: dont rely on the v4l2_async_subdev internals Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 116/783] can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device Greg Kroah-Hartman
` (677 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Vincent Mailhol,
Marc Kleine-Budde, Sasha Levin
From: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
[ Upstream commit 0b0ce2c67795672115ac6ca28351a78799cd114b ]
The CAN error message frames (i.e. error skb) are an interface
specific to socket CAN. The payload of the CAN error message frames
does not correspond to any actual data sent on the wire. Only an error
flag and a delimiter are transmitted when an error occurs (c.f. ISO
11898-1 section 10.4.4.2 "Error flag").
For this reason, it makes no sense to increment the tx_packets and
tx_bytes fields of struct net_device_stats when sending an error
message frame because no actual payload will be transmitted on the
wire.
N.B. Sending error message frames is a very specific feature which, at
the moment, is only supported by the Kvaser Hydra hardware. Please
refer to [1] for more details on the topic.
[1] https://lore.kernel.org/linux-can/CAMZ6RqK0rTNg3u3mBpZOoY51jLZ-et-J01tY6-+mWsM4meVw-A@mail.gmail.com/t/#u
Link: https://lore.kernel.org/all/20211207121531.42941-3-mailhol.vincent@wanadoo.fr
Co-developed-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Stable-dep-of: 35364f5b41a4 ("can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
index 45d278724883..9588efbfae71 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
@@ -293,6 +293,7 @@ struct kvaser_cmd {
#define KVASER_USB_HYDRA_CF_FLAG_OVERRUN BIT(1)
#define KVASER_USB_HYDRA_CF_FLAG_REMOTE_FRAME BIT(4)
#define KVASER_USB_HYDRA_CF_FLAG_EXTENDED_ID BIT(5)
+#define KVASER_USB_HYDRA_CF_FLAG_TX_ACK BIT(6)
/* CAN frame flags. Used in ext_rx_can and ext_tx_can */
#define KVASER_USB_HYDRA_CF_FLAG_OSM_NACK BIT(12)
#define KVASER_USB_HYDRA_CF_FLAG_ABL BIT(13)
@@ -1099,6 +1100,7 @@ static void kvaser_usb_hydra_tx_acknowledge(const struct kvaser_usb *dev,
struct kvaser_usb_net_priv *priv;
unsigned long irq_flags;
bool one_shot_fail = false;
+ bool is_err_frame = false;
u16 transid = kvaser_usb_hydra_get_cmd_transid(cmd);
priv = kvaser_usb_hydra_net_priv_from_cmd(dev, cmd);
@@ -1117,10 +1119,13 @@ static void kvaser_usb_hydra_tx_acknowledge(const struct kvaser_usb *dev,
kvaser_usb_hydra_one_shot_fail(priv, cmd_ext);
one_shot_fail = true;
}
+
+ is_err_frame = flags & KVASER_USB_HYDRA_CF_FLAG_TX_ACK &&
+ flags & KVASER_USB_HYDRA_CF_FLAG_ERROR_FRAME;
}
context = &priv->tx_contexts[transid % dev->max_tx_urbs];
- if (!one_shot_fail) {
+ if (!one_shot_fail && !is_err_frame) {
struct net_device_stats *stats = &priv->netdev->stats;
stats->tx_packets++;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 116/783] can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 115/783] can: kvaser_usb: do not increase tx statistics when sending error message frames Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 117/783] can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event Greg Kroah-Hartman
` (676 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anssi Hannula, Jimmy Assarsson,
Marc Kleine-Budde, Sasha Levin
From: Jimmy Assarsson <extja@kvaser.com>
[ Upstream commit 35364f5b41a4917fe94a3f393d149b63ec583297 ]
Use the CMD_GET_CAPABILITIES_REQ command to query the device for certain
capabilities. We are only interested in LISTENONLY mode and wither the
device reports CAN error counters.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Reported-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Tested-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010185237.319219-3-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 144 +++++++++++++++++-
1 file changed, 143 insertions(+), 1 deletion(-)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
index 15380cc08ee6..26f32828f905 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -73,6 +73,8 @@
#define CMD_TX_ACKNOWLEDGE 50
#define CMD_CAN_ERROR_EVENT 51
#define CMD_FLUSH_QUEUE_REPLY 68
+#define CMD_GET_CAPABILITIES_REQ 95
+#define CMD_GET_CAPABILITIES_RESP 96
#define CMD_LEAF_LOG_MESSAGE 106
@@ -82,6 +84,8 @@
#define KVASER_USB_LEAF_SWOPTION_FREQ_32_MHZ_CLK BIT(5)
#define KVASER_USB_LEAF_SWOPTION_FREQ_24_MHZ_CLK BIT(6)
+#define KVASER_USB_LEAF_SWOPTION_EXT_CAP BIT(12)
+
/* error factors */
#define M16C_EF_ACKE BIT(0)
#define M16C_EF_CRCE BIT(1)
@@ -277,6 +281,28 @@ struct leaf_cmd_log_message {
u8 data[8];
} __packed;
+/* Sub commands for cap_req and cap_res */
+#define KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE 0x02
+#define KVASER_USB_LEAF_CAP_CMD_ERR_REPORT 0x05
+struct kvaser_cmd_cap_req {
+ __le16 padding0;
+ __le16 cap_cmd;
+ __le16 padding1;
+ __le16 channel;
+} __packed;
+
+/* Status codes for cap_res */
+#define KVASER_USB_LEAF_CAP_STAT_OK 0x00
+#define KVASER_USB_LEAF_CAP_STAT_NOT_IMPL 0x01
+#define KVASER_USB_LEAF_CAP_STAT_UNAVAIL 0x02
+struct kvaser_cmd_cap_res {
+ __le16 padding;
+ __le16 cap_cmd;
+ __le16 status;
+ __le32 mask;
+ __le32 value;
+} __packed;
+
struct kvaser_cmd {
u8 len;
u8 id;
@@ -294,6 +320,8 @@ struct kvaser_cmd {
struct leaf_cmd_chip_state_event chip_state_event;
struct leaf_cmd_error_event error_event;
struct leaf_cmd_log_message log_message;
+ struct kvaser_cmd_cap_req cap_req;
+ struct kvaser_cmd_cap_res cap_res;
} __packed leaf;
union {
@@ -323,6 +351,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = {
[CMD_LEAF_LOG_MESSAGE] = kvaser_fsize(u.leaf.log_message),
[CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event),
[CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event),
+ [CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res),
/* ignored events: */
[CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY,
};
@@ -607,6 +636,9 @@ static void kvaser_usb_leaf_get_software_info_leaf(struct kvaser_usb *dev,
dev->fw_version = le32_to_cpu(softinfo->fw_version);
dev->max_tx_urbs = le16_to_cpu(softinfo->max_outstanding_tx);
+ if (sw_options & KVASER_USB_LEAF_SWOPTION_EXT_CAP)
+ dev->card_data.capabilities |= KVASER_USB_CAP_EXT_CAP;
+
if (dev->driver_info->quirks & KVASER_USB_QUIRK_IGNORE_CLK_FREQ) {
/* Firmware expects bittiming parameters calculated for 16MHz
* clock, regardless of the actual clock
@@ -694,6 +726,116 @@ static int kvaser_usb_leaf_get_card_info(struct kvaser_usb *dev)
return 0;
}
+static int kvaser_usb_leaf_get_single_capability(struct kvaser_usb *dev,
+ u16 cap_cmd_req, u16 *status)
+{
+ struct kvaser_usb_dev_card_data *card_data = &dev->card_data;
+ struct kvaser_cmd *cmd;
+ u32 value = 0;
+ u32 mask = 0;
+ u16 cap_cmd_res;
+ int err;
+ int i;
+
+ cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
+ if (!cmd)
+ return -ENOMEM;
+
+ cmd->id = CMD_GET_CAPABILITIES_REQ;
+ cmd->u.leaf.cap_req.cap_cmd = cpu_to_le16(cap_cmd_req);
+ cmd->len = CMD_HEADER_LEN + sizeof(struct kvaser_cmd_cap_req);
+
+ err = kvaser_usb_send_cmd(dev, cmd, cmd->len);
+ if (err)
+ goto end;
+
+ err = kvaser_usb_leaf_wait_cmd(dev, CMD_GET_CAPABILITIES_RESP, cmd);
+ if (err)
+ goto end;
+
+ *status = le16_to_cpu(cmd->u.leaf.cap_res.status);
+
+ if (*status != KVASER_USB_LEAF_CAP_STAT_OK)
+ goto end;
+
+ cap_cmd_res = le16_to_cpu(cmd->u.leaf.cap_res.cap_cmd);
+ switch (cap_cmd_res) {
+ case KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE:
+ case KVASER_USB_LEAF_CAP_CMD_ERR_REPORT:
+ value = le32_to_cpu(cmd->u.leaf.cap_res.value);
+ mask = le32_to_cpu(cmd->u.leaf.cap_res.mask);
+ break;
+ default:
+ dev_warn(&dev->intf->dev, "Unknown capability command %u\n",
+ cap_cmd_res);
+ break;
+ }
+
+ for (i = 0; i < dev->nchannels; i++) {
+ if (BIT(i) & (value & mask)) {
+ switch (cap_cmd_res) {
+ case KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE:
+ card_data->ctrlmode_supported |=
+ CAN_CTRLMODE_LISTENONLY;
+ break;
+ case KVASER_USB_LEAF_CAP_CMD_ERR_REPORT:
+ card_data->capabilities |=
+ KVASER_USB_CAP_BERR_CAP;
+ break;
+ }
+ }
+ }
+
+end:
+ kfree(cmd);
+
+ return err;
+}
+
+static int kvaser_usb_leaf_get_capabilities_leaf(struct kvaser_usb *dev)
+{
+ int err;
+ u16 status;
+
+ if (!(dev->card_data.capabilities & KVASER_USB_CAP_EXT_CAP)) {
+ dev_info(&dev->intf->dev,
+ "No extended capability support. Upgrade device firmware.\n");
+ return 0;
+ }
+
+ err = kvaser_usb_leaf_get_single_capability(dev,
+ KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE,
+ &status);
+ if (err)
+ return err;
+ if (status)
+ dev_info(&dev->intf->dev,
+ "KVASER_USB_LEAF_CAP_CMD_LISTEN_MODE failed %u\n",
+ status);
+
+ err = kvaser_usb_leaf_get_single_capability(dev,
+ KVASER_USB_LEAF_CAP_CMD_ERR_REPORT,
+ &status);
+ if (err)
+ return err;
+ if (status)
+ dev_info(&dev->intf->dev,
+ "KVASER_USB_LEAF_CAP_CMD_ERR_REPORT failed %u\n",
+ status);
+
+ return 0;
+}
+
+static int kvaser_usb_leaf_get_capabilities(struct kvaser_usb *dev)
+{
+ int err = 0;
+
+ if (dev->driver_info->family == KVASER_LEAF)
+ err = kvaser_usb_leaf_get_capabilities_leaf(dev);
+
+ return err;
+}
+
static void kvaser_usb_leaf_tx_acknowledge(const struct kvaser_usb *dev,
const struct kvaser_cmd *cmd)
{
@@ -1490,7 +1632,7 @@ const struct kvaser_usb_dev_ops kvaser_usb_leaf_dev_ops = {
.dev_get_software_info = kvaser_usb_leaf_get_software_info,
.dev_get_software_details = NULL,
.dev_get_card_info = kvaser_usb_leaf_get_card_info,
- .dev_get_capabilities = NULL,
+ .dev_get_capabilities = kvaser_usb_leaf_get_capabilities,
.dev_set_opt_mode = kvaser_usb_leaf_set_opt_mode,
.dev_start_chip = kvaser_usb_leaf_start_chip,
.dev_stop_chip = kvaser_usb_leaf_stop_chip,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 117/783] can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 116/783] can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 118/783] can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT Greg Kroah-Hartman
` (675 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anssi Hannula, Jimmy Assarsson,
Marc Kleine-Budde, Sasha Levin
From: Jimmy Assarsson <extja@kvaser.com>
[ Upstream commit 7ea56128dbf904a3359bcf9289cccdfa3c85c7e8 ]
Prepare for handling CMD_ERROR_EVENT. Rename struct
{leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Reported-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Tested-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010185237.319219-4-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 38 +++++++++----------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
index 26f32828f905..4f3d1150b2b2 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -233,7 +233,7 @@ struct kvaser_cmd_tx_acknowledge_header {
u8 tid;
} __packed;
-struct leaf_cmd_error_event {
+struct leaf_cmd_can_error_event {
u8 tid;
u8 flags;
__le16 time[3];
@@ -245,7 +245,7 @@ struct leaf_cmd_error_event {
u8 error_factor;
} __packed;
-struct usbcan_cmd_error_event {
+struct usbcan_cmd_can_error_event {
u8 tid;
u8 padding;
u8 tx_errors_count_ch0;
@@ -318,7 +318,7 @@ struct kvaser_cmd {
struct leaf_cmd_softinfo softinfo;
struct leaf_cmd_rx_can rx_can;
struct leaf_cmd_chip_state_event chip_state_event;
- struct leaf_cmd_error_event error_event;
+ struct leaf_cmd_can_error_event can_error_event;
struct leaf_cmd_log_message log_message;
struct kvaser_cmd_cap_req cap_req;
struct kvaser_cmd_cap_res cap_res;
@@ -328,7 +328,7 @@ struct kvaser_cmd {
struct usbcan_cmd_softinfo softinfo;
struct usbcan_cmd_rx_can rx_can;
struct usbcan_cmd_chip_state_event chip_state_event;
- struct usbcan_cmd_error_event error_event;
+ struct usbcan_cmd_can_error_event can_error_event;
} __packed usbcan;
struct kvaser_cmd_tx_can tx_can;
@@ -350,7 +350,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = {
[CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.leaf.rx_can),
[CMD_LEAF_LOG_MESSAGE] = kvaser_fsize(u.leaf.log_message),
[CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event),
- [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event),
+ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.can_error_event),
[CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res),
/* ignored events: */
[CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY,
@@ -365,7 +365,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_usbcan[] = {
[CMD_RX_STD_MESSAGE] = kvaser_fsize(u.usbcan.rx_can),
[CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.usbcan.rx_can),
[CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.usbcan.chip_state_event),
- [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.usbcan.error_event),
+ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.usbcan.can_error_event),
/* ignored events: */
[CMD_USBCAN_CLOCK_OVERFLOW_EVENT] = CMD_SIZE_ANY,
};
@@ -1137,11 +1137,11 @@ static void kvaser_usb_leaf_usbcan_rx_error(const struct kvaser_usb *dev,
case CMD_CAN_ERROR_EVENT:
es.channel = 0;
- es.status = cmd->u.usbcan.error_event.status_ch0;
- es.txerr = cmd->u.usbcan.error_event.tx_errors_count_ch0;
- es.rxerr = cmd->u.usbcan.error_event.rx_errors_count_ch0;
+ es.status = cmd->u.usbcan.can_error_event.status_ch0;
+ es.txerr = cmd->u.usbcan.can_error_event.tx_errors_count_ch0;
+ es.rxerr = cmd->u.usbcan.can_error_event.rx_errors_count_ch0;
es.usbcan.other_ch_status =
- cmd->u.usbcan.error_event.status_ch1;
+ cmd->u.usbcan.can_error_event.status_ch1;
kvaser_usb_leaf_usbcan_conditionally_rx_error(dev, &es);
/* The USBCAN firmware supports up to 2 channels.
@@ -1149,13 +1149,13 @@ static void kvaser_usb_leaf_usbcan_rx_error(const struct kvaser_usb *dev,
*/
if (dev->nchannels == MAX_USBCAN_NET_DEVICES) {
es.channel = 1;
- es.status = cmd->u.usbcan.error_event.status_ch1;
+ es.status = cmd->u.usbcan.can_error_event.status_ch1;
es.txerr =
- cmd->u.usbcan.error_event.tx_errors_count_ch1;
+ cmd->u.usbcan.can_error_event.tx_errors_count_ch1;
es.rxerr =
- cmd->u.usbcan.error_event.rx_errors_count_ch1;
+ cmd->u.usbcan.can_error_event.rx_errors_count_ch1;
es.usbcan.other_ch_status =
- cmd->u.usbcan.error_event.status_ch0;
+ cmd->u.usbcan.can_error_event.status_ch0;
kvaser_usb_leaf_usbcan_conditionally_rx_error(dev, &es);
}
break;
@@ -1172,11 +1172,11 @@ static void kvaser_usb_leaf_leaf_rx_error(const struct kvaser_usb *dev,
switch (cmd->id) {
case CMD_CAN_ERROR_EVENT:
- es.channel = cmd->u.leaf.error_event.channel;
- es.status = cmd->u.leaf.error_event.status;
- es.txerr = cmd->u.leaf.error_event.tx_errors_count;
- es.rxerr = cmd->u.leaf.error_event.rx_errors_count;
- es.leaf.error_factor = cmd->u.leaf.error_event.error_factor;
+ es.channel = cmd->u.leaf.can_error_event.channel;
+ es.status = cmd->u.leaf.can_error_event.status;
+ es.txerr = cmd->u.leaf.can_error_event.tx_errors_count;
+ es.rxerr = cmd->u.leaf.can_error_event.rx_errors_count;
+ es.leaf.error_factor = cmd->u.leaf.can_error_event.error_factor;
break;
case CMD_LEAF_LOG_MESSAGE:
es.channel = cmd->u.leaf.log_message.channel;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 118/783] can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 117/783] can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 119/783] can: kvaser_usb_leaf: Set Warning state even without bus errors Greg Kroah-Hartman
` (674 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anssi Hannula, Jimmy Assarsson,
Marc Kleine-Budde, Sasha Levin
From: Jimmy Assarsson <extja@kvaser.com>
[ Upstream commit b24cb2d169e0c9dce664a959e1f2aa9781285dc9 ]
The device will send an error event command, to indicate certain errors.
This indicates a misbehaving driver, and should never occur.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Tested-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Co-developed-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010185237.319219-5-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 99 +++++++++++++++++++
1 file changed, 99 insertions(+)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
index 4f3d1150b2b2..3c3e78992b55 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -69,6 +69,7 @@
#define CMD_GET_CARD_INFO_REPLY 35
#define CMD_GET_SOFTWARE_INFO 38
#define CMD_GET_SOFTWARE_INFO_REPLY 39
+#define CMD_ERROR_EVENT 45
#define CMD_FLUSH_QUEUE 48
#define CMD_TX_ACKNOWLEDGE 50
#define CMD_CAN_ERROR_EVENT 51
@@ -257,6 +258,28 @@ struct usbcan_cmd_can_error_event {
__le16 time;
} __packed;
+/* CMD_ERROR_EVENT error codes */
+#define KVASER_USB_LEAF_ERROR_EVENT_TX_QUEUE_FULL 0x8
+#define KVASER_USB_LEAF_ERROR_EVENT_PARAM 0x9
+
+struct leaf_cmd_error_event {
+ u8 tid;
+ u8 error_code;
+ __le16 timestamp[3];
+ __le16 padding;
+ __le16 info1;
+ __le16 info2;
+} __packed;
+
+struct usbcan_cmd_error_event {
+ u8 tid;
+ u8 error_code;
+ __le16 info1;
+ __le16 info2;
+ __le16 timestamp;
+ __le16 padding;
+} __packed;
+
struct kvaser_cmd_ctrl_mode {
u8 tid;
u8 channel;
@@ -320,6 +343,7 @@ struct kvaser_cmd {
struct leaf_cmd_chip_state_event chip_state_event;
struct leaf_cmd_can_error_event can_error_event;
struct leaf_cmd_log_message log_message;
+ struct leaf_cmd_error_event error_event;
struct kvaser_cmd_cap_req cap_req;
struct kvaser_cmd_cap_res cap_res;
} __packed leaf;
@@ -329,6 +353,7 @@ struct kvaser_cmd {
struct usbcan_cmd_rx_can rx_can;
struct usbcan_cmd_chip_state_event chip_state_event;
struct usbcan_cmd_can_error_event can_error_event;
+ struct usbcan_cmd_error_event error_event;
} __packed usbcan;
struct kvaser_cmd_tx_can tx_can;
@@ -352,6 +377,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = {
[CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event),
[CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.can_error_event),
[CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res),
+ [CMD_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event),
/* ignored events: */
[CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY,
};
@@ -366,6 +392,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_usbcan[] = {
[CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.usbcan.rx_can),
[CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.usbcan.chip_state_event),
[CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.usbcan.can_error_event),
+ [CMD_ERROR_EVENT] = kvaser_fsize(u.usbcan.error_event),
/* ignored events: */
[CMD_USBCAN_CLOCK_OVERFLOW_EVENT] = CMD_SIZE_ANY,
};
@@ -1308,6 +1335,74 @@ static void kvaser_usb_leaf_rx_can_msg(const struct kvaser_usb *dev,
netif_rx(skb);
}
+static void kvaser_usb_leaf_error_event_parameter(const struct kvaser_usb *dev,
+ const struct kvaser_cmd *cmd)
+{
+ u16 info1 = 0;
+
+ switch (dev->driver_info->family) {
+ case KVASER_LEAF:
+ info1 = le16_to_cpu(cmd->u.leaf.error_event.info1);
+ break;
+ case KVASER_USBCAN:
+ info1 = le16_to_cpu(cmd->u.usbcan.error_event.info1);
+ break;
+ }
+
+ /* info1 will contain the offending cmd_no */
+ switch (info1) {
+ case CMD_SET_CTRL_MODE:
+ dev_warn(&dev->intf->dev,
+ "CMD_SET_CTRL_MODE error in parameter\n");
+ break;
+
+ case CMD_SET_BUS_PARAMS:
+ dev_warn(&dev->intf->dev,
+ "CMD_SET_BUS_PARAMS error in parameter\n");
+ break;
+
+ default:
+ dev_warn(&dev->intf->dev,
+ "Unhandled parameter error event cmd_no (%u)\n",
+ info1);
+ break;
+ }
+}
+
+static void kvaser_usb_leaf_error_event(const struct kvaser_usb *dev,
+ const struct kvaser_cmd *cmd)
+{
+ u8 error_code = 0;
+
+ switch (dev->driver_info->family) {
+ case KVASER_LEAF:
+ error_code = cmd->u.leaf.error_event.error_code;
+ break;
+ case KVASER_USBCAN:
+ error_code = cmd->u.usbcan.error_event.error_code;
+ break;
+ }
+
+ switch (error_code) {
+ case KVASER_USB_LEAF_ERROR_EVENT_TX_QUEUE_FULL:
+ /* Received additional CAN message, when firmware TX queue is
+ * already full. Something is wrong with the driver.
+ * This should never happen!
+ */
+ dev_err(&dev->intf->dev,
+ "Received error event TX_QUEUE_FULL\n");
+ break;
+ case KVASER_USB_LEAF_ERROR_EVENT_PARAM:
+ kvaser_usb_leaf_error_event_parameter(dev, cmd);
+ break;
+
+ default:
+ dev_warn(&dev->intf->dev,
+ "Unhandled error event (%d)\n", error_code);
+ break;
+ }
+}
+
static void kvaser_usb_leaf_start_chip_reply(const struct kvaser_usb *dev,
const struct kvaser_cmd *cmd)
{
@@ -1386,6 +1481,10 @@ static void kvaser_usb_leaf_handle_command(const struct kvaser_usb *dev,
kvaser_usb_leaf_tx_acknowledge(dev, cmd);
break;
+ case CMD_ERROR_EVENT:
+ kvaser_usb_leaf_error_event(dev, cmd);
+ break;
+
/* Ignored commands */
case CMD_USBCAN_CLOCK_OVERFLOW_EVENT:
if (dev->driver_info->family != KVASER_USBCAN)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 119/783] can: kvaser_usb_leaf: Set Warning state even without bus errors
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 118/783] can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 120/783] can: kvaser_usb_leaf: Fix improved state not being reported Greg Kroah-Hartman
` (673 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Anssi Hannula,
Marc Kleine-Budde, Sasha Levin
From: Anssi Hannula <anssi.hannula@bitwise.fi>
[ Upstream commit df1b7af2761b935f63b4a53e789d41ed859edf61 ]
kvaser_usb_leaf_rx_error_update_can_state() sets error state according
to error counters when the hardware does not indicate a specific state
directly.
However, this is currently gated behind a check for
M16C_STATE_BUS_ERROR which does not always seem to be set when error
counters are increasing, and may not be set when error counters are
decreasing.
This causes the CAN_STATE_ERROR_WARNING state to not be set in some
cases even when appropriate.
Change the code to set error state from counters even without
M16C_STATE_BUS_ERROR.
The Error-Passive case seems superfluous as it is already set via
M16C_STATE_BUS_PASSIVE flag above, but it is kept for now.
Tested with 0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Tested-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010185237.319219-6-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 20 ++++++++-----------
1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
index 3c3e78992b55..b43631eaccf1 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -965,20 +965,16 @@ kvaser_usb_leaf_rx_error_update_can_state(struct kvaser_usb_net_priv *priv,
new_state = CAN_STATE_BUS_OFF;
} else if (es->status & M16C_STATE_BUS_PASSIVE) {
new_state = CAN_STATE_ERROR_PASSIVE;
- } else if (es->status & M16C_STATE_BUS_ERROR) {
+ } else if ((es->status & M16C_STATE_BUS_ERROR) &&
+ cur_state >= CAN_STATE_BUS_OFF) {
/* Guard against spurious error events after a busoff */
- if (cur_state < CAN_STATE_BUS_OFF) {
- if (es->txerr >= 128 || es->rxerr >= 128)
- new_state = CAN_STATE_ERROR_PASSIVE;
- else if (es->txerr >= 96 || es->rxerr >= 96)
- new_state = CAN_STATE_ERROR_WARNING;
- else if (cur_state > CAN_STATE_ERROR_ACTIVE)
- new_state = CAN_STATE_ERROR_ACTIVE;
- }
- }
-
- if (!es->status)
+ } else if (es->txerr >= 128 || es->rxerr >= 128) {
+ new_state = CAN_STATE_ERROR_PASSIVE;
+ } else if (es->txerr >= 96 || es->rxerr >= 96) {
+ new_state = CAN_STATE_ERROR_WARNING;
+ } else {
new_state = CAN_STATE_ERROR_ACTIVE;
+ }
if (new_state != cur_state) {
tx_state = (es->txerr >= es->rxerr) ? new_state : 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 120/783] can: kvaser_usb_leaf: Fix improved state not being reported
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 119/783] can: kvaser_usb_leaf: Set Warning state even without bus errors Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 121/783] can: kvaser_usb_leaf: Fix wrong CAN state after stopping Greg Kroah-Hartman
` (672 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Anssi Hannula,
Marc Kleine-Budde, Sasha Levin
From: Anssi Hannula <anssi.hannula@bitwise.fi>
[ Upstream commit 8d21f5927ae604881f98587fabf6753f88730968 ]
The tested 0bfd:0017 Kvaser Memorator Professional HS/HS FW 2.0.50 and
0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778 do not seem to send
any unsolicited events when error counters decrease or when the device
transitions from ERROR_PASSIVE to ERROR_ACTIVE (or WARNING).
This causes the interface to e.g. indefinitely stay in the ERROR_PASSIVE
state.
Fix that by asking for chip state (inc. counters) event every 0.5 secs
when error counters are non-zero.
Since there are non-error-counter devices, also always poll in
ERROR_PASSIVE even if the counters show zero.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Tested-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010185237.319219-7-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 7 +++
.../net/can/usb/kvaser_usb/kvaser_usb_core.c | 19 +++++-
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 58 +++++++++++++++++++
3 files changed, 81 insertions(+), 3 deletions(-)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
index 62958f04a2f2..1f4583f1dae2 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
@@ -104,6 +104,9 @@ struct kvaser_usb_net_priv {
struct can_priv can;
struct can_berr_counter bec;
+ /* subdriver-specific data */
+ void *sub_priv;
+
struct kvaser_usb *dev;
struct net_device *netdev;
int channel;
@@ -125,6 +128,8 @@ struct kvaser_usb_net_priv {
*
* @dev_setup_endpoints: setup USB in and out endpoints
* @dev_init_card: initialize card
+ * @dev_init_channel: initialize channel
+ * @dev_remove_channel: uninitialize channel
* @dev_get_software_info: get software info
* @dev_get_software_details: get software details
* @dev_get_card_info: get card info
@@ -146,6 +151,8 @@ struct kvaser_usb_dev_ops {
struct can_berr_counter *bec);
int (*dev_setup_endpoints)(struct kvaser_usb *dev);
int (*dev_init_card)(struct kvaser_usb *dev);
+ int (*dev_init_channel)(struct kvaser_usb_net_priv *priv);
+ void (*dev_remove_channel)(struct kvaser_usb_net_priv *priv);
int (*dev_get_software_info)(struct kvaser_usb *dev);
int (*dev_get_software_details)(struct kvaser_usb *dev);
int (*dev_get_card_info)(struct kvaser_usb *dev);
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
index 7491f85e85b3..2c816d8929da 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
@@ -645,6 +645,7 @@ static const struct net_device_ops kvaser_usb_netdev_ops = {
static void kvaser_usb_remove_interfaces(struct kvaser_usb *dev)
{
+ const struct kvaser_usb_dev_ops *ops = dev->driver_info->ops;
int i;
for (i = 0; i < dev->nchannels; i++) {
@@ -660,6 +661,9 @@ static void kvaser_usb_remove_interfaces(struct kvaser_usb *dev)
if (!dev->nets[i])
continue;
+ if (ops->dev_remove_channel)
+ ops->dev_remove_channel(dev->nets[i]);
+
free_candev(dev->nets[i]->netdev);
}
}
@@ -727,17 +731,26 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
dev->nets[channel] = priv;
+ if (ops->dev_init_channel) {
+ err = ops->dev_init_channel(priv);
+ if (err)
+ goto err;
+ }
+
err = register_candev(netdev);
if (err) {
dev_err(&dev->intf->dev, "Failed to register CAN device\n");
- free_candev(netdev);
- dev->nets[channel] = NULL;
- return err;
+ goto err;
}
netdev_dbg(netdev, "device registered\n");
return 0;
+
+err:
+ free_candev(netdev);
+ dev->nets[channel] = NULL;
+ return err;
}
static int kvaser_usb_probe(struct usb_interface *intf,
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
index b43631eaccf1..6d45ae6f2a08 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -20,6 +20,7 @@
#include <linux/string.h>
#include <linux/types.h>
#include <linux/usb.h>
+#include <linux/workqueue.h>
#include <linux/can.h>
#include <linux/can/dev.h>
@@ -55,6 +56,7 @@
#define CMD_RX_EXT_MESSAGE 14
#define CMD_TX_EXT_MESSAGE 15
#define CMD_SET_BUS_PARAMS 16
+#define CMD_GET_CHIP_STATE 19
#define CMD_CHIP_STATE_EVENT 20
#define CMD_SET_CTRL_MODE 21
#define CMD_RESET_CHIP 24
@@ -420,6 +422,12 @@ struct kvaser_usb_err_summary {
};
};
+struct kvaser_usb_net_leaf_priv {
+ struct kvaser_usb_net_priv *net;
+
+ struct delayed_work chip_state_req_work;
+};
+
static const struct can_bittiming_const kvaser_usb_leaf_m16c_bittiming_const = {
.name = "kvaser_usb_ucii",
.tseg1_min = 4,
@@ -947,6 +955,16 @@ static int kvaser_usb_leaf_simple_cmd_async(struct kvaser_usb_net_priv *priv,
return err;
}
+static void kvaser_usb_leaf_chip_state_req_work(struct work_struct *work)
+{
+ struct kvaser_usb_net_leaf_priv *leaf =
+ container_of(work, struct kvaser_usb_net_leaf_priv,
+ chip_state_req_work.work);
+ struct kvaser_usb_net_priv *priv = leaf->net;
+
+ kvaser_usb_leaf_simple_cmd_async(priv, CMD_GET_CHIP_STATE);
+}
+
static void
kvaser_usb_leaf_rx_error_update_can_state(struct kvaser_usb_net_priv *priv,
const struct kvaser_usb_err_summary *es,
@@ -1018,6 +1036,7 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
struct sk_buff *skb;
struct net_device_stats *stats;
struct kvaser_usb_net_priv *priv;
+ struct kvaser_usb_net_leaf_priv *leaf;
enum can_state old_state, new_state;
if (es->channel >= dev->nchannels) {
@@ -1027,6 +1046,7 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
}
priv = dev->nets[es->channel];
+ leaf = priv->sub_priv;
stats = &priv->netdev->stats;
/* Update all of the CAN interface's state and error counters before
@@ -1043,6 +1063,14 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
kvaser_usb_leaf_rx_error_update_can_state(priv, es, &tmp_cf);
new_state = priv->can.state;
+ /* If there are errors, request status updates periodically as we do
+ * not get automatic notifications of improved state.
+ */
+ if (new_state < CAN_STATE_BUS_OFF &&
+ (es->rxerr || es->txerr || new_state == CAN_STATE_ERROR_PASSIVE))
+ schedule_delayed_work(&leaf->chip_state_req_work,
+ msecs_to_jiffies(500));
+
skb = alloc_can_err_skb(priv->netdev, &cf);
if (!skb) {
stats->rx_dropped++;
@@ -1577,10 +1605,13 @@ static int kvaser_usb_leaf_start_chip(struct kvaser_usb_net_priv *priv)
static int kvaser_usb_leaf_stop_chip(struct kvaser_usb_net_priv *priv)
{
+ struct kvaser_usb_net_leaf_priv *leaf = priv->sub_priv;
int err;
reinit_completion(&priv->stop_comp);
+ cancel_delayed_work(&leaf->chip_state_req_work);
+
err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_STOP_CHIP,
priv->channel);
if (err)
@@ -1627,6 +1658,31 @@ static int kvaser_usb_leaf_init_card(struct kvaser_usb *dev)
return 0;
}
+static int kvaser_usb_leaf_init_channel(struct kvaser_usb_net_priv *priv)
+{
+ struct kvaser_usb_net_leaf_priv *leaf;
+
+ leaf = devm_kzalloc(&priv->dev->intf->dev, sizeof(*leaf), GFP_KERNEL);
+ if (!leaf)
+ return -ENOMEM;
+
+ leaf->net = priv;
+ INIT_DELAYED_WORK(&leaf->chip_state_req_work,
+ kvaser_usb_leaf_chip_state_req_work);
+
+ priv->sub_priv = leaf;
+
+ return 0;
+}
+
+static void kvaser_usb_leaf_remove_channel(struct kvaser_usb_net_priv *priv)
+{
+ struct kvaser_usb_net_leaf_priv *leaf = priv->sub_priv;
+
+ if (leaf)
+ cancel_delayed_work_sync(&leaf->chip_state_req_work);
+}
+
static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev)
{
struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
@@ -1724,6 +1780,8 @@ const struct kvaser_usb_dev_ops kvaser_usb_leaf_dev_ops = {
.dev_get_berr_counter = kvaser_usb_leaf_get_berr_counter,
.dev_setup_endpoints = kvaser_usb_leaf_setup_endpoints,
.dev_init_card = kvaser_usb_leaf_init_card,
+ .dev_init_channel = kvaser_usb_leaf_init_channel,
+ .dev_remove_channel = kvaser_usb_leaf_remove_channel,
.dev_get_software_info = kvaser_usb_leaf_get_software_info,
.dev_get_software_details = NULL,
.dev_get_card_info = kvaser_usb_leaf_get_card_info,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 121/783] can: kvaser_usb_leaf: Fix wrong CAN state after stopping
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 120/783] can: kvaser_usb_leaf: Fix improved state not being reported Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 122/783] can: kvaser_usb_leaf: Fix bogus restart events Greg Kroah-Hartman
` (671 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Anssi Hannula,
Marc Kleine-Budde, Sasha Levin
From: Anssi Hannula <anssi.hannula@bitwise.fi>
[ Upstream commit a11249acf802341294557895d8e5f6aef080253f ]
0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778 sends a
CMD_CHIP_STATE_EVENT indicating bus-off after stopping the device,
causing a stopped device to appear as CAN_STATE_BUS_OFF instead of
CAN_STATE_STOPPED.
Fix that by not handling error events on stopped devices.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Tested-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010185237.319219-8-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
index 6d45ae6f2a08..52ac6446634d 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -1049,6 +1049,10 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
leaf = priv->sub_priv;
stats = &priv->netdev->stats;
+ /* Ignore e.g. state change to bus-off reported just after stopping */
+ if (!netif_running(priv->netdev))
+ return;
+
/* Update all of the CAN interface's state and error counters before
* trying any memory allocation that can actually fail with -ENOMEM.
*
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 122/783] can: kvaser_usb_leaf: Fix bogus restart events
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 121/783] can: kvaser_usb_leaf: Fix wrong CAN state after stopping Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 123/783] can: kvaser_usb: Add struct kvaser_usb_busparams Greg Kroah-Hartman
` (670 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Anssi Hannula,
Marc Kleine-Budde, Sasha Levin
From: Anssi Hannula <anssi.hannula@bitwise.fi>
[ Upstream commit 90904d326269a38fe5dd895fb2db7c03199654c4 ]
When auto-restart is enabled, the kvaser_usb_leaf driver considers
transition from any state >= CAN_STATE_BUS_OFF as a bus-off recovery
event (restart).
However, these events may occur at interface startup time before
kvaser_usb_open() has set the state to CAN_STATE_ERROR_ACTIVE, causing
restarts counter to increase and CAN_ERR_RESTARTED to be sent despite no
actual restart having occurred.
Fix that by making the auto-restart condition checks more strict so that
they only trigger when the interface was actually in the BUS_OFF state.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Tested-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010185237.319219-10-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
index 52ac6446634d..d1877ff2ff71 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -899,7 +899,7 @@ static void kvaser_usb_leaf_tx_acknowledge(const struct kvaser_usb *dev,
context = &priv->tx_contexts[tid % dev->max_tx_urbs];
/* Sometimes the state change doesn't come after a bus-off event */
- if (priv->can.restart_ms && priv->can.state >= CAN_STATE_BUS_OFF) {
+ if (priv->can.restart_ms && priv->can.state == CAN_STATE_BUS_OFF) {
struct sk_buff *skb;
struct can_frame *cf;
@@ -1002,7 +1002,7 @@ kvaser_usb_leaf_rx_error_update_can_state(struct kvaser_usb_net_priv *priv,
}
if (priv->can.restart_ms &&
- cur_state >= CAN_STATE_BUS_OFF &&
+ cur_state == CAN_STATE_BUS_OFF &&
new_state < CAN_STATE_BUS_OFF)
priv->can.can_stats.restarts++;
@@ -1092,7 +1092,7 @@ static void kvaser_usb_leaf_rx_error(const struct kvaser_usb *dev,
}
if (priv->can.restart_ms &&
- old_state >= CAN_STATE_BUS_OFF &&
+ old_state == CAN_STATE_BUS_OFF &&
new_state < CAN_STATE_BUS_OFF) {
cf->can_id |= CAN_ERR_RESTARTED;
netif_carrier_on(priv->netdev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 123/783] can: kvaser_usb: Add struct kvaser_usb_busparams
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 122/783] can: kvaser_usb_leaf: Fix bogus restart events Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 124/783] can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming Greg Kroah-Hartman
` (669 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anssi Hannula, Jimmy Assarsson,
Marc Kleine-Budde, Sasha Levin
From: Jimmy Assarsson <extja@kvaser.com>
[ Upstream commit 00e5786177649c1e3110f9454fdd34e336597265 ]
Add struct kvaser_usb_busparams containing the busparameters used in
CMD_{SET,GET}_BUSPARAMS* commands.
Tested-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010185237.319219-11-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Stable-dep-of: 39d3df6b0ea8 ("can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 8 +++++
.../net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 32 +++++++------------
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 18 ++++-------
3 files changed, 27 insertions(+), 31 deletions(-)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
index 1f4583f1dae2..cb8018723748 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
@@ -76,6 +76,14 @@ struct kvaser_usb_tx_urb_context {
int dlc;
};
+struct kvaser_usb_busparams {
+ __le32 bitrate;
+ u8 tseg1;
+ u8 tseg2;
+ u8 sjw;
+ u8 nsamples;
+} __packed;
+
struct kvaser_usb {
struct usb_device *udev;
struct usb_interface *intf;
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
index 9588efbfae71..72c37dc50b6b 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
@@ -193,17 +193,9 @@ struct kvaser_cmd_chip_state_event {
#define KVASER_USB_HYDRA_BUS_MODE_CANFD_ISO 0x01
#define KVASER_USB_HYDRA_BUS_MODE_NONISO 0x02
struct kvaser_cmd_set_busparams {
- __le32 bitrate;
- u8 tseg1;
- u8 tseg2;
- u8 sjw;
- u8 nsamples;
+ struct kvaser_usb_busparams busparams_arb;
u8 reserved0[4];
- __le32 bitrate_d;
- u8 tseg1_d;
- u8 tseg2_d;
- u8 sjw_d;
- u8 nsamples_d;
+ struct kvaser_usb_busparams busparams_data;
u8 canfd_mode;
u8 reserved1[7];
} __packed;
@@ -1515,11 +1507,11 @@ static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev)
return -ENOMEM;
cmd->header.cmd_no = CMD_SET_BUSPARAMS_REQ;
- cmd->set_busparams_req.bitrate = cpu_to_le32(bt->bitrate);
- cmd->set_busparams_req.sjw = (u8)sjw;
- cmd->set_busparams_req.tseg1 = (u8)tseg1;
- cmd->set_busparams_req.tseg2 = (u8)tseg2;
- cmd->set_busparams_req.nsamples = 1;
+ cmd->set_busparams_req.busparams_arb.bitrate = cpu_to_le32(bt->bitrate);
+ cmd->set_busparams_req.busparams_arb.sjw = (u8)sjw;
+ cmd->set_busparams_req.busparams_arb.tseg1 = (u8)tseg1;
+ cmd->set_busparams_req.busparams_arb.tseg2 = (u8)tseg2;
+ cmd->set_busparams_req.busparams_arb.nsamples = 1;
kvaser_usb_hydra_set_cmd_dest_he
(cmd, dev->card_data.hydra.channel_to_he[priv->channel]);
@@ -1549,11 +1541,11 @@ static int kvaser_usb_hydra_set_data_bittiming(struct net_device *netdev)
return -ENOMEM;
cmd->header.cmd_no = CMD_SET_BUSPARAMS_FD_REQ;
- cmd->set_busparams_req.bitrate_d = cpu_to_le32(dbt->bitrate);
- cmd->set_busparams_req.sjw_d = (u8)sjw;
- cmd->set_busparams_req.tseg1_d = (u8)tseg1;
- cmd->set_busparams_req.tseg2_d = (u8)tseg2;
- cmd->set_busparams_req.nsamples_d = 1;
+ cmd->set_busparams_req.busparams_data.bitrate = cpu_to_le32(dbt->bitrate);
+ cmd->set_busparams_req.busparams_data.sjw = (u8)sjw;
+ cmd->set_busparams_req.busparams_data.tseg1 = (u8)tseg1;
+ cmd->set_busparams_req.busparams_data.tseg2 = (u8)tseg2;
+ cmd->set_busparams_req.busparams_data.nsamples = 1;
if (priv->can.ctrlmode & CAN_CTRLMODE_FD) {
if (priv->can.ctrlmode & CAN_CTRLMODE_FD_NON_ISO)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
index d1877ff2ff71..1e2f727a1efb 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -163,11 +163,7 @@ struct usbcan_cmd_softinfo {
struct kvaser_cmd_busparams {
u8 tid;
u8 channel;
- __le32 bitrate;
- u8 tseg1;
- u8 tseg2;
- u8 sjw;
- u8 no_samp;
+ struct kvaser_usb_busparams busparams;
} __packed;
struct kvaser_cmd_tx_can {
@@ -1703,15 +1699,15 @@ static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev)
cmd->len = CMD_HEADER_LEN + sizeof(struct kvaser_cmd_busparams);
cmd->u.busparams.channel = priv->channel;
cmd->u.busparams.tid = 0xff;
- cmd->u.busparams.bitrate = cpu_to_le32(bt->bitrate);
- cmd->u.busparams.sjw = bt->sjw;
- cmd->u.busparams.tseg1 = bt->prop_seg + bt->phase_seg1;
- cmd->u.busparams.tseg2 = bt->phase_seg2;
+ cmd->u.busparams.busparams.bitrate = cpu_to_le32(bt->bitrate);
+ cmd->u.busparams.busparams.sjw = bt->sjw;
+ cmd->u.busparams.busparams.tseg1 = bt->prop_seg + bt->phase_seg1;
+ cmd->u.busparams.busparams.tseg2 = bt->phase_seg2;
if (priv->can.ctrlmode & CAN_CTRLMODE_3_SAMPLES)
- cmd->u.busparams.no_samp = 3;
+ cmd->u.busparams.busparams.nsamples = 3;
else
- cmd->u.busparams.no_samp = 1;
+ cmd->u.busparams.busparams.nsamples = 1;
rc = kvaser_usb_send_cmd(dev, cmd, cmd->len);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 124/783] can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 123/783] can: kvaser_usb: Add struct kvaser_usb_busparams Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 125/783] drm/rockchip: lvds: fix PM usage counter unbalance in poweron Greg Kroah-Hartman
` (668 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anssi Hannula, Jimmy Assarsson,
Marc Kleine-Budde, Sasha Levin
From: Jimmy Assarsson <extja@kvaser.com>
[ Upstream commit 39d3df6b0ea80f9b515c632ca07b39b1c156edee ]
The device will respond with a CMD_ERROR_EVENT command, with error_code
KVASER_USB_{LEAF,HYDRA}_ERROR_EVENT_PARAM, if the CMD_SET_BUSPARAMS_REQ
contains invalid bittiming parameters.
However, this command does not contain any channel reference.
To check if the CMD_SET_BUSPARAMS_REQ was successful, redback and compare
the requested bittiming parameters with the device reported parameters.
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Fixes: aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family")
Tested-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Co-developed-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010185237.319219-12-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 15 +-
.../net/can/usb/kvaser_usb/kvaser_usb_core.c | 96 ++++++++++-
.../net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 150 +++++++++++++++---
.../net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 64 ++++++--
4 files changed, 284 insertions(+), 41 deletions(-)
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
index cb8018723748..5699531f8787 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
@@ -119,9 +119,12 @@ struct kvaser_usb_net_priv {
struct net_device *netdev;
int channel;
- struct completion start_comp, stop_comp, flush_comp;
+ struct completion start_comp, stop_comp, flush_comp,
+ get_busparams_comp;
struct usb_anchor tx_submitted;
+ struct kvaser_usb_busparams busparams_nominal, busparams_data;
+
spinlock_t tx_contexts_lock; /* lock for active_tx_contexts */
int active_tx_contexts;
struct kvaser_usb_tx_urb_context tx_contexts[];
@@ -131,7 +134,9 @@ struct kvaser_usb_net_priv {
* struct kvaser_usb_dev_ops - Device specific functions
* @dev_set_mode: used for can.do_set_mode
* @dev_set_bittiming: used for can.do_set_bittiming
+ * @dev_get_busparams: readback arbitration busparams
* @dev_set_data_bittiming: used for can.do_set_data_bittiming
+ * @dev_get_data_busparams: readback data busparams
* @dev_get_berr_counter: used for can.do_get_berr_counter
*
* @dev_setup_endpoints: setup USB in and out endpoints
@@ -153,8 +158,12 @@ struct kvaser_usb_net_priv {
*/
struct kvaser_usb_dev_ops {
int (*dev_set_mode)(struct net_device *netdev, enum can_mode mode);
- int (*dev_set_bittiming)(struct net_device *netdev);
- int (*dev_set_data_bittiming)(struct net_device *netdev);
+ int (*dev_set_bittiming)(const struct net_device *netdev,
+ const struct kvaser_usb_busparams *busparams);
+ int (*dev_get_busparams)(struct kvaser_usb_net_priv *priv);
+ int (*dev_set_data_bittiming)(const struct net_device *netdev,
+ const struct kvaser_usb_busparams *busparams);
+ int (*dev_get_data_busparams)(struct kvaser_usb_net_priv *priv);
int (*dev_get_berr_counter)(const struct net_device *netdev,
struct can_berr_counter *bec);
int (*dev_setup_endpoints)(struct kvaser_usb *dev);
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
index 2c816d8929da..1f015b496a47 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
@@ -416,10 +416,6 @@ static int kvaser_usb_open(struct net_device *netdev)
if (err)
return err;
- err = kvaser_usb_setup_rx_urbs(dev);
- if (err)
- goto error;
-
err = ops->dev_set_opt_mode(priv);
if (err)
goto error;
@@ -510,6 +506,93 @@ static int kvaser_usb_close(struct net_device *netdev)
return 0;
}
+static int kvaser_usb_set_bittiming(struct net_device *netdev)
+{
+ struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
+ struct kvaser_usb *dev = priv->dev;
+ const struct kvaser_usb_dev_ops *ops = dev->driver_info->ops;
+ struct can_bittiming *bt = &priv->can.bittiming;
+
+ struct kvaser_usb_busparams busparams;
+ int tseg1 = bt->prop_seg + bt->phase_seg1;
+ int tseg2 = bt->phase_seg2;
+ int sjw = bt->sjw;
+ int err = -EOPNOTSUPP;
+
+ busparams.bitrate = cpu_to_le32(bt->bitrate);
+ busparams.sjw = (u8)sjw;
+ busparams.tseg1 = (u8)tseg1;
+ busparams.tseg2 = (u8)tseg2;
+ if (priv->can.ctrlmode & CAN_CTRLMODE_3_SAMPLES)
+ busparams.nsamples = 3;
+ else
+ busparams.nsamples = 1;
+
+ err = ops->dev_set_bittiming(netdev, &busparams);
+ if (err)
+ return err;
+
+ err = kvaser_usb_setup_rx_urbs(priv->dev);
+ if (err)
+ return err;
+
+ err = ops->dev_get_busparams(priv);
+ if (err) {
+ /* Treat EOPNOTSUPP as success */
+ if (err == -EOPNOTSUPP)
+ err = 0;
+ return err;
+ }
+
+ if (memcmp(&busparams, &priv->busparams_nominal,
+ sizeof(priv->busparams_nominal)) != 0)
+ err = -EINVAL;
+
+ return err;
+}
+
+static int kvaser_usb_set_data_bittiming(struct net_device *netdev)
+{
+ struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
+ struct kvaser_usb *dev = priv->dev;
+ const struct kvaser_usb_dev_ops *ops = dev->driver_info->ops;
+ struct can_bittiming *dbt = &priv->can.data_bittiming;
+
+ struct kvaser_usb_busparams busparams;
+ int tseg1 = dbt->prop_seg + dbt->phase_seg1;
+ int tseg2 = dbt->phase_seg2;
+ int sjw = dbt->sjw;
+ int err;
+
+ if (!ops->dev_set_data_bittiming ||
+ !ops->dev_get_data_busparams)
+ return -EOPNOTSUPP;
+
+ busparams.bitrate = cpu_to_le32(dbt->bitrate);
+ busparams.sjw = (u8)sjw;
+ busparams.tseg1 = (u8)tseg1;
+ busparams.tseg2 = (u8)tseg2;
+ busparams.nsamples = 1;
+
+ err = ops->dev_set_data_bittiming(netdev, &busparams);
+ if (err)
+ return err;
+
+ err = kvaser_usb_setup_rx_urbs(priv->dev);
+ if (err)
+ return err;
+
+ err = ops->dev_get_data_busparams(priv);
+ if (err)
+ return err;
+
+ if (memcmp(&busparams, &priv->busparams_data,
+ sizeof(priv->busparams_data)) != 0)
+ err = -EINVAL;
+
+ return err;
+}
+
static void kvaser_usb_write_bulk_callback(struct urb *urb)
{
struct kvaser_usb_tx_urb_context *context = urb->context;
@@ -695,6 +778,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
init_completion(&priv->start_comp);
init_completion(&priv->stop_comp);
init_completion(&priv->flush_comp);
+ init_completion(&priv->get_busparams_comp);
priv->can.ctrlmode_supported = 0;
priv->dev = dev;
@@ -707,7 +791,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
priv->can.state = CAN_STATE_STOPPED;
priv->can.clock.freq = dev->cfg->clock.freq;
priv->can.bittiming_const = dev->cfg->bittiming_const;
- priv->can.do_set_bittiming = ops->dev_set_bittiming;
+ priv->can.do_set_bittiming = kvaser_usb_set_bittiming;
priv->can.do_set_mode = ops->dev_set_mode;
if ((driver_info->quirks & KVASER_USB_QUIRK_HAS_TXRX_ERRORS) ||
(priv->dev->card_data.capabilities & KVASER_USB_CAP_BERR_CAP))
@@ -719,7 +803,7 @@ static int kvaser_usb_init_one(struct kvaser_usb *dev, int channel)
if (priv->can.ctrlmode_supported & CAN_CTRLMODE_FD) {
priv->can.data_bittiming_const = dev->cfg->data_bittiming_const;
- priv->can.do_set_data_bittiming = ops->dev_set_data_bittiming;
+ priv->can.do_set_data_bittiming = kvaser_usb_set_data_bittiming;
}
netdev->flags |= IFF_ECHO;
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
index 72c37dc50b6b..2764fdd7e84b 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
@@ -43,6 +43,8 @@ static const struct kvaser_usb_dev_cfg kvaser_usb_hydra_dev_cfg_flexc;
/* Minihydra command IDs */
#define CMD_SET_BUSPARAMS_REQ 16
+#define CMD_GET_BUSPARAMS_REQ 17
+#define CMD_GET_BUSPARAMS_RESP 18
#define CMD_GET_CHIP_STATE_REQ 19
#define CMD_CHIP_STATE_EVENT 20
#define CMD_SET_DRIVERMODE_REQ 21
@@ -193,13 +195,26 @@ struct kvaser_cmd_chip_state_event {
#define KVASER_USB_HYDRA_BUS_MODE_CANFD_ISO 0x01
#define KVASER_USB_HYDRA_BUS_MODE_NONISO 0x02
struct kvaser_cmd_set_busparams {
- struct kvaser_usb_busparams busparams_arb;
+ struct kvaser_usb_busparams busparams_nominal;
u8 reserved0[4];
struct kvaser_usb_busparams busparams_data;
u8 canfd_mode;
u8 reserved1[7];
} __packed;
+/* Busparam type */
+#define KVASER_USB_HYDRA_BUSPARAM_TYPE_CAN 0x00
+#define KVASER_USB_HYDRA_BUSPARAM_TYPE_CANFD 0x01
+struct kvaser_cmd_get_busparams_req {
+ u8 type;
+ u8 reserved[27];
+} __packed;
+
+struct kvaser_cmd_get_busparams_res {
+ struct kvaser_usb_busparams busparams;
+ u8 reserved[20];
+} __packed;
+
/* Ctrl modes */
#define KVASER_USB_HYDRA_CTRLMODE_NORMAL 0x01
#define KVASER_USB_HYDRA_CTRLMODE_LISTEN 0x02
@@ -270,6 +285,8 @@ struct kvaser_cmd {
struct kvaser_cmd_error_event error_event;
struct kvaser_cmd_set_busparams set_busparams_req;
+ struct kvaser_cmd_get_busparams_req get_busparams_req;
+ struct kvaser_cmd_get_busparams_res get_busparams_res;
struct kvaser_cmd_chip_state_event chip_state_event;
@@ -352,6 +369,10 @@ struct kvaser_cmd_ext {
} __packed;
} __packed;
+struct kvaser_usb_net_hydra_priv {
+ int pending_get_busparams_type;
+};
+
static const struct can_bittiming_const kvaser_usb_hydra_kcan_bittiming_c = {
.name = "kvaser_usb_kcan",
.tseg1_min = 1,
@@ -805,6 +826,39 @@ static void kvaser_usb_hydra_flush_queue_reply(const struct kvaser_usb *dev,
complete(&priv->flush_comp);
}
+static void kvaser_usb_hydra_get_busparams_reply(const struct kvaser_usb *dev,
+ const struct kvaser_cmd *cmd)
+{
+ struct kvaser_usb_net_priv *priv;
+ struct kvaser_usb_net_hydra_priv *hydra;
+
+ priv = kvaser_usb_hydra_net_priv_from_cmd(dev, cmd);
+ if (!priv)
+ return;
+
+ hydra = priv->sub_priv;
+ if (!hydra)
+ return;
+
+ switch (hydra->pending_get_busparams_type) {
+ case KVASER_USB_HYDRA_BUSPARAM_TYPE_CAN:
+ memcpy(&priv->busparams_nominal, &cmd->get_busparams_res.busparams,
+ sizeof(priv->busparams_nominal));
+ break;
+ case KVASER_USB_HYDRA_BUSPARAM_TYPE_CANFD:
+ memcpy(&priv->busparams_data, &cmd->get_busparams_res.busparams,
+ sizeof(priv->busparams_nominal));
+ break;
+ default:
+ dev_warn(&dev->intf->dev, "Unknown get_busparams_type %d\n",
+ hydra->pending_get_busparams_type);
+ break;
+ }
+ hydra->pending_get_busparams_type = -1;
+
+ complete(&priv->get_busparams_comp);
+}
+
static void
kvaser_usb_hydra_bus_status_to_can_state(const struct kvaser_usb_net_priv *priv,
u8 bus_status,
@@ -1291,6 +1345,10 @@ static void kvaser_usb_hydra_handle_cmd_std(const struct kvaser_usb *dev,
kvaser_usb_hydra_state_event(dev, cmd);
break;
+ case CMD_GET_BUSPARAMS_RESP:
+ kvaser_usb_hydra_get_busparams_reply(dev, cmd);
+ break;
+
case CMD_ERROR_EVENT:
kvaser_usb_hydra_error_event(dev, cmd);
break;
@@ -1491,15 +1549,58 @@ static int kvaser_usb_hydra_set_mode(struct net_device *netdev,
return err;
}
-static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev)
+static int kvaser_usb_hydra_get_busparams(struct kvaser_usb_net_priv *priv,
+ int busparams_type)
+{
+ struct kvaser_usb *dev = priv->dev;
+ struct kvaser_usb_net_hydra_priv *hydra = priv->sub_priv;
+ struct kvaser_cmd *cmd;
+ int err;
+
+ if (!hydra)
+ return -EINVAL;
+
+ cmd = kcalloc(1, sizeof(struct kvaser_cmd), GFP_KERNEL);
+ if (!cmd)
+ return -ENOMEM;
+
+ cmd->header.cmd_no = CMD_GET_BUSPARAMS_REQ;
+ kvaser_usb_hydra_set_cmd_dest_he
+ (cmd, dev->card_data.hydra.channel_to_he[priv->channel]);
+ kvaser_usb_hydra_set_cmd_transid
+ (cmd, kvaser_usb_hydra_get_next_transid(dev));
+ cmd->get_busparams_req.type = busparams_type;
+ hydra->pending_get_busparams_type = busparams_type;
+
+ reinit_completion(&priv->get_busparams_comp);
+
+ err = kvaser_usb_send_cmd(dev, cmd, kvaser_usb_hydra_cmd_size(cmd));
+ if (err)
+ return err;
+
+ if (!wait_for_completion_timeout(&priv->get_busparams_comp,
+ msecs_to_jiffies(KVASER_USB_TIMEOUT)))
+ return -ETIMEDOUT;
+
+ return err;
+}
+
+static int kvaser_usb_hydra_get_nominal_busparams(struct kvaser_usb_net_priv *priv)
+{
+ return kvaser_usb_hydra_get_busparams(priv, KVASER_USB_HYDRA_BUSPARAM_TYPE_CAN);
+}
+
+static int kvaser_usb_hydra_get_data_busparams(struct kvaser_usb_net_priv *priv)
+{
+ return kvaser_usb_hydra_get_busparams(priv, KVASER_USB_HYDRA_BUSPARAM_TYPE_CANFD);
+}
+
+static int kvaser_usb_hydra_set_bittiming(const struct net_device *netdev,
+ const struct kvaser_usb_busparams *busparams)
{
struct kvaser_cmd *cmd;
struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
- struct can_bittiming *bt = &priv->can.bittiming;
struct kvaser_usb *dev = priv->dev;
- int tseg1 = bt->prop_seg + bt->phase_seg1;
- int tseg2 = bt->phase_seg2;
- int sjw = bt->sjw;
int err;
cmd = kcalloc(1, sizeof(struct kvaser_cmd), GFP_KERNEL);
@@ -1507,11 +1608,8 @@ static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev)
return -ENOMEM;
cmd->header.cmd_no = CMD_SET_BUSPARAMS_REQ;
- cmd->set_busparams_req.busparams_arb.bitrate = cpu_to_le32(bt->bitrate);
- cmd->set_busparams_req.busparams_arb.sjw = (u8)sjw;
- cmd->set_busparams_req.busparams_arb.tseg1 = (u8)tseg1;
- cmd->set_busparams_req.busparams_arb.tseg2 = (u8)tseg2;
- cmd->set_busparams_req.busparams_arb.nsamples = 1;
+ memcpy(&cmd->set_busparams_req.busparams_nominal, busparams,
+ sizeof(cmd->set_busparams_req.busparams_nominal));
kvaser_usb_hydra_set_cmd_dest_he
(cmd, dev->card_data.hydra.channel_to_he[priv->channel]);
@@ -1525,15 +1623,12 @@ static int kvaser_usb_hydra_set_bittiming(struct net_device *netdev)
return err;
}
-static int kvaser_usb_hydra_set_data_bittiming(struct net_device *netdev)
+static int kvaser_usb_hydra_set_data_bittiming(const struct net_device *netdev,
+ const struct kvaser_usb_busparams *busparams)
{
struct kvaser_cmd *cmd;
struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
- struct can_bittiming *dbt = &priv->can.data_bittiming;
struct kvaser_usb *dev = priv->dev;
- int tseg1 = dbt->prop_seg + dbt->phase_seg1;
- int tseg2 = dbt->phase_seg2;
- int sjw = dbt->sjw;
int err;
cmd = kcalloc(1, sizeof(struct kvaser_cmd), GFP_KERNEL);
@@ -1541,11 +1636,8 @@ static int kvaser_usb_hydra_set_data_bittiming(struct net_device *netdev)
return -ENOMEM;
cmd->header.cmd_no = CMD_SET_BUSPARAMS_FD_REQ;
- cmd->set_busparams_req.busparams_data.bitrate = cpu_to_le32(dbt->bitrate);
- cmd->set_busparams_req.busparams_data.sjw = (u8)sjw;
- cmd->set_busparams_req.busparams_data.tseg1 = (u8)tseg1;
- cmd->set_busparams_req.busparams_data.tseg2 = (u8)tseg2;
- cmd->set_busparams_req.busparams_data.nsamples = 1;
+ memcpy(&cmd->set_busparams_req.busparams_data, busparams,
+ sizeof(cmd->set_busparams_req.busparams_data));
if (priv->can.ctrlmode & CAN_CTRLMODE_FD) {
if (priv->can.ctrlmode & CAN_CTRLMODE_FD_NON_ISO)
@@ -1652,6 +1744,19 @@ static int kvaser_usb_hydra_init_card(struct kvaser_usb *dev)
return 0;
}
+static int kvaser_usb_hydra_init_channel(struct kvaser_usb_net_priv *priv)
+{
+ struct kvaser_usb_net_hydra_priv *hydra;
+
+ hydra = devm_kzalloc(&priv->dev->intf->dev, sizeof(*hydra), GFP_KERNEL);
+ if (!hydra)
+ return -ENOMEM;
+
+ priv->sub_priv = hydra;
+
+ return 0;
+}
+
static int kvaser_usb_hydra_get_software_info(struct kvaser_usb *dev)
{
struct kvaser_cmd cmd;
@@ -1994,10 +2099,13 @@ kvaser_usb_hydra_frame_to_cmd(const struct kvaser_usb_net_priv *priv,
const struct kvaser_usb_dev_ops kvaser_usb_hydra_dev_ops = {
.dev_set_mode = kvaser_usb_hydra_set_mode,
.dev_set_bittiming = kvaser_usb_hydra_set_bittiming,
+ .dev_get_busparams = kvaser_usb_hydra_get_nominal_busparams,
.dev_set_data_bittiming = kvaser_usb_hydra_set_data_bittiming,
+ .dev_get_data_busparams = kvaser_usb_hydra_get_data_busparams,
.dev_get_berr_counter = kvaser_usb_hydra_get_berr_counter,
.dev_setup_endpoints = kvaser_usb_hydra_setup_endpoints,
.dev_init_card = kvaser_usb_hydra_init_card,
+ .dev_init_channel = kvaser_usb_hydra_init_channel,
.dev_get_software_info = kvaser_usb_hydra_get_software_info,
.dev_get_software_details = kvaser_usb_hydra_get_software_details,
.dev_get_card_info = kvaser_usb_hydra_get_card_info,
diff --git a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
index 1e2f727a1efb..f06d63db9077 100644
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -56,6 +56,8 @@
#define CMD_RX_EXT_MESSAGE 14
#define CMD_TX_EXT_MESSAGE 15
#define CMD_SET_BUS_PARAMS 16
+#define CMD_GET_BUS_PARAMS 17
+#define CMD_GET_BUS_PARAMS_REPLY 18
#define CMD_GET_CHIP_STATE 19
#define CMD_CHIP_STATE_EVENT 20
#define CMD_SET_CTRL_MODE 21
@@ -375,6 +377,7 @@ static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = {
[CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event),
[CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.can_error_event),
[CMD_GET_CAPABILITIES_RESP] = kvaser_fsize(u.leaf.cap_res),
+ [CMD_GET_BUS_PARAMS_REPLY] = kvaser_fsize(u.busparams),
[CMD_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event),
/* ignored events: */
[CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY,
@@ -1467,6 +1470,25 @@ static void kvaser_usb_leaf_stop_chip_reply(const struct kvaser_usb *dev,
complete(&priv->stop_comp);
}
+static void kvaser_usb_leaf_get_busparams_reply(const struct kvaser_usb *dev,
+ const struct kvaser_cmd *cmd)
+{
+ struct kvaser_usb_net_priv *priv;
+ u8 channel = cmd->u.busparams.channel;
+
+ if (channel >= dev->nchannels) {
+ dev_err(&dev->intf->dev,
+ "Invalid channel number (%d)\n", channel);
+ return;
+ }
+
+ priv = dev->nets[channel];
+ memcpy(&priv->busparams_nominal, &cmd->u.busparams.busparams,
+ sizeof(priv->busparams_nominal));
+
+ complete(&priv->get_busparams_comp);
+}
+
static void kvaser_usb_leaf_handle_command(const struct kvaser_usb *dev,
const struct kvaser_cmd *cmd)
{
@@ -1509,6 +1531,10 @@ static void kvaser_usb_leaf_handle_command(const struct kvaser_usb *dev,
kvaser_usb_leaf_error_event(dev, cmd);
break;
+ case CMD_GET_BUS_PARAMS_REPLY:
+ kvaser_usb_leaf_get_busparams_reply(dev, cmd);
+ break;
+
/* Ignored commands */
case CMD_USBCAN_CLOCK_OVERFLOW_EVENT:
if (dev->driver_info->family != KVASER_USBCAN)
@@ -1683,10 +1709,10 @@ static void kvaser_usb_leaf_remove_channel(struct kvaser_usb_net_priv *priv)
cancel_delayed_work_sync(&leaf->chip_state_req_work);
}
-static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev)
+static int kvaser_usb_leaf_set_bittiming(const struct net_device *netdev,
+ const struct kvaser_usb_busparams *busparams)
{
struct kvaser_usb_net_priv *priv = netdev_priv(netdev);
- struct can_bittiming *bt = &priv->can.bittiming;
struct kvaser_usb *dev = priv->dev;
struct kvaser_cmd *cmd;
int rc;
@@ -1699,15 +1725,8 @@ static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev)
cmd->len = CMD_HEADER_LEN + sizeof(struct kvaser_cmd_busparams);
cmd->u.busparams.channel = priv->channel;
cmd->u.busparams.tid = 0xff;
- cmd->u.busparams.busparams.bitrate = cpu_to_le32(bt->bitrate);
- cmd->u.busparams.busparams.sjw = bt->sjw;
- cmd->u.busparams.busparams.tseg1 = bt->prop_seg + bt->phase_seg1;
- cmd->u.busparams.busparams.tseg2 = bt->phase_seg2;
-
- if (priv->can.ctrlmode & CAN_CTRLMODE_3_SAMPLES)
- cmd->u.busparams.busparams.nsamples = 3;
- else
- cmd->u.busparams.busparams.nsamples = 1;
+ memcpy(&cmd->u.busparams.busparams, busparams,
+ sizeof(cmd->u.busparams.busparams));
rc = kvaser_usb_send_cmd(dev, cmd, cmd->len);
@@ -1715,6 +1734,27 @@ static int kvaser_usb_leaf_set_bittiming(struct net_device *netdev)
return rc;
}
+static int kvaser_usb_leaf_get_busparams(struct kvaser_usb_net_priv *priv)
+{
+ int err;
+
+ if (priv->dev->driver_info->family == KVASER_USBCAN)
+ return -EOPNOTSUPP;
+
+ reinit_completion(&priv->get_busparams_comp);
+
+ err = kvaser_usb_leaf_send_simple_cmd(priv->dev, CMD_GET_BUS_PARAMS,
+ priv->channel);
+ if (err)
+ return err;
+
+ if (!wait_for_completion_timeout(&priv->get_busparams_comp,
+ msecs_to_jiffies(KVASER_USB_TIMEOUT)))
+ return -ETIMEDOUT;
+
+ return 0;
+}
+
static int kvaser_usb_leaf_set_mode(struct net_device *netdev,
enum can_mode mode)
{
@@ -1776,7 +1816,9 @@ static int kvaser_usb_leaf_setup_endpoints(struct kvaser_usb *dev)
const struct kvaser_usb_dev_ops kvaser_usb_leaf_dev_ops = {
.dev_set_mode = kvaser_usb_leaf_set_mode,
.dev_set_bittiming = kvaser_usb_leaf_set_bittiming,
+ .dev_get_busparams = kvaser_usb_leaf_get_busparams,
.dev_set_data_bittiming = NULL,
+ .dev_get_data_busparams = NULL,
.dev_get_berr_counter = kvaser_usb_leaf_get_berr_counter,
.dev_setup_endpoints = kvaser_usb_leaf_setup_endpoints,
.dev_init_card = kvaser_usb_leaf_init_card,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 125/783] drm/rockchip: lvds: fix PM usage counter unbalance in poweron
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 124/783] can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 126/783] clk: renesas: r9a06g032: Repair grave increment error Greg Kroah-Hartman
` (667 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Qilong, Heiko Stuebner, Sasha Levin
From: Zhang Qilong <zhangqilong3@huawei.com>
[ Upstream commit 4dba27f1a14592ac4cf71c3bc1cc1fd05dea8015 ]
pm_runtime_get_sync will increment pm usage counter even it failed.
Forgetting to putting operation will result in reference leak here.
We fix it by replacing it with the newest pm_runtime_resume_and_get
to keep usage counter balanced.
Fixes: 34cc0aa25456 ("drm/rockchip: Add support for Rockchip Soc LVDS")
Fixes: cca1705c3d89 ("drm/rockchip: lvds: Add PX30 support")
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220922132107.105419-3-zhangqilong3@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rockchip/rockchip_lvds.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.c b/drivers/gpu/drm/rockchip/rockchip_lvds.c
index 7c20b4a24a7e..e2487937c4e3 100644
--- a/drivers/gpu/drm/rockchip/rockchip_lvds.c
+++ b/drivers/gpu/drm/rockchip/rockchip_lvds.c
@@ -145,7 +145,7 @@ static int rk3288_lvds_poweron(struct rockchip_lvds *lvds)
DRM_DEV_ERROR(lvds->dev, "failed to enable lvds pclk %d\n", ret);
return ret;
}
- ret = pm_runtime_get_sync(lvds->dev);
+ ret = pm_runtime_resume_and_get(lvds->dev);
if (ret < 0) {
DRM_DEV_ERROR(lvds->dev, "failed to get pm runtime: %d\n", ret);
clk_disable(lvds->pclk);
@@ -329,16 +329,20 @@ static int px30_lvds_poweron(struct rockchip_lvds *lvds)
{
int ret;
- ret = pm_runtime_get_sync(lvds->dev);
+ ret = pm_runtime_resume_and_get(lvds->dev);
if (ret < 0) {
DRM_DEV_ERROR(lvds->dev, "failed to get pm runtime: %d\n", ret);
return ret;
}
/* Enable LVDS mode */
- return regmap_update_bits(lvds->grf, PX30_LVDS_GRF_PD_VO_CON1,
+ ret = regmap_update_bits(lvds->grf, PX30_LVDS_GRF_PD_VO_CON1,
PX30_LVDS_MODE_EN(1) | PX30_LVDS_P2S_EN(1),
PX30_LVDS_MODE_EN(1) | PX30_LVDS_P2S_EN(1));
+ if (ret)
+ pm_runtime_put(lvds->dev);
+
+ return ret;
}
static void px30_lvds_poweroff(struct rockchip_lvds *lvds)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 126/783] clk: renesas: r9a06g032: Repair grave increment error
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 125/783] drm/rockchip: lvds: fix PM usage counter unbalance in poweron Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 127/783] spi: Update reference to struct spi_controller Greg Kroah-Hartman
` (666 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ralph Siemsen, Marek Vasut,
Gareth Williams, Geert Uytterhoeven, Sasha Levin
From: Marek Vasut <marex@denx.de>
[ Upstream commit 02693e11611e082e3c4d8653e8af028e43d31164 ]
If condition (clkspec.np != pd->dev.of_node) is true, then the driver
ends up in an endless loop, forever, locking up the machine.
Fixes: aad03a66f902 ("clk: renesas: r9a06g032: Add clock domain support")
Reviewed-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Gareth Williams <gareth.williams.jx@renesas.com>
Link: https://lore.kernel.org/r/20221028113834.7496-1-marex@denx.de
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/renesas/r9a06g032-clocks.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/clk/renesas/r9a06g032-clocks.c b/drivers/clk/renesas/r9a06g032-clocks.c
index 245150a5484a..285f6ac25372 100644
--- a/drivers/clk/renesas/r9a06g032-clocks.c
+++ b/drivers/clk/renesas/r9a06g032-clocks.c
@@ -386,7 +386,7 @@ static int r9a06g032_attach_dev(struct generic_pm_domain *pd,
int error;
int index;
- while (!of_parse_phandle_with_args(np, "clocks", "#clock-cells", i,
+ while (!of_parse_phandle_with_args(np, "clocks", "#clock-cells", i++,
&clkspec)) {
if (clkspec.np != pd->dev.of_node)
continue;
@@ -399,7 +399,6 @@ static int r9a06g032_attach_dev(struct generic_pm_domain *pd,
if (error)
return error;
}
- i++;
}
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 127/783] spi: Update reference to struct spi_controller
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 126/783] clk: renesas: r9a06g032: Repair grave increment error Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 128/783] drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure Greg Kroah-Hartman
` (665 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Neuschäfer,
Mark Brown, Sasha Levin
From: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
[ Upstream commit bf585ccee22faf469d82727cf375868105b362f7 ]
struct spi_master has been renamed to struct spi_controller. Update the
reference in spi.rst to make it clickable again.
Fixes: 8caab75fd2c2 ("spi: Generalize SPI "master" to "controller"")
Signed-off-by: Jonathan Neuschäfer <j.neuschaefer@gmx.net>
Link: https://lore.kernel.org/r/20221101173252.1069294-1-j.neuschaefer@gmx.net
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/driver-api/spi.rst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Documentation/driver-api/spi.rst b/Documentation/driver-api/spi.rst
index f64cb666498a..f28887045049 100644
--- a/Documentation/driver-api/spi.rst
+++ b/Documentation/driver-api/spi.rst
@@ -25,8 +25,8 @@ hardware, which may be as simple as a set of GPIO pins or as complex as
a pair of FIFOs connected to dual DMA engines on the other side of the
SPI shift register (maximizing throughput). Such drivers bridge between
whatever bus they sit on (often the platform bus) and SPI, and expose
-the SPI side of their device as a :c:type:`struct spi_master
-<spi_master>`. SPI devices are children of that master,
+the SPI side of their device as a :c:type:`struct spi_controller
+<spi_controller>`. SPI devices are children of that master,
represented as a :c:type:`struct spi_device <spi_device>` and
manufactured from :c:type:`struct spi_board_info
<spi_board_info>` descriptors which are usually provided by
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 128/783] drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 127/783] spi: Update reference to struct spi_controller Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 129/783] ima: Fix fall-through warnings for Clang Greg Kroah-Hartman
` (664 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Vasut, Linus Walleij, Sasha Levin
From: Marek Vasut <marex@denx.de>
[ Upstream commit c62102165dd79284d42383d2f7ed17301bd8e629 ]
In case mipi_dsi_attach() fails, call drm_panel_remove() to
avoid memory leak.
Fixes: 849b2e3ff969 ("drm/panel: Add Sitronix ST7701 panel driver")
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20221014231106.468063-1-marex@denx.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-sitronix-st7701.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/panel/panel-sitronix-st7701.c b/drivers/gpu/drm/panel/panel-sitronix-st7701.c
index 4d2a149b202c..cd9f01940b17 100644
--- a/drivers/gpu/drm/panel/panel-sitronix-st7701.c
+++ b/drivers/gpu/drm/panel/panel-sitronix-st7701.c
@@ -384,7 +384,15 @@ static int st7701_dsi_probe(struct mipi_dsi_device *dsi)
st7701->dsi = dsi;
st7701->desc = desc;
- return mipi_dsi_attach(dsi);
+ ret = mipi_dsi_attach(dsi);
+ if (ret)
+ goto err_attach;
+
+ return 0;
+
+err_attach:
+ drm_panel_remove(&st7701->panel);
+ return ret;
}
static int st7701_dsi_remove(struct mipi_dsi_device *dsi)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 129/783] ima: Fix fall-through warnings for Clang
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 128/783] drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 130/783] ima: Handle -ESTALE returned by ima_filter_rule_match() Greg Kroah-Hartman
` (663 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gustavo A. R. Silva, Mimi Zohar,
Sasha Levin
From: Gustavo A. R. Silva <gustavoars@kernel.org>
[ Upstream commit 28073eb09c5aa29e879490edb88cfd3e7073821e ]
In preparation to enable -Wimplicit-fallthrough for Clang, fix multiple
warnings by explicitly adding multiple break statements instead of just
letting the code fall through to the next case.
Link: https://github.com/KSPP/linux/issues/115
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Stable-dep-of: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_main.c | 1 +
security/integrity/ima/ima_policy.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 2d1af8899cab..600b97677085 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -743,6 +743,7 @@ int ima_load_data(enum kernel_load_data_id id, bool contents)
pr_err("impossible to appraise a module without a file descriptor. sig_enforce kernel parameter might help\n");
return -EACCES; /* INTEGRITY_UNKNOWN */
}
+ break;
default:
break;
}
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 18569adcb4fe..4c937ff2e4dd 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -566,6 +566,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
rc = ima_filter_rule_match(secid, rule->lsm[i].type,
Audit_equal,
rule->lsm[i].rule);
+ break;
default:
break;
}
@@ -802,6 +803,7 @@ void __init ima_init_policy(void)
add_rules(default_measurement_rules,
ARRAY_SIZE(default_measurement_rules),
IMA_DEFAULT_POLICY);
+ break;
default:
break;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 130/783] ima: Handle -ESTALE returned by ima_filter_rule_match()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 129/783] ima: Fix fall-through warnings for Clang Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 131/783] drm/msm/hdmi: switch to drm_bridge_connector Greg Kroah-Hartman
` (662 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, GUO Zihua, Roberto Sassu,
Mimi Zohar, Sasha Levin
From: GUO Zihua <guozihua@huawei.com>
[ Upstream commit c7423dbdbc9ecef7fff5239d144cad4b9887f4de ]
IMA relies on the blocking LSM policy notifier callback to update the
LSM based IMA policy rules.
When SELinux update its policies, IMA would be notified and starts
updating all its lsm rules one-by-one. During this time, -ESTALE would
be returned by ima_filter_rule_match() if it is called with a LSM rule
that has not yet been updated. In ima_match_rules(), -ESTALE is not
handled, and the LSM rule is considered a match, causing extra files
to be measured by IMA.
Fix it by re-initializing a temporary rule if -ESTALE is returned by
ima_filter_rule_match(). The origin rule in the rule list would be
updated by the LSM policy notifier callback.
Fixes: b16942455193 ("ima: use the lsm policy update notifier")
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_policy.c | 41 ++++++++++++++++++++++-------
1 file changed, 32 insertions(+), 9 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index 4c937ff2e4dd..a83ce111cf50 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -503,6 +503,9 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
const char *keyring)
{
int i;
+ bool result = false;
+ struct ima_rule_entry *lsm_rule = rule;
+ bool rule_reinitialized = false;
if (func == KEY_CHECK) {
return (rule->flags & IMA_FUNC) && (rule->func == func) &&
@@ -545,35 +548,55 @@ static bool ima_match_rules(struct ima_rule_entry *rule, struct inode *inode,
int rc = 0;
u32 osid;
- if (!rule->lsm[i].rule) {
- if (!rule->lsm[i].args_p)
+ if (!lsm_rule->lsm[i].rule) {
+ if (!lsm_rule->lsm[i].args_p)
continue;
else
return false;
}
+
+retry:
switch (i) {
case LSM_OBJ_USER:
case LSM_OBJ_ROLE:
case LSM_OBJ_TYPE:
security_inode_getsecid(inode, &osid);
- rc = ima_filter_rule_match(osid, rule->lsm[i].type,
+ rc = ima_filter_rule_match(osid, lsm_rule->lsm[i].type,
Audit_equal,
- rule->lsm[i].rule);
+ lsm_rule->lsm[i].rule);
break;
case LSM_SUBJ_USER:
case LSM_SUBJ_ROLE:
case LSM_SUBJ_TYPE:
- rc = ima_filter_rule_match(secid, rule->lsm[i].type,
+ rc = ima_filter_rule_match(secid, lsm_rule->lsm[i].type,
Audit_equal,
- rule->lsm[i].rule);
+ lsm_rule->lsm[i].rule);
break;
default:
break;
}
- if (!rc)
- return false;
+
+ if (rc == -ESTALE && !rule_reinitialized) {
+ lsm_rule = ima_lsm_copy_rule(rule);
+ if (lsm_rule) {
+ rule_reinitialized = true;
+ goto retry;
+ }
+ }
+ if (!rc) {
+ result = false;
+ goto out;
+ }
}
- return true;
+ result = true;
+
+out:
+ if (rule_reinitialized) {
+ for (i = 0; i < MAX_LSM_RULES; i++)
+ ima_filter_rule_free(lsm_rule->lsm[i].rule);
+ kfree(lsm_rule);
+ }
+ return result;
}
/*
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 131/783] drm/msm/hdmi: switch to drm_bridge_connector
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 130/783] ima: Handle -ESTALE returned by ima_filter_rule_match() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 132/783] drm/msm/hdmi: drop unused GPIO support Greg Kroah-Hartman
` (661 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Abhinav Kumar,
Rob Clark, Sasha Levin
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit caa24223463dfd75702a24daac13c93edb4aafac ]
Merge old hdmi_bridge and hdmi_connector implementations. Use
drm_bridge_connector instead.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Link: https://lore.kernel.org/r/20211015001100.4193241-2-dmitry.baryshkov@linaro.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Rob Clark <robdclark@chromium.org>
Stable-dep-of: b964444b2b64 ("drm/msm/hdmi: use devres helper for runtime PM management")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/Makefile | 2 +-
drivers/gpu/drm/msm/hdmi/hdmi.c | 12 +-
drivers/gpu/drm/msm/hdmi/hdmi.h | 19 ++-
drivers/gpu/drm/msm/hdmi/hdmi_bridge.c | 81 ++++++++-
.../msm/hdmi/{hdmi_connector.c => hdmi_hpd.c} | 154 ++----------------
5 files changed, 109 insertions(+), 159 deletions(-)
rename drivers/gpu/drm/msm/hdmi/{hdmi_connector.c => hdmi_hpd.c} (63%)
diff --git a/drivers/gpu/drm/msm/Makefile b/drivers/gpu/drm/msm/Makefile
index 340682cd0f32..2457ef9851bb 100644
--- a/drivers/gpu/drm/msm/Makefile
+++ b/drivers/gpu/drm/msm/Makefile
@@ -19,7 +19,7 @@ msm-y := \
hdmi/hdmi.o \
hdmi/hdmi_audio.o \
hdmi/hdmi_bridge.o \
- hdmi/hdmi_connector.o \
+ hdmi/hdmi_hpd.o \
hdmi/hdmi_i2c.o \
hdmi/hdmi_phy.o \
hdmi/hdmi_phy_8960.o \
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c
index bd65dc9b8892..f6b09e8eca67 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi.c
@@ -8,6 +8,8 @@
#include <linux/of_irq.h>
#include <linux/of_gpio.h>
+#include <drm/drm_bridge_connector.h>
+
#include <sound/hdmi-codec.h>
#include "hdmi.h"
@@ -41,7 +43,7 @@ static irqreturn_t msm_hdmi_irq(int irq, void *dev_id)
struct hdmi *hdmi = dev_id;
/* Process HPD: */
- msm_hdmi_connector_irq(hdmi->connector);
+ msm_hdmi_hpd_irq(hdmi->bridge);
/* Process DDC: */
msm_hdmi_i2c_irq(hdmi->i2c);
@@ -311,7 +313,7 @@ int msm_hdmi_modeset_init(struct hdmi *hdmi,
goto fail;
}
- hdmi->connector = msm_hdmi_connector_init(hdmi);
+ hdmi->connector = drm_bridge_connector_init(hdmi->dev, encoder);
if (IS_ERR(hdmi->connector)) {
ret = PTR_ERR(hdmi->connector);
DRM_DEV_ERROR(dev->dev, "failed to create HDMI connector: %d\n", ret);
@@ -319,6 +321,8 @@ int msm_hdmi_modeset_init(struct hdmi *hdmi,
goto fail;
}
+ drm_connector_attach_encoder(hdmi->connector, hdmi->encoder);
+
hdmi->irq = irq_of_parse_and_map(pdev->dev.of_node, 0);
if (!hdmi->irq) {
ret = -EINVAL;
@@ -335,7 +339,9 @@ int msm_hdmi_modeset_init(struct hdmi *hdmi,
goto fail;
}
- ret = msm_hdmi_hpd_enable(hdmi->connector);
+ drm_bridge_connector_enable_hpd(hdmi->connector);
+
+ ret = msm_hdmi_hpd_enable(hdmi->bridge);
if (ret < 0) {
DRM_DEV_ERROR(&hdmi->pdev->dev, "failed to enable HPD: %d\n", ret);
goto fail;
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.h b/drivers/gpu/drm/msm/hdmi/hdmi.h
index d0b84f0abee1..8d2706bec3b9 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi.h
+++ b/drivers/gpu/drm/msm/hdmi/hdmi.h
@@ -114,6 +114,13 @@ struct hdmi_platform_config {
struct hdmi_gpio_data gpios[HDMI_MAX_NUM_GPIO];
};
+struct hdmi_bridge {
+ struct drm_bridge base;
+ struct hdmi *hdmi;
+ struct work_struct hpd_work;
+};
+#define to_hdmi_bridge(x) container_of(x, struct hdmi_bridge, base)
+
void msm_hdmi_set_mode(struct hdmi *hdmi, bool power_on);
static inline void hdmi_write(struct hdmi *hdmi, u32 reg, u32 data)
@@ -230,13 +237,11 @@ void msm_hdmi_audio_set_sample_rate(struct hdmi *hdmi, int rate);
struct drm_bridge *msm_hdmi_bridge_init(struct hdmi *hdmi);
void msm_hdmi_bridge_destroy(struct drm_bridge *bridge);
-/*
- * hdmi connector:
- */
-
-void msm_hdmi_connector_irq(struct drm_connector *connector);
-struct drm_connector *msm_hdmi_connector_init(struct hdmi *hdmi);
-int msm_hdmi_hpd_enable(struct drm_connector *connector);
+void msm_hdmi_hpd_irq(struct drm_bridge *bridge);
+enum drm_connector_status msm_hdmi_bridge_detect(
+ struct drm_bridge *bridge);
+int msm_hdmi_hpd_enable(struct drm_bridge *bridge);
+void msm_hdmi_hpd_disable(struct hdmi_bridge *hdmi_bridge);
/*
* i2c adapter for ddc:
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi_bridge.c b/drivers/gpu/drm/msm/hdmi/hdmi_bridge.c
index 6e380db9287b..efcfdd70a02e 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi_bridge.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi_bridge.c
@@ -5,17 +5,16 @@
*/
#include <linux/delay.h>
+#include <drm/drm_bridge_connector.h>
+#include "msm_kms.h"
#include "hdmi.h"
-struct hdmi_bridge {
- struct drm_bridge base;
- struct hdmi *hdmi;
-};
-#define to_hdmi_bridge(x) container_of(x, struct hdmi_bridge, base)
-
void msm_hdmi_bridge_destroy(struct drm_bridge *bridge)
{
+ struct hdmi_bridge *hdmi_bridge = to_hdmi_bridge(bridge);
+
+ msm_hdmi_hpd_disable(hdmi_bridge);
}
static void msm_hdmi_power_on(struct drm_bridge *bridge)
@@ -259,14 +258,76 @@ static void msm_hdmi_bridge_mode_set(struct drm_bridge *bridge,
msm_hdmi_audio_update(hdmi);
}
+static struct edid *msm_hdmi_bridge_get_edid(struct drm_bridge *bridge,
+ struct drm_connector *connector)
+{
+ struct hdmi_bridge *hdmi_bridge = to_hdmi_bridge(bridge);
+ struct hdmi *hdmi = hdmi_bridge->hdmi;
+ struct edid *edid;
+ uint32_t hdmi_ctrl;
+
+ hdmi_ctrl = hdmi_read(hdmi, REG_HDMI_CTRL);
+ hdmi_write(hdmi, REG_HDMI_CTRL, hdmi_ctrl | HDMI_CTRL_ENABLE);
+
+ edid = drm_get_edid(connector, hdmi->i2c);
+
+ hdmi_write(hdmi, REG_HDMI_CTRL, hdmi_ctrl);
+
+ hdmi->hdmi_mode = drm_detect_hdmi_monitor(edid);
+
+ return edid;
+}
+
+static enum drm_mode_status msm_hdmi_bridge_mode_valid(struct drm_bridge *bridge,
+ const struct drm_display_info *info,
+ const struct drm_display_mode *mode)
+{
+ struct hdmi_bridge *hdmi_bridge = to_hdmi_bridge(bridge);
+ struct hdmi *hdmi = hdmi_bridge->hdmi;
+ const struct hdmi_platform_config *config = hdmi->config;
+ struct msm_drm_private *priv = bridge->dev->dev_private;
+ struct msm_kms *kms = priv->kms;
+ long actual, requested;
+
+ requested = 1000 * mode->clock;
+ actual = kms->funcs->round_pixclk(kms,
+ requested, hdmi_bridge->hdmi->encoder);
+
+ /* for mdp5/apq8074, we manage our own pixel clk (as opposed to
+ * mdp4/dtv stuff where pixel clk is assigned to mdp/encoder
+ * instead):
+ */
+ if (config->pwr_clk_cnt > 0)
+ actual = clk_round_rate(hdmi->pwr_clks[0], actual);
+
+ DBG("requested=%ld, actual=%ld", requested, actual);
+
+ if (actual != requested)
+ return MODE_CLOCK_RANGE;
+
+ return 0;
+}
+
static const struct drm_bridge_funcs msm_hdmi_bridge_funcs = {
.pre_enable = msm_hdmi_bridge_pre_enable,
.enable = msm_hdmi_bridge_enable,
.disable = msm_hdmi_bridge_disable,
.post_disable = msm_hdmi_bridge_post_disable,
.mode_set = msm_hdmi_bridge_mode_set,
+ .mode_valid = msm_hdmi_bridge_mode_valid,
+ .get_edid = msm_hdmi_bridge_get_edid,
+ .detect = msm_hdmi_bridge_detect,
};
+static void
+msm_hdmi_hotplug_work(struct work_struct *work)
+{
+ struct hdmi_bridge *hdmi_bridge =
+ container_of(work, struct hdmi_bridge, hpd_work);
+ struct drm_bridge *bridge = &hdmi_bridge->base;
+
+ drm_bridge_hpd_notify(bridge, drm_bridge_detect(bridge));
+}
/* initialize bridge */
struct drm_bridge *msm_hdmi_bridge_init(struct hdmi *hdmi)
@@ -283,11 +344,17 @@ struct drm_bridge *msm_hdmi_bridge_init(struct hdmi *hdmi)
}
hdmi_bridge->hdmi = hdmi;
+ INIT_WORK(&hdmi_bridge->hpd_work, msm_hdmi_hotplug_work);
bridge = &hdmi_bridge->base;
bridge->funcs = &msm_hdmi_bridge_funcs;
+ bridge->ddc = hdmi->i2c;
+ bridge->type = DRM_MODE_CONNECTOR_HDMIA;
+ bridge->ops = DRM_BRIDGE_OP_HPD |
+ DRM_BRIDGE_OP_DETECT |
+ DRM_BRIDGE_OP_EDID;
- ret = drm_bridge_attach(hdmi->encoder, bridge, NULL, 0);
+ ret = drm_bridge_attach(hdmi->encoder, bridge, NULL, DRM_BRIDGE_ATTACH_NO_CONNECTOR);
if (ret)
goto fail;
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi_connector.c b/drivers/gpu/drm/msm/hdmi/hdmi_hpd.c
similarity index 63%
rename from drivers/gpu/drm/msm/hdmi/hdmi_connector.c
rename to drivers/gpu/drm/msm/hdmi/hdmi_hpd.c
index 58707a1f3878..c3a236bb952c 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi_connector.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi_hpd.c
@@ -11,13 +11,6 @@
#include "msm_kms.h"
#include "hdmi.h"
-struct hdmi_connector {
- struct drm_connector base;
- struct hdmi *hdmi;
- struct work_struct hpd_work;
-};
-#define to_hdmi_connector(x) container_of(x, struct hdmi_connector, base)
-
static void msm_hdmi_phy_reset(struct hdmi *hdmi)
{
unsigned int val;
@@ -139,10 +132,10 @@ static void enable_hpd_clocks(struct hdmi *hdmi, bool enable)
}
}
-int msm_hdmi_hpd_enable(struct drm_connector *connector)
+int msm_hdmi_hpd_enable(struct drm_bridge *bridge)
{
- struct hdmi_connector *hdmi_connector = to_hdmi_connector(connector);
- struct hdmi *hdmi = hdmi_connector->hdmi;
+ struct hdmi_bridge *hdmi_bridge = to_hdmi_bridge(bridge);
+ struct hdmi *hdmi = hdmi_bridge->hdmi;
const struct hdmi_platform_config *config = hdmi->config;
struct device *dev = &hdmi->pdev->dev;
uint32_t hpd_ctrl;
@@ -202,9 +195,9 @@ int msm_hdmi_hpd_enable(struct drm_connector *connector)
return ret;
}
-static void hdp_disable(struct hdmi_connector *hdmi_connector)
+void msm_hdmi_hpd_disable(struct hdmi_bridge *hdmi_bridge)
{
- struct hdmi *hdmi = hdmi_connector->hdmi;
+ struct hdmi *hdmi = hdmi_bridge->hdmi;
const struct hdmi_platform_config *config = hdmi->config;
struct device *dev = &hdmi->pdev->dev;
int i, ret = 0;
@@ -233,19 +226,10 @@ static void hdp_disable(struct hdmi_connector *hdmi_connector)
}
}
-static void
-msm_hdmi_hotplug_work(struct work_struct *work)
-{
- struct hdmi_connector *hdmi_connector =
- container_of(work, struct hdmi_connector, hpd_work);
- struct drm_connector *connector = &hdmi_connector->base;
- drm_helper_hpd_irq_event(connector->dev);
-}
-
-void msm_hdmi_connector_irq(struct drm_connector *connector)
+void msm_hdmi_hpd_irq(struct drm_bridge *bridge)
{
- struct hdmi_connector *hdmi_connector = to_hdmi_connector(connector);
- struct hdmi *hdmi = hdmi_connector->hdmi;
+ struct hdmi_bridge *hdmi_bridge = to_hdmi_bridge(bridge);
+ struct hdmi *hdmi = hdmi_bridge->hdmi;
uint32_t hpd_int_status, hpd_int_ctrl;
/* Process HPD: */
@@ -268,7 +252,7 @@ void msm_hdmi_connector_irq(struct drm_connector *connector)
hpd_int_ctrl |= HDMI_HPD_INT_CTRL_INT_CONNECT;
hdmi_write(hdmi, REG_HDMI_HPD_INT_CTRL, hpd_int_ctrl);
- queue_work(hdmi->workq, &hdmi_connector->hpd_work);
+ queue_work(hdmi->workq, &hdmi_bridge->hpd_work);
}
}
@@ -299,11 +283,11 @@ static enum drm_connector_status detect_gpio(struct hdmi *hdmi)
connector_status_disconnected;
}
-static enum drm_connector_status hdmi_connector_detect(
- struct drm_connector *connector, bool force)
+enum drm_connector_status msm_hdmi_bridge_detect(
+ struct drm_bridge *bridge)
{
- struct hdmi_connector *hdmi_connector = to_hdmi_connector(connector);
- struct hdmi *hdmi = hdmi_connector->hdmi;
+ struct hdmi_bridge *hdmi_bridge = to_hdmi_bridge(bridge);
+ struct hdmi *hdmi = hdmi_bridge->hdmi;
const struct hdmi_platform_config *config = hdmi->config;
struct hdmi_gpio_data hpd_gpio = config->gpios[HPD_GPIO_INDEX];
enum drm_connector_status stat_gpio, stat_reg;
@@ -337,115 +321,3 @@ static enum drm_connector_status hdmi_connector_detect(
return stat_gpio;
}
-
-static void hdmi_connector_destroy(struct drm_connector *connector)
-{
- struct hdmi_connector *hdmi_connector = to_hdmi_connector(connector);
-
- hdp_disable(hdmi_connector);
-
- drm_connector_cleanup(connector);
-
- kfree(hdmi_connector);
-}
-
-static int msm_hdmi_connector_get_modes(struct drm_connector *connector)
-{
- struct hdmi_connector *hdmi_connector = to_hdmi_connector(connector);
- struct hdmi *hdmi = hdmi_connector->hdmi;
- struct edid *edid;
- uint32_t hdmi_ctrl;
- int ret = 0;
-
- hdmi_ctrl = hdmi_read(hdmi, REG_HDMI_CTRL);
- hdmi_write(hdmi, REG_HDMI_CTRL, hdmi_ctrl | HDMI_CTRL_ENABLE);
-
- edid = drm_get_edid(connector, hdmi->i2c);
-
- hdmi_write(hdmi, REG_HDMI_CTRL, hdmi_ctrl);
-
- hdmi->hdmi_mode = drm_detect_hdmi_monitor(edid);
- drm_connector_update_edid_property(connector, edid);
-
- if (edid) {
- ret = drm_add_edid_modes(connector, edid);
- kfree(edid);
- }
-
- return ret;
-}
-
-static int msm_hdmi_connector_mode_valid(struct drm_connector *connector,
- struct drm_display_mode *mode)
-{
- struct hdmi_connector *hdmi_connector = to_hdmi_connector(connector);
- struct hdmi *hdmi = hdmi_connector->hdmi;
- const struct hdmi_platform_config *config = hdmi->config;
- struct msm_drm_private *priv = connector->dev->dev_private;
- struct msm_kms *kms = priv->kms;
- long actual, requested;
-
- requested = 1000 * mode->clock;
- actual = kms->funcs->round_pixclk(kms,
- requested, hdmi_connector->hdmi->encoder);
-
- /* for mdp5/apq8074, we manage our own pixel clk (as opposed to
- * mdp4/dtv stuff where pixel clk is assigned to mdp/encoder
- * instead):
- */
- if (config->pwr_clk_cnt > 0)
- actual = clk_round_rate(hdmi->pwr_clks[0], actual);
-
- DBG("requested=%ld, actual=%ld", requested, actual);
-
- if (actual != requested)
- return MODE_CLOCK_RANGE;
-
- return 0;
-}
-
-static const struct drm_connector_funcs hdmi_connector_funcs = {
- .detect = hdmi_connector_detect,
- .fill_modes = drm_helper_probe_single_connector_modes,
- .destroy = hdmi_connector_destroy,
- .reset = drm_atomic_helper_connector_reset,
- .atomic_duplicate_state = drm_atomic_helper_connector_duplicate_state,
- .atomic_destroy_state = drm_atomic_helper_connector_destroy_state,
-};
-
-static const struct drm_connector_helper_funcs msm_hdmi_connector_helper_funcs = {
- .get_modes = msm_hdmi_connector_get_modes,
- .mode_valid = msm_hdmi_connector_mode_valid,
-};
-
-/* initialize connector */
-struct drm_connector *msm_hdmi_connector_init(struct hdmi *hdmi)
-{
- struct drm_connector *connector = NULL;
- struct hdmi_connector *hdmi_connector;
-
- hdmi_connector = kzalloc(sizeof(*hdmi_connector), GFP_KERNEL);
- if (!hdmi_connector)
- return ERR_PTR(-ENOMEM);
-
- hdmi_connector->hdmi = hdmi;
- INIT_WORK(&hdmi_connector->hpd_work, msm_hdmi_hotplug_work);
-
- connector = &hdmi_connector->base;
-
- drm_connector_init_with_ddc(hdmi->dev, connector,
- &hdmi_connector_funcs,
- DRM_MODE_CONNECTOR_HDMIA,
- hdmi->i2c);
- drm_connector_helper_add(connector, &msm_hdmi_connector_helper_funcs);
-
- connector->polled = DRM_CONNECTOR_POLL_CONNECT |
- DRM_CONNECTOR_POLL_DISCONNECT;
-
- connector->interlace_allowed = 0;
- connector->doublescan_allowed = 0;
-
- drm_connector_attach_encoder(connector, hdmi->encoder);
-
- return connector;
-}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 132/783] drm/msm/hdmi: drop unused GPIO support
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 131/783] drm/msm/hdmi: switch to drm_bridge_connector Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 133/783] bpf: Fix slot type check in check_stack_write_var_off Greg Kroah-Hartman
` (660 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Dmitry Baryshkov,
Stephen Boyd, Sasha Levin
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit 68e674b13b17ed41aac2763d12ece6deaae8df58 ]
The HDMI driver has code to configure extra GPIOs, which predates
pinctrl support. Nowadays all platforms should use pinctrl instead.
Neither of upstreamed Qualcomm platforms uses these properties, so it's
safe to drop them.
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Patchwork: https://patchwork.freedesktop.org/patch/488858/
Link: https://lore.kernel.org/r/20220609122350.3157529-7-dmitry.baryshkov@linaro.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Stable-dep-of: b964444b2b64 ("drm/msm/hdmi: use devres helper for runtime PM management")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/hdmi/hdmi.c | 66 +++++++----------------------
drivers/gpu/drm/msm/hdmi/hdmi.h | 13 +-----
drivers/gpu/drm/msm/hdmi/hdmi_hpd.c | 62 ++-------------------------
3 files changed, 21 insertions(+), 120 deletions(-)
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c
index f6b09e8eca67..efb14043a6ec 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi.c
@@ -247,6 +247,20 @@ static struct hdmi *msm_hdmi_init(struct platform_device *pdev)
hdmi->pwr_clks[i] = clk;
}
+ hdmi->hpd_gpiod = devm_gpiod_get_optional(&pdev->dev, "hpd", GPIOD_IN);
+ /* This will catch e.g. -EPROBE_DEFER */
+ if (IS_ERR(hdmi->hpd_gpiod)) {
+ ret = PTR_ERR(hdmi->hpd_gpiod);
+ DRM_DEV_ERROR(&pdev->dev, "failed to get hpd gpio: (%d)\n", ret);
+ goto fail;
+ }
+
+ if (!hdmi->hpd_gpiod)
+ DBG("failed to get HPD gpio");
+
+ if (hdmi->hpd_gpiod)
+ gpiod_set_consumer_name(hdmi->hpd_gpiod, "HDMI_HPD");
+
pm_runtime_enable(&pdev->dev);
hdmi->workq = alloc_ordered_workqueue("msm_hdmi", 0);
@@ -429,20 +443,6 @@ static struct hdmi_platform_config hdmi_tx_8996_config = {
.hpd_freq = hpd_clk_freq_8x74,
};
-static const struct {
- const char *name;
- const bool output;
- const int value;
- const char *label;
-} msm_hdmi_gpio_pdata[] = {
- { "qcom,hdmi-tx-ddc-clk", true, 1, "HDMI_DDC_CLK" },
- { "qcom,hdmi-tx-ddc-data", true, 1, "HDMI_DDC_DATA" },
- { "qcom,hdmi-tx-hpd", false, 1, "HDMI_HPD" },
- { "qcom,hdmi-tx-mux-en", true, 1, "HDMI_MUX_EN" },
- { "qcom,hdmi-tx-mux-sel", true, 0, "HDMI_MUX_SEL" },
- { "qcom,hdmi-tx-mux-lpm", true, 1, "HDMI_MUX_LPM" },
-};
-
/*
* HDMI audio codec callbacks
*/
@@ -555,7 +555,7 @@ static int msm_hdmi_bind(struct device *dev, struct device *master, void *data)
struct hdmi_platform_config *hdmi_cfg;
struct hdmi *hdmi;
struct device_node *of_node = dev->of_node;
- int i, err;
+ int err;
hdmi_cfg = (struct hdmi_platform_config *)
of_device_get_match_data(dev);
@@ -567,42 +567,6 @@ static int msm_hdmi_bind(struct device *dev, struct device *master, void *data)
hdmi_cfg->mmio_name = "core_physical";
hdmi_cfg->qfprom_mmio_name = "qfprom_physical";
- for (i = 0; i < HDMI_MAX_NUM_GPIO; i++) {
- const char *name = msm_hdmi_gpio_pdata[i].name;
- struct gpio_desc *gpiod;
-
- /*
- * We are fetching the GPIO lines "as is" since the connector
- * code is enabling and disabling the lines. Until that point
- * the power-on default value will be kept.
- */
- gpiod = devm_gpiod_get_optional(dev, name, GPIOD_ASIS);
- /* This will catch e.g. -PROBE_DEFER */
- if (IS_ERR(gpiod))
- return PTR_ERR(gpiod);
- if (!gpiod) {
- /* Try a second time, stripping down the name */
- char name3[32];
-
- /*
- * Try again after stripping out the "qcom,hdmi-tx"
- * prefix. This is mainly to match "hpd-gpios" used
- * in the upstream bindings.
- */
- if (sscanf(name, "qcom,hdmi-tx-%s", name3))
- gpiod = devm_gpiod_get_optional(dev, name3, GPIOD_ASIS);
- if (IS_ERR(gpiod))
- return PTR_ERR(gpiod);
- if (!gpiod)
- DBG("failed to get gpio: %s", name);
- }
- hdmi_cfg->gpios[i].gpiod = gpiod;
- if (gpiod)
- gpiod_set_consumer_name(gpiod, msm_hdmi_gpio_pdata[i].label);
- hdmi_cfg->gpios[i].output = msm_hdmi_gpio_pdata[i].output;
- hdmi_cfg->gpios[i].value = msm_hdmi_gpio_pdata[i].value;
- }
-
dev->platform_data = hdmi_cfg;
hdmi = msm_hdmi_init(to_platform_device(dev));
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.h b/drivers/gpu/drm/msm/hdmi/hdmi.h
index 8d2706bec3b9..20f554312b17 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi.h
+++ b/drivers/gpu/drm/msm/hdmi/hdmi.h
@@ -19,17 +19,9 @@
#include "msm_drv.h"
#include "hdmi.xml.h"
-#define HDMI_MAX_NUM_GPIO 6
-
struct hdmi_phy;
struct hdmi_platform_config;
-struct hdmi_gpio_data {
- struct gpio_desc *gpiod;
- bool output;
- int value;
-};
-
struct hdmi_audio {
bool enabled;
struct hdmi_audio_infoframe infoframe;
@@ -61,6 +53,8 @@ struct hdmi {
struct clk **hpd_clks;
struct clk **pwr_clks;
+ struct gpio_desc *hpd_gpiod;
+
struct hdmi_phy *phy;
struct device *phy_dev;
@@ -109,9 +103,6 @@ struct hdmi_platform_config {
/* clks that need to be on for screen pwr (ie pixel clk): */
const char **pwr_clk_names;
int pwr_clk_cnt;
-
- /* gpio's: */
- struct hdmi_gpio_data gpios[HDMI_MAX_NUM_GPIO];
};
struct hdmi_bridge {
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi_hpd.c b/drivers/gpu/drm/msm/hdmi/hdmi_hpd.c
index c3a236bb952c..52ebe562ca9b 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi_hpd.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi_hpd.c
@@ -60,48 +60,6 @@ static void msm_hdmi_phy_reset(struct hdmi *hdmi)
}
}
-static int gpio_config(struct hdmi *hdmi, bool on)
-{
- const struct hdmi_platform_config *config = hdmi->config;
- int i;
-
- if (on) {
- for (i = 0; i < HDMI_MAX_NUM_GPIO; i++) {
- struct hdmi_gpio_data gpio = config->gpios[i];
-
- if (gpio.gpiod) {
- if (gpio.output) {
- gpiod_direction_output(gpio.gpiod,
- gpio.value);
- } else {
- gpiod_direction_input(gpio.gpiod);
- gpiod_set_value_cansleep(gpio.gpiod,
- gpio.value);
- }
- }
- }
-
- DBG("gpio on");
- } else {
- for (i = 0; i < HDMI_MAX_NUM_GPIO; i++) {
- struct hdmi_gpio_data gpio = config->gpios[i];
-
- if (!gpio.gpiod)
- continue;
-
- if (gpio.output) {
- int value = gpio.value ? 0 : 1;
-
- gpiod_set_value_cansleep(gpio.gpiod, value);
- }
- }
-
- DBG("gpio off");
- }
-
- return 0;
-}
-
static void enable_hpd_clocks(struct hdmi *hdmi, bool enable)
{
const struct hdmi_platform_config *config = hdmi->config;
@@ -157,11 +115,8 @@ int msm_hdmi_hpd_enable(struct drm_bridge *bridge)
goto fail;
}
- ret = gpio_config(hdmi, true);
- if (ret) {
- DRM_DEV_ERROR(dev, "failed to configure GPIOs: %d\n", ret);
- goto fail;
- }
+ if (hdmi->hpd_gpiod)
+ gpiod_set_value_cansleep(hdmi->hpd_gpiod, 1);
pm_runtime_get_sync(dev);
enable_hpd_clocks(hdmi, true);
@@ -210,10 +165,6 @@ void msm_hdmi_hpd_disable(struct hdmi_bridge *hdmi_bridge)
enable_hpd_clocks(hdmi, false);
pm_runtime_put_autosuspend(dev);
- ret = gpio_config(hdmi, false);
- if (ret)
- dev_warn(dev, "failed to unconfigure GPIOs: %d\n", ret);
-
ret = pinctrl_pm_select_sleep_state(dev);
if (ret)
dev_warn(dev, "pinctrl state chg failed: %d\n", ret);
@@ -275,10 +226,7 @@ static enum drm_connector_status detect_reg(struct hdmi *hdmi)
#define HPD_GPIO_INDEX 2
static enum drm_connector_status detect_gpio(struct hdmi *hdmi)
{
- const struct hdmi_platform_config *config = hdmi->config;
- struct hdmi_gpio_data hpd_gpio = config->gpios[HPD_GPIO_INDEX];
-
- return gpiod_get_value(hpd_gpio.gpiod) ?
+ return gpiod_get_value(hdmi->hpd_gpiod) ?
connector_status_connected :
connector_status_disconnected;
}
@@ -288,8 +236,6 @@ enum drm_connector_status msm_hdmi_bridge_detect(
{
struct hdmi_bridge *hdmi_bridge = to_hdmi_bridge(bridge);
struct hdmi *hdmi = hdmi_bridge->hdmi;
- const struct hdmi_platform_config *config = hdmi->config;
- struct hdmi_gpio_data hpd_gpio = config->gpios[HPD_GPIO_INDEX];
enum drm_connector_status stat_gpio, stat_reg;
int retry = 20;
@@ -297,7 +243,7 @@ enum drm_connector_status msm_hdmi_bridge_detect(
* some platforms may not have hpd gpio. Rely only on the status
* provided by REG_HDMI_HPD_INT_STATUS in this case.
*/
- if (!hpd_gpio.gpiod)
+ if (!hdmi->hpd_gpiod)
return detect_reg(hdmi);
do {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 133/783] bpf: Fix slot type check in check_stack_write_var_off
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 132/783] drm/msm/hdmi: drop unused GPIO support Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 134/783] media: vivid: fix compose size exceed boundary Greg Kroah-Hartman
` (659 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kumar Kartikeya Dwivedi,
Alexei Starovoitov, Sasha Levin
From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
[ Upstream commit f5e477a861e4a20d8a1c5f7a245f3a3c3c376b03 ]
For the case where allow_ptr_leaks is false, code is checking whether
slot type is STACK_INVALID and STACK_SPILL and rejecting other cases.
This is a consequence of incorrectly checking for register type instead
of the slot type (NOT_INIT and SCALAR_VALUE respectively). Fix the
check.
Fixes: 01f810ace9ed ("bpf: Allow variable-offset stack access")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20221103191013.1236066-5-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 50364031eb4d..4d62822f5502 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2439,14 +2439,17 @@ static int check_stack_write_var_off(struct bpf_verifier_env *env,
spi = slot / BPF_REG_SIZE;
stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];
- if (!env->allow_ptr_leaks
- && *stype != NOT_INIT
- && *stype != SCALAR_VALUE) {
- /* Reject the write if there's are spilled pointers in
- * range. If we didn't reject here, the ptr status
- * would be erased below (even though not all slots are
- * actually overwritten), possibly opening the door to
- * leaks.
+ if (!env->allow_ptr_leaks && *stype != STACK_MISC && *stype != STACK_ZERO) {
+ /* Reject the write if range we may write to has not
+ * been initialized beforehand. If we didn't reject
+ * here, the ptr status would be erased below (even
+ * though not all slots are actually overwritten),
+ * possibly opening the door to leaks.
+ *
+ * We do however catch STACK_INVALID case below, and
+ * only allow reading possibly uninitialized memory
+ * later for CAP_PERFMON, as the write may not happen to
+ * that slot.
*/
verbose(env, "spilled ptr in range of var-offset stack write; insn %d, ptr off: %d",
insn_idx, i);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 134/783] media: vivid: fix compose size exceed boundary
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 133/783] bpf: Fix slot type check in check_stack_write_var_off Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 135/783] media: platform: exynos4-is: fix return value check in fimc_md_probe() Greg Kroah-Hartman
` (658 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Shixin, Hans Verkuil, Sasha Levin
From: Liu Shixin <liushixin2@huawei.com>
[ Upstream commit 94a7ad9283464b75b12516c5512541d467cefcf8 ]
syzkaller found a bug:
BUG: unable to handle page fault for address: ffffc9000a3b1000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0
Oops: 0002 [#1] PREEMPT SMP
CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:memcpy_erms+0x6/0x10
[...]
Call Trace:
<TASK>
? tpg_fill_plane_buffer+0x856/0x15b0
vivid_fillbuff+0x8ac/0x1110
vivid_thread_vid_cap_tick+0x361/0xc90
vivid_thread_vid_cap+0x21a/0x3a0
kthread+0x143/0x180
ret_from_fork+0x1f/0x30
</TASK>
This is because we forget to check boundary after adjust compose->height
int V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem
for this case.
Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/test-drivers/vivid/vivid-vid-cap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/test-drivers/vivid/vivid-vid-cap.c b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
index d493bd17481b..437889e51ca0 100644
--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
@@ -961,6 +961,7 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection
if (dev->has_compose_cap) {
v4l2_rect_set_min_size(compose, &min_rect);
v4l2_rect_set_max_size(compose, &max_rect);
+ v4l2_rect_map_inside(compose, &fmt);
}
dev->fmt_cap_rect = fmt;
tpg_s_buf_height(&dev->tpg, fmt.height);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 135/783] media: platform: exynos4-is: fix return value check in fimc_md_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 134/783] media: vivid: fix compose size exceed boundary Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 136/783] bpf: propagate precision in ALU/ALU64 operations Greg Kroah-Hartman
` (657 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Hans Verkuil, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit e38e42c078da4af962d322b97e726dcb2f184e3f ]
devm_pinctrl_get() may return ERR_PTR(-EPROBE_DEFER), add a minus sign
to fix it.
Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/exynos4-is/media-dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
index 8603c578f55f..a9ab2a28fc26 100644
--- a/drivers/media/platform/exynos4-is/media-dev.c
+++ b/drivers/media/platform/exynos4-is/media-dev.c
@@ -1470,7 +1470,7 @@ static int fimc_md_probe(struct platform_device *pdev)
pinctrl = devm_pinctrl_get(dev);
if (IS_ERR(pinctrl)) {
ret = PTR_ERR(pinctrl);
- if (ret != EPROBE_DEFER)
+ if (ret != -EPROBE_DEFER)
dev_err(dev, "Failed to get pinctrl: %d\n", ret);
goto err_clk;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 136/783] bpf: propagate precision in ALU/ALU64 operations
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 135/783] media: platform: exynos4-is: fix return value check in fimc_md_probe() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 137/783] bpf: Check the other end of slot_type for STACK_SPILL Greg Kroah-Hartman
` (656 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Alexei Starovoitov,
Sasha Levin
From: Andrii Nakryiko <andrii@kernel.org>
[ Upstream commit a3b666bfa9c9edc05bca62a87abafe0936bd7f97 ]
When processing ALU/ALU64 operations (apart from BPF_MOV, which is
handled correctly already; and BPF_NEG and BPF_END are special and don't
have source register), if destination register is already marked
precise, this causes problem with potentially missing precision tracking
for the source register. E.g., when we have r1 >>= r5 and r1 is marked
precise, but r5 isn't, this will lead to r5 staying as imprecise. This
is due to the precision backtracking logic stopping early when it sees
r1 is already marked precise. If r1 wasn't precise, we'd keep
backtracking and would add r5 to the set of registers that need to be
marked precise. So there is a discrepancy here which can lead to invalid
and incompatible states matched due to lack of precision marking on r5.
If r1 wasn't precise, precision backtracking would correctly mark both
r1 and r5 as precise.
This is simple to fix, though. During the forward instruction simulation
pass, for arithmetic operations of `scalar <op>= scalar` form (where
<op> is ALU or ALU64 operations), if destination register is already
precise, mark source register as precise. This applies only when both
involved registers are SCALARs. `ptr += scalar` and `scalar += ptr`
cases are already handled correctly.
This does have (negative) effect on some selftest programs and few
Cilium programs. ~/baseline-tmp-results.csv are veristat results with
this patch, while ~/baseline-results.csv is without it. See post
scriptum for instructions on how to make Cilium programs testable with
veristat. Correctness has a price.
$ ./veristat -C -e file,prog,insns,states ~/baseline-results.csv ~/baseline-tmp-results.csv | grep -v '+0'
File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF)
----------------------- -------------------- --------------- --------------- ------------------ ---------------- ---------------- -------------------
bpf_cubic.bpf.linked1.o bpf_cubic_cong_avoid 997 1700 +703 (+70.51%) 62 90 +28 (+45.16%)
test_l4lb.bpf.linked1.o balancer_ingress 4559 5469 +910 (+19.96%) 118 126 +8 (+6.78%)
----------------------- -------------------- --------------- --------------- ------------------ ---------------- ---------------- -------------------
$ ./veristat -C -e file,prog,verdict,insns,states ~/baseline-results-cilium.csv ~/baseline-tmp-results-cilium.csv | grep -v '+0'
File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF)
------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- -------------------
bpf_host.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%)
bpf_host.o tail_nodeport_nat_ipv6_egress 3396 3446 +50 (+1.47%) 201 203 +2 (+1.00%)
bpf_lxc.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%)
bpf_overlay.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%)
bpf_xdp.o tail_lb_ipv4 71736 73442 +1706 (+2.38%) 4295 4370 +75 (+1.75%)
------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- -------------------
P.S. To make Cilium ([0]) programs libbpf-compatible and thus
veristat-loadable, apply changes from topmost commit in [1], which does
minimal changes to Cilium source code, mostly around SEC() annotations
and BPF map definitions.
[0] https://github.com/cilium/cilium/
[1] https://github.com/anakryiko/cilium/commits/libbpf-friendliness
Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20221104163649.121784-2-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 4d62822f5502..30e0fa1bd83c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6992,6 +6992,11 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
return err;
return adjust_ptr_min_max_vals(env, insn,
dst_reg, src_reg);
+ } else if (dst_reg->precise) {
+ /* if dst_reg is precise, src_reg should be precise as well */
+ err = mark_chain_precision(env, insn->src_reg);
+ if (err)
+ return err;
}
} else {
/* Pretend the src is a reg with a known value, since we only
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 137/783] bpf: Check the other end of slot_type for STACK_SPILL
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 136/783] bpf: propagate precision in ALU/ALU64 operations Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 138/783] bpf: propagate precision across all frames, not just the last one Greg Kroah-Hartman
` (655 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin KaFai Lau,
Alexei Starovoitov, Sasha Levin
From: Martin KaFai Lau <kafai@fb.com>
[ Upstream commit 27113c59b6d0a587b29ae72d4ff3f832f58b0651 ]
Every 8 bytes of the stack is tracked by a bpf_stack_state.
Within each bpf_stack_state, there is a 'u8 slot_type[8]' to track
the type of each byte. Verifier tests slot_type[0] == STACK_SPILL
to decide if the spilled reg state is saved. Verifier currently only
saves the reg state if the whole 8 bytes are spilled to the stack,
so checking the slot_type[7] is the same as checking slot_type[0].
The later patch will allow verifier to save the bounded scalar
reg also for <8 bytes spill. There is a llvm patch [1] to ensure
the <8 bytes spill will be 8-byte aligned, so checking
slot_type[7] instead of slot_type[0] is required.
While at it, this patch refactors the slot_type[0] == STACK_SPILL
test into a new function is_spilled_reg() and change the
slot_type[0] check to slot_type[7] check in there also.
[1] https://reviews.llvm.org/D109073
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20210922004934.624194-1-kafai@fb.com
Stable-dep-of: 529409ea92d5 ("bpf: propagate precision across all frames, not just the last one")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 30e0fa1bd83c..034eb3030ce9 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -562,6 +562,14 @@ const char *kernel_type_name(u32 id)
btf_type_by_id(btf_vmlinux, id)->name_off);
}
+/* The reg state of a pointer or a bounded scalar was saved when
+ * it was spilled to the stack.
+ */
+static bool is_spilled_reg(const struct bpf_stack_state *stack)
+{
+ return stack->slot_type[BPF_REG_SIZE - 1] == STACK_SPILL;
+}
+
static void print_verifier_state(struct bpf_verifier_env *env,
const struct bpf_func_state *state)
{
@@ -666,7 +674,7 @@ static void print_verifier_state(struct bpf_verifier_env *env,
continue;
verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE);
print_liveness(env, state->stack[i].spilled_ptr.live);
- if (state->stack[i].slot_type[0] == STACK_SPILL) {
+ if (is_spilled_reg(&state->stack[i])) {
reg = &state->stack[i].spilled_ptr;
t = reg->type;
verbose(env, "=%s", reg_type_str[t]);
@@ -2009,7 +2017,7 @@ static void mark_all_scalars_precise(struct bpf_verifier_env *env,
reg->precise = true;
}
for (j = 0; j < func->allocated_stack / BPF_REG_SIZE; j++) {
- if (func->stack[j].slot_type[0] != STACK_SPILL)
+ if (!is_spilled_reg(&func->stack[j]))
continue;
reg = &func->stack[j].spilled_ptr;
if (reg->type != SCALAR_VALUE)
@@ -2051,7 +2059,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
}
while (spi >= 0) {
- if (func->stack[spi].slot_type[0] != STACK_SPILL) {
+ if (!is_spilled_reg(&func->stack[spi])) {
stack_mask = 0;
break;
}
@@ -2150,7 +2158,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
return 0;
}
- if (func->stack[i].slot_type[0] != STACK_SPILL) {
+ if (!is_spilled_reg(&func->stack[i])) {
stack_mask &= ~(1ull << i);
continue;
}
@@ -2348,7 +2356,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
/* regular write of data into stack destroys any spilled ptr */
state->stack[spi].spilled_ptr.type = NOT_INIT;
/* Mark slots as STACK_MISC if they belonged to spilled ptr. */
- if (state->stack[spi].slot_type[0] == STACK_SPILL)
+ if (is_spilled_reg(&state->stack[spi]))
for (i = 0; i < BPF_REG_SIZE; i++)
state->stack[spi].slot_type[i] = STACK_MISC;
@@ -2562,7 +2570,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
stype = reg_state->stack[spi].slot_type;
reg = ®_state->stack[spi].spilled_ptr;
- if (stype[0] == STACK_SPILL) {
+ if (is_spilled_reg(®_state->stack[spi])) {
if (size != BPF_REG_SIZE) {
if (reg->type != SCALAR_VALUE) {
verbose_linfo(env, env->insn_idx, "; ");
@@ -4081,11 +4089,11 @@ static int check_stack_range_initialized(
goto mark;
}
- if (state->stack[spi].slot_type[0] == STACK_SPILL &&
+ if (is_spilled_reg(&state->stack[spi]) &&
state->stack[spi].spilled_ptr.type == PTR_TO_BTF_ID)
goto mark;
- if (state->stack[spi].slot_type[0] == STACK_SPILL &&
+ if (is_spilled_reg(&state->stack[spi]) &&
(state->stack[spi].spilled_ptr.type == SCALAR_VALUE ||
env->allow_ptr_leaks)) {
if (clobber) {
@@ -9282,9 +9290,9 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old,
* return false to continue verification of this path
*/
return false;
- if (i % BPF_REG_SIZE)
+ if (i % BPF_REG_SIZE != BPF_REG_SIZE - 1)
continue;
- if (old->stack[spi].slot_type[0] != STACK_SPILL)
+ if (!is_spilled_reg(&old->stack[spi]))
continue;
if (!regsafe(env, &old->stack[spi].spilled_ptr,
&cur->stack[spi].spilled_ptr, idmap))
@@ -9491,7 +9499,7 @@ static int propagate_precision(struct bpf_verifier_env *env,
}
for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
- if (state->stack[i].slot_type[0] != STACK_SPILL)
+ if (!is_spilled_reg(&state->stack[i]))
continue;
state_reg = &state->stack[i].spilled_ptr;
if (state_reg->type != SCALAR_VALUE ||
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 138/783] bpf: propagate precision across all frames, not just the last one
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 137/783] bpf: Check the other end of slot_type for STACK_SPILL Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 139/783] clk: qcom: gcc-sm8250: Use retention mode for USB GDSCs Greg Kroah-Hartman
` (654 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Alexei Starovoitov,
Sasha Levin
From: Andrii Nakryiko <andrii@kernel.org>
[ Upstream commit 529409ea92d590659be487ba0839710329bd8074 ]
When equivalent completed state is found and it has additional precision
restrictions, BPF verifier propagates precision to
currently-being-verified state chain (i.e., including parent states) so
that if some of the states in the chain are not yet completed, necessary
precision restrictions are enforced.
Unfortunately, right now this happens only for the last frame (deepest
active subprogram's frame), not all the frames. This can lead to
incorrect matching of states due to missing precision marker. Currently
this doesn't seem possible as BPF verifier forces everything to precise
when validated BPF program has any subprograms. But with the next patch
lifting this restriction, this becomes problematic.
In fact, without this fix, we'll start getting failure in one of the
existing test_verifier test cases:
#906/p precise: cross frame pruning FAIL
Unexpected success to load!
verification time 48 usec
stack depth 0+0
processed 26 insns (limit 1000000) max_states_per_insn 3 total_states 17 peak_states 17 mark_read 8
This patch adds precision propagation across all frames.
Fixes: a3ce685dd01a ("bpf: fix precision tracking")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20221104163649.121784-3-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 71 ++++++++++++++++++++++++-------------------
1 file changed, 39 insertions(+), 32 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 034eb3030ce9..232c93357b90 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2027,7 +2027,7 @@ static void mark_all_scalars_precise(struct bpf_verifier_env *env,
}
}
-static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
+static int __mark_chain_precision(struct bpf_verifier_env *env, int frame, int regno,
int spi)
{
struct bpf_verifier_state *st = env->cur_state;
@@ -2044,7 +2044,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
if (!env->bpf_capable)
return 0;
- func = st->frame[st->curframe];
+ func = st->frame[frame];
if (regno >= 0) {
reg = &func->regs[regno];
if (reg->type != SCALAR_VALUE) {
@@ -2125,7 +2125,7 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
break;
new_marks = false;
- func = st->frame[st->curframe];
+ func = st->frame[frame];
bitmap_from_u64(mask, reg_mask);
for_each_set_bit(i, mask, 32) {
reg = &func->regs[i];
@@ -2191,12 +2191,17 @@ static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
static int mark_chain_precision(struct bpf_verifier_env *env, int regno)
{
- return __mark_chain_precision(env, regno, -1);
+ return __mark_chain_precision(env, env->cur_state->curframe, regno, -1);
}
-static int mark_chain_precision_stack(struct bpf_verifier_env *env, int spi)
+static int mark_chain_precision_frame(struct bpf_verifier_env *env, int frame, int regno)
{
- return __mark_chain_precision(env, -1, spi);
+ return __mark_chain_precision(env, frame, regno, -1);
+}
+
+static int mark_chain_precision_stack_frame(struct bpf_verifier_env *env, int frame, int spi)
+{
+ return __mark_chain_precision(env, frame, -1, spi);
}
static bool is_spillable_regtype(enum bpf_reg_type type)
@@ -9483,34 +9488,36 @@ static int propagate_precision(struct bpf_verifier_env *env,
{
struct bpf_reg_state *state_reg;
struct bpf_func_state *state;
- int i, err = 0;
+ int i, err = 0, fr;
- state = old->frame[old->curframe];
- state_reg = state->regs;
- for (i = 0; i < BPF_REG_FP; i++, state_reg++) {
- if (state_reg->type != SCALAR_VALUE ||
- !state_reg->precise)
- continue;
- if (env->log.level & BPF_LOG_LEVEL2)
- verbose(env, "propagating r%d\n", i);
- err = mark_chain_precision(env, i);
- if (err < 0)
- return err;
- }
+ for (fr = old->curframe; fr >= 0; fr--) {
+ state = old->frame[fr];
+ state_reg = state->regs;
+ for (i = 0; i < BPF_REG_FP; i++, state_reg++) {
+ if (state_reg->type != SCALAR_VALUE ||
+ !state_reg->precise)
+ continue;
+ if (env->log.level & BPF_LOG_LEVEL2)
+ verbose(env, "frame %d: propagating r%d\n", i, fr);
+ err = mark_chain_precision_frame(env, fr, i);
+ if (err < 0)
+ return err;
+ }
- for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
- if (!is_spilled_reg(&state->stack[i]))
- continue;
- state_reg = &state->stack[i].spilled_ptr;
- if (state_reg->type != SCALAR_VALUE ||
- !state_reg->precise)
- continue;
- if (env->log.level & BPF_LOG_LEVEL2)
- verbose(env, "propagating fp%d\n",
- (-i - 1) * BPF_REG_SIZE);
- err = mark_chain_precision_stack(env, i);
- if (err < 0)
- return err;
+ for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
+ if (!is_spilled_reg(&state->stack[i]))
+ continue;
+ state_reg = &state->stack[i].spilled_ptr;
+ if (state_reg->type != SCALAR_VALUE ||
+ !state_reg->precise)
+ continue;
+ if (env->log.level & BPF_LOG_LEVEL2)
+ verbose(env, "frame %d: propagating fp%d\n",
+ (-i - 1) * BPF_REG_SIZE, fr);
+ err = mark_chain_precision_stack_frame(env, fr, i);
+ if (err < 0)
+ return err;
+ }
}
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 139/783] clk: qcom: gcc-sm8250: Use retention mode for USB GDSCs
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 138/783] bpf: propagate precision across all frames, not just the last one Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 140/783] mtd: Fix device name leak when register device failed in add_mtd_device() Greg Kroah-Hartman
` (653 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Bjorn Andersson, Sasha Levin
From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
[ Upstream commit ac1c5a03d3772b1db25e8092f771aa33f6ae2f7e ]
USB controllers on SM8250 doesn't work after coming back from suspend.
This can be fixed by keeping the USB GDSCs in retention mode so that
hardware can keep them ON and put into rentention mode once the parent
domain goes to a low power state.
Fixes: 3e5770921a88 ("clk: qcom: gcc: Add global clock controller driver for SM8250")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221102091320.66007-1-manivannan.sadhasivam@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sm8250.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/qcom/gcc-sm8250.c b/drivers/clk/qcom/gcc-sm8250.c
index ab594a0f0c40..7ec11acc8298 100644
--- a/drivers/clk/qcom/gcc-sm8250.c
+++ b/drivers/clk/qcom/gcc-sm8250.c
@@ -3268,7 +3268,7 @@ static struct gdsc usb30_prim_gdsc = {
.pd = {
.name = "usb30_prim_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
};
static struct gdsc usb30_sec_gdsc = {
@@ -3276,7 +3276,7 @@ static struct gdsc usb30_sec_gdsc = {
.pd = {
.name = "usb30_sec_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
};
static struct gdsc hlos1_vote_mmnoc_mmu_tbu_hf0_gdsc = {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 140/783] mtd: Fix device name leak when register device failed in add_mtd_device()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 139/783] clk: qcom: gcc-sm8250: Use retention mode for USB GDSCs Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 141/783] Input: joystick - fix Kconfig warning for JOYSTICK_ADC Greg Kroah-Hartman
` (652 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Xiaoxu, Miquel Raynal, Sasha Levin
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[ Upstream commit 895d68a39481a75c680aa421546931fb11942fa6 ]
There is a kmemleak when register device failed:
unreferenced object 0xffff888101aab550 (size 8):
comm "insmod", pid 3922, jiffies 4295277753 (age 925.408s)
hex dump (first 8 bytes):
6d 74 64 30 00 88 ff ff mtd0....
backtrace:
[<00000000bde26724>] __kmalloc_node_track_caller+0x4e/0x150
[<000000003c32b416>] kvasprintf+0xb0/0x130
[<000000001f7a8f15>] kobject_set_name_vargs+0x2f/0xb0
[<000000006e781163>] dev_set_name+0xab/0xe0
[<00000000e30d0c78>] add_mtd_device+0x4bb/0x700
[<00000000f3d34de7>] mtd_device_parse_register+0x2ac/0x3f0
[<00000000c0d88488>] 0xffffffffa0238457
[<00000000b40d0922>] 0xffffffffa02a008f
[<0000000023d17b9d>] do_one_initcall+0x87/0x2a0
[<00000000770f6ca6>] do_init_module+0xdf/0x320
[<000000007b6768fe>] load_module+0x2f98/0x3330
[<00000000346bed5a>] __do_sys_finit_module+0x113/0x1b0
[<00000000674c2290>] do_syscall_64+0x35/0x80
[<000000004c6a8d97>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
If register device failed, should call put_device() to give up the
reference.
Fixes: 1f24b5a8ecbb ("[MTD] driver model updates")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20221022121352.2534682-1-zhangxiaoxu5@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/mtdcore.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
index a5197a481902..b2d88ff90e93 100644
--- a/drivers/mtd/mtdcore.c
+++ b/drivers/mtd/mtdcore.c
@@ -667,8 +667,10 @@ int add_mtd_device(struct mtd_info *mtd)
dev_set_drvdata(&mtd->dev, mtd);
of_node_get(mtd_get_of_node(mtd));
error = device_register(&mtd->dev);
- if (error)
+ if (error) {
+ put_device(&mtd->dev);
goto fail_added;
+ }
/* Add the nvmem provider */
error = mtd_nvmem_add(mtd);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 141/783] Input: joystick - fix Kconfig warning for JOYSTICK_ADC
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 140/783] mtd: Fix device name leak when register device failed in add_mtd_device() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 142/783] wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port Greg Kroah-Hartman
` (651 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Randy Dunlap,
Dmitry Torokhov, Sasha Levin
From: Randy Dunlap <rdunlap@infradead.org>
[ Upstream commit 6100a19c4fcfe154dd32f8a8ef4e8c0b1f607c75 ]
Fix a Kconfig warning for JOYSTICK_ADC by also selecting
IIO_BUFFER.
WARNING: unmet direct dependencies detected for IIO_BUFFER_CB
Depends on [n]: IIO [=y] && IIO_BUFFER [=n]
Selected by [y]:
- JOYSTICK_ADC [=y] && INPUT [=y] && INPUT_JOYSTICK [=y] && IIO [=y]
Fixes: 2c2b364fddd5 ("Input: joystick - add ADC attached joystick driver.")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://lore.kernel.org/r/20221104201238.31628-1-rdunlap@infradead.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/input/joystick/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/input/joystick/Kconfig b/drivers/input/joystick/Kconfig
index b080f0cfb068..d8ec5193a941 100644
--- a/drivers/input/joystick/Kconfig
+++ b/drivers/input/joystick/Kconfig
@@ -45,6 +45,7 @@ config JOYSTICK_A3D
config JOYSTICK_ADC
tristate "Simple joystick connected over ADC"
depends on IIO
+ select IIO_BUFFER
select IIO_BUFFER_CB
help
Say Y here if you have a simple joystick connected over ADC.
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 142/783] wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 141/783] Input: joystick - fix Kconfig warning for JOYSTICK_ADC Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 143/783] media: camss: Clean up received buffers on failed start of streaming Greg Kroah-Hartman
` (650 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marek Vasut, Kalle Valo, Sasha Levin
From: Marek Vasut <marex@denx.de>
[ Upstream commit b8f6efccbb9dc0ff5dee7e20d69a4747298ee603 ]
When using wpa_supplicant v2.10, this driver is no longer able to
associate with any AP and fails in the EAPOL 4-way handshake while
sending the 2/4 message to the AP. The problem is not present in
wpa_supplicant v2.9 or older. The problem stems from HostAP commit
144314eaa ("wpa_supplicant: Send EAPOL frames over nl80211 where available")
which changes the way EAPOL frames are sent, from them being send
at L2 frames to them being sent via nl80211 control port.
An EAPOL frame sent as L2 frame is passed to the WiFi driver with
skb->protocol ETH_P_PAE, while EAPOL frame sent via nl80211 control
port has skb->protocol set to ETH_P_802_3 . The later happens in
ieee80211_tx_control_port(), where the EAPOL frame is encapsulated
into 802.3 frame.
The rsi_91x driver handles ETH_P_PAE EAPOL frames as high-priority
frames and sends them via highest-priority transmit queue, while
the ETH_P_802_3 frames are sent as regular frames. The EAPOL 4-way
handshake frames must be sent as highest-priority, otherwise the
4-way handshake times out.
Therefore, to fix this problem, inspect the skb control flags and
if flag IEEE80211_TX_CTRL_PORT_CTRL_PROTO is set, assume this is
an EAPOL frame and transmit the frame via high-priority queue just
like other ETH_P_PAE frames.
Fixes: 0eb42586cf87 ("rsi: data packet descriptor enhancements")
Signed-off-by: Marek Vasut <marex@denx.de>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221104163339.227432-1-marex@denx.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/rsi/rsi_91x_core.c | 4 +++-
drivers/net/wireless/rsi/rsi_91x_hal.c | 6 +++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/rsi/rsi_91x_core.c b/drivers/net/wireless/rsi/rsi_91x_core.c
index 9c4c58557248..b7fa03813da1 100644
--- a/drivers/net/wireless/rsi/rsi_91x_core.c
+++ b/drivers/net/wireless/rsi/rsi_91x_core.c
@@ -466,7 +466,9 @@ void rsi_core_xmit(struct rsi_common *common, struct sk_buff *skb)
tid, 0);
}
}
- if (skb->protocol == cpu_to_be16(ETH_P_PAE)) {
+
+ if (IEEE80211_SKB_CB(skb)->control.flags &
+ IEEE80211_TX_CTRL_PORT_CTRL_PROTO) {
q_num = MGMT_SOFT_Q;
skb->priority = q_num;
}
diff --git a/drivers/net/wireless/rsi/rsi_91x_hal.c b/drivers/net/wireless/rsi/rsi_91x_hal.c
index dca81a4bbdd7..30d2eccbcadd 100644
--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
+++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
@@ -162,12 +162,16 @@ int rsi_prepare_data_desc(struct rsi_common *common, struct sk_buff *skb)
u8 header_size;
u8 vap_id = 0;
u8 dword_align_bytes;
+ bool tx_eapol;
u16 seq_num;
info = IEEE80211_SKB_CB(skb);
vif = info->control.vif;
tx_params = (struct skb_info *)info->driver_data;
+ tx_eapol = IEEE80211_SKB_CB(skb)->control.flags &
+ IEEE80211_TX_CTRL_PORT_CTRL_PROTO;
+
header_size = FRAME_DESC_SZ + sizeof(struct rsi_xtended_desc);
if (header_size > skb_headroom(skb)) {
rsi_dbg(ERR_ZONE, "%s: Unable to send pkt\n", __func__);
@@ -231,7 +235,7 @@ int rsi_prepare_data_desc(struct rsi_common *common, struct sk_buff *skb)
}
}
- if (skb->protocol == cpu_to_be16(ETH_P_PAE)) {
+ if (tx_eapol) {
rsi_dbg(INFO_ZONE, "*** Tx EAPOL ***\n");
data_desc->frame_info = cpu_to_le16(RATE_INFO_ENABLE);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 143/783] media: camss: Clean up received buffers on failed start of streaming
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 142/783] wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 144/783] net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write() Greg Kroah-Hartman
` (649 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Zapolskiy, Robert Foss,
Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin
From: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
[ Upstream commit c8f3582345e6a69da65ab588f7c4c2d1685b0e80 ]
It is required to return the received buffers, if streaming can not be
started. For instance media_pipeline_start() may fail with EPIPE, if
a link validation between entities is not passed, and in such a case
a user gets a kernel warning:
WARNING: CPU: 1 PID: 520 at drivers/media/common/videobuf2/videobuf2-core.c:1592 vb2_start_streaming+0xec/0x160
<snip>
Call trace:
vb2_start_streaming+0xec/0x160
vb2_core_streamon+0x9c/0x1a0
vb2_ioctl_streamon+0x68/0xbc
v4l_streamon+0x30/0x3c
__video_do_ioctl+0x184/0x3e0
video_usercopy+0x37c/0x7b0
video_ioctl2+0x24/0x40
v4l2_ioctl+0x4c/0x70
The fix is to correct the error path in video_start_streaming() of camss.
Fixes: 0ac2586c410f ("media: camss: Add files which handle the video device nodes")
Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Reviewed-by: Robert Foss <robert.foss@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/qcom/camss/camss-video.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/qcom/camss/camss-video.c b/drivers/media/platform/qcom/camss/camss-video.c
index 15965e63cb61..9333a7a33d4d 100644
--- a/drivers/media/platform/qcom/camss/camss-video.c
+++ b/drivers/media/platform/qcom/camss/camss-video.c
@@ -444,7 +444,7 @@ static int video_start_streaming(struct vb2_queue *q, unsigned int count)
ret = media_pipeline_start(&vdev->entity, &video->pipe);
if (ret < 0)
- return ret;
+ goto flush_buffers;
ret = video_check_format(video);
if (ret < 0)
@@ -473,6 +473,7 @@ static int video_start_streaming(struct vb2_queue *q, unsigned int count)
error:
media_pipeline_stop(&vdev->entity);
+flush_buffers:
video->ops->flush_buffers(video, VB2_BUF_STATE_QUEUED);
return ret;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 144/783] net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 143/783] media: camss: Clean up received buffers on failed start of streaming Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 145/783] rxrpc: Fix ack.bufferSize to be 0 when generating an ack Greg Kroah-Hartman
` (648 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, David Howells,
Marc Dionne, linux-afs, netdev, Sasha Levin
From: David Howells <dhowells@redhat.com>
[ Upstream commit c3d96f690a790074b508fe183a41e36a00cd7ddd ]
Provide a CONFIG_PROC_FS=n fallback for proc_create_net_single_write().
Also provide a fallback for proc_create_net_data_write().
Fixes: 564def71765c ("proc: Add a way to make network proc files writable")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/proc_fs.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
index 000cc0533c33..8c892730a1f1 100644
--- a/include/linux/proc_fs.h
+++ b/include/linux/proc_fs.h
@@ -190,8 +190,10 @@ static inline void proc_remove(struct proc_dir_entry *de) {}
static inline int remove_proc_subtree(const char *name, struct proc_dir_entry *parent) { return 0; }
#define proc_create_net_data(name, mode, parent, ops, state_size, data) ({NULL;})
+#define proc_create_net_data_write(name, mode, parent, ops, write, state_size, data) ({NULL;})
#define proc_create_net(name, mode, parent, state_size, ops) ({NULL;})
#define proc_create_net_single(name, mode, parent, show, data) ({NULL;})
+#define proc_create_net_single_write(name, mode, parent, show, write, data) ({NULL;})
static inline struct pid *tgid_pidfd_to_pid(const struct file *file)
{
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 145/783] rxrpc: Fix ack.bufferSize to be 0 when generating an ack
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 144/783] net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 146/783] drm/radeon: Add the missed acpi_put_table() to fix memory leak Greg Kroah-Hartman
` (647 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeffrey Altman, David Howells,
Marc Dionne, linux-afs, Sasha Levin
From: David Howells <dhowells@redhat.com>
[ Upstream commit 8889a711f9b4dcf4dd1330fa493081beebd118c9 ]
ack.bufferSize should be set to 0 when generating an ack.
Fixes: 8d94aa381dab ("rxrpc: Calls shouldn't hold socket refs")
Reported-by: Jeffrey Altman <jaltman@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rxrpc/output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c
index 9683617db704..08c117bc083e 100644
--- a/net/rxrpc/output.c
+++ b/net/rxrpc/output.c
@@ -93,7 +93,7 @@ static size_t rxrpc_fill_out_ack(struct rxrpc_connection *conn,
*_hard_ack = hard_ack;
*_top = top;
- pkt->ack.bufferSpace = htons(8);
+ pkt->ack.bufferSpace = htons(0);
pkt->ack.maxSkew = htons(0);
pkt->ack.firstPacket = htonl(hard_ack + 1);
pkt->ack.previousPacket = htonl(call->ackr_highest_seq);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 146/783] drm/radeon: Add the missed acpi_put_table() to fix memory leak
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 145/783] rxrpc: Fix ack.bufferSize to be 0 when generating an ack Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 147/783] drm/mediatek: Modify dpi power on/off sequence Greg Kroah-Hartman
` (646 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hanjun Guo, Alex Deucher, Sasha Levin
From: Hanjun Guo <guohanjun@huawei.com>
[ Upstream commit 10276a20be1115e1f76c189330da2992df980eee ]
When the radeon driver reads the bios information from ACPI
table in radeon_acpi_vfct_bios(), it misses to call acpi_put_table()
to release the ACPI memory after the init, so add acpi_put_table()
properly to fix the memory leak.
v2: fix text formatting (Alex)
Fixes: 268ba0a99f89 ("drm/radeon: implement ACPI VFCT vbios fetch (v3)")
Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/radeon/radeon_bios.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c
index bb29cf02974d..34d2cb929c06 100644
--- a/drivers/gpu/drm/radeon/radeon_bios.c
+++ b/drivers/gpu/drm/radeon/radeon_bios.c
@@ -612,13 +612,14 @@ static bool radeon_acpi_vfct_bios(struct radeon_device *rdev)
acpi_size tbl_size;
UEFI_ACPI_VFCT *vfct;
unsigned offset;
+ bool r = false;
if (!ACPI_SUCCESS(acpi_get_table("VFCT", 1, &hdr)))
return false;
tbl_size = hdr->length;
if (tbl_size < sizeof(UEFI_ACPI_VFCT)) {
DRM_ERROR("ACPI VFCT table present but broken (too short #1)\n");
- return false;
+ goto out;
}
vfct = (UEFI_ACPI_VFCT *)hdr;
@@ -631,13 +632,13 @@ static bool radeon_acpi_vfct_bios(struct radeon_device *rdev)
offset += sizeof(VFCT_IMAGE_HEADER);
if (offset > tbl_size) {
DRM_ERROR("ACPI VFCT image header truncated\n");
- return false;
+ goto out;
}
offset += vhdr->ImageLength;
if (offset > tbl_size) {
DRM_ERROR("ACPI VFCT image truncated\n");
- return false;
+ goto out;
}
if (vhdr->ImageLength &&
@@ -649,15 +650,18 @@ static bool radeon_acpi_vfct_bios(struct radeon_device *rdev)
rdev->bios = kmemdup(&vbios->VbiosContent,
vhdr->ImageLength,
GFP_KERNEL);
+ if (rdev->bios)
+ r = true;
- if (!rdev->bios)
- return false;
- return true;
+ goto out;
}
}
DRM_ERROR("ACPI VFCT table present but broken (too short #2)\n");
- return false;
+
+out:
+ acpi_put_table(hdr);
+ return r;
}
#else
static inline bool radeon_acpi_vfct_bios(struct radeon_device *rdev)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 147/783] drm/mediatek: Modify dpi power on/off sequence.
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 146/783] drm/radeon: Add the missed acpi_put_table() to fix memory leak Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 148/783] ASoC: pxa: fix null-pointer dereference in filter() Greg Kroah-Hartman
` (645 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xinlei Lee, Chun-Kuang Hu, Sasha Levin
From: Xinlei Lee <xinlei.lee@mediatek.com>
[ Upstream commit ff446c0f6290185cefafe3b376bb86063a3a9f6a ]
Modify dpi power on/off sequence so that the first gpio operation will
take effect.
Fixes: 6bd4763fd532 ("drm/mediatek: set dpi pin mode to gpio low to avoid leakage current")
Signed-off-by: Xinlei Lee <xinlei.lee@mediatek.com>
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/mediatek/mtk_dpi.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c
index c1ae336df683..aa3d472c79d7 100644
--- a/drivers/gpu/drm/mediatek/mtk_dpi.c
+++ b/drivers/gpu/drm/mediatek/mtk_dpi.c
@@ -367,9 +367,6 @@ static void mtk_dpi_power_off(struct mtk_dpi *dpi)
if (--dpi->refcount != 0)
return;
- if (dpi->pinctrl && dpi->pins_gpio)
- pinctrl_select_state(dpi->pinctrl, dpi->pins_gpio);
-
mtk_dpi_disable(dpi);
clk_disable_unprepare(dpi->pixel_clk);
clk_disable_unprepare(dpi->engine_clk);
@@ -394,9 +391,6 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
goto err_pixel;
}
- if (dpi->pinctrl && dpi->pins_dpi)
- pinctrl_select_state(dpi->pinctrl, dpi->pins_dpi);
-
return 0;
err_pixel:
@@ -525,12 +519,18 @@ static void mtk_dpi_bridge_disable(struct drm_bridge *bridge)
struct mtk_dpi *dpi = bridge_to_dpi(bridge);
mtk_dpi_power_off(dpi);
+
+ if (dpi->pinctrl && dpi->pins_gpio)
+ pinctrl_select_state(dpi->pinctrl, dpi->pins_gpio);
}
static void mtk_dpi_bridge_enable(struct drm_bridge *bridge)
{
struct mtk_dpi *dpi = bridge_to_dpi(bridge);
+ if (dpi->pinctrl && dpi->pins_dpi)
+ pinctrl_select_state(dpi->pinctrl, dpi->pins_dpi);
+
mtk_dpi_power_on(dpi);
mtk_dpi_set_display_mode(dpi, &dpi->mode);
mtk_dpi_enable(dpi);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 148/783] ASoC: pxa: fix null-pointer dereference in filter()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 147/783] drm/mediatek: Modify dpi power on/off sequence Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 149/783] regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() Greg Kroah-Hartman
` (644 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zeng Heng, Mark Brown, Sasha Levin
From: Zeng Heng <zengheng4@huawei.com>
[ Upstream commit ec7bf231aaa1bdbcb69d23bc50c753c80fb22429 ]
kasprintf() would return NULL pointer when kmalloc() fail to allocate.
Need to check the return pointer before calling strcmp().
Fixes: 7a824e214e25 ("ASoC: mmp: add audio dma support")
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Link: https://lore.kernel.org/r/20221114085629.1910435-1-zengheng4@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/pxa/mmp-pcm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/pxa/mmp-pcm.c b/sound/soc/pxa/mmp-pcm.c
index 53fc49e32fbc..0791737c3bf3 100644
--- a/sound/soc/pxa/mmp-pcm.c
+++ b/sound/soc/pxa/mmp-pcm.c
@@ -98,7 +98,7 @@ static bool filter(struct dma_chan *chan, void *param)
devname = kasprintf(GFP_KERNEL, "%s.%d", dma_data->dma_res->name,
dma_data->ssp_id);
- if ((strcmp(dev_name(chan->device->dev), devname) == 0) &&
+ if (devname && (strcmp(dev_name(chan->device->dev), devname) == 0) &&
(chan->chan_id == dma_data->dma_res->start)) {
found = true;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 149/783] regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 148/783] ASoC: pxa: fix null-pointer dereference in filter() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 150/783] amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table() Greg Kroah-Hartman
` (643 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 ]
I got the the following report:
OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /i2c/pmic@62/regulators/exten
In of_get_regulator(), the node is returned from of_parse_phandle()
with refcount incremented, after using it, of_node_put() need be called.
Fixes: 69511a452e6d ("regulator: map consumer regulator based on device tree")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221115091508.900752-1-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index eb083b26ab4f..876afa3919c1 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1775,6 +1775,7 @@ static struct regulator_dev *regulator_dev_lookup(struct device *dev,
node = of_get_regulator(dev, supply);
if (node) {
r = of_find_regulator_by_node(node);
+ of_node_put(node);
if (r)
return r;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 150/783] amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 149/783] regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 151/783] drm/fourcc: Add packed 10bit YUV 4:2:0 format Greg Kroah-Hartman
` (642 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Alex Deucher, Sasha Levin
From: Dan Carpenter <error27@gmail.com>
[ Upstream commit d27252b5706e51188aed7647126e44dcf9e940c1 ]
In the PP_OD_EDIT_VDDC_CURVE case the "input_index" variable is capped at
2 but not checked for negative values so it results in an out of bounds
read. This value comes from the user via sysfs.
Fixes: d5bf26539494 ("drm/amd/powerplay: added vega20 overdrive support V3")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
index 60cde0c52825..57a354a03e8a 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/vega20_hwmgr.c
@@ -2962,7 +2962,8 @@ static int vega20_odn_edit_dpm_table(struct pp_hwmgr *hwmgr,
data->od8_settings.od8_settings_array;
OverDriveTable_t *od_table =
&(data->smc_state_table.overdrive_table);
- int32_t input_index, input_clk, input_vol, i;
+ int32_t input_clk, input_vol, i;
+ uint32_t input_index;
int od8_id;
int ret;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 151/783] drm/fourcc: Add packed 10bit YUV 4:2:0 format
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 150/783] amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 152/783] drm/fourcc: Fix vsub/hsub for Q410 and Q401 Greg Kroah-Hartman
` (641 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dave Stevenson, Maxime Ripard,
Thomas Zimmermann, Sasha Levin
From: Dave Stevenson <dave.stevenson@raspberrypi.com>
[ Upstream commit 006ea1b5822f9019bd722ffc6242bc0880879e3d ]
Adds a format that is 3 10bit YUV 4:2:0 samples packed into
a 32bit word (with 2 spare bits).
Supported on Broadcom BCM2711 chips.
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20211215091739.135042-2-maxime@cerno.tech
Stable-dep-of: b230555f3257 ("drm/fourcc: Fix vsub/hsub for Q410 and Q401")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_fourcc.c | 3 +++
include/uapi/drm/drm_fourcc.h | 11 +++++++++++
2 files changed, 14 insertions(+)
diff --git a/drivers/gpu/drm/drm_fourcc.c b/drivers/gpu/drm/drm_fourcc.c
index 722c7ebe4e88..4d4b65a88bd1 100644
--- a/drivers/gpu/drm/drm_fourcc.c
+++ b/drivers/gpu/drm/drm_fourcc.c
@@ -286,6 +286,9 @@ const struct drm_format_info *__drm_format_info(u32 format)
.num_planes = 3, .char_per_block = { 2, 2, 2 },
.block_w = { 1, 1, 1 }, .block_h = { 1, 1, 1 }, .hsub = 0,
.vsub = 0, .is_yuv = true },
+ { .format = DRM_FORMAT_P030, .depth = 0, .num_planes = 2,
+ .char_per_block = { 4, 8, 0 }, .block_w = { 3, 3, 0 }, .block_h = { 1, 1, 0 },
+ .hsub = 2, .vsub = 2, .is_yuv = true},
};
unsigned int i;
diff --git a/include/uapi/drm/drm_fourcc.h b/include/uapi/drm/drm_fourcc.h
index 5498d7a6556a..dad9d3b4a97a 100644
--- a/include/uapi/drm/drm_fourcc.h
+++ b/include/uapi/drm/drm_fourcc.h
@@ -271,6 +271,13 @@ extern "C" {
*/
#define DRM_FORMAT_P016 fourcc_code('P', '0', '1', '6') /* 2x2 subsampled Cr:Cb plane 16 bits per channel */
+/* 2 plane YCbCr420.
+ * 3 10 bit components and 2 padding bits packed into 4 bytes.
+ * index 0 = Y plane, [31:0] x:Y2:Y1:Y0 2:10:10:10 little endian
+ * index 1 = Cr:Cb plane, [63:0] x:Cr2:Cb2:Cr1:x:Cb1:Cr0:Cb0 [2:10:10:10:2:10:10:10] little endian
+ */
+#define DRM_FORMAT_P030 fourcc_code('P', '0', '3', '0') /* 2x2 subsampled Cr:Cb plane 10 bits per channel packed */
+
/* 3 plane non-subsampled (444) YCbCr
* 16 bits per component, but only 10 bits are used and 6 bits are padded
* index 0: Y plane, [15:0] Y:x [10:6] little endian
@@ -777,6 +784,10 @@ drm_fourcc_canonicalize_nvidia_format_mod(__u64 modifier)
* and UV. Some SAND-using hardware stores UV in a separate tiled
* image from Y to reduce the column height, which is not supported
* with these modifiers.
+ *
+ * The DRM_FORMAT_MOD_BROADCOM_SAND128_COL_HEIGHT modifier is also
+ * supported for DRM_FORMAT_P030 where the columns remain as 128 bytes
+ * wide, but as this is a 10 bpp format that translates to 96 pixels.
*/
#define DRM_FORMAT_MOD_BROADCOM_SAND32_COL_HEIGHT(v) \
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 152/783] drm/fourcc: Fix vsub/hsub for Q410 and Q401
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 151/783] drm/fourcc: Add packed 10bit YUV 4:2:0 format Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 153/783] integrity: Fix memory leakage in keyring allocation error path Greg Kroah-Hartman
` (640 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, George Kennedy, butt3rflyh4ck,
Brian Starkey, Liviu Dudau, Sasha Levin
From: Brian Starkey <brian.starkey@arm.com>
[ Upstream commit b230555f3257f197dd98641ef6ebaf778b52dd51 ]
These formats are not subsampled, but that means hsub and vsub should be
1, not 0.
Fixes: 94b292b27734 ("drm: drm_fourcc: add NV15, Q410, Q401 YUV formats")
Reported-by: George Kennedy <george.kennedy@oracle.com>
Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Signed-off-by: Brian Starkey <brian.starkey@arm.com>
Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220913144306.17279-1-brian.starkey@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_fourcc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/drm_fourcc.c b/drivers/gpu/drm/drm_fourcc.c
index 4d4b65a88bd1..92152c06b75b 100644
--- a/drivers/gpu/drm/drm_fourcc.c
+++ b/drivers/gpu/drm/drm_fourcc.c
@@ -280,12 +280,12 @@ const struct drm_format_info *__drm_format_info(u32 format)
.vsub = 2, .is_yuv = true },
{ .format = DRM_FORMAT_Q410, .depth = 0,
.num_planes = 3, .char_per_block = { 2, 2, 2 },
- .block_w = { 1, 1, 1 }, .block_h = { 1, 1, 1 }, .hsub = 0,
- .vsub = 0, .is_yuv = true },
+ .block_w = { 1, 1, 1 }, .block_h = { 1, 1, 1 }, .hsub = 1,
+ .vsub = 1, .is_yuv = true },
{ .format = DRM_FORMAT_Q401, .depth = 0,
.num_planes = 3, .char_per_block = { 2, 2, 2 },
- .block_w = { 1, 1, 1 }, .block_h = { 1, 1, 1 }, .hsub = 0,
- .vsub = 0, .is_yuv = true },
+ .block_w = { 1, 1, 1 }, .block_h = { 1, 1, 1 }, .hsub = 1,
+ .vsub = 1, .is_yuv = true },
{ .format = DRM_FORMAT_P030, .depth = 0, .num_planes = 2,
.char_per_block = { 4, 8, 0 }, .block_w = { 3, 3, 0 }, .block_h = { 1, 1, 0 },
.hsub = 2, .vsub = 2, .is_yuv = true},
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 153/783] integrity: Fix memory leakage in keyring allocation error path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 152/783] drm/fourcc: Fix vsub/hsub for Q410 and Q401 Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 154/783] ima: Fix misuse of dereference of pointer in template_desc_init_fields() Greg Kroah-Hartman
` (639 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, GUO Zihua, Mimi Zohar, Sasha Levin
From: GUO Zihua <guozihua@huawei.com>
[ Upstream commit 39419ef7af0916cc3620ecf1ed42d29659109bf3 ]
Key restriction is allocated in integrity_init_keyring(). However, if
keyring allocation failed, it is not freed, causing memory leaks.
Fixes: 2b6aa412ff23 ("KEYS: Use structure to capture key restriction function and data")
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/digsig.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index 0f518dcfde05..de442af7b336 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -120,6 +120,7 @@ int __init integrity_init_keyring(const unsigned int id)
{
struct key_restriction *restriction;
key_perm_t perm;
+ int ret;
perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW
| KEY_USR_READ | KEY_USR_SEARCH;
@@ -140,7 +141,10 @@ int __init integrity_init_keyring(const unsigned int id)
perm |= KEY_USR_WRITE;
out:
- return __integrity_init_keyring(id, perm, restriction);
+ ret = __integrity_init_keyring(id, perm, restriction);
+ if (ret)
+ kfree(restriction);
+ return ret;
}
int __init integrity_add_key(const unsigned int id, const void *data,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 154/783] ima: Fix misuse of dereference of pointer in template_desc_init_fields()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 153/783] integrity: Fix memory leakage in keyring allocation error path Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 155/783] wifi: ath10k: Fix return value in ath10k_pci_init() Greg Kroah-Hartman
` (638 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Roberto Sassu,
Mimi Zohar, Sasha Levin
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit 25369175ce84813dd99d6604e710dc2491f68523 ]
The input parameter @fields is type of struct ima_template_field ***, so
when allocates array memory for @fields, the size of element should be
sizeof(**field) instead of sizeof(*field).
Actually the original code would not cause any runtime error, but it's
better to make it logically right.
Fixes: adf53a778a0a ("ima: new templates management mechanism")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_template.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c
index f64c01d53e96..e053c741997b 100644
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -220,11 +220,11 @@ int template_desc_init_fields(const char *template_fmt,
}
if (fields && num_fields) {
- *fields = kmalloc_array(i, sizeof(*fields), GFP_KERNEL);
+ *fields = kmalloc_array(i, sizeof(**fields), GFP_KERNEL);
if (*fields == NULL)
return -ENOMEM;
- memcpy(*fields, found_fields, i * sizeof(*fields));
+ memcpy(*fields, found_fields, i * sizeof(**fields));
*num_fields = i;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 155/783] wifi: ath10k: Fix return value in ath10k_pci_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 154/783] ima: Fix misuse of dereference of pointer in template_desc_init_fields() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 156/783] mtd: lpddr2_nvm: Fix possible null-ptr-deref Greg Kroah-Hartman
` (637 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Jeff Johnson,
Kalle Valo, Sasha Levin
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit 2af7749047d8d6ad43feff69f555a13a6a6c2831 ]
This driver is attempting to register to support two different buses.
if either of these is successful then ath10k_pci_init() should return 0
so that hardware attached to the successful bus can be probed and
supported. only if both of these are unsuccessful should ath10k_pci_init()
return an errno.
Fixes: 0b523ced9a3c ("ath10k: add basic skeleton to support ahb")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221110061926.18163-1-xiujianfeng@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/pci.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c
index 86f52bcb3e4d..67e240327fb3 100644
--- a/drivers/net/wireless/ath/ath10k/pci.c
+++ b/drivers/net/wireless/ath/ath10k/pci.c
@@ -3799,18 +3799,22 @@ static struct pci_driver ath10k_pci_driver = {
static int __init ath10k_pci_init(void)
{
- int ret;
+ int ret1, ret2;
- ret = pci_register_driver(&ath10k_pci_driver);
- if (ret)
+ ret1 = pci_register_driver(&ath10k_pci_driver);
+ if (ret1)
printk(KERN_ERR "failed to register ath10k pci driver: %d\n",
- ret);
+ ret1);
- ret = ath10k_ahb_init();
- if (ret)
- printk(KERN_ERR "ahb init failed: %d\n", ret);
+ ret2 = ath10k_ahb_init();
+ if (ret2)
+ printk(KERN_ERR "ahb init failed: %d\n", ret2);
- return ret;
+ if (ret1 && ret2)
+ return ret1;
+
+ /* registered to at least one bus */
+ return 0;
}
module_init(ath10k_pci_init);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 156/783] mtd: lpddr2_nvm: Fix possible null-ptr-deref
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 155/783] wifi: ath10k: Fix return value in ath10k_pci_init() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 157/783] Input: elants_i2c - properly handle the reset GPIO when power is off Greg Kroah-Hartman
` (636 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hui Tang, Uwe Kleine-König,
Miquel Raynal, Sasha Levin
From: Hui Tang <tanghui20@huawei.com>
[ Upstream commit 6bdd45d795adf9e73b38ced5e7f750cd199499ff ]
It will cause null-ptr-deref when resource_size(add_range) invoked,
if platform_get_resource() returns NULL.
Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories")
Signed-off-by: Hui Tang <tanghui20@huawei.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20221114090240.244172-1-tanghui20@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/lpddr/lpddr2_nvm.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c
index 72f5c7b30079..add4386f99f0 100644
--- a/drivers/mtd/lpddr/lpddr2_nvm.c
+++ b/drivers/mtd/lpddr/lpddr2_nvm.c
@@ -433,6 +433,8 @@ static int lpddr2_nvm_probe(struct platform_device *pdev)
/* lpddr2_nvm address range */
add_range = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ if (!add_range)
+ return -ENODEV;
/* Populate map_info data structure */
*map = (struct map_info) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 157/783] Input: elants_i2c - properly handle the reset GPIO when power is off
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 156/783] mtd: lpddr2_nvm: Fix possible null-ptr-deref Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 158/783] media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init() Greg Kroah-Hartman
` (635 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Dmitry Torokhov,
Sasha Levin
From: Douglas Anderson <dianders@chromium.org>
[ Upstream commit a85fbd6498441694475716a4d5c65f9d3e073faf ]
As can be seen in elants_i2c_power_off(), we want the reset GPIO
asserted when power is off. The reset GPIO is active low so we need
the reset line logic low when power is off to avoid leakage.
We have a problem, though, at probe time. At probe time we haven't
powered the regulators on yet but we have:
devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW);
While that _looks_ right, it turns out that it's not. The
GPIOD_OUT_LOW doesn't mean to init the GPIO to low. It means init the
GPIO to "not asserted". Since this is an active low GPIO that inits it
to be high.
Let's fix this to properly init the GPIO. Now after both probe and
power off the state of the GPIO is consistent (it's "asserted" or
level low).
Once we fix this, we can see that at power on time we no longer to
assert the reset GPIO as the first thing. The reset GPIO is _always_
asserted before powering on. Let's fix powering on to account for
this.
Fixes: afe10358e47a ("Input: elants_i2c - wire up regulator support")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://lore.kernel.org/r/20221117123805.1.I9959ac561dd6e1e8e1ce7085e4de6167b27c574f@changeid
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/input/touchscreen/elants_i2c.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c
index c09aefa2661d..ca9cee5851a0 100644
--- a/drivers/input/touchscreen/elants_i2c.c
+++ b/drivers/input/touchscreen/elants_i2c.c
@@ -1219,14 +1219,12 @@ static int elants_i2c_power_on(struct elants_data *ts)
if (IS_ERR_OR_NULL(ts->reset_gpio))
return 0;
- gpiod_set_value_cansleep(ts->reset_gpio, 1);
-
error = regulator_enable(ts->vcc33);
if (error) {
dev_err(&ts->client->dev,
"failed to enable vcc33 regulator: %d\n",
error);
- goto release_reset_gpio;
+ return error;
}
error = regulator_enable(ts->vccio);
@@ -1235,7 +1233,7 @@ static int elants_i2c_power_on(struct elants_data *ts)
"failed to enable vccio regulator: %d\n",
error);
regulator_disable(ts->vcc33);
- goto release_reset_gpio;
+ return error;
}
/*
@@ -1244,7 +1242,6 @@ static int elants_i2c_power_on(struct elants_data *ts)
*/
udelay(ELAN_POWERON_DELAY_USEC);
-release_reset_gpio:
gpiod_set_value_cansleep(ts->reset_gpio, 0);
if (error)
return error;
@@ -1352,7 +1349,7 @@ static int elants_i2c_probe(struct i2c_client *client,
return error;
}
- ts->reset_gpio = devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW);
+ ts->reset_gpio = devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_HIGH);
if (IS_ERR(ts->reset_gpio)) {
error = PTR_ERR(ts->reset_gpio);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 158/783] media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 157/783] Input: elants_i2c - properly handle the reset GPIO when power is off Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 159/783] media: solo6x10: fix possible memory leak in solo_sysfs_init() Greg Kroah-Hartman
` (634 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Hans Verkuil, Sasha Levin
From: Chen Zhongjin <chenzhongjin@huawei.com>
[ Upstream commit ba8d9405935097e296bcf7a942c3a01df0edb865 ]
KASAN reports a use-after-free:
BUG: KASAN: use-after-free in dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core]
Call Trace:
...
dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core]
vidtv_bridge_probe+0x7bf/0xa40 [dvb_vidtv_bridge]
platform_probe+0xb6/0x170
...
Allocated by task 1238:
...
dvb_register_device+0x1a7/0xa70 [dvb_core]
dvb_dmxdev_init+0x2af/0x4a0 [dvb_core]
vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge]
...
Freed by task 1238:
dvb_register_device+0x6d2/0xa70 [dvb_core]
dvb_dmxdev_init+0x2af/0x4a0 [dvb_core]
vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge]
...
It is because the error handling in vidtv_bridge_dvb_init() is wrong.
First, vidtv_bridge_dmx(dev)_init() will clean themselves when fail, but
goto fail_dmx(_dev): calls release functions again, which causes
use-after-free.
Also, in fail_fe, fail_tuner_probe and fail_demod_probe, j = i will cause
out-of-bound when i finished its loop (i == NUM_FE). And the loop
releasing is wrong, although now NUM_FE is 1 so it won't cause problem.
Fix this by correctly releasing everything.
Fixes: f90cf6079bf6 ("media: vidtv: add a bridge driver")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../media/test-drivers/vidtv/vidtv_bridge.c | 22 +++++++------------
1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
index fc64d0c8492a..3c281265a9ec 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
@@ -456,26 +456,20 @@ static int vidtv_bridge_dvb_init(struct vidtv_dvb *dvb)
for (j = j - 1; j >= 0; --j)
dvb->demux.dmx.remove_frontend(&dvb->demux.dmx,
&dvb->dmx_fe[j]);
-fail_dmx_dev:
dvb_dmxdev_release(&dvb->dmx_dev);
-fail_dmx:
+fail_dmx_dev:
dvb_dmx_release(&dvb->demux);
+fail_dmx:
+fail_demod_probe:
+ for (i = i - 1; i >= 0; --i) {
+ dvb_unregister_frontend(dvb->fe[i]);
fail_fe:
- for (j = i; j >= 0; --j)
- dvb_unregister_frontend(dvb->fe[j]);
+ dvb_module_release(dvb->i2c_client_tuner[i]);
fail_tuner_probe:
- for (j = i; j >= 0; --j)
- if (dvb->i2c_client_tuner[j])
- dvb_module_release(dvb->i2c_client_tuner[j]);
-
-fail_demod_probe:
- for (j = i; j >= 0; --j)
- if (dvb->i2c_client_demod[j])
- dvb_module_release(dvb->i2c_client_demod[j]);
-
+ dvb_module_release(dvb->i2c_client_demod[i]);
+ }
fail_adapter:
dvb_unregister_adapter(&dvb->adapter);
-
fail_i2c:
i2c_del_adapter(&dvb->i2c_adapter);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 159/783] media: solo6x10: fix possible memory leak in solo_sysfs_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 158/783] media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 160/783] media: platform: exynos4-is: Fix error handling in fimc_md_init() Greg Kroah-Hartman
` (633 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Hans Verkuil, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 7f5866dd96d95b74e439f6ee17b8abd8195179fb ]
If device_register() returns error in solo_sysfs_init(), the
name allocated by dev_set_name() need be freed. As comment of
device_register() says, it should use put_device() to give up
the reference in the error path. So fix this by calling
put_device(), then the name can be freed in kobject_cleanup().
Fixes: dcae5dacbce5 ("[media] solo6x10: sync to latest code from Bluecherry's git repo")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/pci/solo6x10/solo6x10-core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/pci/solo6x10/solo6x10-core.c b/drivers/media/pci/solo6x10/solo6x10-core.c
index d497afc7e7b7..4ebb1e020fad 100644
--- a/drivers/media/pci/solo6x10/solo6x10-core.c
+++ b/drivers/media/pci/solo6x10/solo6x10-core.c
@@ -420,6 +420,7 @@ static int solo_sysfs_init(struct solo_dev *solo_dev)
solo_dev->nr_chans);
if (device_register(dev)) {
+ put_device(dev);
dev->parent = NULL;
return -ENOMEM;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 160/783] media: platform: exynos4-is: Fix error handling in fimc_md_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 159/783] media: solo6x10: fix possible memory leak in solo_sysfs_init() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 161/783] media: videobuf-dma-contig: use dma_mmap_coherent Greg Kroah-Hartman
` (632 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Hans Verkuil, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit b434422c45282a0573d8123239abc41fa72665d4 ]
A problem about modprobe s5p_fimc failed is triggered with the
following log given:
[ 272.075275] Error: Driver 'exynos4-fimc' is already registered, aborting...
modprobe: ERROR: could not insert 's5p_fimc': Device or resource busy
The reason is that fimc_md_init() returns platform_driver_register()
directly without checking its return value, if platform_driver_register()
failed, it returns without unregister fimc_driver, resulting the
s5p_fimc can never be installed later.
A simple call graph is shown as below:
fimc_md_init()
fimc_register_driver() # register fimc_driver
platform_driver_register()
platform_driver_register()
driver_register()
bus_add_driver()
dev = kzalloc(...) # OOM happened
# return without unregister fimc_driver
Fix by unregister fimc_driver when platform_driver_register() returns
error.
Fixes: d3953223b090 ("[media] s5p-fimc: Add the media device driver")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/exynos4-is/fimc-core.c | 2 +-
drivers/media/platform/exynos4-is/media-dev.c | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/exynos4-is/fimc-core.c b/drivers/media/platform/exynos4-is/fimc-core.c
index 08d1f39a914c..60b28e6f739e 100644
--- a/drivers/media/platform/exynos4-is/fimc-core.c
+++ b/drivers/media/platform/exynos4-is/fimc-core.c
@@ -1174,7 +1174,7 @@ int __init fimc_register_driver(void)
return platform_driver_register(&fimc_driver);
}
-void __exit fimc_unregister_driver(void)
+void fimc_unregister_driver(void)
{
platform_driver_unregister(&fimc_driver);
}
diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
index a9ab2a28fc26..bd37011fb671 100644
--- a/drivers/media/platform/exynos4-is/media-dev.c
+++ b/drivers/media/platform/exynos4-is/media-dev.c
@@ -1582,7 +1582,11 @@ static int __init fimc_md_init(void)
if (ret)
return ret;
- return platform_driver_register(&fimc_md_driver);
+ ret = platform_driver_register(&fimc_md_driver);
+ if (ret)
+ fimc_unregister_driver();
+
+ return ret;
}
static void __exit fimc_md_exit(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 161/783] media: videobuf-dma-contig: use dma_mmap_coherent
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 160/783] media: platform: exynos4-is: Fix error handling in fimc_md_init() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 162/783] inet: add READ_ONCE(sk->sk_bound_dev_if) in inet_csk_bind_conflict() Greg Kroah-Hartman
` (631 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Sasha Levin
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit b3dc3f8e49577840dc8ac8a365c5b3da4edb10b8 ]
dma_alloc_coherent does not return a physical address, but a DMA address,
which might be remapped or have an offset. Passing the DMA address to
vm_iomap_memory is thus broken.
Use the proper dma_mmap_coherent helper instead, and stop passing
__GFP_COMP to dma_alloc_coherent, as the memory management inside the
DMA allocator is hidden from the callers and does not require it.
With this the gfp_t argument to __videobuf_dc_alloc can be removed and
hard coded to GFP_KERNEL.
Fixes: a8f3c203e19b ("[media] videobuf-dma-contig: add cache support")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/v4l2-core/videobuf-dma-contig.c | 22 +++++++------------
1 file changed, 8 insertions(+), 14 deletions(-)
diff --git a/drivers/media/v4l2-core/videobuf-dma-contig.c b/drivers/media/v4l2-core/videobuf-dma-contig.c
index 52312ce2ba05..f2c439359557 100644
--- a/drivers/media/v4l2-core/videobuf-dma-contig.c
+++ b/drivers/media/v4l2-core/videobuf-dma-contig.c
@@ -36,12 +36,11 @@ struct videobuf_dma_contig_memory {
static int __videobuf_dc_alloc(struct device *dev,
struct videobuf_dma_contig_memory *mem,
- unsigned long size, gfp_t flags)
+ unsigned long size)
{
mem->size = size;
- mem->vaddr = dma_alloc_coherent(dev, mem->size,
- &mem->dma_handle, flags);
-
+ mem->vaddr = dma_alloc_coherent(dev, mem->size, &mem->dma_handle,
+ GFP_KERNEL);
if (!mem->vaddr) {
dev_err(dev, "memory alloc size %ld failed\n", mem->size);
return -ENOMEM;
@@ -258,8 +257,7 @@ static int __videobuf_iolock(struct videobuf_queue *q,
return videobuf_dma_contig_user_get(mem, vb);
/* allocate memory for the read() method */
- if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(vb->size),
- GFP_KERNEL))
+ if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(vb->size)))
return -ENOMEM;
break;
case V4L2_MEMORY_OVERLAY:
@@ -295,22 +293,18 @@ static int __videobuf_mmap_mapper(struct videobuf_queue *q,
BUG_ON(!mem);
MAGIC_CHECK(mem->magic, MAGIC_DC_MEM);
- if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(buf->bsize),
- GFP_KERNEL | __GFP_COMP))
+ if (__videobuf_dc_alloc(q->dev, mem, PAGE_ALIGN(buf->bsize)))
goto error;
- /* Try to remap memory */
- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
-
/* the "vm_pgoff" is just used in v4l2 to find the
* corresponding buffer data structure which is allocated
* earlier and it does not mean the offset from the physical
* buffer start address as usual. So set it to 0 to pass
- * the sanity check in vm_iomap_memory().
+ * the sanity check in dma_mmap_coherent().
*/
vma->vm_pgoff = 0;
-
- retval = vm_iomap_memory(vma, mem->dma_handle, mem->size);
+ retval = dma_mmap_coherent(q->dev, vma, mem->vaddr, mem->dma_handle,
+ mem->size);
if (retval) {
dev_err(q->dev, "mmap: remap failed with error %d. ",
retval);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 162/783] inet: add READ_ONCE(sk->sk_bound_dev_if) in inet_csk_bind_conflict()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 161/783] media: videobuf-dma-contig: use dma_mmap_coherent Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 163/783] bpf: Move skb->len == 0 checks into __bpf_redirect Greg Kroah-Hartman
` (630 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller, Sasha Levin
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit d2c135619cb89d1d5693df81ab408c5e8e97e898 ]
inet_csk_bind_conflict() can access sk->sk_bound_dev_if for
unlocked sockets.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/inet_connection_sock.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 4d9713324003..e54abccdffd0 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -147,10 +147,14 @@ static int inet_csk_bind_conflict(const struct sock *sk,
*/
sk_for_each_bound(sk2, &tb->owners) {
- if (sk != sk2 &&
- (!sk->sk_bound_dev_if ||
- !sk2->sk_bound_dev_if ||
- sk->sk_bound_dev_if == sk2->sk_bound_dev_if)) {
+ int bound_dev_if2;
+
+ if (sk == sk2)
+ continue;
+ bound_dev_if2 = READ_ONCE(sk2->sk_bound_dev_if);
+ if ((!sk->sk_bound_dev_if ||
+ !bound_dev_if2 ||
+ sk->sk_bound_dev_if == bound_dev_if2)) {
if (reuse && sk2->sk_reuse &&
sk2->sk_state != TCP_LISTEN) {
if ((!relax ||
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 163/783] bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 162/783] inet: add READ_ONCE(sk->sk_bound_dev_if) in inet_csk_bind_conflict() Greg Kroah-Hartman
@ 2023-01-12 13:47 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 164/783] HID: hid-sensor-custom: set fixed size for custom attributes Greg Kroah-Hartman
` (629 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:47 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanislav Fomichev,
Martin KaFai Lau, Sasha Levin
From: Stanislav Fomichev <sdf@google.com>
[ Upstream commit 114039b342014680911c35bd6b72624180fd669a ]
To avoid potentially breaking existing users.
Both mac/no-mac cases have to be amended; mac_header >= network_header
is not enough (verified with a new test, see next patch).
Fixes: fd1894224407 ("bpf: Don't redirect packets with invalid pkt_len")
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/r/20221121180340.1983627-1-sdf@google.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bpf/test_run.c | 3 ---
net/core/filter.c | 7 ++++++-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 717b01ff9b2b..7df14a0e380c 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -442,9 +442,6 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb)
{
struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;
- if (!skb->len)
- return -EINVAL;
-
if (!__skb)
return 0;
diff --git a/net/core/filter.c b/net/core/filter.c
index 4c22e6d1da74..ef7e74260afc 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2125,6 +2125,11 @@ static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev,
{
unsigned int mlen = skb_network_offset(skb);
+ if (unlikely(skb->len <= mlen)) {
+ kfree_skb(skb);
+ return -ERANGE;
+ }
+
if (mlen) {
__skb_pull(skb, mlen);
@@ -2146,7 +2151,7 @@ static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev,
u32 flags)
{
/* Verify that a link layer header is carried */
- if (unlikely(skb->mac_header >= skb->network_header)) {
+ if (unlikely(skb->mac_header >= skb->network_header || skb->len == 0)) {
kfree_skb(skb);
return -ERANGE;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 164/783] HID: hid-sensor-custom: set fixed size for custom attributes
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2023-01-12 13:47 ` [PATCH 5.10 163/783] bpf: Move skb->len == 0 checks into __bpf_redirect Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 165/783] ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT Greg Kroah-Hartman
` (628 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcus Folkesson, Jonathan Cameron,
Jiri Kosina, Sasha Levin
From: Marcus Folkesson <marcus.folkesson@gmail.com>
[ Upstream commit 9d013910df22de91333a0acc81d1dbb115bd76f6 ]
This is no bugfix (so no Fixes: tag is necessary) as it is
taken care of in hid_sensor_custom_add_attributes().
The motivation for this patch is that:
hid_sensor_custom_field.attr_name and
hid_sensor_custom_field.attrs
has the size of HID_CUSTOM_TOTAL_ATTRS and used in same context.
We compare against HID_CUSTOM_TOTAL_ATTRS when
looping through hid_custom_attrs.
We will silent the smatch error:
hid_sensor_custom_add_attributes() error: buffer overflow
'hid_custom_attrs' 8 <= 10
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-sensor-custom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
index 4d25577a8573..971600a6397a 100644
--- a/drivers/hid/hid-sensor-custom.c
+++ b/drivers/hid/hid-sensor-custom.c
@@ -59,7 +59,7 @@ struct hid_sensor_sample {
u32 raw_len;
} __packed;
-static struct attribute hid_custom_attrs[] = {
+static struct attribute hid_custom_attrs[HID_CUSTOM_TOTAL_ATTRS] = {
{.name = "name", .mode = S_IRUGO},
{.name = "units", .mode = S_IRUGO},
{.name = "unit-expo", .mode = S_IRUGO},
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 165/783] ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 164/783] HID: hid-sensor-custom: set fixed size for custom attributes Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 166/783] ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT Greg Kroah-Hartman
` (627 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baisong Zhong, Takashi Iwai, Sasha Levin
From: Baisong Zhong <zhongbaisong@huawei.com>
[ Upstream commit b5172e62458f8e6ff359e5f096044a488db90ac5 ]
Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:
UBSAN: shift-out-of-bounds in sound/core/pcm_native.c:2676:21
left shift of 1 by 31 places cannot be represented in type 'int'
...
Call Trace:
<TASK>
dump_stack_lvl+0x8d/0xcf
ubsan_epilogue+0xa/0x44
__ubsan_handle_shift_out_of_bounds+0x1e7/0x208
snd_pcm_open_substream+0x9f0/0xa90
snd_pcm_oss_open.part.26+0x313/0x670
snd_pcm_oss_open+0x30/0x40
soundcore_open+0x18b/0x2e0
chrdev_open+0xe2/0x270
do_dentry_open+0x2f7/0x620
path_openat+0xd66/0xe70
do_filp_open+0xe3/0x170
do_sys_openat2+0x357/0x4a0
do_sys_open+0x87/0xd0
do_syscall_64+0x34/0x80
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
Link: https://lore.kernel.org/r/20221121110044.3115686-1-zhongbaisong@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/pcm.h | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/include/sound/pcm.h b/include/sound/pcm.h
index 5ffc2efedd9f..6554a9f71c62 100644
--- a/include/sound/pcm.h
+++ b/include/sound/pcm.h
@@ -106,24 +106,24 @@ struct snd_pcm_ops {
#define SNDRV_PCM_POS_XRUN ((snd_pcm_uframes_t)-1)
/* If you change this don't forget to change rates[] table in pcm_native.c */
-#define SNDRV_PCM_RATE_5512 (1<<0) /* 5512Hz */
-#define SNDRV_PCM_RATE_8000 (1<<1) /* 8000Hz */
-#define SNDRV_PCM_RATE_11025 (1<<2) /* 11025Hz */
-#define SNDRV_PCM_RATE_16000 (1<<3) /* 16000Hz */
-#define SNDRV_PCM_RATE_22050 (1<<4) /* 22050Hz */
-#define SNDRV_PCM_RATE_32000 (1<<5) /* 32000Hz */
-#define SNDRV_PCM_RATE_44100 (1<<6) /* 44100Hz */
-#define SNDRV_PCM_RATE_48000 (1<<7) /* 48000Hz */
-#define SNDRV_PCM_RATE_64000 (1<<8) /* 64000Hz */
-#define SNDRV_PCM_RATE_88200 (1<<9) /* 88200Hz */
-#define SNDRV_PCM_RATE_96000 (1<<10) /* 96000Hz */
-#define SNDRV_PCM_RATE_176400 (1<<11) /* 176400Hz */
-#define SNDRV_PCM_RATE_192000 (1<<12) /* 192000Hz */
-#define SNDRV_PCM_RATE_352800 (1<<13) /* 352800Hz */
-#define SNDRV_PCM_RATE_384000 (1<<14) /* 384000Hz */
-
-#define SNDRV_PCM_RATE_CONTINUOUS (1<<30) /* continuous range */
-#define SNDRV_PCM_RATE_KNOT (1<<31) /* supports more non-continuos rates */
+#define SNDRV_PCM_RATE_5512 (1U<<0) /* 5512Hz */
+#define SNDRV_PCM_RATE_8000 (1U<<1) /* 8000Hz */
+#define SNDRV_PCM_RATE_11025 (1U<<2) /* 11025Hz */
+#define SNDRV_PCM_RATE_16000 (1U<<3) /* 16000Hz */
+#define SNDRV_PCM_RATE_22050 (1U<<4) /* 22050Hz */
+#define SNDRV_PCM_RATE_32000 (1U<<5) /* 32000Hz */
+#define SNDRV_PCM_RATE_44100 (1U<<6) /* 44100Hz */
+#define SNDRV_PCM_RATE_48000 (1U<<7) /* 48000Hz */
+#define SNDRV_PCM_RATE_64000 (1U<<8) /* 64000Hz */
+#define SNDRV_PCM_RATE_88200 (1U<<9) /* 88200Hz */
+#define SNDRV_PCM_RATE_96000 (1U<<10) /* 96000Hz */
+#define SNDRV_PCM_RATE_176400 (1U<<11) /* 176400Hz */
+#define SNDRV_PCM_RATE_192000 (1U<<12) /* 192000Hz */
+#define SNDRV_PCM_RATE_352800 (1U<<13) /* 352800Hz */
+#define SNDRV_PCM_RATE_384000 (1U<<14) /* 384000Hz */
+
+#define SNDRV_PCM_RATE_CONTINUOUS (1U<<30) /* continuous range */
+#define SNDRV_PCM_RATE_KNOT (1U<<31) /* supports more non-continuos rates */
#define SNDRV_PCM_RATE_8000_44100 (SNDRV_PCM_RATE_8000|SNDRV_PCM_RATE_11025|\
SNDRV_PCM_RATE_16000|SNDRV_PCM_RATE_22050|\
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 166/783] ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 165/783] ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 167/783] regulator: core: use kfree_const() to free space conditionally Greg Kroah-Hartman
` (626 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baisong Zhong, Takashi Iwai, Sasha Levin
From: Baisong Zhong <zhongbaisong@huawei.com>
[ Upstream commit cf59e1e4c79bf741905484cdb13c130b53576a16 ]
Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:
UBSAN: shift-out-of-bounds in sound/core/seq/seq_clientmgr.c:509:22
left shift of 1 by 31 places cannot be represented in type 'int'
...
Call Trace:
<TASK>
dump_stack_lvl+0x8d/0xcf
ubsan_epilogue+0xa/0x44
__ubsan_handle_shift_out_of_bounds+0x1e7/0x208
snd_seq_deliver_single_event.constprop.21+0x191/0x2f0
snd_seq_deliver_event+0x1a2/0x350
snd_seq_kernel_client_dispatch+0x8b/0xb0
snd_seq_client_notify_subscription+0x72/0xa0
snd_seq_ioctl_subscribe_port+0x128/0x160
snd_seq_kernel_client_ctl+0xce/0xf0
snd_seq_oss_create_client+0x109/0x15b
alsa_seq_oss_init+0x11c/0x1aa
do_one_initcall+0x80/0x440
kernel_init_freeable+0x370/0x3c3
kernel_init+0x1b/0x190
ret_from_fork+0x1f/0x30
</TASK>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
Link: https://lore.kernel.org/r/20221121111630.3119259-1-zhongbaisong@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/sound/asequencer.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/uapi/sound/asequencer.h b/include/uapi/sound/asequencer.h
index a75e14edc957..dbd60f48b4b0 100644
--- a/include/uapi/sound/asequencer.h
+++ b/include/uapi/sound/asequencer.h
@@ -344,10 +344,10 @@ typedef int __bitwise snd_seq_client_type_t;
#define KERNEL_CLIENT ((__force snd_seq_client_type_t) 2)
/* event filter flags */
-#define SNDRV_SEQ_FILTER_BROADCAST (1<<0) /* accept broadcast messages */
-#define SNDRV_SEQ_FILTER_MULTICAST (1<<1) /* accept multicast messages */
-#define SNDRV_SEQ_FILTER_BOUNCE (1<<2) /* accept bounce event in error */
-#define SNDRV_SEQ_FILTER_USE_EVENT (1<<31) /* use event filter */
+#define SNDRV_SEQ_FILTER_BROADCAST (1U<<0) /* accept broadcast messages */
+#define SNDRV_SEQ_FILTER_MULTICAST (1U<<1) /* accept multicast messages */
+#define SNDRV_SEQ_FILTER_BOUNCE (1U<<2) /* accept bounce event in error */
+#define SNDRV_SEQ_FILTER_USE_EVENT (1U<<31) /* use event filter */
struct snd_seq_client_info {
int client; /* client number to inquire */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 167/783] regulator: core: use kfree_const() to free space conditionally
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 166/783] ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 168/783] clk: rockchip: Fix memory leak in rockchip_clk_register_pll() Greg Kroah-Hartman
` (625 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wang ShaoBo, Mark Brown, Sasha Levin
From: Wang ShaoBo <bobo.shaobowang@huawei.com>
[ Upstream commit dc8d006d15b623c1d80b90b45d6dcb6e890dad09 ]
Use kfree_const() to free supply_name conditionally in create_regulator()
as supply_name may be allocated from kmalloc() or directly from .rodata
section.
Fixes: 87fe29b61f95 ("regulator: push allocations in create_regulator() outside of lock")
Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
Link: https://lore.kernel.org/r/20221123034616.3609537-1-bobo.shaobowang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 876afa3919c1..60c0be2ea5c5 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1645,7 +1645,7 @@ static struct regulator *create_regulator(struct regulator_dev *rdev,
regulator = kzalloc(sizeof(*regulator), GFP_KERNEL);
if (regulator == NULL) {
- kfree(supply_name);
+ kfree_const(supply_name);
return NULL;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 168/783] clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 167/783] regulator: core: use kfree_const() to free space conditionally Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 169/783] drm/amdgpu: fix pci device refcount leak Greg Kroah-Hartman
` (624 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Heiko Stuebner, Sasha Levin
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit 739a6a6bbdb793bd57938cb24aa5a6df89983546 ]
If clk_register() fails, @pll->rate_table may have allocated memory by
kmemdup(), so it needs to be freed, otherwise will cause memory leak
issue, this patch fixes it.
Fixes: 90c590254051 ("clk: rockchip: add clock type for pll clocks and pll used on rk3066")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Link: https://lore.kernel.org/r/20221123091201.199819-1-xiujianfeng@huawei.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/rockchip/clk-pll.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/clk/rockchip/clk-pll.c b/drivers/clk/rockchip/clk-pll.c
index bbbf9ce42867..d0bd513ff3c3 100644
--- a/drivers/clk/rockchip/clk-pll.c
+++ b/drivers/clk/rockchip/clk-pll.c
@@ -981,6 +981,7 @@ struct clk *rockchip_clk_register_pll(struct rockchip_clk_provider *ctx,
return mux_clk;
err_pll:
+ kfree(pll->rate_table);
clk_unregister(mux_clk);
mux_clk = pll_clk;
err_mux:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 169/783] drm/amdgpu: fix pci device refcount leak
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 168/783] clk: rockchip: Fix memory leak in rockchip_clk_register_pll() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 170/783] bonding: fix link recovery in mode 2 when updelay is nonzero Greg Kroah-Hartman
` (623 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Evan Quan, Yang Yingliang,
Alex Deucher, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit b85e285e3d6352b02947fc1b72303673dfacb0aa ]
As comment of pci_get_domain_bus_and_slot() says, it returns
a pci device with refcount increment, when finish using it,
the caller must decrement the reference count by calling
pci_dev_put().
So before returning from amdgpu_device_resume|suspend_display_audio(),
pci_dev_put() is called to avoid refcount leak.
Fixes: 3f12acc8d6d4 ("drm/amdgpu: put the audio codec into suspend state before gpu reset V3")
Reviewed-by: Evan Quan <evan.quan@amd.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
index bde0496d2f15..8bd887fb6e63 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
@@ -4443,6 +4443,8 @@ static void amdgpu_device_resume_display_audio(struct amdgpu_device *adev)
pm_runtime_enable(&(p->dev));
pm_runtime_resume(&(p->dev));
}
+
+ pci_dev_put(p);
}
static int amdgpu_device_suspend_display_audio(struct amdgpu_device *adev)
@@ -4481,6 +4483,7 @@ static int amdgpu_device_suspend_display_audio(struct amdgpu_device *adev)
if (expires < ktime_get_mono_fast_ns()) {
dev_warn(adev->dev, "failed to suspend display audio\n");
+ pci_dev_put(p);
/* TODO: abort the succeeding gpu reset? */
return -ETIMEDOUT;
}
@@ -4488,6 +4491,7 @@ static int amdgpu_device_suspend_display_audio(struct amdgpu_device *adev)
pm_runtime_disable(&(p->dev));
+ pci_dev_put(p);
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 170/783] bonding: fix link recovery in mode 2 when updelay is nonzero
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 169/783] drm/amdgpu: fix pci device refcount leak Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 171/783] mtd: maps: pxa2xx-flash: fix memory leak in probe Greg Kroah-Hartman
` (622 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Toppins, Jay Vosburgh,
Jakub Kicinski, Sasha Levin
From: Jonathan Toppins <jtoppins@redhat.com>
[ Upstream commit f8a65ab2f3ff7410921ebbf0dc55453102c33c56 ]
Before this change when a bond in mode 2 lost link, all of its slaves
lost link, the bonding device would never recover even after the
expiration of updelay. This change removes the updelay when the bond
currently has no usable links. Conforming to bonding.txt section 13.1
paragraph 4.
Fixes: 41f891004063 ("bonding: ignore updelay param when there is no active slave")
Signed-off-by: Jonathan Toppins <jtoppins@redhat.com>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index f38a6ce5749b..e66092518fdd 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2398,7 +2398,16 @@ static int bond_miimon_inspect(struct bonding *bond)
struct slave *slave;
bool ignore_updelay;
- ignore_updelay = !rcu_dereference(bond->curr_active_slave);
+ if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP) {
+ ignore_updelay = !rcu_dereference(bond->curr_active_slave);
+ } else {
+ struct bond_up_slave *usable_slaves;
+
+ usable_slaves = rcu_dereference(bond->usable_slaves);
+
+ if (usable_slaves && usable_slaves->count == 0)
+ ignore_updelay = true;
+ }
bond_for_each_slave_rcu(bond, slave, iter) {
bond_propose_link_state(slave, BOND_LINK_NOCHANGE);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 171/783] mtd: maps: pxa2xx-flash: fix memory leak in probe
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 170/783] bonding: fix link recovery in mode 2 when updelay is nonzero Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 172/783] drbd: fix an invalid memory access caused by incorrect use of list iterator Greg Kroah-Hartman
` (621 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zheng Yongjun, Miquel Raynal, Sasha Levin
From: Zheng Yongjun <zhengyongjun3@huawei.com>
[ Upstream commit 2399401feee27c639addc5b7e6ba519d3ca341bf ]
Free 'info' upon remapping error to avoid a memory leak.
Fixes: e644f7d62894 ("[MTD] MAPS: Merge Lubbock and Mainstone drivers into common PXA2xx driver")
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
[<miquel.raynal@bootlin.com>: Reword the commit log]
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20221119073307.22929-1-zhengyongjun3@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/maps/pxa2xx-flash.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/mtd/maps/pxa2xx-flash.c b/drivers/mtd/maps/pxa2xx-flash.c
index 7d96758a8f04..6e5e55755970 100644
--- a/drivers/mtd/maps/pxa2xx-flash.c
+++ b/drivers/mtd/maps/pxa2xx-flash.c
@@ -66,6 +66,7 @@ static int pxa2xx_flash_probe(struct platform_device *pdev)
if (!info->map.virt) {
printk(KERN_WARNING "Failed to ioremap %s\n",
info->map.name);
+ kfree(info);
return -ENOMEM;
}
info->map.cached = ioremap_cache(info->map.phys, info->map.size);
@@ -87,6 +88,7 @@ static int pxa2xx_flash_probe(struct platform_device *pdev)
iounmap((void *)info->map.virt);
if (info->map.cached)
iounmap(info->map.cached);
+ kfree(info);
return -EIO;
}
info->mtd->dev.parent = &pdev->dev;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 172/783] drbd: fix an invalid memory access caused by incorrect use of list iterator
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 171/783] mtd: maps: pxa2xx-flash: fix memory leak in probe Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 173/783] ASoC: qcom: Add checks for devm_kcalloc Greg Kroah-Hartman
` (620 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaomeng Tong,
Christoph Böhmwalder, Lars Ellenberg, Jens Axboe,
Sasha Levin
From: Xiaomeng Tong <xiam0nd.tong@gmail.com>
[ Upstream commit ae4d37b5df749926891583d42a6801b5da11e3c1 ]
The bug is here:
idr_remove(&connection->peer_devices, vnr);
If the previous for_each_connection() don't exit early (no goto hit
inside the loop), the iterator 'connection' after the loop will be a
bogus pointer to an invalid structure object containing the HEAD
(&resource->connections). As a result, the use of 'connection' above
will lead to a invalid memory access (including a possible invalid free
as idr_remove could call free_layer).
The original intention should have been to remove all peer_devices,
but the following lines have already done the work. So just remove
this line and the unneeded label, to fix this bug.
Cc: stable@vger.kernel.org
Fixes: c06ece6ba6f1b ("drbd: Turn connection->volumes into connection->peer_devices")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
Reviewed-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/drbd/drbd_main.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
index 51450f7c81af..420bdaf8c356 100644
--- a/drivers/block/drbd/drbd_main.c
+++ b/drivers/block/drbd/drbd_main.c
@@ -2819,7 +2819,7 @@ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsig
if (init_submitter(device)) {
err = ERR_NOMEM;
- goto out_idr_remove_vol;
+ goto out_idr_remove_from_resource;
}
add_disk(disk);
@@ -2836,8 +2836,6 @@ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsig
drbd_debugfs_device_add(device);
return NO_ERROR;
-out_idr_remove_vol:
- idr_remove(&connection->peer_devices, vnr);
out_idr_remove_from_resource:
for_each_connection_safe(connection, n, resource) {
peer_device = idr_remove(&connection->peer_devices, vnr);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 173/783] ASoC: qcom: Add checks for devm_kcalloc
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 172/783] drbd: fix an invalid memory access caused by incorrect use of list iterator Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 174/783] media: vimc: Fix wrong function called when vimc_init() fails Greg Kroah-Hartman
` (619 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Mark Brown, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit 1bf5ee979076ceb121ee51c95197d890b1cee7f4 ]
As the devm_kcalloc may return NULL, the return value needs to be checked
to avoid NULL poineter dereference.
Fixes: 24caf8d9eb10 ("ASoC: qcom: lpass-sc7180: Add platform driver for lpass audio")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221124140510.63468-1-yuancan@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/qcom/lpass-sc7180.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/qcom/lpass-sc7180.c b/sound/soc/qcom/lpass-sc7180.c
index c647e627897a..cb4e9017cd77 100644
--- a/sound/soc/qcom/lpass-sc7180.c
+++ b/sound/soc/qcom/lpass-sc7180.c
@@ -129,6 +129,9 @@ static int sc7180_lpass_init(struct platform_device *pdev)
drvdata->clks = devm_kcalloc(dev, variant->num_clks,
sizeof(*drvdata->clks), GFP_KERNEL);
+ if (!drvdata->clks)
+ return -ENOMEM;
+
drvdata->num_clks = variant->num_clks;
for (i = 0; i < drvdata->num_clks; i++)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 174/783] media: vimc: Fix wrong function called when vimc_init() fails
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 173/783] ASoC: qcom: Add checks for devm_kcalloc Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 175/783] media: imon: fix a race condition in send_packet() Greg Kroah-Hartman
` (618 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Shuah Khan,
Mauro Carvalho Chehab, Sasha Levin
From: Chen Zhongjin <chenzhongjin@huawei.com>
[ Upstream commit f74d3f326d1d5b8951ce263c59a121ecfa65e7c0 ]
In vimc_init(), when platform_driver_register(&vimc_pdrv) fails,
platform_driver_unregister(&vimc_pdrv) is wrongly called rather than
platform_device_unregister(&vimc_pdev), which causes kernel warning:
Unexpected driver unregister!
WARNING: CPU: 1 PID: 14517 at drivers/base/driver.c:270 driver_unregister+0x8f/0xb0
RIP: 0010:driver_unregister+0x8f/0xb0
Call Trace:
<TASK>
vimc_init+0x7d/0x1000 [vimc]
do_one_initcall+0xd0/0x4e0
do_init_module+0x1cf/0x6b0
load_module+0x65c2/0x7820
Fixes: 4a29b7090749 ("[media] vimc: Subdevices as modules")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/test-drivers/vimc/vimc-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/test-drivers/vimc/vimc-core.c b/drivers/media/test-drivers/vimc/vimc-core.c
index 4b0ae6f51d76..857529ce3638 100644
--- a/drivers/media/test-drivers/vimc/vimc-core.c
+++ b/drivers/media/test-drivers/vimc/vimc-core.c
@@ -357,7 +357,7 @@ static int __init vimc_init(void)
if (ret) {
dev_err(&vimc_pdev.dev,
"platform driver registration failed (err=%d)\n", ret);
- platform_driver_unregister(&vimc_pdrv);
+ platform_device_unregister(&vimc_pdev);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 175/783] media: imon: fix a race condition in send_packet()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 174/783] media: vimc: Fix wrong function called when vimc_init() fails Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 176/783] clk: imx: replace osc_hdmi with dummy Greg Kroah-Hartman
` (617 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+0c3cb6dc05fbbdc3ad66,
Gautam Menghani, Sean Young, Mauro Carvalho Chehab, Sasha Levin
From: Gautam Menghani <gautammenghani201@gmail.com>
[ Upstream commit 813ceef062b53d68f296aa3cb944b21a091fabdb ]
The function send_packet() has a race condition as follows:
func send_packet()
{
// do work
call usb_submit_urb()
mutex_unlock()
wait_for_event_interruptible() <-- lock gone
mutex_lock()
}
func vfd_write()
{
mutex_lock()
call send_packet() <- prev call is not completed
mutex_unlock()
}
When the mutex is unlocked and the function send_packet() waits for the
call to complete, vfd_write() can start another call, which leads to the
"URB submitted while active" warning in usb_submit_urb().
Fix this by removing the mutex_unlock() call in send_packet() and using
mutex_lock_interruptible().
Link: https://syzkaller.appspot.com/bug?id=e378e6a51fbe6c5cc43e34f131cc9a315ef0337e
Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver")
Reported-by: syzbot+0c3cb6dc05fbbdc3ad66@syzkaller.appspotmail.com
Signed-off-by: Gautam Menghani <gautammenghani201@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/rc/imon.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index bc9ac6002e25..98a38755c694 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -646,15 +646,14 @@ static int send_packet(struct imon_context *ictx)
pr_err_ratelimited("error submitting urb(%d)\n", retval);
} else {
/* Wait for transmission to complete (or abort) */
- mutex_unlock(&ictx->lock);
retval = wait_for_completion_interruptible(
&ictx->tx.finished);
if (retval) {
usb_kill_urb(ictx->tx_urb);
pr_err_ratelimited("task interrupted\n");
}
- mutex_lock(&ictx->lock);
+ ictx->tx.busy = false;
retval = ictx->tx.status;
if (retval)
pr_err_ratelimited("packet tx failed (%d)\n", retval);
@@ -958,7 +957,8 @@ static ssize_t vfd_write(struct file *file, const char __user *buf,
if (ictx->disconnected)
return -ENODEV;
- mutex_lock(&ictx->lock);
+ if (mutex_lock_interruptible(&ictx->lock))
+ return -ERESTARTSYS;
if (!ictx->dev_present_intf0) {
pr_err_ratelimited("no iMON device present\n");
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 176/783] clk: imx: replace osc_hdmi with dummy
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 175/783] media: imon: fix a race condition in send_packet() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 177/783] pinctrl: pinconf-generic: add missing of_node_put() Greg Kroah-Hartman
` (616 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dario Binacchi, Marco Felsch,
Abel Vesa, Sasha Levin
From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
[ Upstream commit e7fa365ff66f16772dc06b480cd78f858d10856b ]
There is no occurrence of the hdmi oscillator in the reference manual
(document IMX8MNRM Rev 2, 07/2022). Further, if we consider the indexes
76-81 and 134 of the "Clock Root" table of chapter 5 of the RM, there is
no entry for the source select bits 101b, which is the setting referenced
by "osc_hdmi".
Fix by renaming "osc_hdmi" with "dummy", a clock which has already been
used for missing source select bits.
Tested on the BSH SystemMaster (SMM) S2 board.
Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver")
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Acked-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Link: https://lore.kernel.org/r/20221117113637.1978703-3-dario.binacchi@amarulasolutions.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/imx/clk-imx8mn.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/clk/imx/clk-imx8mn.c b/drivers/clk/imx/clk-imx8mn.c
index db122d94db58..8a49e072d6e8 100644
--- a/drivers/clk/imx/clk-imx8mn.c
+++ b/drivers/clk/imx/clk-imx8mn.c
@@ -105,27 +105,27 @@ static const char * const imx8mn_disp_pixel_sels[] = {"osc_24m", "video_pll1_out
"sys_pll3_out", "clk_ext4", };
static const char * const imx8mn_sai2_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
+ "video_pll1_out", "sys_pll1_133m", "dummy",
"clk_ext3", "clk_ext4", };
static const char * const imx8mn_sai3_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
+ "video_pll1_out", "sys_pll1_133m", "dummy",
"clk_ext3", "clk_ext4", };
static const char * const imx8mn_sai5_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
+ "video_pll1_out", "sys_pll1_133m", "dummy",
"clk_ext2", "clk_ext3", };
static const char * const imx8mn_sai6_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
+ "video_pll1_out", "sys_pll1_133m", "dummy",
"clk_ext3", "clk_ext4", };
static const char * const imx8mn_sai7_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
+ "video_pll1_out", "sys_pll1_133m", "dummy",
"clk_ext3", "clk_ext4", };
static const char * const imx8mn_spdif1_sels[] = {"osc_24m", "audio_pll1_out", "audio_pll2_out",
- "video_pll1_out", "sys_pll1_133m", "osc_hdmi",
+ "video_pll1_out", "sys_pll1_133m", "dummy",
"clk_ext2", "clk_ext3", };
static const char * const imx8mn_enet_ref_sels[] = {"osc_24m", "sys_pll2_125m", "sys_pll2_50m",
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 177/783] pinctrl: pinconf-generic: add missing of_node_put()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 176/783] clk: imx: replace osc_hdmi with dummy Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 178/783] media: dvb-core: Fix ignored return value in dvb_register_frontend() Greg Kroah-Hartman
` (615 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ZhangPeng, Linus Walleij, Sasha Levin
From: ZhangPeng <zhangpeng362@huawei.com>
[ Upstream commit 5ead93289815a075d43c415e35c8beafafb801c9 ]
of_node_put() needs to be called when jumping out of the loop, since
for_each_available_child_of_node() will increase the refcount of node.
Fixes: c7289500e29d ("pinctrl: pinconf-generic: scan also referenced phandle node")
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Link: https://lore.kernel.org/r/20221125070156.3535855-1-zhangpeng362@huawei.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/pinconf-generic.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinconf-generic.c b/drivers/pinctrl/pinconf-generic.c
index 42e27dba62e2..762abb0dfebb 100644
--- a/drivers/pinctrl/pinconf-generic.c
+++ b/drivers/pinctrl/pinconf-generic.c
@@ -393,8 +393,10 @@ int pinconf_generic_dt_node_to_map(struct pinctrl_dev *pctldev,
for_each_available_child_of_node(np_config, np) {
ret = pinconf_generic_dt_subnode_to_map(pctldev, np, map,
&reserved_maps, num_maps, type);
- if (ret < 0)
+ if (ret < 0) {
+ of_node_put(np);
goto exit;
+ }
}
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 178/783] media: dvb-core: Fix ignored return value in dvb_register_frontend()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 177/783] pinctrl: pinconf-generic: add missing of_node_put() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 179/783] media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() Greg Kroah-Hartman
` (614 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Zhongjin,
Mauro Carvalho Chehab, Sasha Levin
From: Chen Zhongjin <chenzhongjin@huawei.com>
[ Upstream commit a574359e2e71ce16be212df3a082ed60a4bd2c5f ]
In dvb_register_frontend(), dvb_register_device() is possible to fail
but its return value is ignored.
It will cause use-after-free when module is removed, because in
dvb_unregister_frontend() it tries to unregister a not registered
device.
BUG: KASAN: use-after-free in dvb_remove_device+0x18b/0x1f0 [dvb_core]
Read of size 4 at addr ffff88800dff4824 by task rmmod/428
CPU: 3 PID: 428 Comm: rmmod
Call Trace:
<TASK>
...
dvb_remove_device+0x18b/0x1f0 [dvb_core]
dvb_unregister_frontend+0x7b/0x130 [dvb_core]
vidtv_bridge_remove+0x6e/0x160 [dvb_vidtv_bridge]
...
Fix this by catching return value of dvb_register_device().
However the fe->refcount can't be put to zero immediately, because
there are still modules calling dvb_frontend_detach() when
dvb_register_frontend() fails.
Link: https://lore.kernel.org/linux-media/20221108033005.169095-1-chenzhongjin@huawei.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-core/dvb_frontend.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
index 06ea30a689d7..b28ea7204f23 100644
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -2961,6 +2961,7 @@ int dvb_register_frontend(struct dvb_adapter *dvb,
.name = fe->ops.info.name,
#endif
};
+ int ret;
dev_dbg(dvb->device, "%s:\n", __func__);
@@ -2994,8 +2995,13 @@ int dvb_register_frontend(struct dvb_adapter *dvb,
"DVB: registering adapter %i frontend %i (%s)...\n",
fe->dvb->num, fe->id, fe->ops.info.name);
- dvb_register_device(fe->dvb, &fepriv->dvbdev, &dvbdev_template,
+ ret = dvb_register_device(fe->dvb, &fepriv->dvbdev, &dvbdev_template,
fe, DVB_DEVICE_FRONTEND, 0);
+ if (ret) {
+ dvb_frontend_put(fe);
+ mutex_unlock(&frontend_mutex);
+ return ret;
+ }
/*
* Initialize the cache to the proper values according with the
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 179/783] media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 178/783] media: dvb-core: Fix ignored return value in dvb_register_frontend() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 180/783] media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC Greg Kroah-Hartman
` (613 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Chen, Baisong Zhong,
Mauro Carvalho Chehab, Sasha Levin
From: Baisong Zhong <zhongbaisong@huawei.com>
[ Upstream commit 0ed554fd769a19ea8464bb83e9ac201002ef74ad ]
Wei Chen reports a kernel bug as blew:
general protection fault, probably for non-canonical address
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
...
Call Trace:
<TASK>
__i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109
i2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170
i2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297
i2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd834a8bded
In az6027_i2c_xfer(), if msg[i].addr is 0x99,
a null-ptr-deref will caused when accessing msg[i].buf.
For msg[i].len is 0 and msg[i].buf is null.
Fix this by checking msg[i].len in az6027_i2c_xfer().
Link: https://lore.kernel.org/lkml/CAO4mrfcPHB5aQJO=mpqV+p8mPLNg-Fok0gw8gZ=zemAfMGTzMg@mail.gmail.com/
Link: https://lore.kernel.org/linux-media/20221120065918.2160782-1-zhongbaisong@huawei.com
Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver")
Reported-by: Wei Chen <harperchen1110@gmail.com>
Signed-off-by: Baisong Zhong <zhongbaisong@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/dvb-usb/az6027.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c
index 86788771175b..32b4ee65c280 100644
--- a/drivers/media/usb/dvb-usb/az6027.c
+++ b/drivers/media/usb/dvb-usb/az6027.c
@@ -975,6 +975,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n
if (msg[i].addr == 0x99) {
req = 0xBE;
index = 0;
+ if (msg[i].len < 1) {
+ i = -EOPNOTSUPP;
+ break;
+ }
value = msg[i].buf[0] & 0x00ff;
length = 1;
az6027_usb_out_op(d, req, value, index, data, length);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 180/783] media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 179/783] media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 181/783] drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() Greg Kroah-Hartman
` (612 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alim Akhtar, Aakarsh Jain,
Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin
From: Aakarsh Jain <aakarsh.jain@samsung.com>
[ Upstream commit f50ebe10f5d8092c37e2bd430c78e03bf38b1e20 ]
Commit 5441e9dafdfc6dc40 ("[media] s5p-mfc: Core support for MFC v7")
which adds mfc v7 support for Exynos3250 and use the same compatible
string as used by Exynos5240 but both the IPs are a bit different in
terms of IP clock.
Add variant driver data based on the new compatible string
"samsung,exynos3250-mfc" for Exynos3250 SoC.
Suggested-by: Alim Akhtar <alim.akhtar@samsung.com>
Fixes: 5441e9dafdfc ("[media] s5p-mfc: Core support for MFC v7")
Signed-off-by: Aakarsh Jain <aakarsh.jain@samsung.com>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/s5p-mfc/s5p_mfc.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c
index f336a9543273..6cbec3bbfce6 100644
--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
@@ -1584,8 +1584,18 @@ static struct s5p_mfc_variant mfc_drvdata_v7 = {
.port_num = MFC_NUM_PORTS_V7,
.buf_size = &buf_size_v7,
.fw_name[0] = "s5p-mfc-v7.fw",
- .clk_names = {"mfc", "sclk_mfc"},
- .num_clocks = 2,
+ .clk_names = {"mfc"},
+ .num_clocks = 1,
+};
+
+static struct s5p_mfc_variant mfc_drvdata_v7_3250 = {
+ .version = MFC_VERSION_V7,
+ .version_bit = MFC_V7_BIT,
+ .port_num = MFC_NUM_PORTS_V7,
+ .buf_size = &buf_size_v7,
+ .fw_name[0] = "s5p-mfc-v7.fw",
+ .clk_names = {"mfc", "sclk_mfc"},
+ .num_clocks = 2,
};
static struct s5p_mfc_buf_size_v6 mfc_buf_size_v8 = {
@@ -1655,6 +1665,9 @@ static const struct of_device_id exynos_mfc_match[] = {
}, {
.compatible = "samsung,mfc-v7",
.data = &mfc_drvdata_v7,
+ }, {
+ .compatible = "samsung,exynos3250-mfc",
+ .data = &mfc_drvdata_v7_3250,
}, {
.compatible = "samsung,mfc-v8",
.data = &mfc_drvdata_v8,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 181/783] drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 180/783] media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 182/783] ASoC: dt-bindings: wcd9335: fix reset line polarity in example Greg Kroah-Hartman
` (611 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Zekun, Thierry Reding, Sasha Levin
From: Zhang Zekun <zhangzekun11@huawei.com>
[ Upstream commit 7ad4384d53c67672a8720cdc2ef638d7d1710ab8 ]
Add the missing clk_disable_unprepare() before return from
tegra_dc_probe() in the error handling path.
Fixes: f68ba6912bd2 ("drm/tegra: dc: Link DC1 to DC0 on Tegra20")
Signed-off-by: Zhang Zekun <zhangzekun11@huawei.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/tegra/dc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c
index ceb86338c003..958d12da902d 100644
--- a/drivers/gpu/drm/tegra/dc.c
+++ b/drivers/gpu/drm/tegra/dc.c
@@ -2564,8 +2564,10 @@ static int tegra_dc_probe(struct platform_device *pdev)
usleep_range(2000, 4000);
err = reset_control_assert(dc->rst);
- if (err < 0)
+ if (err < 0) {
+ clk_disable_unprepare(dc->clk);
return err;
+ }
usleep_range(2000, 4000);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 182/783] ASoC: dt-bindings: wcd9335: fix reset line polarity in example
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 181/783] drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 183/783] ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd Greg Kroah-Hartman
` (610 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Torokhov,
Krzysztof Kozlowski, Mark Brown, Sasha Levin
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[ Upstream commit 34cb111f8a7b98b5fec809dd194003bca20ef1b2 ]
When resetting the block, the reset line is being driven low and then
high, which means that the line in DTS should be annotated as "active
low".
Fixes: 1877c9fda1b7 ("ASoC: dt-bindings: add dt bindings for wcd9335 audio codec")
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20221027074652.1044235-2-dmitry.torokhov@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/sound/qcom,wcd9335.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt b/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt
index 5d6ea66a863f..1f75feec3dec 100644
--- a/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt
+++ b/Documentation/devicetree/bindings/sound/qcom,wcd9335.txt
@@ -109,7 +109,7 @@ audio-codec@1{
reg = <1 0>;
interrupts = <&msmgpio 54 IRQ_TYPE_LEVEL_HIGH>;
interrupt-names = "intr2"
- reset-gpios = <&msmgpio 64 0>;
+ reset-gpios = <&msmgpio 64 GPIO_ACTIVE_LOW>;
slim-ifc-dev = <&wc9335_ifd>;
clock-names = "mclk", "native";
clocks = <&rpmcc RPM_SMD_DIV_CLK1>,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 183/783] ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 182/783] ASoC: dt-bindings: wcd9335: fix reset line polarity in example Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 184/783] NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding Greg Kroah-Hartman
` (609 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Mark Brown, Sasha Levin
From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
[ Upstream commit d067b3378a78c9c3048ac535e31c171b6f5b5846 ]
As the mtk_btcvsd_snd_write and mtk_btcvsd_snd_read may return error,
it should be better to catch the exception.
Fixes: 4bd8597dc36c ("ASoC: mediatek: add btcvsd driver")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Link: https://lore.kernel.org/r/20221116030750.40500-1-jiasheng@iscas.ac.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/mediatek/common/mtk-btcvsd.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/sound/soc/mediatek/common/mtk-btcvsd.c b/sound/soc/mediatek/common/mtk-btcvsd.c
index 86e982e3209e..e1f57b0dedd0 100644
--- a/sound/soc/mediatek/common/mtk-btcvsd.c
+++ b/sound/soc/mediatek/common/mtk-btcvsd.c
@@ -1038,11 +1038,9 @@ static int mtk_pcm_btcvsd_copy(struct snd_soc_component *component,
struct mtk_btcvsd_snd *bt = snd_soc_component_get_drvdata(component);
if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
- mtk_btcvsd_snd_write(bt, buf, count);
+ return mtk_btcvsd_snd_write(bt, buf, count);
else
- mtk_btcvsd_snd_read(bt, buf, count);
-
- return 0;
+ return mtk_btcvsd_snd_read(bt, buf, count);
}
/* kcontrol */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 184/783] NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 183/783] ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 185/783] NFSv4.2: Fix a memory stomp in decode_attr_security_label Greg Kroah-Hartman
` (608 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit eef7314caf2d73a94b68ba293cd105154d3a664e ]
We need to clear the FATTR4_WORD2_SECURITY_LABEL bitmap flag
irrespective of whether or not the label is too long.
Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs4xdr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index e2f0e3446e22..f8c89f9f4d52 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -4166,6 +4166,7 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
p = xdr_inline_decode(xdr, len);
if (unlikely(!p))
return -EIO;
+ bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
if (len < NFS4_MAXLABELLEN) {
if (label) {
if (label->len) {
@@ -4178,7 +4179,6 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
label->lfs = lfs;
status = NFS_ATTR_FATTR_V4_SECURITY_LABEL;
}
- bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
} else
printk(KERN_WARNING "%s: label too long (%u)!\n",
__func__, len);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 185/783] NFSv4.2: Fix a memory stomp in decode_attr_security_label
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 184/783] NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 186/783] NFSv4.2: Fix initialisation of struct nfs4_label Greg Kroah-Hartman
` (607 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 43c1031f7110967c240cb6e922adcfc4b8899183 ]
We must not change the value of label->len if it is zero, since that
indicates we stored a label.
Fixes: b4487b935452 ("nfs: Fix getxattr kernel panic and memory overflow")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs4xdr.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index f8c89f9f4d52..f1e599553f2b 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -4168,12 +4168,10 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap,
return -EIO;
bitmap[2] &= ~FATTR4_WORD2_SECURITY_LABEL;
if (len < NFS4_MAXLABELLEN) {
- if (label) {
- if (label->len) {
- if (label->len < len)
- return -ERANGE;
- memcpy(label->label, p, len);
- }
+ if (label && label->len) {
+ if (label->len < len)
+ return -ERANGE;
+ memcpy(label->label, p, len);
label->len = len;
label->pi = pi;
label->lfs = lfs;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 186/783] NFSv4.2: Fix initialisation of struct nfs4_label
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 185/783] NFSv4.2: Fix a memory stomp in decode_attr_security_label Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 187/783] NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn Greg Kroah-Hartman
` (606 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit c528f70f504434eaff993a5ddd52203a2010d51f ]
The call to nfs4_label_init_security() should return a fully initialised
label.
Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs4proc.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 36af3734ac87..15550d673e61 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -130,6 +130,11 @@ nfs4_label_init_security(struct inode *dir, struct dentry *dentry,
if (nfs_server_capable(dir, NFS_CAP_SECURITY_LABEL) == 0)
return NULL;
+ label->lfs = 0;
+ label->pi = 0;
+ label->len = 0;
+ label->label = NULL;
+
err = security_dentry_init_security(dentry, sattr->ia_mode,
&dentry->d_name, (void **)&label->label, &label->len);
if (err == 0)
@@ -3793,7 +3798,7 @@ nfs4_atomic_open(struct inode *dir, struct nfs_open_context *ctx,
int open_flags, struct iattr *attr, int *opened)
{
struct nfs4_state *state;
- struct nfs4_label l = {0, 0, 0, NULL}, *label = NULL;
+ struct nfs4_label l, *label;
label = nfs4_label_init_security(dir, ctx->dentry, attr, &l);
@@ -4557,7 +4562,7 @@ nfs4_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
int flags)
{
struct nfs_server *server = NFS_SERVER(dir);
- struct nfs4_label l, *ilabel = NULL;
+ struct nfs4_label l, *ilabel;
struct nfs_open_context *ctx;
struct nfs4_state *state;
int status = 0;
@@ -4916,7 +4921,7 @@ static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
struct nfs4_exception exception = {
.interruptible = true,
};
- struct nfs4_label l, *label = NULL;
+ struct nfs4_label l, *label;
int err;
label = nfs4_label_init_security(dir, dentry, sattr, &l);
@@ -4957,7 +4962,7 @@ static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
struct nfs4_exception exception = {
.interruptible = true,
};
- struct nfs4_label l, *label = NULL;
+ struct nfs4_label l, *label;
int err;
label = nfs4_label_init_security(dir, dentry, sattr, &l);
@@ -5078,7 +5083,7 @@ static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
struct nfs4_exception exception = {
.interruptible = true,
};
- struct nfs4_label l, *label = NULL;
+ struct nfs4_label l, *label;
int err;
label = nfs4_label_init_security(dir, dentry, sattr, &l);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 187/783] NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 186/783] NFSv4.2: Fix initialisation of struct nfs4_label Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 188/783] NFS: Fix an Oops in nfs_d_automount() Greg Kroah-Hartman
` (605 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 51069e4aef6257b0454057359faed0ab0c9af083 ]
If we're asked to recover open state while a delegation return is
outstanding, then the state manager thread cannot use a cached open, so
if the server returns a delegation, we can end up deadlocked behind the
pending delegreturn.
To avoid this problem, let's just ask the server not to give us a
delegation unless we're explicitly reclaiming one.
Fixes: be36e185bd26 ("NFSv4: nfs4_open_recover_helper() must set share access")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs4proc.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 15550d673e61..ee46ab09e330 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -2126,18 +2126,18 @@ static struct nfs4_opendata *nfs4_open_recoverdata_alloc(struct nfs_open_context
}
static int nfs4_open_recover_helper(struct nfs4_opendata *opendata,
- fmode_t fmode)
+ fmode_t fmode)
{
struct nfs4_state *newstate;
+ struct nfs_server *server = NFS_SB(opendata->dentry->d_sb);
+ int openflags = opendata->o_arg.open_flags;
int ret;
if (!nfs4_mode_match_open_stateid(opendata->state, fmode))
return 0;
- opendata->o_arg.open_flags = 0;
opendata->o_arg.fmode = fmode;
- opendata->o_arg.share_access = nfs4_map_atomic_open_share(
- NFS_SB(opendata->dentry->d_sb),
- fmode, 0);
+ opendata->o_arg.share_access =
+ nfs4_map_atomic_open_share(server, fmode, openflags);
memset(&opendata->o_res, 0, sizeof(opendata->o_res));
memset(&opendata->c_res, 0, sizeof(opendata->c_res));
nfs4_init_opendata_res(opendata);
@@ -2713,10 +2713,15 @@ static int _nfs4_open_expired(struct nfs_open_context *ctx, struct nfs4_state *s
struct nfs4_opendata *opendata;
int ret;
- opendata = nfs4_open_recoverdata_alloc(ctx, state,
- NFS4_OPEN_CLAIM_FH);
+ opendata = nfs4_open_recoverdata_alloc(ctx, state, NFS4_OPEN_CLAIM_FH);
if (IS_ERR(opendata))
return PTR_ERR(opendata);
+ /*
+ * We're not recovering a delegation, so ask for no delegation.
+ * Otherwise the recovery thread could deadlock with an outstanding
+ * delegation return.
+ */
+ opendata->o_arg.open_flags = O_DIRECT;
ret = nfs4_open_recover(opendata, state);
if (ret == -ESTALE)
d_drop(ctx->dentry);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 188/783] NFS: Fix an Oops in nfs_d_automount()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 187/783] NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 189/783] ALSA: asihpi: fix missing pci_disable_device() Greg Kroah-Hartman
` (604 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Sasha Levin
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 35e3b6ae84935d0d7ff76cbdaa83411b0ad5e471 ]
When mounting from a NFSv4 referral, path->dentry can end up being a
negative dentry, so derive the struct nfs_server from the dentry
itself instead.
Fixes: 2b0143b5c986 ("VFS: normal filesystems (and lustre): d_inode() annotations")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/namespace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
index 2bcbe38afe2e..1f03445b5cb4 100644
--- a/fs/nfs/namespace.c
+++ b/fs/nfs/namespace.c
@@ -147,7 +147,7 @@ struct vfsmount *nfs_d_automount(struct path *path)
struct nfs_fs_context *ctx;
struct fs_context *fc;
struct vfsmount *mnt = ERR_PTR(-ENOMEM);
- struct nfs_server *server = NFS_SERVER(d_inode(path->dentry));
+ struct nfs_server *server = NFS_SB(path->dentry->d_sb);
struct nfs_client *client = server->nfs_client;
int timeout = READ_ONCE(nfs_mountpoint_expiry_timeout);
int ret;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 189/783] ALSA: asihpi: fix missing pci_disable_device()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 188/783] NFS: Fix an Oops in nfs_d_automount() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 190/783] wifi: iwlwifi: mvm: fix double free on tx path Greg Kroah-Hartman
` (603 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Shixin, Takashi Iwai, Sasha Levin
From: Liu Shixin <liushixin2@huawei.com>
[ Upstream commit 9d86515c3d4c0564a0c31a2df87d735353a1971e ]
pci_disable_device() need be called while module exiting, switch to use
pcim_enable(), pci_disable_device() will be called in pcim_release().
Fixes: 3285ea10e9b0 ("ALSA: asihpi - Interrelated HPI tidy up.")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Link: https://lore.kernel.org/r/20221126021429.3029562-1-liushixin2@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/asihpi/hpioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index bb31b7fe867d..477a5b4b50bc 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -361,7 +361,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
pci_dev->device, pci_dev->subsystem_vendor,
pci_dev->subsystem_device, pci_dev->devfn);
- if (pci_enable_device(pci_dev) < 0) {
+ if (pcim_enable_device(pci_dev) < 0) {
dev_err(&pci_dev->dev,
"pci_enable_device failed, disabling device\n");
return -EIO;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 190/783] wifi: iwlwifi: mvm: fix double free on tx path.
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 189/783] ALSA: asihpi: fix missing pci_disable_device() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 191/783] ASoC: mediatek: mt8173: Fix debugfs registration for components Greg Kroah-Hartman
` (602 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amol Jawale, Ben Greear,
Gregory Greenman, Sasha Levin
From: Ben Greear <greearb@candelatech.com>
[ Upstream commit 0473cbae2137b963bd0eaa74336131cb1d3bc6c3 ]
We see kernel crashes and lockups and KASAN errors related to ax210
firmware crashes. One of the KASAN dumps pointed at the tx path,
and it appears there is indeed a way to double-free an skb.
If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the
method will be freed. But, in case where we build TSO skb buffer,
the skb may also be freed in error case. So, return 0 in that particular
error case and do cleanup manually.
BUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90
iwlwifi 0000:06:00.0: 0x00000000 | tsf hi
Read of size 8 at addr ffff88813cfa4ba0 by task btserver/9650
CPU: 4 PID: 9650 Comm: btserver Tainted: G W 5.19.8+ #5
iwlwifi 0000:06:00.0: 0x00000000 | time gp1
Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/19/2019
Call Trace:
<TASK>
dump_stack_lvl+0x55/0x6d
print_report.cold.12+0xf2/0x684
iwlwifi 0000:06:00.0: 0x1D0915A8 | time gp2
? __list_del_entry_valid+0x12/0x90
kasan_report+0x8b/0x180
iwlwifi 0000:06:00.0: 0x00000001 | uCode revision type
? __list_del_entry_valid+0x12/0x90
__list_del_entry_valid+0x12/0x90
iwlwifi 0000:06:00.0: 0x00000048 | uCode version major
tcp_update_skb_after_send+0x5d/0x170
__tcp_transmit_skb+0xb61/0x15c0
iwlwifi 0000:06:00.0: 0xDAA05125 | uCode version minor
? __tcp_select_window+0x490/0x490
iwlwifi 0000:06:00.0: 0x00000420 | hw version
? trace_kmalloc_node+0x29/0xd0
? __kmalloc_node_track_caller+0x12a/0x260
? memset+0x1f/0x40
? __build_skb_around+0x125/0x150
? __alloc_skb+0x1d4/0x220
? skb_zerocopy_clone+0x55/0x230
iwlwifi 0000:06:00.0: 0x00489002 | board version
? kmalloc_reserve+0x80/0x80
? rcu_read_lock_bh_held+0x60/0xb0
tcp_write_xmit+0x3f1/0x24d0
iwlwifi 0000:06:00.0: 0x034E001C | hcmd
? __check_object_size+0x180/0x350
iwlwifi 0000:06:00.0: 0x24020000 | isr0
tcp_sendmsg_locked+0x8a9/0x1520
iwlwifi 0000:06:00.0: 0x01400000 | isr1
? tcp_sendpage+0x50/0x50
iwlwifi 0000:06:00.0: 0x48F0000A | isr2
? lock_release+0xb9/0x400
? tcp_sendmsg+0x14/0x40
iwlwifi 0000:06:00.0: 0x00C3080C | isr3
? lock_downgrade+0x390/0x390
? do_raw_spin_lock+0x114/0x1d0
iwlwifi 0000:06:00.0: 0x00200000 | isr4
? rwlock_bug.part.2+0x50/0x50
iwlwifi 0000:06:00.0: 0x034A001C | last cmd Id
? rwlock_bug.part.2+0x50/0x50
? lockdep_hardirqs_on_prepare+0xe/0x200
iwlwifi 0000:06:00.0: 0x0000C2F0 | wait_event
? __local_bh_enable_ip+0x87/0xe0
? inet_send_prepare+0x220/0x220
iwlwifi 0000:06:00.0: 0x000000C4 | l2p_control
tcp_sendmsg+0x22/0x40
sock_sendmsg+0x5f/0x70
iwlwifi 0000:06:00.0: 0x00010034 | l2p_duration
__sys_sendto+0x19d/0x250
iwlwifi 0000:06:00.0: 0x00000007 | l2p_mhvalid
? __ia32_sys_getpeername+0x40/0x40
iwlwifi 0000:06:00.0: 0x00000000 | l2p_addr_match
? rcu_read_lock_held_common+0x12/0x50
? rcu_read_lock_sched_held+0x5a/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? rcu_read_lock_sched_held+0x5a/0xd0
? rcu_read_lock_sched_held+0x5a/0xd0
? lock_release+0xb9/0x400
? lock_downgrade+0x390/0x390
? ktime_get+0x64/0x130
? ktime_get+0x8d/0x130
? rcu_read_lock_held_common+0x12/0x50
? rcu_read_lock_sched_held+0x5a/0xd0
? rcu_read_lock_held_common+0x12/0x50
? rcu_read_lock_sched_held+0x5a/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? rcu_read_lock_bh_held+0xb0/0xb0
__x64_sys_sendto+0x6f/0x80
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f1d126e4531
Code: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 35 80 0c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 55 48 83 ec 20 48 89
RSP: 002b:00007ffe21a679d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 000000000000ffdc RCX: 00007f1d126e4531
RDX: 0000000000010000 RSI: 000000000374acf0 RDI: 0000000000000014
RBP: 00007ffe21a67ac0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000010
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
</TASK>
Allocated by task 9650:
kasan_save_stack+0x1c/0x40
__kasan_slab_alloc+0x6d/0x90
kmem_cache_alloc_node+0xf3/0x2b0
__alloc_skb+0x191/0x220
tcp_stream_alloc_skb+0x3f/0x330
tcp_sendmsg_locked+0x67c/0x1520
tcp_sendmsg+0x22/0x40
sock_sendmsg+0x5f/0x70
__sys_sendto+0x19d/0x250
__x64_sys_sendto+0x6f/0x80
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Freed by task 9650:
kasan_save_stack+0x1c/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0x102/0x170
kmem_cache_free+0xc8/0x3e0
iwl_mvm_mac_itxq_xmit+0x124/0x270 [iwlmvm]
ieee80211_queue_skb+0x874/0xd10 [mac80211]
ieee80211_xmit_fast+0xf80/0x1180 [mac80211]
__ieee80211_subif_start_xmit+0x287/0x680 [mac80211]
ieee80211_subif_start_xmit+0xcd/0x730 [mac80211]
dev_hard_start_xmit+0xf6/0x420
__dev_queue_xmit+0x165b/0x1b50
ip_finish_output2+0x66e/0xfb0
__ip_finish_output+0x487/0x6d0
ip_output+0x11c/0x350
__ip_queue_xmit+0x36b/0x9d0
__tcp_transmit_skb+0xb35/0x15c0
tcp_write_xmit+0x3f1/0x24d0
tcp_sendmsg_locked+0x8a9/0x1520
tcp_sendmsg+0x22/0x40
sock_sendmsg+0x5f/0x70
__sys_sendto+0x19d/0x250
__x64_sys_sendto+0x6f/0x80
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x46/0xb0
The buggy address belongs to the object at ffff88813cfa4b40
which belongs to the cache skbuff_fclone_cache of size 472
The buggy address is located 96 bytes inside of
472-byte region [ffff88813cfa4b40, ffff88813cfa4d18)
The buggy address belongs to the physical page:
page:ffffea0004f3e900 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813cfa6c40 pfn:0x13cfa4
head:ffffea0004f3e900 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5fff8000010200(slab|head|node=0|zone=2|lastcpupid=0x3fff)
raw: 005fff8000010200 ffffea0004656b08 ffffea0008e8cf08 ffff8881081a5240
raw: ffff88813cfa6c40 0000000000170015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88813cfa4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88813cfa4b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff88813cfa4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88813cfa4c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88813cfa4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Fixes: 08f7d8b69aaf ("iwlwifi: mvm: bring back mvm GSO code")
Link: https://lore.kernel.org/linux-wireless/20220928193057.16132-1-greearb@candelatech.com/
Tested-by: Amol Jawale <amol.jawale@candelatech.com>
Signed-off-by: Ben Greear <greearb@candelatech.com>
Link: https://lore.kernel.org/r/20221123225313.21b1ee31d666.I3b3ba184433dd2a544d91eeeda29b467021824ae@changeid
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 7186e1dbbd6b..d310337b1625 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -1203,6 +1203,7 @@ int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
struct sk_buff_head mpdus_skbs;
unsigned int payload_len;
int ret;
+ struct sk_buff *orig_skb = skb;
if (WARN_ON_ONCE(!mvmsta))
return -1;
@@ -1235,8 +1236,17 @@ int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
ret = iwl_mvm_tx_mpdu(mvm, skb, &info, sta);
if (ret) {
+ /* Free skbs created as part of TSO logic that have not yet been dequeued */
__skb_queue_purge(&mpdus_skbs);
- return ret;
+ /* skb here is not necessarily same as skb that entered this method,
+ * so free it explicitly.
+ */
+ if (skb == orig_skb)
+ ieee80211_free_txskb(mvm->hw, skb);
+ else
+ kfree_skb(skb);
+ /* there was error, but we consumed skb one way or another, so return 0 */
+ return 0;
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 191/783] ASoC: mediatek: mt8173: Fix debugfs registration for components
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 190/783] wifi: iwlwifi: mvm: fix double free on tx path Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 192/783] ASoC: mediatek: mt8173: Enable IRQ when pdata is ready Greg Kroah-Hartman
` (601 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, AngeloGioacchino Del Regno,
Mark Brown, Sasha Levin
From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
[ Upstream commit 8c32984bc7da29828260ac514d5d4967f7e8f62d ]
When registering the mt8173-afe-pcm driver, we are also adding two
components: one is for the PCM DAIs and one is for the HDMI DAIs, but
when debugfs is enabled, we're getting the following issue:
[ 17.279176] debugfs: Directory '11220000.audio-controller' with parent 'mtk-rt5650' already present!
[ 17.288345] debugfs: Directory '11220000.audio-controller' with parent 'mtk-rt5650' already present!
To overcome to that without any potentially big rewrite of this driver,
similarly to what was done in mt8195-afe-pcm, add a debugfs_prefix to
the components before actually adding them.
Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20211111161108.502344-1-angelogioacchino.delregno@collabora.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 4cbb264d4e91 ("ASoC: mediatek: mt8173: Enable IRQ when pdata is ready")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 51 ++++++++++++++++++----
1 file changed, 43 insertions(+), 8 deletions(-)
diff --git a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
index 7e7bda70d12e..a8c7617978a6 100644
--- a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
+++ b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
@@ -1054,6 +1054,7 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev)
int irq_id;
struct mtk_base_afe *afe;
struct mt8173_afe_private *afe_priv;
+ struct snd_soc_component *comp_pcm, *comp_hdmi;
ret = dma_set_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(33));
if (ret)
@@ -1142,23 +1143,55 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev)
if (ret)
goto err_pm_disable;
- ret = devm_snd_soc_register_component(&pdev->dev,
- &mt8173_afe_pcm_dai_component,
- mt8173_afe_pcm_dais,
- ARRAY_SIZE(mt8173_afe_pcm_dais));
+ comp_pcm = devm_kzalloc(&pdev->dev, sizeof(*comp_pcm), GFP_KERNEL);
+ if (!comp_pcm) {
+ ret = -ENOMEM;
+ goto err_pm_disable;
+ }
+
+ ret = snd_soc_component_initialize(comp_pcm,
+ &mt8173_afe_pcm_dai_component,
+ &pdev->dev);
if (ret)
goto err_pm_disable;
- ret = devm_snd_soc_register_component(&pdev->dev,
- &mt8173_afe_hdmi_dai_component,
- mt8173_afe_hdmi_dais,
- ARRAY_SIZE(mt8173_afe_hdmi_dais));
+#ifdef CONFIG_DEBUG_FS
+ comp_pcm->debugfs_prefix = "pcm";
+#endif
+
+ ret = snd_soc_add_component(comp_pcm,
+ mt8173_afe_pcm_dais,
+ ARRAY_SIZE(mt8173_afe_pcm_dais));
+ if (ret)
+ goto err_pm_disable;
+
+ comp_hdmi = devm_kzalloc(&pdev->dev, sizeof(*comp_hdmi), GFP_KERNEL);
+ if (!comp_hdmi) {
+ ret = -ENOMEM;
+ goto err_pm_disable;
+ }
+
+ ret = snd_soc_component_initialize(comp_hdmi,
+ &mt8173_afe_hdmi_dai_component,
+ &pdev->dev);
if (ret)
goto err_pm_disable;
+#ifdef CONFIG_DEBUG_FS
+ comp_hdmi->debugfs_prefix = "hdmi";
+#endif
+
+ ret = snd_soc_add_component(comp_hdmi,
+ mt8173_afe_hdmi_dais,
+ ARRAY_SIZE(mt8173_afe_hdmi_dais));
+ if (ret)
+ goto err_cleanup_components;
+
dev_info(&pdev->dev, "MT8173 AFE driver initialized.\n");
return 0;
+err_cleanup_components:
+ snd_soc_unregister_component(&pdev->dev);
err_pm_disable:
pm_runtime_disable(&pdev->dev);
return ret;
@@ -1166,6 +1199,8 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev)
static int mt8173_afe_pcm_dev_remove(struct platform_device *pdev)
{
+ snd_soc_unregister_component(&pdev->dev);
+
pm_runtime_disable(&pdev->dev);
if (!pm_runtime_status_suspended(&pdev->dev))
mt8173_afe_runtime_suspend(&pdev->dev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 192/783] ASoC: mediatek: mt8173: Enable IRQ when pdata is ready
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 191/783] ASoC: mediatek: mt8173: Fix debugfs registration for components Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 193/783] drm/amd/pm/smu11: BACO is supported when its in BACO state Greg Kroah-Hartman
` (600 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ricardo Ribalda, Mark Brown, Sasha Levin
From: Ricardo Ribalda <ribalda@chromium.org>
[ Upstream commit 4cbb264d4e9136acab2c8fd39e39ab1b1402b84b ]
If the device does not come straight from reset, we might receive an IRQ
before we are ready to handle it.
Fixes:
[ 2.334737] Unable to handle kernel read from unreadable memory at virtual address 00000000000001e4
[ 2.522601] Call trace:
[ 2.525040] regmap_read+0x1c/0x80
[ 2.528434] mt8173_afe_irq_handler+0x40/0xf0
...
[ 2.598921] start_kernel+0x338/0x42c
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Fixes: ee0bcaff109f ("ASoC: mediatek: Add AFE platform driver")
Link: https://lore.kernel.org/r/20221128-mt8173-afe-v1-0-70728221628f@chromium.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/mediatek/mt8173/mt8173-afe-pcm.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
index a8c7617978a6..619d6733091c 100644
--- a/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
+++ b/sound/soc/mediatek/mt8173/mt8173-afe-pcm.c
@@ -1072,16 +1072,6 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev)
afe->dev = &pdev->dev;
- irq_id = platform_get_irq(pdev, 0);
- if (irq_id <= 0)
- return irq_id < 0 ? irq_id : -ENXIO;
- ret = devm_request_irq(afe->dev, irq_id, mt8173_afe_irq_handler,
- 0, "Afe_ISR_Handle", (void *)afe);
- if (ret) {
- dev_err(afe->dev, "could not request_irq\n");
- return ret;
- }
-
afe->base_addr = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(afe->base_addr))
return PTR_ERR(afe->base_addr);
@@ -1187,6 +1177,16 @@ static int mt8173_afe_pcm_dev_probe(struct platform_device *pdev)
if (ret)
goto err_cleanup_components;
+ irq_id = platform_get_irq(pdev, 0);
+ if (irq_id <= 0)
+ return irq_id < 0 ? irq_id : -ENXIO;
+ ret = devm_request_irq(afe->dev, irq_id, mt8173_afe_irq_handler,
+ 0, "Afe_ISR_Handle", (void *)afe);
+ if (ret) {
+ dev_err(afe->dev, "could not request_irq\n");
+ goto err_pm_disable;
+ }
+
dev_info(&pdev->dev, "MT8173 AFE driver initialized.\n");
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 193/783] drm/amd/pm/smu11: BACO is supported when its in BACO state
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 192/783] ASoC: mediatek: mt8173: Enable IRQ when pdata is ready Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 194/783] drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() Greg Kroah-Hartman
` (599 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lijo Lazar, Guchun Chen, Evan Quan,
Alex Deucher, Sasha Levin
From: Guchun Chen <guchun.chen@amd.com>
[ Upstream commit 6dca7efe6e522bf213c7dab691fa580d82f48f74 ]
Return true early if ASIC is in BACO state already, no need
to talk to SMU. It can fix the issue that driver was not
calling BACO exit at all in runtime pm resume, and a timing
issue leading to a PCI AER error happened eventually.
Fixes: 8795e182b02d ("PCI/portdrv: Don't disable AER reporting in get_port_device_capability()")
Suggested-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Guchun Chen <guchun.chen@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Reviewed-by: Evan Quan <evan.quan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c b/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
index e646f5931d79..89f20497c14f 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/smu_v11_0.c
@@ -1476,6 +1476,10 @@ bool smu_v11_0_baco_is_support(struct smu_context *smu)
if (!smu_baco->platform_support)
return false;
+ /* return true if ASIC is in BACO state already */
+ if (smu_v11_0_baco_get_state(smu) == SMU_BACO_STATE_ENTER)
+ return true;
+
/* Arcturus does not support this bit mask */
if (smu_cmn_feature_is_supported(smu, SMU_FEATURE_BACO_BIT) &&
!smu_cmn_feature_is_enabled(smu, SMU_FEATURE_BACO_BIT))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 194/783] drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 193/783] drm/amd/pm/smu11: BACO is supported when its in BACO state Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 195/783] drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() Greg Kroah-Hartman
` (598 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Alex Deucher, Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit 725a521a18734f65de05b8d353b5bd0d3ca4c37a ]
As comment of pci_get_class() says, it returns a pci_device with its
refcount increased and decreased the refcount for the input parameter
@from if it is not NULL.
If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we
need to call pci_dev_put() to decrease the refcount. Add the missing
pci_dev_put() to avoid refcount leak.
Fixes: d8ade3526b2a ("drm/radeon: handle non-VGA class pci devices with ATRM")
Fixes: c61e2775873f ("drm/radeon: split ATRM support out from the ATPX handler (v3)")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/radeon/radeon_bios.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c
index 34d2cb929c06..0c94147f7625 100644
--- a/drivers/gpu/drm/radeon/radeon_bios.c
+++ b/drivers/gpu/drm/radeon/radeon_bios.c
@@ -227,6 +227,7 @@ static bool radeon_atrm_get_bios(struct radeon_device *rdev)
if (!found)
return false;
+ pci_dev_put(pdev);
rdev->bios = kmalloc(size, GFP_KERNEL);
if (!rdev->bios) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 195/783] drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 194/783] drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 196/783] ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe Greg Kroah-Hartman
` (597 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Alex Deucher, Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit ca54639c7752edf1304d92ff4d0c049d4efc9ba0 ]
As comment of pci_get_class() says, it returns a pci_device with its
refcount increased and decreased the refcount for the input parameter
@from if it is not NULL.
If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we
need to call pci_dev_put() to decrease the refcount. Add the missing
pci_dev_put() to avoid refcount leak.
Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
index 6333cada1e09..4b568ee93243 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
@@ -313,6 +313,7 @@ static bool amdgpu_atrm_get_bios(struct amdgpu_device *adev)
if (!found)
return false;
+ pci_dev_put(pdev);
adev->bios = kmalloc(size, GFP_KERNEL);
if (!adev->bios) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 196/783] ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 195/783] drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 197/783] netfilter: conntrack: set icmpv6 redirects as RELATED Greg Kroah-Hartman
` (596 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Qilong, Mark Brown, Sasha Levin
From: Zhang Qilong <zhangqilong3@huawei.com>
[ Upstream commit 97b801be6f8e53676b9f2b105f54e35c745c1b22 ]
The pm_runtime_enable will increase power disable depth. Thus
a pairing decrement is needed on the error handling path to
keep it balanced according to context. We fix it by going to
err_pm instead of err_clk.
Fixes:f086ba9d5389c ("ASoC: pcm512x: Support mastering BCLK/LRCLK using the PLL")
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Link: https://lore.kernel.org/r/20220928160402.126140-1-zhangqilong3@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/pcm512x.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/sound/soc/codecs/pcm512x.c b/sound/soc/codecs/pcm512x.c
index 8153d3d01654..3677e9029f91 100644
--- a/sound/soc/codecs/pcm512x.c
+++ b/sound/soc/codecs/pcm512x.c
@@ -1599,7 +1599,7 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap)
if (val > 6) {
dev_err(dev, "Invalid pll-in\n");
ret = -EINVAL;
- goto err_clk;
+ goto err_pm;
}
pcm512x->pll_in = val;
}
@@ -1608,7 +1608,7 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap)
if (val > 6) {
dev_err(dev, "Invalid pll-out\n");
ret = -EINVAL;
- goto err_clk;
+ goto err_pm;
}
pcm512x->pll_out = val;
}
@@ -1617,12 +1617,12 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap)
dev_err(dev,
"Error: both pll-in and pll-out, or none\n");
ret = -EINVAL;
- goto err_clk;
+ goto err_pm;
}
if (pcm512x->pll_in && pcm512x->pll_in == pcm512x->pll_out) {
dev_err(dev, "Error: pll-in == pll-out\n");
ret = -EINVAL;
- goto err_clk;
+ goto err_pm;
}
}
#endif
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 197/783] netfilter: conntrack: set icmpv6 redirects as RELATED
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 196/783] ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 198/783] bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data Greg Kroah-Hartman
` (595 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Garver, Florian Westphal,
Pablo Neira Ayuso, Sasha Levin
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 7d7cfb48d81353e826493d24c7cec7360950968f ]
icmp conntrack will set icmp redirects as RELATED, but icmpv6 will not
do this.
For icmpv6, only icmp errors (code <= 128) are examined for RELATED state.
ICMPV6 Redirects are part of neighbour discovery mechanism, those are
handled by marking a selected subset (e.g. neighbour solicitations) as
UNTRACKED, but not REDIRECT -- they will thus be flagged as INVALID.
Add minimal support for REDIRECTs. No parsing of neighbour options is
added for simplicity, so this will only check that we have the embeeded
original header (ND_OPT_REDIRECT_HDR), and then attempt to do a flow
lookup for this tuple.
Also extend the existing test case to cover redirects.
Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.")
Reported-by: Eric Garver <eric@garver.life>
Link: https://github.com/firewalld/firewalld/issues/1046
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_proto_icmpv6.c | 53 +++++++++++++++++++
.../netfilter/conntrack_icmp_related.sh | 36 ++++++++++++-
2 files changed, 87 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c
index facd8c64ec4e..f1a87de1c60e 100644
--- a/net/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/netfilter/nf_conntrack_proto_icmpv6.c
@@ -130,6 +130,56 @@ static void icmpv6_error_log(const struct sk_buff *skb,
IPPROTO_ICMPV6, "%s", msg);
}
+static noinline_for_stack int
+nf_conntrack_icmpv6_redirect(struct nf_conn *tmpl, struct sk_buff *skb,
+ unsigned int dataoff,
+ const struct nf_hook_state *state)
+{
+ u8 hl = ipv6_hdr(skb)->hop_limit;
+ union nf_inet_addr outer_daddr;
+ union {
+ struct nd_opt_hdr nd_opt;
+ struct rd_msg rd_msg;
+ } tmp;
+ const struct nd_opt_hdr *nd_opt;
+ const struct rd_msg *rd_msg;
+
+ rd_msg = skb_header_pointer(skb, dataoff, sizeof(*rd_msg), &tmp.rd_msg);
+ if (!rd_msg) {
+ icmpv6_error_log(skb, state, "short redirect");
+ return -NF_ACCEPT;
+ }
+
+ if (rd_msg->icmph.icmp6_code != 0)
+ return NF_ACCEPT;
+
+ if (hl != 255 || !(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
+ icmpv6_error_log(skb, state, "invalid saddr or hoplimit for redirect");
+ return -NF_ACCEPT;
+ }
+
+ dataoff += sizeof(*rd_msg);
+
+ /* warning: rd_msg no longer usable after this call */
+ nd_opt = skb_header_pointer(skb, dataoff, sizeof(*nd_opt), &tmp.nd_opt);
+ if (!nd_opt || nd_opt->nd_opt_len == 0) {
+ icmpv6_error_log(skb, state, "redirect without options");
+ return -NF_ACCEPT;
+ }
+
+ /* We could call ndisc_parse_options(), but it would need
+ * skb_linearize() and a bit more work.
+ */
+ if (nd_opt->nd_opt_type != ND_OPT_REDIRECT_HDR)
+ return NF_ACCEPT;
+
+ memcpy(&outer_daddr.ip6, &ipv6_hdr(skb)->daddr,
+ sizeof(outer_daddr.ip6));
+ dataoff += 8;
+ return nf_conntrack_inet_error(tmpl, skb, dataoff, state,
+ IPPROTO_ICMPV6, &outer_daddr);
+}
+
int nf_conntrack_icmpv6_error(struct nf_conn *tmpl,
struct sk_buff *skb,
unsigned int dataoff,
@@ -160,6 +210,9 @@ int nf_conntrack_icmpv6_error(struct nf_conn *tmpl,
return NF_ACCEPT;
}
+ if (icmp6h->icmp6_type == NDISC_REDIRECT)
+ return nf_conntrack_icmpv6_redirect(tmpl, skb, dataoff, state);
+
/* is not error message ? */
if (icmp6h->icmp6_type >= 128)
return NF_ACCEPT;
diff --git a/tools/testing/selftests/netfilter/conntrack_icmp_related.sh b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh
index b48e1833bc89..76645aaf2b58 100755
--- a/tools/testing/selftests/netfilter/conntrack_icmp_related.sh
+++ b/tools/testing/selftests/netfilter/conntrack_icmp_related.sh
@@ -35,6 +35,8 @@ cleanup() {
for i in 1 2;do ip netns del nsrouter$i;done
}
+trap cleanup EXIT
+
ipv4() {
echo -n 192.168.$1.2
}
@@ -146,11 +148,17 @@ ip netns exec nsclient1 nft -f - <<EOF
table inet filter {
counter unknown { }
counter related { }
+ counter redir4 { }
+ counter redir6 { }
chain input {
type filter hook input priority 0; policy accept;
- meta l4proto { icmp, icmpv6 } ct state established,untracked accept
+ icmp type "redirect" ct state "related" counter name "redir4" accept
+ icmpv6 type "nd-redirect" ct state "related" counter name "redir6" accept
+
+ meta l4proto { icmp, icmpv6 } ct state established,untracked accept
meta l4proto { icmp, icmpv6 } ct state "related" counter name "related" accept
+
counter name "unknown" drop
}
}
@@ -279,5 +287,29 @@ else
echo "ERROR: icmp error RELATED state test has failed"
fi
-cleanup
+# add 'bad' route, expect icmp REDIRECT to be generated
+ip netns exec nsclient1 ip route add 192.168.1.42 via 192.168.1.1
+ip netns exec nsclient1 ip route add dead:1::42 via dead:1::1
+
+ip netns exec "nsclient1" ping -q -c 2 192.168.1.42 > /dev/null
+
+expect="packets 1 bytes 112"
+check_counter nsclient1 "redir4" "$expect"
+if [ $? -ne 0 ];then
+ ret=1
+fi
+
+ip netns exec "nsclient1" ping -c 1 dead:1::42 > /dev/null
+expect="packets 1 bytes 192"
+check_counter nsclient1 "redir6" "$expect"
+if [ $? -ne 0 ];then
+ ret=1
+fi
+
+if [ $ret -eq 0 ];then
+ echo "PASS: icmp redirects had RELATED state"
+else
+ echo "ERROR: icmp redirect RELATED state test has failed"
+fi
+
exit $ret
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 198/783] bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 197/783] netfilter: conntrack: set icmpv6 redirects as RELATED Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 199/783] bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect Greg Kroah-Hartman
` (594 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengcheng Yang, Daniel Borkmann,
Jakub Sitnicki, Sasha Levin
From: Pengcheng Yang <yangpc@wangsu.com>
[ Upstream commit 7a9841ca025275b5b0edfb0b618934abb6ceec15 ]
In tcp_bpf_send_verdict() redirection, the eval variable is assigned to
__SK_REDIRECT after the apply_bytes data is sent, if msg has more_data,
sock_put() will be called multiple times.
We should reset the eval variable to __SK_NONE every time more_data
starts.
This causes:
IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110
Modules linked in:
CPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1
Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014
Call Trace:
<TASK>
__tcp_transmit_skb+0xa1b/0xb90
? __alloc_skb+0x8c/0x1a0
? __kmalloc_node_track_caller+0x184/0x320
tcp_write_xmit+0x22a/0x1110
__tcp_push_pending_frames+0x32/0xf0
do_tcp_sendpages+0x62d/0x640
tcp_bpf_push+0xae/0x2c0
tcp_bpf_sendmsg_redir+0x260/0x410
? preempt_count_add+0x70/0xa0
tcp_bpf_send_verdict+0x386/0x4b0
tcp_bpf_sendmsg+0x21b/0x3b0
sock_sendmsg+0x58/0x70
__sys_sendto+0xfa/0x170
? xfd_validate_state+0x1d/0x80
? switch_fpu_return+0x59/0xe0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fixes: cd9733f5d75c ("tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function")
Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/1669718441-2654-2-git-send-email-yangpc@wangsu.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_bpf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index 809ee0f32d59..027f7f9256e1 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -316,7 +316,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
bool cork = false, enospc = sk_msg_full(msg);
struct sock *sk_redir;
u32 tosend, origsize, sent, delta = 0;
- u32 eval = __SK_NONE;
+ u32 eval;
int ret;
more_data:
@@ -347,6 +347,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
tosend = msg->sg.size;
if (psock->apply_bytes && psock->apply_bytes < tosend)
tosend = psock->apply_bytes;
+ eval = __SK_NONE;
switch (psock->eval) {
case __SK_PASS:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 199/783] bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 198/783] bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 200/783] bonding: uninitialized variable in bond_miimon_inspect() Greg Kroah-Hartman
` (593 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengcheng Yang, Daniel Borkmann,
Jakub Sitnicki, Sasha Levin
From: Pengcheng Yang <yangpc@wangsu.com>
[ Upstream commit 9072931f020bfd907d6d89ee21ff1481cd78b407 ]
Use apply_bytes on ingress redirect, when apply_bytes is less than
the length of msg data, some data may be skipped and lost in
bpf_tcp_ingress().
If there is still data in the scatterlist that has not been consumed,
we cannot move the msg iter.
Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/1669718441-2654-4-git-send-email-yangpc@wangsu.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_bpf.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index 027f7f9256e1..6a1685461f89 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -125,8 +125,11 @@ static int bpf_tcp_ingress(struct sock *sk, struct sk_psock *psock,
tmp->sg.end = i;
if (apply) {
apply_bytes -= size;
- if (!apply_bytes)
+ if (!apply_bytes) {
+ if (sge->length)
+ sk_msg_iter_var_prev(i);
break;
+ }
}
} while (i != msg->sg.end);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 200/783] bonding: uninitialized variable in bond_miimon_inspect()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 199/783] bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 201/783] spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE Greg Kroah-Hartman
` (592 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Pavan Chebbi,
Jay Vosburgh, Paolo Abeni, Sasha Levin
From: Dan Carpenter <error27@gmail.com>
[ Upstream commit e5214f363dabca240446272dac54d404501ad5e5 ]
The "ignore_updelay" variable needs to be initialized to false.
Fixes: f8a65ab2f3ff ("bonding: fix link recovery in mode 2 when updelay is nonzero")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Link: https://lore.kernel.org/r/Y4SWJlh3ohJ6EPTL@kili
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index e66092518fdd..c40b92f8d16b 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2393,10 +2393,10 @@ static int bond_slave_info_query(struct net_device *bond_dev, struct ifslave *in
/* called with rcu_read_lock() */
static int bond_miimon_inspect(struct bonding *bond)
{
+ bool ignore_updelay = false;
int link_state, commit = 0;
struct list_head *iter;
struct slave *slave;
- bool ignore_updelay;
if (BOND_MODE(bond) == BOND_MODE_ACTIVEBACKUP) {
ignore_updelay = !rcu_dereference(bond->curr_active_slave);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 201/783] spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 200/783] bonding: uninitialized variable in bond_miimon_inspect() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 202/783] wifi: mac80211: fix memory leak in ieee80211_if_add() Greg Kroah-Hartman
` (591 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Sverdlin, Mark Brown, Sasha Levin
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
[ Upstream commit 7dbfa445ff7393d1c4c066c1727c9e0af1251958 ]
Commit f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs")
has changed the user-space interface so that bogus SPI_CS_HIGH started
to appear in the mask returned by SPI_IOC_RD_MODE even for active-low CS
pins. Commit 138c9c32f090
("spi: spidev: Fix CS polarity if GPIO descriptors are used") fixed only
SPI_IOC_WR_MODE part of the problem. Let's fix SPI_IOC_RD_MODE
symmetrically.
Test case:
#include <sys/ioctl.h>
#include <fcntl.h>
#include <linux/spi/spidev.h>
int main(int argc, char **argv)
{
char modew = SPI_CPHA;
char moder;
int f = open("/dev/spidev0.0", O_RDWR);
if (f < 0)
return 1;
ioctl(f, SPI_IOC_WR_MODE, &modew);
ioctl(f, SPI_IOC_RD_MODE, &moder);
return moder == modew ? 0 : 2;
}
Fixes: f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Link: https://lore.kernel.org/r/20221130162927.539512-1-alexander.sverdlin@siemens.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spidev.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
index 859910ec8d9f..9c5ec99431d2 100644
--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -376,12 +376,23 @@ spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
switch (cmd) {
/* read requests */
case SPI_IOC_RD_MODE:
- retval = put_user(spi->mode & SPI_MODE_MASK,
- (__u8 __user *)arg);
- break;
case SPI_IOC_RD_MODE32:
- retval = put_user(spi->mode & SPI_MODE_MASK,
- (__u32 __user *)arg);
+ tmp = spi->mode;
+
+ {
+ struct spi_controller *ctlr = spi->controller;
+
+ if (ctlr->use_gpio_descriptors && ctlr->cs_gpiods &&
+ ctlr->cs_gpiods[spi->chip_select])
+ tmp &= ~SPI_CS_HIGH;
+ }
+
+ if (cmd == SPI_IOC_RD_MODE)
+ retval = put_user(tmp & SPI_MODE_MASK,
+ (__u8 __user *)arg);
+ else
+ retval = put_user(tmp & SPI_MODE_MASK,
+ (__u32 __user *)arg);
break;
case SPI_IOC_RD_LSB_FIRST:
retval = put_user((spi->mode & SPI_LSB_FIRST) ? 1 : 0,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 202/783] wifi: mac80211: fix memory leak in ieee80211_if_add()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 201/783] spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 203/783] wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails Greg Kroah-Hartman
` (590 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhengchao Shao, Johannes Berg, Sasha Levin
From: Zhengchao Shao <shaozhengchao@huawei.com>
[ Upstream commit 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293 ]
When register_netdevice() failed in ieee80211_if_add(), ndev->tstats
isn't released. Fix it.
Fixes: 5a490510ba5f ("mac80211: use per-CPU TX/RX statistics")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Link: https://lore.kernel.org/r/20221117064500.319983-1-shaozhengchao@huawei.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/iface.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 3a15ef8dd322..d04e5a1a7e0e 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -2013,6 +2013,7 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name,
ret = register_netdevice(ndev);
if (ret) {
+ ieee80211_if_free(ndev);
free_netdev(ndev);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 203/783] wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 202/783] wifi: mac80211: fix memory leak in ieee80211_if_add() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 204/783] wifi: mt76: fix coverity overrun-call in mt76_get_txpower() Greg Kroah-Hartman
` (589 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Johannes Berg, Sasha Levin
From: Chen Zhongjin <chenzhongjin@huawei.com>
[ Upstream commit 833a9fd28c9b7ccb39a334721379e992dc1c0c89 ]
In regulatory_init_db(), when it's going to return a error, reg_pdev
should be unregistered. When load_builtin_regdb_keys() fails it doesn't
do it and makes cfg80211 can't be reload with report:
sysfs: cannot create duplicate filename '/devices/platform/regulatory.0'
...
<TASK>
dump_stack_lvl+0x79/0x9b
sysfs_warn_dup.cold+0x1c/0x29
sysfs_create_dir_ns+0x22d/0x290
kobject_add_internal+0x247/0x800
kobject_add+0x135/0x1b0
device_add+0x389/0x1be0
platform_device_add+0x28f/0x790
platform_device_register_full+0x376/0x4b0
regulatory_init+0x9a/0x4b2 [cfg80211]
cfg80211_init+0x84/0x113 [cfg80211]
...
Fixes: 90a53e4432b1 ("cfg80211: implement regdb signature checking")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Link: https://lore.kernel.org/r/20221109090237.214127-1-chenzhongjin@huawei.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/reg.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index a1e64d967bd3..90297264d8ae 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -4185,8 +4185,10 @@ static int __init regulatory_init_db(void)
return -EINVAL;
err = load_builtin_regdb_keys();
- if (err)
+ if (err) {
+ platform_device_unregister(reg_pdev);
return err;
+ }
/* We always try to get an update for the static regdomain */
err = regulatory_hint_core(cfg80211_world_regdom->alpha2);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 204/783] wifi: mt76: fix coverity overrun-call in mt76_get_txpower()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 203/783] wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 205/783] regulator: core: fix module refcount leak in set_supply() Greg Kroah-Hartman
` (588 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Deren Wu, Felix Fietkau, Sasha Levin
From: Deren Wu <deren.wu@mediatek.com>
[ Upstream commit 03dd0d49de7db680a856fa566963bb8421f46368 ]
Make sure the nss is valid for nss_delta array. Return zero
if the index is invalid.
Coverity message:
Event overrun-call: Overrunning callee's array of size 4 by passing
argument "n_chains" (which evaluates to 15) in call to
"mt76_tx_power_nss_delta".
int delta = mt76_tx_power_nss_delta(n_chains);
Fixes: 07cda406308b ("mt76: fix rounding issues on converting per-chain and combined txpower")
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt76.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
index a5be66de1cff..5a8060790a61 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76.h
@@ -884,8 +884,9 @@ static inline bool mt76_is_skb_pktid(u8 pktid)
static inline u8 mt76_tx_power_nss_delta(u8 nss)
{
static const u8 nss_delta[4] = { 0, 6, 9, 12 };
+ u8 idx = nss - 1;
- return nss_delta[nss - 1];
+ return (idx < ARRAY_SIZE(nss_delta)) ? nss_delta[idx] : 0;
}
static inline bool mt76_testmode_enabled(struct mt76_dev *dev)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 205/783] regulator: core: fix module refcount leak in set_supply()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 204/783] wifi: mt76: fix coverity overrun-call in mt76_get_txpower() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 206/783] clk: qcom: clk-krait: fix wrong div2 functions Greg Kroah-Hartman
` (587 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit da46ee19cbd8344d6860816b4827a7ce95764867 ]
If create_regulator() fails in set_supply(), the module refcount
needs be put to keep refcount balanced.
Fixes: e2c09ae7a74d ("regulator: core: Increase refcount for regulator supply's module")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221201122706.4055992-2-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 60c0be2ea5c5..830a9be4432e 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1472,6 +1472,7 @@ static int set_supply(struct regulator_dev *rdev,
rdev->supply = create_regulator(supply_rdev, &rdev->dev, "SUPPLY");
if (rdev->supply == NULL) {
+ module_put(supply_rdev->owner);
err = -ENOMEM;
return err;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 206/783] clk: qcom: clk-krait: fix wrong div2 functions
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 205/783] regulator: core: fix module refcount leak in set_supply() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 207/783] hsr: Add a rcu-read lock to hsr_forward_skb() Greg Kroah-Hartman
` (586 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Marangi, Bjorn Andersson,
Sasha Levin
From: Christian Marangi <ansuelsmth@gmail.com>
[ Upstream commit d676d3a3717cf726d3affedbe5ba98fc4ccad7b3 ]
Currently div2 value is applied to the wrong bits. This is caused by a
bug in the code where the shift is done only for lpl, for anything
else the mask is not shifted to the correct bits.
Fix this by correctly shift if lpl is not supported.
Fixes: 4d7dc77babfe ("clk: qcom: Add support for Krait clocks")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221108215625.30186-1-ansuelsmth@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/clk-krait.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/clk/qcom/clk-krait.c b/drivers/clk/qcom/clk-krait.c
index 90046428693c..e74fc81a14d0 100644
--- a/drivers/clk/qcom/clk-krait.c
+++ b/drivers/clk/qcom/clk-krait.c
@@ -98,6 +98,8 @@ static int krait_div2_set_rate(struct clk_hw *hw, unsigned long rate,
if (d->lpl)
mask = mask << (d->shift + LPL_SHIFT) | mask << d->shift;
+ else
+ mask <<= d->shift;
spin_lock_irqsave(&krait_clock_reg_lock, flags);
val = krait_get_l2_indirect_reg(d->offset);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 207/783] hsr: Add a rcu-read lock to hsr_forward_skb().
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 206/783] clk: qcom: clk-krait: fix wrong div2 functions Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 208/783] net: hsr: generate supervision frame without HSR/PRP tag Greg Kroah-Hartman
` (585 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Jakub Kicinski, Sasha Levin
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit 5aa2820177af650293b2f9f1873c1f6f8e4ad7a4 ]
hsr_forward_skb() a skb and keeps information in an on-stack
hsr_frame_info. hsr_get_node() assigns hsr_frame_info::node_src which is
from a RCU list. This pointer is used later in hsr_forward_do().
I don't see a reason why this pointer can't vanish midway since there is
no guarantee that hsr_forward_skb() is invoked from an RCU read section.
Use rcu_read_lock() to protect hsr_frame_info::node_src from its
assignment until it is no longer used.
Fixes: f266a683a4804 ("net/hsr: Better frame dispatch")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/hsr/hsr_forward.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index cb9b54a7abd2..90b0ed16552b 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -545,11 +545,13 @@ void hsr_forward_skb(struct sk_buff *skb, struct hsr_port *port)
{
struct hsr_frame_info frame;
+ rcu_read_lock();
if (fill_frame_info(&frame, skb, port) < 0)
goto out_drop;
hsr_register_frame_in(frame.node_src, port, frame.sequence_nr);
hsr_forward_do(&frame);
+ rcu_read_unlock();
/* Gets called for ingress frames as well as egress from master port.
* So check and increment stats for master port only here.
*/
@@ -564,6 +566,7 @@ void hsr_forward_skb(struct sk_buff *skb, struct hsr_port *port)
return;
out_drop:
+ rcu_read_unlock();
port->dev->stats.tx_dropped++;
kfree_skb(skb);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 208/783] net: hsr: generate supervision frame without HSR/PRP tag
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 207/783] hsr: Add a rcu-read lock to hsr_forward_skb() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 209/783] hsr: Disable netpoll Greg Kroah-Hartman
` (584 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, George McCollister, Vladimir Oltean,
David S. Miller, Sasha Levin
From: George McCollister <george.mccollister@gmail.com>
[ Upstream commit 78be9217c4014cebac4d549cc2db1f2886d5a8fb ]
For a switch to offload insertion of HSR/PRP tags, frames must not be
sent to the CPU facing switch port with a tag. Generate supervision frames
(eth type ETH_P_PRP) without HSR v1 (ETH_P_HSR)/PRP tag and rely on
create_tagged_frame which inserts it later. This will allow skipping the
tag insertion for all outgoing frames in the future which is required for
HSR v1/PRP tag insertions to be offloaded.
HSR v0 supervision frames always contain tag information so insertion of
the tag can't be offloaded. IEC 62439-3 Ed.2.0 (HSR v1) specifically
notes that this was changed since v0 to allow offloading.
Signed-off-by: George McCollister <george.mccollister@gmail.com>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Tested-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: d5c7652eb16f ("hsr: Disable netpoll.")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/hsr/hsr_device.c | 39 +++++++--------------------------------
net/hsr/hsr_forward.c | 8 +++++++-
2 files changed, 14 insertions(+), 33 deletions(-)
diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
index fec1b014c0a2..7449c3c95317 100644
--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -232,7 +232,7 @@ static const struct header_ops hsr_header_ops = {
.parse = eth_header_parse,
};
-static struct sk_buff *hsr_init_skb(struct hsr_port *master, u16 proto)
+static struct sk_buff *hsr_init_skb(struct hsr_port *master)
{
struct hsr_priv *hsr = master->hsr;
struct sk_buff *skb;
@@ -244,8 +244,7 @@ static struct sk_buff *hsr_init_skb(struct hsr_port *master, u16 proto)
* being, for PRP it is a trailer and for HSR it is a
* header
*/
- skb = dev_alloc_skb(sizeof(struct hsr_tag) +
- sizeof(struct hsr_sup_tag) +
+ skb = dev_alloc_skb(sizeof(struct hsr_sup_tag) +
sizeof(struct hsr_sup_payload) + hlen + tlen);
if (!skb)
@@ -253,10 +252,9 @@ static struct sk_buff *hsr_init_skb(struct hsr_port *master, u16 proto)
skb_reserve(skb, hlen);
skb->dev = master->dev;
- skb->protocol = htons(proto);
skb->priority = TC_PRIO_CONTROL;
- if (dev_hard_header(skb, skb->dev, proto,
+ if (dev_hard_header(skb, skb->dev, ETH_P_PRP,
hsr->sup_multicast_addr,
skb->dev->dev_addr, skb->len) <= 0)
goto out;
@@ -278,12 +276,10 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
{
struct hsr_priv *hsr = master->hsr;
__u8 type = HSR_TLV_LIFE_CHECK;
- struct hsr_tag *hsr_tag = NULL;
struct hsr_sup_payload *hsr_sp;
struct hsr_sup_tag *hsr_stag;
unsigned long irqflags;
struct sk_buff *skb;
- u16 proto;
*interval = msecs_to_jiffies(HSR_LIFE_CHECK_INTERVAL);
if (hsr->announce_count < 3 && hsr->prot_version == 0) {
@@ -292,23 +288,12 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
hsr->announce_count++;
}
- if (!hsr->prot_version)
- proto = ETH_P_PRP;
- else
- proto = ETH_P_HSR;
-
- skb = hsr_init_skb(master, proto);
+ skb = hsr_init_skb(master);
if (!skb) {
WARN_ONCE(1, "HSR: Could not send supervision frame\n");
return;
}
- if (hsr->prot_version > 0) {
- hsr_tag = skb_put(skb, sizeof(struct hsr_tag));
- hsr_tag->encap_proto = htons(ETH_P_PRP);
- set_hsr_tag_LSDU_size(hsr_tag, HSR_V1_SUP_LSDUSIZE);
- }
-
hsr_stag = skb_put(skb, sizeof(struct hsr_sup_tag));
set_hsr_stag_path(hsr_stag, (hsr->prot_version ? 0x0 : 0xf));
set_hsr_stag_HSR_ver(hsr_stag, hsr->prot_version);
@@ -318,8 +303,6 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
if (hsr->prot_version > 0) {
hsr_stag->sequence_nr = htons(hsr->sup_sequence_nr);
hsr->sup_sequence_nr++;
- hsr_tag->sequence_nr = htons(hsr->sequence_nr);
- hsr->sequence_nr++;
} else {
hsr_stag->sequence_nr = htons(hsr->sequence_nr);
hsr->sequence_nr++;
@@ -335,7 +318,7 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
hsr_sp = skb_put(skb, sizeof(struct hsr_sup_payload));
ether_addr_copy(hsr_sp->macaddress_A, master->dev->dev_addr);
- if (skb_put_padto(skb, ETH_ZLEN + HSR_HLEN))
+ if (skb_put_padto(skb, ETH_ZLEN))
return;
hsr_forward_skb(skb, master);
@@ -351,10 +334,8 @@ static void send_prp_supervision_frame(struct hsr_port *master,
struct hsr_sup_tag *hsr_stag;
unsigned long irqflags;
struct sk_buff *skb;
- struct prp_rct *rct;
- u8 *tail;
- skb = hsr_init_skb(master, ETH_P_PRP);
+ skb = hsr_init_skb(master);
if (!skb) {
WARN_ONCE(1, "PRP: Could not send supervision frame\n");
return;
@@ -376,17 +357,11 @@ static void send_prp_supervision_frame(struct hsr_port *master,
hsr_sp = skb_put(skb, sizeof(struct hsr_sup_payload));
ether_addr_copy(hsr_sp->macaddress_A, master->dev->dev_addr);
- if (skb_put_padto(skb, ETH_ZLEN + HSR_HLEN)) {
+ if (skb_put_padto(skb, ETH_ZLEN)) {
spin_unlock_irqrestore(&master->hsr->seqnr_lock, irqflags);
return;
}
- tail = skb_tail_pointer(skb) - HSR_HLEN;
- rct = (struct prp_rct *)tail;
- rct->PRP_suffix = htons(ETH_P_PRP);
- set_prp_LSDU_size(rct, HSR_V1_SUP_LSDUSIZE);
- rct->sequence_nr = htons(hsr->sequence_nr);
- hsr->sequence_nr++;
spin_unlock_irqrestore(&master->hsr->seqnr_lock, irqflags);
hsr_forward_skb(skb, master);
diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index 90b0ed16552b..15653d3bb6ac 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -186,6 +186,7 @@ static struct sk_buff *prp_fill_rct(struct sk_buff *skb,
set_prp_LSDU_size(trailer, lsdu_size);
trailer->sequence_nr = htons(frame->sequence_nr);
trailer->PRP_suffix = htons(ETH_P_PRP);
+ skb->protocol = eth_hdr(skb)->h_proto;
return skb;
}
@@ -226,6 +227,7 @@ static struct sk_buff *hsr_fill_tag(struct sk_buff *skb,
hsr_ethhdr->hsr_tag.encap_proto = hsr_ethhdr->ethhdr.h_proto;
hsr_ethhdr->ethhdr.h_proto = htons(proto_version ?
ETH_P_HSR : ETH_P_PRP);
+ skb->protocol = hsr_ethhdr->ethhdr.h_proto;
return skb;
}
@@ -455,7 +457,11 @@ static void handle_std_frame(struct sk_buff *skb,
int hsr_fill_frame_info(__be16 proto, struct sk_buff *skb,
struct hsr_frame_info *frame)
{
- if (proto == htons(ETH_P_PRP) ||
+ struct hsr_port *port = frame->port_rcv;
+ struct hsr_priv *hsr = port->hsr;
+
+ /* HSRv0 supervisory frames double as a tag so treat them as tagged. */
+ if ((!hsr->prot_version && proto == htons(ETH_P_PRP)) ||
proto == htons(ETH_P_HSR)) {
/* Check if skb contains hsr_ethhdr */
if (skb->mac_len < sizeof(struct hsr_ethhdr))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 209/783] hsr: Disable netpoll.
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 208/783] net: hsr: generate supervision frame without HSR/PRP tag Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 210/783] hsr: Synchronize sending frames to have always incremented outgoing seq nr Greg Kroah-Hartman
` (583 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Jakub Kicinski, Sasha Levin
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit d5c7652eb16fa203d82546e0285136d7b321ffa9 ]
The hsr device is a software device. Its
net_device_ops::ndo_start_xmit() routine will process the packet and
then pass the resulting skb to dev_queue_xmit().
During processing, hsr acquires a lock with spin_lock_bh()
(hsr_add_node()) which needs to be promoted to the _irq() suffix in
order to avoid a potential deadlock.
Then there are the warnings in dev_queue_xmit() (due to
local_bh_disable() with disabled interrupts) left.
Instead trying to address those (there is qdisc and…) for netpoll sake,
just disable netpoll on hsr.
Disable netpoll on hsr and replace the _irqsave() locking with _bh().
Fixes: f421436a591d3 ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/hsr/hsr_device.c | 14 ++++++--------
net/hsr/hsr_forward.c | 5 ++---
2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
index 7449c3c95317..037ad39564a4 100644
--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -278,7 +278,6 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
__u8 type = HSR_TLV_LIFE_CHECK;
struct hsr_sup_payload *hsr_sp;
struct hsr_sup_tag *hsr_stag;
- unsigned long irqflags;
struct sk_buff *skb;
*interval = msecs_to_jiffies(HSR_LIFE_CHECK_INTERVAL);
@@ -299,7 +298,7 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
set_hsr_stag_HSR_ver(hsr_stag, hsr->prot_version);
/* From HSRv1 on we have separate supervision sequence numbers. */
- spin_lock_irqsave(&master->hsr->seqnr_lock, irqflags);
+ spin_lock_bh(&hsr->seqnr_lock);
if (hsr->prot_version > 0) {
hsr_stag->sequence_nr = htons(hsr->sup_sequence_nr);
hsr->sup_sequence_nr++;
@@ -307,7 +306,7 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
hsr_stag->sequence_nr = htons(hsr->sequence_nr);
hsr->sequence_nr++;
}
- spin_unlock_irqrestore(&master->hsr->seqnr_lock, irqflags);
+ spin_unlock_bh(&hsr->seqnr_lock);
hsr_stag->HSR_TLV_type = type;
/* TODO: Why 12 in HSRv0? */
@@ -332,7 +331,6 @@ static void send_prp_supervision_frame(struct hsr_port *master,
struct hsr_priv *hsr = master->hsr;
struct hsr_sup_payload *hsr_sp;
struct hsr_sup_tag *hsr_stag;
- unsigned long irqflags;
struct sk_buff *skb;
skb = hsr_init_skb(master);
@@ -347,7 +345,7 @@ static void send_prp_supervision_frame(struct hsr_port *master,
set_hsr_stag_HSR_ver(hsr_stag, (hsr->prot_version ? 1 : 0));
/* From HSRv1 on we have separate supervision sequence numbers. */
- spin_lock_irqsave(&master->hsr->seqnr_lock, irqflags);
+ spin_lock_bh(&hsr->seqnr_lock);
hsr_stag->sequence_nr = htons(hsr->sup_sequence_nr);
hsr->sup_sequence_nr++;
hsr_stag->HSR_TLV_type = PRP_TLV_LIFE_CHECK_DD;
@@ -358,11 +356,11 @@ static void send_prp_supervision_frame(struct hsr_port *master,
ether_addr_copy(hsr_sp->macaddress_A, master->dev->dev_addr);
if (skb_put_padto(skb, ETH_ZLEN)) {
- spin_unlock_irqrestore(&master->hsr->seqnr_lock, irqflags);
+ spin_unlock_bh(&hsr->seqnr_lock);
return;
}
- spin_unlock_irqrestore(&master->hsr->seqnr_lock, irqflags);
+ spin_unlock_bh(&hsr->seqnr_lock);
hsr_forward_skb(skb, master);
}
@@ -443,7 +441,7 @@ void hsr_dev_setup(struct net_device *dev)
dev->header_ops = &hsr_header_ops;
dev->netdev_ops = &hsr_device_ops;
SET_NETDEV_DEVTYPE(dev, &hsr_type);
- dev->priv_flags |= IFF_NO_QUEUE;
+ dev->priv_flags |= IFF_NO_QUEUE | IFF_DISABLE_NETPOLL;
dev->needs_free_netdev = true;
diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index 15653d3bb6ac..142bed7f1fea 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -437,7 +437,6 @@ static void handle_std_frame(struct sk_buff *skb,
{
struct hsr_port *port = frame->port_rcv;
struct hsr_priv *hsr = port->hsr;
- unsigned long irqflags;
frame->skb_hsr = NULL;
frame->skb_prp = NULL;
@@ -447,10 +446,10 @@ static void handle_std_frame(struct sk_buff *skb,
frame->is_from_san = true;
} else {
/* Sequence nr for the master node */
- spin_lock_irqsave(&hsr->seqnr_lock, irqflags);
+ spin_lock_bh(&hsr->seqnr_lock);
frame->sequence_nr = hsr->sequence_nr;
hsr->sequence_nr++;
- spin_unlock_irqrestore(&hsr->seqnr_lock, irqflags);
+ spin_unlock_bh(&hsr->seqnr_lock);
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 210/783] hsr: Synchronize sending frames to have always incremented outgoing seq nr.
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 209/783] hsr: Disable netpoll Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 211/783] hsr: Synchronize sequence number updates Greg Kroah-Hartman
` (582 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Jakub Kicinski, Sasha Levin
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit 06afd2c31d338fa762548580c1bf088703dd1e03 ]
Sending frames via the hsr (master) device requires a sequence number
which is tracked in hsr_priv::sequence_nr and protected by
hsr_priv::seqnr_lock. Each time a new frame is sent, it will obtain a
new id and then send it via the slave devices.
Each time a packet is sent (via hsr_forward_do()) the sequence number is
checked via hsr_register_frame_out() to ensure that a frame is not
handled twice. This make sense for the receiving side to ensure that the
frame is not injected into the stack twice after it has been received
from both slave ports.
There is no locking to cover the sending path which means the following
scenario is possible:
CPU0 CPU1
hsr_dev_xmit(skb1) hsr_dev_xmit(skb2)
fill_frame_info() fill_frame_info()
hsr_fill_frame_info() hsr_fill_frame_info()
handle_std_frame() handle_std_frame()
skb1's sequence_nr = 1
skb2's sequence_nr = 2
hsr_forward_do() hsr_forward_do()
hsr_register_frame_out(, 2) // okay, send)
hsr_register_frame_out(, 1) // stop, lower seq duplicate
Both skbs (or their struct hsr_frame_info) received an unique id.
However since skb2 was sent before skb1, the higher sequence number was
recorded in hsr_register_frame_out() and the late arriving skb1 was
dropped and never sent.
This scenario has been observed in a three node HSR setup, with node1 +
node2 having ping and iperf running in parallel. From time to time ping
reported a missing packet. Based on tracing that missing ping packet did
not leave the system.
It might be possible (didn't check) to drop the sequence number check on
the sending side. But if the higher sequence number leaves on wire
before the lower does and the destination receives them in that order
and it will drop the packet with the lower sequence number and never
inject into the stack.
Therefore it seems the only way is to lock the whole path from obtaining
the sequence number and sending via dev_queue_xmit() and assuming the
packets leave on wire in the same order (and don't get reordered by the
NIC).
Cover the whole path for the master interface from obtaining the ID
until after it has been forwarded via hsr_forward_skb() to ensure the
skbs are sent to the NIC in the order of the assigned sequence numbers.
Fixes: f421436a591d3 ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/hsr/hsr_device.c | 12 +++++++-----
net/hsr/hsr_forward.c | 3 +--
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/net/hsr/hsr_device.c b/net/hsr/hsr_device.c
index 037ad39564a4..84e6ef4f3525 100644
--- a/net/hsr/hsr_device.c
+++ b/net/hsr/hsr_device.c
@@ -219,7 +219,9 @@ static netdev_tx_t hsr_dev_xmit(struct sk_buff *skb, struct net_device *dev)
skb->dev = master->dev;
skb_reset_mac_header(skb);
skb_reset_mac_len(skb);
+ spin_lock_bh(&hsr->seqnr_lock);
hsr_forward_skb(skb, master);
+ spin_unlock_bh(&hsr->seqnr_lock);
} else {
atomic_long_inc(&dev->tx_dropped);
dev_kfree_skb_any(skb);
@@ -306,7 +308,6 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
hsr_stag->sequence_nr = htons(hsr->sequence_nr);
hsr->sequence_nr++;
}
- spin_unlock_bh(&hsr->seqnr_lock);
hsr_stag->HSR_TLV_type = type;
/* TODO: Why 12 in HSRv0? */
@@ -317,11 +318,13 @@ static void send_hsr_supervision_frame(struct hsr_port *master,
hsr_sp = skb_put(skb, sizeof(struct hsr_sup_payload));
ether_addr_copy(hsr_sp->macaddress_A, master->dev->dev_addr);
- if (skb_put_padto(skb, ETH_ZLEN))
+ if (skb_put_padto(skb, ETH_ZLEN)) {
+ spin_unlock_bh(&hsr->seqnr_lock);
return;
+ }
hsr_forward_skb(skb, master);
-
+ spin_unlock_bh(&hsr->seqnr_lock);
return;
}
@@ -360,9 +363,8 @@ static void send_prp_supervision_frame(struct hsr_port *master,
return;
}
- spin_unlock_bh(&hsr->seqnr_lock);
-
hsr_forward_skb(skb, master);
+ spin_unlock_bh(&hsr->seqnr_lock);
}
/* Announce (supervision frame) timer function
diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
index 142bed7f1fea..aec48e670fb6 100644
--- a/net/hsr/hsr_forward.c
+++ b/net/hsr/hsr_forward.c
@@ -446,10 +446,9 @@ static void handle_std_frame(struct sk_buff *skb,
frame->is_from_san = true;
} else {
/* Sequence nr for the master node */
- spin_lock_bh(&hsr->seqnr_lock);
+ lockdep_assert_held(&hsr->seqnr_lock);
frame->sequence_nr = hsr->sequence_nr;
hsr->sequence_nr++;
- spin_unlock_bh(&hsr->seqnr_lock);
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 211/783] hsr: Synchronize sequence number updates.
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 210/783] hsr: Synchronize sending frames to have always incremented outgoing seq nr Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 212/783] configfs: fix possible memory leak in configfs_create_dir() Greg Kroah-Hartman
` (581 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sebastian Andrzej Siewior,
Jakub Kicinski, Sasha Levin
From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
[ Upstream commit 5c7aa13210c3abdd34fd421f62347665ec6eb551 ]
hsr_register_frame_out() compares new sequence_nr vs the old one
recorded in hsr_node::seq_out and if the new sequence_nr is higher then
it will be written to hsr_node::seq_out as the new value.
This operation isn't locked so it is possible that two frames with the
same sequence number arrive (via the two slave devices) and are fed to
hsr_register_frame_out() at the same time. Both will pass the check and
update the sequence counter later to the same value. As a result the
content of the same packet is fed into the stack twice.
This was noticed by running ping and observing DUP being reported from
time to time.
Instead of using the hsr_priv::seqnr_lock for the whole receive path (as
it is for sending in the master node) add an additional lock that is only
used for sequence number checks and updates.
Add a per-node lock that is used during sequence number reads and
updates.
Fixes: f421436a591d3 ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)")
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/hsr/hsr_framereg.c | 9 ++++++++-
net/hsr/hsr_framereg.h | 2 ++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c
index 805f974923b9..20cb6b7dbc69 100644
--- a/net/hsr/hsr_framereg.c
+++ b/net/hsr/hsr_framereg.c
@@ -159,6 +159,7 @@ static struct hsr_node *hsr_add_node(struct hsr_priv *hsr,
return NULL;
ether_addr_copy(new_node->macaddress_A, addr);
+ spin_lock_init(&new_node->seq_out_lock);
/* We are only interested in time diffs here, so use current jiffies
* as initialization. (0 could trigger an spurious ring error warning).
@@ -311,6 +312,7 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame)
goto done;
ether_addr_copy(node_real->macaddress_B, ethhdr->h_source);
+ spin_lock_bh(&node_real->seq_out_lock);
for (i = 0; i < HSR_PT_PORTS; i++) {
if (!node_curr->time_in_stale[i] &&
time_after(node_curr->time_in[i], node_real->time_in[i])) {
@@ -321,6 +323,7 @@ void hsr_handle_sup_frame(struct hsr_frame_info *frame)
if (seq_nr_after(node_curr->seq_out[i], node_real->seq_out[i]))
node_real->seq_out[i] = node_curr->seq_out[i];
}
+ spin_unlock_bh(&node_real->seq_out_lock);
node_real->addr_B_port = port_rcv->type;
spin_lock_bh(&hsr->list_lock);
@@ -413,13 +416,17 @@ void hsr_register_frame_in(struct hsr_node *node, struct hsr_port *port,
int hsr_register_frame_out(struct hsr_port *port, struct hsr_node *node,
u16 sequence_nr)
{
+ spin_lock_bh(&node->seq_out_lock);
if (seq_nr_before_or_eq(sequence_nr, node->seq_out[port->type]) &&
time_is_after_jiffies(node->time_out[port->type] +
- msecs_to_jiffies(HSR_ENTRY_FORGET_TIME)))
+ msecs_to_jiffies(HSR_ENTRY_FORGET_TIME))) {
+ spin_unlock_bh(&node->seq_out_lock);
return 1;
+ }
node->time_out[port->type] = jiffies;
node->seq_out[port->type] = sequence_nr;
+ spin_unlock_bh(&node->seq_out_lock);
return 0;
}
diff --git a/net/hsr/hsr_framereg.h b/net/hsr/hsr_framereg.h
index d9628e7a5f05..5a771cb3f032 100644
--- a/net/hsr/hsr_framereg.h
+++ b/net/hsr/hsr_framereg.h
@@ -69,6 +69,8 @@ void prp_update_san_info(struct hsr_node *node, bool is_sup);
struct hsr_node {
struct list_head mac_list;
+ /* Protect R/W access to seq_out */
+ spinlock_t seq_out_lock;
unsigned char macaddress_A[ETH_ALEN];
unsigned char macaddress_B[ETH_ALEN];
/* Local slave through which AddrB frames are received from this node */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 212/783] configfs: fix possible memory leak in configfs_create_dir()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 211/783] hsr: Synchronize sequence number updates Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 213/783] regulator: core: fix resource leak in regulator_register() Greg Kroah-Hartman
` (580 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Christoph Hellwig,
Sasha Levin
From: Chen Zhongjin <chenzhongjin@huawei.com>
[ Upstream commit c65234b283a65cfbfc94619655e820a5e55199eb ]
kmemleak reported memory leaks in configfs_create_dir():
unreferenced object 0xffff888009f6af00 (size 192):
comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
backtrace:
kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163)
configfs_register_subsystem (fs/configfs/dir.c:1857)
basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
do_one_initcall (init/main.c:1296)
do_init_module (kernel/module/main.c:2455)
...
unreferenced object 0xffff888003ba7180 (size 96):
comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s)
backtrace:
kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273)
configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194)
configfs_make_dirent (fs/configfs/dir.c:248)
configfs_create_dir (fs/configfs/dir.c:296)
configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852)
configfs_register_subsystem (fs/configfs/dir.c:1881)
basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic
do_one_initcall (init/main.c:1296)
do_init_module (kernel/module/main.c:2455)
...
This is because the refcount is not correct in configfs_make_dirent().
For normal stage, the refcount is changing as:
configfs_register_subsystem()
configfs_create_dir()
configfs_make_dirent()
configfs_new_dirent() # set s_count = 1
dentry->d_fsdata = configfs_get(sd); # s_count = 2
...
configfs_unregister_subsystem()
configfs_remove_dir()
remove_dir()
configfs_remove_dirent() # s_count = 1
dput() ...
*dentry_unlink_inode()*
configfs_d_iput() # s_count = 0, release
However, if we failed in configfs_create():
configfs_register_subsystem()
configfs_create_dir()
configfs_make_dirent() # s_count = 2
...
configfs_create() # fail
->out_remove:
configfs_remove_dirent(dentry)
configfs_put(sd) # s_count = 1
return PTR_ERR(inode);
There is no inode in the error path, so the configfs_d_iput() is lost
and makes sd and fragment memory leaked.
To fix this, when we failed in configfs_create(), manually call
configfs_put(sd) to keep the refcount correct.
Fixes: 7063fbf22611 ("[PATCH] configfs: User-driven configuration filesystem")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/configfs/dir.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index 5ad27e484014..12388ed4faa5 100644
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -317,6 +317,7 @@ static int configfs_create_dir(struct config_item *item, struct dentry *dentry,
return 0;
out_remove:
+ configfs_put(dentry->d_fsdata);
configfs_remove_dirent(dentry);
return PTR_ERR(inode);
}
@@ -383,6 +384,7 @@ int configfs_create_link(struct configfs_dirent *target, struct dentry *parent,
return 0;
out_remove:
+ configfs_put(dentry->d_fsdata);
configfs_remove_dirent(dentry);
return PTR_ERR(inode);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 213/783] regulator: core: fix resource leak in regulator_register()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 212/783] configfs: fix possible memory leak in configfs_create_dir() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 214/783] hwmon: (jc42) Convert register access and caching to regmap/regcache Greg Kroah-Hartman
` (579 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Mark Brown, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit ba62319a42c50e6254e98b3f316464fac8e77968 ]
I got some resource leak reports while doing fault injection test:
OF: ERROR: memory leak, expected refcount 1 instead of 100,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /i2c/pmic@64/regulators/buck1
unreferenced object 0xffff88810deea000 (size 512):
comm "490-i2c-rt5190a", pid 253, jiffies 4294859840 (age 5061.046s)
hex dump (first 32 bytes):
00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
ff ff ff ff ff ff ff ff a0 1e 00 a1 ff ff ff ff ................
backtrace:
[<00000000d78541e2>] kmalloc_trace+0x21/0x110
[<00000000b343d153>] device_private_init+0x32/0xd0
[<00000000be1f0c70>] device_add+0xb2d/0x1030
[<00000000e3e6344d>] regulator_register+0xaf2/0x12a0
[<00000000e2f5e754>] devm_regulator_register+0x57/0xb0
[<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator]
unreferenced object 0xffff88810b617b80 (size 32):
comm "490-i2c-rt5190a", pid 253, jiffies 4294859904 (age 5060.983s)
hex dump (first 32 bytes):
72 65 67 75 6c 61 74 6f 72 2e 32 38 36 38 2d 53 regulator.2868-S
55 50 50 4c 59 00 ff ff 29 00 00 00 2b 00 00 00 UPPLY...)...+...
backtrace:
[<000000009da9280d>] __kmalloc_node_track_caller+0x44/0x1b0
[<0000000025c6a4e5>] kstrdup+0x3a/0x70
[<00000000790efb69>] create_regulator+0xc0/0x4e0
[<0000000005ed203a>] regulator_resolve_supply+0x2d4/0x440
[<0000000045796214>] regulator_register+0x10b3/0x12a0
[<00000000e2f5e754>] devm_regulator_register+0x57/0xb0
[<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator]
After calling regulator_resolve_supply(), the 'rdev->supply' is set
by set_supply(), after this set, in the error path, the resources
need be released, so call regulator_put() to avoid the leaks.
Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator")
Fixes: 8a866d527ac0 ("regulator: core: Resolve supply name earlier to prevent double-init")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221202025111.496402-1-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 830a9be4432e..4472c31b9b00 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -5400,6 +5400,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
regulator_remove_coupling(rdev);
mutex_unlock(®ulator_list_mutex);
wash:
+ regulator_put(rdev->supply);
kfree(rdev->coupling_desc.coupled_rdevs);
mutex_lock(®ulator_list_mutex);
regulator_ena_gpio_free(rdev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 214/783] hwmon: (jc42) Convert register access and caching to regmap/regcache
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 213/783] regulator: core: fix resource leak in regulator_register() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 215/783] hwmon: (jc42) Restore the min/max/critical temperatures on resume Greg Kroah-Hartman
` (578 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Blumenstingl, Guenter Roeck,
Sasha Levin
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit 8f2fa4726faf01094d7a5be7bd0c120c565f54d9 ]
Switch the jc42 driver to use an I2C regmap to access the registers.
Also move over to regmap's built-in caching instead of adding a
custom caching implementation. This works for JC42_REG_TEMP_UPPER,
JC42_REG_TEMP_LOWER and JC42_REG_TEMP_CRITICAL as these values never
change except when explicitly written. The cache For JC42_REG_TEMP is
dropped (regmap can't cache it because it's volatile, meaning it can
change at any time) as well for simplicity and consistency with other
drivers.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://lore.kernel.org/r/20221023213157.11078-2-martin.blumenstingl@googlemail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Stable-dep-of: 084ed144c448 ("hwmon: (jc42) Restore the min/max/critical temperatures on resume")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/Kconfig | 1 +
drivers/hwmon/jc42.c | 233 ++++++++++++++++++++++++------------------
2 files changed, 132 insertions(+), 102 deletions(-)
diff --git a/drivers/hwmon/Kconfig b/drivers/hwmon/Kconfig
index f741c7492ee4..8a427467a842 100644
--- a/drivers/hwmon/Kconfig
+++ b/drivers/hwmon/Kconfig
@@ -766,6 +766,7 @@ config SENSORS_IT87
config SENSORS_JC42
tristate "JEDEC JC42.4 compliant memory module temperature sensors"
depends on I2C
+ select REGMAP_I2C
help
If you say yes here, you get support for JEDEC JC42.4 compliant
temperature sensors, which are used on many DDR3 memory modules for
diff --git a/drivers/hwmon/jc42.c b/drivers/hwmon/jc42.c
index 4a03d010ec5a..9a2a062eb7b8 100644
--- a/drivers/hwmon/jc42.c
+++ b/drivers/hwmon/jc42.c
@@ -19,6 +19,7 @@
#include <linux/err.h>
#include <linux/mutex.h>
#include <linux/of.h>
+#include <linux/regmap.h>
/* Addresses to scan */
static const unsigned short normal_i2c[] = {
@@ -189,31 +190,14 @@ static struct jc42_chips jc42_chips[] = {
{ STM_MANID, STTS3000_DEVID, STTS3000_DEVID_MASK },
};
-enum temp_index {
- t_input = 0,
- t_crit,
- t_min,
- t_max,
- t_num_temp
-};
-
-static const u8 temp_regs[t_num_temp] = {
- [t_input] = JC42_REG_TEMP,
- [t_crit] = JC42_REG_TEMP_CRITICAL,
- [t_min] = JC42_REG_TEMP_LOWER,
- [t_max] = JC42_REG_TEMP_UPPER,
-};
-
/* Each client has this additional data */
struct jc42_data {
- struct i2c_client *client;
struct mutex update_lock; /* protect register access */
+ struct regmap *regmap;
bool extended; /* true if extended range supported */
bool valid;
- unsigned long last_updated; /* In jiffies */
u16 orig_config; /* original configuration */
u16 config; /* current configuration */
- u16 temp[t_num_temp];/* Temperatures */
};
#define JC42_TEMP_MIN_EXTENDED (-40000)
@@ -238,85 +222,102 @@ static int jc42_temp_from_reg(s16 reg)
return reg * 125 / 2;
}
-static struct jc42_data *jc42_update_device(struct device *dev)
-{
- struct jc42_data *data = dev_get_drvdata(dev);
- struct i2c_client *client = data->client;
- struct jc42_data *ret = data;
- int i, val;
-
- mutex_lock(&data->update_lock);
-
- if (time_after(jiffies, data->last_updated + HZ) || !data->valid) {
- for (i = 0; i < t_num_temp; i++) {
- val = i2c_smbus_read_word_swapped(client, temp_regs[i]);
- if (val < 0) {
- ret = ERR_PTR(val);
- goto abort;
- }
- data->temp[i] = val;
- }
- data->last_updated = jiffies;
- data->valid = true;
- }
-abort:
- mutex_unlock(&data->update_lock);
- return ret;
-}
-
static int jc42_read(struct device *dev, enum hwmon_sensor_types type,
u32 attr, int channel, long *val)
{
- struct jc42_data *data = jc42_update_device(dev);
- int temp, hyst;
+ struct jc42_data *data = dev_get_drvdata(dev);
+ unsigned int regval;
+ int ret, temp, hyst;
- if (IS_ERR(data))
- return PTR_ERR(data);
+ mutex_lock(&data->update_lock);
switch (attr) {
case hwmon_temp_input:
- *val = jc42_temp_from_reg(data->temp[t_input]);
- return 0;
+ ret = regmap_read(data->regmap, JC42_REG_TEMP, ®val);
+ if (ret)
+ break;
+
+ *val = jc42_temp_from_reg(regval);
+ break;
case hwmon_temp_min:
- *val = jc42_temp_from_reg(data->temp[t_min]);
- return 0;
+ ret = regmap_read(data->regmap, JC42_REG_TEMP_LOWER, ®val);
+ if (ret)
+ break;
+
+ *val = jc42_temp_from_reg(regval);
+ break;
case hwmon_temp_max:
- *val = jc42_temp_from_reg(data->temp[t_max]);
- return 0;
+ ret = regmap_read(data->regmap, JC42_REG_TEMP_UPPER, ®val);
+ if (ret)
+ break;
+
+ *val = jc42_temp_from_reg(regval);
+ break;
case hwmon_temp_crit:
- *val = jc42_temp_from_reg(data->temp[t_crit]);
- return 0;
+ ret = regmap_read(data->regmap, JC42_REG_TEMP_CRITICAL,
+ ®val);
+ if (ret)
+ break;
+
+ *val = jc42_temp_from_reg(regval);
+ break;
case hwmon_temp_max_hyst:
- temp = jc42_temp_from_reg(data->temp[t_max]);
+ ret = regmap_read(data->regmap, JC42_REG_TEMP_UPPER, ®val);
+ if (ret)
+ break;
+
+ temp = jc42_temp_from_reg(regval);
hyst = jc42_hysteresis[(data->config & JC42_CFG_HYST_MASK)
>> JC42_CFG_HYST_SHIFT];
*val = temp - hyst;
- return 0;
+ break;
case hwmon_temp_crit_hyst:
- temp = jc42_temp_from_reg(data->temp[t_crit]);
+ ret = regmap_read(data->regmap, JC42_REG_TEMP_CRITICAL,
+ ®val);
+ if (ret)
+ break;
+
+ temp = jc42_temp_from_reg(regval);
hyst = jc42_hysteresis[(data->config & JC42_CFG_HYST_MASK)
>> JC42_CFG_HYST_SHIFT];
*val = temp - hyst;
- return 0;
+ break;
case hwmon_temp_min_alarm:
- *val = (data->temp[t_input] >> JC42_ALARM_MIN_BIT) & 1;
- return 0;
+ ret = regmap_read(data->regmap, JC42_REG_TEMP, ®val);
+ if (ret)
+ break;
+
+ *val = (regval >> JC42_ALARM_MIN_BIT) & 1;
+ break;
case hwmon_temp_max_alarm:
- *val = (data->temp[t_input] >> JC42_ALARM_MAX_BIT) & 1;
- return 0;
+ ret = regmap_read(data->regmap, JC42_REG_TEMP, ®val);
+ if (ret)
+ break;
+
+ *val = (regval >> JC42_ALARM_MAX_BIT) & 1;
+ break;
case hwmon_temp_crit_alarm:
- *val = (data->temp[t_input] >> JC42_ALARM_CRIT_BIT) & 1;
- return 0;
+ ret = regmap_read(data->regmap, JC42_REG_TEMP, ®val);
+ if (ret)
+ break;
+
+ *val = (regval >> JC42_ALARM_CRIT_BIT) & 1;
+ break;
default:
- return -EOPNOTSUPP;
+ ret = -EOPNOTSUPP;
+ break;
}
+
+ mutex_unlock(&data->update_lock);
+
+ return ret;
}
static int jc42_write(struct device *dev, enum hwmon_sensor_types type,
u32 attr, int channel, long val)
{
struct jc42_data *data = dev_get_drvdata(dev);
- struct i2c_client *client = data->client;
+ unsigned int regval;
int diff, hyst;
int ret;
@@ -324,21 +325,23 @@ static int jc42_write(struct device *dev, enum hwmon_sensor_types type,
switch (attr) {
case hwmon_temp_min:
- data->temp[t_min] = jc42_temp_to_reg(val, data->extended);
- ret = i2c_smbus_write_word_swapped(client, temp_regs[t_min],
- data->temp[t_min]);
+ ret = regmap_write(data->regmap, JC42_REG_TEMP_LOWER,
+ jc42_temp_to_reg(val, data->extended));
break;
case hwmon_temp_max:
- data->temp[t_max] = jc42_temp_to_reg(val, data->extended);
- ret = i2c_smbus_write_word_swapped(client, temp_regs[t_max],
- data->temp[t_max]);
+ ret = regmap_write(data->regmap, JC42_REG_TEMP_UPPER,
+ jc42_temp_to_reg(val, data->extended));
break;
case hwmon_temp_crit:
- data->temp[t_crit] = jc42_temp_to_reg(val, data->extended);
- ret = i2c_smbus_write_word_swapped(client, temp_regs[t_crit],
- data->temp[t_crit]);
+ ret = regmap_write(data->regmap, JC42_REG_TEMP_CRITICAL,
+ jc42_temp_to_reg(val, data->extended));
break;
case hwmon_temp_crit_hyst:
+ ret = regmap_read(data->regmap, JC42_REG_TEMP_CRITICAL,
+ ®val);
+ if (ret)
+ return ret;
+
/*
* JC42.4 compliant chips only support four hysteresis values.
* Pick best choice and go from there.
@@ -346,7 +349,7 @@ static int jc42_write(struct device *dev, enum hwmon_sensor_types type,
val = clamp_val(val, (data->extended ? JC42_TEMP_MIN_EXTENDED
: JC42_TEMP_MIN) - 6000,
JC42_TEMP_MAX);
- diff = jc42_temp_from_reg(data->temp[t_crit]) - val;
+ diff = jc42_temp_from_reg(regval) - val;
hyst = 0;
if (diff > 0) {
if (diff < 2250)
@@ -358,9 +361,8 @@ static int jc42_write(struct device *dev, enum hwmon_sensor_types type,
}
data->config = (data->config & ~JC42_CFG_HYST_MASK) |
(hyst << JC42_CFG_HYST_SHIFT);
- ret = i2c_smbus_write_word_swapped(data->client,
- JC42_REG_CONFIG,
- data->config);
+ ret = regmap_write(data->regmap, JC42_REG_CONFIG,
+ data->config);
break;
default:
ret = -EOPNOTSUPP;
@@ -458,51 +460,80 @@ static const struct hwmon_chip_info jc42_chip_info = {
.info = jc42_info,
};
+static bool jc42_readable_reg(struct device *dev, unsigned int reg)
+{
+ return (reg >= JC42_REG_CAP && reg <= JC42_REG_DEVICEID) ||
+ reg == JC42_REG_SMBUS;
+}
+
+static bool jc42_writable_reg(struct device *dev, unsigned int reg)
+{
+ return (reg >= JC42_REG_CONFIG && reg <= JC42_REG_TEMP_CRITICAL) ||
+ reg == JC42_REG_SMBUS;
+}
+
+static bool jc42_volatile_reg(struct device *dev, unsigned int reg)
+{
+ return reg == JC42_REG_CONFIG || reg == JC42_REG_TEMP;
+}
+
+static const struct regmap_config jc42_regmap_config = {
+ .reg_bits = 8,
+ .val_bits = 16,
+ .val_format_endian = REGMAP_ENDIAN_BIG,
+ .max_register = JC42_REG_SMBUS,
+ .writeable_reg = jc42_writable_reg,
+ .readable_reg = jc42_readable_reg,
+ .volatile_reg = jc42_volatile_reg,
+ .cache_type = REGCACHE_RBTREE,
+};
+
static int jc42_probe(struct i2c_client *client)
{
struct device *dev = &client->dev;
struct device *hwmon_dev;
+ unsigned int config, cap;
struct jc42_data *data;
- int config, cap;
+ int ret;
data = devm_kzalloc(dev, sizeof(struct jc42_data), GFP_KERNEL);
if (!data)
return -ENOMEM;
- data->client = client;
+ data->regmap = devm_regmap_init_i2c(client, &jc42_regmap_config);
+ if (IS_ERR(data->regmap))
+ return PTR_ERR(data->regmap);
+
i2c_set_clientdata(client, data);
mutex_init(&data->update_lock);
- cap = i2c_smbus_read_word_swapped(client, JC42_REG_CAP);
- if (cap < 0)
- return cap;
+ ret = regmap_read(data->regmap, JC42_REG_CAP, &cap);
+ if (ret)
+ return ret;
data->extended = !!(cap & JC42_CAP_RANGE);
if (device_property_read_bool(dev, "smbus-timeout-disable")) {
- int smbus;
-
/*
* Not all chips support this register, but from a
* quick read of various datasheets no chip appears
* incompatible with the below attempt to disable
* the timeout. And the whole thing is opt-in...
*/
- smbus = i2c_smbus_read_word_swapped(client, JC42_REG_SMBUS);
- if (smbus < 0)
- return smbus;
- i2c_smbus_write_word_swapped(client, JC42_REG_SMBUS,
- smbus | SMBUS_STMOUT);
+ ret = regmap_set_bits(data->regmap, JC42_REG_SMBUS,
+ SMBUS_STMOUT);
+ if (ret)
+ return ret;
}
- config = i2c_smbus_read_word_swapped(client, JC42_REG_CONFIG);
- if (config < 0)
- return config;
+ ret = regmap_read(data->regmap, JC42_REG_CONFIG, &config);
+ if (ret)
+ return ret;
data->orig_config = config;
if (config & JC42_CFG_SHUTDOWN) {
config &= ~JC42_CFG_SHUTDOWN;
- i2c_smbus_write_word_swapped(client, JC42_REG_CONFIG, config);
+ regmap_write(data->regmap, JC42_REG_CONFIG, config);
}
data->config = config;
@@ -523,7 +554,7 @@ static int jc42_remove(struct i2c_client *client)
config = (data->orig_config & ~JC42_CFG_HYST_MASK)
| (data->config & JC42_CFG_HYST_MASK);
- i2c_smbus_write_word_swapped(client, JC42_REG_CONFIG, config);
+ regmap_write(data->regmap, JC42_REG_CONFIG, config);
}
return 0;
}
@@ -535,8 +566,7 @@ static int jc42_suspend(struct device *dev)
struct jc42_data *data = dev_get_drvdata(dev);
data->config |= JC42_CFG_SHUTDOWN;
- i2c_smbus_write_word_swapped(data->client, JC42_REG_CONFIG,
- data->config);
+ regmap_write(data->regmap, JC42_REG_CONFIG, data->config);
return 0;
}
@@ -545,8 +575,7 @@ static int jc42_resume(struct device *dev)
struct jc42_data *data = dev_get_drvdata(dev);
data->config &= ~JC42_CFG_SHUTDOWN;
- i2c_smbus_write_word_swapped(data->client, JC42_REG_CONFIG,
- data->config);
+ regmap_write(data->regmap, JC42_REG_CONFIG, data->config);
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 215/783] hwmon: (jc42) Restore the min/max/critical temperatures on resume
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 214/783] hwmon: (jc42) Convert register access and caching to regmap/regcache Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 216/783] bpf, sockmap: fix race in sock_map_free() Greg Kroah-Hartman
` (577 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Martin Blumenstingl,
Sasha Levin
From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
[ Upstream commit 084ed144c448fd5bc8ed5a58247153fbbfd115c3 ]
The JC42 compatible thermal sensor on Kingston KSM32ES8/16ME DIMMs
(using Micron E-Die) is an ST Microelectronics STTS2004 (manufacturer
0x104a, device 0x2201). It does not keep the previously programmed
minimum, maximum and critical temperatures after system suspend and
resume (which is a shutdown / startup cycle for the JC42 temperature
sensor). This results in an alarm on system resume because the hardware
default for these values is 0°C (so any environment temperature greater
than 0°C will trigger the alarm).
Example before system suspend:
jc42-i2c-0-1a
Adapter: SMBus PIIX4 adapter port 0 at 0b00
temp1: +34.8°C (low = +0.0°C)
(high = +85.0°C, hyst = +85.0°C)
(crit = +95.0°C, hyst = +95.0°C)
Example after system resume (without this change):
jc42-i2c-0-1a
Adapter: SMBus PIIX4 adapter port 0 at 0b00
temp1: +34.8°C (low = +0.0°C) ALARM (HIGH, CRIT)
(high = +0.0°C, hyst = +0.0°C)
(crit = +0.0°C, hyst = +0.0°C)
Apply the cached values from the JC42_REG_TEMP_UPPER,
JC42_REG_TEMP_LOWER, JC42_REG_TEMP_CRITICAL and JC42_REG_SMBUS (where
the SMBUS register is not related to this issue but a side-effect of
using regcache_sync() during system resume with the previously
cached/programmed values. This fixes the alarm due to the hardware
defaults of 0°C because the previously applied limits (set by userspace)
are re-applied on system resume.
Fixes: 175c490c9e7f ("hwmon: (jc42) Add support for STTS2004 and AT30TSE004")
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://lore.kernel.org/r/20221023213157.11078-3-martin.blumenstingl@googlemail.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/jc42.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/hwmon/jc42.c b/drivers/hwmon/jc42.c
index 9a2a062eb7b8..5240bfdfcf2e 100644
--- a/drivers/hwmon/jc42.c
+++ b/drivers/hwmon/jc42.c
@@ -567,6 +567,10 @@ static int jc42_suspend(struct device *dev)
data->config |= JC42_CFG_SHUTDOWN;
regmap_write(data->regmap, JC42_REG_CONFIG, data->config);
+
+ regcache_cache_only(data->regmap, true);
+ regcache_mark_dirty(data->regmap);
+
return 0;
}
@@ -574,9 +578,13 @@ static int jc42_resume(struct device *dev)
{
struct jc42_data *data = dev_get_drvdata(dev);
+ regcache_cache_only(data->regmap, false);
+
data->config &= ~JC42_CFG_SHUTDOWN;
regmap_write(data->regmap, JC42_REG_CONFIG, data->config);
- return 0;
+
+ /* Restore cached register values to hardware */
+ return regcache_sync(data->regmap);
}
static const struct dev_pm_ops jc42_dev_pm_ops = {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 216/783] bpf, sockmap: fix race in sock_map_free()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 215/783] hwmon: (jc42) Restore the min/max/critical temperatures on resume Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 217/783] ALSA: pcm: Set missing stop_operating flag at undoing trigger start Greg Kroah-Hartman
` (576 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, syzbot,
Jakub Sitnicki, John Fastabend, Alexei Starovoitov,
Daniel Borkmann, Song Liu, Sasha Levin
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 0a182f8d607464911756b4dbef5d6cad8de22469 ]
sock_map_free() calls release_sock(sk) without owning a reference
on the socket. This can cause use-after-free as syzbot found [1]
Jakub Sitnicki already took care of a similar issue
in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash:
Synchronize delete from bucket list on map free")
[1]
refcount_t: decrement hit 0; leaking memory.
WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31
Modules linked in:
CPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: events_unbound bpf_map_free_deferred
RIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31
Code: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff
RSP: 0018:ffffc9000456fb60 EFLAGS: 00010246
RAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0
RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000
RBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5
R10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004
R13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_dec include/linux/refcount.h:344 [inline]
refcount_dec include/linux/refcount.h:359 [inline]
__sock_put include/net/sock.h:779 [inline]
tcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092
release_sock+0xaf/0x1c0 net/core/sock.c:3468
sock_map_free+0x219/0x2c0 net/core/sock_map.c:356
process_one_work+0x81c/0xd10 kernel/workqueue.c:2289
worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
kthread+0x266/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
</TASK>
Fixes: 7e81a3530206 ("bpf: Sockmap, ensure sock lock held during tear down")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Jakub Sitnicki <jakub@cloudflare.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Song Liu <songliubraving@fb.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/20221202111640.2745533-1-edumazet@google.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/sock_map.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index cbf4184fabc9..ee5d3f49b0b5 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -358,11 +358,13 @@ static void sock_map_free(struct bpf_map *map)
sk = xchg(psk, NULL);
if (sk) {
+ sock_hold(sk);
lock_sock(sk);
rcu_read_lock();
sock_map_unref(sk, psk);
rcu_read_unlock();
release_sock(sk);
+ sock_put(sk);
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 217/783] ALSA: pcm: Set missing stop_operating flag at undoing trigger start
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 216/783] bpf, sockmap: fix race in sock_map_free() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 218/783] media: saa7164: fix missing pci_disable_device() Greg Kroah-Hartman
` (575 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 5c8cc93b06d1ff860327a273abf3ac006290d242 ]
When a PCM trigger-start fails at snd_pcm_do_start(), PCM core tries
to undo the action at snd_pcm_undo_start() by issuing the trigger STOP
manually. At that point, we forgot to set the stop_operating flag,
hence the sync-stop won't be issued at the next prepare or other
calls.
This patch adds the missing stop_operating flag at
snd_pcm_undo_start().
Fixes: 1e850beea278 ("ALSA: pcm: Add the support for sync-stop operation")
Link: https://lore.kernel.org/r/b4e71631-4a94-613-27b2-fb595792630@carlh.net
Link: https://lore.kernel.org/r/20221205132124.11585-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/pcm_native.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/core/pcm_native.c b/sound/core/pcm_native.c
index 6cc7c2a9fe73..9425fcd30c4c 100644
--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -1413,8 +1413,10 @@ static int snd_pcm_do_start(struct snd_pcm_substream *substream,
static void snd_pcm_undo_start(struct snd_pcm_substream *substream,
snd_pcm_state_t state)
{
- if (substream->runtime->trigger_master == substream)
+ if (substream->runtime->trigger_master == substream) {
substream->ops->trigger(substream, SNDRV_PCM_TRIGGER_STOP);
+ substream->runtime->stop_operating = true;
+ }
}
static void snd_pcm_post_start(struct snd_pcm_substream *substream,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 218/783] media: saa7164: fix missing pci_disable_device()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 217/783] ALSA: pcm: Set missing stop_operating flag at undoing trigger start Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 219/783] ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt Greg Kroah-Hartman
` (574 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liu Shixin, Hans Verkuil,
Mauro Carvalho Chehab, Sasha Levin
From: Liu Shixin <liushixin2@huawei.com>
[ Upstream commit 57fb35d7542384cac8f198cd1c927540ad38b61a ]
Add missing pci_disable_device() in the error path in saa7164_initdev().
Fixes: 443c1228d505 ("V4L/DVB (12923): SAA7164: Add support for the NXP SAA7164 silicon")
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/pci/saa7164/saa7164-core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/pci/saa7164/saa7164-core.c b/drivers/media/pci/saa7164/saa7164-core.c
index 6c08b77bfd47..3cadfbe60fe6 100644
--- a/drivers/media/pci/saa7164/saa7164-core.c
+++ b/drivers/media/pci/saa7164/saa7164-core.c
@@ -1270,7 +1270,7 @@ static int saa7164_initdev(struct pci_dev *pci_dev,
if (saa7164_dev_setup(dev) < 0) {
err = -EINVAL;
- goto fail_free;
+ goto fail_dev;
}
/* print pci info */
@@ -1438,6 +1438,8 @@ static int saa7164_initdev(struct pci_dev *pci_dev,
fail_irq:
saa7164_dev_unregister(dev);
+fail_dev:
+ pci_disable_device(pci_dev);
fail_free:
v4l2_device_unregister(&dev->v4l2_dev);
kfree(dev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 219/783] ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 218/783] media: saa7164: fix missing pci_disable_device() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 220/783] xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() Greg Kroah-Hartman
` (573 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Takashi Iwai, Sasha Levin
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad ]
I got a null-ptr-defer error report when I do the following tests
on the qemu platform:
make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m,
CONFIG_SND_MTS64=m
Then making test scripts:
cat>test_mod1.sh<<EOF
modprobe snd-mts64
modprobe snd-mts64
EOF
Executing the script, perhaps several times, we will get a null-ptr-defer
report, as follow:
syzkaller:~# ./test_mod.sh
snd_mts64: probe of snd_mts64.0 failed with error -5
modprobe: ERROR: could not insert 'snd_mts64': No such device
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 0 PID: 205 Comm: modprobe Not tainted 6.1.0-rc8-00588-g76dcd734eca2 #6
Call Trace:
<IRQ>
snd_mts64_interrupt+0x24/0xa0 [snd_mts64]
parport_irq_handler+0x37/0x50 [parport]
__handle_irq_event_percpu+0x39/0x190
handle_irq_event_percpu+0xa/0x30
handle_irq_event+0x2f/0x50
handle_edge_irq+0x99/0x1b0
__common_interrupt+0x5d/0x100
common_interrupt+0xa0/0xc0
</IRQ>
<TASK>
asm_common_interrupt+0x22/0x40
RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30
parport_claim+0xbd/0x230 [parport]
snd_mts64_probe+0x14a/0x465 [snd_mts64]
platform_probe+0x3f/0xa0
really_probe+0x129/0x2c0
__driver_probe_device+0x6d/0xc0
driver_probe_device+0x1a/0xa0
__device_attach_driver+0x7a/0xb0
bus_for_each_drv+0x62/0xb0
__device_attach+0xe4/0x180
bus_probe_device+0x82/0xa0
device_add+0x550/0x920
platform_device_add+0x106/0x220
snd_mts64_attach+0x2e/0x80 [snd_mts64]
port_check+0x14/0x20 [parport]
bus_for_each_dev+0x6e/0xc0
__parport_register_driver+0x7c/0xb0 [parport]
snd_mts64_module_init+0x31/0x1000 [snd_mts64]
do_one_initcall+0x3c/0x1f0
do_init_module+0x46/0x1c6
load_module+0x1d8d/0x1e10
__do_sys_finit_module+0xa2/0xf0
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
Kernel panic - not syncing: Fatal exception in interrupt
Rebooting in 1 seconds..
The mts wa not initialized during interrupt, we add check for
mts to fix this bug.
Fixes: 68ab801e32bb ("[ALSA] Add snd-mts64 driver for ESI Miditerminal 4140")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221206061004.1222966-1-cuigaosheng1@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/drivers/mts64.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/drivers/mts64.c b/sound/drivers/mts64.c
index 9c708b693cb3..257314920e4d 100644
--- a/sound/drivers/mts64.c
+++ b/sound/drivers/mts64.c
@@ -816,6 +816,9 @@ static void snd_mts64_interrupt(void *private)
u8 status, data;
struct snd_rawmidi_substream *substream;
+ if (!mts)
+ return;
+
spin_lock(&mts->lock);
ret = mts64_read(mts->pardev->port);
data = ret & 0x00ff;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 220/783] xprtrdma: Fix regbuf data not freed in rpcrdma_req_create()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 219/783] ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 221/783] SUNRPC: Fix missing release socket in rpc_sockname() Greg Kroah-Hartman
` (572 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Xiaoxu, Trond Myklebust, Sasha Levin
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[ Upstream commit 9181f40fb2952fd59ecb75e7158620c9c669eee3 ]
If rdma receive buffer allocate failed, should call rpcrdma_regbuf_free()
to free the send buffer, otherwise, the buffer data will be leaked.
Fixes: bb93a1ae2bf4 ("xprtrdma: Allocate req's regbufs at xprt create time")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/xprtrdma/verbs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index dcc1992b14d7..338b06de86d1 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -866,7 +866,7 @@ struct rpcrdma_req *rpcrdma_req_create(struct rpcrdma_xprt *r_xprt, size_t size,
return req;
out3:
- kfree(req->rl_sendbuf);
+ rpcrdma_regbuf_free(req->rl_sendbuf);
out2:
kfree(req);
out1:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 221/783] SUNRPC: Fix missing release socket in rpc_sockname()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 220/783] xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 222/783] NFSv4.x: Fail client initialisation if state manager thread cant run Greg Kroah-Hartman
` (571 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang ShaoBo, Trond Myklebust, Sasha Levin
From: Wang ShaoBo <bobo.shaobowang@huawei.com>
[ Upstream commit 50fa355bc0d75911fe9d5072a5ba52cdb803aff7 ]
socket dynamically created is not released when getting an unintended
address family type in rpc_sockname(), direct to out_release for calling
sock_release().
Fixes: 2e738fdce22f ("SUNRPC: Add API to acquire source address")
Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/clnt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 78c6648af782..c478108ca6a6 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1361,7 +1361,7 @@ static int rpc_sockname(struct net *net, struct sockaddr *sap, size_t salen,
break;
default:
err = -EAFNOSUPPORT;
- goto out;
+ goto out_release;
}
if (err < 0) {
dprintk("RPC: can't bind UDP socket (%d)\n", err);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 222/783] NFSv4.x: Fail client initialisation if state manager thread cant run
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 221/783] SUNRPC: Fix missing release socket in rpc_sockname() Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 223/783] mmc: alcor: fix return value check of mmc_add_host() Greg Kroah-Hartman
` (570 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ChenXiaoSong, Trond Myklebust, Sasha Levin
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit b4e4f66901658fae0614dea5bf91062a5387eda7 ]
If the state manager thread fails to start, then we should just mark the
client initialisation as failed so that other processes or threads don't
get stuck in nfs_wait_client_init_complete().
Reported-by: ChenXiaoSong <chenxiaosong2@huawei.com>
Fixes: 4697bd5e9419 ("NFSv4: Fix a race in the net namespace mount notification")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/nfs4state.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index a77a3d8c0b3f..175b2e064003 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1226,6 +1226,8 @@ void nfs4_schedule_state_manager(struct nfs_client *clp)
if (IS_ERR(task)) {
printk(KERN_ERR "%s: kthread_run: %ld\n",
__func__, PTR_ERR(task));
+ if (!nfs_client_init_is_complete(clp))
+ nfs_mark_client_ready(clp, PTR_ERR(task));
nfs4_clear_state_manager_bit(clp);
nfs_put_client(clp);
module_put(THIS_MODULE);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 223/783] mmc: alcor: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 222/783] NFSv4.x: Fail client initialisation if state manager thread cant run Greg Kroah-Hartman
@ 2023-01-12 13:48 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 224/783] mmc: moxart: " Greg Kroah-Hartman
` (569 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:48 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit e93d1468f429475a753d6baa79b853b7ee5ef8c0 ]
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and calling mmc_free_host() in the
error path.
Fixes: c5413ad815a6 ("mmc: add new Alcor Micro Cardreader SD/MMC driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-2-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/alcor.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/alcor.c b/drivers/mmc/host/alcor.c
index bfb8efeb7eb8..d01df01d4b4d 100644
--- a/drivers/mmc/host/alcor.c
+++ b/drivers/mmc/host/alcor.c
@@ -1114,7 +1114,10 @@ static int alcor_pci_sdmmc_drv_probe(struct platform_device *pdev)
alcor_hw_init(host);
dev_set_drvdata(&pdev->dev, host);
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret)
+ goto free_host;
+
return 0;
free_host:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 224/783] mmc: moxart: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2023-01-12 13:48 ` [PATCH 5.10 223/783] mmc: alcor: fix return value check of mmc_add_host() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 225/783] mmc: mxcmmc: " Greg Kroah-Hartman
` (568 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 0ca18d09c744fb030ae9bc5836c3e357e0237dea ]
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and goto error path which will call
mmc_free_host().
Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-3-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/moxart-mmc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c
index c16300b92139..fb96bb76eefb 100644
--- a/drivers/mmc/host/moxart-mmc.c
+++ b/drivers/mmc/host/moxart-mmc.c
@@ -668,7 +668,9 @@ static int moxart_probe(struct platform_device *pdev)
goto out;
dev_set_drvdata(dev, mmc);
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret)
+ goto out;
dev_dbg(dev, "IRQ=%d, FIFO is %d bytes\n", irq, host->fifo_width);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 225/783] mmc: mxcmmc: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 224/783] mmc: moxart: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 226/783] mmc: pxamci: " Greg Kroah-Hartman
` (567 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit cde600af7b413c9fe03e85c58c4279df90e91d13 ]
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and goto error path which will call
mmc_free_host().
Fixes: d96be879ff46 ("mmc: Add a MX2/MX3 specific SDHC driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-4-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/mxcmmc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/mxcmmc.c b/drivers/mmc/host/mxcmmc.c
index 12ee07285980..93a105b07564 100644
--- a/drivers/mmc/host/mxcmmc.c
+++ b/drivers/mmc/host/mxcmmc.c
@@ -1167,7 +1167,9 @@ static int mxcmci_probe(struct platform_device *pdev)
timer_setup(&host->watchdog, mxcmci_watchdog, 0);
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret)
+ goto out_free_dma;
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 226/783] mmc: pxamci: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 225/783] mmc: mxcmmc: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 227/783] mmc: rtsx_usb_sdmmc: " Greg Kroah-Hartman
` (566 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 80e1ef3afb8bfbe768380b70ffe1b6cab87d1a3b ]
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and goto error path which will call
mmc_free_host(), besides, ->exit() need be called to uninit the pdata.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-5-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/pxamci.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/pxamci.c b/drivers/mmc/host/pxamci.c
index 55868b6b8658..e25e9bb34eb3 100644
--- a/drivers/mmc/host/pxamci.c
+++ b/drivers/mmc/host/pxamci.c
@@ -763,7 +763,12 @@ static int pxamci_probe(struct platform_device *pdev)
dev_warn(dev, "gpio_ro and get_ro() both defined\n");
}
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret) {
+ if (host->pdata && host->pdata->exit)
+ host->pdata->exit(dev, mmc);
+ goto out;
+ }
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 227/783] mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 226/783] mmc: pxamci: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 228/783] mmc: toshsd: " Greg Kroah-Hartman
` (565 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit fc38a5a10e9e5a75eb9189854abeb8405b214cc9 ]
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and calling mmc_free_host() in the
error path, besides, led_classdev_unregister() and pm_runtime_disable() also
need be called.
Fixes: c7f6558d84af ("mmc: Add realtek USB sdmmc host driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-7-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/rtsx_usb_sdmmc.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c
index 5fe4528e296e..1be3a355f10d 100644
--- a/drivers/mmc/host/rtsx_usb_sdmmc.c
+++ b/drivers/mmc/host/rtsx_usb_sdmmc.c
@@ -1332,6 +1332,7 @@ static int rtsx_usb_sdmmc_drv_probe(struct platform_device *pdev)
#ifdef RTSX_USB_USE_LEDS_CLASS
int err;
#endif
+ int ret;
ucr = usb_get_intfdata(to_usb_interface(pdev->dev.parent));
if (!ucr)
@@ -1368,7 +1369,15 @@ static int rtsx_usb_sdmmc_drv_probe(struct platform_device *pdev)
INIT_WORK(&host->led_work, rtsx_usb_update_led);
#endif
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret) {
+#ifdef RTSX_USB_USE_LEDS_CLASS
+ led_classdev_unregister(&host->led);
+#endif
+ mmc_free_host(mmc);
+ pm_runtime_disable(&pdev->dev);
+ return ret;
+ }
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 228/783] mmc: toshsd: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 227/783] mmc: rtsx_usb_sdmmc: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 229/783] mmc: vub300: " Greg Kroah-Hartman
` (564 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit f670744a316ea983113a65313dcd387b5a992444 ]
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and goto error path which will call
mmc_free_host(), besides, free_irq() also needs be called.
Fixes: a5eb8bbd66cc ("mmc: add Toshiba PCI SD controller driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-8-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/toshsd.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/toshsd.c b/drivers/mmc/host/toshsd.c
index 8d037c2071ab..497791ffada6 100644
--- a/drivers/mmc/host/toshsd.c
+++ b/drivers/mmc/host/toshsd.c
@@ -651,7 +651,9 @@ static int toshsd_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
if (ret)
goto unmap;
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret)
+ goto free_irq;
base = pci_resource_start(pdev, 0);
dev_dbg(&pdev->dev, "MMIO %pa, IRQ %d\n", &base, pdev->irq);
@@ -660,6 +662,8 @@ static int toshsd_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
return 0;
+free_irq:
+ free_irq(pdev->irq, host);
unmap:
pci_iounmap(pdev, host->ioaddr);
release:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 229/783] mmc: vub300: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 228/783] mmc: toshsd: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 230/783] mmc: wmt-sdmmc: " Greg Kroah-Hartman
` (563 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 0613ad2401f88bdeae5594c30afe318e93b14676 ]
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and goto error path which will call
mmc_free_host(), besides, the timer added before mmc_add_host() needs be del.
And this patch fixes another missing call mmc_free_host() if usb_control_msg()
fails.
Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-9-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/vub300.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c
index 97beece62fec..ab36ec479747 100644
--- a/drivers/mmc/host/vub300.c
+++ b/drivers/mmc/host/vub300.c
@@ -2299,14 +2299,14 @@ static int vub300_probe(struct usb_interface *interface,
0x0000, 0x0000, &vub300->system_port_status,
sizeof(vub300->system_port_status), 1000);
if (retval < 0) {
- goto error4;
+ goto error5;
} else if (sizeof(vub300->system_port_status) == retval) {
vub300->card_present =
(0x0001 & vub300->system_port_status.port_flags) ? 1 : 0;
vub300->read_only =
(0x0010 & vub300->system_port_status.port_flags) ? 1 : 0;
} else {
- goto error4;
+ goto error5;
}
usb_set_intfdata(interface, vub300);
INIT_DELAYED_WORK(&vub300->pollwork, vub300_pollwork_thread);
@@ -2329,8 +2329,13 @@ static int vub300_probe(struct usb_interface *interface,
"USB vub300 remote SDIO host controller[%d]"
"connected with no SD/SDIO card inserted\n",
interface_to_InterfaceNumber(interface));
- mmc_add_host(mmc);
+ retval = mmc_add_host(mmc);
+ if (retval)
+ goto error6;
+
return 0;
+error6:
+ del_timer_sync(&vub300->inactivity_timer);
error5:
mmc_free_host(mmc);
/*
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 230/783] mmc: wmt-sdmmc: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 229/783] mmc: vub300: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 231/783] mmc: atmel-mci: " Greg Kroah-Hartman
` (562 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 29276d56f6ed138db0f38cd31aedc0b725c8c76c ]
mmc_add_host() may return error, if we ignore its return value, the memory
that allocated in mmc_alloc_host() will be leaked and it will lead a kernel
crash because of deleting not added device in the remove path.
So fix this by checking the return value and goto error path which will call
mmc_free_host(), besides, clk_disable_unprepare() also needs be called.
Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221101063023.1664968-10-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/wmt-sdmmc.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/wmt-sdmmc.c b/drivers/mmc/host/wmt-sdmmc.c
index 8df722ec57ed..393319548857 100644
--- a/drivers/mmc/host/wmt-sdmmc.c
+++ b/drivers/mmc/host/wmt-sdmmc.c
@@ -859,11 +859,15 @@ static int wmt_mci_probe(struct platform_device *pdev)
/* configure the controller to a known 'ready' state */
wmt_reset_hardware(mmc);
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret)
+ goto fail7;
dev_info(&pdev->dev, "WMT SDHC Controller initialized\n");
return 0;
+fail7:
+ clk_disable_unprepare(priv->clk_sdmmc);
fail6:
clk_put(priv->clk_sdmmc);
fail5_and_a_half:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 231/783] mmc: atmel-mci: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 230/783] mmc: wmt-sdmmc: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 232/783] mmc: omap_hsmmc: " Greg Kroah-Hartman
` (561 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 9e6e8c43726673ca2abcaac87640b9215fd72f4c ]
mmc_add_host() may return error, if we ignore its return value,
it will lead two issues:
1. The memory that allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete device, but it's not added yet, it will lead a kernel
crash because of null-ptr-deref in device_del().
So fix this by checking the return value and calling mmc_free_host()
in the error path.
Fixes: 7d2be0749a59 ("atmel-mci: Driver for Atmel on-chip MMC controllers")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221108122819.429975-1-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/atmel-mci.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/mmc/host/atmel-mci.c b/drivers/mmc/host/atmel-mci.c
index 444bd3a0a922..af85b32c6c1c 100644
--- a/drivers/mmc/host/atmel-mci.c
+++ b/drivers/mmc/host/atmel-mci.c
@@ -2223,6 +2223,7 @@ static int atmci_init_slot(struct atmel_mci *host,
{
struct mmc_host *mmc;
struct atmel_mci_slot *slot;
+ int ret;
mmc = mmc_alloc_host(sizeof(struct atmel_mci_slot), &host->pdev->dev);
if (!mmc)
@@ -2306,11 +2307,13 @@ static int atmci_init_slot(struct atmel_mci *host,
host->slot[id] = slot;
mmc_regulator_get_supply(mmc);
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret) {
+ mmc_free_host(mmc);
+ return ret;
+ }
if (gpio_is_valid(slot->detect_pin)) {
- int ret;
-
timer_setup(&slot->detect_timer, atmci_detect_change, 0);
ret = request_irq(gpio_to_irq(slot->detect_pin),
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 232/783] mmc: omap_hsmmc: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 231/783] mmc: atmel-mci: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 233/783] mmc: meson-gx: " Greg Kroah-Hartman
` (560 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit a525cad241c339ca00bf7ebf03c5180f2a9b767c ]
mmc_add_host() may return error, if we ignore its return value,
it will lead two issues:
1. The memory that allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete device, but it's not added yet, it will lead a kernel
crash because of null-ptr-deref in device_del().
Fix this by checking the return value and goto error path wihch
will call mmc_free_host().
Fixes: a45c6cb81647 ("[ARM] 5369/1: omap mmc: Add new omap hsmmc controller for 2430 and 34xx, v3")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221108121316.340354-1-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/omap_hsmmc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
index aa9cc49206d1..5b6ede81fc9f 100644
--- a/drivers/mmc/host/omap_hsmmc.c
+++ b/drivers/mmc/host/omap_hsmmc.c
@@ -1987,7 +1987,9 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
if (!ret)
mmc->caps |= MMC_CAP_SDIO_IRQ;
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret)
+ goto err_irq;
if (mmc_pdata(host)->name != NULL) {
ret = device_create_file(&mmc->class_dev, &dev_attr_slot_name);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 233/783] mmc: meson-gx: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 232/783] mmc: omap_hsmmc: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 234/783] mmc: via-sdmmc: " Greg Kroah-Hartman
` (559 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Neil Armstrong,
Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 90935f16f2650ab7416fa2ffbe5c28cb39cf3f1e ]
mmc_add_host() may return error, if we ignore its return value,
it will lead two issues:
1. The memory that allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete device, but it's not added yet, it will lead a kernel
crash because of null-ptr-deref in device_del().
Fix this by checking the return value and goto error path which
will call mmc_free_host().
Fixes: 51c5d8447bd7 ("MMC: meson: initial support for GX platforms")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20221108123417.479045-1-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/meson-gx-mmc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/meson-gx-mmc.c b/drivers/mmc/host/meson-gx-mmc.c
index bccc85b3fc50..19a6b55e344f 100644
--- a/drivers/mmc/host/meson-gx-mmc.c
+++ b/drivers/mmc/host/meson-gx-mmc.c
@@ -1280,7 +1280,9 @@ static int meson_mmc_probe(struct platform_device *pdev)
}
mmc->ops = &meson_mmc_ops;
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret)
+ goto err_free_irq;
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 234/783] mmc: via-sdmmc: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 233/783] mmc: meson-gx: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 235/783] mmc: wbsd: " Greg Kroah-Hartman
` (558 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit e4e46fb61e3bb4628170810d3f2b996b709b90d9 ]
mmc_add_host() may return error, if we ignore its return value,
it will lead two issues:
1. The memory that allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete device, but it's not added yet, it will lead a kernel
crash because of null-ptr-deref in device_del().
Fix this by checking the return value and goto error path which
will call mmc_free_host().
Fixes: f0bf7f61b840 ("mmc: Add new via-sdmmc host controller driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221108130949.1067699-1-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/via-sdmmc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c
index f07c71db3caf..f6b525fb5c0e 100644
--- a/drivers/mmc/host/via-sdmmc.c
+++ b/drivers/mmc/host/via-sdmmc.c
@@ -1154,7 +1154,9 @@ static int via_sd_probe(struct pci_dev *pcidev,
pcidev->subsystem_device == 0x3891)
sdhost->quirks = VIA_CRDR_QUIRK_300MS_PWRDELAY;
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret)
+ goto unmap;
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 235/783] mmc: wbsd: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 234/783] mmc: via-sdmmc: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 236/783] mmc: mmci: " Greg Kroah-Hartman
` (557 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit dc5b9b50fc9d1334407e316e6e29a5097ef833bd ]
mmc_add_host() may return error, if we ignore its return value,
it will lead two issues:
1. The memory that allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete device, but it's not added yet, it will lead a kernel
crash because of null-ptr-deref in device_del().
So fix this by checking the return value and goto error path which
will call mmc_free_host(), besides, other resources also need be
released.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221109133237.3273558-1-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/wbsd.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/wbsd.c b/drivers/mmc/host/wbsd.c
index cd63ea865b77..f3090216e0dc 100644
--- a/drivers/mmc/host/wbsd.c
+++ b/drivers/mmc/host/wbsd.c
@@ -1703,7 +1703,17 @@ static int wbsd_init(struct device *dev, int base, int irq, int dma,
*/
wbsd_init_device(host);
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret) {
+ if (!pnp)
+ wbsd_chip_poweroff(host);
+
+ wbsd_release_resources(host);
+ wbsd_free_mmc(dev);
+
+ mmc_free_host(mmc);
+ return ret;
+ }
pr_info("%s: W83L51xD", mmc_hostname(mmc));
if (host->chip_id != 0)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 236/783] mmc: mmci: fix return value check of mmc_add_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 235/783] mmc: wbsd: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 237/783] media: c8sectpfe: Add of_node_put() when breaking out of loop Greg Kroah-Hartman
` (556 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Ulf Hansson, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit b38a20f29a49ae04d23750d104b25400b792b98c ]
mmc_add_host() may return error, if we ignore its return value,
it will lead two issues:
1. The memory that allocated in mmc_alloc_host() is leaked.
2. In the remove() path, mmc_remove_host() will be called to
delete device, but it's not added yet, it will lead a kernel
crash because of null-ptr-deref in device_del().
So fix this by checking the return value and goto error path which
will call mmc_free_host().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221109133539.3275664-1-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/mmci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c
index b5684e5d79e6..5d83c8e7bf5c 100644
--- a/drivers/mmc/host/mmci.c
+++ b/drivers/mmc/host/mmci.c
@@ -2191,7 +2191,9 @@ static int mmci_probe(struct amba_device *dev,
pm_runtime_set_autosuspend_delay(&dev->dev, 50);
pm_runtime_use_autosuspend(&dev->dev);
- mmc_add_host(mmc);
+ ret = mmc_add_host(mmc);
+ if (ret)
+ goto clk_disable;
pm_runtime_put(&dev->dev);
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 237/783] media: c8sectpfe: Add of_node_put() when breaking out of loop
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 236/783] mmc: mmci: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 238/783] media: coda: Add check for dcoda_iram_alloc Greg Kroah-Hartman
` (555 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liang He, Hans Verkuil, Sasha Levin
From: Liang He <windhl@126.com>
[ Upstream commit 63ff05a1ad242a5a0f897921c87b70d601bda59c ]
In configure_channels(), we should call of_node_put() when breaking
out of for_each_child_of_node() which will automatically increase
and decrease the refcount.
Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support")
Signed-off-by: Liang He <windhl@126.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
index dbe7788083a4..b7e0ec265b70 100644
--- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
+++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c
@@ -937,6 +937,7 @@ static int configure_channels(struct c8sectpfei *fei)
if (ret) {
dev_err(fei->dev,
"configure_memdma_and_inputblock failed\n");
+ of_node_put(child);
goto err_unmap;
}
index++;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 238/783] media: coda: Add check for dcoda_iram_alloc
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 237/783] media: c8sectpfe: Add of_node_put() when breaking out of loop Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 239/783] media: coda: Add check for kmalloc Greg Kroah-Hartman
` (554 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Hans Verkuil, Sasha Levin
From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
[ Upstream commit 6b8082238fb8bb20f67e46388123e67a5bbc558d ]
As the coda_iram_alloc may return NULL pointer,
it should be better to check the return value
in order to avoid NULL poineter dereference,
same as the others.
Fixes: b313bcc9a467 ("[media] coda: simplify IRAM setup")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/coda/coda-bit.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
index 159c9de85788..b8a70ef8e8ec 100644
--- a/drivers/media/platform/coda/coda-bit.c
+++ b/drivers/media/platform/coda/coda-bit.c
@@ -852,7 +852,7 @@ static void coda_setup_iram(struct coda_ctx *ctx)
/* Only H.264BP and H.263P3 are considered */
iram_info->buf_dbk_y_use = coda_iram_alloc(iram_info, w64);
iram_info->buf_dbk_c_use = coda_iram_alloc(iram_info, w64);
- if (!iram_info->buf_dbk_c_use)
+ if (!iram_info->buf_dbk_y_use || !iram_info->buf_dbk_c_use)
goto out;
iram_info->axi_sram_use |= dbk_bits;
@@ -876,7 +876,7 @@ static void coda_setup_iram(struct coda_ctx *ctx)
iram_info->buf_dbk_y_use = coda_iram_alloc(iram_info, w128);
iram_info->buf_dbk_c_use = coda_iram_alloc(iram_info, w128);
- if (!iram_info->buf_dbk_c_use)
+ if (!iram_info->buf_dbk_y_use || !iram_info->buf_dbk_c_use)
goto out;
iram_info->axi_sram_use |= dbk_bits;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 239/783] media: coda: Add check for kmalloc
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 238/783] media: coda: Add check for dcoda_iram_alloc Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 240/783] clk: samsung: Fix memory leak in _samsung_clk_register_pll() Greg Kroah-Hartman
` (553 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiasheng Jiang, Hans Verkuil, Sasha Levin
From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
[ Upstream commit 6e5e5defdb8b0186312c2f855ace175aee6daf9b ]
As the kmalloc may return NULL pointer,
it should be better to check the return value
in order to avoid NULL poineter dereference,
same as the others.
Fixes: cb1d3a336371 ("[media] coda: add CODA7541 JPEG support")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/coda/coda-bit.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
index b8a70ef8e8ec..6ffa12e83e42 100644
--- a/drivers/media/platform/coda/coda-bit.c
+++ b/drivers/media/platform/coda/coda-bit.c
@@ -1082,10 +1082,16 @@ static int coda_start_encoding(struct coda_ctx *ctx)
}
if (dst_fourcc == V4L2_PIX_FMT_JPEG) {
- if (!ctx->params.jpeg_qmat_tab[0])
+ if (!ctx->params.jpeg_qmat_tab[0]) {
ctx->params.jpeg_qmat_tab[0] = kmalloc(64, GFP_KERNEL);
- if (!ctx->params.jpeg_qmat_tab[1])
+ if (!ctx->params.jpeg_qmat_tab[0])
+ return -ENOMEM;
+ }
+ if (!ctx->params.jpeg_qmat_tab[1]) {
ctx->params.jpeg_qmat_tab[1] = kmalloc(64, GFP_KERNEL);
+ if (!ctx->params.jpeg_qmat_tab[1])
+ return -ENOMEM;
+ }
coda_set_jpeg_compression_quality(ctx, ctx->params.jpeg_quality);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 240/783] clk: samsung: Fix memory leak in _samsung_clk_register_pll()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 239/783] media: coda: Add check for kmalloc Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 241/783] spi: spi-gpio: Dont set MOSI as an input if not 3WIRE mode Greg Kroah-Hartman
` (552 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Alim Akhtar,
Stephen Boyd, Sasha Levin
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit 5174e5b0d1b669a489524192b6adcbb3c54ebc72 ]
If clk_register() fails, @pll->rate_table may have allocated memory by
kmemdup(), so it needs to be freed, otherwise will cause memory leak
issue, this patch fixes it.
Fixes: 3ff6e0d8d64d ("clk: samsung: Add support to register rate_table for samsung plls")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Link: https://lore.kernel.org/r/20221123032015.63980-1-xiujianfeng@huawei.com
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/samsung/clk-pll.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/clk/samsung/clk-pll.c b/drivers/clk/samsung/clk-pll.c
index ac70ad785d8e..33df20f813d5 100644
--- a/drivers/clk/samsung/clk-pll.c
+++ b/drivers/clk/samsung/clk-pll.c
@@ -1390,6 +1390,7 @@ static void __init _samsung_clk_register_pll(struct samsung_clk_provider *ctx,
if (ret) {
pr_err("%s: failed to register pll clock %s : %d\n",
__func__, pll_clk->name, ret);
+ kfree(pll->rate_table);
kfree(pll);
return;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 241/783] spi: spi-gpio: Dont set MOSI as an input if not 3WIRE mode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 240/783] clk: samsung: Fix memory leak in _samsung_clk_register_pll() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 242/783] wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h Greg Kroah-Hartman
` (551 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kris Bahnsen, Mark Brown, Sasha Levin
From: Kris Bahnsen <kris@embeddedTS.com>
[ Upstream commit 3a6f994f848a69deb2bf3cd9d130dd0c09730e55 ]
The addition of 3WIRE support would affect MOSI direction even
when still in standard (4 wire) mode. This can lead to MOSI being
at an invalid logic level when a device driver sets an SPI
message with a NULL tx_buf.
spi.h states that if tx_buf is NULL then "zeros will be shifted
out ... " If MOSI is tristated then the data shifted out is subject
to pull resistors, keepers, or in the absence of those, noise.
This issue came to light when using spi-gpio connected to an
ADS7843 touchscreen controller. MOSI pulled high when clocking
MISO data in caused the SPI device to interpret this as a command
which would put the device in an unexpected and non-functional
state.
Fixes: 4b859db2c606 ("spi: spi-gpio: add SPI_3WIRE support")
Fixes: 5132b3d28371 ("spi: gpio: Support 3WIRE high-impedance turn-around")
Signed-off-by: Kris Bahnsen <kris@embeddedTS.com>
Link: https://lore.kernel.org/r/20221207230853.6174-1-kris@embeddedTS.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-gpio.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/spi/spi-gpio.c b/drivers/spi/spi-gpio.c
index 0584f4d2fde2..3ffdab6caac2 100644
--- a/drivers/spi/spi-gpio.c
+++ b/drivers/spi/spi-gpio.c
@@ -244,9 +244,19 @@ static int spi_gpio_set_direction(struct spi_device *spi, bool output)
if (output)
return gpiod_direction_output(spi_gpio->mosi, 1);
- ret = gpiod_direction_input(spi_gpio->mosi);
- if (ret)
- return ret;
+ /*
+ * Only change MOSI to an input if using 3WIRE mode.
+ * Otherwise, MOSI could be left floating if there is
+ * no pull resistor connected to the I/O pin, or could
+ * be left logic high if there is a pull-up. Transmitting
+ * logic high when only clocking MISO data in can put some
+ * SPI devices in to a bad state.
+ */
+ if (spi->mode & SPI_3WIRE) {
+ ret = gpiod_direction_input(spi_gpio->mosi);
+ if (ret)
+ return ret;
+ }
/*
* Send a turnaround high impedance cycle when switching
* from output to input. Theoretically there should be
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 242/783] wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 241/783] spi: spi-gpio: Dont set MOSI as an input if not 3WIRE mode Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 243/783] wifi: rtl8xxxu: Fix the channel width reporting Greg Kroah-Hartman
` (550 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih,
Kalle Valo, Sasha Levin
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
[ Upstream commit dd469a754afdb782ba3033cee102147493dc39f4 ]
This struct is used to access a sequence of bytes received from the
wifi chip. It must not have any padding bytes between the members.
This doesn't change anything on my system, possibly because currently
none of the members need more than byte alignment.
Fixes: b2b43b7837ba ("rtl8xxxu: Initial functionality to handle C2H events for 8723bu")
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/1a270918-da22-ff5f-29fc-7855f740c5ba@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
index b28fa0c4d180..0ed4d67308d7 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
@@ -1190,7 +1190,7 @@ struct rtl8723bu_c2h {
u8 bw;
} __packed ra_report;
};
-};
+} __packed;
struct rtl8xxxu_fileops;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 243/783] wifi: rtl8xxxu: Fix the channel width reporting
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 242/783] wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 244/783] wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() Greg Kroah-Hartman
` (549 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bitterblue Smith, Ping-Ke Shih,
Kalle Valo, Sasha Levin
From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
[ Upstream commit 76c16af2cb10282274596e21add2c9f0b95c941b ]
The gen 2 chips RTL8192EU and RTL8188FU periodically send the driver
reports about the TX rate, and the driver passes these reports to
sta_statistics. The reports from RTL8192EU may or may not include the
channel width. The reports from RTL8188FU do not include it.
Only access the c2h->ra_report.bw field if the report (skb) is big
enough.
The other problem fixed here is that the code was actually never
changing the channel width initially reported by
rtl8xxxu_bss_info_changed because the value of RATE_INFO_BW_20 is 0.
Fixes: 0985d3a410ac ("rtl8xxxu: Feed current txrate information for mac80211")
Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/5b41f1ae-72e7-6b7a-2459-b736399a1c40@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index 43898f105bb7..9a12f1d38007 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -5520,7 +5520,6 @@ static void rtl8xxxu_c2hcmd_callback(struct work_struct *work)
rarpt->txrate.flags = 0;
rate = c2h->ra_report.rate;
sgi = c2h->ra_report.sgi;
- bw = c2h->ra_report.bw;
if (rate < DESC_RATE_MCS0) {
rarpt->txrate.legacy =
@@ -5537,8 +5536,13 @@ static void rtl8xxxu_c2hcmd_callback(struct work_struct *work)
RATE_INFO_FLAGS_SHORT_GI;
}
- if (bw == RATE_INFO_BW_20)
- rarpt->txrate.bw |= RATE_INFO_BW_20;
+ if (skb->len >= offsetofend(typeof(*c2h), ra_report.bw)) {
+ if (c2h->ra_report.bw == RTL8XXXU_CHANNEL_WIDTH_40)
+ bw = RATE_INFO_BW_40;
+ else
+ bw = RATE_INFO_BW_20;
+ rarpt->txrate.bw = bw;
+ }
}
bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
rarpt->bit_rate = bit_rate;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 244/783] wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 243/783] wifi: rtl8xxxu: Fix the channel width reporting Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 245/783] blktrace: Fix output non-blktrace event when blk_classic option enabled Greg Kroah-Hartman
` (548 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Yufen, Arend van Spriel,
Kalle Valo, Sasha Levin
From: Wang Yufen <wangyufen@huawei.com>
[ Upstream commit c2f2924bc7f9ea75ef8d95863e710168f8196256 ]
Fix to return a negative error code instead of 0 when
brcmf_chip_set_active() fails. In addition, change the return
value for brcmf_pcie_exit_download_state() to keep consistent.
Fixes: d380ebc9b6fb ("brcmfmac: rename chip download functions")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/1669959342-27144-1-git-send-email-wangyufen@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 +-
drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
index 61febc9bfa14..4e9d2b3659f0 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -618,7 +618,7 @@ static int brcmf_pcie_exit_download_state(struct brcmf_pciedev_info *devinfo,
}
if (!brcmf_chip_set_active(devinfo->ci, resetintr))
- return -EINVAL;
+ return -EIO;
return 0;
}
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
index 9929e90866f0..3c0d5c68eaca 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
@@ -3401,6 +3401,7 @@ static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus,
/* Take arm out of reset */
if (!brcmf_chip_set_active(bus->ci, rstvec)) {
brcmf_err("error getting out of ARM core reset\n");
+ bcmerror = -EIO;
goto err;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 245/783] blktrace: Fix output non-blktrace event when blk_classic option enabled
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 244/783] wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 246/783] clk: socfpga: clk-pll: Remove unused variable rc Greg Kroah-Hartman
` (547 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Jihong, Jens Axboe, Sasha Levin
From: Yang Jihong <yangjihong1@huawei.com>
[ Upstream commit f596da3efaf4130ff61cd029558845808df9bf99 ]
When the blk_classic option is enabled, non-blktrace events must be
filtered out. Otherwise, events of other types are output in the blktrace
classic format, which is unexpected.
The problem can be triggered in the following ways:
# echo 1 > /sys/kernel/debug/tracing/options/blk_classic
# echo 1 > /sys/kernel/debug/tracing/events/enable
# echo blk > /sys/kernel/debug/tracing/current_tracer
# cat /sys/kernel/debug/tracing/trace_pipe
Fixes: c71a89615411 ("blktrace: add ftrace plugin")
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Link: https://lore.kernel.org/r/20221122040410.85113-1-yangjihong1@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/blktrace.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index 15a376f85e09..ab912cc60760 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -1592,7 +1592,8 @@ blk_trace_event_print_binary(struct trace_iterator *iter, int flags,
static enum print_line_t blk_tracer_print_line(struct trace_iterator *iter)
{
- if (!(blk_tracer_flags.val & TRACE_BLK_OPT_CLASSIC))
+ if ((iter->ent->type != TRACE_BLK) ||
+ !(blk_tracer_flags.val & TRACE_BLK_OPT_CLASSIC))
return TRACE_TYPE_UNHANDLED;
return print_one_line(iter, true);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 246/783] clk: socfpga: clk-pll: Remove unused variable rc
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 245/783] blktrace: Fix output non-blktrace event when blk_classic option enabled Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 247/783] clk: socfpga: use clk_hw_register for a5/c5 Greg Kroah-Hartman
` (546 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dinh Nguyen, Michael Turquette,
Stephen Boyd, linux-clk, Lee Jones, Sasha Levin
From: Lee Jones <lee.jones@linaro.org>
[ Upstream commit 75fddccbca32349570b2d53955982b4117fa5515 ]
Fixes the following W=1 kernel build warning(s):
drivers/clk/socfpga/clk-pll.c: In function ‘__socfpga_pll_init’:
drivers/clk/socfpga/clk-pll.c:83:6: warning: variable ‘rc’ set but not used [-Wunused-but-set-variable]
Cc: Dinh Nguyen <dinguyen@kernel.org>
Cc: Michael Turquette <mturquette@baylibre.com>
Cc: Stephen Boyd <sboyd@kernel.org>
Cc: linux-clk@vger.kernel.org
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Link: https://lore.kernel.org/r/20210120093040.1719407-8-lee.jones@linaro.org
Acked-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Stable-dep-of: 0b8ba891ad4d ("clk: socfpga: Fix memory leak in socfpga_gate_init()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/socfpga/clk-pll.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/clk/socfpga/clk-pll.c b/drivers/clk/socfpga/clk-pll.c
index e5fb786843f3..3cf99df7d005 100644
--- a/drivers/clk/socfpga/clk-pll.c
+++ b/drivers/clk/socfpga/clk-pll.c
@@ -80,7 +80,6 @@ static __init struct clk *__socfpga_pll_init(struct device_node *node,
const char *parent_name[SOCFPGA_MAX_PARENTS];
struct clk_init_data init;
struct device_node *clkmgr_np;
- int rc;
of_property_read_u32(node, "reg", ®);
@@ -111,7 +110,7 @@ static __init struct clk *__socfpga_pll_init(struct device_node *node,
kfree(pll_clk);
return NULL;
}
- rc = of_clk_add_provider(node, of_clk_src_simple_get, clk);
+ of_clk_add_provider(node, of_clk_src_simple_get, clk);
return clk;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 247/783] clk: socfpga: use clk_hw_register for a5/c5
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 246/783] clk: socfpga: clk-pll: Remove unused variable rc Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 248/783] clk: socfpga: Fix memory leak in socfpga_gate_init() Greg Kroah-Hartman
` (545 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Boyd, Dinh Nguyen, Sasha Levin
From: Dinh Nguyen <dinguyen@kernel.org>
[ Upstream commit 2c2b9c6067170de2a63e7e3d9f5bb205b870de7c ]
As recommended by Stephen Boyd, convert the cyclone5/arria5 clock driver
to use the clk_hw registration method.
Suggested-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Link: https://lore.kernel.org/r/20210302214151.1333447-1-dinguyen@kernel.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Stable-dep-of: 0b8ba891ad4d ("clk: socfpga: Fix memory leak in socfpga_gate_init()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/socfpga/clk-gate.c | 11 +++++++----
drivers/clk/socfpga/clk-periph.c | 8 ++++----
drivers/clk/socfpga/clk-pll.c | 18 +++++++++++-------
3 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
index cf94a12459ea..1ec9678d8cd3 100644
--- a/drivers/clk/socfpga/clk-gate.c
+++ b/drivers/clk/socfpga/clk-gate.c
@@ -174,13 +174,14 @@ void __init socfpga_gate_init(struct device_node *node)
u32 div_reg[3];
u32 clk_phase[2];
u32 fixed_div;
- struct clk *clk;
+ struct clk_hw *hw_clk;
struct socfpga_gate_clk *socfpga_clk;
const char *clk_name = node->name;
const char *parent_name[SOCFPGA_MAX_PARENTS];
struct clk_init_data init;
struct clk_ops *ops;
int rc;
+ int err;
socfpga_clk = kzalloc(sizeof(*socfpga_clk), GFP_KERNEL);
if (WARN_ON(!socfpga_clk))
@@ -238,12 +239,14 @@ void __init socfpga_gate_init(struct device_node *node)
init.parent_names = parent_name;
socfpga_clk->hw.hw.init = &init;
- clk = clk_register(NULL, &socfpga_clk->hw.hw);
- if (WARN_ON(IS_ERR(clk))) {
+ hw_clk = &socfpga_clk->hw.hw;
+
+ err = clk_hw_register(NULL, hw_clk);
+ if (err) {
kfree(socfpga_clk);
return;
}
- rc = of_clk_add_provider(node, of_clk_src_simple_get, clk);
+ rc = of_clk_add_provider(node, of_clk_src_simple_get, hw_clk);
if (WARN_ON(rc))
return;
}
diff --git a/drivers/clk/socfpga/clk-periph.c b/drivers/clk/socfpga/clk-periph.c
index 5e0c4b45f77f..43707e2d7248 100644
--- a/drivers/clk/socfpga/clk-periph.c
+++ b/drivers/clk/socfpga/clk-periph.c
@@ -51,7 +51,7 @@ static __init void __socfpga_periph_init(struct device_node *node,
const struct clk_ops *ops)
{
u32 reg;
- struct clk *clk;
+ struct clk_hw *hw_clk;
struct socfpga_periph_clk *periph_clk;
const char *clk_name = node->name;
const char *parent_name[SOCFPGA_MAX_PARENTS];
@@ -94,13 +94,13 @@ static __init void __socfpga_periph_init(struct device_node *node,
init.parent_names = parent_name;
periph_clk->hw.hw.init = &init;
+ hw_clk = &periph_clk->hw.hw;
- clk = clk_register(NULL, &periph_clk->hw.hw);
- if (WARN_ON(IS_ERR(clk))) {
+ if (clk_hw_register(NULL, hw_clk)) {
kfree(periph_clk);
return;
}
- rc = of_clk_add_provider(node, of_clk_src_simple_get, clk);
+ rc = of_clk_add_provider(node, of_clk_src_simple_get, hw_clk);
}
void __init socfpga_periph_init(struct device_node *node)
diff --git a/drivers/clk/socfpga/clk-pll.c b/drivers/clk/socfpga/clk-pll.c
index 3cf99df7d005..dcb573d44034 100644
--- a/drivers/clk/socfpga/clk-pll.c
+++ b/drivers/clk/socfpga/clk-pll.c
@@ -70,16 +70,18 @@ static const struct clk_ops clk_pll_ops = {
.get_parent = clk_pll_get_parent,
};
-static __init struct clk *__socfpga_pll_init(struct device_node *node,
+static __init struct clk_hw *__socfpga_pll_init(struct device_node *node,
const struct clk_ops *ops)
{
u32 reg;
- struct clk *clk;
+ struct clk_hw *hw_clk;
struct socfpga_pll *pll_clk;
const char *clk_name = node->name;
const char *parent_name[SOCFPGA_MAX_PARENTS];
struct clk_init_data init;
struct device_node *clkmgr_np;
+ int rc;
+ int err;
of_property_read_u32(node, "reg", ®);
@@ -105,13 +107,15 @@ static __init struct clk *__socfpga_pll_init(struct device_node *node,
pll_clk->hw.bit_idx = SOCFPGA_PLL_EXT_ENA;
- clk = clk_register(NULL, &pll_clk->hw.hw);
- if (WARN_ON(IS_ERR(clk))) {
+ hw_clk = &pll_clk->hw.hw;
+
+ err = clk_hw_register(NULL, hw_clk);
+ if (err) {
kfree(pll_clk);
- return NULL;
+ return ERR_PTR(err);
}
- of_clk_add_provider(node, of_clk_src_simple_get, clk);
- return clk;
+ rc = of_clk_add_provider(node, of_clk_src_simple_get, hw_clk);
+ return hw_clk;
}
void __init socfpga_pll_init(struct device_node *node)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 248/783] clk: socfpga: Fix memory leak in socfpga_gate_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 247/783] clk: socfpga: use clk_hw_register for a5/c5 Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 249/783] net: vmw_vsock: vmci: Check memcpy_from_msg() Greg Kroah-Hartman
` (544 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Dinh Nguyen,
Stephen Boyd, Sasha Levin
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit 0b8ba891ad4d1ef6bfa4c72efc83f9f9f855f68b ]
Free @socfpga_clk and @ops on the error path to avoid memory leak issue.
Fixes: a30a67be7b6e ("clk: socfpga: Don't have get_parent for single parent ops")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Link: https://lore.kernel.org/r/20221123031622.63171-1-xiujianfeng@huawei.com
Acked-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/socfpga/clk-gate.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
index 1ec9678d8cd3..ee2a2d284113 100644
--- a/drivers/clk/socfpga/clk-gate.c
+++ b/drivers/clk/socfpga/clk-gate.c
@@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
return;
ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
- if (WARN_ON(!ops))
+ if (WARN_ON(!ops)) {
+ kfree(socfpga_clk);
return;
+ }
rc = of_property_read_u32_array(node, "clk-gate", clk_gate, 2);
if (rc)
@@ -243,6 +245,7 @@ void __init socfpga_gate_init(struct device_node *node)
err = clk_hw_register(NULL, hw_clk);
if (err) {
+ kfree(ops);
kfree(socfpga_clk);
return;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 249/783] net: vmw_vsock: vmci: Check memcpy_from_msg()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 248/783] clk: socfpga: Fix memory leak in socfpga_gate_init() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 250/783] net: defxx: Fix missing err handling in dfx_init() Greg Kroah-Hartman
` (543 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Artem Chernyshev,
Stefano Garzarella, Vishnu Dasa, David S. Miller, Sasha Levin
From: Artem Chernyshev <artem.chernyshev@red-soft.ru>
[ Upstream commit 44aa5a6dba8283bfda28b1517af4de711c5652a4 ]
vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg(). If memcpy_from_msg() fails, it is possible that
uninitialized memory contents are sent unintentionally instead of user's
message in the datagram to the destination. Return with an error if
memcpy_from_msg() fails.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr")
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Vishnu Dasa <vdasa@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/vmw_vsock/vmci_transport.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index a9ca95a0fcdd..8c2856cbfecc 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1713,7 +1713,11 @@ static int vmci_transport_dgram_enqueue(
if (!dg)
return -ENOMEM;
- memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+ err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len);
+ if (err) {
+ kfree(dg);
+ return err;
+ }
dg->dst = vmci_make_handle(remote_addr->svm_cid,
remote_addr->svm_port);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 250/783] net: defxx: Fix missing err handling in dfx_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 249/783] net: vmw_vsock: vmci: Check memcpy_from_msg() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 251/783] net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload() Greg Kroah-Hartman
` (542 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongqiang Liu, Jiri Pirko,
David S. Miller, Sasha Levin
From: Yongqiang Liu <liuyongqiang13@huawei.com>
[ Upstream commit ae18dcdff0f8d7e84cd3fd9f496518b5e72d185d ]
When eisa_driver_register() or tc_register_driver() failed,
the modprobe defxx would fail with some err log as follows:
Error: Driver 'defxx' is already registered, aborting...
Fix this issue by adding err hanling in dfx_init().
Fixes: e89a2cfb7d7b5 ("[TC] defxx: TURBOchannel support")
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/fddi/defxx.c | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/drivers/net/fddi/defxx.c b/drivers/net/fddi/defxx.c
index c7ce6d5491af..442bdc6e8dc4 100644
--- a/drivers/net/fddi/defxx.c
+++ b/drivers/net/fddi/defxx.c
@@ -3844,10 +3844,24 @@ static int dfx_init(void)
int status;
status = pci_register_driver(&dfx_pci_driver);
- if (!status)
- status = eisa_driver_register(&dfx_eisa_driver);
- if (!status)
- status = tc_register_driver(&dfx_tc_driver);
+ if (status)
+ goto err_pci_register;
+
+ status = eisa_driver_register(&dfx_eisa_driver);
+ if (status)
+ goto err_eisa_register;
+
+ status = tc_register_driver(&dfx_tc_driver);
+ if (status)
+ goto err_tc_register;
+
+ return 0;
+
+err_tc_register:
+ eisa_driver_unregister(&dfx_eisa_driver);
+err_eisa_register:
+ pci_unregister_driver(&dfx_pci_driver);
+err_pci_register:
return status;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 251/783] net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 250/783] net: defxx: Fix missing err handling in dfx_init() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 252/783] drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() Greg Kroah-Hartman
` (541 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Changzhong, David S. Miller,
Sasha Levin
From: Zhang Changzhong <zhangchangzhong@huawei.com>
[ Upstream commit f150b63f3fa5fdd81e0dd6151e8850268e29438c ]
The skb allocated by stmmac_test_get_arp_skb() hasn't been released in
some error handling case, which will lead to a memory leak. Fix this up
by adding kfree_skb() to release skb.
Compile tested only.
Fixes: 5e3fb0a6e2b3 ("net: stmmac: selftests: Implement the ARP Offload test")
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
index dd5c4ef92ef3..ea7200b7b647 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_selftests.c
@@ -1654,12 +1654,16 @@ static int stmmac_test_arpoffload(struct stmmac_priv *priv)
}
ret = stmmac_set_arp_offload(priv, priv->hw, true, ip_addr);
- if (ret)
+ if (ret) {
+ kfree_skb(skb);
goto cleanup;
+ }
ret = dev_set_promiscuity(priv->dev, 1);
- if (ret)
+ if (ret) {
+ kfree_skb(skb);
goto cleanup;
+ }
ret = dev_direct_xmit(skb, 0);
if (ret)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 252/783] drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 251/783] net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 253/783] of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop() Greg Kroah-Hartman
` (540 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Can, Leon Romanovsky,
David S. Miller, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit 01de1123322e4fe1bbd0fcdf0982511b55519c03 ]
If vp alloc failed in qlcnic_sriov_init(), all previously allocated vp
needs to be freed.
Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
index 8367891bfb13..e864c453c5e6 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c
@@ -221,6 +221,8 @@ int qlcnic_sriov_init(struct qlcnic_adapter *adapter, int num_vfs)
return 0;
qlcnic_destroy_async_wq:
+ while (i--)
+ kfree(sriov->vf_info[i].vp);
destroy_workqueue(bc->bc_async_wq);
qlcnic_destroy_trans_wq:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 253/783] of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 252/783] drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 254/783] ethernet: s2io: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
` (539 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ruanjinjie, Rob Herring, Sasha Levin
From: ruanjinjie <ruanjinjie@huawei.com>
[ Upstream commit ee9d7a0e754568180a2f8ebc4aad226278a9116f ]
When kmalloc() fail to allocate memory in kasprintf(), fn_1 or fn_2 will
be NULL, and strcmp() will cause null pointer dereference.
Fixes: 2fe0e8769df9 ("of: overlay: check prevents multiple fragments touching same property")
Signed-off-by: ruanjinjie <ruanjinjie@huawei.com>
Link: https://lore.kernel.org/r/20221211023337.592266-1-ruanjinjie@huawei.com
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/of/overlay.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/of/overlay.c b/drivers/of/overlay.c
index c8a0c0e9dec1..67b404f36e79 100644
--- a/drivers/of/overlay.c
+++ b/drivers/of/overlay.c
@@ -547,7 +547,7 @@ static int find_dup_cset_node_entry(struct overlay_changeset *ovcs,
fn_1 = kasprintf(GFP_KERNEL, "%pOF", ce_1->np);
fn_2 = kasprintf(GFP_KERNEL, "%pOF", ce_2->np);
- node_path_match = !strcmp(fn_1, fn_2);
+ node_path_match = !fn_1 || !fn_2 || !strcmp(fn_1, fn_2);
kfree(fn_1);
kfree(fn_2);
if (node_path_match) {
@@ -582,7 +582,7 @@ static int find_dup_cset_prop(struct overlay_changeset *ovcs,
fn_1 = kasprintf(GFP_KERNEL, "%pOF", ce_1->np);
fn_2 = kasprintf(GFP_KERNEL, "%pOF", ce_2->np);
- node_path_match = !strcmp(fn_1, fn_2);
+ node_path_match = !fn_1 || !fn_2 || !strcmp(fn_1, fn_2);
kfree(fn_1);
kfree(fn_2);
if (node_path_match &&
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 254/783] ethernet: s2io: dont call dev_kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 253/783] of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 255/783] net: farsync: Fix kmemleak when rmmods farsync Greg Kroah-Hartman
` (538 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 6cee96e09df54ae17784c0f38a49e0ed8229b825 ]
It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.
It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is free reason, dev_kfree_skb_irq() means
the SKB is dropped in error and dev_consume_skb_irq() means the SKB
is consumed in normal.
In this case, dev_kfree_skb() is called in free_tx_buffers() to drop
the SKBs in tx buffers, when the card is down, so replace it with
dev_kfree_skb_irq() here.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/neterion/s2io.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c
index 8a30be698f99..ff46b08ac1f4 100644
--- a/drivers/net/ethernet/neterion/s2io.c
+++ b/drivers/net/ethernet/neterion/s2io.c
@@ -2384,7 +2384,7 @@ static void free_tx_buffers(struct s2io_nic *nic)
skb = s2io_txdl_getskb(&mac_control->fifos[i], txdp, j);
if (skb) {
swstats->mem_freed += skb->truesize;
- dev_kfree_skb(skb);
+ dev_kfree_skb_irq(skb);
cnt++;
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 255/783] net: farsync: Fix kmemleak when rmmods farsync
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 254/783] ethernet: s2io: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 256/783] net/tunnel: wait until all sk_user_data reader finish before releasing the sock Greg Kroah-Hartman
` (537 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Zetao, Jiri Pirko,
David S. Miller, Sasha Levin
From: Li Zetao <lizetao1@huawei.com>
[ Upstream commit 2f623aaf9f31de968dea6169849706a2f9be444c ]
There are two memory leaks reported by kmemleak:
unreferenced object 0xffff888114b20200 (size 128):
comm "modprobe", pid 4846, jiffies 4295146524 (age 401.345s)
hex dump (first 32 bytes):
e0 62 57 09 81 88 ff ff e0 62 57 09 81 88 ff ff .bW......bW.....
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
[<ffffffff83d35c78>] __hw_addr_add_ex+0x198/0x6c0
[<ffffffff83d3989d>] dev_addr_init+0x13d/0x230
[<ffffffff83d1063d>] alloc_netdev_mqs+0x10d/0xe50
[<ffffffff82b4a06e>] alloc_hdlcdev+0x2e/0x80
[<ffffffffa016a741>] fst_add_one+0x601/0x10e0 [farsync]
...
unreferenced object 0xffff88810b85b000 (size 1024):
comm "modprobe", pid 4846, jiffies 4295146523 (age 401.346s)
hex dump (first 32 bytes):
00 00 b0 02 00 c9 ff ff 00 70 0a 00 00 c9 ff ff .........p......
00 00 00 f2 00 00 00 f3 0a 00 00 00 02 00 00 00 ................
backtrace:
[<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
[<ffffffffa016a294>] fst_add_one+0x154/0x10e0 [farsync]
[<ffffffff82060e83>] local_pci_probe+0xd3/0x170
...
The root cause is traced to the netdev and fst_card_info are not freed
when removes one fst in fst_remove_one(), which may trigger oom if
repeated insmod and rmmod module.
Fix it by adding free_netdev() and kfree() in fst_remove_one(), just as
the operations on the error handling path in fst_add_one().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wan/farsync.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c
index b50cf11d197d..36a6958b6a0b 100644
--- a/drivers/net/wan/farsync.c
+++ b/drivers/net/wan/farsync.c
@@ -2612,6 +2612,7 @@ fst_remove_one(struct pci_dev *pdev)
for (i = 0; i < card->nports; i++) {
struct net_device *dev = port_to_dev(&card->ports[i]);
unregister_hdlc_device(dev);
+ free_netdev(dev);
}
fst_disable_intr(card);
@@ -2632,6 +2633,7 @@ fst_remove_one(struct pci_dev *pdev)
card->tx_dma_handle_card);
}
fst_card_array[card->card_no] = NULL;
+ kfree(card);
}
static struct pci_driver fst_driver = {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 256/783] net/tunnel: wait until all sk_user_data reader finish before releasing the sock
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 255/783] net: farsync: Fix kmemleak when rmmods farsync Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 257/783] net: apple: mace: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
` (536 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianlin Shi, Jakub Sitnicki,
Hangbin Liu, Jiri Pirko, David S. Miller, Sasha Levin
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 3cf7203ca620682165706f70a1b12b5194607dce ]
There is a race condition in vxlan that when deleting a vxlan device
during receiving packets, there is a possibility that the sock is
released after getting vxlan_sock vs from sk_user_data. Then in
later vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got
NULL pointer dereference. e.g.
#0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757
#1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d
#2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48
#3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b
#4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb
#5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542
#6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62
[exception RIP: vxlan_ecn_decapsulate+0x3b]
RIP: ffffffffc1014e7b RSP: ffffa25ec6978cb0 RFLAGS: 00010246
RAX: 0000000000000008 RBX: ffff8aa000888000 RCX: 0000000000000000
RDX: 000000000000000e RSI: ffff8a9fc7ab803e RDI: ffff8a9fd1168700
RBP: ffff8a9fc7ab803e R8: 0000000000700000 R9: 00000000000010ae
R10: ffff8a9fcb748980 R11: 0000000000000000 R12: ffff8a9fd1168700
R13: ffff8aa000888000 R14: 00000000002a0000 R15: 00000000000010ae
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan]
#8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507
#9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45
#10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807
#11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951
#12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde
#13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b
#14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139
#15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a
#16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3
#17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca
#18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3
Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh
Fix this by waiting for all sk_user_data reader to finish before
releasing the sock.
Reported-by: Jianlin Shi <jishi@redhat.com>
Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
Fixes: 6a93cc905274 ("udp-tunnel: Add a few more UDP tunnel APIs")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/udp_tunnel_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/udp_tunnel_core.c b/net/ipv4/udp_tunnel_core.c
index 3eecba0874aa..d70f683d3c49 100644
--- a/net/ipv4/udp_tunnel_core.c
+++ b/net/ipv4/udp_tunnel_core.c
@@ -194,6 +194,7 @@ EXPORT_SYMBOL_GPL(udp_tunnel_xmit_skb);
void udp_tunnel_sock_release(struct socket *sock)
{
rcu_assign_sk_user_data(sock->sk, NULL);
+ synchronize_rcu();
kernel_sock_shutdown(sock, SHUT_RDWR);
sock_release(sock);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 257/783] net: apple: mace: dont call dev_kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 256/783] net/tunnel: wait until all sk_user_data reader finish before releasing the sock Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 258/783] net: apple: bmac: " Greg Kroah-Hartman
` (535 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 3dfe3486c1cd4f82b466b7d307f23777137b8acc ]
It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.
It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is free reason, dev_kfree_skb_irq() means
the SKB is dropped in error and dev_consume_skb_irq() means the SKB
is consumed in normal.
In this case, dev_kfree_skb() is called in mace_tx_timeout() to drop
the SKB, when tx timeout, so replace it with dev_kfree_skb_irq().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/apple/mace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/apple/mace.c b/drivers/net/ethernet/apple/mace.c
index 9e5006e59215..6f6530c29166 100644
--- a/drivers/net/ethernet/apple/mace.c
+++ b/drivers/net/ethernet/apple/mace.c
@@ -841,7 +841,7 @@ static void mace_tx_timeout(struct timer_list *t)
if (mp->tx_bad_runt) {
mp->tx_bad_runt = 0;
} else if (i != mp->tx_fill) {
- dev_kfree_skb(mp->tx_bufs[i]);
+ dev_kfree_skb_irq(mp->tx_bufs[i]);
if (++i >= N_TX_RING)
i = 0;
mp->tx_empty = i;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 258/783] net: apple: bmac: dont call dev_kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 257/783] net: apple: mace: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 259/783] net: emaclite: " Greg Kroah-Hartman
` (534 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 5fe02e046e6422c4adfdbc50206ec7186077da24 ]
It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.
It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is free reason, dev_kfree_skb_irq() means
the SKB is dropped in error and dev_consume_skb_irq() means the SKB
is consumed in normal.
In this case, dev_kfree_skb() is called in bmac_tx_timeout() to drop
the SKB, when tx timeout, so replace it with dev_kfree_skb_irq().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/apple/bmac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c
index 1e4e402f07d7..dd6c44f5f925 100644
--- a/drivers/net/ethernet/apple/bmac.c
+++ b/drivers/net/ethernet/apple/bmac.c
@@ -1511,7 +1511,7 @@ static void bmac_tx_timeout(struct timer_list *t)
i = bp->tx_empty;
++dev->stats.tx_errors;
if (i != bp->tx_fill) {
- dev_kfree_skb(bp->tx_bufs[i]);
+ dev_kfree_skb_irq(bp->tx_bufs[i]);
bp->tx_bufs[i] = NULL;
if (++i >= N_TX_RING) i = 0;
bp->tx_empty = i;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 259/783] net: emaclite: dont call dev_kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 258/783] net: apple: bmac: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 260/783] net: ethernet: dnet: " Greg Kroah-Hartman
` (533 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit d1678bf45f21fa5ae4a456f821858679556ea5f8 ]
It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.
It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is free reason, dev_kfree_skb_irq() means
the SKB is dropped in error and dev_consume_skb_irq() means the SKB
is consumed in normal.
In this case, dev_kfree_skb() is called in xemaclite_tx_timeout() to
drop the SKB, when tx timeout, so replace it with dev_kfree_skb_irq().
Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
index f6ea4a0ad5df..02b95afe2506 100644
--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
@@ -541,7 +541,7 @@ static void xemaclite_tx_timeout(struct net_device *dev, unsigned int txqueue)
xemaclite_enable_interrupts(lp);
if (lp->deferred_skb) {
- dev_kfree_skb(lp->deferred_skb);
+ dev_kfree_skb_irq(lp->deferred_skb);
lp->deferred_skb = NULL;
dev->stats.tx_errors++;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 260/783] net: ethernet: dnet: dont call dev_kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 259/783] net: emaclite: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 261/783] hamradio: " Greg Kroah-Hartman
` (532 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit f07fadcbee2a5e84caa67c7c445424200bffb60b ]
It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.
In this case, the lock is used to protected 'bp', so we can move
dev_kfree_skb() after the spin_unlock_irqrestore().
Fixes: 4796417417a6 ("dnet: Dave DNET ethernet controller driver (updated)")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/dnet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/dnet.c b/drivers/net/ethernet/dnet.c
index 48c6eb142dcc..05a0cc583f8a 100644
--- a/drivers/net/ethernet/dnet.c
+++ b/drivers/net/ethernet/dnet.c
@@ -550,11 +550,11 @@ static netdev_tx_t dnet_start_xmit(struct sk_buff *skb, struct net_device *dev)
skb_tx_timestamp(skb);
+ spin_unlock_irqrestore(&bp->lock, flags);
+
/* free the buffer */
dev_kfree_skb(skb);
- spin_unlock_irqrestore(&bp->lock, flags);
-
return NETDEV_TX_OK;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 261/783] hamradio: dont call dev_kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 260/783] net: ethernet: dnet: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 262/783] net: amd: lance: " Greg Kroah-Hartman
` (531 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 3727f742915f04f6fc550b80cf406999bd4e90d0 ]
It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.
It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is free reason, dev_kfree_skb_irq() means
the SKB is dropped in error and dev_consume_skb_irq() means the SKB
is consumed in normal.
In scc_discard_buffers(), dev_kfree_skb() is called to discard the SKBs,
so replace it with dev_kfree_skb_irq().
In scc_net_tx(), dev_kfree_skb() is called to drop the SKB that exceed
queue length, so replace it with dev_kfree_skb_irq().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/hamradio/scc.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/hamradio/scc.c b/drivers/net/hamradio/scc.c
index 36eeb80406f2..eeb6c47d8167 100644
--- a/drivers/net/hamradio/scc.c
+++ b/drivers/net/hamradio/scc.c
@@ -300,12 +300,12 @@ static inline void scc_discard_buffers(struct scc_channel *scc)
spin_lock_irqsave(&scc->lock, flags);
if (scc->tx_buff != NULL)
{
- dev_kfree_skb(scc->tx_buff);
+ dev_kfree_skb_irq(scc->tx_buff);
scc->tx_buff = NULL;
}
while (!skb_queue_empty(&scc->tx_queue))
- dev_kfree_skb(skb_dequeue(&scc->tx_queue));
+ dev_kfree_skb_irq(skb_dequeue(&scc->tx_queue));
spin_unlock_irqrestore(&scc->lock, flags);
}
@@ -1667,7 +1667,7 @@ static netdev_tx_t scc_net_tx(struct sk_buff *skb, struct net_device *dev)
if (skb_queue_len(&scc->tx_queue) > scc->dev->tx_queue_len) {
struct sk_buff *skb_del;
skb_del = skb_dequeue(&scc->tx_queue);
- dev_kfree_skb(skb_del);
+ dev_kfree_skb_irq(skb_del);
}
skb_queue_tail(&scc->tx_queue, skb);
netif_trans_update(dev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 262/783] net: amd: lance: dont call dev_kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 261/783] hamradio: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 263/783] net: amd-xgbe: Fix logic around active and passive cables Greg Kroah-Hartman
` (530 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, David S. Miller,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 6151d105dfce8c23edf30eed35e97f3d9b96a35c ]
It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.
It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is free reason, dev_kfree_skb_irq() means
the SKB is dropped in error and dev_consume_skb_irq() means the SKB
is consumed in normal.
In these two cases, dev_kfree_skb() is called consume the xmited SKB,
so replace it with dev_consume_skb_irq().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/atarilance.c | 2 +-
drivers/net/ethernet/amd/lance.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/amd/atarilance.c b/drivers/net/ethernet/amd/atarilance.c
index 961796abab35..5e8b72db8873 100644
--- a/drivers/net/ethernet/amd/atarilance.c
+++ b/drivers/net/ethernet/amd/atarilance.c
@@ -825,7 +825,7 @@ lance_start_xmit(struct sk_buff *skb, struct net_device *dev)
lp->memcpy_f( PKTBUF_ADDR(head), (void *)skb->data, skb->len );
head->flag = TMD1_OWN_CHIP | TMD1_ENP | TMD1_STP;
dev->stats.tx_bytes += skb->len;
- dev_kfree_skb( skb );
+ dev_consume_skb_irq(skb);
lp->cur_tx++;
while( lp->cur_tx >= TX_RING_SIZE && lp->dirty_tx >= TX_RING_SIZE ) {
lp->cur_tx -= TX_RING_SIZE;
diff --git a/drivers/net/ethernet/amd/lance.c b/drivers/net/ethernet/amd/lance.c
index aff44241988c..9dae225b7fd5 100644
--- a/drivers/net/ethernet/amd/lance.c
+++ b/drivers/net/ethernet/amd/lance.c
@@ -997,7 +997,7 @@ static netdev_tx_t lance_start_xmit(struct sk_buff *skb,
skb_copy_from_linear_data(skb, &lp->tx_bounce_buffs[entry], skb->len);
lp->tx_ring[entry].base =
((u32)isa_virt_to_bus((lp->tx_bounce_buffs + entry)) & 0xffffff) | 0x83000000;
- dev_kfree_skb(skb);
+ dev_consume_skb_irq(skb);
} else {
lp->tx_skbuff[entry] = skb;
lp->tx_ring[entry].base = ((u32)isa_virt_to_bus(skb->data) & 0xffffff) | 0x83000000;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 263/783] net: amd-xgbe: Fix logic around active and passive cables
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 262/783] net: amd: lance: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 264/783] net: amd-xgbe: Check only the minimum speed for active/passive cables Greg Kroah-Hartman
` (529 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Lendacky, David S. Miller, Sasha Levin
From: Tom Lendacky <thomas.lendacky@amd.com>
[ Upstream commit 4998006c73afe44e2f639d55bd331c6c26eb039f ]
SFP+ active and passive cables are copper cables with fixed SFP+ end
connectors. Due to a misinterpretation of this, SFP+ active cables could
end up not being recognized, causing the driver to fail to establish a
connection.
Introduce a new enum in SFP+ cable types, XGBE_SFP_CABLE_FIBER, that is
the default cable type, and handle active and passive cables when they are
specifically detected.
Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules")
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
index a7166cd1179f..a9a734454973 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
@@ -189,6 +189,7 @@ enum xgbe_sfp_cable {
XGBE_SFP_CABLE_UNKNOWN = 0,
XGBE_SFP_CABLE_ACTIVE,
XGBE_SFP_CABLE_PASSIVE,
+ XGBE_SFP_CABLE_FIBER,
};
enum xgbe_sfp_base {
@@ -1149,16 +1150,18 @@ static void xgbe_phy_sfp_parse_eeprom(struct xgbe_prv_data *pdata)
phy_data->sfp_tx_fault = xgbe_phy_check_sfp_tx_fault(phy_data);
phy_data->sfp_rx_los = xgbe_phy_check_sfp_rx_los(phy_data);
- /* Assume ACTIVE cable unless told it is PASSIVE */
+ /* Assume FIBER cable unless told otherwise */
if (sfp_base[XGBE_SFP_BASE_CABLE] & XGBE_SFP_BASE_CABLE_PASSIVE) {
phy_data->sfp_cable = XGBE_SFP_CABLE_PASSIVE;
phy_data->sfp_cable_len = sfp_base[XGBE_SFP_BASE_CU_CABLE_LEN];
- } else {
+ } else if (sfp_base[XGBE_SFP_BASE_CABLE] & XGBE_SFP_BASE_CABLE_ACTIVE) {
phy_data->sfp_cable = XGBE_SFP_CABLE_ACTIVE;
+ } else {
+ phy_data->sfp_cable = XGBE_SFP_CABLE_FIBER;
}
/* Determine the type of SFP */
- if (phy_data->sfp_cable == XGBE_SFP_CABLE_PASSIVE &&
+ if (phy_data->sfp_cable != XGBE_SFP_CABLE_FIBER &&
xgbe_phy_sfp_bit_rate(sfp_eeprom, XGBE_SFP_SPEED_10000))
phy_data->sfp_base = XGBE_SFP_BASE_10000_CR;
else if (sfp_base[XGBE_SFP_BASE_10GBE_CC] & XGBE_SFP_BASE_10GBE_CC_SR)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 264/783] net: amd-xgbe: Check only the minimum speed for active/passive cables
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 263/783] net: amd-xgbe: Fix logic around active and passive cables Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 265/783] can: tcan4x5x: Remove invalid write in clear_interrupts Greg Kroah-Hartman
` (528 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Lendacky, David S. Miller, Sasha Levin
From: Tom Lendacky <thomas.lendacky@amd.com>
[ Upstream commit f8ab263d4d48e6dab752029bf562f20a2ee630ed ]
There are cables that exist that can support speeds in excess of 10GbE.
The driver, however, restricts the EEPROM advertised nominal bitrate to
a specific range, which can prevent usage of cables that can support,
for example, up to 25GbE.
Rather than checking that an active or passive cable supports a specific
range, only check for a minimum supported speed.
Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules")
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
index a9a734454973..97e32c0490f8 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
@@ -237,10 +237,7 @@ enum xgbe_sfp_speed {
#define XGBE_SFP_BASE_BR 12
#define XGBE_SFP_BASE_BR_1GBE_MIN 0x0a
-#define XGBE_SFP_BASE_BR_1GBE_MAX 0x0d
#define XGBE_SFP_BASE_BR_10GBE_MIN 0x64
-#define XGBE_SFP_BASE_BR_10GBE_MAX 0x68
-#define XGBE_MOLEX_SFP_BASE_BR_10GBE_MAX 0x78
#define XGBE_SFP_BASE_CU_CABLE_LEN 18
@@ -827,29 +824,22 @@ static void xgbe_phy_sfp_phy_settings(struct xgbe_prv_data *pdata)
static bool xgbe_phy_sfp_bit_rate(struct xgbe_sfp_eeprom *sfp_eeprom,
enum xgbe_sfp_speed sfp_speed)
{
- u8 *sfp_base, min, max;
+ u8 *sfp_base, min;
sfp_base = sfp_eeprom->base;
switch (sfp_speed) {
case XGBE_SFP_SPEED_1000:
min = XGBE_SFP_BASE_BR_1GBE_MIN;
- max = XGBE_SFP_BASE_BR_1GBE_MAX;
break;
case XGBE_SFP_SPEED_10000:
min = XGBE_SFP_BASE_BR_10GBE_MIN;
- if (memcmp(&sfp_eeprom->base[XGBE_SFP_BASE_VENDOR_NAME],
- XGBE_MOLEX_VENDOR, XGBE_SFP_BASE_VENDOR_NAME_LEN) == 0)
- max = XGBE_MOLEX_SFP_BASE_BR_10GBE_MAX;
- else
- max = XGBE_SFP_BASE_BR_10GBE_MAX;
break;
default:
return false;
}
- return ((sfp_base[XGBE_SFP_BASE_BR] >= min) &&
- (sfp_base[XGBE_SFP_BASE_BR] <= max));
+ return sfp_base[XGBE_SFP_BASE_BR] >= min;
}
static void xgbe_phy_free_phy_device(struct xgbe_prv_data *pdata)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 265/783] can: tcan4x5x: Remove invalid write in clear_interrupts
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 264/783] net: amd-xgbe: Check only the minimum speed for active/passive cables Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 266/783] net: lan9303: Fix read error execution path Greg Kroah-Hartman
` (527 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markus Schneider-Pargmann,
Marc Kleine-Budde, Sasha Levin
From: Markus Schneider-Pargmann <msp@baylibre.com>
[ Upstream commit 40c9e4f676abbe194541d88e796341c92d5a13c0 ]
Register 0x824 TCAN4X5X_MCAN_INT_REG is a read-only register. Any writes
to this register do not have any effect.
Remove this write. The m_can driver aldready clears the interrupts in
m_can_isr() by writing to M_CAN_IR which is translated to register
0x1050 which is a writable version of this register.
Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel")
Signed-off-by: Markus Schneider-Pargmann <msp@baylibre.com>
Link: https://lore.kernel.org/all/20221206115728.1056014-9-msp@baylibre.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/m_can/tcan4x5x.c | 5 -----
1 file changed, 5 deletions(-)
diff --git a/drivers/net/can/m_can/tcan4x5x.c b/drivers/net/can/m_can/tcan4x5x.c
index f169d9090e52..f903f78af087 100644
--- a/drivers/net/can/m_can/tcan4x5x.c
+++ b/drivers/net/can/m_can/tcan4x5x.c
@@ -294,11 +294,6 @@ static int tcan4x5x_clear_interrupts(struct m_can_classdev *cdev)
if (ret)
return ret;
- ret = tcan4x5x_write_tcan_reg(cdev, TCAN4X5X_MCAN_INT_REG,
- TCAN4X5X_ENABLE_MCAN_INT);
- if (ret)
- return ret;
-
ret = tcan4x5x_write_tcan_reg(cdev, TCAN4X5X_INT_FLAGS,
TCAN4X5X_CLEAR_ALL_INT);
if (ret)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 266/783] net: lan9303: Fix read error execution path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 265/783] can: tcan4x5x: Remove invalid write in clear_interrupts Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 267/783] ntb_netdev: Use dev_kfree_skb_any() in interrupt context Greg Kroah-Hartman
` (526 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jerry Ray, Vladimir Oltean,
Florian Fainelli, Jakub Kicinski, Sasha Levin
From: Jerry Ray <jerry.ray@microchip.com>
[ Upstream commit 8964916d206071b058c6351f88b1966bd58cbde0 ]
This patch fixes an issue where a read failure of a port statistic counter
will return unknown results. While it is highly unlikely the read will
ever fail, it is much cleaner to return a zero for the stat count.
Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303")
Signed-off-by: Jerry Ray <jerry.ray@microchip.com>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/20221209153502.7429-1-jerry.ray@microchip.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/dsa/lan9303-core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
index c79bb8cf962c..deeed50a42c0 100644
--- a/drivers/net/dsa/lan9303-core.c
+++ b/drivers/net/dsa/lan9303-core.c
@@ -1002,9 +1002,11 @@ static void lan9303_get_ethtool_stats(struct dsa_switch *ds, int port,
ret = lan9303_read_switch_port(
chip, port, lan9303_mib[u].offset, ®);
- if (ret)
+ if (ret) {
dev_warn(chip->dev, "Reading status port %d reg %u failed\n",
port, lan9303_mib[u].offset);
+ reg = 0;
+ }
data[u] = reg;
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 267/783] ntb_netdev: Use dev_kfree_skb_any() in interrupt context
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 266/783] net: lan9303: Fix read error execution path Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 268/783] sctp: sysctl: make extra pointers netns aware Greg Kroah-Hartman
` (525 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Pilmore, Dave Jiang,
Jakub Kicinski, Sasha Levin
From: Eric Pilmore <epilmore@gigaio.com>
[ Upstream commit 5f7d78b2b12a9d561f48fa00bab29b40f4616dad ]
TX/RX callback handlers (ntb_netdev_tx_handler(),
ntb_netdev_rx_handler()) can be called in interrupt
context via the DMA framework when the respective
DMA operations have completed. As such, any calls
by these routines to free skb's, should use the
interrupt context safe dev_kfree_skb_any() function.
Previously, these callback handlers would call the
interrupt unsafe version of dev_kfree_skb(). This has
not presented an issue on Intel IOAT DMA engines as
that driver utilizes tasklets rather than a hard
interrupt handler, like the AMD PTDMA DMA driver.
On AMD systems, a kernel WARNING message is
encountered, which is being issued from
skb_release_head_state() due to in_hardirq()
being true.
Besides the user visible WARNING from the kernel,
the other symptom of this bug was that TCP/IP performance
across the ntb_netdev interface was very poor, i.e.
approximately an order of magnitude below what was
expected. With the repair to use dev_kfree_skb_any(),
kernel WARNINGs from skb_release_head_state() ceased
and TCP/IP performance, as measured by iperf, was on
par with expected results, approximately 20 Gb/s on
AMD Milan based server. Note that this performance
is comparable with Intel based servers.
Fixes: 765ccc7bc3d91 ("ntb_netdev: correct skb leak")
Fixes: 548c237c0a997 ("net: Add support for NTB virtual ethernet device")
Signed-off-by: Eric Pilmore <epilmore@gigaio.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20221209000659.8318-1-epilmore@gigaio.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ntb_netdev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c
index 1b7d588ff3c5..b701ee83e64a 100644
--- a/drivers/net/ntb_netdev.c
+++ b/drivers/net/ntb_netdev.c
@@ -137,7 +137,7 @@ static void ntb_netdev_rx_handler(struct ntb_transport_qp *qp, void *qp_data,
enqueue_again:
rc = ntb_transport_rx_enqueue(qp, skb, skb->data, ndev->mtu + ETH_HLEN);
if (rc) {
- dev_kfree_skb(skb);
+ dev_kfree_skb_any(skb);
ndev->stats.rx_errors++;
ndev->stats.rx_fifo_errors++;
}
@@ -192,7 +192,7 @@ static void ntb_netdev_tx_handler(struct ntb_transport_qp *qp, void *qp_data,
ndev->stats.tx_aborted_errors++;
}
- dev_kfree_skb(skb);
+ dev_kfree_skb_any(skb);
if (ntb_transport_tx_free_entry(dev->qp) >= tx_start) {
/* Make sure anybody stopping the queue after this sees the new
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 268/783] sctp: sysctl: make extra pointers netns aware
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 267/783] ntb_netdev: Use dev_kfree_skb_any() in interrupt context Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 269/783] Bluetooth: btusb: dont call kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
` (524 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcelo Ricardo Leitner,
Jakub Kicinski, Firo Yang, Sasha Levin
From: Firo Yang <firo.yang@suse.com>
[ Upstream commit da05cecc4939c0410d56c29e252998b192756318 ]
Recently, a customer reported that from their container whose
net namespace is different to the host's init_net, they can't set
the container's net.sctp.rto_max to any value smaller than
init_net.sctp.rto_min.
For instance,
Host:
sudo sysctl net.sctp.rto_min
net.sctp.rto_min = 1000
Container:
echo 100 > /mnt/proc-net/sctp/rto_min
echo 400 > /mnt/proc-net/sctp/rto_max
echo: write error: Invalid argument
This is caused by the check made from this'commit 4f3fdf3bc59c
("sctp: add check rto_min and rto_max in sysctl")'
When validating the input value, it's always referring the boundary
value set for the init_net namespace.
Having container's rto_max smaller than host's init_net.sctp.rto_min
does make sense. Consider that the rto between two containers on the
same host is very likely smaller than it for two hosts.
So to fix this problem, as suggested by Marcelo, this patch makes the
extra pointers of rto_min, rto_max, pf_retrans, and ps_retrans point
to the corresponding variables from the newly created net namespace while
the new net namespace is being registered in sctp_sysctl_net_register.
Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl")
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Firo Yang <firo.yang@suse.com>
Link: https://lore.kernel.org/r/20221209054854.23889-1-firo.yang@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/sysctl.c | 73 ++++++++++++++++++++++++++++-------------------
1 file changed, 44 insertions(+), 29 deletions(-)
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index c16c80963e55..e4af050aec1b 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -79,17 +79,18 @@ static struct ctl_table sctp_table[] = {
{ /* sentinel */ }
};
+/* The following index defines are used in sctp_sysctl_net_register().
+ * If you add new items to the sctp_net_table, please ensure that
+ * the index values of these defines hold the same meaning indicated by
+ * their macro names when they appear in sctp_net_table.
+ */
+#define SCTP_RTO_MIN_IDX 0
+#define SCTP_RTO_MAX_IDX 1
+#define SCTP_PF_RETRANS_IDX 2
+#define SCTP_PS_RETRANS_IDX 3
+
static struct ctl_table sctp_net_table[] = {
- {
- .procname = "rto_initial",
- .data = &init_net.sctp.rto_initial,
- .maxlen = sizeof(unsigned int),
- .mode = 0644,
- .proc_handler = proc_dointvec_minmax,
- .extra1 = SYSCTL_ONE,
- .extra2 = &timer_max
- },
- {
+ [SCTP_RTO_MIN_IDX] = {
.procname = "rto_min",
.data = &init_net.sctp.rto_min,
.maxlen = sizeof(unsigned int),
@@ -98,7 +99,7 @@ static struct ctl_table sctp_net_table[] = {
.extra1 = SYSCTL_ONE,
.extra2 = &init_net.sctp.rto_max
},
- {
+ [SCTP_RTO_MAX_IDX] = {
.procname = "rto_max",
.data = &init_net.sctp.rto_max,
.maxlen = sizeof(unsigned int),
@@ -107,6 +108,33 @@ static struct ctl_table sctp_net_table[] = {
.extra1 = &init_net.sctp.rto_min,
.extra2 = &timer_max
},
+ [SCTP_PF_RETRANS_IDX] = {
+ .procname = "pf_retrans",
+ .data = &init_net.sctp.pf_retrans,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &init_net.sctp.ps_retrans,
+ },
+ [SCTP_PS_RETRANS_IDX] = {
+ .procname = "ps_retrans",
+ .data = &init_net.sctp.ps_retrans,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &init_net.sctp.pf_retrans,
+ .extra2 = &ps_retrans_max,
+ },
+ {
+ .procname = "rto_initial",
+ .data = &init_net.sctp.rto_initial,
+ .maxlen = sizeof(unsigned int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = SYSCTL_ONE,
+ .extra2 = &timer_max
+ },
{
.procname = "rto_alpha_exp_divisor",
.data = &init_net.sctp.rto_alpha,
@@ -202,24 +230,6 @@ static struct ctl_table sctp_net_table[] = {
.extra1 = SYSCTL_ONE,
.extra2 = SYSCTL_INT_MAX,
},
- {
- .procname = "pf_retrans",
- .data = &init_net.sctp.pf_retrans,
- .maxlen = sizeof(int),
- .mode = 0644,
- .proc_handler = proc_dointvec_minmax,
- .extra1 = SYSCTL_ZERO,
- .extra2 = &init_net.sctp.ps_retrans,
- },
- {
- .procname = "ps_retrans",
- .data = &init_net.sctp.ps_retrans,
- .maxlen = sizeof(int),
- .mode = 0644,
- .proc_handler = proc_dointvec_minmax,
- .extra1 = &init_net.sctp.pf_retrans,
- .extra2 = &ps_retrans_max,
- },
{
.procname = "sndbuf_policy",
.data = &init_net.sctp.sndbuf_policy,
@@ -489,6 +499,11 @@ int sctp_sysctl_net_register(struct net *net)
for (i = 0; table[i].data; i++)
table[i].data += (char *)(&net->sctp) - (char *)&init_net.sctp;
+ table[SCTP_RTO_MIN_IDX].extra2 = &net->sctp.rto_max;
+ table[SCTP_RTO_MAX_IDX].extra1 = &net->sctp.rto_min;
+ table[SCTP_PF_RETRANS_IDX].extra2 = &net->sctp.ps_retrans;
+ table[SCTP_PS_RETRANS_IDX].extra1 = &net->sctp.pf_retrans;
+
net->sctp.sysctl_header = register_net_sysctl(net, "net/sctp", table);
if (net->sctp.sysctl_header == NULL) {
kfree(table);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 269/783] Bluetooth: btusb: dont call kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 268/783] sctp: sysctl: make extra pointers netns aware Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 270/783] Bluetooth: hci_qca: " Greg Kroah-Hartman
` (523 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
Luiz Augusto von Dentz, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit b15a6bd3c80c77faec8317319b97f976b1a08332 ]
It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().
Fixes: 803b58367ffb ("Bluetooth: btusb: Implement driver internal packet reassembly")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 54001ad5de9f..3d905fda9b29 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -661,13 +661,13 @@ static inline void btusb_free_frags(struct btusb_data *data)
spin_lock_irqsave(&data->rxlock, flags);
- kfree_skb(data->evt_skb);
+ dev_kfree_skb_irq(data->evt_skb);
data->evt_skb = NULL;
- kfree_skb(data->acl_skb);
+ dev_kfree_skb_irq(data->acl_skb);
data->acl_skb = NULL;
- kfree_skb(data->sco_skb);
+ dev_kfree_skb_irq(data->sco_skb);
data->sco_skb = NULL;
spin_unlock_irqrestore(&data->rxlock, flags);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 270/783] Bluetooth: hci_qca: dont call kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 269/783] Bluetooth: btusb: dont call kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 271/783] Bluetooth: hci_ll: " Greg Kroah-Hartman
` (522 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
Luiz Augusto von Dentz, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit df4cfc91208e0a98f078223793f5871b1a82cc54 ]
It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().
Fixes: 0ff252c1976d ("Bluetooth: hciuart: Add support QCA chipset for UART")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_qca.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index eea18aed17f8..60b0e13bb9fc 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -905,7 +905,7 @@ static int qca_enqueue(struct hci_uart *hu, struct sk_buff *skb)
default:
BT_ERR("Illegal tx state: %d (losing packet)",
qca->tx_ibs_state);
- kfree_skb(skb);
+ dev_kfree_skb_irq(skb);
break;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 271/783] Bluetooth: hci_ll: dont call kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 270/783] Bluetooth: hci_qca: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 272/783] Bluetooth: hci_h5: " Greg Kroah-Hartman
` (521 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
Luiz Augusto von Dentz, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 8f458f783dfbb19c1f1cb58ed06eeb701f52091b ]
It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().
Fixes: 166d2f6a4332 ("[Bluetooth] Add UART driver for Texas Instruments' BRF63xx chips")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_ll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c
index 8bfe024d1fcd..7495ca34c9e7 100644
--- a/drivers/bluetooth/hci_ll.c
+++ b/drivers/bluetooth/hci_ll.c
@@ -345,7 +345,7 @@ static int ll_enqueue(struct hci_uart *hu, struct sk_buff *skb)
default:
BT_ERR("illegal hcill state: %ld (losing packet)",
ll->hcill_state);
- kfree_skb(skb);
+ dev_kfree_skb_irq(skb);
break;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 272/783] Bluetooth: hci_h5: dont call kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 271/783] Bluetooth: hci_ll: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 273/783] Bluetooth: hci_bcsp: " Greg Kroah-Hartman
` (520 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
Luiz Augusto von Dentz, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 383630cc6758d619874c2e8bb2f68a61f3f9ef6e ]
It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().
Fixes: 43eb12d78960 ("Bluetooth: Fix/implement Three-wire reliable packet sending")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_h5.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c
index 996729e78105..7f70a677b92b 100644
--- a/drivers/bluetooth/hci_h5.c
+++ b/drivers/bluetooth/hci_h5.c
@@ -299,7 +299,7 @@ static void h5_pkt_cull(struct h5 *h5)
break;
__skb_unlink(skb, &h5->unack);
- kfree_skb(skb);
+ dev_kfree_skb_irq(skb);
}
if (skb_queue_empty(&h5->unack))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 273/783] Bluetooth: hci_bcsp: dont call kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 272/783] Bluetooth: hci_h5: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 274/783] Bluetooth: hci_core: " Greg Kroah-Hartman
` (519 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
Luiz Augusto von Dentz, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 7b503e339c1a80bf0051ec2d19c3bc777014ac61 ]
It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/hci_bcsp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c
index cf4a56095817..8055f63603f4 100644
--- a/drivers/bluetooth/hci_bcsp.c
+++ b/drivers/bluetooth/hci_bcsp.c
@@ -378,7 +378,7 @@ static void bcsp_pkt_cull(struct bcsp_struct *bcsp)
i++;
__skb_unlink(skb, &bcsp->unack);
- kfree_skb(skb);
+ dev_kfree_skb_irq(skb);
}
if (skb_queue_empty(&bcsp->unack))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 274/783] Bluetooth: hci_core: dont call kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 273/783] Bluetooth: hci_bcsp: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 275/783] Bluetooth: RFCOMM: " Greg Kroah-Hartman
` (518 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
Luiz Augusto von Dentz, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 39c1eb6fcbae8ce9bb71b2ac5cb609355a2b181b ]
It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().
Fixes: 9238f36a5a50 ("Bluetooth: Add request cmd_complete and cmd_status functions")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index f8aab38ab595..2af1477a05ca 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -4910,7 +4910,7 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status,
*req_complete_skb = bt_cb(skb)->hci.req_complete_skb;
else
*req_complete = bt_cb(skb)->hci.req_complete;
- kfree_skb(skb);
+ dev_kfree_skb_irq(skb);
}
spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 275/783] Bluetooth: RFCOMM: dont call kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 274/783] Bluetooth: hci_core: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 276/783] stmmac: fix potential division by 0 Greg Kroah-Hartman
` (517 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
Luiz Augusto von Dentz, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 0ba18967d4544955b2eff2fbc4f2a8750c4df90a ]
It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().
Fixes: 81be03e026dc ("Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/rfcomm/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 7324764384b6..8d6fce9005bd 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -590,7 +590,7 @@ int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
ret = rfcomm_dlc_send_frag(d, frag);
if (ret < 0) {
- kfree_skb(frag);
+ dev_kfree_skb_irq(frag);
goto unlock;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 276/783] stmmac: fix potential division by 0
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 275/783] Bluetooth: RFCOMM: " Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 277/783] apparmor: fix a memleak in multi_transaction_new() Greg Kroah-Hartman
` (516 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Piergiorgio Beruto, Andrew Lunn,
Jakub Kicinski, Sasha Levin
From: Piergiorgio Beruto <piergiorgio.beruto@gmail.com>
[ Upstream commit ede5a389852d3640a28e7187fb32b7f204380901 ]
When the MAC is connected to a 10 Mb/s PHY and the PTP clock is derived
from the MAC reference clock (default), the clk_ptp_rate becomes too
small and the calculated sub second increment becomes 0 when computed by
the stmmac_config_sub_second_increment() function within
stmmac_init_tstamp_counter().
Therefore, the subsequent div_u64 in stmmac_init_tstamp_counter()
operation triggers a divide by 0 exception as shown below.
[ 95.062067] socfpga-dwmac ff700000.ethernet eth0: Register MEM_TYPE_PAGE_POOL RxQ-0
[ 95.076440] socfpga-dwmac ff700000.ethernet eth0: PHY [stmmac-0:08] driver [NCN26000] (irq=49)
[ 95.095964] dwmac1000: Master AXI performs any burst length
[ 95.101588] socfpga-dwmac ff700000.ethernet eth0: No Safety Features support found
[ 95.109428] Division by zero in kernel.
[ 95.113447] CPU: 0 PID: 239 Comm: ifconfig Not tainted 6.1.0-rc7-centurion3-1.0.3.0-01574-gb624218205b7-dirty #77
[ 95.123686] Hardware name: Altera SOCFPGA
[ 95.127695] unwind_backtrace from show_stack+0x10/0x14
[ 95.132938] show_stack from dump_stack_lvl+0x40/0x4c
[ 95.137992] dump_stack_lvl from Ldiv0+0x8/0x10
[ 95.142527] Ldiv0 from __aeabi_uidivmod+0x8/0x18
[ 95.147232] __aeabi_uidivmod from div_u64_rem+0x1c/0x40
[ 95.152552] div_u64_rem from stmmac_init_tstamp_counter+0xd0/0x164
[ 95.158826] stmmac_init_tstamp_counter from stmmac_hw_setup+0x430/0xf00
[ 95.165533] stmmac_hw_setup from __stmmac_open+0x214/0x2d4
[ 95.171117] __stmmac_open from stmmac_open+0x30/0x44
[ 95.176182] stmmac_open from __dev_open+0x11c/0x134
[ 95.181172] __dev_open from __dev_change_flags+0x168/0x17c
[ 95.186750] __dev_change_flags from dev_change_flags+0x14/0x50
[ 95.192662] dev_change_flags from devinet_ioctl+0x2b4/0x604
[ 95.198321] devinet_ioctl from inet_ioctl+0x1ec/0x214
[ 95.203462] inet_ioctl from sock_ioctl+0x14c/0x3c4
[ 95.208354] sock_ioctl from vfs_ioctl+0x20/0x38
[ 95.212984] vfs_ioctl from sys_ioctl+0x250/0x844
[ 95.217691] sys_ioctl from ret_fast_syscall+0x0/0x4c
[ 95.222743] Exception stack(0xd0ee1fa8 to 0xd0ee1ff0)
[ 95.227790] 1fa0: 00574c4f be9aeca4 00000003 00008914 be9aeca4 be9aec50
[ 95.235945] 1fc0: 00574c4f be9aeca4 0059f078 00000036 be9aee8c be9aef7a 00000015 00000000
[ 95.244096] 1fe0: 005a01f0 be9aec38 004d7484 b6e67d74
Signed-off-by: Piergiorgio Beruto <piergiorgio.beruto@gmail.com>
Fixes: 91a2559c1dc5 ("net: stmmac: Fix sub-second increment")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/de4c64ccac9084952c56a06a8171d738604c4770.1670678513.git.piergiorgio.beruto@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 3 ++-
drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
index 53efcc9c40e2..0ad5ce874557 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c
@@ -44,7 +44,8 @@ static void config_sub_second_increment(void __iomem *ioaddr,
if (!(value & PTP_TCR_TSCTRLSSR))
data = (data * 1000) / 465;
- data &= PTP_SSIR_SSINC_MASK;
+ if (data > PTP_SSIR_SSINC_MAX)
+ data = PTP_SSIR_SSINC_MAX;
reg_value = data;
if (gmac4)
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
index 7abb1d47e7da..60e6b085e2f6 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h
@@ -61,7 +61,7 @@
#define PTP_TCR_TSENMACADDR BIT(18)
/* SSIR defines */
-#define PTP_SSIR_SSINC_MASK 0xff
+#define PTP_SSIR_SSINC_MAX 0xff
#define GMAC4_PTP_SSIR_SSINC_SHIFT 16
#endif /* __STMMAC_PTP_H__ */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 277/783] apparmor: fix a memleak in multi_transaction_new()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 276/783] stmmac: fix potential division by 0 Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 278/783] apparmor: fix lockdep warning when removing a namespace Greg Kroah-Hartman
` (515 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, John Johansen, Sasha Levin
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit c73275cf6834787ca090317f1d20dbfa3b7f05aa ]
In multi_transaction_new(), the variable t is not freed or passed out
on the failure of copy_from_user(t->data, buf, size), which could lead
to a memleak.
Fix this bug by adding a put_multi_transaction(t) in the error path.
Fixes: 1dea3b41e84c5 ("apparmor: speed up transactional queries")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/apparmor/apparmorfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index c173f6fd7aee..49d97b331abc 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -867,8 +867,10 @@ static struct multi_transaction *multi_transaction_new(struct file *file,
if (!t)
return ERR_PTR(-ENOMEM);
kref_init(&t->count);
- if (copy_from_user(t->data, buf, size))
+ if (copy_from_user(t->data, buf, size)) {
+ put_multi_transaction(t);
return ERR_PTR(-EFAULT);
+ }
return t;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 278/783] apparmor: fix lockdep warning when removing a namespace
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 277/783] apparmor: fix a memleak in multi_transaction_new() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 279/783] apparmor: Fix abi check to include v8 abi Greg Kroah-Hartman
` (514 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Johansen, Sasha Levin
From: John Johansen <john.johansen@canonical.com>
[ Upstream commit 9c4557efc558a68e4cd973490fd936d6e3414db8 ]
Fix the following lockdep warning
[ 1119.158984] ============================================
[ 1119.158988] WARNING: possible recursive locking detected
[ 1119.158996] 6.0.0-rc1+ #257 Tainted: G E N
[ 1119.158999] --------------------------------------------
[ 1119.159001] bash/80100 is trying to acquire lock:
[ 1119.159007] ffff88803e79b4a0 (&ns->lock/1){+.+.}-{4:4}, at: destroy_ns.part.0+0x43/0x140
[ 1119.159028]
but task is already holding lock:
[ 1119.159030] ffff8881009764a0 (&ns->lock/1){+.+.}-{4:4}, at: aa_remove_profiles+0x3f0/0x640
[ 1119.159040]
other info that might help us debug this:
[ 1119.159042] Possible unsafe locking scenario:
[ 1119.159043] CPU0
[ 1119.159045] ----
[ 1119.159047] lock(&ns->lock/1);
[ 1119.159051] lock(&ns->lock/1);
[ 1119.159055]
*** DEADLOCK ***
Which is caused by an incorrect lockdep nesting notation
Fixes: feb3c766a3ab ("apparmor: fix possible recursive lock warning in __aa_create_ns")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/apparmor/policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 4c010c9a6af1..fcf22577f606 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -1125,7 +1125,7 @@ ssize_t aa_remove_profiles(struct aa_ns *policy_ns, struct aa_label *subj,
if (!name) {
/* remove namespace - can only happen if fqname[0] == ':' */
- mutex_lock_nested(&ns->parent->lock, ns->level);
+ mutex_lock_nested(&ns->parent->lock, ns->parent->level);
__aa_bump_ns_revision(ns);
__aa_remove_ns(ns);
mutex_unlock(&ns->parent->lock);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 279/783] apparmor: Fix abi check to include v8 abi
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 278/783] apparmor: fix lockdep warning when removing a namespace Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 280/783] crypto: sun8i-ss - use dma_addr instead u32 Greg Kroah-Hartman
` (513 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, John Johansen, Sasha Levin
From: John Johansen <john.johansen@canonical.com>
[ Upstream commit 1b5a6198f5a9d0aa5497da0dc4bcd4fc166ee516 ]
The v8 abi is supported by the kernel but the userspace supported
version check does not allow for it. This was missed when v8 was added
due to a bug in the userspace compiler which was setting an older abi
version for v8 encoding (which is forward compatible except on the
network encoding). However it is possible to detect the network
encoding by checking the policydb network support which the code
does. The end result was that missing the abi flag worked until
userspace was fixed and began correctly checking for the v8 abi
version.
Fixes: 56974a6fcfef ("apparmor: add base infastructure for socket mediation")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/apparmor/policy_unpack.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index 556ef65ab6ee..519656e68582 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -964,7 +964,7 @@ static int verify_header(struct aa_ext *e, int required, const char **ns)
* if not specified use previous version
* Mask off everything that is not kernel abi version
*/
- if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v7)) {
+ if (VERSION_LT(e->version, v5) || VERSION_GT(e->version, v8)) {
audit_iface(NULL, NULL, NULL, "unsupported interface version",
e, error);
return error;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 280/783] crypto: sun8i-ss - use dma_addr instead u32
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 279/783] apparmor: Fix abi check to include v8 abi Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 281/783] crypto: nitrox - avoid double free on error path in nitrox_sriov_init() Greg Kroah-Hartman
` (512 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Corentin Labbe,
Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit 839b8ae2fc10f205317bcc32c9de18456756e1f5 ]
The DMA address need to be stored in a dma_addr_t
Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
index d0954993e2e3..49c7a8b464dd 100644
--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
@@ -105,7 +105,7 @@ static int sun8i_ss_setup_ivs(struct skcipher_request *areq)
unsigned int ivsize = crypto_skcipher_ivsize(tfm);
struct sun8i_ss_flow *sf = &ss->flows[rctx->flow];
int i = 0;
- u32 a;
+ dma_addr_t a;
int err;
rctx->ivlen = ivsize;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 281/783] crypto: nitrox - avoid double free on error path in nitrox_sriov_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 280/783] crypto: sun8i-ss - use dma_addr instead u32 Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 282/783] scsi: core: Fix a race between scsi_done() and scsi_timeout() Greg Kroah-Hartman
` (511 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Natalia Petrova, Alexey Khoroshilov,
Herbert Xu, Sasha Levin
From: Natalia Petrova <n.petrova@fintech.ru>
[ Upstream commit 094528b6a5a755b1195a01e10b13597d67d1a0e6 ]
If alloc_workqueue() fails in nitrox_mbox_init() it deallocates
ndev->iov.vfdev and returns error code, but then nitrox_sriov_init()
calls nitrox_sriov_cleanup() where ndev->iov.vfdev is deallocated
again.
Fix this by nulling ndev->iov.vfdev after the first deallocation.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: 9e5de3e06e54 ("crypto: cavium/nitrox - Add mailbox...")
Signed-off-by: Natalia Petrova <n.petrova@fintech.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/cavium/nitrox/nitrox_mbx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/crypto/cavium/nitrox/nitrox_mbx.c b/drivers/crypto/cavium/nitrox/nitrox_mbx.c
index b51b0449b478..a131dbbbcb86 100644
--- a/drivers/crypto/cavium/nitrox/nitrox_mbx.c
+++ b/drivers/crypto/cavium/nitrox/nitrox_mbx.c
@@ -190,6 +190,7 @@ int nitrox_mbox_init(struct nitrox_device *ndev)
ndev->iov.pf2vf_wq = alloc_workqueue("nitrox_pf2vf", 0, 0);
if (!ndev->iov.pf2vf_wq) {
kfree(ndev->iov.vfdev);
+ ndev->iov.vfdev = NULL;
return -ENOMEM;
}
/* enable pf2vf mailbox interrupts */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 282/783] scsi: core: Fix a race between scsi_done() and scsi_timeout()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 281/783] crypto: nitrox - avoid double free on error path in nitrox_sriov_init() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 283/783] apparmor: Use pointer to struct aa_label for lbs_cred Greg Kroah-Hartman
` (510 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Christie, Keith Busch,
Christoph Hellwig, Ming Lei, John Garry, Hannes Reinecke,
Adrian Hunter, Bart Van Assche, Martin K. Petersen, Sasha Levin
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit 978b7922d3dca672b41bb4b8ce6c06ab77112741 ]
If there is a race between scsi_done() and scsi_timeout() and if
scsi_timeout() loses the race, scsi_timeout() should not reset the request
timer. Hence change the return value for this case from BLK_EH_RESET_TIMER
into BLK_EH_DONE.
Although the block layer holds a reference on a request (req->ref) while
calling a timeout handler, restarting the timer (blk_add_timer()) while a
request is being completed is racy.
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Cc: Keith Busch <kbusch@kernel.org>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: John Garry <john.garry@huawei.com>
Cc: Hannes Reinecke <hare@suse.de>
Reported-by: Adrian Hunter <adrian.hunter@intel.com>
Fixes: 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20221018202958.1902564-2-bvanassche@acm.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_error.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index f11f51e2465f..0c4bc42b55c2 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -306,19 +306,11 @@ enum blk_eh_timer_return scsi_times_out(struct request *req)
if (rtn == BLK_EH_DONE) {
/*
- * Set the command to complete first in order to prevent a real
- * completion from releasing the command while error handling
- * is using it. If the command was already completed, then the
- * lower level driver beat the timeout handler, and it is safe
- * to return without escalating error recovery.
- *
- * If timeout handling lost the race to a real completion, the
- * block layer may ignore that due to a fake timeout injection,
- * so return RESET_TIMER to allow error handling another shot
- * at this command.
+ * If scsi_done() has already set SCMD_STATE_COMPLETE, do not
+ * modify *scmd.
*/
if (test_and_set_bit(SCMD_STATE_COMPLETE, &scmd->state))
- return BLK_EH_RESET_TIMER;
+ return BLK_EH_DONE;
if (scsi_abort_command(scmd) != SUCCESS) {
set_host_byte(scmd, DID_TIME_OUT);
scsi_eh_scmd_add(scmd);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 283/783] apparmor: Use pointer to struct aa_label for lbs_cred
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 282/783] scsi: core: Fix a race between scsi_done() and scsi_timeout() Greg Kroah-Hartman
@ 2023-01-12 13:49 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 284/783] PCI: dwc: Fix n_fts[] array overrun Greg Kroah-Hartman
` (509 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:49 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, John Johansen, Sasha Levin
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit 37923d4321b1e38170086da2c117f78f2b0f49c6 ]
According to the implementations of cred_label() and set_cred_label(),
we should use pointer to struct aa_label for lbs_cred instead of struct
aa_task_ctx, this patch fixes it.
Fixes: bbd3662a8348 ("Infrastructure management of the cred security blob")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/apparmor/lsm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index ffeaee5ed968..585edcc6814d 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1161,10 +1161,10 @@ static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb,
#endif
/*
- * The cred blob is a pointer to, not an instance of, an aa_task_ctx.
+ * The cred blob is a pointer to, not an instance of, an aa_label.
*/
struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
- .lbs_cred = sizeof(struct aa_task_ctx *),
+ .lbs_cred = sizeof(struct aa_label *),
.lbs_file = sizeof(struct aa_file_ctx),
.lbs_task = sizeof(struct aa_task_ctx),
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 284/783] PCI: dwc: Fix n_fts[] array overrun
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2023-01-12 13:49 ` [PATCH 5.10 283/783] apparmor: Use pointer to struct aa_label for lbs_cred Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 285/783] RDMA/core: Fix order of nldev_exit call Greg Kroah-Hartman
` (508 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vidya Sagar, Lorenzo Pieralisi,
Rob Herring, Jingoo Han, Sasha Levin
From: Vidya Sagar <vidyas@nvidia.com>
[ Upstream commit 66110361281b2f7da0c8bd51eaf1f152f4236035 ]
commit aeaa0bfe89654 ("PCI: dwc: Move N_FTS setup to common setup")
incorrectly uses pci->link_gen in deriving the index to the
n_fts[] array also introducing the issue of accessing beyond the
boundaries of array for greater than Gen-2 speeds. This change fixes
that issue.
Link: https://lore.kernel.org/r/20220926111923.22487-1-vidyas@nvidia.com
Fixes: aeaa0bfe8965 ("PCI: dwc: Move N_FTS setup to common setup")
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Reviewed-by: Rob Herring <robh@kernel.org>
Acked-by: Jingoo Han <jingoohan1@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/dwc/pcie-designware.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/controller/dwc/pcie-designware.c b/drivers/pci/controller/dwc/pcie-designware.c
index 2b74ff88c5c5..28945351da14 100644
--- a/drivers/pci/controller/dwc/pcie-designware.c
+++ b/drivers/pci/controller/dwc/pcie-designware.c
@@ -589,7 +589,7 @@ void dw_pcie_setup(struct dw_pcie *pci)
if (pci->n_fts[1]) {
val = dw_pcie_readl_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL);
val &= ~PORT_LOGIC_N_FTS_MASK;
- val |= pci->n_fts[pci->link_gen - 1];
+ val |= pci->n_fts[1];
dw_pcie_writel_dbi(pci, PCIE_LINK_WIDTH_SPEED_CONTROL, val);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 285/783] RDMA/core: Fix order of nldev_exit call
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 284/783] PCI: dwc: Fix n_fts[] array overrun Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 286/783] PCI: pci-epf-test: Register notifier if only core_init_notifier is enabled Greg Kroah-Hartman
` (507 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leon Romanovsky, Leon Romanovsky,
Sasha Levin
From: Leon Romanovsky <leonro@nvidia.com>
[ Upstream commit 4508d32ccced24c972bc4592104513e1ff8439b5 ]
Create symmetrical exit flow by calling to nldev_exit() after
call to rdma_nl_unregister(RDMA_NL_LS).
Fixes: 6c80b41abe22 ("RDMA/netlink: Add nldev initialization flows")
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/64e676774a53a406f4cde265d5a4cfd6b8e97df9.1666683334.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c
index d91892ffe243..5b7abcf102fe 100644
--- a/drivers/infiniband/core/device.c
+++ b/drivers/infiniband/core/device.c
@@ -2793,8 +2793,8 @@ static int __init ib_core_init(void)
static void __exit ib_core_cleanup(void)
{
roce_gid_mgmt_cleanup();
- nldev_exit();
rdma_nl_unregister(RDMA_NL_LS);
+ nldev_exit();
unregister_pernet_device(&rdma_dev_net_ops);
unregister_blocking_lsm_notifier(&ibdev_lsm_nb);
ib_sa_cleanup();
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 286/783] PCI: pci-epf-test: Register notifier if only core_init_notifier is enabled
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 285/783] RDMA/core: Fix order of nldev_exit call Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 287/783] f2fs: Fix the race condition of resize flag between resizefs Greg Kroah-Hartman
` (506 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kunihiko Hayashi, Lorenzo Pieralisi,
Om Prakash Singh, Kishon Vijay Abraham I, Sasha Levin
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
[ Upstream commit 6acd25cc98ce0c9ee4fefdaf44fc8bca534b26e5 ]
The pci_epf_test_notifier function should be installed also if only
core_init_notifier is enabled. Fix the current logic.
Link: https://lore.kernel.org/r/20220825090101.20474-1-hayashi.kunihiko@socionext.com
Fixes: 5e50ee27d4a5 ("PCI: pci-epf-test: Add support to defer core initialization")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Signed-off-by: Lorenzo Pieralisi <lpieralisi@kernel.org>
Acked-by: Om Prakash Singh <omp@nvidia.com>
Acked-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/endpoint/functions/pci-epf-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c
index ddfeca9016a0..ef52f5097eb3 100644
--- a/drivers/pci/endpoint/functions/pci-epf-test.c
+++ b/drivers/pci/endpoint/functions/pci-epf-test.c
@@ -870,7 +870,7 @@ static int pci_epf_test_bind(struct pci_epf *epf)
if (ret)
epf_test->dma_supported = false;
- if (linkup_notifier) {
+ if (linkup_notifier || core_init_notifier) {
epf->nb.notifier_call = pci_epf_test_notifier;
pci_epc_register_notifier(epc, &epf->nb);
} else {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 287/783] f2fs: Fix the race condition of resize flag between resizefs
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 286/783] PCI: pci-epf-test: Register notifier if only core_init_notifier is enabled Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 288/783] crypto: rockchip - do not do custom power management Greg Kroah-Hartman
` (505 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Xiaoxu, Zhang Qilong, Chao Yu,
Jaegeuk Kim, Sasha Levin
From: Zhang Qilong <zhangqilong3@huawei.com>
[ Upstream commit 28fc4e9077ce59ab28c89c20dc6be5154473218f ]
Because the set/clear SBI_IS_RESIZEFS flag not between any locks,
In the following case:
thread1 thread2
->ioctl(resizefs)
->set RESIZEFS flag ->ioctl(resizefs)
... ->set RESIZEFS flag
->clear RESIZEFS flag
->resizefs stream
# No RESIZEFS flag in the stream
Also before freeze_super, the resizefs not started, we should not set
the SBI_IS_RESIZEFS flag.
So move the set/clear SBI_IS_RESIZEFS flag between the cp_mutex and
gc_lock.
Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/gc.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index 3baa62ef6e3a..5ac0b605335f 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -2035,8 +2035,6 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count)
if (err)
return err;
- set_sbi_flag(sbi, SBI_IS_RESIZEFS);
-
freeze_super(sbi->sb);
down_write(&sbi->gc_lock);
mutex_lock(&sbi->cp_mutex);
@@ -2052,6 +2050,7 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count)
if (err)
goto out_err;
+ set_sbi_flag(sbi, SBI_IS_RESIZEFS);
err = free_segment_range(sbi, secs, false);
if (err)
goto recover_out;
@@ -2075,6 +2074,7 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count)
f2fs_commit_super(sbi, false);
}
recover_out:
+ clear_sbi_flag(sbi, SBI_IS_RESIZEFS);
if (err) {
set_sbi_flag(sbi, SBI_NEED_FSCK);
f2fs_err(sbi, "resize_fs failed, should run fsck to repair!");
@@ -2087,6 +2087,5 @@ int f2fs_resize_fs(struct f2fs_sb_info *sbi, __u64 block_count)
mutex_unlock(&sbi->cp_mutex);
up_write(&sbi->gc_lock);
thaw_super(sbi->sb);
- clear_sbi_flag(sbi, SBI_IS_RESIZEFS);
return err;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 288/783] crypto: rockchip - do not do custom power management
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 287/783] f2fs: Fix the race condition of resize flag between resizefs Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 289/783] crypto: rockchip - do not store mode globally Greg Kroah-Hartman
` (504 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Keeping, Corentin Labbe,
Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit c50ef1411c8cbad0c7db100c477126076b6e3348 ]
The clock enable/disable at tfm init/exit is fragile,
if 2 tfm are init in the same time and one is removed just after,
it will leave the hardware uncloked even if a user remains.
Instead simply enable clocks at probe time.
We will do PM later.
Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
Reviewed-by: John Keeping <john@metanate.com>
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/rockchip/rk3288_crypto.c | 4 ++--
drivers/crypto/rockchip/rk3288_crypto.h | 2 --
drivers/crypto/rockchip/rk3288_crypto_ahash.c | 3 +--
drivers/crypto/rockchip/rk3288_crypto_skcipher.c | 5 +++--
4 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/drivers/crypto/rockchip/rk3288_crypto.c b/drivers/crypto/rockchip/rk3288_crypto.c
index 35d73061d156..5f8444b9633a 100644
--- a/drivers/crypto/rockchip/rk3288_crypto.c
+++ b/drivers/crypto/rockchip/rk3288_crypto.c
@@ -395,8 +395,7 @@ static int rk_crypto_probe(struct platform_device *pdev)
rk_crypto_done_task_cb, (unsigned long)crypto_info);
crypto_init_queue(&crypto_info->queue, 50);
- crypto_info->enable_clk = rk_crypto_enable_clk;
- crypto_info->disable_clk = rk_crypto_disable_clk;
+ rk_crypto_enable_clk(crypto_info);
crypto_info->load_data = rk_load_data;
crypto_info->unload_data = rk_unload_data;
crypto_info->enqueue = rk_crypto_enqueue;
@@ -423,6 +422,7 @@ static int rk_crypto_remove(struct platform_device *pdev)
struct rk_crypto_info *crypto_tmp = platform_get_drvdata(pdev);
rk_crypto_unregister();
+ rk_crypto_disable_clk(crypto_tmp);
tasklet_kill(&crypto_tmp->done_task);
tasklet_kill(&crypto_tmp->queue_task);
return 0;
diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
index 3db595570c9c..39ffcd630760 100644
--- a/drivers/crypto/rockchip/rk3288_crypto.h
+++ b/drivers/crypto/rockchip/rk3288_crypto.h
@@ -219,8 +219,6 @@ struct rk_crypto_info {
int (*start)(struct rk_crypto_info *dev);
int (*update)(struct rk_crypto_info *dev);
void (*complete)(struct crypto_async_request *base, int err);
- int (*enable_clk)(struct rk_crypto_info *dev);
- void (*disable_clk)(struct rk_crypto_info *dev);
int (*load_data)(struct rk_crypto_info *dev,
struct scatterlist *sg_src,
struct scatterlist *sg_dst);
diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
index 81befe7febaa..9583310a69d5 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
@@ -301,7 +301,7 @@ static int rk_cra_hash_init(struct crypto_tfm *tfm)
sizeof(struct rk_ahash_rctx) +
crypto_ahash_reqsize(tctx->fallback_tfm));
- return tctx->dev->enable_clk(tctx->dev);
+ return 0;
}
static void rk_cra_hash_exit(struct crypto_tfm *tfm)
@@ -309,7 +309,6 @@ static void rk_cra_hash_exit(struct crypto_tfm *tfm)
struct rk_ahash_ctx *tctx = crypto_tfm_ctx(tfm);
free_page((unsigned long)tctx->dev->addr_vir);
- return tctx->dev->disable_clk(tctx->dev);
}
struct rk_crypto_tmp rk_ahash_sha1 = {
diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
index 5bbf0d2722e1..8c44a19eab75 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
@@ -388,8 +388,10 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
ctx->dev->update = rk_ablk_rx;
ctx->dev->complete = rk_crypto_complete;
ctx->dev->addr_vir = (char *)__get_free_page(GFP_KERNEL);
+ if (!ctx->dev->addr_vir)
+ return -ENOMEM;
- return ctx->dev->addr_vir ? ctx->dev->enable_clk(ctx->dev) : -ENOMEM;
+ return 0;
}
static void rk_ablk_exit_tfm(struct crypto_skcipher *tfm)
@@ -397,7 +399,6 @@ static void rk_ablk_exit_tfm(struct crypto_skcipher *tfm)
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
free_page((unsigned long)ctx->dev->addr_vir);
- ctx->dev->disable_clk(ctx->dev);
}
struct rk_crypto_tmp rk_ecb_aes_alg = {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 289/783] crypto: rockchip - do not store mode globally
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 288/783] crypto: rockchip - do not do custom power management Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 290/783] crypto: rockchip - add fallback for cipher Greg Kroah-Hartman
` (503 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Keeping, Corentin Labbe,
Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit 87e356c4966444866186f68f05832fdcc0f351a3 ]
Storing the mode globally does not work if 2 requests are handled in the
same time.
We should store it in a request context.
Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
Reviewed-by: John Keeping <john@metanate.com>
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/rockchip/rk3288_crypto.h | 5 +-
.../crypto/rockchip/rk3288_crypto_skcipher.c | 58 ++++++++++++-------
2 files changed, 41 insertions(+), 22 deletions(-)
diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
index 39ffcd630760..65b9b58bb304 100644
--- a/drivers/crypto/rockchip/rk3288_crypto.h
+++ b/drivers/crypto/rockchip/rk3288_crypto.h
@@ -244,10 +244,13 @@ struct rk_ahash_rctx {
struct rk_cipher_ctx {
struct rk_crypto_info *dev;
unsigned int keylen;
- u32 mode;
u8 iv[AES_BLOCK_SIZE];
};
+struct rk_cipher_rctx {
+ u32 mode;
+};
+
enum alg_type {
ALG_TYPE_HASH,
ALG_TYPE_CIPHER,
diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
index 8c44a19eab75..bbd0bf52bf07 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
@@ -76,9 +76,10 @@ static int rk_aes_ecb_encrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_AES_ECB_MODE;
+ rctx->mode = RK_CRYPTO_AES_ECB_MODE;
return rk_handle_req(dev, req);
}
@@ -86,9 +87,10 @@ static int rk_aes_ecb_decrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_AES_ECB_MODE | RK_CRYPTO_DEC;
+ rctx->mode = RK_CRYPTO_AES_ECB_MODE | RK_CRYPTO_DEC;
return rk_handle_req(dev, req);
}
@@ -96,9 +98,10 @@ static int rk_aes_cbc_encrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_AES_CBC_MODE;
+ rctx->mode = RK_CRYPTO_AES_CBC_MODE;
return rk_handle_req(dev, req);
}
@@ -106,9 +109,10 @@ static int rk_aes_cbc_decrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_AES_CBC_MODE | RK_CRYPTO_DEC;
+ rctx->mode = RK_CRYPTO_AES_CBC_MODE | RK_CRYPTO_DEC;
return rk_handle_req(dev, req);
}
@@ -116,9 +120,10 @@ static int rk_des_ecb_encrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = 0;
+ rctx->mode = 0;
return rk_handle_req(dev, req);
}
@@ -126,9 +131,10 @@ static int rk_des_ecb_decrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_DEC;
+ rctx->mode = RK_CRYPTO_DEC;
return rk_handle_req(dev, req);
}
@@ -136,9 +142,10 @@ static int rk_des_cbc_encrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_TDES_CHAINMODE_CBC;
+ rctx->mode = RK_CRYPTO_TDES_CHAINMODE_CBC;
return rk_handle_req(dev, req);
}
@@ -146,9 +153,10 @@ static int rk_des_cbc_decrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_TDES_CHAINMODE_CBC | RK_CRYPTO_DEC;
+ rctx->mode = RK_CRYPTO_TDES_CHAINMODE_CBC | RK_CRYPTO_DEC;
return rk_handle_req(dev, req);
}
@@ -156,9 +164,10 @@ static int rk_des3_ede_ecb_encrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_TDES_SELECT;
+ rctx->mode = RK_CRYPTO_TDES_SELECT;
return rk_handle_req(dev, req);
}
@@ -166,9 +175,10 @@ static int rk_des3_ede_ecb_decrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_DEC;
+ rctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_DEC;
return rk_handle_req(dev, req);
}
@@ -176,9 +186,10 @@ static int rk_des3_ede_cbc_encrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_TDES_CHAINMODE_CBC;
+ rctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_TDES_CHAINMODE_CBC;
return rk_handle_req(dev, req);
}
@@ -186,9 +197,10 @@ static int rk_des3_ede_cbc_decrypt(struct skcipher_request *req)
{
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_crypto_info *dev = ctx->dev;
- ctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_TDES_CHAINMODE_CBC |
+ rctx->mode = RK_CRYPTO_TDES_SELECT | RK_CRYPTO_TDES_CHAINMODE_CBC |
RK_CRYPTO_DEC;
return rk_handle_req(dev, req);
}
@@ -199,6 +211,7 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
skcipher_request_cast(dev->async_req);
struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(cipher);
u32 ivsize, block, conf_reg = 0;
@@ -206,22 +219,22 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
ivsize = crypto_skcipher_ivsize(cipher);
if (block == DES_BLOCK_SIZE) {
- ctx->mode |= RK_CRYPTO_TDES_FIFO_MODE |
+ rctx->mode |= RK_CRYPTO_TDES_FIFO_MODE |
RK_CRYPTO_TDES_BYTESWAP_KEY |
RK_CRYPTO_TDES_BYTESWAP_IV;
- CRYPTO_WRITE(dev, RK_CRYPTO_TDES_CTRL, ctx->mode);
+ CRYPTO_WRITE(dev, RK_CRYPTO_TDES_CTRL, rctx->mode);
memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, req->iv, ivsize);
conf_reg = RK_CRYPTO_DESSEL;
} else {
- ctx->mode |= RK_CRYPTO_AES_FIFO_MODE |
+ rctx->mode |= RK_CRYPTO_AES_FIFO_MODE |
RK_CRYPTO_AES_KEY_CHANGE |
RK_CRYPTO_AES_BYTESWAP_KEY |
RK_CRYPTO_AES_BYTESWAP_IV;
if (ctx->keylen == AES_KEYSIZE_192)
- ctx->mode |= RK_CRYPTO_AES_192BIT_key;
+ rctx->mode |= RK_CRYPTO_AES_192BIT_key;
else if (ctx->keylen == AES_KEYSIZE_256)
- ctx->mode |= RK_CRYPTO_AES_256BIT_key;
- CRYPTO_WRITE(dev, RK_CRYPTO_AES_CTRL, ctx->mode);
+ rctx->mode |= RK_CRYPTO_AES_256BIT_key;
+ CRYPTO_WRITE(dev, RK_CRYPTO_AES_CTRL, rctx->mode);
memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, req->iv, ivsize);
}
conf_reg |= RK_CRYPTO_BYTESWAP_BTFIFO |
@@ -246,6 +259,7 @@ static int rk_set_data_start(struct rk_crypto_info *dev)
struct skcipher_request *req =
skcipher_request_cast(dev->async_req);
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
u32 ivsize = crypto_skcipher_ivsize(tfm);
u8 *src_last_blk = page_address(sg_page(dev->sg_src)) +
@@ -254,7 +268,7 @@ static int rk_set_data_start(struct rk_crypto_info *dev)
/* Store the iv that need to be updated in chain mode.
* And update the IV buffer to contain the next IV for decryption mode.
*/
- if (ctx->mode & RK_CRYPTO_DEC) {
+ if (rctx->mode & RK_CRYPTO_DEC) {
memcpy(ctx->iv, src_last_blk, ivsize);
sg_pcopy_to_buffer(dev->first, dev->src_nents, req->iv,
ivsize, dev->total - ivsize);
@@ -294,11 +308,12 @@ static void rk_iv_copyback(struct rk_crypto_info *dev)
struct skcipher_request *req =
skcipher_request_cast(dev->async_req);
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
u32 ivsize = crypto_skcipher_ivsize(tfm);
/* Update the IV buffer to contain the next IV for encryption mode. */
- if (!(ctx->mode & RK_CRYPTO_DEC)) {
+ if (!(rctx->mode & RK_CRYPTO_DEC)) {
if (dev->aligned) {
memcpy(req->iv, sg_virt(dev->sg_dst) +
dev->sg_dst->length - ivsize, ivsize);
@@ -314,11 +329,12 @@ static void rk_update_iv(struct rk_crypto_info *dev)
struct skcipher_request *req =
skcipher_request_cast(dev->async_req);
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
u32 ivsize = crypto_skcipher_ivsize(tfm);
u8 *new_iv = NULL;
- if (ctx->mode & RK_CRYPTO_DEC) {
+ if (rctx->mode & RK_CRYPTO_DEC) {
new_iv = ctx->iv;
} else {
new_iv = page_address(sg_page(dev->sg_dst)) +
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 290/783] crypto: rockchip - add fallback for cipher
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 289/783] crypto: rockchip - do not store mode globally Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 291/783] crypto: rockchip - add fallback for ahash Greg Kroah-Hartman
` (502 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Keeping, Corentin Labbe,
Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit 68ef8af09a1a912a5ed2cfaa4cca7606f52cef90 ]
The hardware does not handle 0 size length request, let's add a
fallback.
Furthermore fallback will be used for all unaligned case the hardware
cannot handle.
Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
Reviewed-by: John Keeping <john@metanate.com>
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/Kconfig | 4 +
drivers/crypto/rockchip/rk3288_crypto.h | 2 +
.../crypto/rockchip/rk3288_crypto_skcipher.c | 97 ++++++++++++++++---
3 files changed, 90 insertions(+), 13 deletions(-)
diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
index ff5e85eefbf6..8aa8b330df70 100644
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -749,6 +749,10 @@ config CRYPTO_DEV_IMGTEC_HASH
config CRYPTO_DEV_ROCKCHIP
tristate "Rockchip's Cryptographic Engine driver"
depends on OF && ARCH_ROCKCHIP
+ depends on PM
+ select CRYPTO_ECB
+ select CRYPTO_CBC
+ select CRYPTO_DES
select CRYPTO_AES
select CRYPTO_LIB_DES
select CRYPTO_MD5
diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
index 65b9b58bb304..027e28f60843 100644
--- a/drivers/crypto/rockchip/rk3288_crypto.h
+++ b/drivers/crypto/rockchip/rk3288_crypto.h
@@ -245,10 +245,12 @@ struct rk_cipher_ctx {
struct rk_crypto_info *dev;
unsigned int keylen;
u8 iv[AES_BLOCK_SIZE];
+ struct crypto_skcipher *fallback_tfm;
};
struct rk_cipher_rctx {
u32 mode;
+ struct skcipher_request fallback_req; // keep at the end
};
enum alg_type {
diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
index bbd0bf52bf07..eac5bba66e25 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
@@ -13,6 +13,63 @@
#define RK_CRYPTO_DEC BIT(0)
+static int rk_cipher_need_fallback(struct skcipher_request *req)
+{
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
+ unsigned int bs = crypto_skcipher_blocksize(tfm);
+ struct scatterlist *sgs, *sgd;
+ unsigned int stodo, dtodo, len;
+
+ if (!req->cryptlen)
+ return true;
+
+ len = req->cryptlen;
+ sgs = req->src;
+ sgd = req->dst;
+ while (sgs && sgd) {
+ if (!IS_ALIGNED(sgs->offset, sizeof(u32))) {
+ return true;
+ }
+ if (!IS_ALIGNED(sgd->offset, sizeof(u32))) {
+ return true;
+ }
+ stodo = min(len, sgs->length);
+ if (stodo % bs) {
+ return true;
+ }
+ dtodo = min(len, sgd->length);
+ if (dtodo % bs) {
+ return true;
+ }
+ if (stodo != dtodo) {
+ return true;
+ }
+ len -= stodo;
+ sgs = sg_next(sgs);
+ sgd = sg_next(sgd);
+ }
+ return false;
+}
+
+static int rk_cipher_fallback(struct skcipher_request *areq)
+{
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(areq);
+ struct rk_cipher_ctx *op = crypto_skcipher_ctx(tfm);
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(areq);
+ int err;
+
+ skcipher_request_set_tfm(&rctx->fallback_req, op->fallback_tfm);
+ skcipher_request_set_callback(&rctx->fallback_req, areq->base.flags,
+ areq->base.complete, areq->base.data);
+ skcipher_request_set_crypt(&rctx->fallback_req, areq->src, areq->dst,
+ areq->cryptlen, areq->iv);
+ if (rctx->mode & RK_CRYPTO_DEC)
+ err = crypto_skcipher_decrypt(&rctx->fallback_req);
+ else
+ err = crypto_skcipher_encrypt(&rctx->fallback_req);
+ return err;
+}
+
static void rk_crypto_complete(struct crypto_async_request *base, int err)
{
if (base->complete)
@@ -22,10 +79,10 @@ static void rk_crypto_complete(struct crypto_async_request *base, int err)
static int rk_handle_req(struct rk_crypto_info *dev,
struct skcipher_request *req)
{
- if (!IS_ALIGNED(req->cryptlen, dev->align_size))
- return -EINVAL;
- else
- return dev->enqueue(dev, &req->base);
+ if (rk_cipher_need_fallback(req))
+ return rk_cipher_fallback(req);
+
+ return dev->enqueue(dev, &req->base);
}
static int rk_aes_setkey(struct crypto_skcipher *cipher,
@@ -39,7 +96,8 @@ static int rk_aes_setkey(struct crypto_skcipher *cipher,
return -EINVAL;
ctx->keylen = keylen;
memcpy_toio(ctx->dev->reg + RK_CRYPTO_AES_KEY_0, key, keylen);
- return 0;
+
+ return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
}
static int rk_des_setkey(struct crypto_skcipher *cipher,
@@ -54,7 +112,8 @@ static int rk_des_setkey(struct crypto_skcipher *cipher,
ctx->keylen = keylen;
memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, key, keylen);
- return 0;
+
+ return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
}
static int rk_tdes_setkey(struct crypto_skcipher *cipher,
@@ -69,7 +128,7 @@ static int rk_tdes_setkey(struct crypto_skcipher *cipher,
ctx->keylen = keylen;
memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, key, keylen);
- return 0;
+ return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
}
static int rk_aes_ecb_encrypt(struct skcipher_request *req)
@@ -394,6 +453,7 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
{
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
+ const char *name = crypto_tfm_alg_name(&tfm->base);
struct rk_crypto_tmp *algt;
algt = container_of(alg, struct rk_crypto_tmp, alg.skcipher);
@@ -407,6 +467,16 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
if (!ctx->dev->addr_vir)
return -ENOMEM;
+ ctx->fallback_tfm = crypto_alloc_skcipher(name, 0, CRYPTO_ALG_NEED_FALLBACK);
+ if (IS_ERR(ctx->fallback_tfm)) {
+ dev_err(ctx->dev->dev, "ERROR: Cannot allocate fallback for %s %ld\n",
+ name, PTR_ERR(ctx->fallback_tfm));
+ return PTR_ERR(ctx->fallback_tfm);
+ }
+
+ tfm->reqsize = sizeof(struct rk_cipher_rctx) +
+ crypto_skcipher_reqsize(ctx->fallback_tfm);
+
return 0;
}
@@ -415,6 +485,7 @@ static void rk_ablk_exit_tfm(struct crypto_skcipher *tfm)
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
free_page((unsigned long)ctx->dev->addr_vir);
+ crypto_free_skcipher(ctx->fallback_tfm);
}
struct rk_crypto_tmp rk_ecb_aes_alg = {
@@ -423,7 +494,7 @@ struct rk_crypto_tmp rk_ecb_aes_alg = {
.base.cra_name = "ecb(aes)",
.base.cra_driver_name = "ecb-aes-rk",
.base.cra_priority = 300,
- .base.cra_flags = CRYPTO_ALG_ASYNC,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
.base.cra_blocksize = AES_BLOCK_SIZE,
.base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
.base.cra_alignmask = 0x0f,
@@ -445,7 +516,7 @@ struct rk_crypto_tmp rk_cbc_aes_alg = {
.base.cra_name = "cbc(aes)",
.base.cra_driver_name = "cbc-aes-rk",
.base.cra_priority = 300,
- .base.cra_flags = CRYPTO_ALG_ASYNC,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
.base.cra_blocksize = AES_BLOCK_SIZE,
.base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
.base.cra_alignmask = 0x0f,
@@ -468,7 +539,7 @@ struct rk_crypto_tmp rk_ecb_des_alg = {
.base.cra_name = "ecb(des)",
.base.cra_driver_name = "ecb-des-rk",
.base.cra_priority = 300,
- .base.cra_flags = CRYPTO_ALG_ASYNC,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
.base.cra_blocksize = DES_BLOCK_SIZE,
.base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
.base.cra_alignmask = 0x07,
@@ -490,7 +561,7 @@ struct rk_crypto_tmp rk_cbc_des_alg = {
.base.cra_name = "cbc(des)",
.base.cra_driver_name = "cbc-des-rk",
.base.cra_priority = 300,
- .base.cra_flags = CRYPTO_ALG_ASYNC,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
.base.cra_blocksize = DES_BLOCK_SIZE,
.base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
.base.cra_alignmask = 0x07,
@@ -513,7 +584,7 @@ struct rk_crypto_tmp rk_ecb_des3_ede_alg = {
.base.cra_name = "ecb(des3_ede)",
.base.cra_driver_name = "ecb-des3-ede-rk",
.base.cra_priority = 300,
- .base.cra_flags = CRYPTO_ALG_ASYNC,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
.base.cra_blocksize = DES_BLOCK_SIZE,
.base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
.base.cra_alignmask = 0x07,
@@ -535,7 +606,7 @@ struct rk_crypto_tmp rk_cbc_des3_ede_alg = {
.base.cra_name = "cbc(des3_ede)",
.base.cra_driver_name = "cbc-des3-ede-rk",
.base.cra_priority = 300,
- .base.cra_flags = CRYPTO_ALG_ASYNC,
+ .base.cra_flags = CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK,
.base.cra_blocksize = DES_BLOCK_SIZE,
.base.cra_ctxsize = sizeof(struct rk_cipher_ctx),
.base.cra_alignmask = 0x07,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 291/783] crypto: rockchip - add fallback for ahash
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 290/783] crypto: rockchip - add fallback for cipher Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 292/783] crypto: rockchip - better handle cipher key Greg Kroah-Hartman
` (501 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Keeping, Corentin Labbe,
Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit 816600485cb597b3ff7d6806a95a78512839f775 ]
Adds a fallback for all case hardware cannot handle.
Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
Reviewed-by: John Keeping <john@metanate.com>
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/rockchip/rk3288_crypto_ahash.c | 38 +++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
index 9583310a69d5..f917adc4a608 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
@@ -16,6 +16,40 @@
* so we put the fixed hash out when met zero message.
*/
+static bool rk_ahash_need_fallback(struct ahash_request *req)
+{
+ struct scatterlist *sg;
+
+ sg = req->src;
+ while (sg) {
+ if (!IS_ALIGNED(sg->offset, sizeof(u32))) {
+ return true;
+ }
+ if (sg->length % 4) {
+ return true;
+ }
+ sg = sg_next(sg);
+ }
+ return false;
+}
+
+static int rk_ahash_digest_fb(struct ahash_request *areq)
+{
+ struct rk_ahash_rctx *rctx = ahash_request_ctx(areq);
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
+ struct rk_ahash_ctx *tfmctx = crypto_ahash_ctx(tfm);
+
+ ahash_request_set_tfm(&rctx->fallback_req, tfmctx->fallback_tfm);
+ rctx->fallback_req.base.flags = areq->base.flags &
+ CRYPTO_TFM_REQ_MAY_SLEEP;
+
+ rctx->fallback_req.nbytes = areq->nbytes;
+ rctx->fallback_req.src = areq->src;
+ rctx->fallback_req.result = areq->result;
+
+ return crypto_ahash_digest(&rctx->fallback_req);
+}
+
static int zero_message_process(struct ahash_request *req)
{
struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
@@ -167,6 +201,9 @@ static int rk_ahash_digest(struct ahash_request *req)
struct rk_ahash_ctx *tctx = crypto_tfm_ctx(req->base.tfm);
struct rk_crypto_info *dev = tctx->dev;
+ if (rk_ahash_need_fallback(req))
+ return rk_ahash_digest_fb(req);
+
if (!req->nbytes)
return zero_message_process(req);
else
@@ -309,6 +346,7 @@ static void rk_cra_hash_exit(struct crypto_tfm *tfm)
struct rk_ahash_ctx *tctx = crypto_tfm_ctx(tfm);
free_page((unsigned long)tctx->dev->addr_vir);
+ crypto_free_ahash(tctx->fallback_tfm);
}
struct rk_crypto_tmp rk_ahash_sha1 = {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 292/783] crypto: rockchip - better handle cipher key
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 291/783] crypto: rockchip - add fallback for ahash Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 293/783] crypto: rockchip - remove non-aligned handling Greg Kroah-Hartman
` (500 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Keeping, Corentin Labbe,
Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit d6b23ccef82816050c2fd458c9dabfa0e0af09b9 ]
The key should not be set in hardware too much in advance, this will
fail it 2 TFM with different keys generate alternative requests.
The key should be stored and used just before doing cipher operations.
Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
Reviewed-by: John Keeping <john@metanate.com>
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/rockchip/rk3288_crypto.h | 1 +
drivers/crypto/rockchip/rk3288_crypto_skcipher.c | 10 +++++++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
index 027e28f60843..1eabf3952a03 100644
--- a/drivers/crypto/rockchip/rk3288_crypto.h
+++ b/drivers/crypto/rockchip/rk3288_crypto.h
@@ -244,6 +244,7 @@ struct rk_ahash_rctx {
struct rk_cipher_ctx {
struct rk_crypto_info *dev;
unsigned int keylen;
+ u8 key[AES_MAX_KEY_SIZE];
u8 iv[AES_BLOCK_SIZE];
struct crypto_skcipher *fallback_tfm;
};
diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
index eac5bba66e25..1ef94f8db2c5 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
@@ -95,7 +95,7 @@ static int rk_aes_setkey(struct crypto_skcipher *cipher,
keylen != AES_KEYSIZE_256)
return -EINVAL;
ctx->keylen = keylen;
- memcpy_toio(ctx->dev->reg + RK_CRYPTO_AES_KEY_0, key, keylen);
+ memcpy(ctx->key, key, keylen);
return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
}
@@ -111,7 +111,7 @@ static int rk_des_setkey(struct crypto_skcipher *cipher,
return err;
ctx->keylen = keylen;
- memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, key, keylen);
+ memcpy(ctx->key, key, keylen);
return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
}
@@ -127,7 +127,8 @@ static int rk_tdes_setkey(struct crypto_skcipher *cipher,
return err;
ctx->keylen = keylen;
- memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, key, keylen);
+ memcpy(ctx->key, key, keylen);
+
return crypto_skcipher_setkey(ctx->fallback_tfm, key, keylen);
}
@@ -283,6 +284,7 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
RK_CRYPTO_TDES_BYTESWAP_IV;
CRYPTO_WRITE(dev, RK_CRYPTO_TDES_CTRL, rctx->mode);
memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, req->iv, ivsize);
+ memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, ctx->key, ctx->keylen);
conf_reg = RK_CRYPTO_DESSEL;
} else {
rctx->mode |= RK_CRYPTO_AES_FIFO_MODE |
@@ -295,6 +297,7 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
rctx->mode |= RK_CRYPTO_AES_256BIT_key;
CRYPTO_WRITE(dev, RK_CRYPTO_AES_CTRL, rctx->mode);
memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, req->iv, ivsize);
+ memcpy_toio(ctx->dev->reg + RK_CRYPTO_AES_KEY_0, ctx->key, ctx->keylen);
}
conf_reg |= RK_CRYPTO_BYTESWAP_BTFIFO |
RK_CRYPTO_BYTESWAP_BRFIFO;
@@ -484,6 +487,7 @@ static void rk_ablk_exit_tfm(struct crypto_skcipher *tfm)
{
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
+ memzero_explicit(ctx->key, ctx->keylen);
free_page((unsigned long)ctx->dev->addr_vir);
crypto_free_skcipher(ctx->fallback_tfm);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 293/783] crypto: rockchip - remove non-aligned handling
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 292/783] crypto: rockchip - better handle cipher key Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 294/783] crypto: rockchip - delete unneeded variable initialization Greg Kroah-Hartman
` (499 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Keeping, Corentin Labbe,
Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit bb3c7b73363c9a149b12b74c44ae94b73a8fddf8 ]
Now driver have fallback for un-aligned cases, remove all code handling
those cases.
Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
Reviewed-by: John Keeping <john@metanate.com>
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/rockchip/rk3288_crypto.c | 69 +++++--------------
drivers/crypto/rockchip/rk3288_crypto.h | 4 --
drivers/crypto/rockchip/rk3288_crypto_ahash.c | 22 ++----
.../crypto/rockchip/rk3288_crypto_skcipher.c | 39 +++--------
4 files changed, 31 insertions(+), 103 deletions(-)
diff --git a/drivers/crypto/rockchip/rk3288_crypto.c b/drivers/crypto/rockchip/rk3288_crypto.c
index 5f8444b9633a..31453257ab11 100644
--- a/drivers/crypto/rockchip/rk3288_crypto.c
+++ b/drivers/crypto/rockchip/rk3288_crypto.c
@@ -88,63 +88,26 @@ static int rk_load_data(struct rk_crypto_info *dev,
{
unsigned int count;
- dev->aligned = dev->aligned ?
- check_alignment(sg_src, sg_dst, dev->align_size) :
- dev->aligned;
- if (dev->aligned) {
- count = min(dev->left_bytes, sg_src->length);
- dev->left_bytes -= count;
-
- if (!dma_map_sg(dev->dev, sg_src, 1, DMA_TO_DEVICE)) {
- dev_err(dev->dev, "[%s:%d] dma_map_sg(src) error\n",
+ count = min(dev->left_bytes, sg_src->length);
+ dev->left_bytes -= count;
+
+ if (!dma_map_sg(dev->dev, sg_src, 1, DMA_TO_DEVICE)) {
+ dev_err(dev->dev, "[%s:%d] dma_map_sg(src) error\n",
__func__, __LINE__);
- return -EINVAL;
- }
- dev->addr_in = sg_dma_address(sg_src);
+ return -EINVAL;
+ }
+ dev->addr_in = sg_dma_address(sg_src);
- if (sg_dst) {
- if (!dma_map_sg(dev->dev, sg_dst, 1, DMA_FROM_DEVICE)) {
- dev_err(dev->dev,
+ if (sg_dst) {
+ if (!dma_map_sg(dev->dev, sg_dst, 1, DMA_FROM_DEVICE)) {
+ dev_err(dev->dev,
"[%s:%d] dma_map_sg(dst) error\n",
__func__, __LINE__);
- dma_unmap_sg(dev->dev, sg_src, 1,
- DMA_TO_DEVICE);
- return -EINVAL;
- }
- dev->addr_out = sg_dma_address(sg_dst);
- }
- } else {
- count = (dev->left_bytes > PAGE_SIZE) ?
- PAGE_SIZE : dev->left_bytes;
-
- if (!sg_pcopy_to_buffer(dev->first, dev->src_nents,
- dev->addr_vir, count,
- dev->total - dev->left_bytes)) {
- dev_err(dev->dev, "[%s:%d] pcopy err\n",
- __func__, __LINE__);
+ dma_unmap_sg(dev->dev, sg_src, 1,
+ DMA_TO_DEVICE);
return -EINVAL;
}
- dev->left_bytes -= count;
- sg_init_one(&dev->sg_tmp, dev->addr_vir, count);
- if (!dma_map_sg(dev->dev, &dev->sg_tmp, 1, DMA_TO_DEVICE)) {
- dev_err(dev->dev, "[%s:%d] dma_map_sg(sg_tmp) error\n",
- __func__, __LINE__);
- return -ENOMEM;
- }
- dev->addr_in = sg_dma_address(&dev->sg_tmp);
-
- if (sg_dst) {
- if (!dma_map_sg(dev->dev, &dev->sg_tmp, 1,
- DMA_FROM_DEVICE)) {
- dev_err(dev->dev,
- "[%s:%d] dma_map_sg(sg_tmp) error\n",
- __func__, __LINE__);
- dma_unmap_sg(dev->dev, &dev->sg_tmp, 1,
- DMA_TO_DEVICE);
- return -ENOMEM;
- }
- dev->addr_out = sg_dma_address(&dev->sg_tmp);
- }
+ dev->addr_out = sg_dma_address(sg_dst);
}
dev->count = count;
return 0;
@@ -154,11 +117,11 @@ static void rk_unload_data(struct rk_crypto_info *dev)
{
struct scatterlist *sg_in, *sg_out;
- sg_in = dev->aligned ? dev->sg_src : &dev->sg_tmp;
+ sg_in = dev->sg_src;
dma_unmap_sg(dev->dev, sg_in, 1, DMA_TO_DEVICE);
if (dev->sg_dst) {
- sg_out = dev->aligned ? dev->sg_dst : &dev->sg_tmp;
+ sg_out = dev->sg_dst;
dma_unmap_sg(dev->dev, sg_out, 1, DMA_FROM_DEVICE);
}
}
diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
index 1eabf3952a03..acaf6f875d0b 100644
--- a/drivers/crypto/rockchip/rk3288_crypto.h
+++ b/drivers/crypto/rockchip/rk3288_crypto.h
@@ -203,12 +203,8 @@ struct rk_crypto_info {
/* the public variable */
struct scatterlist *sg_src;
struct scatterlist *sg_dst;
- struct scatterlist sg_tmp;
struct scatterlist *first;
unsigned int left_bytes;
- void *addr_vir;
- int aligned;
- int align_size;
size_t src_nents;
size_t dst_nents;
unsigned int total;
diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
index f917adc4a608..f1d482ecc195 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
@@ -236,8 +236,6 @@ static int rk_ahash_start(struct rk_crypto_info *dev)
dev->total = req->nbytes;
dev->left_bytes = req->nbytes;
- dev->aligned = 0;
- dev->align_size = 4;
dev->sg_dst = NULL;
dev->sg_src = req->src;
dev->first = req->src;
@@ -272,15 +270,13 @@ static int rk_ahash_crypto_rx(struct rk_crypto_info *dev)
dev->unload_data(dev);
if (dev->left_bytes) {
- if (dev->aligned) {
- if (sg_is_last(dev->sg_src)) {
- dev_warn(dev->dev, "[%s:%d], Lack of data\n",
- __func__, __LINE__);
- err = -ENOMEM;
- goto out_rx;
- }
- dev->sg_src = sg_next(dev->sg_src);
+ if (sg_is_last(dev->sg_src)) {
+ dev_warn(dev->dev, "[%s:%d], Lack of data\n",
+ __func__, __LINE__);
+ err = -ENOMEM;
+ goto out_rx;
}
+ dev->sg_src = sg_next(dev->sg_src);
err = rk_ahash_set_data_start(dev);
} else {
/*
@@ -318,11 +314,6 @@ static int rk_cra_hash_init(struct crypto_tfm *tfm)
algt = container_of(alg, struct rk_crypto_tmp, alg.hash);
tctx->dev = algt->dev;
- tctx->dev->addr_vir = (void *)__get_free_page(GFP_KERNEL);
- if (!tctx->dev->addr_vir) {
- dev_err(tctx->dev->dev, "failed to kmalloc for addr_vir\n");
- return -ENOMEM;
- }
tctx->dev->start = rk_ahash_start;
tctx->dev->update = rk_ahash_crypto_rx;
tctx->dev->complete = rk_ahash_crypto_complete;
@@ -345,7 +336,6 @@ static void rk_cra_hash_exit(struct crypto_tfm *tfm)
{
struct rk_ahash_ctx *tctx = crypto_tfm_ctx(tfm);
- free_page((unsigned long)tctx->dev->addr_vir);
crypto_free_ahash(tctx->fallback_tfm);
}
diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
index 1ef94f8db2c5..d067b7f09165 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
@@ -356,7 +356,6 @@ static int rk_ablk_start(struct rk_crypto_info *dev)
dev->src_nents = sg_nents(req->src);
dev->sg_dst = req->dst;
dev->dst_nents = sg_nents(req->dst);
- dev->aligned = 1;
spin_lock_irqsave(&dev->lock, flags);
rk_ablk_hw_init(dev);
@@ -376,13 +375,9 @@ static void rk_iv_copyback(struct rk_crypto_info *dev)
/* Update the IV buffer to contain the next IV for encryption mode. */
if (!(rctx->mode & RK_CRYPTO_DEC)) {
- if (dev->aligned) {
- memcpy(req->iv, sg_virt(dev->sg_dst) +
- dev->sg_dst->length - ivsize, ivsize);
- } else {
- memcpy(req->iv, dev->addr_vir +
- dev->count - ivsize, ivsize);
- }
+ memcpy(req->iv,
+ sg_virt(dev->sg_dst) + dev->sg_dst->length - ivsize,
+ ivsize);
}
}
@@ -420,27 +415,16 @@ static int rk_ablk_rx(struct rk_crypto_info *dev)
skcipher_request_cast(dev->async_req);
dev->unload_data(dev);
- if (!dev->aligned) {
- if (!sg_pcopy_from_buffer(req->dst, dev->dst_nents,
- dev->addr_vir, dev->count,
- dev->total - dev->left_bytes -
- dev->count)) {
- err = -EINVAL;
- goto out_rx;
- }
- }
if (dev->left_bytes) {
rk_update_iv(dev);
- if (dev->aligned) {
- if (sg_is_last(dev->sg_src)) {
- dev_err(dev->dev, "[%s:%d] Lack of data\n",
+ if (sg_is_last(dev->sg_src)) {
+ dev_err(dev->dev, "[%s:%d] Lack of data\n",
__func__, __LINE__);
- err = -ENOMEM;
- goto out_rx;
- }
- dev->sg_src = sg_next(dev->sg_src);
- dev->sg_dst = sg_next(dev->sg_dst);
+ err = -ENOMEM;
+ goto out_rx;
}
+ dev->sg_src = sg_next(dev->sg_src);
+ dev->sg_dst = sg_next(dev->sg_dst);
err = rk_set_data_start(dev);
} else {
rk_iv_copyback(dev);
@@ -462,13 +446,9 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
algt = container_of(alg, struct rk_crypto_tmp, alg.skcipher);
ctx->dev = algt->dev;
- ctx->dev->align_size = crypto_tfm_alg_alignmask(crypto_skcipher_tfm(tfm)) + 1;
ctx->dev->start = rk_ablk_start;
ctx->dev->update = rk_ablk_rx;
ctx->dev->complete = rk_crypto_complete;
- ctx->dev->addr_vir = (char *)__get_free_page(GFP_KERNEL);
- if (!ctx->dev->addr_vir)
- return -ENOMEM;
ctx->fallback_tfm = crypto_alloc_skcipher(name, 0, CRYPTO_ALG_NEED_FALLBACK);
if (IS_ERR(ctx->fallback_tfm)) {
@@ -488,7 +468,6 @@ static void rk_ablk_exit_tfm(struct crypto_skcipher *tfm)
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
memzero_explicit(ctx->key, ctx->keylen);
- free_page((unsigned long)ctx->dev->addr_vir);
crypto_free_skcipher(ctx->fallback_tfm);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 294/783] crypto: rockchip - delete unneeded variable initialization
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 293/783] crypto: rockchip - remove non-aligned handling Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 295/783] crypto: rockchip - rework by using crypto_engine Greg Kroah-Hartman
` (498 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kai Ye, Herbert Xu, Sasha Levin
From: Kai Ye <yekai13@huawei.com>
[ Upstream commit 3d8c5f5a08c39835a365c69d1a6d9518722ed19e ]
Delete unneeded variable initialization
Signed-off-by: Kai Ye <yekai13@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Stable-dep-of: 57d67c6e8219 ("crypto: rockchip - rework by using crypto_engine")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/rockchip/rk3288_crypto_ahash.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
index f1d482ecc195..c762e462eb57 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
@@ -82,7 +82,7 @@ static void rk_ahash_reg_init(struct rk_crypto_info *dev)
{
struct ahash_request *req = ahash_request_cast(dev->async_req);
struct rk_ahash_rctx *rctx = ahash_request_ctx(req);
- int reg_status = 0;
+ int reg_status;
reg_status = CRYPTO_READ(dev, RK_CRYPTO_CTRL) |
RK_CRYPTO_HASH_FLUSH | _SBF(0xffff, 16);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 295/783] crypto: rockchip - rework by using crypto_engine
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 294/783] crypto: rockchip - delete unneeded variable initialization Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 296/783] apparmor: Fix memleak in alloc_ns() Greg Kroah-Hartman
` (497 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Keeping, Corentin Labbe,
Herbert Xu, Sasha Levin
From: Corentin Labbe <clabbe@baylibre.com>
[ Upstream commit 57d67c6e8219b2a034c16d6149e30fb40fd39935 ]
Instead of doing manual queue management, let's use the crypto/engine
for that.
In the same time, rework the requests handling to be easier to
understand (and fix all bugs related to them).
Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API")
Reviewed-by: John Keeping <john@metanate.com>
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/Kconfig | 1 +
drivers/crypto/rockchip/rk3288_crypto.c | 152 +----------
drivers/crypto/rockchip/rk3288_crypto.h | 39 +--
drivers/crypto/rockchip/rk3288_crypto_ahash.c | 144 +++++-----
.../crypto/rockchip/rk3288_crypto_skcipher.c | 250 +++++++++---------
5 files changed, 221 insertions(+), 365 deletions(-)
diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
index 8aa8b330df70..0a3dd0793f30 100644
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -754,6 +754,7 @@ config CRYPTO_DEV_ROCKCHIP
select CRYPTO_CBC
select CRYPTO_DES
select CRYPTO_AES
+ select CRYPTO_ENGINE
select CRYPTO_LIB_DES
select CRYPTO_MD5
select CRYPTO_SHA1
diff --git a/drivers/crypto/rockchip/rk3288_crypto.c b/drivers/crypto/rockchip/rk3288_crypto.c
index 31453257ab11..14a0aef18ab1 100644
--- a/drivers/crypto/rockchip/rk3288_crypto.c
+++ b/drivers/crypto/rockchip/rk3288_crypto.c
@@ -65,149 +65,24 @@ static void rk_crypto_disable_clk(struct rk_crypto_info *dev)
clk_disable_unprepare(dev->sclk);
}
-static int check_alignment(struct scatterlist *sg_src,
- struct scatterlist *sg_dst,
- int align_mask)
-{
- int in, out, align;
-
- in = IS_ALIGNED((uint32_t)sg_src->offset, 4) &&
- IS_ALIGNED((uint32_t)sg_src->length, align_mask);
- if (!sg_dst)
- return in;
- out = IS_ALIGNED((uint32_t)sg_dst->offset, 4) &&
- IS_ALIGNED((uint32_t)sg_dst->length, align_mask);
- align = in && out;
-
- return (align && (sg_src->length == sg_dst->length));
-}
-
-static int rk_load_data(struct rk_crypto_info *dev,
- struct scatterlist *sg_src,
- struct scatterlist *sg_dst)
-{
- unsigned int count;
-
- count = min(dev->left_bytes, sg_src->length);
- dev->left_bytes -= count;
-
- if (!dma_map_sg(dev->dev, sg_src, 1, DMA_TO_DEVICE)) {
- dev_err(dev->dev, "[%s:%d] dma_map_sg(src) error\n",
- __func__, __LINE__);
- return -EINVAL;
- }
- dev->addr_in = sg_dma_address(sg_src);
-
- if (sg_dst) {
- if (!dma_map_sg(dev->dev, sg_dst, 1, DMA_FROM_DEVICE)) {
- dev_err(dev->dev,
- "[%s:%d] dma_map_sg(dst) error\n",
- __func__, __LINE__);
- dma_unmap_sg(dev->dev, sg_src, 1,
- DMA_TO_DEVICE);
- return -EINVAL;
- }
- dev->addr_out = sg_dma_address(sg_dst);
- }
- dev->count = count;
- return 0;
-}
-
-static void rk_unload_data(struct rk_crypto_info *dev)
-{
- struct scatterlist *sg_in, *sg_out;
-
- sg_in = dev->sg_src;
- dma_unmap_sg(dev->dev, sg_in, 1, DMA_TO_DEVICE);
-
- if (dev->sg_dst) {
- sg_out = dev->sg_dst;
- dma_unmap_sg(dev->dev, sg_out, 1, DMA_FROM_DEVICE);
- }
-}
-
static irqreturn_t rk_crypto_irq_handle(int irq, void *dev_id)
{
struct rk_crypto_info *dev = platform_get_drvdata(dev_id);
u32 interrupt_status;
- spin_lock(&dev->lock);
interrupt_status = CRYPTO_READ(dev, RK_CRYPTO_INTSTS);
CRYPTO_WRITE(dev, RK_CRYPTO_INTSTS, interrupt_status);
+ dev->status = 1;
if (interrupt_status & 0x0a) {
dev_warn(dev->dev, "DMA Error\n");
- dev->err = -EFAULT;
+ dev->status = 0;
}
- tasklet_schedule(&dev->done_task);
+ complete(&dev->complete);
- spin_unlock(&dev->lock);
return IRQ_HANDLED;
}
-static int rk_crypto_enqueue(struct rk_crypto_info *dev,
- struct crypto_async_request *async_req)
-{
- unsigned long flags;
- int ret;
-
- spin_lock_irqsave(&dev->lock, flags);
- ret = crypto_enqueue_request(&dev->queue, async_req);
- if (dev->busy) {
- spin_unlock_irqrestore(&dev->lock, flags);
- return ret;
- }
- dev->busy = true;
- spin_unlock_irqrestore(&dev->lock, flags);
- tasklet_schedule(&dev->queue_task);
-
- return ret;
-}
-
-static void rk_crypto_queue_task_cb(unsigned long data)
-{
- struct rk_crypto_info *dev = (struct rk_crypto_info *)data;
- struct crypto_async_request *async_req, *backlog;
- unsigned long flags;
- int err = 0;
-
- dev->err = 0;
- spin_lock_irqsave(&dev->lock, flags);
- backlog = crypto_get_backlog(&dev->queue);
- async_req = crypto_dequeue_request(&dev->queue);
-
- if (!async_req) {
- dev->busy = false;
- spin_unlock_irqrestore(&dev->lock, flags);
- return;
- }
- spin_unlock_irqrestore(&dev->lock, flags);
-
- if (backlog) {
- backlog->complete(backlog, -EINPROGRESS);
- backlog = NULL;
- }
-
- dev->async_req = async_req;
- err = dev->start(dev);
- if (err)
- dev->complete(dev->async_req, err);
-}
-
-static void rk_crypto_done_task_cb(unsigned long data)
-{
- struct rk_crypto_info *dev = (struct rk_crypto_info *)data;
-
- if (dev->err) {
- dev->complete(dev->async_req, dev->err);
- return;
- }
-
- dev->err = dev->update(dev);
- if (dev->err)
- dev->complete(dev->async_req, dev->err);
-}
-
static struct rk_crypto_tmp *rk_cipher_algs[] = {
&rk_ecb_aes_alg,
&rk_cbc_aes_alg,
@@ -300,8 +175,6 @@ static int rk_crypto_probe(struct platform_device *pdev)
if (err)
goto err_crypto;
- spin_lock_init(&crypto_info->lock);
-
crypto_info->reg = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(crypto_info->reg)) {
err = PTR_ERR(crypto_info->reg);
@@ -352,17 +225,11 @@ static int rk_crypto_probe(struct platform_device *pdev)
crypto_info->dev = &pdev->dev;
platform_set_drvdata(pdev, crypto_info);
- tasklet_init(&crypto_info->queue_task,
- rk_crypto_queue_task_cb, (unsigned long)crypto_info);
- tasklet_init(&crypto_info->done_task,
- rk_crypto_done_task_cb, (unsigned long)crypto_info);
- crypto_init_queue(&crypto_info->queue, 50);
+ crypto_info->engine = crypto_engine_alloc_init(&pdev->dev, true);
+ crypto_engine_start(crypto_info->engine);
+ init_completion(&crypto_info->complete);
rk_crypto_enable_clk(crypto_info);
- crypto_info->load_data = rk_load_data;
- crypto_info->unload_data = rk_unload_data;
- crypto_info->enqueue = rk_crypto_enqueue;
- crypto_info->busy = false;
err = rk_crypto_register(crypto_info);
if (err) {
@@ -374,9 +241,9 @@ static int rk_crypto_probe(struct platform_device *pdev)
return 0;
err_register_alg:
- tasklet_kill(&crypto_info->queue_task);
- tasklet_kill(&crypto_info->done_task);
+ crypto_engine_exit(crypto_info->engine);
err_crypto:
+ dev_err(dev, "Crypto Accelerator not successfully registered\n");
return err;
}
@@ -386,8 +253,7 @@ static int rk_crypto_remove(struct platform_device *pdev)
rk_crypto_unregister();
rk_crypto_disable_clk(crypto_tmp);
- tasklet_kill(&crypto_tmp->done_task);
- tasklet_kill(&crypto_tmp->queue_task);
+ crypto_engine_exit(crypto_tmp->engine);
return 0;
}
diff --git a/drivers/crypto/rockchip/rk3288_crypto.h b/drivers/crypto/rockchip/rk3288_crypto.h
index acaf6f875d0b..6b1413c0359b 100644
--- a/drivers/crypto/rockchip/rk3288_crypto.h
+++ b/drivers/crypto/rockchip/rk3288_crypto.h
@@ -5,9 +5,11 @@
#include <crypto/aes.h>
#include <crypto/internal/des.h>
#include <crypto/algapi.h>
+#include <linux/dma-mapping.h>
#include <linux/interrupt.h>
#include <linux/delay.h>
#include <linux/scatterlist.h>
+#include <crypto/engine.h>
#include <crypto/internal/hash.h>
#include <crypto/internal/skcipher.h>
@@ -192,39 +194,15 @@ struct rk_crypto_info {
struct reset_control *rst;
void __iomem *reg;
int irq;
- struct crypto_queue queue;
- struct tasklet_struct queue_task;
- struct tasklet_struct done_task;
- struct crypto_async_request *async_req;
- int err;
- /* device lock */
- spinlock_t lock;
-
- /* the public variable */
- struct scatterlist *sg_src;
- struct scatterlist *sg_dst;
- struct scatterlist *first;
- unsigned int left_bytes;
- size_t src_nents;
- size_t dst_nents;
- unsigned int total;
- unsigned int count;
- dma_addr_t addr_in;
- dma_addr_t addr_out;
- bool busy;
- int (*start)(struct rk_crypto_info *dev);
- int (*update)(struct rk_crypto_info *dev);
- void (*complete)(struct crypto_async_request *base, int err);
- int (*load_data)(struct rk_crypto_info *dev,
- struct scatterlist *sg_src,
- struct scatterlist *sg_dst);
- void (*unload_data)(struct rk_crypto_info *dev);
- int (*enqueue)(struct rk_crypto_info *dev,
- struct crypto_async_request *async_req);
+
+ struct crypto_engine *engine;
+ struct completion complete;
+ int status;
};
/* the private variable of hash */
struct rk_ahash_ctx {
+ struct crypto_engine_ctx enginectx;
struct rk_crypto_info *dev;
/* for fallback */
struct crypto_ahash *fallback_tfm;
@@ -234,10 +212,12 @@ struct rk_ahash_ctx {
struct rk_ahash_rctx {
struct ahash_request fallback_req;
u32 mode;
+ int nrsg;
};
/* the private variable of cipher */
struct rk_cipher_ctx {
+ struct crypto_engine_ctx enginectx;
struct rk_crypto_info *dev;
unsigned int keylen;
u8 key[AES_MAX_KEY_SIZE];
@@ -246,6 +226,7 @@ struct rk_cipher_ctx {
};
struct rk_cipher_rctx {
+ u8 backup_iv[AES_BLOCK_SIZE];
u32 mode;
struct skcipher_request fallback_req; // keep at the end
};
diff --git a/drivers/crypto/rockchip/rk3288_crypto_ahash.c b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
index c762e462eb57..edd40e16a3f0 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_ahash.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_ahash.c
@@ -9,6 +9,7 @@
* Some ideas are from marvell/cesa.c and s5p-sss.c driver.
*/
#include <linux/device.h>
+#include <asm/unaligned.h>
#include "rk3288_crypto.h"
/*
@@ -72,16 +73,12 @@ static int zero_message_process(struct ahash_request *req)
return 0;
}
-static void rk_ahash_crypto_complete(struct crypto_async_request *base, int err)
+static void rk_ahash_reg_init(struct ahash_request *req)
{
- if (base->complete)
- base->complete(base, err);
-}
-
-static void rk_ahash_reg_init(struct rk_crypto_info *dev)
-{
- struct ahash_request *req = ahash_request_cast(dev->async_req);
struct rk_ahash_rctx *rctx = ahash_request_ctx(req);
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
+ struct rk_ahash_ctx *tctx = crypto_ahash_ctx(tfm);
+ struct rk_crypto_info *dev = tctx->dev;
int reg_status;
reg_status = CRYPTO_READ(dev, RK_CRYPTO_CTRL) |
@@ -108,7 +105,7 @@ static void rk_ahash_reg_init(struct rk_crypto_info *dev)
RK_CRYPTO_BYTESWAP_BRFIFO |
RK_CRYPTO_BYTESWAP_BTFIFO);
- CRYPTO_WRITE(dev, RK_CRYPTO_HASH_MSG_LEN, dev->total);
+ CRYPTO_WRITE(dev, RK_CRYPTO_HASH_MSG_LEN, req->nbytes);
}
static int rk_ahash_init(struct ahash_request *req)
@@ -206,44 +203,59 @@ static int rk_ahash_digest(struct ahash_request *req)
if (!req->nbytes)
return zero_message_process(req);
- else
- return dev->enqueue(dev, &req->base);
+
+ return crypto_transfer_hash_request_to_engine(dev->engine, req);
}
-static void crypto_ahash_dma_start(struct rk_crypto_info *dev)
+static void crypto_ahash_dma_start(struct rk_crypto_info *dev, struct scatterlist *sg)
{
- CRYPTO_WRITE(dev, RK_CRYPTO_HRDMAS, dev->addr_in);
- CRYPTO_WRITE(dev, RK_CRYPTO_HRDMAL, (dev->count + 3) / 4);
+ CRYPTO_WRITE(dev, RK_CRYPTO_HRDMAS, sg_dma_address(sg));
+ CRYPTO_WRITE(dev, RK_CRYPTO_HRDMAL, sg_dma_len(sg) / 4);
CRYPTO_WRITE(dev, RK_CRYPTO_CTRL, RK_CRYPTO_HASH_START |
(RK_CRYPTO_HASH_START << 16));
}
-static int rk_ahash_set_data_start(struct rk_crypto_info *dev)
+static int rk_hash_prepare(struct crypto_engine *engine, void *breq)
+{
+ struct ahash_request *areq = container_of(breq, struct ahash_request, base);
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
+ struct rk_ahash_rctx *rctx = ahash_request_ctx(areq);
+ struct rk_ahash_ctx *tctx = crypto_ahash_ctx(tfm);
+ int ret;
+
+ ret = dma_map_sg(tctx->dev->dev, areq->src, sg_nents(areq->src), DMA_TO_DEVICE);
+ if (ret <= 0)
+ return -EINVAL;
+
+ rctx->nrsg = ret;
+
+ return 0;
+}
+
+static int rk_hash_unprepare(struct crypto_engine *engine, void *breq)
{
- int err;
+ struct ahash_request *areq = container_of(breq, struct ahash_request, base);
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
+ struct rk_ahash_rctx *rctx = ahash_request_ctx(areq);
+ struct rk_ahash_ctx *tctx = crypto_ahash_ctx(tfm);
- err = dev->load_data(dev, dev->sg_src, NULL);
- if (!err)
- crypto_ahash_dma_start(dev);
- return err;
+ dma_unmap_sg(tctx->dev->dev, areq->src, rctx->nrsg, DMA_TO_DEVICE);
+ return 0;
}
-static int rk_ahash_start(struct rk_crypto_info *dev)
+static int rk_hash_run(struct crypto_engine *engine, void *breq)
{
- struct ahash_request *req = ahash_request_cast(dev->async_req);
- struct crypto_ahash *tfm;
- struct rk_ahash_rctx *rctx;
-
- dev->total = req->nbytes;
- dev->left_bytes = req->nbytes;
- dev->sg_dst = NULL;
- dev->sg_src = req->src;
- dev->first = req->src;
- dev->src_nents = sg_nents(req->src);
- rctx = ahash_request_ctx(req);
+ struct ahash_request *areq = container_of(breq, struct ahash_request, base);
+ struct crypto_ahash *tfm = crypto_ahash_reqtfm(areq);
+ struct rk_ahash_rctx *rctx = ahash_request_ctx(areq);
+ struct rk_ahash_ctx *tctx = crypto_ahash_ctx(tfm);
+ struct scatterlist *sg = areq->src;
+ int err = 0;
+ int i;
+ u32 v;
+
rctx->mode = 0;
- tfm = crypto_ahash_reqtfm(req);
switch (crypto_ahash_digestsize(tfm)) {
case SHA1_DIGEST_SIZE:
rctx->mode = RK_CRYPTO_HASH_SHA1;
@@ -255,30 +267,26 @@ static int rk_ahash_start(struct rk_crypto_info *dev)
rctx->mode = RK_CRYPTO_HASH_MD5;
break;
default:
- return -EINVAL;
+ err = -EINVAL;
+ goto theend;
}
- rk_ahash_reg_init(dev);
- return rk_ahash_set_data_start(dev);
-}
+ rk_ahash_reg_init(areq);
-static int rk_ahash_crypto_rx(struct rk_crypto_info *dev)
-{
- int err = 0;
- struct ahash_request *req = ahash_request_cast(dev->async_req);
- struct crypto_ahash *tfm;
-
- dev->unload_data(dev);
- if (dev->left_bytes) {
- if (sg_is_last(dev->sg_src)) {
- dev_warn(dev->dev, "[%s:%d], Lack of data\n",
- __func__, __LINE__);
- err = -ENOMEM;
- goto out_rx;
+ while (sg) {
+ reinit_completion(&tctx->dev->complete);
+ tctx->dev->status = 0;
+ crypto_ahash_dma_start(tctx->dev, sg);
+ wait_for_completion_interruptible_timeout(&tctx->dev->complete,
+ msecs_to_jiffies(2000));
+ if (!tctx->dev->status) {
+ dev_err(tctx->dev->dev, "DMA timeout\n");
+ err = -EFAULT;
+ goto theend;
}
- dev->sg_src = sg_next(dev->sg_src);
- err = rk_ahash_set_data_start(dev);
- } else {
+ sg = sg_next(sg);
+ }
+
/*
* it will take some time to process date after last dma
* transmission.
@@ -289,18 +297,20 @@ static int rk_ahash_crypto_rx(struct rk_crypto_info *dev)
* efficiency, and make it response quickly when dma
* complete.
*/
- while (!CRYPTO_READ(dev, RK_CRYPTO_HASH_STS))
- udelay(10);
-
- tfm = crypto_ahash_reqtfm(req);
- memcpy_fromio(req->result, dev->reg + RK_CRYPTO_HASH_DOUT_0,
- crypto_ahash_digestsize(tfm));
- dev->complete(dev->async_req, 0);
- tasklet_schedule(&dev->queue_task);
+ while (!CRYPTO_READ(tctx->dev, RK_CRYPTO_HASH_STS))
+ udelay(10);
+
+ for (i = 0; i < crypto_ahash_digestsize(tfm) / 4; i++) {
+ v = readl(tctx->dev->reg + RK_CRYPTO_HASH_DOUT_0 + i * 4);
+ put_unaligned_le32(v, areq->result + i * 4);
}
-out_rx:
- return err;
+theend:
+ local_bh_disable();
+ crypto_finalize_hash_request(engine, breq, err);
+ local_bh_enable();
+
+ return 0;
}
static int rk_cra_hash_init(struct crypto_tfm *tfm)
@@ -314,9 +324,6 @@ static int rk_cra_hash_init(struct crypto_tfm *tfm)
algt = container_of(alg, struct rk_crypto_tmp, alg.hash);
tctx->dev = algt->dev;
- tctx->dev->start = rk_ahash_start;
- tctx->dev->update = rk_ahash_crypto_rx;
- tctx->dev->complete = rk_ahash_crypto_complete;
/* for fallback */
tctx->fallback_tfm = crypto_alloc_ahash(alg_name, 0,
@@ -325,10 +332,15 @@ static int rk_cra_hash_init(struct crypto_tfm *tfm)
dev_err(tctx->dev->dev, "Could not load fallback driver.\n");
return PTR_ERR(tctx->fallback_tfm);
}
+
crypto_ahash_set_reqsize(__crypto_ahash_cast(tfm),
sizeof(struct rk_ahash_rctx) +
crypto_ahash_reqsize(tctx->fallback_tfm));
+ tctx->enginectx.op.do_one_request = rk_hash_run;
+ tctx->enginectx.op.prepare_request = rk_hash_prepare;
+ tctx->enginectx.op.unprepare_request = rk_hash_unprepare;
+
return 0;
}
diff --git a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
index d067b7f09165..67a7e05d5ae3 100644
--- a/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
+++ b/drivers/crypto/rockchip/rk3288_crypto_skcipher.c
@@ -9,6 +9,7 @@
* Some ideas are from marvell-cesa.c and s5p-sss.c driver.
*/
#include <linux/device.h>
+#include <crypto/scatterwalk.h>
#include "rk3288_crypto.h"
#define RK_CRYPTO_DEC BIT(0)
@@ -70,19 +71,15 @@ static int rk_cipher_fallback(struct skcipher_request *areq)
return err;
}
-static void rk_crypto_complete(struct crypto_async_request *base, int err)
-{
- if (base->complete)
- base->complete(base, err);
-}
-
static int rk_handle_req(struct rk_crypto_info *dev,
struct skcipher_request *req)
{
+ struct crypto_engine *engine = dev->engine;
+
if (rk_cipher_need_fallback(req))
return rk_cipher_fallback(req);
- return dev->enqueue(dev, &req->base);
+ return crypto_transfer_skcipher_request_to_engine(engine, req);
}
static int rk_aes_setkey(struct crypto_skcipher *cipher,
@@ -265,25 +262,21 @@ static int rk_des3_ede_cbc_decrypt(struct skcipher_request *req)
return rk_handle_req(dev, req);
}
-static void rk_ablk_hw_init(struct rk_crypto_info *dev)
+static void rk_ablk_hw_init(struct rk_crypto_info *dev, struct skcipher_request *req)
{
- struct skcipher_request *req =
- skcipher_request_cast(dev->async_req);
struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
struct crypto_tfm *tfm = crypto_skcipher_tfm(cipher);
struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(cipher);
- u32 ivsize, block, conf_reg = 0;
+ u32 block, conf_reg = 0;
block = crypto_tfm_alg_blocksize(tfm);
- ivsize = crypto_skcipher_ivsize(cipher);
if (block == DES_BLOCK_SIZE) {
rctx->mode |= RK_CRYPTO_TDES_FIFO_MODE |
RK_CRYPTO_TDES_BYTESWAP_KEY |
RK_CRYPTO_TDES_BYTESWAP_IV;
CRYPTO_WRITE(dev, RK_CRYPTO_TDES_CTRL, rctx->mode);
- memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, req->iv, ivsize);
memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_KEY1_0, ctx->key, ctx->keylen);
conf_reg = RK_CRYPTO_DESSEL;
} else {
@@ -296,7 +289,6 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
else if (ctx->keylen == AES_KEYSIZE_256)
rctx->mode |= RK_CRYPTO_AES_256BIT_key;
CRYPTO_WRITE(dev, RK_CRYPTO_AES_CTRL, rctx->mode);
- memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, req->iv, ivsize);
memcpy_toio(ctx->dev->reg + RK_CRYPTO_AES_KEY_0, ctx->key, ctx->keylen);
}
conf_reg |= RK_CRYPTO_BYTESWAP_BTFIFO |
@@ -306,133 +298,138 @@ static void rk_ablk_hw_init(struct rk_crypto_info *dev)
RK_CRYPTO_BCDMA_ERR_ENA | RK_CRYPTO_BCDMA_DONE_ENA);
}
-static void crypto_dma_start(struct rk_crypto_info *dev)
+static void crypto_dma_start(struct rk_crypto_info *dev,
+ struct scatterlist *sgs,
+ struct scatterlist *sgd, unsigned int todo)
{
- CRYPTO_WRITE(dev, RK_CRYPTO_BRDMAS, dev->addr_in);
- CRYPTO_WRITE(dev, RK_CRYPTO_BRDMAL, dev->count / 4);
- CRYPTO_WRITE(dev, RK_CRYPTO_BTDMAS, dev->addr_out);
+ CRYPTO_WRITE(dev, RK_CRYPTO_BRDMAS, sg_dma_address(sgs));
+ CRYPTO_WRITE(dev, RK_CRYPTO_BRDMAL, todo);
+ CRYPTO_WRITE(dev, RK_CRYPTO_BTDMAS, sg_dma_address(sgd));
CRYPTO_WRITE(dev, RK_CRYPTO_CTRL, RK_CRYPTO_BLOCK_START |
_SBF(RK_CRYPTO_BLOCK_START, 16));
}
-static int rk_set_data_start(struct rk_crypto_info *dev)
+static int rk_cipher_run(struct crypto_engine *engine, void *async_req)
{
- int err;
- struct skcipher_request *req =
- skcipher_request_cast(dev->async_req);
- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
- struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
+ struct skcipher_request *areq = container_of(async_req, struct skcipher_request, base);
+ struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(areq);
struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
- u32 ivsize = crypto_skcipher_ivsize(tfm);
- u8 *src_last_blk = page_address(sg_page(dev->sg_src)) +
- dev->sg_src->offset + dev->sg_src->length - ivsize;
-
- /* Store the iv that need to be updated in chain mode.
- * And update the IV buffer to contain the next IV for decryption mode.
- */
- if (rctx->mode & RK_CRYPTO_DEC) {
- memcpy(ctx->iv, src_last_blk, ivsize);
- sg_pcopy_to_buffer(dev->first, dev->src_nents, req->iv,
- ivsize, dev->total - ivsize);
- }
-
- err = dev->load_data(dev, dev->sg_src, dev->sg_dst);
- if (!err)
- crypto_dma_start(dev);
- return err;
-}
-
-static int rk_ablk_start(struct rk_crypto_info *dev)
-{
- struct skcipher_request *req =
- skcipher_request_cast(dev->async_req);
- unsigned long flags;
+ struct rk_cipher_rctx *rctx = skcipher_request_ctx(areq);
+ struct scatterlist *sgs, *sgd;
int err = 0;
+ int ivsize = crypto_skcipher_ivsize(tfm);
+ int offset;
+ u8 iv[AES_BLOCK_SIZE];
+ u8 biv[AES_BLOCK_SIZE];
+ u8 *ivtouse = areq->iv;
+ unsigned int len = areq->cryptlen;
+ unsigned int todo;
+
+ ivsize = crypto_skcipher_ivsize(tfm);
+ if (areq->iv && crypto_skcipher_ivsize(tfm) > 0) {
+ if (rctx->mode & RK_CRYPTO_DEC) {
+ offset = areq->cryptlen - ivsize;
+ scatterwalk_map_and_copy(rctx->backup_iv, areq->src,
+ offset, ivsize, 0);
+ }
+ }
- dev->left_bytes = req->cryptlen;
- dev->total = req->cryptlen;
- dev->sg_src = req->src;
- dev->first = req->src;
- dev->src_nents = sg_nents(req->src);
- dev->sg_dst = req->dst;
- dev->dst_nents = sg_nents(req->dst);
-
- spin_lock_irqsave(&dev->lock, flags);
- rk_ablk_hw_init(dev);
- err = rk_set_data_start(dev);
- spin_unlock_irqrestore(&dev->lock, flags);
- return err;
-}
-
-static void rk_iv_copyback(struct rk_crypto_info *dev)
-{
- struct skcipher_request *req =
- skcipher_request_cast(dev->async_req);
- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
- struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
- struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
- u32 ivsize = crypto_skcipher_ivsize(tfm);
+ sgs = areq->src;
+ sgd = areq->dst;
- /* Update the IV buffer to contain the next IV for encryption mode. */
- if (!(rctx->mode & RK_CRYPTO_DEC)) {
- memcpy(req->iv,
- sg_virt(dev->sg_dst) + dev->sg_dst->length - ivsize,
- ivsize);
+ while (sgs && sgd && len) {
+ if (!sgs->length) {
+ sgs = sg_next(sgs);
+ sgd = sg_next(sgd);
+ continue;
+ }
+ if (rctx->mode & RK_CRYPTO_DEC) {
+ /* we backup last block of source to be used as IV at next step */
+ offset = sgs->length - ivsize;
+ scatterwalk_map_and_copy(biv, sgs, offset, ivsize, 0);
+ }
+ if (sgs == sgd) {
+ err = dma_map_sg(ctx->dev->dev, sgs, 1, DMA_BIDIRECTIONAL);
+ if (err <= 0) {
+ err = -EINVAL;
+ goto theend_iv;
+ }
+ } else {
+ err = dma_map_sg(ctx->dev->dev, sgs, 1, DMA_TO_DEVICE);
+ if (err <= 0) {
+ err = -EINVAL;
+ goto theend_iv;
+ }
+ err = dma_map_sg(ctx->dev->dev, sgd, 1, DMA_FROM_DEVICE);
+ if (err <= 0) {
+ err = -EINVAL;
+ goto theend_sgs;
+ }
+ }
+ err = 0;
+ rk_ablk_hw_init(ctx->dev, areq);
+ if (ivsize) {
+ if (ivsize == DES_BLOCK_SIZE)
+ memcpy_toio(ctx->dev->reg + RK_CRYPTO_TDES_IV_0, ivtouse, ivsize);
+ else
+ memcpy_toio(ctx->dev->reg + RK_CRYPTO_AES_IV_0, ivtouse, ivsize);
+ }
+ reinit_completion(&ctx->dev->complete);
+ ctx->dev->status = 0;
+
+ todo = min(sg_dma_len(sgs), len);
+ len -= todo;
+ crypto_dma_start(ctx->dev, sgs, sgd, todo / 4);
+ wait_for_completion_interruptible_timeout(&ctx->dev->complete,
+ msecs_to_jiffies(2000));
+ if (!ctx->dev->status) {
+ dev_err(ctx->dev->dev, "DMA timeout\n");
+ err = -EFAULT;
+ goto theend;
+ }
+ if (sgs == sgd) {
+ dma_unmap_sg(ctx->dev->dev, sgs, 1, DMA_BIDIRECTIONAL);
+ } else {
+ dma_unmap_sg(ctx->dev->dev, sgs, 1, DMA_TO_DEVICE);
+ dma_unmap_sg(ctx->dev->dev, sgd, 1, DMA_FROM_DEVICE);
+ }
+ if (rctx->mode & RK_CRYPTO_DEC) {
+ memcpy(iv, biv, ivsize);
+ ivtouse = iv;
+ } else {
+ offset = sgd->length - ivsize;
+ scatterwalk_map_and_copy(iv, sgd, offset, ivsize, 0);
+ ivtouse = iv;
+ }
+ sgs = sg_next(sgs);
+ sgd = sg_next(sgd);
}
-}
-
-static void rk_update_iv(struct rk_crypto_info *dev)
-{
- struct skcipher_request *req =
- skcipher_request_cast(dev->async_req);
- struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
- struct rk_cipher_rctx *rctx = skcipher_request_ctx(req);
- struct rk_cipher_ctx *ctx = crypto_skcipher_ctx(tfm);
- u32 ivsize = crypto_skcipher_ivsize(tfm);
- u8 *new_iv = NULL;
- if (rctx->mode & RK_CRYPTO_DEC) {
- new_iv = ctx->iv;
- } else {
- new_iv = page_address(sg_page(dev->sg_dst)) +
- dev->sg_dst->offset + dev->sg_dst->length - ivsize;
+ if (areq->iv && ivsize > 0) {
+ offset = areq->cryptlen - ivsize;
+ if (rctx->mode & RK_CRYPTO_DEC) {
+ memcpy(areq->iv, rctx->backup_iv, ivsize);
+ memzero_explicit(rctx->backup_iv, ivsize);
+ } else {
+ scatterwalk_map_and_copy(areq->iv, areq->dst, offset,
+ ivsize, 0);
+ }
}
- if (ivsize == DES_BLOCK_SIZE)
- memcpy_toio(dev->reg + RK_CRYPTO_TDES_IV_0, new_iv, ivsize);
- else if (ivsize == AES_BLOCK_SIZE)
- memcpy_toio(dev->reg + RK_CRYPTO_AES_IV_0, new_iv, ivsize);
-}
+theend:
+ local_bh_disable();
+ crypto_finalize_skcipher_request(engine, areq, err);
+ local_bh_enable();
+ return 0;
-/* return:
- * true some err was occurred
- * fault no err, continue
- */
-static int rk_ablk_rx(struct rk_crypto_info *dev)
-{
- int err = 0;
- struct skcipher_request *req =
- skcipher_request_cast(dev->async_req);
-
- dev->unload_data(dev);
- if (dev->left_bytes) {
- rk_update_iv(dev);
- if (sg_is_last(dev->sg_src)) {
- dev_err(dev->dev, "[%s:%d] Lack of data\n",
- __func__, __LINE__);
- err = -ENOMEM;
- goto out_rx;
- }
- dev->sg_src = sg_next(dev->sg_src);
- dev->sg_dst = sg_next(dev->sg_dst);
- err = rk_set_data_start(dev);
+theend_sgs:
+ if (sgs == sgd) {
+ dma_unmap_sg(ctx->dev->dev, sgs, 1, DMA_BIDIRECTIONAL);
} else {
- rk_iv_copyback(dev);
- /* here show the calculation is over without any err */
- dev->complete(dev->async_req, 0);
- tasklet_schedule(&dev->queue_task);
+ dma_unmap_sg(ctx->dev->dev, sgs, 1, DMA_TO_DEVICE);
+ dma_unmap_sg(ctx->dev->dev, sgd, 1, DMA_FROM_DEVICE);
}
-out_rx:
+theend_iv:
return err;
}
@@ -446,9 +443,6 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
algt = container_of(alg, struct rk_crypto_tmp, alg.skcipher);
ctx->dev = algt->dev;
- ctx->dev->start = rk_ablk_start;
- ctx->dev->update = rk_ablk_rx;
- ctx->dev->complete = rk_crypto_complete;
ctx->fallback_tfm = crypto_alloc_skcipher(name, 0, CRYPTO_ALG_NEED_FALLBACK);
if (IS_ERR(ctx->fallback_tfm)) {
@@ -460,6 +454,8 @@ static int rk_ablk_init_tfm(struct crypto_skcipher *tfm)
tfm->reqsize = sizeof(struct rk_cipher_rctx) +
crypto_skcipher_reqsize(ctx->fallback_tfm);
+ ctx->enginectx.op.do_one_request = rk_cipher_run;
+
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 296/783] apparmor: Fix memleak in alloc_ns()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 295/783] crypto: rockchip - rework by using crypto_engine Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 297/783] f2fs: fix normal discard process Greg Kroah-Hartman
` (496 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, John Johansen, Sasha Levin
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit e9e6fa49dbab6d84c676666f3fe7d360497fd65b ]
After changes in commit a1bd627b46d1 ("apparmor: share profile name on
replacement"), the hname member of struct aa_policy is not valid slab
object, but a subset of that, it can not be freed by kfree_sensitive(),
use aa_policy_destroy() to fix it.
Fixes: a1bd627b46d1 ("apparmor: share profile name on replacement")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/apparmor/policy_ns.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/apparmor/policy_ns.c b/security/apparmor/policy_ns.c
index 70921d95fb40..53d24cf63893 100644
--- a/security/apparmor/policy_ns.c
+++ b/security/apparmor/policy_ns.c
@@ -121,7 +121,7 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name)
return ns;
fail_unconfined:
- kfree_sensitive(ns->base.hname);
+ aa_policy_destroy(&ns->base);
fail_ns:
kfree_sensitive(ns);
return NULL;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 297/783] f2fs: fix normal discard process
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 296/783] apparmor: Fix memleak in alloc_ns() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 298/783] RDMA/siw: Fix immediate work request flush to completion queue Greg Kroah-Hartman
` (495 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dongdong Zhang, Chao Yu,
Jaegeuk Kim, Sasha Levin
From: Dongdong Zhang <zhangdongdong1@oppo.com>
[ Upstream commit b5f1a218ae5e4339130d6e733f0e63d623e09a2c ]
In the DPOLICY_BG mode, there is a conflict between
the two conditions "i + 1 < dpolicy->granularity" and
"i < DEFAULT_DISCARD_GRANULARITY". If i = 15, the first
condition is false, it will enter the second condition
and dispatch all small granularity discards in function
__issue_discard_cmd_orderly. The restrictive effect
of the first condition to small discards will be
invalidated. These two conditions should align.
Fixes: 20ee4382322c ("f2fs: issue small discard by LBA order")
Signed-off-by: Dongdong Zhang <zhangdongdong1@oppo.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/segment.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index 68774d6198a5..7c90d93f4e43 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -1532,7 +1532,7 @@ static int __issue_discard_cmd(struct f2fs_sb_info *sbi,
if (i + 1 < dpolicy->granularity)
break;
- if (i < DEFAULT_DISCARD_GRANULARITY && dpolicy->ordered)
+ if (i + 1 < DEFAULT_DISCARD_GRANULARITY && dpolicy->ordered)
return __issue_discard_cmd_orderly(sbi, dpolicy);
pend_list = &dcc->pend_list[i];
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 298/783] RDMA/siw: Fix immediate work request flush to completion queue
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 297/783] f2fs: fix normal discard process Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 299/783] RDMA/nldev: Return "-EAGAIN" if the cm_id isnt from expected port Greg Kroah-Hartman
` (494 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, Tom Talpey,
Bernard Metzler, Leon Romanovsky, Sasha Levin
From: Bernard Metzler <bmt@zurich.ibm.com>
[ Upstream commit bdf1da5df9da680589a7f74448dd0a94dd3e1446 ]
Correctly set send queue element opcode during immediate work request
flushing in post sendqueue operation, if the QP is in ERROR state.
An undefined ocode value results in out-of-bounds access to an array
for mapping the opcode between siw internal and RDMA core representation
in work completion generation. It resulted in a KASAN BUG report
of type 'global-out-of-bounds' during NFSoRDMA testing.
This patch further fixes a potential case of a malicious user which may
write undefined values for completion queue elements status or opcode,
if the CQ is memory mapped to user land. It avoids the same out-of-bounds
access to arrays for status and opcode mapping as described above.
Fixes: 303ae1cdfdf7 ("rdma/siw: application interface")
Fixes: b0fff7317bb4 ("rdma/siw: completion queue methods")
Reported-by: Olga Kornievskaia <kolga@netapp.com>
Reviewed-by: Tom Talpey <tom@talpey.com>
Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
Link: https://lore.kernel.org/r/20221107145057.895747-1-bmt@zurich.ibm.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/sw/siw/siw_cq.c | 24 ++++++++++++++--
drivers/infiniband/sw/siw/siw_verbs.c | 40 ++++++++++++++++++++++++---
2 files changed, 58 insertions(+), 6 deletions(-)
diff --git a/drivers/infiniband/sw/siw/siw_cq.c b/drivers/infiniband/sw/siw/siw_cq.c
index d68e37859e73..acc7bcd538b5 100644
--- a/drivers/infiniband/sw/siw/siw_cq.c
+++ b/drivers/infiniband/sw/siw/siw_cq.c
@@ -56,8 +56,6 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc)
if (READ_ONCE(cqe->flags) & SIW_WQE_VALID) {
memset(wc, 0, sizeof(*wc));
wc->wr_id = cqe->id;
- wc->status = map_cqe_status[cqe->status].ib;
- wc->opcode = map_wc_opcode[cqe->opcode];
wc->byte_len = cqe->bytes;
/*
@@ -71,10 +69,32 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc)
wc->wc_flags = IB_WC_WITH_INVALIDATE;
}
wc->qp = cqe->base_qp;
+ wc->opcode = map_wc_opcode[cqe->opcode];
+ wc->status = map_cqe_status[cqe->status].ib;
siw_dbg_cq(cq,
"idx %u, type %d, flags %2x, id 0x%pK\n",
cq->cq_get % cq->num_cqe, cqe->opcode,
cqe->flags, (void *)(uintptr_t)cqe->id);
+ } else {
+ /*
+ * A malicious user may set invalid opcode or
+ * status in the user mmapped CQE array.
+ * Sanity check and correct values in that case
+ * to avoid out-of-bounds access to global arrays
+ * for opcode and status mapping.
+ */
+ u8 opcode = cqe->opcode;
+ u16 status = cqe->status;
+
+ if (opcode >= SIW_NUM_OPCODES) {
+ opcode = 0;
+ status = IB_WC_GENERAL_ERR;
+ } else if (status >= SIW_NUM_WC_STATUS) {
+ status = IB_WC_GENERAL_ERR;
+ }
+ wc->opcode = map_wc_opcode[opcode];
+ wc->status = map_cqe_status[status].ib;
+
}
WRITE_ONCE(cqe->flags, 0);
cq->cq_get++;
diff --git a/drivers/infiniband/sw/siw/siw_verbs.c b/drivers/infiniband/sw/siw/siw_verbs.c
index 34e847a91eb8..d043793ff0f5 100644
--- a/drivers/infiniband/sw/siw/siw_verbs.c
+++ b/drivers/infiniband/sw/siw/siw_verbs.c
@@ -672,13 +672,45 @@ static int siw_copy_inline_sgl(const struct ib_send_wr *core_wr,
static int siw_sq_flush_wr(struct siw_qp *qp, const struct ib_send_wr *wr,
const struct ib_send_wr **bad_wr)
{
- struct siw_sqe sqe = {};
int rv = 0;
while (wr) {
- sqe.id = wr->wr_id;
- sqe.opcode = wr->opcode;
- rv = siw_sqe_complete(qp, &sqe, 0, SIW_WC_WR_FLUSH_ERR);
+ struct siw_sqe sqe = {};
+
+ switch (wr->opcode) {
+ case IB_WR_RDMA_WRITE:
+ sqe.opcode = SIW_OP_WRITE;
+ break;
+ case IB_WR_RDMA_READ:
+ sqe.opcode = SIW_OP_READ;
+ break;
+ case IB_WR_RDMA_READ_WITH_INV:
+ sqe.opcode = SIW_OP_READ_LOCAL_INV;
+ break;
+ case IB_WR_SEND:
+ sqe.opcode = SIW_OP_SEND;
+ break;
+ case IB_WR_SEND_WITH_IMM:
+ sqe.opcode = SIW_OP_SEND_WITH_IMM;
+ break;
+ case IB_WR_SEND_WITH_INV:
+ sqe.opcode = SIW_OP_SEND_REMOTE_INV;
+ break;
+ case IB_WR_LOCAL_INV:
+ sqe.opcode = SIW_OP_INVAL_STAG;
+ break;
+ case IB_WR_REG_MR:
+ sqe.opcode = SIW_OP_REG_MR;
+ break;
+ default:
+ rv = -EINVAL;
+ break;
+ }
+ if (!rv) {
+ sqe.id = wr->wr_id;
+ rv = siw_sqe_complete(qp, &sqe, 0,
+ SIW_WC_WR_FLUSH_ERR);
+ }
if (rv) {
if (bad_wr)
*bad_wr = wr;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 299/783] RDMA/nldev: Return "-EAGAIN" if the cm_id isnt from expected port
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 298/783] RDMA/siw: Fix immediate work request flush to completion queue Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 300/783] RDMA/siw: Set defined status for work completion with undefined status Greg Kroah-Hartman
` (493 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Zhang, Leon Romanovsky, Sasha Levin
From: Mark Zhang <markzhang@nvidia.com>
[ Upstream commit ecacb3751f254572af0009b9501e2cdc83a30b6a ]
When filling a cm_id entry, return "-EAGAIN" instead of 0 if the cm_id
doesn'the have the same port as requested, otherwise an incomplete entry
may be returned, which causes "rdam res show cm_id" to return an error.
For example on a machine with two rdma devices with "rping -C 1 -v -s"
running background, the "rdma" command fails:
$ rdma -V
rdma utility, iproute2-5.19.0
$ rdma res show cm_id
link mlx5_0/- cm-idn 0 state LISTEN ps TCP pid 28056 comm rping src-addr 0.0.0.0:7174
error: Protocol not available
While with this fix it succeeds:
$ rdma res show cm_id
link mlx5_0/- cm-idn 0 state LISTEN ps TCP pid 26395 comm rping src-addr 0.0.0.0:7174
link mlx5_1/- cm-idn 0 state LISTEN ps TCP pid 26395 comm rping src-addr 0.0.0.0:7174
Fixes: 00313983cda6 ("RDMA/nldev: provide detailed CM_ID information")
Signed-off-by: Mark Zhang <markzhang@nvidia.com>
Link: https://lore.kernel.org/r/a08e898cdac5e28428eb749a99d9d981571b8ea7.1667810736.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/nldev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
index c90f6378d839..f7689bc10d14 100644
--- a/drivers/infiniband/core/nldev.c
+++ b/drivers/infiniband/core/nldev.c
@@ -541,7 +541,7 @@ static int fill_res_cm_id_entry(struct sk_buff *msg, bool has_cap_net_admin,
struct rdma_cm_id *cm_id = &id_priv->id;
if (port && port != cm_id->port_num)
- return 0;
+ return -EAGAIN;
if (cm_id->port_num &&
nla_put_u32(msg, RDMA_NLDEV_ATTR_PORT_INDEX, cm_id->port_num))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 300/783] RDMA/siw: Set defined status for work completion with undefined status
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 299/783] RDMA/nldev: Return "-EAGAIN" if the cm_id isnt from expected port Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 301/783] scsi: scsi_debug: Fix a warning in resp_write_scat() Greg Kroah-Hartman
` (492 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Bernard Metzler,
Jason Gunthorpe, Sasha Levin
From: Bernard Metzler <bmt@zurich.ibm.com>
[ Upstream commit 60da2d11fcbc043304910e4d2ca82f9bab953e63 ]
A malicious user may write undefined values into memory mapped completion
queue elements status or opcode. Undefined status or opcode values will
result in out-of-bounds access to an array mapping siw internal
representation of opcode and status to RDMA core representation when
reaping CQ elements. While siw detects those undefined values, it did not
correctly set completion status to a defined value, thus defeating the
whole purpose of the check.
This bug leads to the following Smatch static checker warning:
drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe()
error: buffer overflow 'map_cqe_status' 10 <= 21
Fixes: bdf1da5df9da ("RDMA/siw: Fix immediate work request flush to completion queue")
Link: https://lore.kernel.org/r/20221115170747.1263298-1-bmt@zurich.ibm.com
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Bernard Metzler <bmt@zurich.ibm.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/sw/siw/siw_cq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/sw/siw/siw_cq.c b/drivers/infiniband/sw/siw/siw_cq.c
index acc7bcd538b5..403029de6b92 100644
--- a/drivers/infiniband/sw/siw/siw_cq.c
+++ b/drivers/infiniband/sw/siw/siw_cq.c
@@ -88,9 +88,9 @@ int siw_reap_cqe(struct siw_cq *cq, struct ib_wc *wc)
if (opcode >= SIW_NUM_OPCODES) {
opcode = 0;
- status = IB_WC_GENERAL_ERR;
+ status = SIW_WC_GENERAL_ERR;
} else if (status >= SIW_NUM_WC_STATUS) {
- status = IB_WC_GENERAL_ERR;
+ status = SIW_WC_GENERAL_ERR;
}
wc->opcode = map_wc_opcode[opcode];
wc->status = map_cqe_status[status].ib;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 301/783] scsi: scsi_debug: Fix a warning in resp_write_scat()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 300/783] RDMA/siw: Set defined status for work completion with undefined status Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 302/783] crypto: ccree - Remove debugfs when platform_driver_register failed Greg Kroah-Hartman
` (491 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harshit Mogalapalli,
Douglas Gilbert, Martin K. Petersen, Sasha Levin
From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
[ Upstream commit 216e179724c1d9f57a8ababf8bd7aaabef67f01b ]
As 'lbdof_blen' is coming from user, if the size in kzalloc() is >=
MAX_ORDER then we hit a warning.
Call trace:
sg_ioctl
sg_ioctl_common
scsi_ioctl
sg_scsi_ioctl
blk_execute_rq
blk_mq_sched_insert_request
blk_mq_run_hw_queue
__blk_mq_delay_run_hw_queue
__blk_mq_run_hw_queue
blk_mq_sched_dispatch_requests
__blk_mq_sched_dispatch_requests
blk_mq_dispatch_rq_list
scsi_queue_rq
scsi_dispatch_cmd
scsi_debug_queuecommand
schedule_resp
resp_write_scat
If you try to allocate a memory larger than(>=) MAX_ORDER, then kmalloc()
will definitely fail. It creates a stack trace and messes up dmesg. The
user controls the size here so if they specify a too large size it will
fail.
Add __GFP_NOWARN in order to avoid too large allocation warning. This is
detected by static analysis using smatch.
Fixes: 481b5e5c7949 ("scsi: scsi_debug: add resp_write_scat function")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Link: https://lore.kernel.org/r/20221111100526.1790533-1-harshit.m.mogalapalli@oracle.com
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index cc20621bb49d..110d0e7f9413 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -3619,7 +3619,7 @@ static int resp_write_scat(struct scsi_cmnd *scp,
mk_sense_buffer(scp, ILLEGAL_REQUEST, INVALID_FIELD_IN_CDB, 0);
return illegal_condition_result;
}
- lrdp = kzalloc(lbdof_blen, GFP_ATOMIC);
+ lrdp = kzalloc(lbdof_blen, GFP_ATOMIC | __GFP_NOWARN);
if (lrdp == NULL)
return SCSI_MLQUEUE_HOST_BUSY;
if (sdebug_verbose)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 302/783] crypto: ccree - Remove debugfs when platform_driver_register failed
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 301/783] scsi: scsi_debug: Fix a warning in resp_write_scat() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 303/783] crypto: cryptd - Use request context instead of stack for sub-request Greg Kroah-Hartman
` (490 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Herbert Xu, Sasha Levin
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit 4f1c596df706c9aca662b6c214fad84047ae2a97 ]
When platform_driver_register failed, we need to remove debugfs,
which will caused a resource leak, fix it.
Failed logs as follows:
[ 32.606488] debugfs: Directory 'ccree' with parent '/' already present!
Fixes: 4c3f97276e15 ("crypto: ccree - introduce CryptoCell driver")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccree/cc_driver.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/ccree/cc_driver.c b/drivers/crypto/ccree/cc_driver.c
index 6f519d3e896c..7924693f58e0 100644
--- a/drivers/crypto/ccree/cc_driver.c
+++ b/drivers/crypto/ccree/cc_driver.c
@@ -614,9 +614,17 @@ static struct platform_driver ccree_driver = {
static int __init ccree_init(void)
{
+ int rc;
+
cc_debugfs_global_init();
- return platform_driver_register(&ccree_driver);
+ rc = platform_driver_register(&ccree_driver);
+ if (rc) {
+ cc_debugfs_global_fini();
+ return rc;
+ }
+
+ return 0;
}
module_init(ccree_init);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 303/783] crypto: cryptd - Use request context instead of stack for sub-request
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 302/783] crypto: ccree - Remove debugfs when platform_driver_register failed Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 304/783] crypto: hisilicon/qm - add missing pci_dev_put() in q_num_set() Greg Kroah-Hartman
` (489 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 3a58c231172537f7b0e19d93ed33decd04f80eab ]
cryptd is buggy as it tries to use sync_skcipher without going
through the proper sync_skcipher interface. In fact it doesn't
even need sync_skcipher since it's already a proper skcipher and
can easily access the request context instead of using something
off the stack.
Fixes: 36b3875a97b8 ("crypto: cryptd - Remove VLA usage of skcipher")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/cryptd.c | 36 +++++++++++++++++++-----------------
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index 668095eca0fa..ca3a40fc7da9 100644
--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -68,11 +68,12 @@ struct aead_instance_ctx {
struct cryptd_skcipher_ctx {
refcount_t refcnt;
- struct crypto_sync_skcipher *child;
+ struct crypto_skcipher *child;
};
struct cryptd_skcipher_request_ctx {
crypto_completion_t complete;
+ struct skcipher_request req;
};
struct cryptd_hash_ctx {
@@ -227,13 +228,13 @@ static int cryptd_skcipher_setkey(struct crypto_skcipher *parent,
const u8 *key, unsigned int keylen)
{
struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(parent);
- struct crypto_sync_skcipher *child = ctx->child;
+ struct crypto_skcipher *child = ctx->child;
- crypto_sync_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
- crypto_sync_skcipher_set_flags(child,
- crypto_skcipher_get_flags(parent) &
- CRYPTO_TFM_REQ_MASK);
- return crypto_sync_skcipher_setkey(child, key, keylen);
+ crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
+ crypto_skcipher_set_flags(child,
+ crypto_skcipher_get_flags(parent) &
+ CRYPTO_TFM_REQ_MASK);
+ return crypto_skcipher_setkey(child, key, keylen);
}
static void cryptd_skcipher_complete(struct skcipher_request *req, int err)
@@ -258,13 +259,13 @@ static void cryptd_skcipher_encrypt(struct crypto_async_request *base,
struct cryptd_skcipher_request_ctx *rctx = skcipher_request_ctx(req);
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
- struct crypto_sync_skcipher *child = ctx->child;
- SYNC_SKCIPHER_REQUEST_ON_STACK(subreq, child);
+ struct skcipher_request *subreq = &rctx->req;
+ struct crypto_skcipher *child = ctx->child;
if (unlikely(err == -EINPROGRESS))
goto out;
- skcipher_request_set_sync_tfm(subreq, child);
+ skcipher_request_set_tfm(subreq, child);
skcipher_request_set_callback(subreq, CRYPTO_TFM_REQ_MAY_SLEEP,
NULL, NULL);
skcipher_request_set_crypt(subreq, req->src, req->dst, req->cryptlen,
@@ -286,13 +287,13 @@ static void cryptd_skcipher_decrypt(struct crypto_async_request *base,
struct cryptd_skcipher_request_ctx *rctx = skcipher_request_ctx(req);
struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
- struct crypto_sync_skcipher *child = ctx->child;
- SYNC_SKCIPHER_REQUEST_ON_STACK(subreq, child);
+ struct skcipher_request *subreq = &rctx->req;
+ struct crypto_skcipher *child = ctx->child;
if (unlikely(err == -EINPROGRESS))
goto out;
- skcipher_request_set_sync_tfm(subreq, child);
+ skcipher_request_set_tfm(subreq, child);
skcipher_request_set_callback(subreq, CRYPTO_TFM_REQ_MAY_SLEEP,
NULL, NULL);
skcipher_request_set_crypt(subreq, req->src, req->dst, req->cryptlen,
@@ -343,9 +344,10 @@ static int cryptd_skcipher_init_tfm(struct crypto_skcipher *tfm)
if (IS_ERR(cipher))
return PTR_ERR(cipher);
- ctx->child = (struct crypto_sync_skcipher *)cipher;
+ ctx->child = cipher;
crypto_skcipher_set_reqsize(
- tfm, sizeof(struct cryptd_skcipher_request_ctx));
+ tfm, sizeof(struct cryptd_skcipher_request_ctx) +
+ crypto_skcipher_reqsize(cipher));
return 0;
}
@@ -353,7 +355,7 @@ static void cryptd_skcipher_exit_tfm(struct crypto_skcipher *tfm)
{
struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
- crypto_free_sync_skcipher(ctx->child);
+ crypto_free_skcipher(ctx->child);
}
static void cryptd_skcipher_free(struct skcipher_instance *inst)
@@ -931,7 +933,7 @@ struct crypto_skcipher *cryptd_skcipher_child(struct cryptd_skcipher *tfm)
{
struct cryptd_skcipher_ctx *ctx = crypto_skcipher_ctx(&tfm->base);
- return &ctx->child->base;
+ return ctx->child;
}
EXPORT_SYMBOL_GPL(cryptd_skcipher_child);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 304/783] crypto: hisilicon/qm - add missing pci_dev_put() in q_num_set()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 303/783] crypto: cryptd - Use request context instead of stack for sub-request Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 305/783] RDMA/hns: Repacing dseg_len by macros in fill_ext_sge_inl_data() Greg Kroah-Hartman
` (488 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Weili Qian,
Herbert Xu, Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit cc7710d0d4ebc6998f04035cde4f32c5ddbe9d7f ]
pci_get_device() will increase the reference count for the returned
pci_dev. We need to use pci_dev_put() to decrease the reference count
before q_num_set() returns.
Fixes: c8b4b477079d ("crypto: hisilicon - add HiSilicon HPRE accelerator")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Reviewed-by: Weili Qian <qianweili@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/hisilicon/qm.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/hisilicon/qm.h b/drivers/crypto/hisilicon/qm.h
index 0420f4ce7197..aaad3d76dc04 100644
--- a/drivers/crypto/hisilicon/qm.h
+++ b/drivers/crypto/hisilicon/qm.h
@@ -289,14 +289,14 @@ struct hisi_qp {
static inline int q_num_set(const char *val, const struct kernel_param *kp,
unsigned int device)
{
- struct pci_dev *pdev = pci_get_device(PCI_VENDOR_ID_HUAWEI,
- device, NULL);
+ struct pci_dev *pdev;
u32 n, q_num;
int ret;
if (!val)
return -EINVAL;
+ pdev = pci_get_device(PCI_VENDOR_ID_HUAWEI, device, NULL);
if (!pdev) {
q_num = min_t(u32, QM_QNUM_V1, QM_QNUM_V2);
pr_info("No device found currently, suppose queue number is %d\n",
@@ -306,6 +306,8 @@ static inline int q_num_set(const char *val, const struct kernel_param *kp,
q_num = QM_QNUM_V1;
else
q_num = QM_QNUM_V2;
+
+ pci_dev_put(pdev);
}
ret = kstrtou32(val, 10, &n);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 305/783] RDMA/hns: Repacing dseg_len by macros in fill_ext_sge_inl_data()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 304/783] crypto: hisilicon/qm - add missing pci_dev_put() in q_num_set() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 306/783] RDMA/hns: Fix ext_sge num error when post send Greg Kroah-Hartman
` (487 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luoyouming, Haoyue Xu,
Jason Gunthorpe, Sasha Levin
From: Luoyouming <luoyouming@huawei.com>
[ Upstream commit 3b1f864c904915b3baebffb31ea05ee704b0df3c ]
The sge size is known to be constant, so it's unnecessary to use sizeof to
calculate.
Link: https://lore.kernel.org/r/20220922123315.3732205-11-xuhaoyue1@hisilicon.com
Signed-off-by: Luoyouming <luoyouming@huawei.com>
Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Stable-dep-of: 8eaa6f7d569b ("RDMA/hns: Fix ext_sge num error when post send")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index 6dab03b7aca8..4836090ec817 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -159,8 +159,7 @@ static int fill_ext_sge_inl_data(struct hns_roce_qp *qp,
unsigned int *sge_idx, u32 msg_len)
{
struct ib_device *ibdev = &(to_hr_dev(qp->ibqp.device))->ib_dev;
- unsigned int dseg_len = sizeof(struct hns_roce_v2_wqe_data_seg);
- unsigned int ext_sge_sz = qp->sq.max_gs * dseg_len;
+ unsigned int ext_sge_sz = qp->sq.max_gs * HNS_ROCE_SGE_SIZE;
unsigned int left_len_in_pg;
unsigned int idx = *sge_idx;
unsigned int i = 0;
@@ -188,7 +187,7 @@ static int fill_ext_sge_inl_data(struct hns_roce_qp *qp,
if (len <= left_len_in_pg) {
memcpy(dseg, addr, len);
- idx += len / dseg_len;
+ idx += len / HNS_ROCE_SGE_SIZE;
i++;
if (i >= wr->num_sge)
@@ -203,7 +202,7 @@ static int fill_ext_sge_inl_data(struct hns_roce_qp *qp,
len -= left_len_in_pg;
addr += left_len_in_pg;
- idx += left_len_in_pg / dseg_len;
+ idx += left_len_in_pg / HNS_ROCE_SGE_SIZE;
dseg = hns_roce_get_extend_sge(qp,
idx & (qp->sge.sge_cnt - 1));
left_len_in_pg = 1 << HNS_HW_PAGE_SHIFT;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 306/783] RDMA/hns: Fix ext_sge num error when post send
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 305/783] RDMA/hns: Repacing dseg_len by macros in fill_ext_sge_inl_data() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 307/783] PCI: Check for alloc failure in pci_request_irq() Greg Kroah-Hartman
` (486 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luoyouming, Haoyue Xu,
Jason Gunthorpe, Sasha Levin
From: Luoyouming <luoyouming@huawei.com>
[ Upstream commit 8eaa6f7d569b4a22bfc1b0a3fdfeeb401feb65a4 ]
In the HNS ROCE driver, The sge is divided into standard sge and extended
sge. There are 2 standard sge in RC/XRC, and the UD standard sge is 0.
In the scenario of RC SQ inline, if the data does not exceed 32bytes, the
standard sge will be used. If it exceeds, only the extended sge will be
used to fill the data.
Currently, when filling the extended sge, max_gs is directly used as the
number of the extended sge, which did not subtract the number of standard
sge. There is a logical error. The new algorithm subtracts the number of
standard sge from max_gs to get the actual number of extended sge.
Fixes: 30b707886aeb ("RDMA/hns: Support inline data in extented sge space for RC")
Link: https://lore.kernel.org/r/20221108133847.2304539-2-xuhaoyue1@hisilicon.com
Signed-off-by: Luoyouming <luoyouming@huawei.com>
Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index 4836090ec817..e1395590edfd 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -154,20 +154,29 @@ static void set_atomic_seg(const struct ib_send_wr *wr,
V2_RC_SEND_WQE_BYTE_16_SGE_NUM_S, valid_num_sge);
}
+static unsigned int get_std_sge_num(struct hns_roce_qp *qp)
+{
+ if (qp->ibqp.qp_type == IB_QPT_GSI || qp->ibqp.qp_type == IB_QPT_UD)
+ return 0;
+
+ return HNS_ROCE_SGE_IN_WQE;
+}
+
static int fill_ext_sge_inl_data(struct hns_roce_qp *qp,
const struct ib_send_wr *wr,
unsigned int *sge_idx, u32 msg_len)
{
struct ib_device *ibdev = &(to_hr_dev(qp->ibqp.device))->ib_dev;
- unsigned int ext_sge_sz = qp->sq.max_gs * HNS_ROCE_SGE_SIZE;
unsigned int left_len_in_pg;
unsigned int idx = *sge_idx;
+ unsigned int std_sge_num;
unsigned int i = 0;
unsigned int len;
void *addr;
void *dseg;
- if (msg_len > ext_sge_sz) {
+ std_sge_num = get_std_sge_num(qp);
+ if (msg_len > (qp->sq.max_gs - std_sge_num) * HNS_ROCE_SGE_SIZE) {
ibdev_err(ibdev,
"no enough extended sge space for inline data.\n");
return -EINVAL;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 307/783] PCI: Check for alloc failure in pci_request_irq()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 306/783] RDMA/hns: Fix ext_sge num error when post send Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 308/783] RDMA/hfi: Decrease PCI device reference count in error path Greg Kroah-Hartman
` (485 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zeng Heng, Bjorn Helgaas,
Christoph Hellwig, Sasha Levin
From: Zeng Heng <zengheng4@huawei.com>
[ Upstream commit 2d9cd957d40c3ac491b358e7cff0515bb07a3a9c ]
When kvasprintf() fails to allocate memory, it returns a NULL pointer.
Return error from pci_request_irq() so we don't dereference it.
[bhelgaas: commit log]
Fixes: 704e8953d3e9 ("PCI/irq: Add pci_request_irq() and pci_free_irq() helpers")
Link: https://lore.kernel.org/r/20221121020029.3759444-1-zengheng4@huawei.com
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/irq.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pci/irq.c b/drivers/pci/irq.c
index 12ecd0aaa28d..0050e8f6814e 100644
--- a/drivers/pci/irq.c
+++ b/drivers/pci/irq.c
@@ -44,6 +44,8 @@ int pci_request_irq(struct pci_dev *dev, unsigned int nr, irq_handler_t handler,
va_start(ap, fmt);
devname = kvasprintf(GFP_KERNEL, fmt, ap);
va_end(ap);
+ if (!devname)
+ return -ENOMEM;
ret = request_threaded_irq(pci_irq_vector(dev, nr), handler, thread_fn,
irqflags, devname, dev_id);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 308/783] RDMA/hfi: Decrease PCI device reference count in error path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 307/783] PCI: Check for alloc failure in pci_request_irq() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 309/783] crypto: ccree - Make cc_debugfs_global_fini() available for module init function Greg Kroah-Hartman
` (484 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Leon Romanovsky,
Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit 9b51d072da1d27e1193e84708201c48e385ad912 ]
pci_get_device() will increase the reference count for the returned
pci_dev, and also decrease the reference count for the input parameter
*from* if it is not NULL.
If we break out the loop in node_affinity_init() with 'dev' not NULL, we
need to call pci_dev_put() to decrease the reference count. Add missing
pci_dev_put() in error path.
Fixes: c513de490f80 ("IB/hfi1: Invalid NUMA node information can cause a divide by zero")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Link: https://lore.kernel.org/r/20221117131546.113280-1-wangxiongfeng2@huawei.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hfi1/affinity.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/infiniband/hw/hfi1/affinity.c b/drivers/infiniband/hw/hfi1/affinity.c
index 04b1e8f021f6..d5a8d0173709 100644
--- a/drivers/infiniband/hw/hfi1/affinity.c
+++ b/drivers/infiniband/hw/hfi1/affinity.c
@@ -219,6 +219,8 @@ int node_affinity_init(void)
for (node = 0; node < node_affinity.num_possible_nodes; node++)
hfi1_per_node_cntr[node] = 1;
+ pci_dev_put(dev);
+
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 309/783] crypto: ccree - Make cc_debugfs_global_fini() available for module init function
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 308/783] RDMA/hfi: Decrease PCI device reference count in error path Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 310/783] RDMA/hns: fix memory leak in hns_roce_alloc_mr() Greg Kroah-Hartman
` (483 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Herbert Xu,
Sasha Levin
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 8e96729fc26c8967db45a3fb7a60387619f77a22 ]
ccree_init() calls cc_debugfs_global_fini(), the former is an init
function and the latter an exit function though.
A modular build emits:
WARNING: modpost: drivers/crypto/ccree/ccree.o: section mismatch in reference: init_module (section: .init.text) -> cc_debugfs_global_fini (section: .exit.text)
(with CONFIG_DEBUG_SECTION_MISMATCH=y).
Fixes: 4f1c596df706 ("crypto: ccree - Remove debugfs when platform_driver_register failed")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/ccree/cc_debugfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/ccree/cc_debugfs.c b/drivers/crypto/ccree/cc_debugfs.c
index 7083767602fc..8f008f024f8f 100644
--- a/drivers/crypto/ccree/cc_debugfs.c
+++ b/drivers/crypto/ccree/cc_debugfs.c
@@ -55,7 +55,7 @@ void __init cc_debugfs_global_init(void)
cc_debugfs_dir = debugfs_create_dir("ccree", NULL);
}
-void __exit cc_debugfs_global_fini(void)
+void cc_debugfs_global_fini(void)
{
debugfs_remove(cc_debugfs_dir);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 310/783] RDMA/hns: fix memory leak in hns_roce_alloc_mr()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 309/783] crypto: ccree - Make cc_debugfs_global_fini() available for module init function Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 311/783] RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed Greg Kroah-Hartman
` (482 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhengchao Shao, Leon Romanovsky,
Sasha Levin
From: Zhengchao Shao <shaozhengchao@huawei.com>
[ Upstream commit a115aa00b18f7b8982b8f458149632caf64a862a ]
When hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not
released. Compiled test only.
Fixes: 9b2cf76c9f05 ("RDMA/hns: Optimize PBL buffer allocation process")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Link: https://lore.kernel.org/r/20221119070834.48502-1-shaozhengchao@huawei.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_mr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_mr.c b/drivers/infiniband/hw/hns/hns_roce_mr.c
index 6d7cc724862f..1c342a7bd7df 100644
--- a/drivers/infiniband/hw/hns/hns_roce_mr.c
+++ b/drivers/infiniband/hw/hns/hns_roce_mr.c
@@ -456,10 +456,10 @@ struct ib_mr *hns_roce_alloc_mr(struct ib_pd *pd, enum ib_mr_type mr_type,
return &mr->ibmr;
-err_key:
- free_mr_key(hr_dev, mr);
err_pbl:
free_mr_pbl(hr_dev, mr);
+err_key:
+ free_mr_key(hr_dev, mr);
err_free:
kfree(mr);
return ERR_PTR(ret);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 311/783] RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 310/783] RDMA/hns: fix memory leak in hns_roce_alloc_mr() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 312/783] scsi: hpsa: Fix possible memory leak in hpsa_init_one() Greg Kroah-Hartman
` (481 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Xiaoxu, Jason Gunthorpe, Sasha Levin
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[ Upstream commit f67376d801499f4fa0838c18c1efcad8840e550d ]
There is a null-ptr-deref when mount.cifs over rdma:
BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]
Read of size 8 at addr 0000000000000018 by task mount.cifs/3046
CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
kasan_report+0xad/0x130
rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe]
execute_in_process_context+0x25/0x90
__rxe_cleanup+0x101/0x1d0 [rdma_rxe]
rxe_create_qp+0x16a/0x180 [rdma_rxe]
create_qp.part.0+0x27d/0x340
ib_create_qp_kernel+0x73/0x160
rdma_create_qp+0x100/0x230
_smbd_get_connection+0x752/0x20f0
smbd_get_connection+0x21/0x40
cifs_get_tcp_session+0x8ef/0xda0
mount_get_conns+0x60/0x750
cifs_mount+0x103/0xd00
cifs_smb3_do_mount+0x1dd/0xcb0
smb3_get_tree+0x1d5/0x300
vfs_get_tree+0x41/0xf0
path_mount+0x9b3/0xdd0
__x64_sys_mount+0x190/0x1d0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
The root cause of the issue is the socket create failed in
rxe_qp_init_req().
So move the reset rxe_qp_do_cleanup() after the NULL ptr check.
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://lore.kernel.org/r/20221122151437.1057671-1-zhangxiaoxu5@huawei.com
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/sw/rxe/rxe_qp.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
index 2e4b008f0387..99c1b3553e6e 100644
--- a/drivers/infiniband/sw/rxe/rxe_qp.c
+++ b/drivers/infiniband/sw/rxe/rxe_qp.c
@@ -812,12 +812,12 @@ static void rxe_qp_do_cleanup(struct work_struct *work)
qp->resp.mr = NULL;
}
- if (qp_type(qp) == IB_QPT_RC)
- sk_dst_reset(qp->sk->sk);
-
free_rd_atomic_resources(qp);
if (qp->sk) {
+ if (qp_type(qp) == IB_QPT_RC)
+ sk_dst_reset(qp->sk->sk);
+
kernel_sock_shutdown(qp->sk, SHUT_RDWR);
sock_release(qp->sk);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 312/783] scsi: hpsa: Fix possible memory leak in hpsa_init_one()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 311/783] RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 313/783] crypto: tcrypt - Fix multibuffer skcipher speed test mem leak Greg Kroah-Hartman
` (480 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Can, Ming Lei,
Martin K. Petersen, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit 9c9ff300e0de07475796495d86f449340d454a0c ]
The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in
hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to
clean1 directly, which frees h and leaks the h->reply_map.
Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead
free h directly.
Fixes: 8b834bff1b73 ("scsi: hpsa: fix selection of reply queue")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221122015751.87284-1-yuancan@huawei.com
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hpsa.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index 8df70c92911d..cd78d77911cd 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -8904,7 +8904,7 @@ static int hpsa_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
destroy_workqueue(h->monitor_ctlr_wq);
h->monitor_ctlr_wq = NULL;
}
- kfree(h);
+ hpda_free_ctlr_info(h);
return rc;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 313/783] crypto: tcrypt - Fix multibuffer skcipher speed test mem leak
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 312/783] scsi: hpsa: Fix possible memory leak in hpsa_init_one() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 314/783] padata: Always leave BHs disabled when running ->parallel() Greg Kroah-Hartman
` (479 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Yiqun, Herbert Xu, Sasha Levin
From: Zhang Yiqun <zhangyiqun@phytium.com.cn>
[ Upstream commit 1aa33fc8d4032227253ceb736f47c52b859d9683 ]
In the past, the data for mb-skcipher test has been allocated
twice, that means the first allcated memory area is without
free, which may cause a potential memory leakage. So this
patch is to remove one allocation to fix this error.
Fixes: e161c5930c15 ("crypto: tcrypt - add multibuf skcipher...")
Signed-off-by: Zhang Yiqun <zhangyiqun@phytium.com.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
crypto/tcrypt.c | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/crypto/tcrypt.c b/crypto/tcrypt.c
index 8609174e036e..7972d2784b3b 100644
--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -1282,15 +1282,6 @@ static void test_mb_skcipher_speed(const char *algo, int enc, int secs,
goto out_free_tfm;
}
-
- for (i = 0; i < num_mb; ++i)
- if (testmgr_alloc_buf(data[i].xbuf)) {
- while (i--)
- testmgr_free_buf(data[i].xbuf);
- goto out_free_tfm;
- }
-
-
for (i = 0; i < num_mb; ++i) {
data[i].req = skcipher_request_alloc(tfm, GFP_KERNEL);
if (!data[i].req) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 314/783] padata: Always leave BHs disabled when running ->parallel()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 313/783] crypto: tcrypt - Fix multibuffer skcipher speed test mem leak Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 315/783] padata: Fix list iterator in padata_do_serial() Greg Kroah-Hartman
` (478 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+bc05445bc14148d51915,
Daniel Jordan, Steffen Klassert, Herbert Xu, Sasha Levin
From: Daniel Jordan <daniel.m.jordan@oracle.com>
[ Upstream commit 34c3a47d20ae55b3600fed733bf96eafe9c500d5 ]
A deadlock can happen when an overloaded system runs ->parallel() in the
context of the current task:
padata_do_parallel
->parallel()
pcrypt_aead_enc/dec
padata_do_serial
spin_lock(&reorder->lock) // BHs still enabled
<interrupt>
...
__do_softirq
...
padata_do_serial
spin_lock(&reorder->lock)
It's a bug for BHs to be on in _do_serial as Steffen points out, so
ensure they're off in the "current task" case like they are in
padata_parallel_worker to avoid this situation.
Reported-by: syzbot+bc05445bc14148d51915@syzkaller.appspotmail.com
Fixes: 4611ce224688 ("padata: allocate work structures for parallel jobs from a pool")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/padata.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index d4d3ba6e1728..4d31a69a9b38 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -220,14 +220,16 @@ int padata_do_parallel(struct padata_shell *ps,
pw = padata_work_alloc();
spin_unlock(&padata_works_lock);
+ if (!pw) {
+ /* Maximum works limit exceeded, run in the current task. */
+ padata->parallel(padata);
+ }
+
rcu_read_unlock_bh();
if (pw) {
padata_work_init(pw, padata_parallel_worker, padata, 0);
queue_work(pinst->parallel_wq, &pw->pw_work);
- } else {
- /* Maximum works limit exceeded, run in the current task. */
- padata->parallel(padata);
}
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 315/783] padata: Fix list iterator in padata_do_serial()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 314/783] padata: Always leave BHs disabled when running ->parallel() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 316/783] scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add() Greg Kroah-Hartman
` (477 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Jordan, Herbert Xu, Sasha Levin
From: Daniel Jordan <daniel.m.jordan@oracle.com>
[ Upstream commit 57ddfecc72a6c9941d159543e1c0c0a74fe9afdd ]
list_for_each_entry_reverse() assumes that the iterated list is nonempty
and that every list_head is embedded in the same type, but its use in
padata_do_serial() breaks both rules.
This doesn't cause any issues now because padata_priv and padata_list
happen to have their list fields at the same offset, but we really
shouldn't be relying on that.
Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/padata.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/kernel/padata.c b/kernel/padata.c
index 4d31a69a9b38..11ca3ebd8b12 100644
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -403,13 +403,16 @@ void padata_do_serial(struct padata_priv *padata)
int hashed_cpu = padata_cpu_hash(pd, padata->seq_nr);
struct padata_list *reorder = per_cpu_ptr(pd->reorder_list, hashed_cpu);
struct padata_priv *cur;
+ struct list_head *pos;
spin_lock(&reorder->lock);
/* Sort in ascending order of sequence number. */
- list_for_each_entry_reverse(cur, &reorder->list, list)
+ list_for_each_prev(pos, &reorder->list) {
+ cur = list_entry(pos, struct padata_priv, list);
if (cur->seq_nr < padata->seq_nr)
break;
- list_add(&padata->list, &cur->list);
+ }
+ list_add(&padata->list, pos);
spin_unlock(&reorder->lock);
/*
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 316/783] scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 315/783] padata: Fix list iterator in padata_do_serial() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 317/783] scsi: hpsa: Fix error handling in hpsa_add_sas_host() Greg Kroah-Hartman
` (476 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Martin K. Petersen,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 78316e9dfc24906dd474630928ed1d3c562b568e ]
In mpt3sas_transport_port_add(), if sas_rphy_add() returns error,
sas_rphy_free() needs be called to free the resource allocated in
sas_end_device_alloc(). Otherwise a kernel crash will happen:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108
CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : device_del+0x54/0x3d0
lr : device_del+0x37c/0x3d0
Call trace:
device_del+0x54/0x3d0
attribute_container_class_device_del+0x28/0x38
transport_remove_classdev+0x6c/0x80
attribute_container_device_trigger+0x108/0x110
transport_remove_device+0x28/0x38
sas_rphy_remove+0x50/0x78 [scsi_transport_sas]
sas_port_delete+0x30/0x148 [scsi_transport_sas]
do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
device_for_each_child+0x68/0xb0
sas_remove_children+0x30/0x50 [scsi_transport_sas]
sas_rphy_remove+0x38/0x78 [scsi_transport_sas]
sas_port_delete+0x30/0x148 [scsi_transport_sas]
do_sas_phy_delete+0x78/0x80 [scsi_transport_sas]
device_for_each_child+0x68/0xb0
sas_remove_children+0x30/0x50 [scsi_transport_sas]
sas_remove_host+0x20/0x38 [scsi_transport_sas]
scsih_remove+0xd8/0x420 [mpt3sas]
Because transport_add_device() is not called when sas_rphy_add() fails, the
device is not added. When sas_rphy_remove() is subsequently called to
remove the device in the remove() path, a NULL pointer dereference happens.
Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221109032403.1636422-1-yangyingliang@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/mpt3sas/mpt3sas_transport.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
index 6ec5b7f33dfd..b58f4d9c296a 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
@@ -712,6 +712,8 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
if ((sas_rphy_add(rphy))) {
ioc_err(ioc, "failure at %s:%d/%s()!\n",
__FILE__, __LINE__, __func__);
+ sas_rphy_free(rphy);
+ rphy = NULL;
}
if (mpt3sas_port->remote_identify.device_type == SAS_END_DEVICE) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 317/783] scsi: hpsa: Fix error handling in hpsa_add_sas_host()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 316/783] scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 318/783] scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() Greg Kroah-Hartman
` (475 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Martin K. Petersen,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 4ef174a3ad9b5d73c1b6573e244ebba2b0d86eac ]
hpsa_sas_port_add_phy() does:
...
sas_phy_add() -> may return error here
sas_port_add_phy()
...
Whereas hpsa_free_sas_phy() does:
...
sas_port_delete_phy()
sas_phy_delete()
...
If hpsa_sas_port_add_phy() returns an error, hpsa_free_sas_phy() can not be
called to free the memory because the port and the phy have not been added
yet.
Replace hpsa_free_sas_phy() with sas_phy_free() and kfree() to avoid kernel
crash in this case.
Fixes: d04e62b9d63a ("hpsa: add in sas transport class")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221110151129.394389-1-yangyingliang@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hpsa.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index cd78d77911cd..48be84b4e95c 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -9764,7 +9764,8 @@ static int hpsa_add_sas_host(struct ctlr_info *h)
return 0;
free_sas_phy:
- hpsa_free_sas_phy(hpsa_sas_phy);
+ sas_phy_free(hpsa_sas_phy->phy);
+ kfree(hpsa_sas_phy);
free_sas_port:
hpsa_free_sas_port(hpsa_sas_port);
free_sas_node:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 318/783] scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 317/783] scsi: hpsa: Fix error handling in hpsa_add_sas_host() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 319/783] scsi: scsi_debug: Fix a warning in resp_verify() Greg Kroah-Hartman
` (474 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Martin K. Petersen,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit fda34a5d304d0b98cc967e8763b52221b66dc202 ]
If hpsa_sas_port_add_rphy() returns an error, the 'rphy' allocated in
sas_end_device_alloc() needs to be freed. Address this by calling
sas_rphy_free() in the error path.
Fixes: d04e62b9d63a ("hpsa: add in sas transport class")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221111043012.1074466-1-yangyingliang@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hpsa.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index 48be84b4e95c..b2d4b6c78b5c 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -9801,10 +9801,12 @@ static int hpsa_add_sas_device(struct hpsa_sas_node *hpsa_sas_node,
rc = hpsa_sas_port_add_rphy(hpsa_sas_port, rphy);
if (rc)
- goto free_sas_port;
+ goto free_sas_rphy;
return 0;
+free_sas_rphy:
+ sas_rphy_free(rphy);
free_sas_port:
hpsa_free_sas_port(hpsa_sas_port);
device->sas_port = NULL;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 319/783] scsi: scsi_debug: Fix a warning in resp_verify()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 318/783] scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 320/783] scsi: scsi_debug: Fix a warning in resp_report_zones() Greg Kroah-Hartman
` (473 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harshit Mogalapalli,
Martin K. Petersen, Sasha Levin
From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
[ Upstream commit ed0f17b748b20271cb568c7ca0b23b120316a47d ]
As 'vnum' is controlled by user, so if user tries to allocate memory larger
than(>=) MAX_ORDER, then kcalloc() will fail, it creates a stack trace and
messes up dmesg with a warning.
Add __GFP_NOWARN in order to avoid too large allocation warning. This is
detected by static analysis using smatch.
Fixes: c3e2fe9222d4 ("scsi: scsi_debug: Implement VERIFY(10), add VERIFY(16)")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Link: https://lore.kernel.org/r/20221112070031.2121068-1-harshit.m.mogalapalli@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index 110d0e7f9413..cdbcb5eaf279 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -4275,7 +4275,7 @@ static int resp_verify(struct scsi_cmnd *scp, struct sdebug_dev_info *devip)
if (ret)
return ret;
- arr = kcalloc(lb_size, vnum, GFP_ATOMIC);
+ arr = kcalloc(lb_size, vnum, GFP_ATOMIC | __GFP_NOWARN);
if (!arr) {
mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
INSUFF_RES_ASCQ);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 320/783] scsi: scsi_debug: Fix a warning in resp_report_zones()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 319/783] scsi: scsi_debug: Fix a warning in resp_verify() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 321/783] scsi: fcoe: Fix possible name leak when device_register() fails Greg Kroah-Hartman
` (472 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harshit Mogalapalli,
Martin K. Petersen, Sasha Levin
From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
[ Upstream commit 07f2ca139d9a7a1ba71c4c03997c8de161db2346 ]
As 'alloc_len' is user controlled data, if user tries to allocate memory
larger than(>=) MAX_ORDER, then kcalloc() will fail, it creates a stack
trace and messes up dmesg with a warning.
Add __GFP_NOWARN in order to avoid too large allocation warning. This is
detected by static analysis using smatch.
Fixes: 7db0e0c8190a ("scsi: scsi_debug: Fix buffer size of REPORT ZONES command")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Link: https://lore.kernel.org/r/20221112070612.2121535-1-harshit.m.mogalapalli@oracle.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_debug.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index cdbcb5eaf279..bd63357f439d 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -4346,7 +4346,7 @@ static int resp_report_zones(struct scsi_cmnd *scp,
rep_max_zones = min((alloc_len - 64) >> ilog2(RZONES_DESC_HD),
max_zones);
- arr = kzalloc(alloc_len, GFP_ATOMIC);
+ arr = kzalloc(alloc_len, GFP_ATOMIC | __GFP_NOWARN);
if (!arr) {
mk_sense_buffer(scp, ILLEGAL_REQUEST, INSUFF_RES_ASC,
INSUFF_RES_ASCQ);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 321/783] scsi: fcoe: Fix possible name leak when device_register() fails
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 320/783] scsi: scsi_debug: Fix a warning in resp_report_zones() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 322/783] scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper() Greg Kroah-Hartman
` (471 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Martin K. Petersen,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 47b6a122c7b69a876c7ee2fc064a26b09627de9d ]
If device_register() returns an error, the name allocated by dev_set_name()
needs to be freed. As the comment of device_register() says, one should use
put_device() to give up the reference in the error path. Fix this by
calling put_device(), then the name can be freed in kobject_cleanup().
The 'fcf' is freed in fcoe_fcf_device_release(), so the kfree() in the
error path can be removed.
The 'ctlr' is freed in fcoe_ctlr_device_release(), so don't use the error
label, just return NULL after calling put_device().
Fixes: 9a74e884ee71 ("[SCSI] libfcoe: Add fcoe_sysfs")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221112094310.3633291-1-yangyingliang@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/fcoe/fcoe_sysfs.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c
index ffef2c8eddc6..68d8027d5108 100644
--- a/drivers/scsi/fcoe/fcoe_sysfs.c
+++ b/drivers/scsi/fcoe/fcoe_sysfs.c
@@ -830,14 +830,15 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent,
dev_set_name(&ctlr->dev, "ctlr_%d", ctlr->id);
error = device_register(&ctlr->dev);
- if (error)
- goto out_del_q2;
+ if (error) {
+ destroy_workqueue(ctlr->devloss_work_q);
+ destroy_workqueue(ctlr->work_q);
+ put_device(&ctlr->dev);
+ return NULL;
+ }
return ctlr;
-out_del_q2:
- destroy_workqueue(ctlr->devloss_work_q);
- ctlr->devloss_work_q = NULL;
out_del_q:
destroy_workqueue(ctlr->work_q);
ctlr->work_q = NULL;
@@ -1036,16 +1037,16 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr,
fcf->selected = new_fcf->selected;
error = device_register(&fcf->dev);
- if (error)
- goto out_del;
+ if (error) {
+ put_device(&fcf->dev);
+ goto out;
+ }
fcf->state = FCOE_FCF_STATE_CONNECTED;
list_add_tail(&fcf->peers, &ctlr->fcfs);
return fcf;
-out_del:
- kfree(fcf);
out:
return NULL;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 322/783] scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 321/783] scsi: fcoe: Fix possible name leak when device_register() fails Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 323/783] scsi: ipr: Fix WARNING in ipr_init() Greg Kroah-Hartman
` (470 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Martin K. Petersen,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit e6d773f93a49e0eda88a903a2a6542ca83380eb1 ]
Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id
string array"), the name of device is allocated dynamically, it needs be
freed when device_register() returns error.
As comment of device_register() says, one should use put_device() to give
up the reference in the error path. Fix this by calling put_device(), then
the name can be freed in kobject_cleanup(), and sdbg_host is freed in
sdebug_release_adapter().
When the device release is not set, it means the device is not initialized.
We can not call put_device() in this case. Use kfree() to free memory.
Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221112131010.3757845-1-yangyingliang@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/scsi_debug.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
index bd63357f439d..7cfc6db81763 100644
--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -7103,7 +7103,10 @@ static int sdebug_add_host_helper(int per_host_idx)
kfree(sdbg_devinfo->zstate);
kfree(sdbg_devinfo);
}
- kfree(sdbg_host);
+ if (sdbg_host->dev.release)
+ put_device(&sdbg_host->dev);
+ else
+ kfree(sdbg_host);
pr_warn("%s: failed, errno=%d\n", __func__, -error);
return error;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 323/783] scsi: ipr: Fix WARNING in ipr_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 322/783] scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 324/783] scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails Greg Kroah-Hartman
` (469 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Martin K. Petersen,
Sasha Levin
From: Shang XiaoJing <shangxiaojing@huawei.com>
[ Upstream commit e6f108bffc3708ddcff72324f7d40dfcd0204894 ]
ipr_init() will not call unregister_reboot_notifier() when
pci_register_driver() fails, which causes a WARNING. Call
unregister_reboot_notifier() when pci_register_driver() fails.
notifier callback ipr_halt [ipr] already registered
WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29
notifier_chain_register+0x16d/0x230
Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore
led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm
drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks
agpgart cfbft
CPU: 3 PID: 299 Comm: modprobe Tainted: G W
6.1.0-rc1-00190-g39508d23b672-dirty #332
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:notifier_chain_register+0x16d/0x230
Call Trace:
<TASK>
__blocking_notifier_chain_register+0x73/0xb0
ipr_init+0x30/0x1000 [ipr]
do_one_initcall+0xdb/0x480
do_init_module+0x1cf/0x680
load_module+0x6a50/0x70a0
__do_sys_finit_module+0x12f/0x1c0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fixes: f72919ec2bbb ("[SCSI] ipr: implement shutdown changes and remove obsolete write cache parameter")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Link: https://lore.kernel.org/r/20221113064513.14028-1-shangxiaojing@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ipr.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index 90e8a538b078..a5e6fbd86ad4 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -10870,11 +10870,19 @@ static struct notifier_block ipr_notifier = {
**/
static int __init ipr_init(void)
{
+ int rc;
+
ipr_info("IBM Power RAID SCSI Device Driver version: %s %s\n",
IPR_DRIVER_VERSION, IPR_DRIVER_DATE);
register_reboot_notifier(&ipr_notifier);
- return pci_register_driver(&ipr_driver);
+ rc = pci_register_driver(&ipr_driver);
+ if (rc) {
+ unregister_reboot_notifier(&ipr_notifier);
+ return rc;
+ }
+
+ return 0;
}
/**
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 324/783] scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 323/783] scsi: ipr: Fix WARNING in ipr_init() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 325/783] scsi: snic: Fix possible UAF in snic_tgt_create() Greg Kroah-Hartman
` (468 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Martin K. Petersen,
Sasha Levin
From: Chen Zhongjin <chenzhongjin@huawei.com>
[ Upstream commit 4155658cee394b22b24c6d64e49247bf26d95b92 ]
fcoe_init() calls fcoe_transport_attach(&fcoe_sw_transport), but when
fcoe_if_init() fails, &fcoe_sw_transport is not detached and leaves freed
&fcoe_sw_transport on fcoe_transports list. This causes panic when
reinserting module.
BUG: unable to handle page fault for address: fffffbfff82e2213
RIP: 0010:fcoe_transport_attach+0xe1/0x230 [libfcoe]
Call Trace:
<TASK>
do_one_initcall+0xd0/0x4e0
load_module+0x5eee/0x7210
...
Fixes: 78a582463c1e ("[SCSI] fcoe: convert fcoe.ko to become an fcoe transport provider driver")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Link: https://lore.kernel.org/r/20221115092442.133088-1-chenzhongjin@huawei.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/fcoe/fcoe.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/fcoe/fcoe.c b/drivers/scsi/fcoe/fcoe.c
index 0f9274960dc6..30afcbbe1f86 100644
--- a/drivers/scsi/fcoe/fcoe.c
+++ b/drivers/scsi/fcoe/fcoe.c
@@ -2504,6 +2504,7 @@ static int __init fcoe_init(void)
out_free:
mutex_unlock(&fcoe_config_mutex);
+ fcoe_transport_detach(&fcoe_sw_transport);
out_destroy:
destroy_workqueue(fcoe_wq);
return rc;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 325/783] scsi: snic: Fix possible UAF in snic_tgt_create()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 324/783] scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 326/783] RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps() Greg Kroah-Hartman
` (467 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Narsimhulu Musini,
Martin K. Petersen, Sasha Levin
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit e118df492320176af94deec000ae034cc92be754 ]
Smatch reports a warning as follows:
drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn:
'&tgt->list' not removed from list
If device_add() fails in snic_tgt_create(), tgt will be freed, but
tgt->list will not be removed from snic->disc.tgt_list, then list traversal
may cause UAF.
Remove from snic->disc.tgt_list before free().
Fixes: c8806b6c9e82 ("snic: driver for Cisco SCSI HBA")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221117035100.2944812-1-cuigaosheng1@huawei.com
Acked-by: Narsimhulu Musini <nmusini@cisco.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/snic/snic_disc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/snic/snic_disc.c b/drivers/scsi/snic/snic_disc.c
index e9ccfb97773f..7cf871323b2c 100644
--- a/drivers/scsi/snic/snic_disc.c
+++ b/drivers/scsi/snic/snic_disc.c
@@ -318,6 +318,9 @@ snic_tgt_create(struct snic *snic, struct snic_tgt_id *tgtid)
ret);
put_device(&snic->shost->shost_gendev);
+ spin_lock_irqsave(snic->shost->host_lock, flags);
+ list_del(&tgt->list);
+ spin_unlock_irqrestore(snic->shost->host_lock, flags);
kfree(tgt);
tgt = NULL;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 326/783] RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 325/783] scsi: snic: Fix possible UAF in snic_tgt_create() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 327/783] f2fs: avoid victim selection from previous victim section Greg Kroah-Hartman
` (466 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Can, Leon Romanovsky, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit ea5ef136e215fdef35f14010bc51fcd6686e6922 ]
As the nla_nest_start() may fail with NULL returned, the return value needs
to be checked.
Fixes: c4ffee7c9bdb ("RDMA/netlink: Implement counter dumpit calback")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221126043410.85632-1-yuancan@huawei.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/nldev.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
index f7689bc10d14..78534340d282 100644
--- a/drivers/infiniband/core/nldev.c
+++ b/drivers/infiniband/core/nldev.c
@@ -754,6 +754,8 @@ static int fill_stat_counter_qps(struct sk_buff *msg,
int ret = 0;
table_attr = nla_nest_start(msg, RDMA_NLDEV_ATTR_RES_QP);
+ if (!table_attr)
+ return -EMSGSIZE;
rt = &counter->device->res[RDMA_RESTRACK_QP];
xa_lock(&rt->xa);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 327/783] f2fs: avoid victim selection from previous victim section
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 326/783] RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 328/783] RDMA/nldev: Fix failure to send large messages Greg Kroah-Hartman
` (465 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yonggil Song, Chao Yu, Jaegeuk Kim,
Sasha Levin
From: Yonggil Song <yonggil.song@samsung.com>
[ Upstream commit e219aecfd4b766c4e878a3769057e9809f7fcadc ]
When f2fs chooses GC victim in large section & LFS mode,
next_victim_seg[gc_type] is referenced first. After segment is freed,
next_victim_seg[gc_type] has the next segment number.
However, next_victim_seg[gc_type] still has the last segment number
even after the last segment of section is freed. In this case, when f2fs
chooses a victim for the next GC round, the last segment of previous victim
section is chosen as a victim.
Initialize next_victim_seg[gc_type] to NULL_SEGNO for the last segment in
large section.
Fixes: e3080b0120a1 ("f2fs: support subsectional garbage collection")
Signed-off-by: Yonggil Song <yonggil.song@samsung.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/f2fs/gc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index 5ac0b605335f..89156568a4fb 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1649,8 +1649,9 @@ static int do_garbage_collect(struct f2fs_sb_info *sbi,
get_valid_blocks(sbi, segno, false) == 0)
seg_freed++;
- if (__is_large_section(sbi) && segno + 1 < end_segno)
- sbi->next_victim_seg[gc_type] = segno + 1;
+ if (__is_large_section(sbi))
+ sbi->next_victim_seg[gc_type] =
+ (segno + 1 < end_segno) ? segno + 1 : NULL_SEGNO;
skip:
f2fs_put_page(sum_page, 0);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 328/783] RDMA/nldev: Fix failure to send large messages
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 327/783] f2fs: avoid victim selection from previous victim section Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 329/783] crypto: amlogic - Remove kcalloc without check Greg Kroah-Hartman
` (464 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Zhang, Patrisious Haddad,
Leon Romanovsky, Sasha Levin
From: Mark Zhang <markzhang@nvidia.com>
[ Upstream commit fc8f93ad3e5485d45c992233c96acd902992dfc4 ]
Return "-EMSGSIZE" instead of "-EINVAL" when filling a QP entry, so that
new SKBs will be allocated if there's not enough room in current SKB.
Fixes: 65959522f806 ("RDMA: Add support to dump resource tracker in RAW format")
Signed-off-by: Mark Zhang <markzhang@nvidia.com>
Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
Link: https://lore.kernel.org/r/b5e9c62f6b8369acab5648b661bf539cbceeffdc.1669636336.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/nldev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
index 78534340d282..f7f80707af4b 100644
--- a/drivers/infiniband/core/nldev.c
+++ b/drivers/infiniband/core/nldev.c
@@ -502,7 +502,7 @@ static int fill_res_qp_entry(struct sk_buff *msg, bool has_cap_net_admin,
/* In create_qp() port is not set yet */
if (qp->port && nla_put_u32(msg, RDMA_NLDEV_ATTR_PORT_INDEX, qp->port))
- return -EINVAL;
+ return -EMSGSIZE;
ret = nla_put_u32(msg, RDMA_NLDEV_ATTR_RES_LQPN, qp->qp_num);
if (ret)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 329/783] crypto: amlogic - Remove kcalloc without check
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 328/783] RDMA/nldev: Fix failure to send large messages Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 330/783] crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe() Greg Kroah-Hartman
` (463 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Herbert Xu, Sasha Levin
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 3d780c8a9850ad60dee47a8d971ba7888f3d1bd3 ]
There is no real point in allocating dedicated memory for the irqs array.
MAXFLOW is only 2, so it is easier to allocated the needed space
directly within the 'meson_dev' structure.
This saves some memory allocation and avoids an indirection when using the
irqs array.
Fixes: 48fe583fe541 ("crypto: amlogic - Add crypto accelerator...")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/amlogic/amlogic-gxl-core.c | 1 -
drivers/crypto/amlogic/amlogic-gxl.h | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/crypto/amlogic/amlogic-gxl-core.c b/drivers/crypto/amlogic/amlogic-gxl-core.c
index 5bbeff433c8c..7a5cf1122af9 100644
--- a/drivers/crypto/amlogic/amlogic-gxl-core.c
+++ b/drivers/crypto/amlogic/amlogic-gxl-core.c
@@ -240,7 +240,6 @@ static int meson_crypto_probe(struct platform_device *pdev)
return err;
}
- mc->irqs = devm_kcalloc(mc->dev, MAXFLOW, sizeof(int), GFP_KERNEL);
for (i = 0; i < MAXFLOW; i++) {
mc->irqs[i] = platform_get_irq(pdev, i);
if (mc->irqs[i] < 0)
diff --git a/drivers/crypto/amlogic/amlogic-gxl.h b/drivers/crypto/amlogic/amlogic-gxl.h
index dc0f142324a3..8c0746a1d6d4 100644
--- a/drivers/crypto/amlogic/amlogic-gxl.h
+++ b/drivers/crypto/amlogic/amlogic-gxl.h
@@ -95,7 +95,7 @@ struct meson_dev {
struct device *dev;
struct meson_flow *chanlist;
atomic_t flow;
- int *irqs;
+ int irqs[MAXFLOW];
#ifdef CONFIG_CRYPTO_DEV_AMLOGIC_GXL_DEBUG
struct dentry *dbgfs_dir;
#endif
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 330/783] crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 329/783] crypto: amlogic - Remove kcalloc without check Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 331/783] riscv/mm: add arch hook arch_clear_hugepage_flags Greg Kroah-Hartman
` (462 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Mark Greer,
Herbert Xu, Sasha Levin
From: Shang XiaoJing <shangxiaojing@huawei.com>
[ Upstream commit 7bcceb4c9896b1b672b636ae70fe75110d6bf1ad ]
omap_sham_probe() calls pm_runtime_get_sync() and calls
pm_runtime_put_sync() latter to put usage_counter. However,
pm_runtime_get_sync() will increment usage_counter even it failed. Fix
it by replacing it with pm_runtime_resume_and_get() to keep usage
counter balanced.
Fixes: b359f034c8bf ("crypto: omap-sham - Convert to use pm_runtime API")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Acked-by: Mark Greer <mgreer@animalcreek.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/omap-sham.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c
index 48f78e34cf8d..5a57617441b8 100644
--- a/drivers/crypto/omap-sham.c
+++ b/drivers/crypto/omap-sham.c
@@ -2130,7 +2130,7 @@ static int omap_sham_probe(struct platform_device *pdev)
pm_runtime_enable(dev);
pm_runtime_irq_safe(dev);
- err = pm_runtime_get_sync(dev);
+ err = pm_runtime_resume_and_get(dev);
if (err < 0) {
dev_err(dev, "failed to get sync: %d\n", err);
goto err_pm;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 331/783] riscv/mm: add arch hook arch_clear_hugepage_flags
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 330/783] crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 332/783] RDMA/hfi1: Fix error return code in parse_platform_config() Greg Kroah-Hartman
` (461 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tong Tiangen, Palmer Dabbelt, Sasha Levin
From: Tong Tiangen <tongtiangen@huawei.com>
[ Upstream commit d8bf77a1dc3079692f54be3087a5fd16d90027b0 ]
With the PG_arch_1 we keep track if the page's data cache is clean,
architecture rely on this property to treat new pages as dirty with
respect to the data cache and perform the flushing before mapping the pages
into userspace.
This patch adds a new architecture hook, arch_clear_hugepage_flags,so that
architectures which rely on the page flags being in a particular state for
fresh allocations can adjust the flags accordingly when a page is freed
into the pool.
Fixes: 9e953cda5cdf ("riscv: Introduce huge page support for 32/64bit kernel")
Signed-off-by: Tong Tiangen <tongtiangen@huawei.com>
Link: https://lore.kernel.org/r/20221024094725.3054311-3-tongtiangen@huawei.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/include/asm/hugetlb.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/riscv/include/asm/hugetlb.h b/arch/riscv/include/asm/hugetlb.h
index a5c2ca1d1cd8..ec19d6afc896 100644
--- a/arch/riscv/include/asm/hugetlb.h
+++ b/arch/riscv/include/asm/hugetlb.h
@@ -5,4 +5,10 @@
#include <asm-generic/hugetlb.h>
#include <asm/page.h>
+static inline void arch_clear_hugepage_flags(struct page *page)
+{
+ clear_bit(PG_dcache_clean, &page->flags);
+}
+#define arch_clear_hugepage_flags arch_clear_hugepage_flags
+
#endif /* _ASM_RISCV_HUGETLB_H */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 332/783] RDMA/hfi1: Fix error return code in parse_platform_config()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 331/783] riscv/mm: add arch hook arch_clear_hugepage_flags Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 333/783] RDMA/srp: Fix error return code in srp_parse_options() Greg Kroah-Hartman
` (460 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Yufen, Leon Romanovsky, Sasha Levin
From: Wang Yufen <wangyufen@huawei.com>
[ Upstream commit 725349f8ba1e78a146c6ff8f3ee5e2712e517106 ]
In the previous iteration of the while loop, the "ret" may have been
assigned a value of 0, so the error return code -EINVAL may have been
incorrectly set to 0. To fix set valid return code before calling to
goto.
Fixes: 97167e813415 ("staging/rdma/hfi1: Tune for unknown channel if configuration file is absent")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Link: https://lore.kernel.org/r/1669953638-11747-1-git-send-email-wangyufen@huawei.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hfi1/firmware.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/infiniband/hw/hfi1/firmware.c b/drivers/infiniband/hw/hfi1/firmware.c
index 2cf102b5abd4..f3e64c850aa5 100644
--- a/drivers/infiniband/hw/hfi1/firmware.c
+++ b/drivers/infiniband/hw/hfi1/firmware.c
@@ -1786,6 +1786,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
if (!dd->platform_config.data) {
dd_dev_err(dd, "%s: Missing config file\n", __func__);
+ ret = -EINVAL;
goto bail;
}
ptr = (u32 *)dd->platform_config.data;
@@ -1794,6 +1795,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
ptr++;
if (magic_num != PLATFORM_CONFIG_MAGIC_NUM) {
dd_dev_err(dd, "%s: Bad config file\n", __func__);
+ ret = -EINVAL;
goto bail;
}
@@ -1817,6 +1819,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
if (file_length > dd->platform_config.size) {
dd_dev_info(dd, "%s:File claims to be larger than read size\n",
__func__);
+ ret = -EINVAL;
goto bail;
} else if (file_length < dd->platform_config.size) {
dd_dev_info(dd,
@@ -1837,6 +1840,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
dd_dev_err(dd, "%s: Failed validation at offset %ld\n",
__func__, (ptr - (u32 *)
dd->platform_config.data));
+ ret = -EINVAL;
goto bail;
}
@@ -1880,6 +1884,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
__func__, table_type,
(ptr - (u32 *)
dd->platform_config.data));
+ ret = -EINVAL;
goto bail; /* We don't trust this file now */
}
pcfgcache->config_tables[table_type].table = ptr;
@@ -1899,6 +1904,7 @@ int parse_platform_config(struct hfi1_devdata *dd)
__func__, table_type,
(ptr -
(u32 *)dd->platform_config.data));
+ ret = -EINVAL;
goto bail; /* We don't trust this file now */
}
pcfgcache->config_tables[table_type].table_metadata =
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 333/783] RDMA/srp: Fix error return code in srp_parse_options()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 332/783] RDMA/hfi1: Fix error return code in parse_platform_config() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 334/783] orangefs: Fix sysfs not cleanup when dev init failed Greg Kroah-Hartman
` (459 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Yufen, Bart Van Assche,
Leon Romanovsky, Sasha Levin
From: Wang Yufen <wangyufen@huawei.com>
[ Upstream commit ed461b30b22c8fa85c25189c14cb89f29595cd14 ]
In the previous iteration of the while loop, the "ret" may have been
assigned a value of 0, so the error return code -EINVAL may have been
incorrectly set to 0. To fix set valid return code before calling to
goto. Also investigate each case separately as Andy suggessted.
Fixes: e711f968c49c ("IB/srp: replace custom implementation of hex2bin()")
Fixes: 2a174df0c602 ("IB/srp: Use kstrtoull() instead of simple_strtoull()")
Fixes: 19f313438c77 ("IB/srp: Add RDMA/CM support")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Link: https://lore.kernel.org/r/1669953638-11747-2-git-send-email-wangyufen@huawei.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/srp/ib_srp.c | 96 ++++++++++++++++++++++++-----
1 file changed, 82 insertions(+), 14 deletions(-)
diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c
index b4ccb333a834..adbd56af379f 100644
--- a/drivers/infiniband/ulp/srp/ib_srp.c
+++ b/drivers/infiniband/ulp/srp/ib_srp.c
@@ -3397,7 +3397,8 @@ static int srp_parse_options(struct net *net, const char *buf,
break;
case SRP_OPT_PKEY:
- if (match_hex(args, &token)) {
+ ret = match_hex(args, &token);
+ if (ret) {
pr_warn("bad P_Key parameter '%s'\n", p);
goto out;
}
@@ -3457,7 +3458,8 @@ static int srp_parse_options(struct net *net, const char *buf,
break;
case SRP_OPT_MAX_SECT:
- if (match_int(args, &token)) {
+ ret = match_int(args, &token);
+ if (ret) {
pr_warn("bad max sect parameter '%s'\n", p);
goto out;
}
@@ -3465,8 +3467,15 @@ static int srp_parse_options(struct net *net, const char *buf,
break;
case SRP_OPT_QUEUE_SIZE:
- if (match_int(args, &token) || token < 1) {
+ ret = match_int(args, &token);
+ if (ret) {
+ pr_warn("match_int() failed for queue_size parameter '%s', Error %d\n",
+ p, ret);
+ goto out;
+ }
+ if (token < 1) {
pr_warn("bad queue_size parameter '%s'\n", p);
+ ret = -EINVAL;
goto out;
}
target->scsi_host->can_queue = token;
@@ -3477,25 +3486,40 @@ static int srp_parse_options(struct net *net, const char *buf,
break;
case SRP_OPT_MAX_CMD_PER_LUN:
- if (match_int(args, &token) || token < 1) {
+ ret = match_int(args, &token);
+ if (ret) {
+ pr_warn("match_int() failed for max cmd_per_lun parameter '%s', Error %d\n",
+ p, ret);
+ goto out;
+ }
+ if (token < 1) {
pr_warn("bad max cmd_per_lun parameter '%s'\n",
p);
+ ret = -EINVAL;
goto out;
}
target->scsi_host->cmd_per_lun = token;
break;
case SRP_OPT_TARGET_CAN_QUEUE:
- if (match_int(args, &token) || token < 1) {
+ ret = match_int(args, &token);
+ if (ret) {
+ pr_warn("match_int() failed for max target_can_queue parameter '%s', Error %d\n",
+ p, ret);
+ goto out;
+ }
+ if (token < 1) {
pr_warn("bad max target_can_queue parameter '%s'\n",
p);
+ ret = -EINVAL;
goto out;
}
target->target_can_queue = token;
break;
case SRP_OPT_IO_CLASS:
- if (match_hex(args, &token)) {
+ ret = match_hex(args, &token);
+ if (ret) {
pr_warn("bad IO class parameter '%s'\n", p);
goto out;
}
@@ -3504,6 +3528,7 @@ static int srp_parse_options(struct net *net, const char *buf,
pr_warn("unknown IO class parameter value %x specified (use %x or %x).\n",
token, SRP_REV10_IB_IO_CLASS,
SRP_REV16A_IB_IO_CLASS);
+ ret = -EINVAL;
goto out;
}
target->io_class = token;
@@ -3526,16 +3551,24 @@ static int srp_parse_options(struct net *net, const char *buf,
break;
case SRP_OPT_CMD_SG_ENTRIES:
- if (match_int(args, &token) || token < 1 || token > 255) {
+ ret = match_int(args, &token);
+ if (ret) {
+ pr_warn("match_int() failed for max cmd_sg_entries parameter '%s', Error %d\n",
+ p, ret);
+ goto out;
+ }
+ if (token < 1 || token > 255) {
pr_warn("bad max cmd_sg_entries parameter '%s'\n",
p);
+ ret = -EINVAL;
goto out;
}
target->cmd_sg_cnt = token;
break;
case SRP_OPT_ALLOW_EXT_SG:
- if (match_int(args, &token)) {
+ ret = match_int(args, &token);
+ if (ret) {
pr_warn("bad allow_ext_sg parameter '%s'\n", p);
goto out;
}
@@ -3543,43 +3576,77 @@ static int srp_parse_options(struct net *net, const char *buf,
break;
case SRP_OPT_SG_TABLESIZE:
- if (match_int(args, &token) || token < 1 ||
- token > SG_MAX_SEGMENTS) {
+ ret = match_int(args, &token);
+ if (ret) {
+ pr_warn("match_int() failed for max sg_tablesize parameter '%s', Error %d\n",
+ p, ret);
+ goto out;
+ }
+ if (token < 1 || token > SG_MAX_SEGMENTS) {
pr_warn("bad max sg_tablesize parameter '%s'\n",
p);
+ ret = -EINVAL;
goto out;
}
target->sg_tablesize = token;
break;
case SRP_OPT_COMP_VECTOR:
- if (match_int(args, &token) || token < 0) {
+ ret = match_int(args, &token);
+ if (ret) {
+ pr_warn("match_int() failed for comp_vector parameter '%s', Error %d\n",
+ p, ret);
+ goto out;
+ }
+ if (token < 0) {
pr_warn("bad comp_vector parameter '%s'\n", p);
+ ret = -EINVAL;
goto out;
}
target->comp_vector = token;
break;
case SRP_OPT_TL_RETRY_COUNT:
- if (match_int(args, &token) || token < 2 || token > 7) {
+ ret = match_int(args, &token);
+ if (ret) {
+ pr_warn("match_int() failed for tl_retry_count parameter '%s', Error %d\n",
+ p, ret);
+ goto out;
+ }
+ if (token < 2 || token > 7) {
pr_warn("bad tl_retry_count parameter '%s' (must be a number between 2 and 7)\n",
p);
+ ret = -EINVAL;
goto out;
}
target->tl_retry_count = token;
break;
case SRP_OPT_MAX_IT_IU_SIZE:
- if (match_int(args, &token) || token < 0) {
+ ret = match_int(args, &token);
+ if (ret) {
+ pr_warn("match_int() failed for max it_iu_size parameter '%s', Error %d\n",
+ p, ret);
+ goto out;
+ }
+ if (token < 0) {
pr_warn("bad maximum initiator to target IU size '%s'\n", p);
+ ret = -EINVAL;
goto out;
}
target->max_it_iu_size = token;
break;
case SRP_OPT_CH_COUNT:
- if (match_int(args, &token) || token < 1) {
+ ret = match_int(args, &token);
+ if (ret) {
+ pr_warn("match_int() failed for channel count parameter '%s', Error %d\n",
+ p, ret);
+ goto out;
+ }
+ if (token < 1) {
pr_warn("bad channel count %s\n", p);
+ ret = -EINVAL;
goto out;
}
target->ch_count = token;
@@ -3588,6 +3655,7 @@ static int srp_parse_options(struct net *net, const char *buf,
default:
pr_warn("unknown parameter or missing value '%s' in target creation request\n",
p);
+ ret = -EINVAL;
goto out;
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 334/783] orangefs: Fix sysfs not cleanup when dev init failed
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 333/783] RDMA/srp: Fix error return code in srp_parse_options() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 335/783] RDMA/hns: Fix PBL page MTR find Greg Kroah-Hartman
` (458 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Xiaoxu, Mike Marshall, Sasha Levin
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[ Upstream commit ea60a4ad0cf88b411cde6888b8c890935686ecd7 ]
When the dev init failed, should cleanup the sysfs, otherwise, the
module will never be loaded since can not create duplicate sysfs
directory:
sysfs: cannot create duplicate filename '/fs/orangefs'
CPU: 1 PID: 6549 Comm: insmod Tainted: G W 6.0.0+ #44
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
sysfs_warn_dup.cold+0x17/0x24
sysfs_create_dir_ns+0x16d/0x180
kobject_add_internal+0x156/0x3a0
kobject_init_and_add+0xcf/0x120
orangefs_sysfs_init+0x7e/0x3a0 [orangefs]
orangefs_init+0xfe/0x1000 [orangefs]
do_one_initcall+0x87/0x2a0
do_init_module+0xdf/0x320
load_module+0x2f98/0x3330
__do_sys_finit_module+0x113/0x1b0
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
kobject_add_internal failed for orangefs with -EEXIST, don't try to register things with the same name in the same directory.
Fixes: 2f83ace37181 ("orangefs: put register_chrdev immediately before register_filesystem")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/orangefs/orangefs-mod.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/orangefs/orangefs-mod.c b/fs/orangefs/orangefs-mod.c
index 74a3d6337ef4..ac9c91b83868 100644
--- a/fs/orangefs/orangefs-mod.c
+++ b/fs/orangefs/orangefs-mod.c
@@ -141,7 +141,7 @@ static int __init orangefs_init(void)
gossip_err("%s: could not initialize device subsystem %d!\n",
__func__,
ret);
- goto cleanup_device;
+ goto cleanup_sysfs;
}
ret = register_filesystem(&orangefs_fs_type);
@@ -152,11 +152,11 @@ static int __init orangefs_init(void)
goto out;
}
- orangefs_sysfs_exit();
-
-cleanup_device:
orangefs_dev_cleanup();
+cleanup_sysfs:
+ orangefs_sysfs_exit();
+
sysfs_init_failed:
orangefs_debugfs_cleanup();
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 335/783] RDMA/hns: Fix PBL page MTR find
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 334/783] orangefs: Fix sysfs not cleanup when dev init failed Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 336/783] RDMA/hns: Fix page size cap from firmware Greg Kroah-Hartman
` (457 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chengchang Tang, Haoyue Xu,
Jason Gunthorpe, Sasha Levin
From: Chengchang Tang <tangchengchang@huawei.com>
[ Upstream commit 9fb39ef2ff3e18f1740625ba04093dfbef086d2b ]
Now, The address of the first two pages in the MR will be searched, which
use to speed up the lookup of the pbl table for hardware. An exception
will occur when there is only one page in this MR. This patch fix the
number of page to search.
Fixes: 9b2cf76c9f05 ("RDMA/hns: Optimize PBL buffer allocation process")
Link: https://lore.kernel.org/r/20221126102911.2921820-4-xuhaoyue1@hisilicon.com
Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index e1395590edfd..0f4ef4516868 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -2738,7 +2738,8 @@ static int set_mtpt_pbl(struct hns_roce_dev *hr_dev,
int i, count;
count = hns_roce_mtr_find(hr_dev, &mr->pbl_mtr, 0, pages,
- ARRAY_SIZE(pages), &pbl_ba);
+ min_t(int, ARRAY_SIZE(pages), mr->npages),
+ &pbl_ba);
if (count < 1) {
ibdev_err(ibdev, "failed to find PBL mtr, count = %d.\n",
count);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 336/783] RDMA/hns: Fix page size cap from firmware
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 335/783] RDMA/hns: Fix PBL page MTR find Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 337/783] crypto: img-hash - Fix variable dereferenced before check hdev->req Greg Kroah-Hartman
` (456 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chengchang Tang, Haoyue Xu,
Jason Gunthorpe, Sasha Levin
From: Chengchang Tang <tangchengchang@huawei.com>
[ Upstream commit 99dc5a0712883d5d13b620d25b3759d429577bc8 ]
Add verification to make sure the roce page size cap is supported by the
system page size.
Fixes: ba6bb7e97421 ("RDMA/hns: Add interfaces to get pf capabilities from firmware")
Link: https://lore.kernel.org/r/20221126102911.2921820-5-xuhaoyue1@hisilicon.com
Signed-off-by: Chengchang Tang <tangchengchang@huawei.com>
Signed-off-by: Haoyue Xu <xuhaoyue1@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
index 0f4ef4516868..76ed547b76ea 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
+++ b/drivers/infiniband/hw/hns/hns_roce_hw_v2.c
@@ -2166,6 +2166,9 @@ static int hns_roce_query_pf_caps(struct hns_roce_dev *hr_dev)
calc_pg_sz(caps->num_idx_segs, caps->idx_entry_sz, caps->idx_hop_num,
1, &caps->idx_buf_pg_sz, &caps->idx_ba_pg_sz, HEM_TYPE_IDX);
+ if (!(caps->page_size_cap & PAGE_SIZE))
+ caps->page_size_cap = HNS_ROCE_V2_PAGE_SIZE_SUPPORTED;
+
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 337/783] crypto: img-hash - Fix variable dereferenced before check hdev->req
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 336/783] RDMA/hns: Fix page size cap from firmware Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 338/783] hwrng: amd - Fix PCI device refcount leak Greg Kroah-Hartman
` (455 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Herbert Xu, Sasha Levin
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit 04ba54e5af8f8f0137b08cb51a0b3a2e1ea46c94 ]
Smatch report warning as follows:
drivers/crypto/img-hash.c:366 img_hash_dma_task() warn: variable
dereferenced before check 'hdev->req'
Variable dereferenced should be done after check 'hdev->req',
fix it.
Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator")
Fixes: 10badea259fa ("crypto: img-hash - Fix null pointer exception")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/img-hash.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c
index 91f555ccbb31..cecae50d0f58 100644
--- a/drivers/crypto/img-hash.c
+++ b/drivers/crypto/img-hash.c
@@ -357,12 +357,16 @@ static int img_hash_dma_init(struct img_hash_dev *hdev)
static void img_hash_dma_task(unsigned long d)
{
struct img_hash_dev *hdev = (struct img_hash_dev *)d;
- struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req);
+ struct img_hash_request_ctx *ctx;
u8 *addr;
size_t nbytes, bleft, wsend, len, tbc;
struct scatterlist tsg;
- if (!hdev->req || !ctx->sg)
+ if (!hdev->req)
+ return;
+
+ ctx = ahash_request_ctx(hdev->req);
+ if (!ctx->sg)
return;
addr = sg_virt(ctx->sg);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 338/783] hwrng: amd - Fix PCI device refcount leak
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 337/783] crypto: img-hash - Fix variable dereferenced before check hdev->req Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 339/783] hwrng: geode " Greg Kroah-Hartman
` (454 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Herbert Xu, Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit ecadb5b0111ea19fc7c240bb25d424a94471eb7d ]
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. Add the missing
pci_dev_put() for the normal and error path.
Fixes: 96d63c0297cc ("[PATCH] Add AMD HW RNG driver")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/hw_random/amd-rng.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/char/hw_random/amd-rng.c b/drivers/char/hw_random/amd-rng.c
index 9959c762da2f..db3dd467194c 100644
--- a/drivers/char/hw_random/amd-rng.c
+++ b/drivers/char/hw_random/amd-rng.c
@@ -143,15 +143,19 @@ static int __init mod_init(void)
found:
err = pci_read_config_dword(pdev, 0x58, &pmbase);
if (err)
- return err;
+ goto put_dev;
pmbase &= 0x0000FF00;
- if (pmbase == 0)
- return -EIO;
+ if (pmbase == 0) {
+ err = -EIO;
+ goto put_dev;
+ }
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
- if (!priv)
- return -ENOMEM;
+ if (!priv) {
+ err = -ENOMEM;
+ goto put_dev;
+ }
if (!request_region(pmbase + PMBASE_OFFSET, PMBASE_SIZE, DRV_NAME)) {
dev_err(&pdev->dev, DRV_NAME " region 0x%x already in use!\n",
@@ -185,6 +189,8 @@ static int __init mod_init(void)
release_region(pmbase + PMBASE_OFFSET, PMBASE_SIZE);
out:
kfree(priv);
+put_dev:
+ pci_dev_put(pdev);
return err;
}
@@ -200,6 +206,8 @@ static void __exit mod_exit(void)
release_region(priv->pmbase + PMBASE_OFFSET, PMBASE_SIZE);
+ pci_dev_put(priv->pcidev);
+
kfree(priv);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 339/783] hwrng: geode - Fix PCI device refcount leak
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 338/783] hwrng: amd - Fix PCI device refcount leak Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 340/783] IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces Greg Kroah-Hartman
` (453 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Herbert Xu, Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit 9f6ec8dc574efb7f4f3d7ee9cd59ae307e78f445 ]
for_each_pci_dev() is implemented by pci_get_device(). The comment of
pci_get_device() says that it will increase the reference count for the
returned pci_dev and also decrease the reference count for the input
pci_dev @from if it is not NULL.
If we break for_each_pci_dev() loop with pdev not NULL, we need to call
pci_dev_put() to decrease the reference count. We add a new struct
'amd_geode_priv' to record pointer of the pci_dev and membase, and then
add missing pci_dev_put() for the normal and error path.
Fixes: ef5d862734b8 ("[PATCH] Add Geode HW RNG driver")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/hw_random/geode-rng.c | 36 +++++++++++++++++++++++-------
1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/drivers/char/hw_random/geode-rng.c b/drivers/char/hw_random/geode-rng.c
index e1d421a36a13..207272979f23 100644
--- a/drivers/char/hw_random/geode-rng.c
+++ b/drivers/char/hw_random/geode-rng.c
@@ -51,6 +51,10 @@ static const struct pci_device_id pci_tbl[] = {
};
MODULE_DEVICE_TABLE(pci, pci_tbl);
+struct amd_geode_priv {
+ struct pci_dev *pcidev;
+ void __iomem *membase;
+};
static int geode_rng_data_read(struct hwrng *rng, u32 *data)
{
@@ -90,6 +94,7 @@ static int __init mod_init(void)
const struct pci_device_id *ent;
void __iomem *mem;
unsigned long rng_base;
+ struct amd_geode_priv *priv;
for_each_pci_dev(pdev) {
ent = pci_match_id(pci_tbl, pdev);
@@ -97,17 +102,26 @@ static int __init mod_init(void)
goto found;
}
/* Device not found. */
- goto out;
+ return err;
found:
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv) {
+ err = -ENOMEM;
+ goto put_dev;
+ }
+
rng_base = pci_resource_start(pdev, 0);
if (rng_base == 0)
- goto out;
+ goto free_priv;
err = -ENOMEM;
mem = ioremap(rng_base, 0x58);
if (!mem)
- goto out;
- geode_rng.priv = (unsigned long)mem;
+ goto free_priv;
+
+ geode_rng.priv = (unsigned long)priv;
+ priv->membase = mem;
+ priv->pcidev = pdev;
pr_info("AMD Geode RNG detected\n");
err = hwrng_register(&geode_rng);
@@ -116,20 +130,26 @@ static int __init mod_init(void)
err);
goto err_unmap;
}
-out:
return err;
err_unmap:
iounmap(mem);
- goto out;
+free_priv:
+ kfree(priv);
+put_dev:
+ pci_dev_put(pdev);
+ return err;
}
static void __exit mod_exit(void)
{
- void __iomem *mem = (void __iomem *)geode_rng.priv;
+ struct amd_geode_priv *priv;
+ priv = (struct amd_geode_priv *)geode_rng.priv;
hwrng_unregister(&geode_rng);
- iounmap(mem);
+ iounmap(priv->membase);
+ pci_dev_put(priv->pcidev);
+ kfree(priv);
}
module_init(mod_init);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 340/783] IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 339/783] hwrng: geode " Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 341/783] drivers: dio: fix possible memory leak in dio_init() Greg Kroah-Hartman
` (452 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Leon Romanovsky,
Sasha Levin
From: Dragos Tatulea <dtatulea@nvidia.com>
[ Upstream commit dbc94a0fb81771a38733c0e8f2ea8c4fa6934dc1 ]
There are 2 ways to create IPoIB PKEY child interfaces:
1) Writing a PKEY to /sys/class/net/<ib parent interface>/create_child.
2) Using netlink with iproute.
While with sysfs the child interface has the same number of tx and
rx queues as the parent, with netlink there will always be 1 tx
and 1 rx queue for the child interface. That's because the
get_num_tx/rx_queues() netlink ops are missing and the default value
of 1 is taken for the number of queues (in rtnl_create_link()).
This change adds the get_num_tx/rx_queues() ops which allows for
interfaces with multiple queues to be created over netlink. This
constant only represents the max number of tx and rx queues on that
net device.
Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support")
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Link: https://lore.kernel.org/r/f4a42c8aa43c02d5ae5559a60c3e5e0f18c82531.1670485816.git.leonro@nvidia.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/ulp/ipoib/ipoib_netlink.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
index 5b05cf3837da..28e9b70844e4 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
@@ -42,6 +42,11 @@ static const struct nla_policy ipoib_policy[IFLA_IPOIB_MAX + 1] = {
[IFLA_IPOIB_UMCAST] = { .type = NLA_U16 },
};
+static unsigned int ipoib_get_max_num_queues(void)
+{
+ return min_t(unsigned int, num_possible_cpus(), 128);
+}
+
static int ipoib_fill_info(struct sk_buff *skb, const struct net_device *dev)
{
struct ipoib_dev_priv *priv = ipoib_priv(dev);
@@ -173,6 +178,8 @@ static struct rtnl_link_ops ipoib_link_ops __read_mostly = {
.changelink = ipoib_changelink,
.get_size = ipoib_get_size,
.fill_info = ipoib_fill_info,
+ .get_num_rx_queues = ipoib_get_max_num_queues,
+ .get_num_tx_queues = ipoib_get_max_num_queues,
};
struct rtnl_link_ops *ipoib_get_link_ops(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 341/783] drivers: dio: fix possible memory leak in dio_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 340/783] IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 342/783] serial: tegra: Read DMA status before terminating Greg Kroah-Hartman
` (451 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit e63e99397b2613d50a5f4f02ed07307e67a190f1 ]
If device_register() returns error, the 'dev' and name needs be
freed. Add a release function, and then call put_device() in the
error path, so the name is freed in kobject_cleanup() and to the
'dev' is freed in release function.
Fixes: 2e4c77bea3d8 ("m68k: dio - Kill warn_unused_result warnings")
Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221109064036.1835346-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dio/dio.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/dio/dio.c b/drivers/dio/dio.c
index 193b40e7aec0..1414a1c81834 100644
--- a/drivers/dio/dio.c
+++ b/drivers/dio/dio.c
@@ -110,6 +110,12 @@ static char dio_no_name[] = { 0 };
#endif /* CONFIG_DIO_CONSTANTS */
+static void dio_dev_release(struct device *dev)
+{
+ struct dio_dev *ddev = container_of(dev, typeof(struct dio_dev), dev);
+ kfree(ddev);
+}
+
int __init dio_find(int deviceid)
{
/* Called to find a DIO device before the full bus scan has run.
@@ -224,6 +230,7 @@ static int __init dio_init(void)
dev->bus = &dio_bus;
dev->dev.parent = &dio_bus.dev;
dev->dev.bus = &dio_bus_type;
+ dev->dev.release = dio_dev_release;
dev->scode = scode;
dev->resource.start = pa;
dev->resource.end = pa + DIO_SIZE(scode, va);
@@ -251,6 +258,7 @@ static int __init dio_init(void)
if (error) {
pr_err("DIO: Error registering device %s\n",
dev->name);
+ put_device(&dev->dev);
continue;
}
error = dio_create_sysfs_dev_files(dev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 342/783] serial: tegra: Read DMA status before terminating
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 341/783] drivers: dio: fix possible memory leak in dio_init() Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 343/783] class: fix possible memory leak in __class_register() Greg Kroah-Hartman
` (450 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jon Hunter, Ilpo Järvinen,
Thierry Reding, Akhil R, Kartik, Sasha Levin
From: Kartik <kkartik@nvidia.com>
[ Upstream commit 109a951a9f1fd8a34ebd1896cbbd5d5cede880a7 ]
Read the DMA status before terminating the DMA, as doing so deletes
the DMA desc.
Also, to get the correct transfer status information, pause the DMA
using dmaengine_pause() before reading the DMA status.
Fixes: e9ea096dd225 ("serial: tegra: add serial driver")
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Akhil R <akhilrajeev@nvidia.com>
Signed-off-by: Kartik <kkartik@nvidia.com>
Link: https://lore.kernel.org/r/1666105086-17326-1-git-send-email-kkartik@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/serial-tegra.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/serial/serial-tegra.c b/drivers/tty/serial/serial-tegra.c
index cda71802b698..62377c831894 100644
--- a/drivers/tty/serial/serial-tegra.c
+++ b/drivers/tty/serial/serial-tegra.c
@@ -614,8 +614,9 @@ static void tegra_uart_stop_tx(struct uart_port *u)
if (tup->tx_in_progress != TEGRA_UART_TX_DMA)
return;
- dmaengine_terminate_all(tup->tx_dma_chan);
+ dmaengine_pause(tup->tx_dma_chan);
dmaengine_tx_status(tup->tx_dma_chan, tup->tx_cookie, &state);
+ dmaengine_terminate_all(tup->tx_dma_chan);
count = tup->tx_bytes_requested - state.residue;
async_tx_ack(tup->tx_dma_desc);
uart_xmit_advance(&tup->uport, count);
@@ -758,8 +759,9 @@ static void tegra_uart_terminate_rx_dma(struct tegra_uart_port *tup)
return;
}
- dmaengine_terminate_all(tup->rx_dma_chan);
+ dmaengine_pause(tup->rx_dma_chan);
dmaengine_tx_status(tup->rx_dma_chan, tup->rx_cookie, &state);
+ dmaengine_terminate_all(tup->rx_dma_chan);
tegra_uart_rx_buffer_push(tup, state.residue);
tup->rx_dma_active = false;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 343/783] class: fix possible memory leak in __class_register()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 342/783] serial: tegra: Read DMA status before terminating Greg Kroah-Hartman
@ 2023-01-12 13:50 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 344/783] vfio: platform: Do not pass return buffer to ACPI _RST method Greg Kroah-Hartman
` (449 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:50 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 8c3e8a6bdb5253b97ad532570f8b5db5f7a06407 ]
If class_add_groups() returns error, the 'cp->subsys' need be
unregister, and the 'cp' need be freed.
We can not call kset_unregister() here, because the 'cls' will
be freed in callback function class_release() and it's also
freed in caller's error path, it will cause double free.
So fix this by calling kobject_del() and kfree_const(name) to
cleanup kobject. Besides, call kfree() to free the 'cp'.
Fault injection test can trigger this:
unreferenced object 0xffff888102fa8190 (size 8):
comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s)
hex dump (first 8 bytes):
70 6b 74 63 64 76 64 00 pktcdvd.
backtrace:
[<00000000e7c7703d>] __kmalloc_track_caller+0x1ae/0x320
[<000000005e4d70bc>] kstrdup+0x3a/0x70
[<00000000c2e5e85a>] kstrdup_const+0x68/0x80
[<000000000049a8c7>] kvasprintf_const+0x10b/0x190
[<0000000029123163>] kobject_set_name_vargs+0x56/0x150
[<00000000747219c9>] kobject_set_name+0xab/0xe0
[<0000000005f1ea4e>] __class_register+0x15c/0x49a
unreferenced object 0xffff888037274000 (size 1024):
comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s)
hex dump (first 32 bytes):
00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff .@'7.....@'7....
00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
backtrace:
[<00000000151f9600>] kmem_cache_alloc_trace+0x17c/0x2f0
[<00000000ecf3dd95>] __class_register+0x86/0x49a
Fixes: ced6473e7486 ("driver core: class: add class_groups support")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221026082803.3458760-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/class.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/base/class.c b/drivers/base/class.c
index c3451481194e..ef7ff822bc08 100644
--- a/drivers/base/class.c
+++ b/drivers/base/class.c
@@ -192,6 +192,11 @@ int __class_register(struct class *cls, struct lock_class_key *key)
}
error = class_add_groups(class_get(cls), cls->class_groups);
class_put(cls);
+ if (error) {
+ kobject_del(&cp->subsys.kobj);
+ kfree_const(cp->subsys.kobj.name);
+ kfree(cp);
+ }
return error;
}
EXPORT_SYMBOL_GPL(__class_register);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 344/783] vfio: platform: Do not pass return buffer to ACPI _RST method
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2023-01-12 13:50 ` [PATCH 5.10 343/783] class: fix possible memory leak in __class_register() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 345/783] uio: uio_dmem_genirq: Fix missing unlock in irq configuration Greg Kroah-Hartman
` (448 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael Mendonca, Eric Auger,
Alex Williamson, Sasha Levin
From: Rafael Mendonca <rafaelmendsr@gmail.com>
[ Upstream commit e67e070632a665c932d534b8b800477bb3111449 ]
The ACPI _RST method has no return value, there's no need to pass a return
buffer to acpi_evaluate_object().
Fixes: d30daa33ec1d ("vfio: platform: call _RST method when using ACPI")
Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Link: https://lore.kernel.org/r/20221018152825.891032-1-rafaelmendsr@gmail.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/platform/vfio_platform_common.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c
index e83a7cd15c95..e15ef1a949e0 100644
--- a/drivers/vfio/platform/vfio_platform_common.c
+++ b/drivers/vfio/platform/vfio_platform_common.c
@@ -72,12 +72,11 @@ static int vfio_platform_acpi_call_reset(struct vfio_platform_device *vdev,
const char **extra_dbg)
{
#ifdef CONFIG_ACPI
- struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
struct device *dev = vdev->device;
acpi_handle handle = ACPI_HANDLE(dev);
acpi_status acpi_ret;
- acpi_ret = acpi_evaluate_object(handle, "_RST", NULL, &buffer);
+ acpi_ret = acpi_evaluate_object(handle, "_RST", NULL, NULL);
if (ACPI_FAILURE(acpi_ret)) {
if (extra_dbg)
*extra_dbg = acpi_format_exception(acpi_ret);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 345/783] uio: uio_dmem_genirq: Fix missing unlock in irq configuration
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 344/783] vfio: platform: Do not pass return buffer to ACPI _RST method Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 346/783] uio: uio_dmem_genirq: Fix deadlock between irq config and handling Greg Kroah-Hartman
` (447 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael Mendonca, Sasha Levin
From: Rafael Mendonca <rafaelmendsr@gmail.com>
[ Upstream commit 9de255c461d1b3f0242b3ad1450c3323a3e00b34 ]
Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in
uio_dmem_genirq_irqcontrol()") started calling disable_irq() without
holding the spinlock because it can sleep. However, that fix introduced
another bug: if interrupt is already disabled and a new disable request
comes in, then the spinlock is not unlocked:
root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0
root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0
root@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002
[ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc]
[ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21
[ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 14.855664] Call Trace:
[ 14.855861] <TASK>
[ 14.856025] dump_stack_lvl+0x4d/0x67
[ 14.856325] dump_stack+0x14/0x1a
[ 14.856583] __schedule_bug.cold+0x4b/0x5c
[ 14.856915] __schedule+0xe81/0x13d0
[ 14.857199] ? idr_find+0x13/0x20
[ 14.857456] ? get_work_pool+0x2d/0x50
[ 14.857756] ? __flush_work+0x233/0x280
[ 14.858068] ? __schedule+0xa95/0x13d0
[ 14.858307] ? idr_find+0x13/0x20
[ 14.858519] ? get_work_pool+0x2d/0x50
[ 14.858798] schedule+0x6c/0x100
[ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110
[ 14.859335] ? tty_write_room+0x1f/0x30
[ 14.859598] ? n_tty_poll+0x1ec/0x220
[ 14.859830] ? tty_ldisc_deref+0x1a/0x20
[ 14.860090] schedule_hrtimeout_range+0x17/0x20
[ 14.860373] do_select+0x596/0x840
[ 14.860627] ? __kernel_text_address+0x16/0x50
[ 14.860954] ? poll_freewait+0xb0/0xb0
[ 14.861235] ? poll_freewait+0xb0/0xb0
[ 14.861517] ? rpm_resume+0x49d/0x780
[ 14.861798] ? common_interrupt+0x59/0xa0
[ 14.862127] ? asm_common_interrupt+0x2b/0x40
[ 14.862511] ? __uart_start.isra.0+0x61/0x70
[ 14.862902] ? __check_object_size+0x61/0x280
[ 14.863255] core_sys_select+0x1c6/0x400
[ 14.863575] ? vfs_write+0x1c9/0x3d0
[ 14.863853] ? vfs_write+0x1c9/0x3d0
[ 14.864121] ? _copy_from_user+0x45/0x70
[ 14.864526] do_pselect.constprop.0+0xb3/0xf0
[ 14.864893] ? do_syscall_64+0x6d/0x90
[ 14.865228] ? do_syscall_64+0x6d/0x90
[ 14.865556] __x64_sys_pselect6+0x76/0xa0
[ 14.865906] do_syscall_64+0x60/0x90
[ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50
[ 14.866640] ? do_syscall_64+0x6d/0x90
[ 14.866972] ? do_syscall_64+0x6d/0x90
[ 14.867286] ? do_syscall_64+0x6d/0x90
[ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...] stripped
[ 14.872959] </TASK>
('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this)
The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and
it is used in a similar manner to the "uio_pdrv_genirq" driver with respect
to interrupt configuration and handling. At the time "uio_dmem_genirq" was
introduced, both had the same implementation of the 'uio_info' handlers
irqcontrol() and handler(). Then commit 34cb27528398 ("UIO: Fix concurrency
issue"), which was only applied to "uio_pdrv_genirq", ended up making them
a little different. That commit, among other things, changed disable_irq()
to disable_irq_nosync() in the implementation of irqcontrol(). The
motivation there was to avoid a deadlock between irqcontrol() and
handler(), since it added a spinlock in the irq handler, and disable_irq()
waits for the completion of the irq handler.
By changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also
avoid the sleeping-while-atomic bug that commit b74351287d4b ("uio: fix a
sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") was trying to
fix. Thus, this fixes the missing unlock in irqcontrol() by importing the
implementation of irqcontrol() handler from the "uio_pdrv_genirq" driver.
In the end, it reverts commit b74351287d4b ("uio: fix a
sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") and change
disable_irq() to disable_irq_nosync().
It is worth noting that this still does not address the concurrency issue
fixed by commit 34cb27528398 ("UIO: Fix concurrency issue"). It will be
addressed separately in the next commits.
Split out from commit 34cb27528398 ("UIO: Fix concurrency issue").
Fixes: b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()")
Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
Link: https://lore.kernel.org/r/20220930224100.816175-2-rafaelmendsr@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/uio/uio_dmem_genirq.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c
index ec7f66f4555a..796946bab508 100644
--- a/drivers/uio/uio_dmem_genirq.c
+++ b/drivers/uio/uio_dmem_genirq.c
@@ -132,13 +132,11 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on)
if (irq_on) {
if (test_and_clear_bit(0, &priv->flags))
enable_irq(dev_info->irq);
- spin_unlock_irqrestore(&priv->lock, flags);
} else {
- if (!test_and_set_bit(0, &priv->flags)) {
- spin_unlock_irqrestore(&priv->lock, flags);
- disable_irq(dev_info->irq);
- }
+ if (!test_and_set_bit(0, &priv->flags))
+ disable_irq_nosync(dev_info->irq);
}
+ spin_unlock_irqrestore(&priv->lock, flags);
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 346/783] uio: uio_dmem_genirq: Fix deadlock between irq config and handling
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 345/783] uio: uio_dmem_genirq: Fix missing unlock in irq configuration Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 347/783] usb: fotg210-udc: Fix ages old endianness issues Greg Kroah-Hartman
` (446 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rafael Mendonca, Sasha Levin
From: Rafael Mendonca <rafaelmendsr@gmail.com>
[ Upstream commit 118b918018175d9fcd8db667f905012e986cc2c9 ]
This fixes a concurrency issue addressed in commit 34cb27528398 ("UIO: Fix
concurrency issue"):
"In a SMP case there was a race condition issue between
Uio_pdrv_genirq_irqcontrol() running on one CPU and irq handler on
another CPU. Fix it by spin_locking shared resources access inside irq
handler."
The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and
it is used in a similar manner to the "uio_pdrv_genirq" driver with respect
to interrupt configuration and handling. At the time "uio_dmem_genirq" was
merged, both had the same implementation of the 'uio_info' handlers
irqcontrol() and handler(), thus, both had the same concurrency issue
mentioned by the above commit. However, the above patch was only applied to
the "uio_pdrv_genirq" driver.
Split out from commit 34cb27528398 ("UIO: Fix concurrency issue").
Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation")
Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
Link: https://lore.kernel.org/r/20220930224100.816175-3-rafaelmendsr@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/uio/uio_dmem_genirq.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c
index 796946bab508..92751737bbea 100644
--- a/drivers/uio/uio_dmem_genirq.c
+++ b/drivers/uio/uio_dmem_genirq.c
@@ -110,8 +110,10 @@ static irqreturn_t uio_dmem_genirq_handler(int irq, struct uio_info *dev_info)
* remember the state so we can allow user space to enable it later.
*/
+ spin_lock(&priv->lock);
if (!test_and_set_bit(0, &priv->flags))
disable_irq_nosync(irq);
+ spin_unlock(&priv->lock);
return IRQ_HANDLED;
}
@@ -125,7 +127,8 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on)
* in the interrupt controller, but keep track of the
* state to prevent per-irq depth damage.
*
- * Serialize this operation to support multiple tasks.
+ * Serialize this operation to support multiple tasks and concurrency
+ * with irq handler on SMP systems.
*/
spin_lock_irqsave(&priv->lock, flags);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 347/783] usb: fotg210-udc: Fix ages old endianness issues
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 346/783] uio: uio_dmem_genirq: Fix deadlock between irq config and handling Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 348/783] staging: vme_user: Fix possible UAF in tsi148_dma_list_add Greg Kroah-Hartman
` (445 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Linus Walleij,
Sasha Levin
From: Linus Walleij <linus.walleij@linaro.org>
[ Upstream commit 46ed6026ca2181c917c8334a82e3eaf40a6234dd ]
The code in the FOTG210 driver isn't entirely endianness-agnostic
as reported by the kernel robot sparse testing. This came to
the surface while moving the files around.
The driver is only used on little-endian systems, so this causes
no real-world regression, but it is nice to be strict and have
some compile coverage also on big endian machines, so fix it
up with the right LE accessors.
Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver")
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/linux-usb/202211110910.0dJ7nZCn-lkp@intel.com/
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20221111090317.94228-1-linus.walleij@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/udc/fotg210-udc.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c
index 75bf446f4a66..11712bc89635 100644
--- a/drivers/usb/gadget/udc/fotg210-udc.c
+++ b/drivers/usb/gadget/udc/fotg210-udc.c
@@ -629,10 +629,10 @@ static void fotg210_request_error(struct fotg210_udc *fotg210)
static void fotg210_set_address(struct fotg210_udc *fotg210,
struct usb_ctrlrequest *ctrl)
{
- if (ctrl->wValue >= 0x0100) {
+ if (le16_to_cpu(ctrl->wValue) >= 0x0100) {
fotg210_request_error(fotg210);
} else {
- fotg210_set_dev_addr(fotg210, ctrl->wValue);
+ fotg210_set_dev_addr(fotg210, le16_to_cpu(ctrl->wValue));
fotg210_set_cxdone(fotg210);
}
}
@@ -713,17 +713,17 @@ static void fotg210_get_status(struct fotg210_udc *fotg210,
switch (ctrl->bRequestType & USB_RECIP_MASK) {
case USB_RECIP_DEVICE:
- fotg210->ep0_data = 1 << USB_DEVICE_SELF_POWERED;
+ fotg210->ep0_data = cpu_to_le16(1 << USB_DEVICE_SELF_POWERED);
break;
case USB_RECIP_INTERFACE:
- fotg210->ep0_data = 0;
+ fotg210->ep0_data = cpu_to_le16(0);
break;
case USB_RECIP_ENDPOINT:
epnum = ctrl->wIndex & USB_ENDPOINT_NUMBER_MASK;
if (epnum)
fotg210->ep0_data =
- fotg210_is_epnstall(fotg210->ep[epnum])
- << USB_ENDPOINT_HALT;
+ cpu_to_le16(fotg210_is_epnstall(fotg210->ep[epnum])
+ << USB_ENDPOINT_HALT);
else
fotg210_request_error(fotg210);
break;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 348/783] staging: vme_user: Fix possible UAF in tsi148_dma_list_add
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 347/783] usb: fotg210-udc: Fix ages old endianness issues Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 349/783] usb: typec: Check for ops->exit instead of ops->enter in altmode_exit Greg Kroah-Hartman
` (444 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Sasha Levin
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ]
Smatch report warning as follows:
drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:
'&entry->list' not removed from list
In tsi148_dma_list_add(), the error path "goto err_dma" will not
remove entry->list from list->entries, but entry will be freed,
then list traversal may cause UAF.
Fix by removeing it from list->entries before free().
Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vme/bridges/vme_tsi148.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/vme/bridges/vme_tsi148.c b/drivers/vme/bridges/vme_tsi148.c
index 50ae26977a02..5ccda1a363ec 100644
--- a/drivers/vme/bridges/vme_tsi148.c
+++ b/drivers/vme/bridges/vme_tsi148.c
@@ -1771,6 +1771,7 @@ static int tsi148_dma_list_add(struct vme_dma_list *list,
return 0;
err_dma:
+ list_del(&entry->list);
err_dest:
err_source:
err_align:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 349/783] usb: typec: Check for ops->exit instead of ops->enter in altmode_exit
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 348/783] staging: vme_user: Fix possible UAF in tsi148_dma_list_add Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 350/783] usb: typec: tcpci: fix of node refcount leak in tcpci_register_port() Greg Kroah-Hartman
` (443 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Peter, Heikki Krogerus, Sasha Levin
From: Sven Peter <sven@svenpeter.dev>
[ Upstream commit b6ddd180e3d9f92c1e482b3cdeec7dda086b1341 ]
typec_altmode_exit checks if ops->enter is not NULL but then calls
ops->exit a few lines below. Fix that and check for the function
pointer it's about to call instead.
Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
Signed-off-by: Sven Peter <sven@svenpeter.dev>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20221114165924.33487-1-sven@svenpeter.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/bus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/typec/bus.c b/drivers/usb/typec/bus.c
index e8ddb81cb6df..f4e7f4d78b56 100644
--- a/drivers/usb/typec/bus.c
+++ b/drivers/usb/typec/bus.c
@@ -132,7 +132,7 @@ int typec_altmode_exit(struct typec_altmode *adev)
if (!adev || !adev->active)
return 0;
- if (!pdev->ops || !pdev->ops->enter)
+ if (!pdev->ops || !pdev->ops->exit)
return -EOPNOTSUPP;
/* Moving to USB Safe State */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 350/783] usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 349/783] usb: typec: Check for ops->exit instead of ops->enter in altmode_exit Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 351/783] usb: typec: tipd: Fix spurious fwnode_handle_put in error path Greg Kroah-Hartman
` (442 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Heikki Krogerus,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 0384e87e3fec735e47f1c133c796f32ef7a72a9b ]
I got the following report while doing device(mt6370-tcpc) load
test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:
OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /i2c/pmic@34/tcpc/connector
The 'fwnode' set in tcpci_parse_config() which is called
in tcpci_register_port(), its node refcount is increased
in device_get_named_child_node(). It needs be put while
exiting, so call fwnode_handle_put() in the error path of
tcpci_register_port() and in tcpci_unregister_port() to
avoid leak.
Fixes: 5e85a04c8c0d ("usb: typec: add fwnode to tcpc")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20221121062416.1026192-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/tcpm/tcpci.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/typec/tcpm/tcpci.c b/drivers/usb/typec/tcpm/tcpci.c
index 49420e28a1f7..069affa5cb1e 100644
--- a/drivers/usb/typec/tcpm/tcpci.c
+++ b/drivers/usb/typec/tcpm/tcpci.c
@@ -649,8 +649,10 @@ struct tcpci *tcpci_register_port(struct device *dev, struct tcpci_data *data)
return ERR_PTR(err);
tcpci->port = tcpm_register_port(tcpci->dev, &tcpci->tcpc);
- if (IS_ERR(tcpci->port))
+ if (IS_ERR(tcpci->port)) {
+ fwnode_handle_put(tcpci->tcpc.fwnode);
return ERR_CAST(tcpci->port);
+ }
return tcpci;
}
@@ -659,6 +661,7 @@ EXPORT_SYMBOL_GPL(tcpci_register_port);
void tcpci_unregister_port(struct tcpci *tcpci)
{
tcpm_unregister_port(tcpci->port);
+ fwnode_handle_put(tcpci->tcpc.fwnode);
}
EXPORT_SYMBOL_GPL(tcpci_unregister_port);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 351/783] usb: typec: tipd: Fix spurious fwnode_handle_put in error path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 350/783] usb: typec: tcpci: fix of node refcount leak in tcpci_register_port() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 352/783] serial: amba-pl011: avoid SBSA UART accessing DMACR register Greg Kroah-Hartman
` (441 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Peter, Heikki Krogerus, Sasha Levin
From: Sven Peter <sven@svenpeter.dev>
[ Upstream commit 782c70edc4852a5d39be12377a85501546236212 ]
The err_role_put error path always calls fwnode_handle_put to release
the fwnode. This path can be reached after probe itself has already
released that fwnode though. Fix that by moving fwnode_handle_put in the
happy path to the very end.
Fixes: 18a6c866bb19 ("usb: typec: tps6598x: Add USB role switching logic")
Signed-off-by: Sven Peter <sven@svenpeter.dev>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20221114174449.34634-2-sven@svenpeter.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/typec/tps6598x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/typec/tps6598x.c b/drivers/usb/typec/tps6598x.c
index 6cb5c8e2c853..4722b7f7a4a2 100644
--- a/drivers/usb/typec/tps6598x.c
+++ b/drivers/usb/typec/tps6598x.c
@@ -564,7 +564,6 @@ static int tps6598x_probe(struct i2c_client *client)
ret = PTR_ERR(tps->port);
goto err_role_put;
}
- fwnode_handle_put(fwnode);
if (status & TPS_STATUS_PLUG_PRESENT) {
ret = tps6598x_connect(tps, status);
@@ -583,6 +582,7 @@ static int tps6598x_probe(struct i2c_client *client)
}
i2c_set_clientdata(client, tps);
+ fwnode_handle_put(fwnode);
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 352/783] serial: amba-pl011: avoid SBSA UART accessing DMACR register
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 351/783] usb: typec: tipd: Fix spurious fwnode_handle_put in error path Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 353/783] serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle Greg Kroah-Hartman
` (440 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiamei Xie, Andre Przywara, Sasha Levin
From: Jiamei Xie <jiamei.xie@arm.com>
[ Upstream commit 94cdb9f33698478b0e7062586633c42c6158a786 ]
Chapter "B Generic UART" in "ARM Server Base System Architecture" [1]
documentation describes a generic UART interface. Such generic UART
does not support DMA. In current code, sbsa_uart_pops and
amba_pl011_pops share the same stop_rx operation, which will invoke
pl011_dma_rx_stop, leading to an access of the DMACR register. This
commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the
access to DMACR register for SBSA UARTs which does not support DMA.
When the kernel enables DMA engine with "CONFIG_DMA_ENGINE=y", Linux
SBSA PL011 driver will access PL011 DMACR register in some functions.
For most real SBSA Pl011 hardware implementations, the DMACR write
behaviour will be ignored. So these DMACR operations will not cause
obvious problems. But for some virtual SBSA PL011 hardware, like Xen
virtual SBSA PL011 (vpl011) device, the behaviour might be different.
Xen vpl011 emulation will inject a data abort to guest, when guest is
accessing an unimplemented UART register. As Xen VPL011 is SBSA
compatible, it will not implement DMACR register. So when Linux SBSA
PL011 driver access DMACR register, it will get an unhandled data abort
fault and the application will get a segmentation fault:
Unhandled fault at 0xffffffc00944d048
Mem abort info:
ESR = 0x96000000
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x00: ttbr address size fault
Data abort info:
ISV = 0, ISS = 0x00000000
CM = 0, WnR = 0
swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000
[ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13
Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP
...
Call trace:
pl011_stop_rx+0x70/0x80
tty_port_shutdown+0x7c/0xb4
tty_port_close+0x60/0xcc
uart_close+0x34/0x8c
tty_release+0x144/0x4c0
__fput+0x78/0x220
____fput+0x1c/0x30
task_work_run+0x88/0xc0
do_notify_resume+0x8d0/0x123c
el0_svc+0xa8/0xc0
el0t_64_sync_handler+0xa4/0x130
el0t_64_sync+0x1a0/0x1a4
Code: b9000083 b901f001 794038a0 8b000042 (b9000041)
---[ end trace 83dd93df15c3216f ]---
note: bootlogd[132] exited with preempt_count 1
/etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon
This has been discussed in the Xen community, and we think it should fix
this in Linux. See [2] for more information.
[1] https://developer.arm.com/documentation/den0094/c/?lang=en
[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html
Fixes: 0dd1e247fd39 (drivers: PL011: add support for the ARM SBSA generic UART)
Signed-off-by: Jiamei Xie <jiamei.xie@arm.com>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Link: https://lore.kernel.org/r/20221117103237.86856-1-jiamei.xie@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/amba-pl011.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
index 9900ee3f9068..2f7373fc7bb7 100644
--- a/drivers/tty/serial/amba-pl011.c
+++ b/drivers/tty/serial/amba-pl011.c
@@ -1048,6 +1048,9 @@ static void pl011_dma_rx_callback(void *data)
*/
static inline void pl011_dma_rx_stop(struct uart_amba_port *uap)
{
+ if (!uap->using_rx_dma)
+ return;
+
/* FIXME. Just disable the DMA enable */
uap->dmacr &= ~UART011_RXDMAE;
pl011_write(uap->dmacr, uap, REG_DMACR);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 353/783] serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle.
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 352/783] serial: amba-pl011: avoid SBSA UART accessing DMACR register Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 354/783] serial: pch: Fix PCI device refcount leak in pch_request_dma() Greg Kroah-Hartman
` (439 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, delisun, Ilpo Järvinen, Sasha Levin
From: delisun <delisun@pateo.com.cn>
[ Upstream commit 032d5a71ed378ffc6a2d41a187d8488a4f9fe415 ]
Clearing the RX FIFO will cause data loss.
Copy the pl011_enabl_interrupts implementation, and remove the clear
interrupt and FIFO part of the code.
Fixes: 211565b10099 ("serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle")
Signed-off-by: delisun <delisun@pateo.com.cn>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20221110020108.7700-1-delisun@pateo.com.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/amba-pl011.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c
index 2f7373fc7bb7..348d4b2a391a 100644
--- a/drivers/tty/serial/amba-pl011.c
+++ b/drivers/tty/serial/amba-pl011.c
@@ -1760,8 +1760,17 @@ static void pl011_enable_interrupts(struct uart_amba_port *uap)
static void pl011_unthrottle_rx(struct uart_port *port)
{
struct uart_amba_port *uap = container_of(port, struct uart_amba_port, port);
+ unsigned long flags;
- pl011_enable_interrupts(uap);
+ spin_lock_irqsave(&uap->port.lock, flags);
+
+ uap->im = UART011_RTIM;
+ if (!pl011_dma_rx_running(uap))
+ uap->im |= UART011_RXIM;
+
+ pl011_write(uap->im, uap, REG_IMSC);
+
+ spin_unlock_irqrestore(&uap->port.lock, flags);
}
static int pl011_startup(struct uart_port *port)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 354/783] serial: pch: Fix PCI device refcount leak in pch_request_dma()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 353/783] serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 355/783] tty: serial: clean up stop-tx part in altera_uart_tx_chars() Greg Kroah-Hartman
` (438 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit 8be3a7bf773700534a6e8f87f6ed2ed111254be5 ]
As comment of pci_get_slot() says, it returns a pci_device with its
refcount increased. The caller must decrement the reference count by
calling pci_dev_put().
Since 'dma_dev' is only used to filter the channel in filter(), we can
call pci_dev_put() before exiting from pch_request_dma(). Add the
missing pci_dev_put() for the normal and error path.
Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Link: https://lore.kernel.org/r/20221122114559.27692-1-wangxiongfeng2@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/pch_uart.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
index 351ad0b02029..fa2061f1cf3d 100644
--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -711,6 +711,7 @@ static void pch_request_dma(struct uart_port *port)
if (!chan) {
dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n",
__func__);
+ pci_dev_put(dma_dev);
return;
}
priv->chan_tx = chan;
@@ -727,6 +728,7 @@ static void pch_request_dma(struct uart_port *port)
__func__);
dma_release_channel(priv->chan_tx);
priv->chan_tx = NULL;
+ pci_dev_put(dma_dev);
return;
}
@@ -734,6 +736,8 @@ static void pch_request_dma(struct uart_port *port)
priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize,
&priv->rx_buf_dma, GFP_KERNEL);
priv->chan_rx = chan;
+
+ pci_dev_put(dma_dev);
}
static void pch_dma_rx_complete(void *arg)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 355/783] tty: serial: clean up stop-tx part in altera_uart_tx_chars()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 354/783] serial: pch: Fix PCI device refcount leak in pch_request_dma() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 356/783] tty: serial: altera_uart_{r,t}x_chars() need only uart_port Greg Kroah-Hartman
` (437 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tobias Klauser, Ilpo Järvinen,
Jiri Slaby, Sasha Levin
From: Jiri Slaby <jslaby@suse.cz>
[ Upstream commit d9c128117da41cf4cb0e80ae565b5d3ac79dffac ]
The "stop TX" path in altera_uart_tx_chars() is open-coded, so:
* use uart_circ_empty() to check if the buffer is empty, and
* when true, call altera_uart_stop_tx().
Cc: Tobias Klauser <tklauser@distanz.ch>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Acked-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20220920052049.20507-3-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 1307c5d33cce ("serial: altera_uart: fix locking in polling mode")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/altera_uart.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/serial/altera_uart.c b/drivers/tty/serial/altera_uart.c
index 0e487ce091ac..508a3c2b7781 100644
--- a/drivers/tty/serial/altera_uart.c
+++ b/drivers/tty/serial/altera_uart.c
@@ -274,10 +274,8 @@ static void altera_uart_tx_chars(struct altera_uart *pp)
if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
uart_write_wakeup(port);
- if (xmit->head == xmit->tail) {
- pp->imr &= ~ALTERA_UART_CONTROL_TRDY_MSK;
- altera_uart_update_ctrl_reg(pp);
- }
+ if (uart_circ_empty(xmit))
+ altera_uart_stop_tx(port);
}
static irqreturn_t altera_uart_interrupt(int irq, void *data)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 356/783] tty: serial: altera_uart_{r,t}x_chars() need only uart_port
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 355/783] tty: serial: clean up stop-tx part in altera_uart_tx_chars() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 357/783] serial: altera_uart: fix locking in polling mode Greg Kroah-Hartman
` (436 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tobias Klauser, Ilpo Järvinen,
Jiri Slaby, Sasha Levin
From: Jiri Slaby <jslaby@suse.cz>
[ Upstream commit 3af44d9bb0539d5fa27d6159d696fda5f3747bff ]
Both altera_uart_{r,t}x_chars() need only uart_port, not altera_uart. So
pass the former from altera_uart_interrupt() directly.
Apart it maybe saves a dereference, this makes the transition of
altera_uart_tx_chars() easier to follow in the next patch.
Cc: Tobias Klauser <tklauser@distanz.ch>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Acked-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Link: https://lore.kernel.org/r/20220920052049.20507-4-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 1307c5d33cce ("serial: altera_uart: fix locking in polling mode")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/altera_uart.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/drivers/tty/serial/altera_uart.c b/drivers/tty/serial/altera_uart.c
index 508a3c2b7781..20c610440133 100644
--- a/drivers/tty/serial/altera_uart.c
+++ b/drivers/tty/serial/altera_uart.c
@@ -199,9 +199,8 @@ static void altera_uart_set_termios(struct uart_port *port,
*/
}
-static void altera_uart_rx_chars(struct altera_uart *pp)
+static void altera_uart_rx_chars(struct uart_port *port)
{
- struct uart_port *port = &pp->port;
unsigned char ch, flag;
unsigned short status;
@@ -248,9 +247,8 @@ static void altera_uart_rx_chars(struct altera_uart *pp)
spin_lock(&port->lock);
}
-static void altera_uart_tx_chars(struct altera_uart *pp)
+static void altera_uart_tx_chars(struct uart_port *port)
{
- struct uart_port *port = &pp->port;
struct circ_buf *xmit = &port->state->xmit;
if (port->x_char) {
@@ -288,9 +286,9 @@ static irqreturn_t altera_uart_interrupt(int irq, void *data)
spin_lock(&port->lock);
if (isr & ALTERA_UART_STATUS_RRDY_MSK)
- altera_uart_rx_chars(pp);
+ altera_uart_rx_chars(port);
if (isr & ALTERA_UART_STATUS_TRDY_MSK)
- altera_uart_tx_chars(pp);
+ altera_uart_tx_chars(port);
spin_unlock(&port->lock);
return IRQ_RETVAL(isr);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 357/783] serial: altera_uart: fix locking in polling mode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 356/783] tty: serial: altera_uart_{r,t}x_chars() need only uart_port Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 358/783] serial: sunsab: Fix error handling in sunsab_init() Greg Kroah-Hartman
` (435 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gabriel Somlo, Sasha Levin
From: Gabriel Somlo <gsomlo@gmail.com>
[ Upstream commit 1307c5d33cce8a41dd77c2571e4df65a5b627feb ]
Since altera_uart_interrupt() may also be called from
a poll timer in "serving_softirq" context, use
spin_[lock_irqsave|unlock_irqrestore] variants, which
are appropriate for both softirq and hardware interrupt
contexts.
Fixes: 2f8b9c15cd88 ("altera_uart: Add support for polling mode (IRQ-less)")
Signed-off-by: Gabriel Somlo <gsomlo@gmail.com>
Link: https://lore.kernel.org/r/20221122200426.888349-1-gsomlo@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/altera_uart.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/serial/altera_uart.c b/drivers/tty/serial/altera_uart.c
index 20c610440133..d91f76b1d353 100644
--- a/drivers/tty/serial/altera_uart.c
+++ b/drivers/tty/serial/altera_uart.c
@@ -280,16 +280,17 @@ static irqreturn_t altera_uart_interrupt(int irq, void *data)
{
struct uart_port *port = data;
struct altera_uart *pp = container_of(port, struct altera_uart, port);
+ unsigned long flags;
unsigned int isr;
isr = altera_uart_readl(port, ALTERA_UART_STATUS_REG) & pp->imr;
- spin_lock(&port->lock);
+ spin_lock_irqsave(&port->lock, flags);
if (isr & ALTERA_UART_STATUS_RRDY_MSK)
altera_uart_rx_chars(port);
if (isr & ALTERA_UART_STATUS_TRDY_MSK)
altera_uart_tx_chars(port);
- spin_unlock(&port->lock);
+ spin_unlock_irqrestore(&port->lock, flags);
return IRQ_RETVAL(isr);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 358/783] serial: sunsab: Fix error handling in sunsab_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 357/783] serial: altera_uart: fix locking in polling mode Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 359/783] test_firmware: fix memory leak in test_firmware_init() Greg Kroah-Hartman
` (434 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit 1a6ec673fb627c26e2267ca0a03849f91dbd9b40 ]
The sunsab_init() returns the platform_driver_register() directly without
checking its return value, if platform_driver_register() failed, the
allocated sunsab_ports is leaked.
Fix by free sunsab_ports and set it to NULL when platform_driver_register()
failed.
Fixes: c4d37215a824 ("[SERIAL] sunsab: Convert to of_driver framework.")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221123061212.52593-1-yuancan@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/sunsab.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/serial/sunsab.c b/drivers/tty/serial/sunsab.c
index bab551f46963..451c7233623f 100644
--- a/drivers/tty/serial/sunsab.c
+++ b/drivers/tty/serial/sunsab.c
@@ -1137,7 +1137,13 @@ static int __init sunsab_init(void)
}
}
- return platform_driver_register(&sab_driver);
+ err = platform_driver_register(&sab_driver);
+ if (err) {
+ kfree(sunsab_ports);
+ sunsab_ports = NULL;
+ }
+
+ return err;
}
static void __exit sunsab_exit(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 359/783] test_firmware: fix memory leak in test_firmware_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 358/783] serial: sunsab: Fix error handling in sunsab_init() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 360/783] misc: ocxl: fix possible name leak in ocxl_file_register_afu() Greg Kroah-Hartman
` (433 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhengchao Shao, Luis Chamberlain,
Sasha Levin
From: Zhengchao Shao <shaozhengchao@huawei.com>
[ Upstream commit 7610615e8cdb3f6f5bbd9d8e7a5d8a63e3cabf2e ]
When misc_register() failed in test_firmware_init(), the memory pointed
by test_fw_config->name is not released. The memory leak information is
as follows:
unreferenced object 0xffff88810a34cb00 (size 32):
comm "insmod", pid 7952, jiffies 4294948236 (age 49.060s)
hex dump (first 32 bytes):
74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi
6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............
backtrace:
[<ffffffff81b21fcb>] __kmalloc_node_track_caller+0x4b/0xc0
[<ffffffff81affb96>] kstrndup+0x46/0xc0
[<ffffffffa0403a49>] __test_firmware_config_init+0x29/0x380 [test_firmware]
[<ffffffffa040f068>] 0xffffffffa040f068
[<ffffffff81002c41>] do_one_initcall+0x141/0x780
[<ffffffff816a72c3>] do_init_module+0x1c3/0x630
[<ffffffff816adb9e>] load_module+0x623e/0x76a0
[<ffffffff816af471>] __do_sys_finit_module+0x181/0x240
[<ffffffff89978f99>] do_syscall_64+0x39/0xb0
[<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fixes: c92316bf8e94 ("test_firmware: add batched firmware tests")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Link: https://lore.kernel.org/r/20221119035721.18268-1-shaozhengchao@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/test_firmware.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/test_firmware.c b/lib/test_firmware.c
index 2baa275a6ddf..76550d2e2edc 100644
--- a/lib/test_firmware.c
+++ b/lib/test_firmware.c
@@ -1114,6 +1114,7 @@ static int __init test_firmware_init(void)
rc = misc_register(&test_fw_misc_device);
if (rc) {
+ __test_firmware_config_free();
kfree(test_fw_config);
pr_err("could not register misc device: %d\n", rc);
return rc;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 360/783] misc: ocxl: fix possible name leak in ocxl_file_register_afu()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 359/783] test_firmware: fix memory leak in test_firmware_init() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 361/783] ocxl: fix pci device refcount leak when calling get_function_0() Greg Kroah-Hartman
` (432 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Andrew Donnellan,
Frederic Barrat, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit a4cb1004aeed2ab893a058fad00a5b41a12c4691 ]
If device_register() returns error in ocxl_file_register_afu(),
the name allocated by dev_set_name() need be freed. As comment
of device_register() says, it should use put_device() to give
up the reference in the error path. So fix this by calling
put_device(), then the name can be freed in kobject_cleanup(),
and info is freed in info_release().
Fixes: 75ca758adbaf ("ocxl: Create a clear delineation between ocxl backend & frontend")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
Link: https://lore.kernel.org/r/20221111145929.2429271-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/ocxl/file.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/misc/ocxl/file.c b/drivers/misc/ocxl/file.c
index e094809b54ff..524ded87964d 100644
--- a/drivers/misc/ocxl/file.c
+++ b/drivers/misc/ocxl/file.c
@@ -543,8 +543,11 @@ int ocxl_file_register_afu(struct ocxl_afu *afu)
goto err_put;
rc = device_register(&info->dev);
- if (rc)
- goto err_put;
+ if (rc) {
+ free_minor(info);
+ put_device(&info->dev);
+ return rc;
+ }
rc = ocxl_sysfs_register_afu(info);
if (rc)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 361/783] ocxl: fix pci device refcount leak when calling get_function_0()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 360/783] misc: ocxl: fix possible name leak in ocxl_file_register_afu() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 362/783] misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() Greg Kroah-Hartman
` (431 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Donnellan, Yang Yingliang,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 27158c72678b39ee01cc01de1aba6b51c71abe2f ]
get_function_0() calls pci_get_domain_bus_and_slot(), as comment
says, it returns a pci device with refcount increment, so after
using it, pci_dev_put() needs be called.
Get the device reference when get_function_0() is not called, so
pci_dev_put() can be called in the error path and callers
unconditionally. And add comment above get_dvsec_vendor0() to tell
callers to call pci_dev_put().
Fixes: 87db7579ebd5 ("ocxl: control via sysfs whether the FPGA is reloaded on a link reset")
Suggested-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
Link: https://lore.kernel.org/r/20221121154339.4088935-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/ocxl/config.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/ocxl/config.c b/drivers/misc/ocxl/config.c
index 4d490b92d951..3ced98b506f4 100644
--- a/drivers/misc/ocxl/config.c
+++ b/drivers/misc/ocxl/config.c
@@ -204,6 +204,18 @@ static int read_dvsec_vendor(struct pci_dev *dev)
return 0;
}
+/**
+ * get_dvsec_vendor0() - Find a related PCI device (function 0)
+ * @dev: PCI device to match
+ * @dev0: The PCI device (function 0) found
+ * @out_pos: The position of PCI device (function 0)
+ *
+ * Returns 0 on success, negative on failure.
+ *
+ * NOTE: If it's successful, the reference of dev0 is increased,
+ * so after using it, the callers must call pci_dev_put() to give
+ * up the reference.
+ */
static int get_dvsec_vendor0(struct pci_dev *dev, struct pci_dev **dev0,
int *out_pos)
{
@@ -213,10 +225,14 @@ static int get_dvsec_vendor0(struct pci_dev *dev, struct pci_dev **dev0,
dev = get_function_0(dev);
if (!dev)
return -1;
+ } else {
+ dev = pci_dev_get(dev);
}
pos = find_dvsec(dev, OCXL_DVSEC_VENDOR_ID);
- if (!pos)
+ if (!pos) {
+ pci_dev_put(dev);
return -1;
+ }
*dev0 = dev;
*out_pos = pos;
return 0;
@@ -233,6 +249,7 @@ int ocxl_config_get_reset_reload(struct pci_dev *dev, int *val)
pci_read_config_dword(dev0, pos + OCXL_DVSEC_VENDOR_RESET_RELOAD,
&reset_reload);
+ pci_dev_put(dev0);
*val = !!(reset_reload & BIT(0));
return 0;
}
@@ -254,6 +271,7 @@ int ocxl_config_set_reset_reload(struct pci_dev *dev, int val)
reset_reload &= ~BIT(0);
pci_write_config_dword(dev0, pos + OCXL_DVSEC_VENDOR_RESET_RELOAD,
reset_reload);
+ pci_dev_put(dev0);
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 362/783] misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 361/783] ocxl: fix pci device refcount leak when calling get_function_0() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 363/783] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os Greg Kroah-Hartman
` (430 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ruanjinjie, Sasha Levin
From: ruanjinjie <ruanjinjie@huawei.com>
[ Upstream commit fd2c930cf6a5b9176382c15f9acb1996e76e25ad ]
If device_register() returns error in tifm_7xx1_switch_media(),
name of kobject which is allocated in dev_set_name() called in device_add()
is leaked.
Never directly free @dev after calling device_register(), even
if it returned an error! Always use put_device() to give up the
reference initialized.
Fixes: 2428a8fe2261 ("tifm: move common device management tasks from tifm_7xx1 to tifm_core")
Signed-off-by: ruanjinjie <ruanjinjie@huawei.com>
Link: https://lore.kernel.org/r/20221117064725.3478402-1-ruanjinjie@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/tifm_7xx1.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/tifm_7xx1.c b/drivers/misc/tifm_7xx1.c
index 228f2eb1d476..2aebbfda104d 100644
--- a/drivers/misc/tifm_7xx1.c
+++ b/drivers/misc/tifm_7xx1.c
@@ -190,7 +190,7 @@ static void tifm_7xx1_switch_media(struct work_struct *work)
spin_unlock_irqrestore(&fm->lock, flags);
}
if (sock)
- tifm_free_device(&sock->dev);
+ put_device(&sock->dev);
}
spin_lock_irqsave(&fm->lock, flags);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 363/783] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 362/783] misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 364/783] firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe() Greg Kroah-Hartman
` (429 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zheng Wang, Dimitri Sivanich, Sasha Levin
From: Zheng Wang <zyytlz.wz@163.com>
[ Upstream commit 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc ]
In some bad situation, the gts may be freed gru_check_chiplet_assignment.
The call chain can be gru_unload_context->gru_free_gru_context->gts_drop
and kfree finally. However, the caller didn't know if the gts is freed
or not and use it afterwards. This will trigger a Use after Free bug.
Fix it by introducing a return value to see if it's in error path or not.
Free the gts in caller if gru_check_chiplet_assignment check failed.
Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Acked-by: Dimitri Sivanich <sivanich@hpe.com>
Link: https://lore.kernel.org/r/20221110035033.19498-1-zyytlz.wz@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/sgi-gru/grufault.c | 13 +++++++++++--
drivers/misc/sgi-gru/grumain.c | 22 ++++++++++++++++++----
drivers/misc/sgi-gru/grutables.h | 2 +-
3 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/drivers/misc/sgi-gru/grufault.c b/drivers/misc/sgi-gru/grufault.c
index 723825524ea0..9c7d475d1890 100644
--- a/drivers/misc/sgi-gru/grufault.c
+++ b/drivers/misc/sgi-gru/grufault.c
@@ -648,6 +648,7 @@ int gru_handle_user_call_os(unsigned long cb)
if ((cb & (GRU_HANDLE_STRIDE - 1)) || ucbnum >= GRU_NUM_CB)
return -EINVAL;
+again:
gts = gru_find_lock_gts(cb);
if (!gts)
return -EINVAL;
@@ -656,7 +657,11 @@ int gru_handle_user_call_os(unsigned long cb)
if (ucbnum >= gts->ts_cbr_au_count * GRU_CBR_AU_SIZE)
goto exit;
- gru_check_context_placement(gts);
+ if (gru_check_context_placement(gts)) {
+ gru_unlock_gts(gts);
+ gru_unload_context(gts, 1);
+ goto again;
+ }
/*
* CCH may contain stale data if ts_force_cch_reload is set.
@@ -874,7 +879,11 @@ int gru_set_context_option(unsigned long arg)
} else {
gts->ts_user_blade_id = req.val1;
gts->ts_user_chiplet_id = req.val0;
- gru_check_context_placement(gts);
+ if (gru_check_context_placement(gts)) {
+ gru_unlock_gts(gts);
+ gru_unload_context(gts, 1);
+ return ret;
+ }
}
break;
case sco_gseg_owner:
diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c
index 40ac59dd018c..e2325e3d077e 100644
--- a/drivers/misc/sgi-gru/grumain.c
+++ b/drivers/misc/sgi-gru/grumain.c
@@ -716,9 +716,10 @@ static int gru_check_chiplet_assignment(struct gru_state *gru,
* chiplet. Misassignment can occur if the process migrates to a different
* blade or if the user changes the selected blade/chiplet.
*/
-void gru_check_context_placement(struct gru_thread_state *gts)
+int gru_check_context_placement(struct gru_thread_state *gts)
{
struct gru_state *gru;
+ int ret = 0;
/*
* If the current task is the context owner, verify that the
@@ -726,15 +727,23 @@ void gru_check_context_placement(struct gru_thread_state *gts)
* references. Pthread apps use non-owner references to the CBRs.
*/
gru = gts->ts_gru;
+ /*
+ * If gru or gts->ts_tgid_owner isn't initialized properly, return
+ * success to indicate that the caller does not need to unload the
+ * gru context.The caller is responsible for their inspection and
+ * reinitialization if needed.
+ */
if (!gru || gts->ts_tgid_owner != current->tgid)
- return;
+ return ret;
if (!gru_check_chiplet_assignment(gru, gts)) {
STAT(check_context_unload);
- gru_unload_context(gts, 1);
+ ret = -EINVAL;
} else if (gru_retarget_intr(gts)) {
STAT(check_context_retarget_intr);
}
+
+ return ret;
}
@@ -934,7 +943,12 @@ vm_fault_t gru_fault(struct vm_fault *vmf)
mutex_lock(>s->ts_ctxlock);
preempt_disable();
- gru_check_context_placement(gts);
+ if (gru_check_context_placement(gts)) {
+ preempt_enable();
+ mutex_unlock(>s->ts_ctxlock);
+ gru_unload_context(gts, 1);
+ return VM_FAULT_NOPAGE;
+ }
if (!gts->ts_gru) {
STAT(load_user_context);
diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
index 5ce8f3081e96..10f0a083b1fa 100644
--- a/drivers/misc/sgi-gru/grutables.h
+++ b/drivers/misc/sgi-gru/grutables.h
@@ -637,7 +637,7 @@ extern int gru_user_flush_tlb(unsigned long arg);
extern int gru_user_unload_context(unsigned long arg);
extern int gru_get_exception_detail(unsigned long arg);
extern int gru_set_context_option(unsigned long address);
-extern void gru_check_context_placement(struct gru_thread_state *gts);
+extern int gru_check_context_placement(struct gru_thread_state *gts);
extern int gru_cpu_fault_map_id(void);
extern struct vm_area_struct *gru_find_vma(unsigned long vaddr);
extern void gru_flush_all_tlb(struct gru_state *gru);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 364/783] firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 363/783] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 365/783] cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() Greg Kroah-Hartman
` (428 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Joel Savitz, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 7b51161696e803fd5f9ad55b20a64c2df313f95c ]
In rpi_firmware_probe(), if mbox_request_channel() fails, the 'fw' will
not be freed through rpi_firmware_delete(), fix this leak by calling
kfree() in the error path.
Fixes: 1e7c57355a3b ("firmware: raspberrypi: Keep count of all consumers")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221117070636.3849773-1-yangyingliang@huawei.com
Acked-by: Joel Savitz <jsavitz@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/raspberrypi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/firmware/raspberrypi.c b/drivers/firmware/raspberrypi.c
index 1d965c1252ca..9eef49da47e0 100644
--- a/drivers/firmware/raspberrypi.c
+++ b/drivers/firmware/raspberrypi.c
@@ -265,6 +265,7 @@ static int rpi_firmware_probe(struct platform_device *pdev)
int ret = PTR_ERR(fw->chan);
if (ret != -EPROBE_DEFER)
dev_err(dev, "Failed to get mbox channel: %d\n", ret);
+ kfree(fw);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 365/783] cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 364/783] firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 366/783] cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() Greg Kroah-Hartman
` (427 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Andrew Donnellan,
Frederic Barrat, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 61c80d1c3833e196256fb060382db94f24d3d9a7 ]
If device_register() fails in cxl_register_afu|adapter(), the device
is not added, device_unregister() can not be called in the error path,
otherwise it will cause a null-ptr-deref because of removing not added
device.
As comment of device_register() says, it should use put_device() to give
up the reference in the error path. So split device_unregister() into
device_del() and put_device(), then goes to put dev when register fails.
Fixes: 14baf4d9c739 ("cxl: Add guest-specific code")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
Link: https://lore.kernel.org/r/20221111145440.2426970-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/cxl/guest.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/drivers/misc/cxl/guest.c b/drivers/misc/cxl/guest.c
index 186308f1f8eb..6334376826a9 100644
--- a/drivers/misc/cxl/guest.c
+++ b/drivers/misc/cxl/guest.c
@@ -959,10 +959,10 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n
* if it returns an error!
*/
if ((rc = cxl_register_afu(afu)))
- goto err_put1;
+ goto err_put_dev;
if ((rc = cxl_sysfs_afu_add(afu)))
- goto err_put1;
+ goto err_del_dev;
/*
* pHyp doesn't expose the programming models supported by the
@@ -978,7 +978,7 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n
afu->modes_supported = CXL_MODE_DIRECTED;
if ((rc = cxl_afu_select_best_mode(afu)))
- goto err_put2;
+ goto err_remove_sysfs;
adapter->afu[afu->slice] = afu;
@@ -998,10 +998,12 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n
return 0;
-err_put2:
+err_remove_sysfs:
cxl_sysfs_afu_remove(afu);
-err_put1:
- device_unregister(&afu->dev);
+err_del_dev:
+ device_del(&afu->dev);
+err_put_dev:
+ put_device(&afu->dev);
free = false;
guest_release_serr_irq(afu);
err2:
@@ -1135,18 +1137,20 @@ struct cxl *cxl_guest_init_adapter(struct device_node *np, struct platform_devic
* even if it returns an error!
*/
if ((rc = cxl_register_adapter(adapter)))
- goto err_put1;
+ goto err_put_dev;
if ((rc = cxl_sysfs_adapter_add(adapter)))
- goto err_put1;
+ goto err_del_dev;
/* release the context lock as the adapter is configured */
cxl_adapter_context_unlock(adapter);
return adapter;
-err_put1:
- device_unregister(&adapter->dev);
+err_del_dev:
+ device_del(&adapter->dev);
+err_put_dev:
+ put_device(&adapter->dev);
free = false;
cxl_guest_remove_chardev(adapter);
err1:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 366/783] cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 365/783] cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 367/783] iio: temperature: ltc2983: make bulk write buffer DMA-safe Greg Kroah-Hartman
` (426 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Frederic Barrat,
Andrew Donnellan, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 02cd3032b154fa02fdf90e7467abaeed889330b2 ]
If device_register() fails in cxl_pci_afu|adapter(), the device
is not added, device_unregister() can not be called in the error
path, otherwise it will cause a null-ptr-deref because of removing
not added device.
As comment of device_register() says, it should use put_device() to give
up the reference in the error path. So split device_unregister() into
device_del() and put_device(), then goes to put dev when register fails.
Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
Link: https://lore.kernel.org/r/20221111145440.2426970-2-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/cxl/pci.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/drivers/misc/cxl/pci.c b/drivers/misc/cxl/pci.c
index 2ba899f5659f..0ac3f4cb88ac 100644
--- a/drivers/misc/cxl/pci.c
+++ b/drivers/misc/cxl/pci.c
@@ -1164,10 +1164,10 @@ static int pci_init_afu(struct cxl *adapter, int slice, struct pci_dev *dev)
* if it returns an error!
*/
if ((rc = cxl_register_afu(afu)))
- goto err_put1;
+ goto err_put_dev;
if ((rc = cxl_sysfs_afu_add(afu)))
- goto err_put1;
+ goto err_del_dev;
adapter->afu[afu->slice] = afu;
@@ -1176,10 +1176,12 @@ static int pci_init_afu(struct cxl *adapter, int slice, struct pci_dev *dev)
return 0;
-err_put1:
+err_del_dev:
+ device_del(&afu->dev);
+err_put_dev:
pci_deconfigure_afu(afu);
cxl_debugfs_afu_remove(afu);
- device_unregister(&afu->dev);
+ put_device(&afu->dev);
return rc;
err_free_native:
@@ -1667,23 +1669,25 @@ static struct cxl *cxl_pci_init_adapter(struct pci_dev *dev)
* even if it returns an error!
*/
if ((rc = cxl_register_adapter(adapter)))
- goto err_put1;
+ goto err_put_dev;
if ((rc = cxl_sysfs_adapter_add(adapter)))
- goto err_put1;
+ goto err_del_dev;
/* Release the context lock as adapter is configured */
cxl_adapter_context_unlock(adapter);
return adapter;
-err_put1:
+err_del_dev:
+ device_del(&adapter->dev);
+err_put_dev:
/* This should mirror cxl_remove_adapter, except without the
* sysfs parts
*/
cxl_debugfs_adapter_remove(adapter);
cxl_deconfigure_adapter(adapter);
- device_unregister(&adapter->dev);
+ put_device(&adapter->dev);
return ERR_PTR(rc);
err_release:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 367/783] iio: temperature: ltc2983: make bulk write buffer DMA-safe
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 366/783] cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 368/783] genirq: Add IRQF_NO_AUTOEN for request_irq/nmi() Greg Kroah-Hartman
` (425 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cosmin Tanislav, Jonathan Cameron,
Sasha Levin
From: Cosmin Tanislav <cosmin.tanislav@analog.com>
[ Upstream commit 5e0176213949724fbe9a8e4a39817edce337b8a0 ]
regmap_bulk_write() does not guarantee implicit DMA-safety,
even though the current implementation duplicates the given
buffer. Do not rely on it.
Fixes: f110f3188e56 ("iio: temperature: Add support for LTC2983")
Signed-off-by: Cosmin Tanislav <cosmin.tanislav@analog.com>
Link: https://lore.kernel.org/r/20221103130041.2153295-2-demonsingur@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/temperature/ltc2983.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/iio/temperature/ltc2983.c b/drivers/iio/temperature/ltc2983.c
index 8306daa77908..b2ae2d2c7eef 100644
--- a/drivers/iio/temperature/ltc2983.c
+++ b/drivers/iio/temperature/ltc2983.c
@@ -205,6 +205,7 @@ struct ltc2983_data {
* Holds the converted temperature
*/
__be32 temp ____cacheline_aligned;
+ __be32 chan_val;
};
struct ltc2983_sensor {
@@ -309,19 +310,18 @@ static int __ltc2983_fault_handler(const struct ltc2983_data *st,
return 0;
}
-static int __ltc2983_chan_assign_common(const struct ltc2983_data *st,
+static int __ltc2983_chan_assign_common(struct ltc2983_data *st,
const struct ltc2983_sensor *sensor,
u32 chan_val)
{
u32 reg = LTC2983_CHAN_START_ADDR(sensor->chan);
- __be32 __chan_val;
chan_val |= LTC2983_CHAN_TYPE(sensor->type);
dev_dbg(&st->spi->dev, "Assign reg:0x%04X, val:0x%08X\n", reg,
chan_val);
- __chan_val = cpu_to_be32(chan_val);
- return regmap_bulk_write(st->regmap, reg, &__chan_val,
- sizeof(__chan_val));
+ st->chan_val = cpu_to_be32(chan_val);
+ return regmap_bulk_write(st->regmap, reg, &st->chan_val,
+ sizeof(st->chan_val));
}
static int __ltc2983_chan_custom_sensor_assign(struct ltc2983_data *st,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 368/783] genirq: Add IRQF_NO_AUTOEN for request_irq/nmi()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 367/783] iio: temperature: ltc2983: make bulk write buffer DMA-safe Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 369/783] iio:imu:adis: Use IRQF_NO_AUTOEN instead of irq request then disable Greg Kroah-Hartman
` (424 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Barry Song, Thomas Gleixner,
Ingo Molnar, dmitry.torokhov, Sasha Levin
From: Barry Song <song.bao.hua@hisilicon.com>
[ Upstream commit cbe16f35bee6880becca6f20d2ebf6b457148552 ]
Many drivers don't want interrupts enabled automatically via request_irq().
So they are handling this issue by either way of the below two:
(1)
irq_set_status_flags(irq, IRQ_NOAUTOEN);
request_irq(dev, irq...);
(2)
request_irq(dev, irq...);
disable_irq(irq);
The code in the second way is silly and unsafe. In the small time gap
between request_irq() and disable_irq(), interrupts can still come.
The code in the first way is safe though it's subobtimal.
Add a new IRQF_NO_AUTOEN flag which can be handed in by drivers to
request_irq() and request_nmi(). It prevents the automatic enabling of the
requested interrupt/nmi in the same safe way as #1 above. With that the
various usage sites of #1 and #2 above can be simplified and corrected.
Signed-off-by: Barry Song <song.bao.hua@hisilicon.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: dmitry.torokhov@gmail.com
Link: https://lore.kernel.org/r/20210302224916.13980-2-song.bao.hua@hisilicon.com
Stable-dep-of: 99c05e4283a1 ("iio: adis: add '__adis_enable_irq()' implementation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/interrupt.h | 4 ++++
kernel/irq/manage.c | 11 +++++++++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
index ee8299eb1f52..0652b4858ba6 100644
--- a/include/linux/interrupt.h
+++ b/include/linux/interrupt.h
@@ -61,6 +61,9 @@
* interrupt handler after suspending interrupts. For system
* wakeup devices users need to implement wakeup detection in
* their interrupt handlers.
+ * IRQF_NO_AUTOEN - Don't enable IRQ or NMI automatically when users request it.
+ * Users will enable it explicitly by enable_irq() or enable_nmi()
+ * later.
*/
#define IRQF_SHARED 0x00000080
#define IRQF_PROBE_SHARED 0x00000100
@@ -74,6 +77,7 @@
#define IRQF_NO_THREAD 0x00010000
#define IRQF_EARLY_RESUME 0x00020000
#define IRQF_COND_SUSPEND 0x00040000
+#define IRQF_NO_AUTOEN 0x00080000
#define IRQF_TIMER (__IRQF_TIMER | IRQF_NO_SUSPEND | IRQF_NO_THREAD)
diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
index 3cb29835632f..437b073dc487 100644
--- a/kernel/irq/manage.c
+++ b/kernel/irq/manage.c
@@ -1667,7 +1667,8 @@ __setup_irq(unsigned int irq, struct irq_desc *desc, struct irqaction *new)
irqd_set(&desc->irq_data, IRQD_NO_BALANCING);
}
- if (irq_settings_can_autoenable(desc)) {
+ if (!(new->flags & IRQF_NO_AUTOEN) &&
+ irq_settings_can_autoenable(desc)) {
irq_startup(desc, IRQ_RESEND, IRQ_START_COND);
} else {
/*
@@ -2054,10 +2055,15 @@ int request_threaded_irq(unsigned int irq, irq_handler_t handler,
* which interrupt is which (messes up the interrupt freeing
* logic etc).
*
+ * Also shared interrupts do not go well with disabling auto enable.
+ * The sharing interrupt might request it while it's still disabled
+ * and then wait for interrupts forever.
+ *
* Also IRQF_COND_SUSPEND only makes sense for shared interrupts and
* it cannot be set along with IRQF_NO_SUSPEND.
*/
if (((irqflags & IRQF_SHARED) && !dev_id) ||
+ ((irqflags & IRQF_SHARED) && (irqflags & IRQF_NO_AUTOEN)) ||
(!(irqflags & IRQF_SHARED) && (irqflags & IRQF_COND_SUSPEND)) ||
((irqflags & IRQF_NO_SUSPEND) && (irqflags & IRQF_COND_SUSPEND)))
return -EINVAL;
@@ -2213,7 +2219,8 @@ int request_nmi(unsigned int irq, irq_handler_t handler,
desc = irq_to_desc(irq);
- if (!desc || irq_settings_can_autoenable(desc) ||
+ if (!desc || (irq_settings_can_autoenable(desc) &&
+ !(irqflags & IRQF_NO_AUTOEN)) ||
!irq_settings_can_request(desc) ||
WARN_ON(irq_settings_is_per_cpu_devid(desc)) ||
!irq_supports_nmi(desc))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 369/783] iio:imu:adis: Use IRQF_NO_AUTOEN instead of irq request then disable
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 368/783] genirq: Add IRQF_NO_AUTOEN for request_irq/nmi() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 370/783] iio: adis: handle devices that cannot unmask the drdy pin Greg Kroah-Hartman
` (423 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Cameron,
Alexandru Ardelean, Nuno Sa, Barry Song, Andy Shevchenko,
Lars-Peter Clausen, Sasha Levin
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Upstream commit 30f6a542b7d39b1ba990a28a3891bc03691d8d41 ]
This is a bit involved as the adis library code already has some
sanity checking of the flags of the requested irq that we need
to ensure is happy to pass through the IRQF_NO_AUTOEN flag untouched.
Using this flag avoids us autoenabling the irq in the adis16460 and
adis16475 drivers which cover parts that don't have any means of
masking the interrupt on the device end.
Note, compile tested only!
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: Alexandru Ardelean <ardeleanalex@gmail.com>
Reviewed-by: Nuno Sa <nuno.sa@analog.com>
Reviewed-by: Barry Song <song.bao.hua@hisilicon.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
Link: https://lore.kernel.org/r/20210402184544.488862-7-jic23@kernel.org
Stable-dep-of: 99c05e4283a1 ("iio: adis: add '__adis_enable_irq()' implementation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/adis16460.c | 4 ++--
drivers/iio/imu/adis16475.c | 5 +++--
drivers/iio/imu/adis_trigger.c | 11 ++++++-----
3 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/drivers/iio/imu/adis16460.c b/drivers/iio/imu/adis16460.c
index 74a161e39733..73bf45e859b8 100644
--- a/drivers/iio/imu/adis16460.c
+++ b/drivers/iio/imu/adis16460.c
@@ -403,12 +403,12 @@ static int adis16460_probe(struct spi_device *spi)
if (ret)
return ret;
+ /* We cannot mask the interrupt, so ensure it isn't auto enabled */
+ st->adis.irq_flag |= IRQF_NO_AUTOEN;
ret = devm_adis_setup_buffer_and_trigger(&st->adis, indio_dev, NULL);
if (ret)
return ret;
- adis16460_enable_irq(&st->adis, 0);
-
ret = __adis_initial_startup(&st->adis);
if (ret)
return ret;
diff --git a/drivers/iio/imu/adis16475.c b/drivers/iio/imu/adis16475.c
index 3c4e4deb8760..8ab88ba4892c 100644
--- a/drivers/iio/imu/adis16475.c
+++ b/drivers/iio/imu/adis16475.c
@@ -1196,6 +1196,9 @@ static int adis16475_config_irq_pin(struct adis16475 *st)
return -EINVAL;
}
+ /* We cannot mask the interrupt so ensure it's not enabled at request */
+ st->adis.irq_flag |= IRQF_NO_AUTOEN;
+
val = ADIS16475_MSG_CTRL_DR_POL(polarity);
ret = __adis_update_bits(&st->adis, ADIS16475_REG_MSG_CTRL,
ADIS16475_MSG_CTRL_DR_POL_MASK, val);
@@ -1300,8 +1303,6 @@ static int adis16475_probe(struct spi_device *spi)
if (ret)
return ret;
- adis16475_enable_irq(&st->adis, false);
-
ret = devm_iio_device_register(&spi->dev, indio_dev);
if (ret)
return ret;
diff --git a/drivers/iio/imu/adis_trigger.c b/drivers/iio/imu/adis_trigger.c
index 64e0ba51cb18..17058ac7aa9f 100644
--- a/drivers/iio/imu/adis_trigger.c
+++ b/drivers/iio/imu/adis_trigger.c
@@ -36,18 +36,19 @@ static void adis_trigger_setup(struct adis *adis)
static int adis_validate_irq_flag(struct adis *adis)
{
+ unsigned long direction = adis->irq_flag & IRQF_TRIGGER_MASK;
/*
* Typically this devices have data ready either on the rising edge or
* on the falling edge of the data ready pin. This checks enforces that
* one of those is set in the drivers... It defaults to
- * IRQF_TRIGGER_RISING for backward compatibility wiht devices that
+ * IRQF_TRIGGER_RISING for backward compatibility with devices that
* don't support changing the pin polarity.
*/
- if (!adis->irq_flag) {
- adis->irq_flag = IRQF_TRIGGER_RISING;
+ if (direction == IRQF_TRIGGER_NONE) {
+ adis->irq_flag |= IRQF_TRIGGER_RISING;
return 0;
- } else if (adis->irq_flag != IRQF_TRIGGER_RISING &&
- adis->irq_flag != IRQF_TRIGGER_FALLING) {
+ } else if (direction != IRQF_TRIGGER_RISING &&
+ direction != IRQF_TRIGGER_FALLING) {
dev_err(&adis->spi->dev, "Invalid IRQ mask: %08lx\n",
adis->irq_flag);
return -EINVAL;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 370/783] iio: adis: handle devices that cannot unmask the drdy pin
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 369/783] iio:imu:adis: Use IRQF_NO_AUTOEN instead of irq request then disable Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 371/783] iio: adis: stylistic changes Greg Kroah-Hartman
` (422 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sá, Jonathan Cameron, Sasha Levin
From: Nuno Sá <nuno.sa@analog.com>
[ Upstream commit 31fa357ac809affd9f9a7d0b5d1991951e16beec ]
Some devices can't mask/unmask the data ready pin and in those cases
each driver was just calling '{dis}enable_irq()' to control the trigger
state. This change, moves that handling into the library by introducing
a new boolean in the data structure that tells the library that the
device cannot unmask the pin.
On top of controlling the trigger state, we can also use this flag to
automatically request the IRQ with 'IRQF_NO_AUTOEN' in case it is set.
So far, all users of the library want to start operation with IRQs/DRDY
pin disabled so it should be fairly safe to do this inside the library.
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20210903141423.517028-3-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 99c05e4283a1 ("iio: adis: add '__adis_enable_irq()' implementation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/adis.c | 15 ++++++++++++++-
drivers/iio/imu/adis_trigger.c | 4 ++++
include/linux/iio/imu/adis.h | 2 ++
3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/drivers/iio/imu/adis.c b/drivers/iio/imu/adis.c
index 715eef81bc24..5fcf269e98a6 100644
--- a/drivers/iio/imu/adis.c
+++ b/drivers/iio/imu/adis.c
@@ -290,6 +290,13 @@ int adis_enable_irq(struct adis *adis, bool enable)
if (adis->data->enable_irq) {
ret = adis->data->enable_irq(adis, enable);
goto out_unlock;
+ } else if (adis->data->unmasked_drdy) {
+ if (enable)
+ enable_irq(adis->spi->irq);
+ else
+ disable_irq(adis->spi->irq);
+
+ goto out_unlock;
}
ret = __adis_read_reg_16(adis, adis->data->msc_ctrl_reg, &msc);
@@ -434,7 +441,13 @@ int __adis_initial_startup(struct adis *adis)
if (ret)
return ret;
- adis_enable_irq(adis, false);
+ /*
+ * don't bother calling this if we can't unmask the IRQ as in this case
+ * the IRQ is most likely not yet requested and we will request it
+ * with 'IRQF_NO_AUTOEN' anyways.
+ */
+ if (!adis->data->unmasked_drdy)
+ adis_enable_irq(adis, false);
if (!adis->data->prod_id_reg)
return 0;
diff --git a/drivers/iio/imu/adis_trigger.c b/drivers/iio/imu/adis_trigger.c
index 17058ac7aa9f..76b0488ef41b 100644
--- a/drivers/iio/imu/adis_trigger.c
+++ b/drivers/iio/imu/adis_trigger.c
@@ -37,6 +37,10 @@ static void adis_trigger_setup(struct adis *adis)
static int adis_validate_irq_flag(struct adis *adis)
{
unsigned long direction = adis->irq_flag & IRQF_TRIGGER_MASK;
+
+ /* We cannot mask the interrupt so ensure it's not enabled at request */
+ if (adis->data->unmasked_drdy)
+ adis->irq_flag |= IRQF_NO_AUTOEN;
/*
* Typically this devices have data ready either on the rising edge or
* on the falling edge of the data ready pin. This checks enforces that
diff --git a/include/linux/iio/imu/adis.h b/include/linux/iio/imu/adis.h
index 04e96d688ba9..2ced0c88f481 100644
--- a/include/linux/iio/imu/adis.h
+++ b/include/linux/iio/imu/adis.h
@@ -49,6 +49,7 @@ struct adis_timeout {
* @status_error_mask: Bitmask of errors supported by the device
* @timeouts: Chip specific delays
* @enable_irq: Hook for ADIS devices that have a special IRQ enable/disable
+ * @unmasked_drdy: True for devices that cannot mask/unmask the data ready pin
* @has_paging: True if ADIS device has paged registers
* @burst_reg_cmd: Register command that triggers burst
* @burst_len: Burst size in the SPI RX buffer. If @burst_max_len is defined,
@@ -77,6 +78,7 @@ struct adis_data {
unsigned int status_error_mask;
int (*enable_irq)(struct adis *adis, bool enable);
+ bool unmasked_drdy;
bool has_paging;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 371/783] iio: adis: stylistic changes
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 370/783] iio: adis: handle devices that cannot unmask the drdy pin Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 372/783] iio:imu:adis: Move exports into IIO_ADISLIB namespace Greg Kroah-Hartman
` (421 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sá, Jonathan Cameron, Sasha Levin
From: Nuno Sá <nuno.sa@analog.com>
[ Upstream commit c39010ea6ba13bdf0003bd353e1d4c663aaac0a8 ]
Minor stylistic changes to address checkptach complains when called with
'--strict'.
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20220122130905.99-3-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: 99c05e4283a1 ("iio: adis: add '__adis_enable_irq()' implementation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/adis.c | 47 +++++++++++++++++----------------
drivers/iio/imu/adis_buffer.c | 6 ++---
drivers/iio/imu/adis_trigger.c | 3 +--
include/linux/iio/imu/adis.h | 48 ++++++++++++++++++----------------
4 files changed, 54 insertions(+), 50 deletions(-)
diff --git a/drivers/iio/imu/adis.c b/drivers/iio/imu/adis.c
index 5fcf269e98a6..54d1084f13d0 100644
--- a/drivers/iio/imu/adis.c
+++ b/drivers/iio/imu/adis.c
@@ -34,8 +34,8 @@
* @value: The value to write to device (up to 4 bytes)
* @size: The size of the @value (in bytes)
*/
-int __adis_write_reg(struct adis *adis, unsigned int reg,
- unsigned int value, unsigned int size)
+int __adis_write_reg(struct adis *adis, unsigned int reg, unsigned int value,
+ unsigned int size)
{
unsigned int page = reg / ADIS_PAGE_SIZE;
int ret, i;
@@ -118,7 +118,7 @@ int __adis_write_reg(struct adis *adis, unsigned int reg,
ret = spi_sync(adis->spi, &msg);
if (ret) {
dev_err(&adis->spi->dev, "Failed to write register 0x%02X: %d\n",
- reg, ret);
+ reg, ret);
} else {
adis->current_page = page;
}
@@ -134,8 +134,8 @@ EXPORT_SYMBOL_GPL(__adis_write_reg);
* @val: The value read back from the device
* @size: The size of the @val buffer
*/
-int __adis_read_reg(struct adis *adis, unsigned int reg,
- unsigned int *val, unsigned int size)
+int __adis_read_reg(struct adis *adis, unsigned int reg, unsigned int *val,
+ unsigned int size)
{
unsigned int page = reg / ADIS_PAGE_SIZE;
struct spi_message msg;
@@ -205,12 +205,12 @@ int __adis_read_reg(struct adis *adis, unsigned int reg,
ret = spi_sync(adis->spi, &msg);
if (ret) {
dev_err(&adis->spi->dev, "Failed to read register 0x%02X: %d\n",
- reg, ret);
+ reg, ret);
return ret;
- } else {
- adis->current_page = page;
}
+ adis->current_page = page;
+
switch (size) {
case 4:
*val = get_unaligned_be32(adis->rx);
@@ -251,13 +251,13 @@ EXPORT_SYMBOL_GPL(__adis_update_bits_base);
#ifdef CONFIG_DEBUG_FS
-int adis_debugfs_reg_access(struct iio_dev *indio_dev,
- unsigned int reg, unsigned int writeval, unsigned int *readval)
+int adis_debugfs_reg_access(struct iio_dev *indio_dev, unsigned int reg,
+ unsigned int writeval, unsigned int *readval)
{
struct adis *adis = iio_device_get_drvdata(indio_dev);
if (readval) {
- uint16_t val16;
+ u16 val16;
int ret;
ret = adis_read_reg_16(adis, reg, &val16);
@@ -265,9 +265,9 @@ int adis_debugfs_reg_access(struct iio_dev *indio_dev,
*readval = val16;
return ret;
- } else {
- return adis_write_reg_16(adis, reg, writeval);
}
+
+ return adis_write_reg_16(adis, reg, writeval);
}
EXPORT_SYMBOL(adis_debugfs_reg_access);
@@ -283,14 +283,16 @@ EXPORT_SYMBOL(adis_debugfs_reg_access);
int adis_enable_irq(struct adis *adis, bool enable)
{
int ret = 0;
- uint16_t msc;
+ u16 msc;
mutex_lock(&adis->state_lock);
if (adis->data->enable_irq) {
ret = adis->data->enable_irq(adis, enable);
goto out_unlock;
- } else if (adis->data->unmasked_drdy) {
+ }
+
+ if (adis->data->unmasked_drdy) {
if (enable)
enable_irq(adis->spi->irq);
else
@@ -326,7 +328,7 @@ EXPORT_SYMBOL(adis_enable_irq);
*/
int __adis_check_status(struct adis *adis)
{
- uint16_t status;
+ u16 status;
int ret;
int i;
@@ -362,7 +364,7 @@ int __adis_reset(struct adis *adis)
const struct adis_timeout *timeouts = adis->data->timeouts;
ret = __adis_write_reg_8(adis, adis->data->glob_cmd_reg,
- ADIS_GLOB_CMD_SW_RESET);
+ ADIS_GLOB_CMD_SW_RESET);
if (ret) {
dev_err(&adis->spi->dev, "Failed to reset device: %d\n", ret);
return ret;
@@ -418,7 +420,7 @@ int __adis_initial_startup(struct adis *adis)
{
const struct adis_timeout *timeouts = adis->data->timeouts;
struct gpio_desc *gpio;
- uint16_t prod_id;
+ u16 prod_id;
int ret;
/* check if the device has rst pin low */
@@ -427,7 +429,7 @@ int __adis_initial_startup(struct adis *adis)
return PTR_ERR(gpio);
if (gpio) {
- msleep(10);
+ usleep_range(10, 12);
/* bring device out of reset */
gpiod_set_value_cansleep(gpio, 0);
msleep(timeouts->reset_ms);
@@ -481,7 +483,8 @@ EXPORT_SYMBOL_GPL(__adis_initial_startup);
* a error bit in the channels raw value set error_mask to 0.
*/
int adis_single_conversion(struct iio_dev *indio_dev,
- const struct iio_chan_spec *chan, unsigned int error_mask, int *val)
+ const struct iio_chan_spec *chan,
+ unsigned int error_mask, int *val)
{
struct adis *adis = iio_device_get_drvdata(indio_dev);
unsigned int uval;
@@ -490,7 +493,7 @@ int adis_single_conversion(struct iio_dev *indio_dev,
mutex_lock(&adis->state_lock);
ret = __adis_read_reg(adis, chan->address, &uval,
- chan->scan_type.storagebits / 8);
+ chan->scan_type.storagebits / 8);
if (ret)
goto err_unlock;
@@ -525,7 +528,7 @@ EXPORT_SYMBOL_GPL(adis_single_conversion);
* called.
*/
int adis_init(struct adis *adis, struct iio_dev *indio_dev,
- struct spi_device *spi, const struct adis_data *data)
+ struct spi_device *spi, const struct adis_data *data)
{
if (!data || !data->timeouts) {
dev_err(&spi->dev, "No config data or timeouts not defined!\n");
diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c
index 175af154e443..7a7747617fca 100644
--- a/drivers/iio/imu/adis_buffer.c
+++ b/drivers/iio/imu/adis_buffer.c
@@ -20,7 +20,7 @@
#include <linux/iio/imu/adis.h>
static int adis_update_scan_mode_burst(struct iio_dev *indio_dev,
- const unsigned long *scan_mask)
+ const unsigned long *scan_mask)
{
struct adis *adis = iio_device_get_drvdata(indio_dev);
unsigned int burst_length, burst_max_length;
@@ -63,7 +63,7 @@ static int adis_update_scan_mode_burst(struct iio_dev *indio_dev,
}
int adis_update_scan_mode(struct iio_dev *indio_dev,
- const unsigned long *scan_mask)
+ const unsigned long *scan_mask)
{
struct adis *adis = iio_device_get_drvdata(indio_dev);
const struct iio_chan_spec *chan;
@@ -149,7 +149,7 @@ static irqreturn_t adis_trigger_handler(int irq, void *p)
}
iio_push_to_buffers_with_timestamp(indio_dev, adis->buffer,
- pf->timestamp);
+ pf->timestamp);
iio_trigger_notify_done(indio_dev->trig);
diff --git a/drivers/iio/imu/adis_trigger.c b/drivers/iio/imu/adis_trigger.c
index 76b0488ef41b..e7f0ee3e7a07 100644
--- a/drivers/iio/imu/adis_trigger.c
+++ b/drivers/iio/imu/adis_trigger.c
@@ -15,8 +15,7 @@
#include <linux/iio/trigger.h>
#include <linux/iio/imu/adis.h>
-static int adis_data_rdy_trigger_set_state(struct iio_trigger *trig,
- bool state)
+static int adis_data_rdy_trigger_set_state(struct iio_trigger *trig, bool state)
{
struct adis *adis = iio_trigger_get_drvdata(trig);
diff --git a/include/linux/iio/imu/adis.h b/include/linux/iio/imu/adis.h
index 2ced0c88f481..1b66953573ee 100644
--- a/include/linux/iio/imu/adis.h
+++ b/include/linux/iio/imu/adis.h
@@ -32,6 +32,7 @@ struct adis_timeout {
u16 sw_reset_ms;
u16 self_test_ms;
};
+
/**
* struct adis_data - ADIS chip variant specific data
* @read_delay: SPI delay for read operations in us
@@ -45,7 +46,7 @@ struct adis_timeout {
* @self_test_mask: Bitmask of supported self-test operations
* @self_test_reg: Register address to request self test command
* @self_test_no_autoclear: True if device's self-test needs clear of ctrl reg
- * @status_error_msgs: Array of error messgaes
+ * @status_error_msgs: Array of error messages
* @status_error_mask: Bitmask of errors supported by the device
* @timeouts: Chip specific delays
* @enable_irq: Hook for ADIS devices that have a special IRQ enable/disable
@@ -128,12 +129,12 @@ struct adis {
unsigned long irq_flag;
void *buffer;
- uint8_t tx[10] ____cacheline_aligned;
- uint8_t rx[4];
+ u8 tx[10] ____cacheline_aligned;
+ u8 rx[4];
};
int adis_init(struct adis *adis, struct iio_dev *indio_dev,
- struct spi_device *spi, const struct adis_data *data);
+ struct spi_device *spi, const struct adis_data *data);
int __adis_reset(struct adis *adis);
/**
@@ -154,9 +155,9 @@ static inline int adis_reset(struct adis *adis)
}
int __adis_write_reg(struct adis *adis, unsigned int reg,
- unsigned int val, unsigned int size);
+ unsigned int val, unsigned int size);
int __adis_read_reg(struct adis *adis, unsigned int reg,
- unsigned int *val, unsigned int size);
+ unsigned int *val, unsigned int size);
/**
* __adis_write_reg_8() - Write single byte to a register (unlocked)
@@ -165,7 +166,7 @@ int __adis_read_reg(struct adis *adis, unsigned int reg,
* @value: The value to write
*/
static inline int __adis_write_reg_8(struct adis *adis, unsigned int reg,
- uint8_t val)
+ u8 val)
{
return __adis_write_reg(adis, reg, val, 1);
}
@@ -177,7 +178,7 @@ static inline int __adis_write_reg_8(struct adis *adis, unsigned int reg,
* @value: Value to be written
*/
static inline int __adis_write_reg_16(struct adis *adis, unsigned int reg,
- uint16_t val)
+ u16 val)
{
return __adis_write_reg(adis, reg, val, 2);
}
@@ -189,7 +190,7 @@ static inline int __adis_write_reg_16(struct adis *adis, unsigned int reg,
* @value: Value to be written
*/
static inline int __adis_write_reg_32(struct adis *adis, unsigned int reg,
- uint32_t val)
+ u32 val)
{
return __adis_write_reg(adis, reg, val, 4);
}
@@ -201,7 +202,7 @@ static inline int __adis_write_reg_32(struct adis *adis, unsigned int reg,
* @val: The value read back from the device
*/
static inline int __adis_read_reg_16(struct adis *adis, unsigned int reg,
- uint16_t *val)
+ u16 *val)
{
unsigned int tmp;
int ret;
@@ -220,7 +221,7 @@ static inline int __adis_read_reg_16(struct adis *adis, unsigned int reg,
* @val: The value read back from the device
*/
static inline int __adis_read_reg_32(struct adis *adis, unsigned int reg,
- uint32_t *val)
+ u32 *val)
{
unsigned int tmp;
int ret;
@@ -240,7 +241,7 @@ static inline int __adis_read_reg_32(struct adis *adis, unsigned int reg,
* @size: The size of the @value (in bytes)
*/
static inline int adis_write_reg(struct adis *adis, unsigned int reg,
- unsigned int val, unsigned int size)
+ unsigned int val, unsigned int size)
{
int ret;
@@ -259,7 +260,7 @@ static inline int adis_write_reg(struct adis *adis, unsigned int reg,
* @size: The size of the @val buffer
*/
static int adis_read_reg(struct adis *adis, unsigned int reg,
- unsigned int *val, unsigned int size)
+ unsigned int *val, unsigned int size)
{
int ret;
@@ -277,7 +278,7 @@ static int adis_read_reg(struct adis *adis, unsigned int reg,
* @value: The value to write
*/
static inline int adis_write_reg_8(struct adis *adis, unsigned int reg,
- uint8_t val)
+ u8 val)
{
return adis_write_reg(adis, reg, val, 1);
}
@@ -289,7 +290,7 @@ static inline int adis_write_reg_8(struct adis *adis, unsigned int reg,
* @value: Value to be written
*/
static inline int adis_write_reg_16(struct adis *adis, unsigned int reg,
- uint16_t val)
+ u16 val)
{
return adis_write_reg(adis, reg, val, 2);
}
@@ -301,7 +302,7 @@ static inline int adis_write_reg_16(struct adis *adis, unsigned int reg,
* @value: Value to be written
*/
static inline int adis_write_reg_32(struct adis *adis, unsigned int reg,
- uint32_t val)
+ u32 val)
{
return adis_write_reg(adis, reg, val, 4);
}
@@ -313,7 +314,7 @@ static inline int adis_write_reg_32(struct adis *adis, unsigned int reg,
* @val: The value read back from the device
*/
static inline int adis_read_reg_16(struct adis *adis, unsigned int reg,
- uint16_t *val)
+ u16 *val)
{
unsigned int tmp;
int ret;
@@ -332,7 +333,7 @@ static inline int adis_read_reg_16(struct adis *adis, unsigned int reg,
* @val: The value read back from the device
*/
static inline int adis_read_reg_32(struct adis *adis, unsigned int reg,
- uint32_t *val)
+ u32 *val)
{
unsigned int tmp;
int ret;
@@ -431,8 +432,8 @@ static inline int adis_initial_startup(struct adis *adis)
}
int adis_single_conversion(struct iio_dev *indio_dev,
- const struct iio_chan_spec *chan, unsigned int error_mask,
- int *val);
+ const struct iio_chan_spec *chan,
+ unsigned int error_mask, int *val);
#define ADIS_VOLTAGE_CHAN(addr, si, chan, name, info_all, bits) { \
.type = IIO_VOLTAGE, \
@@ -481,7 +482,7 @@ int adis_single_conversion(struct iio_dev *indio_dev,
.modified = 1, \
.channel2 = IIO_MOD_ ## mod, \
.info_mask_separate = BIT(IIO_CHAN_INFO_RAW) | \
- info_sep, \
+ (info_sep), \
.info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), \
.info_mask_shared_by_all = info_all, \
.address = (addr), \
@@ -515,7 +516,7 @@ devm_adis_setup_buffer_and_trigger(struct adis *adis, struct iio_dev *indio_dev,
int devm_adis_probe_trigger(struct adis *adis, struct iio_dev *indio_dev);
int adis_update_scan_mode(struct iio_dev *indio_dev,
- const unsigned long *scan_mask);
+ const unsigned long *scan_mask);
#else /* CONFIG_IIO_BUFFER */
@@ -539,7 +540,8 @@ static inline int devm_adis_probe_trigger(struct adis *adis,
#ifdef CONFIG_DEBUG_FS
int adis_debugfs_reg_access(struct iio_dev *indio_dev,
- unsigned int reg, unsigned int writeval, unsigned int *readval);
+ unsigned int reg, unsigned int writeval,
+ unsigned int *readval);
#else
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 372/783] iio:imu:adis: Move exports into IIO_ADISLIB namespace
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 371/783] iio: adis: stylistic changes Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 373/783] iio: adis: add __adis_enable_irq() implementation Greg Kroah-Hartman
` (420 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Cameron,
Lars-Peter Clausen, Song Bao Hua (Barry Song),
Andy Shevchenko, Sasha Levin
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Upstream commit 6c9304d6af122f9afea41885ad82ed627e9442a8 ]
In order to avoid unneessary pollution of the global symbol namespace
move the common/library functions into a specific namespace and import
that into the various specific device drivers that use them.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: Lars-Peter Clausen <lars@metafoo.de>
Cc: Song Bao Hua (Barry Song) <song.bao.hua@hisilicon.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220130205701.334592-9-jic23@kernel.org
Stable-dep-of: 99c05e4283a1 ("iio: adis: add '__adis_enable_irq()' implementation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/accel/adis16201.c | 1 +
drivers/iio/accel/adis16209.c | 1 +
drivers/iio/gyro/adis16136.c | 1 +
drivers/iio/gyro/adis16260.c | 1 +
drivers/iio/imu/adis.c | 20 ++++++++++----------
drivers/iio/imu/adis16400.c | 1 +
drivers/iio/imu/adis16460.c | 1 +
drivers/iio/imu/adis16475.c | 1 +
drivers/iio/imu/adis16480.c | 1 +
drivers/iio/imu/adis_buffer.c | 4 ++--
drivers/iio/imu/adis_trigger.c | 2 +-
drivers/staging/iio/accel/adis16203.c | 1 +
drivers/staging/iio/accel/adis16240.c | 1 +
13 files changed, 23 insertions(+), 13 deletions(-)
diff --git a/drivers/iio/accel/adis16201.c b/drivers/iio/accel/adis16201.c
index 84bbdfd2f2ba..b4ae4f86da3e 100644
--- a/drivers/iio/accel/adis16201.c
+++ b/drivers/iio/accel/adis16201.c
@@ -304,3 +304,4 @@ MODULE_AUTHOR("Barry Song <21cnbao@gmail.com>");
MODULE_DESCRIPTION("Analog Devices ADIS16201 Dual-Axis Digital Inclinometer and Accelerometer");
MODULE_LICENSE("GPL v2");
MODULE_ALIAS("spi:adis16201");
+MODULE_IMPORT_NS(IIO_ADISLIB);
diff --git a/drivers/iio/accel/adis16209.c b/drivers/iio/accel/adis16209.c
index 4a841aec6268..e6e465f397d9 100644
--- a/drivers/iio/accel/adis16209.c
+++ b/drivers/iio/accel/adis16209.c
@@ -314,3 +314,4 @@ MODULE_AUTHOR("Barry Song <21cnbao@gmail.com>");
MODULE_DESCRIPTION("Analog Devices ADIS16209 Dual-Axis Digital Inclinometer and Accelerometer");
MODULE_LICENSE("GPL v2");
MODULE_ALIAS("spi:adis16209");
+MODULE_IMPORT_NS(IIO_ADISLIB);
diff --git a/drivers/iio/gyro/adis16136.c b/drivers/iio/gyro/adis16136.c
index a11ae9db0d11..74db8edb4283 100644
--- a/drivers/iio/gyro/adis16136.c
+++ b/drivers/iio/gyro/adis16136.c
@@ -599,3 +599,4 @@ module_spi_driver(adis16136_driver);
MODULE_AUTHOR("Lars-Peter Clausen <lars@metafoo.de>");
MODULE_DESCRIPTION("Analog Devices ADIS16133/ADIS16135/ADIS16136 gyroscope driver");
MODULE_LICENSE("GPL v2");
+MODULE_IMPORT_NS(IIO_ADISLIB);
diff --git a/drivers/iio/gyro/adis16260.c b/drivers/iio/gyro/adis16260.c
index e7c9a3e31c45..1e45d93de5b7 100644
--- a/drivers/iio/gyro/adis16260.c
+++ b/drivers/iio/gyro/adis16260.c
@@ -438,3 +438,4 @@ module_spi_driver(adis16260_driver);
MODULE_AUTHOR("Barry Song <21cnbao@gmail.com>");
MODULE_DESCRIPTION("Analog Devices ADIS16260/5 Digital Gyroscope Sensor");
MODULE_LICENSE("GPL v2");
+MODULE_IMPORT_NS(IIO_ADISLIB);
diff --git a/drivers/iio/imu/adis.c b/drivers/iio/imu/adis.c
index 54d1084f13d0..b0a426053c20 100644
--- a/drivers/iio/imu/adis.c
+++ b/drivers/iio/imu/adis.c
@@ -125,7 +125,7 @@ int __adis_write_reg(struct adis *adis, unsigned int reg, unsigned int value,
return ret;
}
-EXPORT_SYMBOL_GPL(__adis_write_reg);
+EXPORT_SYMBOL_NS_GPL(__adis_write_reg, IIO_ADISLIB);
/**
* __adis_read_reg() - read N bytes from register (unlocked version)
@@ -222,7 +222,7 @@ int __adis_read_reg(struct adis *adis, unsigned int reg, unsigned int *val,
return ret;
}
-EXPORT_SYMBOL_GPL(__adis_read_reg);
+EXPORT_SYMBOL_NS_GPL(__adis_read_reg, IIO_ADISLIB);
/**
* __adis_update_bits_base() - ADIS Update bits function - Unlocked version
* @adis: The adis device
@@ -247,7 +247,7 @@ int __adis_update_bits_base(struct adis *adis, unsigned int reg, const u32 mask,
return __adis_write_reg(adis, reg, __val, size);
}
-EXPORT_SYMBOL_GPL(__adis_update_bits_base);
+EXPORT_SYMBOL_NS_GPL(__adis_update_bits_base, IIO_ADISLIB);
#ifdef CONFIG_DEBUG_FS
@@ -269,7 +269,7 @@ int adis_debugfs_reg_access(struct iio_dev *indio_dev, unsigned int reg,
return adis_write_reg_16(adis, reg, writeval);
}
-EXPORT_SYMBOL(adis_debugfs_reg_access);
+EXPORT_SYMBOL_NS(adis_debugfs_reg_access, IIO_ADISLIB);
#endif
@@ -318,7 +318,7 @@ int adis_enable_irq(struct adis *adis, bool enable)
mutex_unlock(&adis->state_lock);
return ret;
}
-EXPORT_SYMBOL(adis_enable_irq);
+EXPORT_SYMBOL_NS(adis_enable_irq, IIO_ADISLIB);
/**
* __adis_check_status() - Check the device for error conditions (unlocked)
@@ -350,7 +350,7 @@ int __adis_check_status(struct adis *adis)
return -EIO;
}
-EXPORT_SYMBOL_GPL(__adis_check_status);
+EXPORT_SYMBOL_NS_GPL(__adis_check_status, IIO_ADISLIB);
/**
* __adis_reset() - Reset the device (unlocked version)
@@ -374,7 +374,7 @@ int __adis_reset(struct adis *adis)
return 0;
}
-EXPORT_SYMBOL_GPL(__adis_reset);
+EXPORT_SYMBOL_NS_GPL(__adis_reset, IIO_ADIS_LIB);
static int adis_self_test(struct adis *adis)
{
@@ -465,7 +465,7 @@ int __adis_initial_startup(struct adis *adis)
return 0;
}
-EXPORT_SYMBOL_GPL(__adis_initial_startup);
+EXPORT_SYMBOL_NS_GPL(__adis_initial_startup, IIO_ADISLIB);
/**
* adis_single_conversion() - Performs a single sample conversion
@@ -513,7 +513,7 @@ int adis_single_conversion(struct iio_dev *indio_dev,
mutex_unlock(&adis->state_lock);
return ret;
}
-EXPORT_SYMBOL_GPL(adis_single_conversion);
+EXPORT_SYMBOL_NS_GPL(adis_single_conversion, IIO_ADISLIB);
/**
* adis_init() - Initialize adis device structure
@@ -550,7 +550,7 @@ int adis_init(struct adis *adis, struct iio_dev *indio_dev,
return 0;
}
-EXPORT_SYMBOL_GPL(adis_init);
+EXPORT_SYMBOL_NS_GPL(adis_init, IIO_ADISLIB);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Lars-Peter Clausen <lars@metafoo.de>");
diff --git a/drivers/iio/imu/adis16400.c b/drivers/iio/imu/adis16400.c
index 4aff16466da0..c5255116954a 100644
--- a/drivers/iio/imu/adis16400.c
+++ b/drivers/iio/imu/adis16400.c
@@ -1252,3 +1252,4 @@ module_spi_driver(adis16400_driver);
MODULE_AUTHOR("Manuel Stahl <manuel.stahl@iis.fraunhofer.de>");
MODULE_DESCRIPTION("Analog Devices ADIS16400/5 IMU SPI driver");
MODULE_LICENSE("GPL v2");
+MODULE_IMPORT_NS(IIO_ADISLIB);
diff --git a/drivers/iio/imu/adis16460.c b/drivers/iio/imu/adis16460.c
index 73bf45e859b8..a28143a19d3a 100644
--- a/drivers/iio/imu/adis16460.c
+++ b/drivers/iio/imu/adis16460.c
@@ -447,3 +447,4 @@ module_spi_driver(adis16460_driver);
MODULE_AUTHOR("Dragos Bogdan <dragos.bogdan@analog.com>");
MODULE_DESCRIPTION("Analog Devices ADIS16460 IMU driver");
MODULE_LICENSE("GPL");
+MODULE_IMPORT_NS(IIO_ADISLIB);
diff --git a/drivers/iio/imu/adis16475.c b/drivers/iio/imu/adis16475.c
index 8ab88ba4892c..aed1cf3bfa13 100644
--- a/drivers/iio/imu/adis16475.c
+++ b/drivers/iio/imu/adis16475.c
@@ -1324,3 +1324,4 @@ module_spi_driver(adis16475_driver);
MODULE_AUTHOR("Nuno Sa <nuno.sa@analog.com>");
MODULE_DESCRIPTION("Analog Devices ADIS16475 IMU driver");
MODULE_LICENSE("GPL");
+MODULE_IMPORT_NS(IIO_ADISLIB);
diff --git a/drivers/iio/imu/adis16480.c b/drivers/iio/imu/adis16480.c
index dfe86c589325..c6a3d9a04fce 100644
--- a/drivers/iio/imu/adis16480.c
+++ b/drivers/iio/imu/adis16480.c
@@ -1340,3 +1340,4 @@ module_spi_driver(adis16480_driver);
MODULE_AUTHOR("Lars-Peter Clausen <lars@metafoo.de>");
MODULE_DESCRIPTION("Analog Devices ADIS16480 IMU driver");
MODULE_LICENSE("GPL v2");
+MODULE_IMPORT_NS(IIO_ADISLIB);
diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c
index 7a7747617fca..7cc1145910f6 100644
--- a/drivers/iio/imu/adis_buffer.c
+++ b/drivers/iio/imu/adis_buffer.c
@@ -120,7 +120,7 @@ int adis_update_scan_mode(struct iio_dev *indio_dev,
return 0;
}
-EXPORT_SYMBOL_GPL(adis_update_scan_mode);
+EXPORT_SYMBOL_NS_GPL(adis_update_scan_mode, IIO_ADISLIB);
static irqreturn_t adis_trigger_handler(int irq, void *p)
{
@@ -202,5 +202,5 @@ devm_adis_setup_buffer_and_trigger(struct adis *adis, struct iio_dev *indio_dev,
return devm_add_action_or_reset(&adis->spi->dev, adis_buffer_cleanup,
adis);
}
-EXPORT_SYMBOL_GPL(devm_adis_setup_buffer_and_trigger);
+EXPORT_SYMBOL_NS_GPL(devm_adis_setup_buffer_and_trigger, IIO_ADISLIB);
diff --git a/drivers/iio/imu/adis_trigger.c b/drivers/iio/imu/adis_trigger.c
index e7f0ee3e7a07..80adfa58e50c 100644
--- a/drivers/iio/imu/adis_trigger.c
+++ b/drivers/iio/imu/adis_trigger.c
@@ -92,5 +92,5 @@ int devm_adis_probe_trigger(struct adis *adis, struct iio_dev *indio_dev)
return devm_iio_trigger_register(&adis->spi->dev, adis->trig);
}
-EXPORT_SYMBOL_GPL(devm_adis_probe_trigger);
+EXPORT_SYMBOL_NS_GPL(devm_adis_probe_trigger, IIO_ADISLIB);
diff --git a/drivers/staging/iio/accel/adis16203.c b/drivers/staging/iio/accel/adis16203.c
index b68304da288b..7be44ff2c943 100644
--- a/drivers/staging/iio/accel/adis16203.c
+++ b/drivers/staging/iio/accel/adis16203.c
@@ -318,3 +318,4 @@ MODULE_AUTHOR("Barry Song <21cnbao@gmail.com>");
MODULE_DESCRIPTION("Analog Devices ADIS16203 Programmable 360 Degrees Inclinometer");
MODULE_LICENSE("GPL v2");
MODULE_ALIAS("spi:adis16203");
+MODULE_IMPORT_NS(IIO_ADISLIB);
diff --git a/drivers/staging/iio/accel/adis16240.c b/drivers/staging/iio/accel/adis16240.c
index 5064adce5f58..dbbbf81207f9 100644
--- a/drivers/staging/iio/accel/adis16240.c
+++ b/drivers/staging/iio/accel/adis16240.c
@@ -445,3 +445,4 @@ MODULE_AUTHOR("Barry Song <21cnbao@gmail.com>");
MODULE_DESCRIPTION("Analog Devices Programmable Impact Sensor and Recorder");
MODULE_LICENSE("GPL v2");
MODULE_ALIAS("spi:adis16240");
+MODULE_IMPORT_NS(IIO_ADISLIB);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 373/783] iio: adis: add __adis_enable_irq() implementation
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 372/783] iio:imu:adis: Move exports into IIO_ADISLIB namespace Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 374/783] counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update Greg Kroah-Hartman
` (419 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ramona Bolboaca, Nuno Sá,
Jonathan Cameron, Sasha Levin
From: Ramona Bolboaca <ramona.bolboaca@analog.com>
[ Upstream commit 99c05e4283a19a02a256f14100ca4ec3b2da3f62 ]
Add '__adis_enable_irq()' implementation which is the unlocked
version of 'adis_enable_irq()'.
Call '__adis_enable_irq()' instead of 'adis_enable_irq()' from
'__adis_intial_startup()' to keep the expected unlocked functionality.
This fix is needed to remove a deadlock for all devices which are
using 'adis_initial_startup()'. The deadlock occurs because the
same mutex is acquired twice, without releasing it.
The mutex is acquired once inside 'adis_initial_startup()', before
calling '__adis_initial_startup()', and once inside
'adis_enable_irq()', which is called by '__adis_initial_startup()'.
The deadlock is removed by calling '__adis_enable_irq()', instead of
'adis_enable_irq()' from within '__adis_initial_startup()'.
Fixes: b600bd7eb3335 ("iio: adis: do not disabe IRQs in 'adis_init()'")
Signed-off-by: Ramona Bolboaca <ramona.bolboaca@analog.com>
Reviewed-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20221122082757.449452-2-ramona.bolboaca@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/imu/adis.c | 28 ++++++++++------------------
include/linux/iio/imu/adis.h | 13 ++++++++++++-
2 files changed, 22 insertions(+), 19 deletions(-)
diff --git a/drivers/iio/imu/adis.c b/drivers/iio/imu/adis.c
index b0a426053c20..e9821814afec 100644
--- a/drivers/iio/imu/adis.c
+++ b/drivers/iio/imu/adis.c
@@ -274,23 +274,19 @@ EXPORT_SYMBOL_NS(adis_debugfs_reg_access, IIO_ADISLIB);
#endif
/**
- * adis_enable_irq() - Enable or disable data ready IRQ
+ * __adis_enable_irq() - Enable or disable data ready IRQ (unlocked)
* @adis: The adis device
* @enable: Whether to enable the IRQ
*
* Returns 0 on success, negative error code otherwise
*/
-int adis_enable_irq(struct adis *adis, bool enable)
+int __adis_enable_irq(struct adis *adis, bool enable)
{
- int ret = 0;
+ int ret;
u16 msc;
- mutex_lock(&adis->state_lock);
-
- if (adis->data->enable_irq) {
- ret = adis->data->enable_irq(adis, enable);
- goto out_unlock;
- }
+ if (adis->data->enable_irq)
+ return adis->data->enable_irq(adis, enable);
if (adis->data->unmasked_drdy) {
if (enable)
@@ -298,12 +294,12 @@ int adis_enable_irq(struct adis *adis, bool enable)
else
disable_irq(adis->spi->irq);
- goto out_unlock;
+ return 0;
}
ret = __adis_read_reg_16(adis, adis->data->msc_ctrl_reg, &msc);
if (ret)
- goto out_unlock;
+ return ret;
msc |= ADIS_MSC_CTRL_DATA_RDY_POL_HIGH;
msc &= ~ADIS_MSC_CTRL_DATA_RDY_DIO2;
@@ -312,13 +308,9 @@ int adis_enable_irq(struct adis *adis, bool enable)
else
msc &= ~ADIS_MSC_CTRL_DATA_RDY_EN;
- ret = __adis_write_reg_16(adis, adis->data->msc_ctrl_reg, msc);
-
-out_unlock:
- mutex_unlock(&adis->state_lock);
- return ret;
+ return __adis_write_reg_16(adis, adis->data->msc_ctrl_reg, msc);
}
-EXPORT_SYMBOL_NS(adis_enable_irq, IIO_ADISLIB);
+EXPORT_SYMBOL_NS(__adis_enable_irq, IIO_ADISLIB);
/**
* __adis_check_status() - Check the device for error conditions (unlocked)
@@ -449,7 +441,7 @@ int __adis_initial_startup(struct adis *adis)
* with 'IRQF_NO_AUTOEN' anyways.
*/
if (!adis->data->unmasked_drdy)
- adis_enable_irq(adis, false);
+ __adis_enable_irq(adis, false);
if (!adis->data->prod_id_reg)
return 0;
diff --git a/include/linux/iio/imu/adis.h b/include/linux/iio/imu/adis.h
index 1b66953573ee..5f45b785e794 100644
--- a/include/linux/iio/imu/adis.h
+++ b/include/linux/iio/imu/adis.h
@@ -404,9 +404,20 @@ static inline int adis_update_bits_base(struct adis *adis, unsigned int reg,
__adis_update_bits_base(adis, reg, mask, val, 2)); \
})
-int adis_enable_irq(struct adis *adis, bool enable);
int __adis_check_status(struct adis *adis);
int __adis_initial_startup(struct adis *adis);
+int __adis_enable_irq(struct adis *adis, bool enable);
+
+static inline int adis_enable_irq(struct adis *adis, bool enable)
+{
+ int ret;
+
+ mutex_lock(&adis->state_lock);
+ ret = __adis_enable_irq(adis, enable);
+ mutex_unlock(&adis->state_lock);
+
+ return ret;
+}
static inline int adis_check_status(struct adis *adis)
{
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 374/783] counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 373/783] iio: adis: add __adis_enable_irq() implementation Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 375/783] usb: roles: fix of node refcount leak in usb_role_switch_is_parent() Greg Kroah-Hartman
` (418 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabrice Gasnier,
William Breathitt Gray, Sasha Levin
From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
[ Upstream commit fd5ac974fc25feed084c2d1599d0dddb4e0556bc ]
The ARR (auto reload register) and CMP (compare) registers are
successively written. The status bits to check the update of these
registers are polled together with regmap_read_poll_timeout().
The condition to end the loop may become true, even if one of the register
isn't correctly updated.
So ensure both status bits are set before clearing them.
Fixes: d8958824cf07 ("iio: counter: Add support for STM32 LPTimer")
Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
Link: https://lore.kernel.org/r/20221123133609.465614-1-fabrice.gasnier@foss.st.com/
Signed-off-by: William Breathitt Gray <william.gray@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/counter/stm32-lptimer-cnt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/counter/stm32-lptimer-cnt.c b/drivers/counter/stm32-lptimer-cnt.c
index 937439635d53..b084e971a493 100644
--- a/drivers/counter/stm32-lptimer-cnt.c
+++ b/drivers/counter/stm32-lptimer-cnt.c
@@ -69,7 +69,7 @@ static int stm32_lptim_set_enable_state(struct stm32_lptim_cnt *priv,
/* ensure CMP & ARR registers are properly written */
ret = regmap_read_poll_timeout(priv->regmap, STM32_LPTIM_ISR, val,
- (val & STM32_LPTIM_CMPOK_ARROK),
+ (val & STM32_LPTIM_CMPOK_ARROK) == STM32_LPTIM_CMPOK_ARROK,
100, 1000);
if (ret)
return ret;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 375/783] usb: roles: fix of node refcount leak in usb_role_switch_is_parent()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 374/783] counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 376/783] usb: gadget: f_hid: optional SETUP/SET_REPORT mode Greg Kroah-Hartman
` (417 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, Yang Yingliang,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 1ab30c610630da5391a373cddb8a065bf4c4bc01 ]
I got the following report while doing device(mt6370-tcpc) load
test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:
OF: ERROR: memory leak, expected refcount 1 instead of 2,
of_node_get()/of_node_put() unbalanced - destroy cset entry:
attach overlay node /i2c/pmic@34
The 'parent' returned by fwnode_get_parent() with refcount incremented.
it needs be put after using.
Fixes: 6fadd72943b8 ("usb: roles: get usb-role-switch from parent")
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221122111226.251588-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/roles/class.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/roles/class.c b/drivers/usb/roles/class.c
index 33b637d0d8d9..5cc20275335d 100644
--- a/drivers/usb/roles/class.c
+++ b/drivers/usb/roles/class.c
@@ -106,10 +106,13 @@ usb_role_switch_is_parent(struct fwnode_handle *fwnode)
struct fwnode_handle *parent = fwnode_get_parent(fwnode);
struct device *dev;
- if (!parent || !fwnode_property_present(parent, "usb-role-switch"))
+ if (!fwnode_property_present(parent, "usb-role-switch")) {
+ fwnode_handle_put(parent);
return NULL;
+ }
dev = class_find_device_by_fwnode(role_class, parent);
+ fwnode_handle_put(parent);
return dev ? to_role_switch(dev) : ERR_PTR(-EPROBE_DEFER);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 376/783] usb: gadget: f_hid: optional SETUP/SET_REPORT mode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 375/783] usb: roles: fix of node refcount leak in usb_role_switch_is_parent() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 377/783] usb: gadget: f_hid: fix f_hidg lifetime vs cdev Greg Kroah-Hartman
` (416 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maciej Żenczykowski,
Felipe Balbi, Maxim Devaev, Sasha Levin
From: Maxim Devaev <mdevaev@gmail.com>
[ Upstream commit d7428bc26fc767942c38d74b80299bcd4f01e7cb ]
f_hid provides the OUT Endpoint as only way for receiving reports
from the host. SETUP/SET_REPORT method is not supported, and this causes
a number of compatibility problems with various host drivers, especially
in the case of keyboard emulation using f_hid.
- Some hosts do not support the OUT Endpoint and ignore it,
so it becomes impossible for the gadget to receive a report
from the host. In the case of a keyboard, the gadget loses
the ability to receive the status of the LEDs.
- Some BIOSes/UEFIs can't work with HID devices with the OUT Endpoint
at all. This may be due to their bugs or incomplete implementation
of the HID standard.
For example, absolutely all Apple UEFIs can't handle the OUT Endpoint
if it goes after IN Endpoint in the descriptor and require the reverse
order (OUT, IN) which is a violation of the standard.
Other hosts either do not initialize gadgets with a descriptor
containing the OUT Endpoint completely (like some HP and DELL BIOSes
and embedded firmwares like on KVM switches), or initialize them,
but will not poll the IN Endpoint.
This patch adds configfs option no_out_endpoint=1 to disable
the OUT Endpoint and allows f_hid to receive reports from the host
via SETUP/SET_REPORT.
Previously, there was such a feature in f_hid, but it was replaced
by the OUT Endpoint [1] in the commit 99c515005857 ("usb: gadget: hidg:
register OUT INT endpoint for SET_REPORT"). So this patch actually
returns the removed functionality while making it optional.
For backward compatibility reasons, the OUT Endpoint mode remains
the default behaviour.
- The OUT Endpoint mode provides the report queue and reduces
USB overhead (eliminating SETUP routine) on transmitting a report
from the host.
- If the SETUP/SET_REPORT mode is used, there is no report queue,
so the userspace will only read last report. For classic HID devices
like keyboards this is not a problem, since it's intended to transmit
the status of the LEDs and only the last report is important.
This mode provides better compatibility with strange and buggy
host drivers.
Both modes passed USBCV tests. Checking with the USB protocol analyzer
also confirmed that everything is working as it should and the new mode
ensures operability in all of the described cases.
Link: https://www.spinics.net/lists/linux-usb/msg65494.html [1]
Reviewed-by: Maciej Żenczykowski <zenczykowski@gmail.com>
Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Maxim Devaev <mdevaev@gmail.com>
Link: https://lore.kernel.org/r/20210821134004.363217-1-mdevaev@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 89ff3dfac604 ("usb: gadget: f_hid: fix f_hidg lifetime vs cdev")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_hid.c | 220 +++++++++++++++++++++++-----
drivers/usb/gadget/function/u_hid.h | 1 +
2 files changed, 188 insertions(+), 33 deletions(-)
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 6742271cd6e6..8cb199f52b52 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -45,12 +45,25 @@ struct f_hidg {
unsigned short report_desc_length;
char *report_desc;
unsigned short report_length;
+ /*
+ * use_out_ep - if true, the OUT Endpoint (interrupt out method)
+ * will be used to receive reports from the host
+ * using functions with the "intout" suffix.
+ * Otherwise, the OUT Endpoint will not be configured
+ * and the SETUP/SET_REPORT method ("ssreport" suffix)
+ * will be used to receive reports.
+ */
+ bool use_out_ep;
/* recv report */
- struct list_head completed_out_req;
spinlock_t read_spinlock;
wait_queue_head_t read_queue;
+ /* recv report - interrupt out only (use_out_ep == 1) */
+ struct list_head completed_out_req;
unsigned int qlen;
+ /* recv report - setup set_report only (use_out_ep == 0) */
+ char *set_report_buf;
+ unsigned int set_report_length;
/* send report */
spinlock_t write_spinlock;
@@ -79,7 +92,7 @@ static struct usb_interface_descriptor hidg_interface_desc = {
.bDescriptorType = USB_DT_INTERFACE,
/* .bInterfaceNumber = DYNAMIC */
.bAlternateSetting = 0,
- .bNumEndpoints = 2,
+ /* .bNumEndpoints = DYNAMIC (depends on use_out_ep) */
.bInterfaceClass = USB_CLASS_HID,
/* .bInterfaceSubClass = DYNAMIC */
/* .bInterfaceProtocol = DYNAMIC */
@@ -140,7 +153,7 @@ static struct usb_ss_ep_comp_descriptor hidg_ss_out_comp_desc = {
/* .wBytesPerInterval = DYNAMIC */
};
-static struct usb_descriptor_header *hidg_ss_descriptors[] = {
+static struct usb_descriptor_header *hidg_ss_descriptors_intout[] = {
(struct usb_descriptor_header *)&hidg_interface_desc,
(struct usb_descriptor_header *)&hidg_desc,
(struct usb_descriptor_header *)&hidg_ss_in_ep_desc,
@@ -150,6 +163,14 @@ static struct usb_descriptor_header *hidg_ss_descriptors[] = {
NULL,
};
+static struct usb_descriptor_header *hidg_ss_descriptors_ssreport[] = {
+ (struct usb_descriptor_header *)&hidg_interface_desc,
+ (struct usb_descriptor_header *)&hidg_desc,
+ (struct usb_descriptor_header *)&hidg_ss_in_ep_desc,
+ (struct usb_descriptor_header *)&hidg_ss_in_comp_desc,
+ NULL,
+};
+
/* High-Speed Support */
static struct usb_endpoint_descriptor hidg_hs_in_ep_desc = {
@@ -176,7 +197,7 @@ static struct usb_endpoint_descriptor hidg_hs_out_ep_desc = {
*/
};
-static struct usb_descriptor_header *hidg_hs_descriptors[] = {
+static struct usb_descriptor_header *hidg_hs_descriptors_intout[] = {
(struct usb_descriptor_header *)&hidg_interface_desc,
(struct usb_descriptor_header *)&hidg_desc,
(struct usb_descriptor_header *)&hidg_hs_in_ep_desc,
@@ -184,6 +205,13 @@ static struct usb_descriptor_header *hidg_hs_descriptors[] = {
NULL,
};
+static struct usb_descriptor_header *hidg_hs_descriptors_ssreport[] = {
+ (struct usb_descriptor_header *)&hidg_interface_desc,
+ (struct usb_descriptor_header *)&hidg_desc,
+ (struct usb_descriptor_header *)&hidg_hs_in_ep_desc,
+ NULL,
+};
+
/* Full-Speed Support */
static struct usb_endpoint_descriptor hidg_fs_in_ep_desc = {
@@ -210,7 +238,7 @@ static struct usb_endpoint_descriptor hidg_fs_out_ep_desc = {
*/
};
-static struct usb_descriptor_header *hidg_fs_descriptors[] = {
+static struct usb_descriptor_header *hidg_fs_descriptors_intout[] = {
(struct usb_descriptor_header *)&hidg_interface_desc,
(struct usb_descriptor_header *)&hidg_desc,
(struct usb_descriptor_header *)&hidg_fs_in_ep_desc,
@@ -218,6 +246,13 @@ static struct usb_descriptor_header *hidg_fs_descriptors[] = {
NULL,
};
+static struct usb_descriptor_header *hidg_fs_descriptors_ssreport[] = {
+ (struct usb_descriptor_header *)&hidg_interface_desc,
+ (struct usb_descriptor_header *)&hidg_desc,
+ (struct usb_descriptor_header *)&hidg_fs_in_ep_desc,
+ NULL,
+};
+
/*-------------------------------------------------------------------------*/
/* Strings */
@@ -241,8 +276,8 @@ static struct usb_gadget_strings *ct_func_strings[] = {
/*-------------------------------------------------------------------------*/
/* Char Device */
-static ssize_t f_hidg_read(struct file *file, char __user *buffer,
- size_t count, loff_t *ptr)
+static ssize_t f_hidg_intout_read(struct file *file, char __user *buffer,
+ size_t count, loff_t *ptr)
{
struct f_hidg *hidg = file->private_data;
struct f_hidg_req_list *list;
@@ -255,15 +290,15 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
spin_lock_irqsave(&hidg->read_spinlock, flags);
-#define READ_COND (!list_empty(&hidg->completed_out_req))
+#define READ_COND_INTOUT (!list_empty(&hidg->completed_out_req))
/* wait for at least one buffer to complete */
- while (!READ_COND) {
+ while (!READ_COND_INTOUT) {
spin_unlock_irqrestore(&hidg->read_spinlock, flags);
if (file->f_flags & O_NONBLOCK)
return -EAGAIN;
- if (wait_event_interruptible(hidg->read_queue, READ_COND))
+ if (wait_event_interruptible(hidg->read_queue, READ_COND_INTOUT))
return -ERESTARTSYS;
spin_lock_irqsave(&hidg->read_spinlock, flags);
@@ -313,6 +348,60 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
return count;
}
+#define READ_COND_SSREPORT (hidg->set_report_buf != NULL)
+
+static ssize_t f_hidg_ssreport_read(struct file *file, char __user *buffer,
+ size_t count, loff_t *ptr)
+{
+ struct f_hidg *hidg = file->private_data;
+ char *tmp_buf = NULL;
+ unsigned long flags;
+
+ if (!count)
+ return 0;
+
+ spin_lock_irqsave(&hidg->read_spinlock, flags);
+
+ while (!READ_COND_SSREPORT) {
+ spin_unlock_irqrestore(&hidg->read_spinlock, flags);
+ if (file->f_flags & O_NONBLOCK)
+ return -EAGAIN;
+
+ if (wait_event_interruptible(hidg->read_queue, READ_COND_SSREPORT))
+ return -ERESTARTSYS;
+
+ spin_lock_irqsave(&hidg->read_spinlock, flags);
+ }
+
+ count = min_t(unsigned int, count, hidg->set_report_length);
+ tmp_buf = hidg->set_report_buf;
+ hidg->set_report_buf = NULL;
+
+ spin_unlock_irqrestore(&hidg->read_spinlock, flags);
+
+ if (tmp_buf != NULL) {
+ count -= copy_to_user(buffer, tmp_buf, count);
+ kfree(tmp_buf);
+ } else {
+ count = -ENOMEM;
+ }
+
+ wake_up(&hidg->read_queue);
+
+ return count;
+}
+
+static ssize_t f_hidg_read(struct file *file, char __user *buffer,
+ size_t count, loff_t *ptr)
+{
+ struct f_hidg *hidg = file->private_data;
+
+ if (hidg->use_out_ep)
+ return f_hidg_intout_read(file, buffer, count, ptr);
+ else
+ return f_hidg_ssreport_read(file, buffer, count, ptr);
+}
+
static void f_hidg_req_complete(struct usb_ep *ep, struct usb_request *req)
{
struct f_hidg *hidg = (struct f_hidg *)ep->driver_data;
@@ -433,14 +522,20 @@ static __poll_t f_hidg_poll(struct file *file, poll_table *wait)
if (WRITE_COND)
ret |= EPOLLOUT | EPOLLWRNORM;
- if (READ_COND)
- ret |= EPOLLIN | EPOLLRDNORM;
+ if (hidg->use_out_ep) {
+ if (READ_COND_INTOUT)
+ ret |= EPOLLIN | EPOLLRDNORM;
+ } else {
+ if (READ_COND_SSREPORT)
+ ret |= EPOLLIN | EPOLLRDNORM;
+ }
return ret;
}
#undef WRITE_COND
-#undef READ_COND
+#undef READ_COND_SSREPORT
+#undef READ_COND_INTOUT
static int f_hidg_release(struct inode *inode, struct file *fd)
{
@@ -467,7 +562,7 @@ static inline struct usb_request *hidg_alloc_ep_req(struct usb_ep *ep,
return alloc_ep_req(ep, length);
}
-static void hidg_set_report_complete(struct usb_ep *ep, struct usb_request *req)
+static void hidg_intout_complete(struct usb_ep *ep, struct usb_request *req)
{
struct f_hidg *hidg = (struct f_hidg *) req->context;
struct usb_composite_dev *cdev = hidg->func.config->cdev;
@@ -502,6 +597,37 @@ static void hidg_set_report_complete(struct usb_ep *ep, struct usb_request *req)
}
}
+static void hidg_ssreport_complete(struct usb_ep *ep, struct usb_request *req)
+{
+ struct f_hidg *hidg = (struct f_hidg *)req->context;
+ struct usb_composite_dev *cdev = hidg->func.config->cdev;
+ char *new_buf = NULL;
+ unsigned long flags;
+
+ if (req->status != 0 || req->buf == NULL || req->actual == 0) {
+ ERROR(cdev,
+ "%s FAILED: status=%d, buf=%p, actual=%d\n",
+ __func__, req->status, req->buf, req->actual);
+ return;
+ }
+
+ spin_lock_irqsave(&hidg->read_spinlock, flags);
+
+ new_buf = krealloc(hidg->set_report_buf, req->actual, GFP_ATOMIC);
+ if (new_buf == NULL) {
+ spin_unlock_irqrestore(&hidg->read_spinlock, flags);
+ return;
+ }
+ hidg->set_report_buf = new_buf;
+
+ hidg->set_report_length = req->actual;
+ memcpy(hidg->set_report_buf, req->buf, req->actual);
+
+ spin_unlock_irqrestore(&hidg->read_spinlock, flags);
+
+ wake_up(&hidg->read_queue);
+}
+
static int hidg_setup(struct usb_function *f,
const struct usb_ctrlrequest *ctrl)
{
@@ -549,7 +675,11 @@ static int hidg_setup(struct usb_function *f,
case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8
| HID_REQ_SET_REPORT):
VDBG(cdev, "set_report | wLength=%d\n", ctrl->wLength);
- goto stall;
+ if (hidg->use_out_ep)
+ goto stall;
+ req->complete = hidg_ssreport_complete;
+ req->context = hidg;
+ goto respond;
break;
case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8
@@ -637,15 +767,18 @@ static void hidg_disable(struct usb_function *f)
unsigned long flags;
usb_ep_disable(hidg->in_ep);
- usb_ep_disable(hidg->out_ep);
- spin_lock_irqsave(&hidg->read_spinlock, flags);
- list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) {
- free_ep_req(hidg->out_ep, list->req);
- list_del(&list->list);
- kfree(list);
+ if (hidg->out_ep) {
+ usb_ep_disable(hidg->out_ep);
+
+ spin_lock_irqsave(&hidg->read_spinlock, flags);
+ list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) {
+ free_ep_req(hidg->out_ep, list->req);
+ list_del(&list->list);
+ kfree(list);
+ }
+ spin_unlock_irqrestore(&hidg->read_spinlock, flags);
}
- spin_unlock_irqrestore(&hidg->read_spinlock, flags);
spin_lock_irqsave(&hidg->write_spinlock, flags);
if (!hidg->write_pending) {
@@ -691,8 +824,7 @@ static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
}
}
-
- if (hidg->out_ep != NULL) {
+ if (hidg->use_out_ep && hidg->out_ep != NULL) {
/* restart endpoint */
usb_ep_disable(hidg->out_ep);
@@ -717,7 +849,7 @@ static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
hidg_alloc_ep_req(hidg->out_ep,
hidg->report_length);
if (req) {
- req->complete = hidg_set_report_complete;
+ req->complete = hidg_intout_complete;
req->context = hidg;
status = usb_ep_queue(hidg->out_ep, req,
GFP_ATOMIC);
@@ -743,7 +875,8 @@ static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
}
return 0;
disable_out_ep:
- usb_ep_disable(hidg->out_ep);
+ if (hidg->out_ep)
+ usb_ep_disable(hidg->out_ep);
free_req_in:
if (req_in)
free_ep_req(hidg->in_ep, req_in);
@@ -795,14 +928,21 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f)
goto fail;
hidg->in_ep = ep;
- ep = usb_ep_autoconfig(c->cdev->gadget, &hidg_fs_out_ep_desc);
- if (!ep)
- goto fail;
- hidg->out_ep = ep;
+ hidg->out_ep = NULL;
+ if (hidg->use_out_ep) {
+ ep = usb_ep_autoconfig(c->cdev->gadget, &hidg_fs_out_ep_desc);
+ if (!ep)
+ goto fail;
+ hidg->out_ep = ep;
+ }
+
+ /* used only if use_out_ep == 1 */
+ hidg->set_report_buf = NULL;
/* set descriptor dynamic values */
hidg_interface_desc.bInterfaceSubClass = hidg->bInterfaceSubClass;
hidg_interface_desc.bInterfaceProtocol = hidg->bInterfaceProtocol;
+ hidg_interface_desc.bNumEndpoints = hidg->use_out_ep ? 2 : 1;
hidg->protocol = HID_REPORT_PROTOCOL;
hidg->idle = 1;
hidg_ss_in_ep_desc.wMaxPacketSize = cpu_to_le16(hidg->report_length);
@@ -833,9 +973,19 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f)
hidg_ss_out_ep_desc.bEndpointAddress =
hidg_fs_out_ep_desc.bEndpointAddress;
- status = usb_assign_descriptors(f, hidg_fs_descriptors,
- hidg_hs_descriptors, hidg_ss_descriptors,
- hidg_ss_descriptors);
+ if (hidg->use_out_ep)
+ status = usb_assign_descriptors(f,
+ hidg_fs_descriptors_intout,
+ hidg_hs_descriptors_intout,
+ hidg_ss_descriptors_intout,
+ hidg_ss_descriptors_intout);
+ else
+ status = usb_assign_descriptors(f,
+ hidg_fs_descriptors_ssreport,
+ hidg_hs_descriptors_ssreport,
+ hidg_ss_descriptors_ssreport,
+ hidg_ss_descriptors_ssreport);
+
if (status)
goto fail;
@@ -950,6 +1100,7 @@ CONFIGFS_ATTR(f_hid_opts_, name)
F_HID_OPT(subclass, 8, 255);
F_HID_OPT(protocol, 8, 255);
+F_HID_OPT(no_out_endpoint, 8, 1);
F_HID_OPT(report_length, 16, 65535);
static ssize_t f_hid_opts_report_desc_show(struct config_item *item, char *page)
@@ -1009,6 +1160,7 @@ CONFIGFS_ATTR_RO(f_hid_opts_, dev);
static struct configfs_attribute *hid_attrs[] = {
&f_hid_opts_attr_subclass,
&f_hid_opts_attr_protocol,
+ &f_hid_opts_attr_no_out_endpoint,
&f_hid_opts_attr_report_length,
&f_hid_opts_attr_report_desc,
&f_hid_opts_attr_dev,
@@ -1093,6 +1245,7 @@ static void hidg_free(struct usb_function *f)
hidg = func_to_hidg(f);
opts = container_of(f->fi, struct f_hid_opts, func_inst);
kfree(hidg->report_desc);
+ kfree(hidg->set_report_buf);
kfree(hidg);
mutex_lock(&opts->lock);
--opts->refcnt;
@@ -1139,6 +1292,7 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi)
return ERR_PTR(-ENOMEM);
}
}
+ hidg->use_out_ep = !opts->no_out_endpoint;
mutex_unlock(&opts->lock);
diff --git a/drivers/usb/gadget/function/u_hid.h b/drivers/usb/gadget/function/u_hid.h
index 84e6da302499..fa631f34bb3d 100644
--- a/drivers/usb/gadget/function/u_hid.h
+++ b/drivers/usb/gadget/function/u_hid.h
@@ -20,6 +20,7 @@ struct f_hid_opts {
int minor;
unsigned char subclass;
unsigned char protocol;
+ unsigned char no_out_endpoint;
unsigned short report_length;
unsigned short report_desc_length;
unsigned char *report_desc;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 377/783] usb: gadget: f_hid: fix f_hidg lifetime vs cdev
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 376/783] usb: gadget: f_hid: optional SETUP/SET_REPORT mode Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 378/783] usb: gadget: f_hid: fix refcount leak on error path Greg Kroah-Hartman
` (415 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee Jones, Andrzej Pietrasiewicz,
John Keeping, Sasha Levin
From: John Keeping <john@metanate.com>
[ Upstream commit 89ff3dfac604614287ad5aad9370c3f984ea3f4b ]
The embedded struct cdev does not have its lifetime correctly tied to
the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN
is held open while the gadget is deleted.
This can readily be replicated with libusbgx's example programs (for
conciseness - operating directly via configfs is equivalent):
gadget-hid
exec 3<> /dev/hidg0
gadget-vid-pid-remove
exec 3<&-
Pull the existing device up in to struct f_hidg and make use of the
cdev_device_{add,del}() helpers. This changes the lifetime of the
device object to match struct f_hidg, but note that it is still added
and deleted at the same time.
Fixes: 71adf1189469 ("USB: gadget: add HID gadget driver")
Tested-by: Lee Jones <lee@kernel.org>
Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: John Keeping <john@metanate.com>
Link: https://lore.kernel.org/r/20221122123523.3068034-2-john@metanate.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_hid.c | 52 ++++++++++++++++-------------
1 file changed, 28 insertions(+), 24 deletions(-)
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 8cb199f52b52..97e927eacc62 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -71,7 +71,7 @@ struct f_hidg {
wait_queue_head_t write_queue;
struct usb_request *req;
- int minor;
+ struct device dev;
struct cdev cdev;
struct usb_function func;
@@ -84,6 +84,14 @@ static inline struct f_hidg *func_to_hidg(struct usb_function *f)
return container_of(f, struct f_hidg, func);
}
+static void hidg_release(struct device *dev)
+{
+ struct f_hidg *hidg = container_of(dev, struct f_hidg, dev);
+
+ kfree(hidg->set_report_buf);
+ kfree(hidg);
+}
+
/*-------------------------------------------------------------------------*/
/* Static descriptors */
@@ -904,9 +912,7 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f)
struct usb_ep *ep;
struct f_hidg *hidg = func_to_hidg(f);
struct usb_string *us;
- struct device *device;
int status;
- dev_t dev;
/* maybe allocate device-global string IDs, and patch descriptors */
us = usb_gstrings_attach(c->cdev, ct_func_strings,
@@ -999,21 +1005,11 @@ static int hidg_bind(struct usb_configuration *c, struct usb_function *f)
/* create char device */
cdev_init(&hidg->cdev, &f_hidg_fops);
- dev = MKDEV(major, hidg->minor);
- status = cdev_add(&hidg->cdev, dev, 1);
+ status = cdev_device_add(&hidg->cdev, &hidg->dev);
if (status)
goto fail_free_descs;
- device = device_create(hidg_class, NULL, dev, NULL,
- "%s%d", "hidg", hidg->minor);
- if (IS_ERR(device)) {
- status = PTR_ERR(device);
- goto del;
- }
-
return 0;
-del:
- cdev_del(&hidg->cdev);
fail_free_descs:
usb_free_all_descriptors(f);
fail:
@@ -1244,9 +1240,7 @@ static void hidg_free(struct usb_function *f)
hidg = func_to_hidg(f);
opts = container_of(f->fi, struct f_hid_opts, func_inst);
- kfree(hidg->report_desc);
- kfree(hidg->set_report_buf);
- kfree(hidg);
+ put_device(&hidg->dev);
mutex_lock(&opts->lock);
--opts->refcnt;
mutex_unlock(&opts->lock);
@@ -1256,8 +1250,7 @@ static void hidg_unbind(struct usb_configuration *c, struct usb_function *f)
{
struct f_hidg *hidg = func_to_hidg(f);
- device_destroy(hidg_class, MKDEV(major, hidg->minor));
- cdev_del(&hidg->cdev);
+ cdev_device_del(&hidg->cdev, &hidg->dev);
usb_free_all_descriptors(f);
}
@@ -1266,6 +1259,7 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi)
{
struct f_hidg *hidg;
struct f_hid_opts *opts;
+ int ret;
/* allocate and initialize one new instance */
hidg = kzalloc(sizeof(*hidg), GFP_KERNEL);
@@ -1277,17 +1271,27 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi)
mutex_lock(&opts->lock);
++opts->refcnt;
- hidg->minor = opts->minor;
+ device_initialize(&hidg->dev);
+ hidg->dev.release = hidg_release;
+ hidg->dev.class = hidg_class;
+ hidg->dev.devt = MKDEV(major, opts->minor);
+ ret = dev_set_name(&hidg->dev, "hidg%d", opts->minor);
+ if (ret) {
+ --opts->refcnt;
+ mutex_unlock(&opts->lock);
+ return ERR_PTR(ret);
+ }
+
hidg->bInterfaceSubClass = opts->subclass;
hidg->bInterfaceProtocol = opts->protocol;
hidg->report_length = opts->report_length;
hidg->report_desc_length = opts->report_desc_length;
if (opts->report_desc) {
- hidg->report_desc = kmemdup(opts->report_desc,
- opts->report_desc_length,
- GFP_KERNEL);
+ hidg->report_desc = devm_kmemdup(&hidg->dev, opts->report_desc,
+ opts->report_desc_length,
+ GFP_KERNEL);
if (!hidg->report_desc) {
- kfree(hidg);
+ put_device(&hidg->dev);
mutex_unlock(&opts->lock);
return ERR_PTR(-ENOMEM);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 378/783] usb: gadget: f_hid: fix refcount leak on error path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 377/783] usb: gadget: f_hid: fix f_hidg lifetime vs cdev Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 379/783] drivers: mcb: fix resource leak in mcb_probe() Greg Kroah-Hartman
` (414 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee Jones, Andrzej Pietrasiewicz,
John Keeping, Sasha Levin
From: John Keeping <john@metanate.com>
[ Upstream commit 70a3288a7586526315105c699b687d78cd32559a ]
When failing to allocate report_desc, opts->refcnt has already been
incremented so it needs to be decremented to avoid leaving the options
structure permanently locked.
Fixes: 21a9476a7ba8 ("usb: gadget: hid: add configfs support")
Tested-by: Lee Jones <lee@kernel.org>
Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: John Keeping <john@metanate.com>
Link: https://lore.kernel.org/r/20221122123523.3068034-3-john@metanate.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/function/f_hid.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 97e927eacc62..e7cf56b13c64 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -1292,6 +1292,7 @@ static struct usb_function *hidg_alloc(struct usb_function_instance *fi)
GFP_KERNEL);
if (!hidg->report_desc) {
put_device(&hidg->dev);
+ --opts->refcnt;
mutex_unlock(&opts->lock);
return ERR_PTR(-ENOMEM);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 379/783] drivers: mcb: fix resource leak in mcb_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 378/783] usb: gadget: f_hid: fix refcount leak on error path Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 380/783] mcb: mcb-parse: fix error handing in chameleon_parse_gdd() Greg Kroah-Hartman
` (413 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhengchao Shao, Johannes Thumshirn,
Sasha Levin
From: Zhengchao Shao <shaozhengchao@huawei.com>
[ Upstream commit d7237462561fcd224fa687c56ccb68629f50fc0d ]
When probe hook function failed in mcb_probe(), it doesn't put the device.
Compiled test only.
Fixes: 7bc364097a89 ("mcb: Acquire reference to device in probe")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Signed-off-by: Johannes Thumshirn <jth@kernel.org>
Link: https://lore.kernel.org/r/9f87de36bfb85158b506cb78c6fc9db3f6a3bad1.1669624063.git.johannes.thumshirn@wdc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mcb/mcb-core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mcb/mcb-core.c b/drivers/mcb/mcb-core.c
index 38cc8340e817..8b8cd751fe9a 100644
--- a/drivers/mcb/mcb-core.c
+++ b/drivers/mcb/mcb-core.c
@@ -71,8 +71,10 @@ static int mcb_probe(struct device *dev)
get_device(dev);
ret = mdrv->probe(mdev, found_id);
- if (ret)
+ if (ret) {
module_put(carrier_mod);
+ put_device(dev);
+ }
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 380/783] mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 379/783] drivers: mcb: fix resource leak in mcb_probe() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 381/783] chardev: fix error handling in cdev_device_add() Greg Kroah-Hartman
` (412 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Yang Yingliang,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 728ac3389296caf68638628c987aeae6c8851e2d ]
If mcb_device_register() returns error in chameleon_parse_gdd(), the refcount
of bus and device name are leaked. Fix this by calling put_device() to give up
the reference, so they can be released in mcb_release_dev() and kobject_cleanup().
Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus")
Reviewed-by: Johannes Thumshirn <jth@kernel.org>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Johannes Thumshirn <jth@kernel.org>
Link: https://lore.kernel.org/r/ebfb06e39b19272f0197fa9136b5e4b6f34ad732.1669624063.git.johannes.thumshirn@wdc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mcb/mcb-parse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mcb/mcb-parse.c b/drivers/mcb/mcb-parse.c
index 0266bfddfbe2..aa6938da0db8 100644
--- a/drivers/mcb/mcb-parse.c
+++ b/drivers/mcb/mcb-parse.c
@@ -108,7 +108,7 @@ static int chameleon_parse_gdd(struct mcb_bus *bus,
return 0;
err:
- mcb_free_dev(mdev);
+ put_device(&mdev->dev);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 381/783] chardev: fix error handling in cdev_device_add()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 380/783] mcb: mcb-parse: fix error handing in chameleon_parse_gdd() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 382/783] i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe Greg Kroah-Hartman
` (411 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797 ]
While doing fault injection test, I got the following report:
------------[ cut here ]------------
kobject: '(null)' (0000000039956980): is not initialized, yet kobject_put() is being called.
WARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0
CPU: 3 PID: 6306 Comm: 283 Tainted: G W 6.1.0-rc2-00005-g307c1086d7c9 #1253
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:kobject_put+0x23d/0x4e0
Call Trace:
<TASK>
cdev_device_add+0x15e/0x1b0
__iio_device_register+0x13b4/0x1af0 [industrialio]
__devm_iio_device_register+0x22/0x90 [industrialio]
max517_probe+0x3d8/0x6b4 [max517]
i2c_device_probe+0xa81/0xc00
When device_add() is injected fault and returns error, if dev->devt is not set,
cdev_add() is not called, cdev_del() is not needed. Fix this by checking dev->devt
in error path.
Fixes: 233ed09d7fda ("chardev: add helper function to register char devs with a struct device")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221202030237.520280-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/char_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/char_dev.c b/fs/char_dev.c
index ba0ded7842a7..3f667292608c 100644
--- a/fs/char_dev.c
+++ b/fs/char_dev.c
@@ -547,7 +547,7 @@ int cdev_device_add(struct cdev *cdev, struct device *dev)
}
rc = device_add(dev);
- if (rc)
+ if (rc && dev->devt)
cdev_del(cdev);
return rc;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 382/783] i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 381/783] chardev: fix error handling in cdev_device_add() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 383/783] staging: rtl8192u: Fix use after free in ieee80211_rx() Greg Kroah-Hartman
` (410 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hui Tang, Wolfram Sang, Sasha Levin
From: Hui Tang <tanghui20@huawei.com>
[ Upstream commit d78a167332e1ca8113268ed922c1212fd71b73ad ]
Using pcim_enable_device() to avoid missing pci_disable_device().
Fixes: 7e94dd154e93 ("i2c-pxa2xx: Add PCI support for PXA I2C controller")
Signed-off-by: Hui Tang <tanghui20@huawei.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-pxa-pci.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/drivers/i2c/busses/i2c-pxa-pci.c b/drivers/i2c/busses/i2c-pxa-pci.c
index f614cade432b..30e38bc8b6db 100644
--- a/drivers/i2c/busses/i2c-pxa-pci.c
+++ b/drivers/i2c/busses/i2c-pxa-pci.c
@@ -105,7 +105,7 @@ static int ce4100_i2c_probe(struct pci_dev *dev,
int i;
struct ce4100_devices *sds;
- ret = pci_enable_device_mem(dev);
+ ret = pcim_enable_device(dev);
if (ret)
return ret;
@@ -114,10 +114,8 @@ static int ce4100_i2c_probe(struct pci_dev *dev,
return -EINVAL;
}
sds = kzalloc(sizeof(*sds), GFP_KERNEL);
- if (!sds) {
- ret = -ENOMEM;
- goto err_mem;
- }
+ if (!sds)
+ return -ENOMEM;
for (i = 0; i < ARRAY_SIZE(sds->pdev); i++) {
sds->pdev[i] = add_i2c_device(dev, i);
@@ -133,8 +131,6 @@ static int ce4100_i2c_probe(struct pci_dev *dev,
err_dev_add:
kfree(sds);
-err_mem:
- pci_disable_device(dev);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 383/783] staging: rtl8192u: Fix use after free in ieee80211_rx()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 382/783] i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 384/783] staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor() Greg Kroah-Hartman
` (409 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Sasha Levin
From: Dan Carpenter <error27@gmail.com>
[ Upstream commit bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac ]
We cannot dereference the "skb" pointer after calling
ieee80211_monitor_rx(), because it is a use after free.
Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kili
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
index b6fee7230ce0..3871437f4708 100644
--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
+++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c
@@ -954,9 +954,11 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb,
#endif
if (ieee->iw_mode == IW_MODE_MONITOR) {
+ unsigned int len = skb->len;
+
ieee80211_monitor_rx(ieee, skb, rx_stats);
stats->rx_packets++;
- stats->rx_bytes += skb->len;
+ stats->rx_bytes += len;
return 1;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 384/783] staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 383/783] staging: rtl8192u: Fix use after free in ieee80211_rx() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 385/783] vme: Fix error not catched in fake_init() Greg Kroah-Hartman
` (408 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, YueHaibing, Sasha Levin
From: YueHaibing <yuehaibing@huawei.com>
[ Upstream commit d30f4436f364b4ad915ca2c09be07cd0f93ceb44 ]
The skb is delivered to netif_rx() in rtllib_monitor_rx(), which may free it,
after calling this, dereferencing skb may trigger use-after-free.
Found by Smatch.
Fixes: 94a799425eee ("From: wlanfae <wlanfae@realtek.com> [PATCH 1/8] rtl8192e: Import new version of driver from realtek")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20221123081253.22296-1-yuehaibing@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/rtl8192e/rtllib_rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8192e/rtllib_rx.c b/drivers/staging/rtl8192e/rtllib_rx.c
index 63752233e551..404794503fb6 100644
--- a/drivers/staging/rtl8192e/rtllib_rx.c
+++ b/drivers/staging/rtl8192e/rtllib_rx.c
@@ -1490,9 +1490,9 @@ static int rtllib_rx_Monitor(struct rtllib_device *ieee, struct sk_buff *skb,
hdrlen += 4;
}
- rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen);
ieee->stats.rx_packets++;
ieee->stats.rx_bytes += skb->len;
+ rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen);
return 1;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 385/783] vme: Fix error not catched in fake_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 384/783] staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 386/783] gpiolib: Get rid of redundant else Greg Kroah-Hartman
` (407 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Sasha Levin
From: Chen Zhongjin <chenzhongjin@huawei.com>
[ Upstream commit 7bef797d707f1744f71156b21d41e3b8c946631f ]
In fake_init(), __root_device_register() is possible to fail but it's
ignored, which can cause unregistering vme_root fail when exit.
general protection fault,
probably for non-canonical address 0xdffffc000000008c
KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467]
RIP: 0010:root_device_unregister+0x26/0x60
Call Trace:
<TASK>
__x64_sys_delete_module+0x34f/0x540
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Return error when __root_device_register() fails.
Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver")
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Link: https://lore.kernel.org/r/20221205084805.147436-1-chenzhongjin@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vme/bridges/vme_fake.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/vme/bridges/vme_fake.c b/drivers/vme/bridges/vme_fake.c
index 6a1bc284f297..eae78366eb02 100644
--- a/drivers/vme/bridges/vme_fake.c
+++ b/drivers/vme/bridges/vme_fake.c
@@ -1073,6 +1073,8 @@ static int __init fake_init(void)
/* We need a fake parent device */
vme_root = __root_device_register("vme", THIS_MODULE);
+ if (IS_ERR(vme_root))
+ return PTR_ERR(vme_root);
/* If we want to support more than one bridge at some point, we need to
* dynamically allocate this so we get one per device.
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 386/783] gpiolib: Get rid of redundant else
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 385/783] vme: Fix error not catched in fake_init() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 387/783] gpiolib: cdev: fix NULL-pointer dereferences Greg Kroah-Hartman
` (406 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko,
Bartosz Golaszewski, Sasha Levin
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 1cef8b5019769d46725932eeace7a383bca97905 ]
In the snippets like the following
if (...)
return / goto / break / continue ...;
else
...
the 'else' is redundant. Get rid of it. In case of IOCTLs use
switch-case pattern that seems the usual in such cases.
While at it, clarify necessity of else in gpiod_direction_output()
by attaching else if to the closing curly brace on a previous line.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Stable-dep-of: 533aae7c94db ("gpiolib: cdev: fix NULL-pointer dereferences")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-cdev.c | 66 ++++++++++++++++++++-----------------
drivers/gpio/gpiolib.c | 12 +++----
2 files changed, 40 insertions(+), 38 deletions(-)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index 381cfa26a4a1..b51b4d7a611e 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -197,16 +197,15 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd,
void __user *ip = (void __user *)arg;
struct gpiohandle_data ghd;
DECLARE_BITMAP(vals, GPIOHANDLES_MAX);
- int i;
+ unsigned int i;
+ int ret;
- if (cmd == GPIOHANDLE_GET_LINE_VALUES_IOCTL) {
- /* NOTE: It's ok to read values of output lines. */
- int ret = gpiod_get_array_value_complex(false,
- true,
- lh->num_descs,
- lh->descs,
- NULL,
- vals);
+ switch (cmd) {
+ case GPIOHANDLE_GET_LINE_VALUES_IOCTL:
+ /* NOTE: It's okay to read values of output lines */
+ ret = gpiod_get_array_value_complex(false, true,
+ lh->num_descs, lh->descs,
+ NULL, vals);
if (ret)
return ret;
@@ -218,7 +217,7 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd,
return -EFAULT;
return 0;
- } else if (cmd == GPIOHANDLE_SET_LINE_VALUES_IOCTL) {
+ case GPIOHANDLE_SET_LINE_VALUES_IOCTL:
/*
* All line descriptors were created at once with the same
* flags so just check if the first one is really output.
@@ -240,10 +239,11 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd,
lh->descs,
NULL,
vals);
- } else if (cmd == GPIOHANDLE_SET_CONFIG_IOCTL) {
+ case GPIOHANDLE_SET_CONFIG_IOCTL:
return linehandle_set_config(lh, ip);
+ default:
+ return -EINVAL;
}
- return -EINVAL;
}
#ifdef CONFIG_COMPAT
@@ -1165,14 +1165,16 @@ static long linereq_ioctl(struct file *file, unsigned int cmd,
struct linereq *lr = file->private_data;
void __user *ip = (void __user *)arg;
- if (cmd == GPIO_V2_LINE_GET_VALUES_IOCTL)
+ switch (cmd) {
+ case GPIO_V2_LINE_GET_VALUES_IOCTL:
return linereq_get_values(lr, ip);
- else if (cmd == GPIO_V2_LINE_SET_VALUES_IOCTL)
+ case GPIO_V2_LINE_SET_VALUES_IOCTL:
return linereq_set_values(lr, ip);
- else if (cmd == GPIO_V2_LINE_SET_CONFIG_IOCTL)
+ case GPIO_V2_LINE_SET_CONFIG_IOCTL:
return linereq_set_config(lr, ip);
-
- return -EINVAL;
+ default:
+ return -EINVAL;
+ }
}
#ifdef CONFIG_COMPAT
@@ -2095,28 +2097,30 @@ static long gpio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
return -ENODEV;
/* Fill in the struct and pass to userspace */
- if (cmd == GPIO_GET_CHIPINFO_IOCTL) {
+ switch (cmd) {
+ case GPIO_GET_CHIPINFO_IOCTL:
return chipinfo_get(cdev, ip);
#ifdef CONFIG_GPIO_CDEV_V1
- } else if (cmd == GPIO_GET_LINEHANDLE_IOCTL) {
+ case GPIO_GET_LINEHANDLE_IOCTL:
return linehandle_create(gdev, ip);
- } else if (cmd == GPIO_GET_LINEEVENT_IOCTL) {
+ case GPIO_GET_LINEEVENT_IOCTL:
return lineevent_create(gdev, ip);
- } else if (cmd == GPIO_GET_LINEINFO_IOCTL ||
- cmd == GPIO_GET_LINEINFO_WATCH_IOCTL) {
- return lineinfo_get_v1(cdev, ip,
- cmd == GPIO_GET_LINEINFO_WATCH_IOCTL);
+ case GPIO_GET_LINEINFO_IOCTL:
+ return lineinfo_get_v1(cdev, ip, false);
+ case GPIO_GET_LINEINFO_WATCH_IOCTL:
+ return lineinfo_get_v1(cdev, ip, true);
#endif /* CONFIG_GPIO_CDEV_V1 */
- } else if (cmd == GPIO_V2_GET_LINEINFO_IOCTL ||
- cmd == GPIO_V2_GET_LINEINFO_WATCH_IOCTL) {
- return lineinfo_get(cdev, ip,
- cmd == GPIO_V2_GET_LINEINFO_WATCH_IOCTL);
- } else if (cmd == GPIO_V2_GET_LINE_IOCTL) {
+ case GPIO_V2_GET_LINEINFO_IOCTL:
+ return lineinfo_get(cdev, ip, false);
+ case GPIO_V2_GET_LINEINFO_WATCH_IOCTL:
+ return lineinfo_get(cdev, ip, true);
+ case GPIO_V2_GET_LINE_IOCTL:
return linereq_create(gdev, ip);
- } else if (cmd == GPIO_GET_LINEINFO_UNWATCH_IOCTL) {
+ case GPIO_GET_LINEINFO_UNWATCH_IOCTL:
return lineinfo_unwatch(cdev, ip);
+ default:
+ return -EINVAL;
}
- return -EINVAL;
}
#ifdef CONFIG_COMPAT
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 59d8affad343..3e01a3ac652d 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -186,9 +186,8 @@ static int gpiochip_find_base(int ngpio)
/* found a free space? */
if (gdev->base + gdev->ngpio <= base)
break;
- else
- /* nope, check the space right before the chip */
- base = gdev->base - ngpio;
+ /* nope, check the space right before the chip */
+ base = gdev->base - ngpio;
}
if (gpio_is_valid(base)) {
@@ -2481,8 +2480,7 @@ int gpiod_direction_output(struct gpio_desc *desc, int value)
ret = gpiod_direction_input(desc);
goto set_output_flag;
}
- }
- else if (test_bit(FLAG_OPEN_SOURCE, &desc->flags)) {
+ } else if (test_bit(FLAG_OPEN_SOURCE, &desc->flags)) {
ret = gpio_set_config(desc, PIN_CONFIG_DRIVE_OPEN_SOURCE);
if (!ret)
goto set_output_value;
@@ -2656,9 +2654,9 @@ static int gpiod_get_raw_value_commit(const struct gpio_desc *desc)
static int gpio_chip_get_multiple(struct gpio_chip *gc,
unsigned long *mask, unsigned long *bits)
{
- if (gc->get_multiple) {
+ if (gc->get_multiple)
return gc->get_multiple(gc, mask, bits);
- } else if (gc->get) {
+ if (gc->get) {
int i, value;
for_each_set_bit(i, mask, gc->ngpio) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 387/783] gpiolib: cdev: fix NULL-pointer dereferences
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 386/783] gpiolib: Get rid of redundant else Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 388/783] i2c: mux: reg: check return value after calling platform_get_resource() Greg Kroah-Hartman
` (405 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bartosz Golaszewski,
Andy Shevchenko, Linus Walleij, Sasha Levin
From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
[ Upstream commit 533aae7c94dbc2b14301cfd68ae7e0e90f0c8438 ]
There are several places where we can crash the kernel by requesting
lines, unbinding the GPIO device, then calling any of the system calls
relevant to the GPIO character device's annonymous file descriptors:
ioctl(), read(), poll().
While I observed it with the GPIO simulator, it will also happen for any
of the GPIO devices that can be hot-unplugged - for instance any HID GPIO
expander (e.g. CP2112).
This affects both v1 and v2 uAPI.
This fixes it partially by checking if gdev->chip is not NULL but it
doesn't entirely remedy the situation as we still have a race condition
in which another thread can remove the device after the check.
Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
Fixes: 3c0d9c635ae2 ("gpiolib: cdev: support GPIO_V2_GET_LINE_IOCTL and GPIO_V2_LINE_GET_VALUES_IOCTL")
Fixes: aad955842d1c ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL")
Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL")
Fixes: 7b8e00d98168 ("gpiolib: cdev: support GPIO_V2_LINE_SET_VALUES_IOCTL")
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpiolib-cdev.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index b51b4d7a611e..40d0196d8bdc 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -200,6 +200,9 @@ static long linehandle_ioctl(struct file *file, unsigned int cmd,
unsigned int i;
int ret;
+ if (!lh->gdev->chip)
+ return -ENODEV;
+
switch (cmd) {
case GPIOHANDLE_GET_LINE_VALUES_IOCTL:
/* NOTE: It's okay to read values of output lines */
@@ -1165,6 +1168,9 @@ static long linereq_ioctl(struct file *file, unsigned int cmd,
struct linereq *lr = file->private_data;
void __user *ip = (void __user *)arg;
+ if (!lr->gdev->chip)
+ return -ENODEV;
+
switch (cmd) {
case GPIO_V2_LINE_GET_VALUES_IOCTL:
return linereq_get_values(lr, ip);
@@ -1191,6 +1197,9 @@ static __poll_t linereq_poll(struct file *file,
struct linereq *lr = file->private_data;
__poll_t events = 0;
+ if (!lr->gdev->chip)
+ return EPOLLHUP | EPOLLERR;
+
poll_wait(file, &lr->wait, wait);
if (!kfifo_is_empty_spinlocked_noirqsave(&lr->events,
@@ -1210,6 +1219,9 @@ static ssize_t linereq_read(struct file *file,
ssize_t bytes_read = 0;
int ret;
+ if (!lr->gdev->chip)
+ return -ENODEV;
+
if (count < sizeof(le))
return -EINVAL;
@@ -1475,6 +1487,9 @@ static __poll_t lineevent_poll(struct file *file,
struct lineevent_state *le = file->private_data;
__poll_t events = 0;
+ if (!le->gdev->chip)
+ return EPOLLHUP | EPOLLERR;
+
poll_wait(file, &le->wait, wait);
if (!kfifo_is_empty_spinlocked_noirqsave(&le->events, &le->wait.lock))
@@ -1510,6 +1525,9 @@ static ssize_t lineevent_read(struct file *file,
ssize_t ge_size;
int ret;
+ if (!le->gdev->chip)
+ return -ENODEV;
+
/*
* When compatible system call is being used the struct gpioevent_data,
* in case of at least ia32, has different size due to the alignment
@@ -1588,6 +1606,9 @@ static long lineevent_ioctl(struct file *file, unsigned int cmd,
void __user *ip = (void __user *)arg;
struct gpiohandle_data ghd;
+ if (!le->gdev->chip)
+ return -ENODEV;
+
/*
* We can get the value for an event line but not set it,
* because it is input by definition.
@@ -2168,6 +2189,9 @@ static __poll_t lineinfo_watch_poll(struct file *file,
struct gpio_chardev_data *cdev = file->private_data;
__poll_t events = 0;
+ if (!cdev->gdev->chip)
+ return EPOLLHUP | EPOLLERR;
+
poll_wait(file, &cdev->wait, pollt);
if (!kfifo_is_empty_spinlocked_noirqsave(&cdev->events,
@@ -2186,6 +2210,9 @@ static ssize_t lineinfo_watch_read(struct file *file, char __user *buf,
int ret;
size_t event_size;
+ if (!cdev->gdev->chip)
+ return -ENODEV;
+
#ifndef CONFIG_GPIO_CDEV_V1
event_size = sizeof(struct gpio_v2_line_info_changed);
if (count < event_size)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 388/783] i2c: mux: reg: check return value after calling platform_get_resource()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 387/783] gpiolib: cdev: fix NULL-pointer dereferences Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 389/783] i2c: ismt: Fix an out-of-bounds bug in ismt_access() Greg Kroah-Hartman
` (404 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Wolfram Sang, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 2d47b79d2bd39cc6369eccf94a06568d84c906ae ]
It will cause null-ptr-deref in resource_size(), if platform_get_resource()
returns NULL, move calling resource_size() after devm_ioremap_resource() that
will check 'res' to avoid null-ptr-deref.
And use devm_platform_get_and_ioremap_resource() to simplify code.
Fixes: b3fdd32799d8 ("i2c: mux: Add register-based mux i2c-mux-reg")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/muxes/i2c-mux-reg.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/i2c/muxes/i2c-mux-reg.c b/drivers/i2c/muxes/i2c-mux-reg.c
index 0e0679f65cf7..30a6de1694e0 100644
--- a/drivers/i2c/muxes/i2c-mux-reg.c
+++ b/drivers/i2c/muxes/i2c-mux-reg.c
@@ -183,13 +183,12 @@ static int i2c_mux_reg_probe(struct platform_device *pdev)
if (!mux->data.reg) {
dev_info(&pdev->dev,
"Register not set, using platform resource\n");
- res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
- mux->data.reg_size = resource_size(res);
- mux->data.reg = devm_ioremap_resource(&pdev->dev, res);
+ mux->data.reg = devm_platform_get_and_ioremap_resource(pdev, 0, &res);
if (IS_ERR(mux->data.reg)) {
ret = PTR_ERR(mux->data.reg);
goto err_put_parent;
}
+ mux->data.reg_size = resource_size(res);
}
if (mux->data.reg_size != 4 && mux->data.reg_size != 2 &&
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 389/783] i2c: ismt: Fix an out-of-bounds bug in ismt_access()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 388/783] i2c: mux: reg: check return value after calling platform_get_resource() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 390/783] usb: storage: Add check for kcalloc Greg Kroah-Hartman
` (403 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zheyu Ma, Wolfram Sang, Sasha Levin
From: Zheyu Ma <zheyuma97@gmail.com>
[ Upstream commit 39244cc754829bf707dccd12e2ce37510f5b1f8d ]
When the driver does not check the data from the user, the variable
'data->block[0]' may be very large to cause an out-of-bounds bug.
The following log can reveal it:
[ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
[ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE
[ 33.996475] ==================================================================
[ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b
[ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485
[ 33.999450] Call Trace:
[ 34.001849] memcpy+0x20/0x60
[ 34.002077] ismt_access.cold+0x374/0x214b
[ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0
[ 34.004007] i2c_smbus_xfer+0x10a/0x390
[ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710
[ 34.005196] i2cdev_ioctl+0x5ec/0x74c
Fix this bug by checking the size of 'data->block[0]' first.
Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-ismt.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c
index 3d2d92640651..cec2b2ae7684 100644
--- a/drivers/i2c/busses/i2c-ismt.c
+++ b/drivers/i2c/busses/i2c-ismt.c
@@ -507,6 +507,9 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr,
if (read_write == I2C_SMBUS_WRITE) {
/* Block Write */
dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA: WRITE\n");
+ if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX)
+ return -EINVAL;
+
dma_size = data->block[0] + 1;
dma_direction = DMA_TO_DEVICE;
desc->wr_len_cmd = dma_size;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 390/783] usb: storage: Add check for kcalloc
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 389/783] i2c: ismt: Fix an out-of-bounds bug in ismt_access() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 391/783] tracing/hist: Fix issue of losting command info in error_log Greg Kroah-Hartman
` (402 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alan Stern, Jiasheng Jiang, Sasha Levin
From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
[ Upstream commit c35ca10f53c51eeb610d3f8fbc6dd6d511b58a58 ]
As kcalloc may return NULL pointer, the return value should
be checked and return error if fails as same as the ones in
alauda_read_map.
Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support")
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Link: https://lore.kernel.org/r/20221208110058.12983-1-jiasheng@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/storage/alauda.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c
index 20b857e97e60..7e4ce0e7e05a 100644
--- a/drivers/usb/storage/alauda.c
+++ b/drivers/usb/storage/alauda.c
@@ -438,6 +438,8 @@ static int alauda_init_media(struct us_data *us)
+ MEDIA_INFO(us).blockshift + MEDIA_INFO(us).pageshift);
MEDIA_INFO(us).pba_to_lba = kcalloc(num_zones, sizeof(u16*), GFP_NOIO);
MEDIA_INFO(us).lba_to_pba = kcalloc(num_zones, sizeof(u16*), GFP_NOIO);
+ if (MEDIA_INFO(us).pba_to_lba == NULL || MEDIA_INFO(us).lba_to_pba == NULL)
+ return USB_STOR_TRANSPORT_ERROR;
if (alauda_reset_media(us) != USB_STOR_XFER_GOOD)
return USB_STOR_TRANSPORT_ERROR;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 391/783] tracing/hist: Fix issue of losting command info in error_log
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 390/783] usb: storage: Add check for kcalloc Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 392/783] samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe() Greg Kroah-Hartman
` (401 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, mhiramat, zanussi, Zheng Yejian,
Steven Rostedt (Google),
Sasha Levin
From: Zheng Yejian <zhengyejian1@huawei.com>
[ Upstream commit 608c6ed3337850c767ab0dd6c583477922233e29 ]
When input some constructed invalid 'trigger' command, command info
in 'error_log' are lost [1].
The root cause is that there is a path that event_hist_trigger_parse()
is recursely called once and 'last_cmd' which save origin command is
cleared, then later calling of hist_err() will no longer record origin
command info:
event_hist_trigger_parse() {
last_cmd_set() // <1> 'last_cmd' save origin command here at first
create_actions() {
onmatch_create() {
action_create() {
trace_action_create() {
trace_action_create_field_var() {
create_field_var_hist() {
event_hist_trigger_parse() { // <2> recursely called once
hist_err_clear() // <3> 'last_cmd' is cleared here
}
hist_err() // <4> No longer find origin command!!!
Since 'glob' is empty string while running into the recurse call, we
can trickly check it and bypass the call of hist_err_clear() to solve it.
[1]
# cd /sys/kernel/tracing
# echo "my_synth_event int v1; int v2; int v3;" >> synthetic_events
# echo 'hist:keys=pid' >> events/sched/sched_waking/trigger
# echo "hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\
pid,pid1)" >> events/sched/sched_switch/trigger
# cat error_log
[ 8.405018] hist:sched:sched_switch: error: Couldn't find synthetic event
Command:
hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1)
^
[ 8.816902] hist:sched:sched_switch: error: Couldn't find field
Command:
hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1)
^
[ 8.816902] hist:sched:sched_switch: error: Couldn't parse field variable
Command:
hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1)
^
[ 8.999880] : error: Couldn't find field
Command:
^
[ 8.999880] : error: Couldn't parse field variable
Command:
^
[ 8.999880] : error: Couldn't find field
Command:
^
[ 8.999880] : error: Couldn't create histogram for field
Command:
^
Link: https://lore.kernel.org/linux-trace-kernel/20221207135326.3483216-1-zhengyejian1@huawei.com
Cc: <mhiramat@kernel.org>
Cc: <zanussi@kernel.org>
Fixes: f404da6e1d46 ("tracing: Add 'last error' error facility for hist triggers")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events_hist.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c
index fd5416829445..8e01ab49118d 100644
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -5827,7 +5827,7 @@ static int event_hist_trigger_func(struct event_command *cmd_ops,
/* Just return zero, not the number of registered triggers */
ret = 0;
out:
- if (ret == 0)
+ if (ret == 0 && glob[0])
hist_err_clear();
return ret;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 392/783] samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 391/783] tracing/hist: Fix issue of losting command info in error_log Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 393/783] thermal/drivers/imx8mm_thermal: Validate temperature range Greg Kroah-Hartman
` (400 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Alex Williamson,
Sasha Levin
From: Shang XiaoJing <shangxiaojing@huawei.com>
[ Upstream commit d1f0f50fbbbbca1e3e8157e51934613bf88f6d44 ]
Add missing pci_disable_device() in fail path of mdpy_fb_probe().
Besides, fix missing release functions in mdpy_fb_remove().
Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Link: https://lore.kernel.org/r/20221208013341.3999-1-shangxiaojing@huawei.com
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
samples/vfio-mdev/mdpy-fb.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/samples/vfio-mdev/mdpy-fb.c b/samples/vfio-mdev/mdpy-fb.c
index 9ec93d90e8a5..4eb7aa11cfbb 100644
--- a/samples/vfio-mdev/mdpy-fb.c
+++ b/samples/vfio-mdev/mdpy-fb.c
@@ -109,7 +109,7 @@ static int mdpy_fb_probe(struct pci_dev *pdev,
ret = pci_request_regions(pdev, "mdpy-fb");
if (ret < 0)
- return ret;
+ goto err_disable_dev;
pci_read_config_dword(pdev, MDPY_FORMAT_OFFSET, &format);
pci_read_config_dword(pdev, MDPY_WIDTH_OFFSET, &width);
@@ -191,6 +191,9 @@ static int mdpy_fb_probe(struct pci_dev *pdev,
err_release_regions:
pci_release_regions(pdev);
+err_disable_dev:
+ pci_disable_device(pdev);
+
return ret;
}
@@ -199,7 +202,10 @@ static void mdpy_fb_remove(struct pci_dev *pdev)
struct fb_info *info = pci_get_drvdata(pdev);
unregister_framebuffer(info);
+ iounmap(info->screen_base);
framebuffer_release(info);
+ pci_release_regions(pdev);
+ pci_disable_device(pdev);
}
static struct pci_device_id mdpy_fb_pci_table[] = {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 393/783] thermal/drivers/imx8mm_thermal: Validate temperature range
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 392/783] samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 394/783] fbdev: ssd1307fb: Drop optional dependency Greg Kroah-Hartman
` (399 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marcus Folkesson, Jacky Bai,
Daniel Lezcano, Sasha Levin
From: Marcus Folkesson <marcus.folkesson@gmail.com>
[ Upstream commit d37edc7370273306d8747097fafa62436c1cfe16 ]
Check against the upper temperature limit (125 degrees C) before
consider the temperature valid.
Fixes: 5eed800a6811 ("thermal: imx8mm: Add support for i.MX8MM thermal monitoring unit")
Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Reviewed-by: Jacky Bai <ping.bai@nxp.com>
Link: https://lore.kernel.org/r/20221014073507.1594844-1-marcus.folkesson@gmail.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/imx8mm_thermal.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/thermal/imx8mm_thermal.c b/drivers/thermal/imx8mm_thermal.c
index 0f4cabd2a8c6..6be16e0598b6 100644
--- a/drivers/thermal/imx8mm_thermal.c
+++ b/drivers/thermal/imx8mm_thermal.c
@@ -65,8 +65,14 @@ static int imx8mm_tmu_get_temp(void *data, int *temp)
u32 val;
val = readl_relaxed(tmu->base + TRITSR) & TRITSR_TEMP0_VAL_MASK;
+
+ /*
+ * Do not validate against the V bit (bit 31) due to errata
+ * ERR051272: TMU: Bit 31 of registers TMU_TSCR/TMU_TRITSR/TMU_TRATSR invalid
+ */
+
*temp = val * 1000;
- if (*temp < VER1_TEMP_LOW_LIMIT)
+ if (*temp < VER1_TEMP_LOW_LIMIT || *temp > VER2_TEMP_HIGH_LIMIT)
return -EAGAIN;
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 394/783] fbdev: ssd1307fb: Drop optional dependency
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 393/783] thermal/drivers/imx8mm_thermal: Validate temperature range Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 395/783] fbdev: pm2fb: fix missing pci_disable_device() Greg Kroah-Hartman
` (398 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Helge Deller, Sasha Levin
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
[ Upstream commit 025e3b507a3a8e1ee96a3112bb67495c77d6cdb6 ]
Only a single out of three devices need a PWM, so from driver it's
optional. Moreover it's a single driver in the entire kernel that
currently selects PWM. Unfortunately this selection is a root cause
of the circular dependencies when we want to enable optional PWM
for some other drivers that select GPIOLIB.
Fixes: a2ed00da5047 ("drivers/video: add support for the Solomon SSD1307 OLED Controller")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/Kconfig | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig
index 4f02db65dede..3ac78db17e46 100644
--- a/drivers/video/fbdev/Kconfig
+++ b/drivers/video/fbdev/Kconfig
@@ -2216,7 +2216,6 @@ config FB_SSD1307
select FB_SYS_COPYAREA
select FB_SYS_IMAGEBLIT
select FB_DEFERRED_IO
- select PWM
select FB_BACKLIGHT
help
This driver implements support for the Solomon SSD1307
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 395/783] fbdev: pm2fb: fix missing pci_disable_device()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 394/783] fbdev: ssd1307fb: Drop optional dependency Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 396/783] fbdev: via: Fix error in via_core_init() Greg Kroah-Hartman
` (397 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Helge Deller, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit ed359a464846b48f76ea6cc5cd8257e545ac97f4 ]
Add missing pci_disable_device() in error path of probe() and remove() path.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/pm2fb.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/video/fbdev/pm2fb.c b/drivers/video/fbdev/pm2fb.c
index c12d46e28359..87b6a929a6b3 100644
--- a/drivers/video/fbdev/pm2fb.c
+++ b/drivers/video/fbdev/pm2fb.c
@@ -1529,8 +1529,10 @@ static int pm2fb_probe(struct pci_dev *pdev, const struct pci_device_id *id)
}
info = framebuffer_alloc(sizeof(struct pm2fb_par), &pdev->dev);
- if (!info)
- return -ENOMEM;
+ if (!info) {
+ err = -ENOMEM;
+ goto err_exit_disable;
+ }
default_par = info->par;
switch (pdev->device) {
@@ -1711,6 +1713,8 @@ static int pm2fb_probe(struct pci_dev *pdev, const struct pci_device_id *id)
release_mem_region(pm2fb_fix.mmio_start, pm2fb_fix.mmio_len);
err_exit_neither:
framebuffer_release(info);
+ err_exit_disable:
+ pci_disable_device(pdev);
return retval;
}
@@ -1737,6 +1741,7 @@ static void pm2fb_remove(struct pci_dev *pdev)
fb_dealloc_cmap(&info->cmap);
kfree(info->pixmap.addr);
framebuffer_release(info);
+ pci_disable_device(pdev);
}
static const struct pci_device_id pm2fb_id_table[] = {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 396/783] fbdev: via: Fix error in via_core_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 395/783] fbdev: pm2fb: fix missing pci_disable_device() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 397/783] fbdev: vermilion: decrease reference count in error path Greg Kroah-Hartman
` (396 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Helge Deller, Sasha Levin
From: Shang XiaoJing <shangxiaojing@huawei.com>
[ Upstream commit 5886b130de953cfb8826f7771ec8640a79934a7f ]
via_core_init() won't exit the driver when pci_register_driver() failed.
Exit the viafb-i2c and the viafb-gpio in failed path to prevent error.
VIA Graphics Integration Chipset framebuffer 2.4 initializing
Error: Driver 'viafb-i2c' is already registered, aborting...
Error: Driver 'viafb-gpio' is already registered, aborting...
Fixes: 7582eb9be85f ("viafb: Turn GPIO and i2c into proper platform devices")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/via/via-core.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/via/via-core.c b/drivers/video/fbdev/via/via-core.c
index 89d75079b730..0363b478fa3e 100644
--- a/drivers/video/fbdev/via/via-core.c
+++ b/drivers/video/fbdev/via/via-core.c
@@ -725,7 +725,14 @@ static int __init via_core_init(void)
return ret;
viafb_i2c_init();
viafb_gpio_init();
- return pci_register_driver(&via_driver);
+ ret = pci_register_driver(&via_driver);
+ if (ret) {
+ viafb_gpio_exit();
+ viafb_i2c_exit();
+ return ret;
+ }
+
+ return 0;
}
static void __exit via_core_exit(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 397/783] fbdev: vermilion: decrease reference count in error path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 396/783] fbdev: via: Fix error in via_core_init() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 398/783] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() Greg Kroah-Hartman
` (395 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiongfeng Wang, Helge Deller, Sasha Levin
From: Xiongfeng Wang <wangxiongfeng2@huawei.com>
[ Upstream commit 001f2cdb952a9566c77fb4b5470cc361db5601bb ]
pci_get_device() will increase the reference count for the returned
pci_dev. For the error path, we need to use pci_dev_put() to decrease
the reference count.
Fixes: dbe7e429fedb ("vmlfb: framebuffer driver for Intel Vermilion Range")
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/vermilion/vermilion.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/vermilion/vermilion.c b/drivers/video/fbdev/vermilion/vermilion.c
index ff61605b8764..a543643ce014 100644
--- a/drivers/video/fbdev/vermilion/vermilion.c
+++ b/drivers/video/fbdev/vermilion/vermilion.c
@@ -277,8 +277,10 @@ static int vmlfb_get_gpu(struct vml_par *par)
mutex_unlock(&vml_mutex);
- if (pci_enable_device(par->gpu) < 0)
+ if (pci_enable_device(par->gpu) < 0) {
+ pci_dev_put(par->gpu);
return -ENODEV;
+ }
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 398/783] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (396 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 397/783] fbdev: vermilion: decrease reference count in error path Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 399/783] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() Greg Kroah-Hartman
` (394 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Helge Deller,
Sasha Levin
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit a94371040712031ba129c7e9d8ff04a06a2f8207 ]
If an error occurs after a successful uvesafb_init_mtrr() call, it must be
undone by a corresponding arch_phys_wc_del() call, as already done in the
remove function.
This has been added in the remove function in commit 63e28a7a5ffc
("uvesafb: Clean up MTRR code")
Fixes: 8bdb3a2d7df4 ("uvesafb: the driver core")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/uvesafb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c
index def14ac0ebe1..661f12742e4f 100644
--- a/drivers/video/fbdev/uvesafb.c
+++ b/drivers/video/fbdev/uvesafb.c
@@ -1756,6 +1756,7 @@ static int uvesafb_probe(struct platform_device *dev)
out_unmap:
iounmap(info->screen_base);
out_mem:
+ arch_phys_wc_del(par->mtrr_handle);
release_mem_region(info->fix.smem_start, info->fix.smem_len);
out_reg:
release_region(0x3c0, 32);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 399/783] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (397 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 398/783] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 400/783] HSI: omap_ssi_core: fix possible memory leak in ssi_probe() Greg Kroah-Hartman
` (393 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Sebastian Reichel,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit f5181c35ed7ba0ceb6e42872aad1334d994b0175 ]
In error label 'out1' path in ssi_probe(), the pm_runtime_enable()
has not been called yet, so pm_runtime_disable() is not needed.
Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hsi/controllers/omap_ssi_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
index eb9820158318..b23a576ed88a 100644
--- a/drivers/hsi/controllers/omap_ssi_core.c
+++ b/drivers/hsi/controllers/omap_ssi_core.c
@@ -536,9 +536,9 @@ static int ssi_probe(struct platform_device *pd)
device_for_each_child(&pd->dev, NULL, ssi_remove_ports);
out2:
ssi_remove_controller(ssi);
+ pm_runtime_disable(&pd->dev);
out1:
platform_set_drvdata(pd, NULL);
- pm_runtime_disable(&pd->dev);
return err;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 400/783] HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (398 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 399/783] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 401/783] power: supply: fix residue sysfs file in error handle route of __power_supply_register() Greg Kroah-Hartman
` (392 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Sebastian Reichel,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 1aff514e1d2bd47854dbbdf867970b9d463d4c57 ]
If ssi_add_controller() returns error, it should call hsi_put_controller()
to give up the reference that was set in hsi_alloc_controller(), so that
it can call hsi_controller_release() to free controller and ports that
allocated in hsi_alloc_controller().
Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hsi/controllers/omap_ssi_core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
index b23a576ed88a..052cf3e92dd6 100644
--- a/drivers/hsi/controllers/omap_ssi_core.c
+++ b/drivers/hsi/controllers/omap_ssi_core.c
@@ -502,8 +502,10 @@ static int ssi_probe(struct platform_device *pd)
platform_set_drvdata(pd, ssi);
err = ssi_add_controller(ssi, pd);
- if (err < 0)
+ if (err < 0) {
+ hsi_put_controller(ssi);
goto out1;
+ }
pm_runtime_enable(&pd->dev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 401/783] power: supply: fix residue sysfs file in error handle route of __power_supply_register()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (399 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 400/783] HSI: omap_ssi_core: fix possible memory leak in ssi_probe() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 402/783] perf trace: Return error if a system call doesnt exist Greg Kroah-Hartman
` (391 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zeng Heng, Sebastian Reichel, Sasha Levin
From: Zeng Heng <zengheng4@huawei.com>
[ Upstream commit 5b79480ce1978864ac3f06f2134dfa3b6691fe74 ]
If device_add() succeeds, we should call device_del() when want to
get rid of it, so move it into proper jump symbol.
Otherwise, when __power_supply_register() returns fail and goto
wakeup_init_failed to exit, there is still residue device file in sysfs.
When attempt to probe device again, sysfs would complain as below:
sysfs: cannot create duplicate filename '/devices/platform/i2c/i2c-0/0-001c/power_supply/adp5061'
Call Trace:
dump_stack_lvl+0x68/0x85
sysfs_warn_dup.cold+0x1c/0x29
sysfs_create_dir_ns+0x1b1/0x1d0
kobject_add_internal+0x143/0x390
kobject_add+0x108/0x170
Fixes: 80c6463e2fa3 ("power_supply: Fix Oops from NULL pointer dereference from wakeup_source_activate")
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/power_supply_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c
index 280c54c23e37..be2cb925c115 100644
--- a/drivers/power/supply/power_supply_core.c
+++ b/drivers/power/supply/power_supply_core.c
@@ -1201,8 +1201,8 @@ __power_supply_register(struct device *parent,
register_cooler_failed:
psy_unregister_thermal(psy);
register_thermal_failed:
- device_del(dev);
wakeup_init_failed:
+ device_del(dev);
device_add_failed:
check_supplies_failed:
dev_set_name_failed:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 402/783] perf trace: Return error if a system call doesnt exist
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (400 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 401/783] power: supply: fix residue sysfs file in error handle route of __power_supply_register() Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 403/783] perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number Greg Kroah-Hartman
` (390 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers,
Alexander Shishkin, bpf, Ingo Molnar, Jiri Olsa, Mark Rutland,
Namhyung Kim, Peter Zijlstra, Arnaldo Carvalho de Melo,
Sasha Levin
From: Leo Yan <leo.yan@linaro.org>
[ Upstream commit d4223e1776c30b2ce8d0e6eaadcbf696e60fca3c ]
When a system call is not detected, the reason is either because the
system call ID is out of scope or failure to find the corresponding path
in the sysfs, trace__read_syscall_info() returns zero. Finally, without
returning an error value it introduces confusion for the caller.
This patch lets the function trace__read_syscall_info() to return
-EEXIST when a system call doesn't exist.
Fixes: b8b1033fcaa091d8 ("perf trace: Mark syscall ids that are not allocated to avoid unnecessary error messages")
Signed-off-by: Leo Yan <leo.yan@linaro.org>
Acked-by: Ian Rogers <irogers@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: bpf@vger.kernel.org
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20221121075237.127706-3-leo.yan@linaro.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-trace.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index de80534473af..555e16d8d55b 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1774,11 +1774,11 @@ static int trace__read_syscall_info(struct trace *trace, int id)
#endif
sc = trace->syscalls.table + id;
if (sc->nonexistent)
- return 0;
+ return -EEXIST;
if (name == NULL) {
sc->nonexistent = true;
- return 0;
+ return -EEXIST;
}
sc->name = name;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 403/783] perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (401 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 402/783] perf trace: Return error if a system call doesnt exist Greg Kroah-Hartman
@ 2023-01-12 13:51 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 404/783] perf trace: Handle failure when trace point folder is missed Greg Kroah-Hartman
` (389 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:51 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers,
Alexander Shishkin, Ingo Molnar, Jiri Olsa, Mark Rutland,
Namhyung Kim, Peter Zijlstra, bpf, Arnaldo Carvalho de Melo,
Sasha Levin
From: Leo Yan <leo.yan@linaro.org>
[ Upstream commit eadcab4c7a66e1df03d32da0db55d89fd9343fcc ]
This patch defines a macro RAW_SYSCALL_ARGS_NUM to replace the open
coded number '6'.
Signed-off-by: Leo Yan <leo.yan@linaro.org>
Acked-by: Ian Rogers <irogers@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: bpf@vger.kernel.org
Link: https://lore.kernel.org/r/20221121075237.127706-2-leo.yan@linaro.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Stable-dep-of: 03e9a5d8eb55 ("perf trace: Handle failure when trace point folder is missed")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-trace.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index 555e16d8d55b..1a7279687f25 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -87,6 +87,8 @@
# define F_LINUX_SPECIFIC_BASE 1024
#endif
+#define RAW_SYSCALL_ARGS_NUM 6
+
/*
* strtoul: Go from a string to a value, i.e. for msr: MSR_FS_BASE to 0xc0000100
*/
@@ -107,7 +109,7 @@ struct syscall_fmt {
const char *sys_enter,
*sys_exit;
} bpf_prog_name;
- struct syscall_arg_fmt arg[6];
+ struct syscall_arg_fmt arg[RAW_SYSCALL_ARGS_NUM];
u8 nr_args;
bool errpid;
bool timeout;
@@ -1216,7 +1218,7 @@ struct syscall {
*/
struct bpf_map_syscall_entry {
bool enabled;
- u16 string_args_len[6];
+ u16 string_args_len[RAW_SYSCALL_ARGS_NUM];
};
/*
@@ -1641,7 +1643,7 @@ static int syscall__alloc_arg_fmts(struct syscall *sc, int nr_args)
{
int idx;
- if (nr_args == 6 && sc->fmt && sc->fmt->nr_args != 0)
+ if (nr_args == RAW_SYSCALL_ARGS_NUM && sc->fmt && sc->fmt->nr_args != 0)
nr_args = sc->fmt->nr_args;
sc->arg_fmt = calloc(nr_args, sizeof(*sc->arg_fmt));
@@ -1792,7 +1794,8 @@ static int trace__read_syscall_info(struct trace *trace, int id)
sc->tp_format = trace_event__tp_format("syscalls", tp_name);
}
- if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ? 6 : sc->tp_format->format.nr_fields))
+ if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ?
+ RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields))
return -ENOMEM;
if (IS_ERR(sc->tp_format))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 404/783] perf trace: Handle failure when trace point folder is missed
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (402 preceding siblings ...)
2023-01-12 13:51 ` [PATCH 5.10 403/783] perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 405/783] perf symbol: correction while adjusting symbol Greg Kroah-Hartman
` (388 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Leo Yan, Ian Rogers,
Alexander Shishkin, bpf, Ingo Molnar, Jiri Olsa, Mark Rutland,
Namhyung Kim, Peter Zijlstra, Arnaldo Carvalho de Melo,
Sasha Levin
From: Leo Yan <leo.yan@linaro.org>
[ Upstream commit 03e9a5d8eb552a1bf692a9c8a5ecd50f4e428006 ]
On Arm64 a case is perf tools fails to find the corresponding trace
point folder for system calls listed in the table 'syscalltbl_arm64',
e.g. the generated system call table contains "lookup_dcookie" but we
cannot find out the matched trace point folder for it.
We need to figure out if there have any issue for the generated system
call table, on the other hand, we need to handle the case when trace
point folder is missed under sysfs, this patch sets the flag
syscall::nonexistent as true and returns the error from
trace__read_syscall_info().
Another problem is for trace__syscall_info(), it returns two different
values if a system call doesn't exist: at the first time calling
trace__syscall_info() it returns NULL when the system call doesn't exist,
later if call trace__syscall_info() again for the same missed system
call, it returns pointer of syscall. trace__syscall_info() checks the
condition 'syscalls.table[id].name == NULL', but the name will be
assigned in the first invoking even the system call is not found.
So checking system call's name in trace__syscall_info() is not the right
thing to do, this patch simply checks flag syscall::nonexistent to make
decision if a system call exists or not, finally trace__syscall_info()
returns the consistent result (NULL) if a system call doesn't existed.
Fixes: b8b1033fcaa091d8 ("perf trace: Mark syscall ids that are not allocated to avoid unnecessary error messages")
Signed-off-by: Leo Yan <leo.yan@linaro.org>
Acked-by: Ian Rogers <irogers@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: bpf@vger.kernel.org
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20221121075237.127706-4-leo.yan@linaro.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-trace.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
index 1a7279687f25..8de0d0a740de 100644
--- a/tools/perf/builtin-trace.c
+++ b/tools/perf/builtin-trace.c
@@ -1794,13 +1794,19 @@ static int trace__read_syscall_info(struct trace *trace, int id)
sc->tp_format = trace_event__tp_format("syscalls", tp_name);
}
+ /*
+ * Fails to read trace point format via sysfs node, so the trace point
+ * doesn't exist. Set the 'nonexistent' flag as true.
+ */
+ if (IS_ERR(sc->tp_format)) {
+ sc->nonexistent = true;
+ return PTR_ERR(sc->tp_format);
+ }
+
if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ?
RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields))
return -ENOMEM;
- if (IS_ERR(sc->tp_format))
- return PTR_ERR(sc->tp_format);
-
sc->args = sc->tp_format->format.fields;
/*
* We need to check and discard the first variable '__syscall_nr'
@@ -2117,11 +2123,8 @@ static struct syscall *trace__syscall_info(struct trace *trace,
(err = trace__read_syscall_info(trace, id)) != 0)
goto out_cant_read;
- if (trace->syscalls.table[id].name == NULL) {
- if (trace->syscalls.table[id].nonexistent)
- return NULL;
+ if (trace->syscalls.table && trace->syscalls.table[id].nonexistent)
goto out_cant_read;
- }
return &trace->syscalls.table[id];
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 405/783] perf symbol: correction while adjusting symbol
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (403 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 404/783] perf trace: Handle failure when trace point folder is missed Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 406/783] HSI: omap_ssi_core: Fix error handling in ssi_init() Greg Kroah-Hartman
` (387 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ajay Kaher, Alexander Shishkin,
Alexey Makhalov, Jiri Olsa, Leo Yan, Mark Rutland, Namhyung Kim,
Peter Zijlstra, Srivatsa S. Bhat, Steven Rostedt (VMware),
Vasavi Sirnapalli, Arnaldo Carvalho de Melo, Sasha Levin
From: Ajay Kaher <akaher@vmware.com>
[ Upstream commit 6f520ce17920b3cdfbd2479b3ccf27f9706219d0 ]
perf doesn't provide proper symbol information for specially crafted
.debug files.
Sometimes .debug file may not have similar program header as runtime
ELF file. For example if we generate .debug file using objcopy
--only-keep-debug resulting file will not contain .text, .data and
other runtime sections. That means corresponding program headers will
have zero FileSiz and modified Offset.
Example: program header of text section of libxxx.so:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
LOAD 0x00000000003d3000 0x00000000003d3000 0x00000000003d3000
0x000000000055ae80 0x000000000055ae80 R E 0x1000
Same program header after executing:
objcopy --only-keep-debug libxxx.so libxxx.so.debug
LOAD 0x0000000000001000 0x00000000003d3000 0x00000000003d3000
0x0000000000000000 0x000000000055ae80 R E 0x1000
Offset and FileSiz have been changed.
Following formula will not provide correct value, if program header
taken from .debug file (syms_ss):
sym.st_value -= phdr.p_vaddr - phdr.p_offset;
Correct program header information is located inside runtime ELF
file (runtime_ss).
Fixes: 2d86612aacb7805f ("perf symbol: Correct address for bss symbols")
Signed-off-by: Ajay Kaher <akaher@vmware.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alexey Makhalov <amakhalov@vmware.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Leo Yan <leo.yan@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Srivatsa S. Bhat <srivatsab@vmware.com>
Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Vasavi Sirnapalli <vsirnapalli@vmware.com>
Link: http://lore.kernel.org/lkml/1669198696-50547-1-git-send-email-akaher@vmware.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/symbol-elf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
index 3e423a920015..5221f272f85c 100644
--- a/tools/perf/util/symbol-elf.c
+++ b/tools/perf/util/symbol-elf.c
@@ -1247,7 +1247,7 @@ int dso__load_sym(struct dso *dso, struct map *map, struct symsrc *syms_ss,
(!used_opd && syms_ss->adjust_symbols)) {
GElf_Phdr phdr;
- if (elf_read_program_header(syms_ss->elf,
+ if (elf_read_program_header(runtime_ss->elf,
(u64)sym.st_value, &phdr)) {
pr_debug4("%s: failed to find program header for "
"symbol: %s st_value: %#" PRIx64 "\n",
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 406/783] HSI: omap_ssi_core: Fix error handling in ssi_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (404 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 405/783] perf symbol: correction while adjusting symbol Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 407/783] power: supply: fix null pointer dereferencing in power_supply_get_battery_info Greg Kroah-Hartman
` (386 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Can, Sebastian Reichel, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit 3ffa9f713c39a213a08d9ff13ab983a8aa5d8b5d ]
The ssi_init() returns the platform_driver_register() directly without
checking its return value, if platform_driver_register() failed, the
ssi_pdriver is not unregistered.
Fix by unregister ssi_pdriver when the last platform_driver_register()
failed.
Fixes: 0fae198988b8 ("HSI: omap_ssi: built omap_ssi and omap_ssi_port into one module")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hsi/controllers/omap_ssi_core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
index 052cf3e92dd6..26f2c3c01297 100644
--- a/drivers/hsi/controllers/omap_ssi_core.c
+++ b/drivers/hsi/controllers/omap_ssi_core.c
@@ -631,7 +631,13 @@ static int __init ssi_init(void) {
if (ret)
return ret;
- return platform_driver_register(&ssi_port_pdriver);
+ ret = platform_driver_register(&ssi_port_pdriver);
+ if (ret) {
+ platform_driver_unregister(&ssi_pdriver);
+ return ret;
+ }
+
+ return 0;
}
module_init(ssi_init);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 407/783] power: supply: fix null pointer dereferencing in power_supply_get_battery_info
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (405 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 406/783] HSI: omap_ssi_core: Fix error handling in ssi_init() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 408/783] RDMA/siw: Fix pointer cast warning Greg Kroah-Hartman
` (385 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ruanjinjie, Baolin Wang,
Sebastian Reichel, Sasha Levin
From: ruanjinjie <ruanjinjie@huawei.com>
[ Upstream commit 104bb8a663451404a26331263ce5b96c34504049 ]
when kmalloc() fail to allocate memory in kasprintf(), propname
will be NULL, strcmp() called by of_get_property() will cause
null pointer dereference.
So return ENOMEM if kasprintf() return NULL pointer.
Fixes: 3afb50d7125b ("power: supply: core: Add some helpers to use the battery OCV capacity table")
Signed-off-by: ruanjinjie <ruanjinjie@huawei.com>
Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/power_supply_core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c
index be2cb925c115..2b644590fa8e 100644
--- a/drivers/power/supply/power_supply_core.c
+++ b/drivers/power/supply/power_supply_core.c
@@ -677,6 +677,11 @@ int power_supply_get_battery_info(struct power_supply *psy,
int i, tab_len, size;
propname = kasprintf(GFP_KERNEL, "ocv-capacity-table-%d", index);
+ if (!propname) {
+ power_supply_put_battery_info(psy, info);
+ err = -ENOMEM;
+ goto out_put_node;
+ }
list = of_get_property(battery_np, propname, &size);
if (!list || !size) {
dev_err(&psy->dev, "failed to get %s\n", propname);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 408/783] RDMA/siw: Fix pointer cast warning
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (406 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 407/783] power: supply: fix null pointer dereferencing in power_supply_get_battery_info Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 409/783] iommu/sun50i: Fix reset release Greg Kroah-Hartman
` (384 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Bernard Metzler,
Linus Walleij, Jason Gunthorpe, Sasha Levin
From: Arnd Bergmann <arnd@arndb.de>
[ Upstream commit 5244ca88671a1981ceec09c5c8809f003e6a62aa ]
The previous build fix left a remaining issue in configurations with
64-bit dma_addr_t on 32-bit architectures:
drivers/infiniband/sw/siw/siw_qp_tx.c: In function 'siw_get_pblpage':
drivers/infiniband/sw/siw/siw_qp_tx.c:32:37: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
32 | return virt_to_page((void *)paddr);
| ^
Use the same double cast here that the driver uses elsewhere to convert
between dma_addr_t and void*.
Fixes: 0d1b756acf60 ("RDMA/siw: Pass a pointer to virt_to_page()")
Link: https://lore.kernel.org/r/20221215170347.2612403-1-arnd@kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Bernard Metzler <bmt@zurich.ibm.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/sw/siw/siw_qp_tx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/sw/siw/siw_qp_tx.c b/drivers/infiniband/sw/siw/siw_qp_tx.c
index 3c3ae5ef2942..df8802b4981c 100644
--- a/drivers/infiniband/sw/siw/siw_qp_tx.c
+++ b/drivers/infiniband/sw/siw/siw_qp_tx.c
@@ -29,7 +29,7 @@ static struct page *siw_get_pblpage(struct siw_mem *mem, u64 addr, int *idx)
dma_addr_t paddr = siw_pbl_get_buffer(pbl, offset, NULL, idx);
if (paddr)
- return virt_to_page((void *)paddr);
+ return virt_to_page((void *)(uintptr_t)paddr);
return NULL;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 409/783] iommu/sun50i: Fix reset release
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (407 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 408/783] RDMA/siw: Fix pointer cast warning Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 410/783] iommu/sun50i: Consider all fault sources for reset Greg Kroah-Hartman
` (383 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jernej Skrabec, Joerg Roedel, Sasha Levin
From: Jernej Skrabec <jernej.skrabec@gmail.com>
[ Upstream commit 9ad0c1252e84dbc664f0462707182245ed603237 ]
Reset signal is asserted by writing 0 to the corresponding locations of
masters we want to reset. So in order to deassert all reset signals, we
should write 1's to all locations.
Current code writes 1's to locations of masters which were just reset
which is good. However, at the same time it also writes 0's to other
locations and thus asserts reset signals of remaining masters. Fix code
by writing all 1's when we want to deassert all reset signals.
This bug was discovered when working with Cedrus (video decoder). When
it faulted, display went blank due to reset signal assertion.
Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Link: https://lore.kernel.org/r/20221025165415.307591-2-jernej.skrabec@gmail.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/sun50i-iommu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
index ea6db1341916..3dead4f91420 100644
--- a/drivers/iommu/sun50i-iommu.c
+++ b/drivers/iommu/sun50i-iommu.c
@@ -28,6 +28,7 @@
#include <linux/types.h>
#define IOMMU_RESET_REG 0x010
+#define IOMMU_RESET_RELEASE_ALL 0xffffffff
#define IOMMU_ENABLE_REG 0x020
#define IOMMU_ENABLE_ENABLE BIT(0)
@@ -905,7 +906,7 @@ static irqreturn_t sun50i_iommu_irq(int irq, void *dev_id)
iommu_write(iommu, IOMMU_INT_CLR_REG, status);
iommu_write(iommu, IOMMU_RESET_REG, ~status);
- iommu_write(iommu, IOMMU_RESET_REG, status);
+ iommu_write(iommu, IOMMU_RESET_REG, IOMMU_RESET_RELEASE_ALL);
spin_unlock(&iommu->iommu_lock);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 410/783] iommu/sun50i: Consider all fault sources for reset
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (408 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 409/783] iommu/sun50i: Fix reset release Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 411/783] iommu/sun50i: Fix R/W permission check Greg Kroah-Hartman
` (382 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jernej Skrabec, Joerg Roedel, Sasha Levin
From: Jernej Skrabec <jernej.skrabec@gmail.com>
[ Upstream commit cef20703e2b2276aaa402ec5a65ec9a09963b83e ]
We have to reset masters for all faults - permissions, L1 fault or L2
fault. Currently it's done only for permissions. If other type of fault
happens, master is in locked up state. Fix that by really considering
all fault sources.
Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Link: https://lore.kernel.org/r/20221025165415.307591-3-jernej.skrabec@gmail.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/sun50i-iommu.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
index 3dead4f91420..2512eabbf4ac 100644
--- a/drivers/iommu/sun50i-iommu.c
+++ b/drivers/iommu/sun50i-iommu.c
@@ -881,8 +881,8 @@ static phys_addr_t sun50i_iommu_handle_perm_irq(struct sun50i_iommu *iommu)
static irqreturn_t sun50i_iommu_irq(int irq, void *dev_id)
{
+ u32 status, l1_status, l2_status, resets;
struct sun50i_iommu *iommu = dev_id;
- u32 status;
spin_lock(&iommu->iommu_lock);
@@ -892,6 +892,9 @@ static irqreturn_t sun50i_iommu_irq(int irq, void *dev_id)
return IRQ_NONE;
}
+ l1_status = iommu_read(iommu, IOMMU_L1PG_INT_REG);
+ l2_status = iommu_read(iommu, IOMMU_L2PG_INT_REG);
+
if (status & IOMMU_INT_INVALID_L2PG)
sun50i_iommu_handle_pt_irq(iommu,
IOMMU_INT_ERR_ADDR_L2_REG,
@@ -905,7 +908,8 @@ static irqreturn_t sun50i_iommu_irq(int irq, void *dev_id)
iommu_write(iommu, IOMMU_INT_CLR_REG, status);
- iommu_write(iommu, IOMMU_RESET_REG, ~status);
+ resets = (status | l1_status | l2_status) & IOMMU_INT_MASTER_MASK;
+ iommu_write(iommu, IOMMU_RESET_REG, ~resets);
iommu_write(iommu, IOMMU_RESET_REG, IOMMU_RESET_RELEASE_ALL);
spin_unlock(&iommu->iommu_lock);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 411/783] iommu/sun50i: Fix R/W permission check
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (409 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 410/783] iommu/sun50i: Consider all fault sources for reset Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 412/783] iommu/sun50i: Fix flush size Greg Kroah-Hartman
` (381 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jernej Skrabec, Joerg Roedel, Sasha Levin
From: Jernej Skrabec <jernej.skrabec@gmail.com>
[ Upstream commit eac0104dc69be50bed86926d6f32e82b44f8c921 ]
Because driver has enum type permissions and iommu subsystem has bitmap
type, we have to be careful how check for combined read and write
permissions is done. In such case, we have to mask both permissions and
check that both are set at the same time.
Current code just masks both flags but doesn't check that both are set.
In short, it always sets R/W permission, regardles if requested
permissions were RO, WO or RW. Fix that.
Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Link: https://lore.kernel.org/r/20221025165415.307591-4-jernej.skrabec@gmail.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/sun50i-iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
index 2512eabbf4ac..68aee56e2231 100644
--- a/drivers/iommu/sun50i-iommu.c
+++ b/drivers/iommu/sun50i-iommu.c
@@ -272,7 +272,7 @@ static u32 sun50i_mk_pte(phys_addr_t page, int prot)
enum sun50i_iommu_aci aci;
u32 flags = 0;
- if (prot & (IOMMU_READ | IOMMU_WRITE))
+ if ((prot & (IOMMU_READ | IOMMU_WRITE)) == (IOMMU_READ | IOMMU_WRITE))
aci = SUN50I_IOMMU_ACI_RD_WR;
else if (prot & IOMMU_READ)
aci = SUN50I_IOMMU_ACI_RD;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 412/783] iommu/sun50i: Fix flush size
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (410 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 411/783] iommu/sun50i: Fix R/W permission check Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 413/783] phy: usb: s2 WoL wakeup_count not incremented for USB->Eth devices Greg Kroah-Hartman
` (380 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jernej Skrabec, Joerg Roedel, Sasha Levin
From: Jernej Skrabec <jernej.skrabec@gmail.com>
[ Upstream commit 67a8a67f9eceb72e4c73d1d09ed9ab04f4b8e12d ]
Function sun50i_table_flush() takes number of entries as an argument,
not number of bytes. Fix that mistake in sun50i_dte_get_page_table().
Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Link: https://lore.kernel.org/r/20221025165415.307591-5-jernej.skrabec@gmail.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/sun50i-iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
index 68aee56e2231..dc8ad35cbc4e 100644
--- a/drivers/iommu/sun50i-iommu.c
+++ b/drivers/iommu/sun50i-iommu.c
@@ -513,7 +513,7 @@ static u32 *sun50i_dte_get_page_table(struct sun50i_iommu_domain *sun50i_domain,
sun50i_iommu_free_page_table(iommu, drop_pt);
}
- sun50i_table_flush(sun50i_domain, page_table, PT_SIZE);
+ sun50i_table_flush(sun50i_domain, page_table, NUM_PT_ENTRIES);
sun50i_table_flush(sun50i_domain, dte_addr, 1);
return page_table;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 413/783] phy: usb: s2 WoL wakeup_count not incremented for USB->Eth devices
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (411 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 412/783] iommu/sun50i: Fix flush size Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 414/783] include/uapi/linux/swab: Fix potentially missing __always_inline Greg Kroah-Hartman
` (379 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Cooper, Justin Chen,
Florian Fainelli, Vinod Koul, Sasha Levin
From: Al Cooper <alcooperx@gmail.com>
[ Upstream commit f7fc5b7090372fc4dd7798c874635ca41b8ba733 ]
The PHY's "wakeup_count" is not incrementing when waking from
WoL. The wakeup count can be found in sysfs at:
/sys/bus/platform/devices/rdb/*.usb-phy/power/wakeup_count.
The problem is that the system wakup event handler was being passed
the wrong "device" by the PHY driver.
Fixes: f1c0db40a3ad ("phy: usb: Add "wake on" functionality")
Signed-off-by: Al Cooper <alcooperx@gmail.com>
Signed-off-by: Justin Chen <justinpopo6@gmail.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/1665005418-15807-3-git-send-email-justinpopo6@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/broadcom/phy-brcm-usb.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/phy/broadcom/phy-brcm-usb.c b/drivers/phy/broadcom/phy-brcm-usb.c
index b901a0d4e2a8..cd2240ea2c9a 100644
--- a/drivers/phy/broadcom/phy-brcm-usb.c
+++ b/drivers/phy/broadcom/phy-brcm-usb.c
@@ -101,9 +101,9 @@ static int brcm_pm_notifier(struct notifier_block *notifier,
static irqreturn_t brcm_usb_phy_wake_isr(int irq, void *dev_id)
{
- struct phy *gphy = dev_id;
+ struct device *dev = dev_id;
- pm_wakeup_event(&gphy->dev, 0);
+ pm_wakeup_event(dev, 0);
return IRQ_HANDLED;
}
@@ -437,7 +437,7 @@ static int brcm_usb_phy_dvr_init(struct platform_device *pdev,
if (priv->wake_irq >= 0) {
err = devm_request_irq(dev, priv->wake_irq,
brcm_usb_phy_wake_isr, 0,
- dev_name(dev), gphy);
+ dev_name(dev), dev);
if (err < 0)
return err;
device_set_wakeup_capable(dev, 1);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 414/783] include/uapi/linux/swab: Fix potentially missing __always_inline
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (412 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 413/783] phy: usb: s2 WoL wakeup_count not incremented for USB->Eth devices Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 415/783] pwm: tegra: Improve required rate calculation Greg Kroah-Hartman
` (378 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matt Redfearn, Florian Fainelli,
Arnd Bergmann, Nathan Chancellor, Petr Vaněk, Sasha Levin
From: Matt Redfearn <matt.redfearn@mips.com>
[ Upstream commit defbab270d45e32b068e7e73c3567232d745c60f ]
Commit bc27fb68aaad ("include/uapi/linux/byteorder, swab: force inlining
of some byteswap operations") added __always_inline to swab functions
and commit 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to
userspace headers") added a definition of __always_inline for use in
exported headers when the kernel's compiler.h is not available.
However, since swab.h does not include stddef.h, if the header soup does
not indirectly include it, the definition of __always_inline is missing,
resulting in a compilation failure, which was observed compiling the
perf tool using exported headers containing this commit:
In file included from /usr/include/linux/byteorder/little_endian.h:12:0,
from /usr/include/asm/byteorder.h:14,
from tools/include/uapi/linux/perf_event.h:20,
from perf.h:8,
from builtin-bench.c:18:
/usr/include/linux/swab.h:160:8: error: unknown type name `__always_inline'
static __always_inline __u16 __swab16p(const __u16 *p)
Fix this by replacing the inclusion of linux/compiler.h with
linux/stddef.h to ensure that we pick up that definition if required,
without relying on it's indirect inclusion. compiler.h is then included
indirectly, via stddef.h.
Fixes: 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to userspace headers")
Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Petr Vaněk <arkamar@atlas.cz>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/swab.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h
index 7272f85d6d6a..3736f2fe1541 100644
--- a/include/uapi/linux/swab.h
+++ b/include/uapi/linux/swab.h
@@ -3,7 +3,7 @@
#define _UAPI_LINUX_SWAB_H
#include <linux/types.h>
-#include <linux/compiler.h>
+#include <linux/stddef.h>
#include <asm/bitsperlong.h>
#include <asm/swab.h>
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 415/783] pwm: tegra: Improve required rate calculation
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (413 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 414/783] include/uapi/linux/swab: Fix potentially missing __always_inline Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 416/783] dmaengine: idxd: Fix crc_val field for completion record Greg Kroah-Hartman
` (377 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jon Hunter, Uwe Kleine-König,
Thierry Reding, Sasha Levin
From: Jon Hunter <jonathanh@nvidia.com>
[ Upstream commit f271946117dde2ca8741b8138b347b2d68e6ad56 ]
For the case where dev_pm_opp_set_rate() is called to set the PWM clock
rate, the requested rate is calculated as ...
required_clk_rate = (NSEC_PER_SEC / period_ns) << PWM_DUTY_WIDTH;
The above calculation may lead to rounding errors because the
NSEC_PER_SEC is divided by 'period_ns' before applying the
PWM_DUTY_WIDTH multiplication factor. For example, if the period is
45334ns, the above calculation yields a rate of 5646848Hz instead of
5646976Hz. Fix this by applying the multiplication factor before
dividing and using the DIV_ROUND_UP macro which yields the expected
result of 5646976Hz.
Fixes: 1d7796bdb63a ("pwm: tegra: Support dynamic clock frequency configuration")
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-tegra.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/pwm/pwm-tegra.c b/drivers/pwm/pwm-tegra.c
index 8c4e6657b61e..36cc1452cb7a 100644
--- a/drivers/pwm/pwm-tegra.c
+++ b/drivers/pwm/pwm-tegra.c
@@ -142,8 +142,8 @@ static int tegra_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
* source clock rate as required_clk_rate, PWM controller will
* be able to configure the requested period.
*/
- required_clk_rate =
- (NSEC_PER_SEC / period_ns) << PWM_DUTY_WIDTH;
+ required_clk_rate = DIV_ROUND_UP_ULL(NSEC_PER_SEC << PWM_DUTY_WIDTH,
+ period_ns);
err = clk_set_rate(pc->clk, required_clk_rate);
if (err < 0)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 416/783] dmaengine: idxd: Fix crc_val field for completion record
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (414 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 415/783] pwm: tegra: Improve required rate calculation Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 417/783] rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0 Greg Kroah-Hartman
` (376 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nirav N Shah, Fenghua Yu,
Dave Jiang, Vinod Koul, Sasha Levin
From: Fenghua Yu <fenghua.yu@intel.com>
[ Upstream commit dc901d98b1fe6e52ab81cd3e0879379168e06daa ]
The crc_val in the completion record should be 64 bits and not 32 bits.
Fixes: 4ac823e9cd85 ("dmaengine: idxd: fix delta_rec and crc size field for completion record")
Reported-by: Nirav N Shah <nirav.n.shah@intel.com>
Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/20221111012715.2031481-1-fenghua.yu@intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/idxd.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/idxd.h b/include/uapi/linux/idxd.h
index 9d9ecc0f4c38..f086c5579006 100644
--- a/include/uapi/linux/idxd.h
+++ b/include/uapi/linux/idxd.h
@@ -188,7 +188,7 @@ struct dsa_completion_record {
};
uint32_t delta_rec_size;
- uint32_t crc_val;
+ uint64_t crc_val;
/* DIF check & strip */
struct {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 417/783] rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (415 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 416/783] dmaengine: idxd: Fix crc_val field for completion record Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 418/783] rtc: cmos: Fix event handler registration ordering issue Greg Kroah-Hartman
` (375 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki,
Mario Limonciello, Alexandre Belloni, Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 6492fed7d8c95f53b0b804ef541324d924d95d41 ]
The ACPI_FADT_LOW_POWER_S0 flag merely means that it is better to
use low-power S0 idle on the given platform than S3 (provided that
the latter is supported) and it doesn't preclude using either of
them (which of them will be used depends on the choices made by user
space).
For this reason, there is no benefit from checking that flag in
use_acpi_alarm_quirks().
First off, it cannot be a bug to do S3 with use_acpi_alarm set,
because S3 can be used on systems with ACPI_FADT_LOW_POWER_S0 and it
must work if really supported, so the ACPI_FADT_LOW_POWER_S0 check is
not needed to protect the S3-capable systems from failing.
Second, suspend-to-idle can be carried out on a system with
ACPI_FADT_LOW_POWER_S0 unset and it is expected to work, so if setting
use_acpi_alarm is needed to handle that case correctly, it should be
set regardless of the ACPI_FADT_LOW_POWER_S0 value.
Accordingly, drop the ACPI_FADT_LOW_POWER_S0 check from
use_acpi_alarm_quirks().
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/12054246.O9o76ZdvQC@kreacher
Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-cmos.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index d4f6c4dd42c4..19bc1d8a5de5 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -1265,9 +1265,6 @@ static void use_acpi_alarm_quirks(void)
if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
return;
- if (!(acpi_gbl_FADT.flags & ACPI_FADT_LOW_POWER_S0))
- return;
-
if (!is_hpet_enabled())
return;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 418/783] rtc: cmos: Fix event handler registration ordering issue
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (416 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 417/783] rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0 Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 419/783] rtc: cmos: Fix wake alarm breakage Greg Kroah-Hartman
` (374 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mel Gorman, Rafael J. Wysocki,
Bjorn Helgaas, Alexandre Belloni, Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 4919d3eb2ec0ee364f7e3cf2d99646c1b224fae8 ]
Because acpi_install_fixed_event_handler() enables the event
automatically on success, it is incorrect to call it before the
handler routine passed to it is ready to handle events.
Unfortunately, the rtc-cmos driver does exactly the incorrect thing
by calling cmos_wake_setup(), which passes rtc_handler() to
acpi_install_fixed_event_handler(), before cmos_do_probe(), because
rtc_handler() uses dev_get_drvdata() to get to the cmos object
pointer and the driver data pointer is only populated in
cmos_do_probe().
This leads to a NULL pointer dereference in rtc_handler() on boot
if the RTC fixed event happens to be active at the init time.
To address this issue, change the initialization ordering of the
driver so that cmos_wake_setup() is always called after a successful
cmos_do_probe() call.
While at it, change cmos_pnp_probe() to call cmos_do_probe() after
the initial if () statement used for computing the IRQ argument to
be passed to cmos_do_probe() which is cleaner than calling it in
each branch of that if () (local variable "irq" can be of type int,
because it is passed to that function as an argument of type int).
Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check
ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number
of systems, because previously it only affected systems with
ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that
commit.
Fixes: 6492fed7d8c9 ("rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0")
Fixes: a474aaedac99 ("rtc-cmos: move wake setup from ACPI glue into RTC driver")
Link: https://lore.kernel.org/linux-acpi/20221010141630.zfzi7mk7zvnmclzy@techsingularity.net/
Reported-by: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
Tested-by: Mel Gorman <mgorman@techsingularity.net>
Link: https://lore.kernel.org/r/5629262.DvuYhMxLoT@kreacher
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-cmos.c | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index 19bc1d8a5de5..449818732acf 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -1357,10 +1357,10 @@ static void cmos_check_acpi_rtc_status(struct device *dev,
static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
{
- cmos_wake_setup(&pnp->dev);
+ int irq, ret;
if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) {
- unsigned int irq = 0;
+ irq = 0;
#ifdef CONFIG_X86
/* Some machines contain a PNP entry for the RTC, but
* don't define the IRQ. It should always be safe to
@@ -1369,13 +1369,17 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
if (nr_legacy_irqs())
irq = RTC_IRQ;
#endif
- return cmos_do_probe(&pnp->dev,
- pnp_get_resource(pnp, IORESOURCE_IO, 0), irq);
} else {
- return cmos_do_probe(&pnp->dev,
- pnp_get_resource(pnp, IORESOURCE_IO, 0),
- pnp_irq(pnp, 0));
+ irq = pnp_irq(pnp, 0);
}
+
+ ret = cmos_do_probe(&pnp->dev, pnp_get_resource(pnp, IORESOURCE_IO, 0), irq);
+ if (ret)
+ return ret;
+
+ cmos_wake_setup(&pnp->dev);
+
+ return 0;
}
static void cmos_pnp_remove(struct pnp_dev *pnp)
@@ -1459,10 +1463,9 @@ static inline void cmos_of_init(struct platform_device *pdev) {}
static int __init cmos_platform_probe(struct platform_device *pdev)
{
struct resource *resource;
- int irq;
+ int irq, ret;
cmos_of_init(pdev);
- cmos_wake_setup(&pdev->dev);
if (RTC_IOMAPPED)
resource = platform_get_resource(pdev, IORESOURCE_IO, 0);
@@ -1472,7 +1475,13 @@ static int __init cmos_platform_probe(struct platform_device *pdev)
if (irq < 0)
irq = -1;
- return cmos_do_probe(&pdev->dev, resource, irq);
+ ret = cmos_do_probe(&pdev->dev, resource, irq);
+ if (ret)
+ return ret;
+
+ cmos_wake_setup(&pdev->dev);
+
+ return 0;
}
static int cmos_platform_remove(struct platform_device *pdev)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 419/783] rtc: cmos: Fix wake alarm breakage
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (417 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 418/783] rtc: cmos: Fix event handler registration ordering issue Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 420/783] rtc: cmos: fix build on non-ACPI platforms Greg Kroah-Hartman
` (373 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Rui, Todd Brandt,
Rafael J. Wysocki, Alexandre Belloni, Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 0782b66ed2fbb035dda76111df0954515e417b24 ]
Commit 4919d3eb2ec0 ("rtc: cmos: Fix event handler registration
ordering issue") overlooked the fact that cmos_do_probe() depended
on the preparations carried out by cmos_wake_setup() and the wake
alarm stopped working after the ordering of them had been changed.
Address this by partially reverting commit 4919d3eb2ec0 so that
cmos_wake_setup() is called before cmos_do_probe() again and moving
the rtc_wake_setup() invocation from cmos_wake_setup() directly to the
callers of cmos_do_probe() where it will happen after a successful
completion of the latter.
Fixes: 4919d3eb2ec0 ("rtc: cmos: Fix event handler registration ordering issue")
Reported-by: Zhang Rui <rui.zhang@intel.com>
Reported-by: Todd Brandt <todd.e.brandt@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/5887691.lOV4Wx5bFT@kreacher
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-cmos.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index 449818732acf..426e6a67cc38 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -1238,6 +1238,9 @@ static u32 rtc_handler(void *context)
static inline void rtc_wake_setup(struct device *dev)
{
+ if (acpi_disabled)
+ return;
+
acpi_install_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler, dev);
/*
* After the RTC handler is installed, the Fixed_RTC event should
@@ -1291,7 +1294,6 @@ static void cmos_wake_setup(struct device *dev)
use_acpi_alarm_quirks();
- rtc_wake_setup(dev);
acpi_rtc_info.wake_on = rtc_wake_on;
acpi_rtc_info.wake_off = rtc_wake_off;
@@ -1359,6 +1361,8 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
{
int irq, ret;
+ cmos_wake_setup(&pnp->dev);
+
if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) {
irq = 0;
#ifdef CONFIG_X86
@@ -1377,7 +1381,7 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
if (ret)
return ret;
- cmos_wake_setup(&pnp->dev);
+ rtc_wake_setup(&pnp->dev);
return 0;
}
@@ -1466,6 +1470,7 @@ static int __init cmos_platform_probe(struct platform_device *pdev)
int irq, ret;
cmos_of_init(pdev);
+ cmos_wake_setup(&pdev->dev);
if (RTC_IOMAPPED)
resource = platform_get_resource(pdev, IORESOURCE_IO, 0);
@@ -1479,7 +1484,7 @@ static int __init cmos_platform_probe(struct platform_device *pdev)
if (ret)
return ret;
- cmos_wake_setup(&pdev->dev);
+ rtc_wake_setup(&pdev->dev);
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 420/783] rtc: cmos: fix build on non-ACPI platforms
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (418 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 419/783] rtc: cmos: Fix wake alarm breakage Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 421/783] rtc: cmos: Call cmos_wake_setup() from cmos_do_probe() Greg Kroah-Hartman
` (372 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot,
Alexandre Belloni, Sasha Levin
From: Alexandre Belloni <alexandre.belloni@bootlin.com>
[ Upstream commit db4e955ae333567dea02822624106c0b96a2f84f ]
Now that rtc_wake_setup is called outside of cmos_wake_setup, it also need
to be defined on non-ACPI platforms.
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/r/20221018203512.2532407-1-alexandre.belloni@bootlin.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-cmos.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index 426e6a67cc38..ff556a93a397 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -1351,6 +1351,9 @@ static void cmos_check_acpi_rtc_status(struct device *dev,
{
}
+static void rtc_wake_setup(struct device *dev)
+{
+}
#endif
#ifdef CONFIG_PNP
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 421/783] rtc: cmos: Call cmos_wake_setup() from cmos_do_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (419 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 420/783] rtc: cmos: fix build on non-ACPI platforms Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 422/783] rtc: cmos: Call rtc_wake_setup() " Greg Kroah-Hartman
` (371 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Zhang Rui,
Andy Shevchenko, Alexandre Belloni, Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 508ccdfb86b21da37ad091003a4d4567709d5dfb ]
Notice that cmos_wake_setup() is the only user of acpi_rtc_info and it
can operate on the cmos_rtc variable directly, so it need not set the
platform_data pointer before cmos_do_probe() is called. Instead, it
can be called by cmos_do_probe() in the case when the platform_data
pointer is not set to implement the default behavior (which is to use
the FADT information as long as ACPI support is enabled).
Modify the code accordingly.
While at it, drop a comment that doesn't really match the code it is
supposed to be describing.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Zhang Rui <rui.zhang@intel.com>
Tested-by: Zhang Rui <rui.zhang@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/4803444.31r3eYUQgx@kreacher
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-cmos.c | 47 ++++++++++++++++++++----------------------
1 file changed, 22 insertions(+), 25 deletions(-)
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index ff556a93a397..c292af30d4fd 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -750,6 +750,8 @@ static irqreturn_t cmos_interrupt(int irq, void *p)
return IRQ_NONE;
}
+static void cmos_wake_setup(struct device *dev);
+
#ifdef CONFIG_PNP
#define INITSECTION
@@ -833,19 +835,27 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
if (info->address_space)
address_space = info->address_space;
- if (info->rtc_day_alarm && info->rtc_day_alarm < 128)
- cmos_rtc.day_alrm = info->rtc_day_alarm;
- if (info->rtc_mon_alarm && info->rtc_mon_alarm < 128)
- cmos_rtc.mon_alrm = info->rtc_mon_alarm;
- if (info->rtc_century && info->rtc_century < 128)
- cmos_rtc.century = info->rtc_century;
+ cmos_rtc.day_alrm = info->rtc_day_alarm;
+ cmos_rtc.mon_alrm = info->rtc_mon_alarm;
+ cmos_rtc.century = info->rtc_century;
if (info->wake_on && info->wake_off) {
cmos_rtc.wake_on = info->wake_on;
cmos_rtc.wake_off = info->wake_off;
}
+ } else {
+ cmos_wake_setup(dev);
}
+ if (cmos_rtc.day_alrm >= 128)
+ cmos_rtc.day_alrm = 0;
+
+ if (cmos_rtc.mon_alrm >= 128)
+ cmos_rtc.mon_alrm = 0;
+
+ if (cmos_rtc.century >= 128)
+ cmos_rtc.century = 0;
+
cmos_rtc.dev = dev;
dev_set_drvdata(dev, &cmos_rtc);
@@ -1280,13 +1290,6 @@ static void use_acpi_alarm_quirks(void)
static inline void use_acpi_alarm_quirks(void) { }
#endif
-/* Every ACPI platform has a mc146818 compatible "cmos rtc". Here we find
- * its device node and pass extra config data. This helps its driver use
- * capabilities that the now-obsolete mc146818 didn't have, and informs it
- * that this board's RTC is wakeup-capable (per ACPI spec).
- */
-static struct cmos_rtc_board_info acpi_rtc_info;
-
static void cmos_wake_setup(struct device *dev)
{
if (acpi_disabled)
@@ -1294,26 +1297,23 @@ static void cmos_wake_setup(struct device *dev)
use_acpi_alarm_quirks();
- acpi_rtc_info.wake_on = rtc_wake_on;
- acpi_rtc_info.wake_off = rtc_wake_off;
+ cmos_rtc.wake_on = rtc_wake_on;
+ cmos_rtc.wake_off = rtc_wake_off;
- /* workaround bug in some ACPI tables */
+ /* ACPI tables bug workaround. */
if (acpi_gbl_FADT.month_alarm && !acpi_gbl_FADT.day_alarm) {
dev_dbg(dev, "bogus FADT month_alarm (%d)\n",
acpi_gbl_FADT.month_alarm);
acpi_gbl_FADT.month_alarm = 0;
}
- acpi_rtc_info.rtc_day_alarm = acpi_gbl_FADT.day_alarm;
- acpi_rtc_info.rtc_mon_alarm = acpi_gbl_FADT.month_alarm;
- acpi_rtc_info.rtc_century = acpi_gbl_FADT.century;
+ cmos_rtc.day_alrm = acpi_gbl_FADT.day_alarm;
+ cmos_rtc.mon_alrm = acpi_gbl_FADT.month_alarm;
+ cmos_rtc.century = acpi_gbl_FADT.century;
- /* NOTE: S4_RTC_WAKE is NOT currently useful to Linux */
if (acpi_gbl_FADT.flags & ACPI_FADT_S4_RTC_WAKE)
dev_info(dev, "RTC can wake from S4\n");
- dev->platform_data = &acpi_rtc_info;
-
/* RTC always wakes from S1/S2/S3, and often S4/STD */
device_init_wakeup(dev, 1);
}
@@ -1364,8 +1364,6 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
{
int irq, ret;
- cmos_wake_setup(&pnp->dev);
-
if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) {
irq = 0;
#ifdef CONFIG_X86
@@ -1473,7 +1471,6 @@ static int __init cmos_platform_probe(struct platform_device *pdev)
int irq, ret;
cmos_of_init(pdev);
- cmos_wake_setup(&pdev->dev);
if (RTC_IOMAPPED)
resource = platform_get_resource(pdev, IORESOURCE_IO, 0);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 422/783] rtc: cmos: Call rtc_wake_setup() from cmos_do_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (420 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 421/783] rtc: cmos: Call cmos_wake_setup() from cmos_do_probe() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 423/783] rtc: cmos: Eliminate forward declarations of some functions Greg Kroah-Hartman
` (370 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Zhang Rui,
Andy Shevchenko, Alexandre Belloni, Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 375bbba09692fe4c5218eddee8e312dd733fa846 ]
To reduce code duplication, move the invocation of rtc_wake_setup()
into cmos_do_probe() and simplify the callers of the latter.
No intentional functional impact.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Zhang Rui <rui.zhang@intel.com>
Tested-by: Zhang Rui <rui.zhang@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/2143522.irdbgypaU6@kreacher
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-cmos.c | 28 ++++++++++++----------------
1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index c292af30d4fd..445089cad471 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -750,6 +750,7 @@ static irqreturn_t cmos_interrupt(int irq, void *p)
return IRQ_NONE;
}
+static inline void rtc_wake_setup(struct device *dev);
static void cmos_wake_setup(struct device *dev);
#ifdef CONFIG_PNP
@@ -943,6 +944,13 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
if (rtc_nvmem_register(cmos_rtc.rtc, &nvmem_cfg))
dev_err(dev, "nvmem registration failed\n");
+ /*
+ * Everything has gone well so far, so by default register a handler for
+ * the ACPI RTC fixed event.
+ */
+ if (!info)
+ rtc_wake_setup(dev);
+
dev_info(dev, "%s%s, %d bytes nvram%s\n",
!is_valid_irq(rtc_irq) ? "no alarms" :
cmos_rtc.mon_alrm ? "alarms up to one year" :
@@ -1362,7 +1370,7 @@ static void rtc_wake_setup(struct device *dev)
static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
{
- int irq, ret;
+ int irq;
if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) {
irq = 0;
@@ -1378,13 +1386,7 @@ static int cmos_pnp_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
irq = pnp_irq(pnp, 0);
}
- ret = cmos_do_probe(&pnp->dev, pnp_get_resource(pnp, IORESOURCE_IO, 0), irq);
- if (ret)
- return ret;
-
- rtc_wake_setup(&pnp->dev);
-
- return 0;
+ return cmos_do_probe(&pnp->dev, pnp_get_resource(pnp, IORESOURCE_IO, 0), irq);
}
static void cmos_pnp_remove(struct pnp_dev *pnp)
@@ -1468,7 +1470,7 @@ static inline void cmos_of_init(struct platform_device *pdev) {}
static int __init cmos_platform_probe(struct platform_device *pdev)
{
struct resource *resource;
- int irq, ret;
+ int irq;
cmos_of_init(pdev);
@@ -1480,13 +1482,7 @@ static int __init cmos_platform_probe(struct platform_device *pdev)
if (irq < 0)
irq = -1;
- ret = cmos_do_probe(&pdev->dev, resource, irq);
- if (ret)
- return ret;
-
- rtc_wake_setup(&pdev->dev);
-
- return 0;
+ return cmos_do_probe(&pdev->dev, resource, irq);
}
static int cmos_platform_remove(struct platform_device *pdev)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 423/783] rtc: cmos: Eliminate forward declarations of some functions
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (421 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 422/783] rtc: cmos: Call rtc_wake_setup() " Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 424/783] rtc: cmos: Rename ACPI-related functions Greg Kroah-Hartman
` (369 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Zhang Rui,
Andy Shevchenko, Alexandre Belloni, Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit dca4d3b71c8a09a16951add656711fbd6f5bfbb0 ]
Reorder the ACPI-related code before cmos_do_probe() so as to eliminate
excessive forward declarations of some functions.
While at it, for consistency, add the inline modifier to the
definitions of empty stub static funtions and remove it from the
corresponding definitions of functions with non-empty bodies.
No intentional functional impact.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Zhang Rui <rui.zhang@intel.com>
Tested-by: Zhang Rui <rui.zhang@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/13157911.uLZWGnKmhe@kreacher
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-cmos.c | 304 ++++++++++++++++++++---------------------
1 file changed, 149 insertions(+), 155 deletions(-)
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index 445089cad471..541cdae587eb 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -750,8 +750,155 @@ static irqreturn_t cmos_interrupt(int irq, void *p)
return IRQ_NONE;
}
-static inline void rtc_wake_setup(struct device *dev);
-static void cmos_wake_setup(struct device *dev);
+#ifdef CONFIG_ACPI
+
+#include <linux/acpi.h>
+
+static u32 rtc_handler(void *context)
+{
+ struct device *dev = context;
+ struct cmos_rtc *cmos = dev_get_drvdata(dev);
+ unsigned char rtc_control = 0;
+ unsigned char rtc_intr;
+ unsigned long flags;
+
+
+ /*
+ * Always update rtc irq when ACPI is used as RTC Alarm.
+ * Or else, ACPI SCI is enabled during suspend/resume only,
+ * update rtc irq in that case.
+ */
+ if (cmos_use_acpi_alarm())
+ cmos_interrupt(0, (void *)cmos->rtc);
+ else {
+ /* Fix me: can we use cmos_interrupt() here as well? */
+ spin_lock_irqsave(&rtc_lock, flags);
+ if (cmos_rtc.suspend_ctrl)
+ rtc_control = CMOS_READ(RTC_CONTROL);
+ if (rtc_control & RTC_AIE) {
+ cmos_rtc.suspend_ctrl &= ~RTC_AIE;
+ CMOS_WRITE(rtc_control, RTC_CONTROL);
+ rtc_intr = CMOS_READ(RTC_INTR_FLAGS);
+ rtc_update_irq(cmos->rtc, 1, rtc_intr);
+ }
+ spin_unlock_irqrestore(&rtc_lock, flags);
+ }
+
+ pm_wakeup_hard_event(dev);
+ acpi_clear_event(ACPI_EVENT_RTC);
+ acpi_disable_event(ACPI_EVENT_RTC, 0);
+ return ACPI_INTERRUPT_HANDLED;
+}
+
+static void rtc_wake_setup(struct device *dev)
+{
+ if (acpi_disabled)
+ return;
+
+ acpi_install_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler, dev);
+ /*
+ * After the RTC handler is installed, the Fixed_RTC event should
+ * be disabled. Only when the RTC alarm is set will it be enabled.
+ */
+ acpi_clear_event(ACPI_EVENT_RTC);
+ acpi_disable_event(ACPI_EVENT_RTC, 0);
+}
+
+static void rtc_wake_on(struct device *dev)
+{
+ acpi_clear_event(ACPI_EVENT_RTC);
+ acpi_enable_event(ACPI_EVENT_RTC, 0);
+}
+
+static void rtc_wake_off(struct device *dev)
+{
+ acpi_disable_event(ACPI_EVENT_RTC, 0);
+}
+
+#ifdef CONFIG_X86
+/* Enable use_acpi_alarm mode for Intel platforms no earlier than 2015 */
+static void use_acpi_alarm_quirks(void)
+{
+ if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
+ return;
+
+ if (!is_hpet_enabled())
+ return;
+
+ if (dmi_get_bios_year() < 2015)
+ return;
+
+ use_acpi_alarm = true;
+}
+#else
+static inline void use_acpi_alarm_quirks(void) { }
+#endif
+
+static void cmos_wake_setup(struct device *dev)
+{
+ if (acpi_disabled)
+ return;
+
+ use_acpi_alarm_quirks();
+
+ cmos_rtc.wake_on = rtc_wake_on;
+ cmos_rtc.wake_off = rtc_wake_off;
+
+ /* ACPI tables bug workaround. */
+ if (acpi_gbl_FADT.month_alarm && !acpi_gbl_FADT.day_alarm) {
+ dev_dbg(dev, "bogus FADT month_alarm (%d)\n",
+ acpi_gbl_FADT.month_alarm);
+ acpi_gbl_FADT.month_alarm = 0;
+ }
+
+ cmos_rtc.day_alrm = acpi_gbl_FADT.day_alarm;
+ cmos_rtc.mon_alrm = acpi_gbl_FADT.month_alarm;
+ cmos_rtc.century = acpi_gbl_FADT.century;
+
+ if (acpi_gbl_FADT.flags & ACPI_FADT_S4_RTC_WAKE)
+ dev_info(dev, "RTC can wake from S4\n");
+
+ /* RTC always wakes from S1/S2/S3, and often S4/STD */
+ device_init_wakeup(dev, 1);
+}
+
+static void cmos_check_acpi_rtc_status(struct device *dev,
+ unsigned char *rtc_control)
+{
+ struct cmos_rtc *cmos = dev_get_drvdata(dev);
+ acpi_event_status rtc_status;
+ acpi_status status;
+
+ if (acpi_gbl_FADT.flags & ACPI_FADT_FIXED_RTC)
+ return;
+
+ status = acpi_get_event_status(ACPI_EVENT_RTC, &rtc_status);
+ if (ACPI_FAILURE(status)) {
+ dev_err(dev, "Could not get RTC status\n");
+ } else if (rtc_status & ACPI_EVENT_FLAG_SET) {
+ unsigned char mask;
+ *rtc_control &= ~RTC_AIE;
+ CMOS_WRITE(*rtc_control, RTC_CONTROL);
+ mask = CMOS_READ(RTC_INTR_FLAGS);
+ rtc_update_irq(cmos->rtc, 1, mask);
+ }
+}
+
+#else /* !CONFIG_ACPI */
+
+static inline void rtc_wake_setup(struct device *dev)
+{
+}
+
+static inline void cmos_wake_setup(struct device *dev)
+{
+}
+
+static inline void cmos_check_acpi_rtc_status(struct device *dev,
+ unsigned char *rtc_control)
+{
+}
+#endif /* CONFIG_ACPI */
#ifdef CONFIG_PNP
#define INITSECTION
@@ -1145,9 +1292,6 @@ static void cmos_check_wkalrm(struct device *dev)
}
}
-static void cmos_check_acpi_rtc_status(struct device *dev,
- unsigned char *rtc_control);
-
static int __maybe_unused cmos_resume(struct device *dev)
{
struct cmos_rtc *cmos = dev_get_drvdata(dev);
@@ -1214,156 +1358,6 @@ static SIMPLE_DEV_PM_OPS(cmos_pm_ops, cmos_suspend, cmos_resume);
* predate even PNPBIOS should set up platform_bus devices.
*/
-#ifdef CONFIG_ACPI
-
-#include <linux/acpi.h>
-
-static u32 rtc_handler(void *context)
-{
- struct device *dev = context;
- struct cmos_rtc *cmos = dev_get_drvdata(dev);
- unsigned char rtc_control = 0;
- unsigned char rtc_intr;
- unsigned long flags;
-
-
- /*
- * Always update rtc irq when ACPI is used as RTC Alarm.
- * Or else, ACPI SCI is enabled during suspend/resume only,
- * update rtc irq in that case.
- */
- if (cmos_use_acpi_alarm())
- cmos_interrupt(0, (void *)cmos->rtc);
- else {
- /* Fix me: can we use cmos_interrupt() here as well? */
- spin_lock_irqsave(&rtc_lock, flags);
- if (cmos_rtc.suspend_ctrl)
- rtc_control = CMOS_READ(RTC_CONTROL);
- if (rtc_control & RTC_AIE) {
- cmos_rtc.suspend_ctrl &= ~RTC_AIE;
- CMOS_WRITE(rtc_control, RTC_CONTROL);
- rtc_intr = CMOS_READ(RTC_INTR_FLAGS);
- rtc_update_irq(cmos->rtc, 1, rtc_intr);
- }
- spin_unlock_irqrestore(&rtc_lock, flags);
- }
-
- pm_wakeup_hard_event(dev);
- acpi_clear_event(ACPI_EVENT_RTC);
- acpi_disable_event(ACPI_EVENT_RTC, 0);
- return ACPI_INTERRUPT_HANDLED;
-}
-
-static inline void rtc_wake_setup(struct device *dev)
-{
- if (acpi_disabled)
- return;
-
- acpi_install_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler, dev);
- /*
- * After the RTC handler is installed, the Fixed_RTC event should
- * be disabled. Only when the RTC alarm is set will it be enabled.
- */
- acpi_clear_event(ACPI_EVENT_RTC);
- acpi_disable_event(ACPI_EVENT_RTC, 0);
-}
-
-static void rtc_wake_on(struct device *dev)
-{
- acpi_clear_event(ACPI_EVENT_RTC);
- acpi_enable_event(ACPI_EVENT_RTC, 0);
-}
-
-static void rtc_wake_off(struct device *dev)
-{
- acpi_disable_event(ACPI_EVENT_RTC, 0);
-}
-
-#ifdef CONFIG_X86
-/* Enable use_acpi_alarm mode for Intel platforms no earlier than 2015 */
-static void use_acpi_alarm_quirks(void)
-{
- if (boot_cpu_data.x86_vendor != X86_VENDOR_INTEL)
- return;
-
- if (!is_hpet_enabled())
- return;
-
- if (dmi_get_bios_year() < 2015)
- return;
-
- use_acpi_alarm = true;
-}
-#else
-static inline void use_acpi_alarm_quirks(void) { }
-#endif
-
-static void cmos_wake_setup(struct device *dev)
-{
- if (acpi_disabled)
- return;
-
- use_acpi_alarm_quirks();
-
- cmos_rtc.wake_on = rtc_wake_on;
- cmos_rtc.wake_off = rtc_wake_off;
-
- /* ACPI tables bug workaround. */
- if (acpi_gbl_FADT.month_alarm && !acpi_gbl_FADT.day_alarm) {
- dev_dbg(dev, "bogus FADT month_alarm (%d)\n",
- acpi_gbl_FADT.month_alarm);
- acpi_gbl_FADT.month_alarm = 0;
- }
-
- cmos_rtc.day_alrm = acpi_gbl_FADT.day_alarm;
- cmos_rtc.mon_alrm = acpi_gbl_FADT.month_alarm;
- cmos_rtc.century = acpi_gbl_FADT.century;
-
- if (acpi_gbl_FADT.flags & ACPI_FADT_S4_RTC_WAKE)
- dev_info(dev, "RTC can wake from S4\n");
-
- /* RTC always wakes from S1/S2/S3, and often S4/STD */
- device_init_wakeup(dev, 1);
-}
-
-static void cmos_check_acpi_rtc_status(struct device *dev,
- unsigned char *rtc_control)
-{
- struct cmos_rtc *cmos = dev_get_drvdata(dev);
- acpi_event_status rtc_status;
- acpi_status status;
-
- if (acpi_gbl_FADT.flags & ACPI_FADT_FIXED_RTC)
- return;
-
- status = acpi_get_event_status(ACPI_EVENT_RTC, &rtc_status);
- if (ACPI_FAILURE(status)) {
- dev_err(dev, "Could not get RTC status\n");
- } else if (rtc_status & ACPI_EVENT_FLAG_SET) {
- unsigned char mask;
- *rtc_control &= ~RTC_AIE;
- CMOS_WRITE(*rtc_control, RTC_CONTROL);
- mask = CMOS_READ(RTC_INTR_FLAGS);
- rtc_update_irq(cmos->rtc, 1, mask);
- }
-}
-
-#else
-
-static void cmos_wake_setup(struct device *dev)
-{
-}
-
-static void cmos_check_acpi_rtc_status(struct device *dev,
- unsigned char *rtc_control)
-{
-}
-
-static void rtc_wake_setup(struct device *dev)
-{
-}
-#endif
-
#ifdef CONFIG_PNP
#include <linux/pnp.h>
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 424/783] rtc: cmos: Rename ACPI-related functions
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (422 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 423/783] rtc: cmos: Eliminate forward declarations of some functions Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 425/783] rtc: cmos: Disable ACPI RTC event on removal Greg Kroah-Hartman
` (368 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Zhang Rui,
Andy Shevchenko, Alexandre Belloni, Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit d13e9ad9f5146f066a5c5a1cc993d09e4fb21ead ]
The names of rtc_wake_setup() and cmos_wake_setup() don't indicate
that these functions are ACPI-related, which is the case, and the
former doesn't really reflect the role of the function.
Rename them to acpi_rtc_event_setup() and acpi_cmos_wake_setup(),
respectively, to address this shortcoming.
No intentional functional impact.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Zhang Rui <rui.zhang@intel.com>
Tested-by: Zhang Rui <rui.zhang@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/3225614.44csPzL39Z@kreacher
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-cmos.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index 541cdae587eb..dd05c12dada8 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -790,7 +790,7 @@ static u32 rtc_handler(void *context)
return ACPI_INTERRUPT_HANDLED;
}
-static void rtc_wake_setup(struct device *dev)
+static void acpi_rtc_event_setup(struct device *dev)
{
if (acpi_disabled)
return;
@@ -834,7 +834,7 @@ static void use_acpi_alarm_quirks(void)
static inline void use_acpi_alarm_quirks(void) { }
#endif
-static void cmos_wake_setup(struct device *dev)
+static void acpi_cmos_wake_setup(struct device *dev)
{
if (acpi_disabled)
return;
@@ -886,11 +886,11 @@ static void cmos_check_acpi_rtc_status(struct device *dev,
#else /* !CONFIG_ACPI */
-static inline void rtc_wake_setup(struct device *dev)
+static inline void acpi_rtc_event_setup(struct device *dev)
{
}
-static inline void cmos_wake_setup(struct device *dev)
+static inline void acpi_cmos_wake_setup(struct device *dev)
{
}
@@ -992,7 +992,7 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
cmos_rtc.wake_off = info->wake_off;
}
} else {
- cmos_wake_setup(dev);
+ acpi_cmos_wake_setup(dev);
}
if (cmos_rtc.day_alrm >= 128)
@@ -1096,7 +1096,7 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
* the ACPI RTC fixed event.
*/
if (!info)
- rtc_wake_setup(dev);
+ acpi_rtc_event_setup(dev);
dev_info(dev, "%s%s, %d bytes nvram%s\n",
!is_valid_irq(rtc_irq) ? "no alarms" :
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 425/783] rtc: cmos: Disable ACPI RTC event on removal
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (423 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 424/783] rtc: cmos: Rename ACPI-related functions Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 426/783] rtc: snvs: Allow a time difference on clock register read Greg Kroah-Hartman
` (367 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Zhang Rui,
Andy Shevchenko, Alexandre Belloni, Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 83ebb7b3036d151ee39a4a752018665648fc3bd4 ]
Make cmos_do_remove() drop the ACPI RTC fixed event handler so as to
prevent it from operating on stale data in case the event triggers
after driver removal.
Fixes: 311ee9c151ad ("rtc: cmos: allow using ACPI for RTC alarm instead of HPET")
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Zhang Rui <rui.zhang@intel.com>
Tested-by: Zhang Rui <rui.zhang@intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/2224609.iZASKD2KPV@kreacher
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-cmos.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
index dd05c12dada8..7f560937bf7c 100644
--- a/drivers/rtc/rtc-cmos.c
+++ b/drivers/rtc/rtc-cmos.c
@@ -804,6 +804,14 @@ static void acpi_rtc_event_setup(struct device *dev)
acpi_disable_event(ACPI_EVENT_RTC, 0);
}
+static void acpi_rtc_event_cleanup(void)
+{
+ if (acpi_disabled)
+ return;
+
+ acpi_remove_fixed_event_handler(ACPI_EVENT_RTC, rtc_handler);
+}
+
static void rtc_wake_on(struct device *dev)
{
acpi_clear_event(ACPI_EVENT_RTC);
@@ -890,6 +898,10 @@ static inline void acpi_rtc_event_setup(struct device *dev)
{
}
+static inline void acpi_rtc_event_cleanup(void)
+{
+}
+
static inline void acpi_cmos_wake_setup(struct device *dev)
{
}
@@ -1143,6 +1155,9 @@ static void cmos_do_remove(struct device *dev)
hpet_unregister_irq_handler(cmos_interrupt);
}
+ if (!dev_get_platdata(dev))
+ acpi_rtc_event_cleanup();
+
cmos->rtc = NULL;
ports = cmos->iomem;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 426/783] rtc: snvs: Allow a time difference on clock register read
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (424 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 425/783] rtc: cmos: Disable ACPI RTC event on removal Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 427/783] rtc: pcf85063: Fix reading alarm Greg Kroah-Hartman
` (366 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francesco Dolcini,
Stefan Eichenberger, Francesco Dolcini, Alexandre Belloni,
Sasha Levin
From: Stefan Eichenberger <stefan.eichenberger@toradex.com>
[ Upstream commit 0462681e207ccc44778a77b3297af728b1cf5b9f ]
On an iMX6ULL the following message appears when a wakealarm is set:
echo 0 > /sys/class/rtc/rtc1/wakealarm
rtc rtc1: Timeout trying to get valid LPSRT Counter read
This does not always happen but is reproducible quite often (7 out of 10
times). The problem appears because the iMX6ULL is not able to read the
registers within one 32kHz clock cycle which is the base clock of the
RTC. Therefore, this patch allows a difference of up to 320 cycles
(10ms). 10ms was chosen to be big enough even on systems with less cpu
power (e.g. iMX6ULL). According to the reference manual a difference is
fine:
- If the two consecutive reads are similar, the value is correct.
The values have to be similar, not equal.
Fixes: cd7f3a249dbe ("rtc: snvs: Add timeouts to avoid kernel lockups")
Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Signed-off-by: Stefan Eichenberger <stefan.eichenberger@toradex.com>
Signed-off-by: Francesco Dolcini <francesco@dolcini.it>
Link: https://lore.kernel.org/r/20221106115915.7930-1-francesco@dolcini.it
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-snvs.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/rtc/rtc-snvs.c b/drivers/rtc/rtc-snvs.c
index 0263d996b8a8..cc7f6c4216bc 100644
--- a/drivers/rtc/rtc-snvs.c
+++ b/drivers/rtc/rtc-snvs.c
@@ -32,6 +32,14 @@
#define SNVS_LPPGDR_INIT 0x41736166
#define CNTR_TO_SECS_SH 15
+/* The maximum RTC clock cycles that are allowed to pass between two
+ * consecutive clock counter register reads. If the values are corrupted a
+ * bigger difference is expected. The RTC frequency is 32kHz. With 320 cycles
+ * we end at 10ms which should be enough for most cases. If it once takes
+ * longer than expected we do a retry.
+ */
+#define MAX_RTC_READ_DIFF_CYCLES 320
+
struct snvs_rtc_data {
struct rtc_device *rtc;
struct regmap *regmap;
@@ -56,6 +64,7 @@ static u64 rtc_read_lpsrt(struct snvs_rtc_data *data)
static u32 rtc_read_lp_counter(struct snvs_rtc_data *data)
{
u64 read1, read2;
+ s64 diff;
unsigned int timeout = 100;
/* As expected, the registers might update between the read of the LSB
@@ -66,7 +75,8 @@ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data)
do {
read2 = read1;
read1 = rtc_read_lpsrt(data);
- } while (read1 != read2 && --timeout);
+ diff = read1 - read2;
+ } while (((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout);
if (!timeout)
dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n");
@@ -78,13 +88,15 @@ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data)
static int rtc_read_lp_counter_lsb(struct snvs_rtc_data *data, u32 *lsb)
{
u32 count1, count2;
+ s32 diff;
unsigned int timeout = 100;
regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1);
do {
count2 = count1;
regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1);
- } while (count1 != count2 && --timeout);
+ diff = count1 - count2;
+ } while (((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout);
if (!timeout) {
dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n");
return -ETIMEDOUT;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 427/783] rtc: pcf85063: Fix reading alarm
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (425 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 426/783] rtc: snvs: Allow a time difference on clock register read Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 428/783] iommu/amd: Fix pci device refcount leak in ppr_notifier() Greg Kroah-Hartman
` (365 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Stein, Alexandre Belloni,
Sasha Levin
From: Alexander Stein <alexander.stein@ew.tq-group.com>
[ Upstream commit a6ceee26fd5ed9b5bd37322b1ca88e4548cee4a3 ]
If the alarms are disabled the topmost bit (AEN_*) is set in the alarm
registers. This is also interpreted in BCD number leading to this warning:
rtc rtc0: invalid alarm value: 2022-09-21T80:80:80
Fix this by masking alarm enabling and reserved bits.
Fixes: 05cb3a56ee8c ("rtc: pcf85063: add alarm support")
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Link: https://lore.kernel.org/r/20220921074141.3903104-1-alexander.stein@ew.tq-group.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-pcf85063.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
index 62684ca3a665..d739b0c965aa 100644
--- a/drivers/rtc/rtc-pcf85063.c
+++ b/drivers/rtc/rtc-pcf85063.c
@@ -167,10 +167,10 @@ static int pcf85063_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm)
if (ret)
return ret;
- alrm->time.tm_sec = bcd2bin(buf[0]);
- alrm->time.tm_min = bcd2bin(buf[1]);
- alrm->time.tm_hour = bcd2bin(buf[2]);
- alrm->time.tm_mday = bcd2bin(buf[3]);
+ alrm->time.tm_sec = bcd2bin(buf[0] & 0x7f);
+ alrm->time.tm_min = bcd2bin(buf[1] & 0x7f);
+ alrm->time.tm_hour = bcd2bin(buf[2] & 0x3f);
+ alrm->time.tm_mday = bcd2bin(buf[3] & 0x3f);
ret = regmap_read(pcf85063->regmap, PCF85063_REG_CTRL2, &val);
if (ret)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 428/783] iommu/amd: Fix pci device refcount leak in ppr_notifier()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (426 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 427/783] rtc: pcf85063: Fix reading alarm Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 429/783] iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe() Greg Kroah-Hartman
` (364 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Joerg Roedel, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 6cf0981c2233f97d56938d9d61845383d6eb227c ]
As comment of pci_get_domain_bus_and_slot() says, it returns
a pci device with refcount increment, when finish using it,
the caller must decrement the reference count by calling
pci_dev_put(). So call it before returning from ppr_notifier()
to avoid refcount leak.
Fixes: daae2d25a477 ("iommu/amd: Don't copy GCR3 table root pointer")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20221118093604.216371-1-yangyingliang@huawei.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/amd/iommu_v2.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/iommu/amd/iommu_v2.c b/drivers/iommu/amd/iommu_v2.c
index fb61bdca4c2c..16776e3c6eab 100644
--- a/drivers/iommu/amd/iommu_v2.c
+++ b/drivers/iommu/amd/iommu_v2.c
@@ -587,6 +587,7 @@ static int ppr_notifier(struct notifier_block *nb, unsigned long e, void *data)
put_device_state(dev_state);
out:
+ pci_dev_put(pdev);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 429/783] iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (427 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 428/783] iommu/amd: Fix pci device refcount leak in ppr_notifier() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 430/783] macintosh: fix possible memory leak in macio_add_one_device() Greg Kroah-Hartman
` (363 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Joerg Roedel, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit 73f5fc5f884ad0c5f7d57f66303af64f9f002526 ]
The fsl_pamu_probe() returns directly when create_csd() failed, leaving
irq and memories unreleased.
Fix by jumping to error if create_csd() returns error.
Fixes: 695093e38c3e ("iommu/fsl: Freescale PAMU driver and iommu implementation.")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Link: https://lore.kernel.org/r/20221121082022.19091-1-yuancan@huawei.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/fsl_pamu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iommu/fsl_pamu.c b/drivers/iommu/fsl_pamu.c
index b9a974d97831..25689bdf812e 100644
--- a/drivers/iommu/fsl_pamu.c
+++ b/drivers/iommu/fsl_pamu.c
@@ -1122,7 +1122,7 @@ static int fsl_pamu_probe(struct platform_device *pdev)
ret = create_csd(ppaact_phys, mem_size, csd_port_id);
if (ret) {
dev_err(dev, "could not create coherence subdomain\n");
- return ret;
+ goto error;
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 430/783] macintosh: fix possible memory leak in macio_add_one_device()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (428 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 429/783] iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 431/783] macintosh/macio-adb: check the return value of ioremap() Greg Kroah-Hartman
` (362 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Michael Ellerman,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 5ca86eae55a2f006e6c1edd2029b2cacb6979515 ]
Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
bus_id string array"), the name of device is allocated dynamically. It
needs to be freed when of_device_register() fails. Call put_device() to
give up the reference that's taken in device_initialize(), so that it
can be freed in kobject_cleanup() when the refcount hits 0.
macio device is freed in macio_release_dev(), so the kfree() can be
removed.
Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221104032551.1075335-1-yangyingliang@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/macintosh/macio_asic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/macintosh/macio_asic.c b/drivers/macintosh/macio_asic.c
index 49af60bdac92..7db2e23a5ac8 100644
--- a/drivers/macintosh/macio_asic.c
+++ b/drivers/macintosh/macio_asic.c
@@ -425,7 +425,7 @@ static struct macio_dev * macio_add_one_device(struct macio_chip *chip,
if (of_device_register(&dev->ofdev) != 0) {
printk(KERN_DEBUG"macio: device registration error for %s!\n",
dev_name(&dev->ofdev.dev));
- kfree(dev);
+ put_device(&dev->ofdev.dev);
return NULL;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 431/783] macintosh/macio-adb: check the return value of ioremap()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (429 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 430/783] macintosh: fix possible memory leak in macio_add_one_device() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 432/783] powerpc/52xx: Fix a resource leak in an error handling path Greg Kroah-Hartman
` (361 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hacash Robot, Xie Shaowen,
Michael Ellerman, Sasha Levin
From: Xie Shaowen <studentxswpy@163.com>
[ Upstream commit dbaa3105736d4d73063ea0a3b01cd7fafce924e6 ]
The function ioremap() in macio_init() can fail, so its return value
should be checked.
Fixes: 36874579dbf4c ("[PATCH] powerpc: macio-adb build fix")
Reported-by: Hacash Robot <hacashRobot@santino.com>
Signed-off-by: Xie Shaowen <studentxswpy@163.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220802074148.3213659-1-studentxswpy@163.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/macintosh/macio-adb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/macintosh/macio-adb.c b/drivers/macintosh/macio-adb.c
index d4759db002c6..defe65f51fa2 100644
--- a/drivers/macintosh/macio-adb.c
+++ b/drivers/macintosh/macio-adb.c
@@ -106,6 +106,10 @@ int macio_init(void)
return -ENXIO;
}
adb = ioremap(r.start, sizeof(struct adb_regs));
+ if (!adb) {
+ of_node_put(adbs);
+ return -ENOMEM;
+ }
out_8(&adb->ctrl.r, 0);
out_8(&adb->intr.r, 0);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 432/783] powerpc/52xx: Fix a resource leak in an error handling path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (430 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 431/783] macintosh/macio-adb: check the return value of ioremap() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 433/783] cxl: Fix refcount leak in cxl_calc_capp_routing Greg Kroah-Hartman
` (360 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET,
Michael Ellerman, Sasha Levin
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 5836947613ef33d311b4eff6a32d019580a214f5 ]
The error handling path of mpc52xx_lpbfifo_probe() has a request_irq()
that is not balanced by a corresponding free_irq().
Add the missing call, as already done in the remove function.
Fixes: 3c9059d79f5e ("powerpc/5200: add LocalPlus bus FIFO device driver")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/dec1496d46ccd5311d0f6e9f9ca4238be11bf6a6.1643440531.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c b/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c
index 05e19470d523..22e264bd3ed2 100644
--- a/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c
+++ b/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c
@@ -530,6 +530,7 @@ static int mpc52xx_lpbfifo_probe(struct platform_device *op)
err_bcom_rx_irq:
bcom_gen_bd_rx_release(lpbfifo.bcom_rx_task);
err_bcom_rx:
+ free_irq(lpbfifo.irq, &lpbfifo);
err_irq:
iounmap(lpbfifo.regs);
lpbfifo.regs = NULL;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 433/783] cxl: Fix refcount leak in cxl_calc_capp_routing
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (431 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 432/783] powerpc/52xx: Fix a resource leak in an error handling path Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 434/783] powerpc/xmon: Enable breakpoints on 8xx Greg Kroah-Hartman
` (359 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Andrew Donnellan,
Frederic Barrat, Michael Ellerman, Sasha Levin
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 1d09697ff22908ae487fc8c4fbde1811732be523 ]
of_get_next_parent() returns a node pointer with refcount incremented,
we should use of_node_put() on it when not need anymore.
This function only calls of_node_put() in normal path,
missing it in the error path.
Add missing of_node_put() to avoid refcount leak.
Fixes: f24be42aab37 ("cxl: Add psl9 specific code")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Acked-by: Andrew Donnellan <ajd@linux.ibm.com>
Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220605060038.62217-1-linmq006@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/misc/cxl/pci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/misc/cxl/pci.c b/drivers/misc/cxl/pci.c
index 0ac3f4cb88ac..d183836d80e3 100644
--- a/drivers/misc/cxl/pci.c
+++ b/drivers/misc/cxl/pci.c
@@ -387,6 +387,7 @@ int cxl_calc_capp_routing(struct pci_dev *dev, u64 *chipid,
rc = get_phb_index(np, phb_index);
if (rc) {
pr_err("cxl: invalid phb index\n");
+ of_node_put(np);
return rc;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 434/783] powerpc/xmon: Enable breakpoints on 8xx
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (432 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 433/783] cxl: Fix refcount leak in cxl_calc_capp_routing Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 435/783] powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds Greg Kroah-Hartman
` (358 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Michael Ellerman,
Sasha Levin
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 30662217885d7341161924acf1665924d7d37d64 ]
Since commit 4ad8622dc548 ("powerpc/8xx: Implement hw_breakpoint"),
8xx has breakpoints so there is no reason to opt breakpoint logic
out of xmon for the 8xx.
Fixes: 4ad8622dc548 ("powerpc/8xx: Implement hw_breakpoint")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/b0607f1113d1558e73476bb06db0ee16d31a6e5b.1608716197.git.christophe.leroy@csgroup.eu
Stable-dep-of: 1c4a4a4c8410 ("powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/xmon/xmon.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
index 5559edf36756..c6a36b4045e8 100644
--- a/arch/powerpc/xmon/xmon.c
+++ b/arch/powerpc/xmon/xmon.c
@@ -1383,7 +1383,6 @@ static long check_bp_loc(unsigned long addr)
return 1;
}
-#ifndef CONFIG_PPC_8xx
static int find_free_data_bpt(void)
{
int i;
@@ -1395,7 +1394,6 @@ static int find_free_data_bpt(void)
printf("Couldn't find free breakpoint register\n");
return -1;
}
-#endif
static void print_data_bpts(void)
{
@@ -1435,7 +1433,6 @@ bpt_cmds(void)
cmd = inchar();
switch (cmd) {
-#ifndef CONFIG_PPC_8xx
static const char badaddr[] = "Only kernel addresses are permitted for breakpoints\n";
int mode;
case 'd': /* bd - hardware data breakpoint */
@@ -1497,7 +1494,6 @@ bpt_cmds(void)
force_enable_xmon();
}
break;
-#endif
case 'c':
if (!scanhex(&a)) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 435/783] powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (433 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 434/783] powerpc/xmon: Enable breakpoints on 8xx Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 436/783] powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data() Greg Kroah-Hartman
` (357 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gustavo A. R. Silva, Kees Cook,
Michael Ellerman, Sasha Levin
From: Gustavo A. R. Silva <gustavoars@kernel.org>
[ Upstream commit 1c4a4a4c8410be4a231a58b23e7a30923ff954ac ]
When building with automatic stack variable initialization, GCC 12
complains about variables defined outside of switch case statements.
Move the variable into the case that uses it, which silences the warning:
arch/powerpc/xmon/xmon.c: In function ‘bpt_cmds’:
arch/powerpc/xmon/xmon.c:1529:13: warning: statement will never be executed [-Wswitch-unreachable]
1529 | int mode;
| ^~~~
Fixes: 09b6c1129f89 ("powerpc/xmon: Fix compile error with PPC_8xx=y")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/YySE6FHiOcbWWR+9@work
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/xmon/xmon.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
index c6a36b4045e8..2872b66d9fec 100644
--- a/arch/powerpc/xmon/xmon.c
+++ b/arch/powerpc/xmon/xmon.c
@@ -1433,9 +1433,9 @@ bpt_cmds(void)
cmd = inchar();
switch (cmd) {
- static const char badaddr[] = "Only kernel addresses are permitted for breakpoints\n";
- int mode;
- case 'd': /* bd - hardware data breakpoint */
+ case 'd': { /* bd - hardware data breakpoint */
+ static const char badaddr[] = "Only kernel addresses are permitted for breakpoints\n";
+ int mode;
if (xmon_is_ro) {
printf(xmon_ro_msg);
break;
@@ -1468,6 +1468,7 @@ bpt_cmds(void)
force_enable_xmon();
break;
+ }
case 'i': /* bi - hardware instr breakpoint */
if (xmon_is_ro) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 436/783] powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (434 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 435/783] powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 437/783] kbuild: remove unneeded mkdir for external modules_install Greg Kroah-Hartman
` (356 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang,
Cédric Le Goater, Michael Ellerman, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 8b49670f3bb3f10cd4d5a6dca17f5a31b173ecdc ]
If remapping 'data->trig_page' fails, the 'data->eoi_mmio' need be unmapped
before returning from xive_spapr_populate_irq_data().
Fixes: eac1e731b59e ("powerpc/xive: guest exploitation of the XIVE interrupt controller")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221017032333.1852406-1-yangyingliang@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/sysdev/xive/spapr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/powerpc/sysdev/xive/spapr.c b/arch/powerpc/sysdev/xive/spapr.c
index 38e8b9896174..53cf14349d5e 100644
--- a/arch/powerpc/sysdev/xive/spapr.c
+++ b/arch/powerpc/sysdev/xive/spapr.c
@@ -425,6 +425,7 @@ static int xive_spapr_populate_irq_data(u32 hw_irq, struct xive_irq_data *data)
data->trig_mmio = ioremap(data->trig_page, 1u << data->esb_shift);
if (!data->trig_mmio) {
+ iounmap(data->eoi_mmio);
pr_err("Failed to map trigger page for irq 0x%x\n", hw_irq);
return -ENOMEM;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 437/783] kbuild: remove unneeded mkdir for external modules_install
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (435 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 436/783] powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 438/783] kbuild: unify modules(_install) for in-tree and external modules Greg Kroah-Hartman
` (355 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Sasha Levin
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit 4b97ec0e9cfd5995f41b9726c88566a31f4625cc ]
scripts/Makefile.modinst creates directories as needed.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Stable-dep-of: c7b98de745cf ("phy: qcom-qmp-combo: fix runtime suspend")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Makefile | 2 --
1 file changed, 2 deletions(-)
diff --git a/Makefile b/Makefile
index 68f8efa0cc30..9be2a818d4d7 100644
--- a/Makefile
+++ b/Makefile
@@ -1746,10 +1746,8 @@ $(MODORDER): descend
PHONY += modules_install
modules_install: _emodinst_ _emodinst_post
-install-dir := $(if $(INSTALL_MOD_DIR),$(INSTALL_MOD_DIR),extra)
PHONY += _emodinst_
_emodinst_:
- $(Q)mkdir -p $(MODLIB)/$(install-dir)
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modinst
PHONY += _emodinst_post
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 438/783] kbuild: unify modules(_install) for in-tree and external modules
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (436 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 437/783] kbuild: remove unneeded mkdir for external modules_install Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 439/783] kbuild: refactor single builds of *.ko Greg Kroah-Hartman
` (354 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Sasha Levin
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit 3e3005df73b535cb849cf4ec8075d6aa3c460f68 ]
If you attempt to build or install modules ('make modules(_install)'
with CONFIG_MODULES disabled, you will get a clear error message, but
nothing for external module builds.
Factor out the modules and modules_install rules into the common part,
so you will get the same error message when you try to build external
modules with CONFIG_MODULES=n.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Stable-dep-of: c7b98de745cf ("phy: qcom-qmp-combo: fix runtime suspend")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Makefile | 85 ++++++++++++++++++++++++--------------------------------
1 file changed, 36 insertions(+), 49 deletions(-)
diff --git a/Makefile b/Makefile
index 9be2a818d4d7..e32d3137b1d9 100644
--- a/Makefile
+++ b/Makefile
@@ -1425,7 +1425,6 @@ endif
PHONY += modules
modules: $(if $(KBUILD_BUILTIN),vmlinux) modules_check modules_prepare
- $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
PHONY += modules_check
modules_check: modules.order
@@ -1443,12 +1442,9 @@ PHONY += modules_prepare
modules_prepare: prepare
$(Q)$(MAKE) $(build)=scripts scripts/module.lds
-# Target to install modules
-PHONY += modules_install
-modules_install: _modinst_ _modinst_post
-
-PHONY += _modinst_
-_modinst_:
+modules_install: __modinst_pre
+PHONY += __modinst_pre
+__modinst_pre:
@rm -rf $(MODLIB)/kernel
@rm -f $(MODLIB)/source
@mkdir -p $(MODLIB)/kernel
@@ -1460,14 +1456,6 @@ _modinst_:
@sed 's:^:kernel/:' modules.order > $(MODLIB)/modules.order
@cp -f modules.builtin $(MODLIB)/
@cp -f $(objtree)/modules.builtin.modinfo $(MODLIB)/
- $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modinst
-
-# This depmod is only for convenience to give the initial
-# boot a modules.dep even before / is mounted read-write. However the
-# boot script depmod is the master version.
-PHONY += _modinst_post
-_modinst_post: _modinst_
- $(call cmd,depmod)
ifeq ($(CONFIG_MODULE_SIG), y)
PHONY += modules_sign
@@ -1475,20 +1463,6 @@ modules_sign:
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modsign
endif
-else # CONFIG_MODULES
-
-# Modules not configured
-# ---------------------------------------------------------------------------
-
-PHONY += modules modules_install
-modules modules_install:
- @echo >&2
- @echo >&2 "The present kernel configuration has modules disabled."
- @echo >&2 "Type 'make config' and enable loadable module support."
- @echo >&2 "Then build a kernel with module support enabled."
- @echo >&2
- @exit 1
-
endif # CONFIG_MODULES
###
@@ -1736,24 +1710,9 @@ KBUILD_BUILTIN :=
KBUILD_MODULES := 1
build-dirs := $(KBUILD_EXTMOD)
-PHONY += modules
-modules: $(MODORDER)
- $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-
$(MODORDER): descend
@:
-PHONY += modules_install
-modules_install: _emodinst_ _emodinst_post
-
-PHONY += _emodinst_
-_emodinst_:
- $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modinst
-
-PHONY += _emodinst_post
-_emodinst_post: _emodinst_
- $(call cmd,depmod)
-
compile_commands.json: $(extmod-prefix)compile_commands.json
PHONY += compile_commands.json
@@ -1776,6 +1735,39 @@ PHONY += prepare modules_prepare
endif # KBUILD_EXTMOD
+# ---------------------------------------------------------------------------
+# Modules
+
+PHONY += modules modules_install
+
+ifdef CONFIG_MODULES
+
+modules: $(MODORDER)
+ $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
+
+quiet_cmd_depmod = DEPMOD $(KERNELRELEASE)
+ cmd_depmod = $(CONFIG_SHELL) $(srctree)/scripts/depmod.sh $(DEPMOD) \
+ $(KERNELRELEASE)
+
+modules_install:
+ $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modinst
+ $(call cmd,depmod)
+
+else # CONFIG_MODULES
+
+# Modules not configured
+# ---------------------------------------------------------------------------
+
+modules modules_install:
+ @echo >&2 '***'
+ @echo >&2 '*** The present kernel configuration has modules disabled.'
+ @echo >&2 '*** To use the module feature, please run "make menuconfig" etc.'
+ @echo >&2 '*** to enable CONFIG_MODULES.'
+ @echo >&2 '***'
+ @exit 1
+
+endif # CONFIG_MODULES
+
# Single targets
# ---------------------------------------------------------------------------
# To build individual files in subdirectories, you can do like this:
@@ -1963,11 +1955,6 @@ tools/%: FORCE
quiet_cmd_rmfiles = $(if $(wildcard $(rm-files)),CLEAN $(wildcard $(rm-files)))
cmd_rmfiles = rm -rf $(rm-files)
-# Run depmod only if we have System.map and depmod is executable
-quiet_cmd_depmod = DEPMOD $(KERNELRELEASE)
- cmd_depmod = $(CONFIG_SHELL) $(srctree)/scripts/depmod.sh $(DEPMOD) \
- $(KERNELRELEASE)
-
# read saved command lines for existing targets
existing-targets := $(wildcard $(sort $(targets)))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 439/783] kbuild: refactor single builds of *.ko
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (437 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 438/783] kbuild: unify modules(_install) for in-tree and external modules Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 440/783] powerpc/perf: callchain validate kernel stack pointer bounds Greg Kroah-Hartman
` (353 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Sasha Levin
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit f110e5a250e3c5db417e094b3dd86f1c135291ca ]
Remove the potentially invalid modules.order instead of using
the temporary file.
Also, KBUILD_MODULES is don't care for single builds. No need to
cancel it.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Stable-dep-of: c7b98de745cf ("phy: qcom-qmp-combo: fix runtime suspend")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Makefile | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/Makefile b/Makefile
index e32d3137b1d9..36aff1531386 100644
--- a/Makefile
+++ b/Makefile
@@ -1766,6 +1766,8 @@ modules modules_install:
@echo >&2 '***'
@exit 1
+KBUILD_MODULES :=
+
endif # CONFIG_MODULES
# Single targets
@@ -1791,18 +1793,12 @@ $(single-ko): single_modpost
$(single-no-ko): descend
@:
-ifeq ($(KBUILD_EXTMOD),)
-# For the single build of in-tree modules, use a temporary file to avoid
-# the situation of modules_install installing an invalid modules.order.
-MODORDER := .modules.tmp
-endif
-
+# Remove MODORDER when done because it is not the real one.
PHONY += single_modpost
single_modpost: $(single-no-ko) modules_prepare
$(Q){ $(foreach m, $(single-ko), echo $(extmod-prefix)$m;) } > $(MODORDER)
$(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
-
-KBUILD_MODULES := 1
+ $(Q)rm -f $(MODORDER)
export KBUILD_SINGLE_TARGETS := $(addprefix $(extmod-prefix), $(single-no-ko))
@@ -1812,10 +1808,6 @@ build-dirs := $(foreach d, $(build-dirs), \
endif
-ifndef CONFIG_MODULES
-KBUILD_MODULES :=
-endif
-
# Handle descending into subdirectories listed in $(build-dirs)
# Preset locale variables to speed up the build process. Limit locale
# tweaks to this spot to avoid wrong language settings when running
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 440/783] powerpc/perf: callchain validate kernel stack pointer bounds
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (438 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 439/783] kbuild: refactor single builds of *.ko Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 441/783] powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe() Greg Kroah-Hartman
` (352 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nicholas Piggin, Michael Ellerman,
Sasha Levin
From: Nicholas Piggin <npiggin@gmail.com>
[ Upstream commit 32c5209214bd8d4f8c4e9d9b630ef4c671f58e79 ]
The interrupt frame detection and loads from the hypothetical pt_regs
are not bounds-checked. The next-frame validation only bounds-checks
STACK_FRAME_OVERHEAD, which does not include the pt_regs. Add another
test for this.
The user could set r1 to be equal to the address matching the first
interrupt frame - STACK_INT_FRAME_SIZE, which is in the previous page
due to the kernel redzone, and induce the kernel to load the marker from
there. Possibly this could cause a crash at least. If the user could
induce the previous page to contain a valid marker, then it might be
able to direct perf to read specific memory addresses in a way that
could be transmitted back to the user in the perf data.
Fixes: 20002ded4d93 ("perf_counter: powerpc: Add callchain support")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221127124942.1665522-4-npiggin@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/perf/callchain.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/powerpc/perf/callchain.c b/arch/powerpc/perf/callchain.c
index 6c028ee513c0..99f3c4fc21cb 100644
--- a/arch/powerpc/perf/callchain.c
+++ b/arch/powerpc/perf/callchain.c
@@ -61,6 +61,7 @@ perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, struct pt_regs *re
next_sp = fp[0];
if (next_sp == sp + STACK_INT_FRAME_SIZE &&
+ validate_sp(sp, current, STACK_INT_FRAME_SIZE) &&
fp[STACK_FRAME_MARKER] == STACK_FRAME_REGS_MARKER) {
/*
* This looks like an interrupt frame for an
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 441/783] powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (439 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 440/783] powerpc/perf: callchain validate kernel stack pointer bounds Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 442/783] powerpc/hv-gpci: Fix hv_gpci event list Greg Kroah-Hartman
` (351 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Michael Ellerman,
Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 4d0eea415216fe3791da2f65eb41399e70c7bedf ]
If platform_device_add() is not called or failed, it can not call
platform_device_del() to clean up memory, it should call
platform_device_put() in error case.
Fixes: 26f6cb999366 ("[POWERPC] fsl_soc: add support for fsl_spi")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221029111626.429971-1-yangyingliang@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/83xx/mpc832x_rdb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/platforms/83xx/mpc832x_rdb.c b/arch/powerpc/platforms/83xx/mpc832x_rdb.c
index 622c625d5ce4..1114b6a11b3f 100644
--- a/arch/powerpc/platforms/83xx/mpc832x_rdb.c
+++ b/arch/powerpc/platforms/83xx/mpc832x_rdb.c
@@ -106,7 +106,7 @@ static int __init of_fsl_spi_probe(char *type, char *compatible, u32 sysclk,
goto next;
unreg:
- platform_device_del(pdev);
+ platform_device_put(pdev);
err:
pr_err("%pOF: registration failed\n", np);
next:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 442/783] powerpc/hv-gpci: Fix hv_gpci event list
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (440 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 441/783] powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 443/783] selftests/powerpc: Fix resource leaks Greg Kroah-Hartman
` (350 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kajol Jain, Madhavan Srinivasan,
Athira Rajeev, Michael Ellerman, Sasha Levin
From: Kajol Jain <kjain@linux.ibm.com>
[ Upstream commit 03f7c1d2a49acd30e38789cd809d3300721e9b0e ]
Based on getPerfCountInfo v1.018 documentation, some of the
hv_gpci events were deprecated for platform firmware that
supports counter_info_version 0x8 or above.
Fix the hv_gpci event list by adding a new attribute group
called "hv_gpci_event_attrs_v6" and a "ENABLE_EVENTS_COUNTERINFO_V6"
macro to enable these events for platform firmware
that supports counter_info_version 0x6 or below. And assigning
the hv_gpci event list based on output counter info version
of underlying plaform.
Fixes: 97bf2640184f ("powerpc/perf/hv-gpci: add the remaining gpci requests")
Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
Reviewed-by: Madhavan Srinivasan <maddy@linux.ibm.com>
Reviewed-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221130174513.87501-1-kjain@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/perf/hv-gpci-requests.h | 4 ++++
arch/powerpc/perf/hv-gpci.c | 33 +++++++++++++++++++++++++++-
arch/powerpc/perf/hv-gpci.h | 1 +
arch/powerpc/perf/req-gen/perf.h | 20 +++++++++++++++++
4 files changed, 57 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h
index 8965b4463d43..5e86371a20c7 100644
--- a/arch/powerpc/perf/hv-gpci-requests.h
+++ b/arch/powerpc/perf/hv-gpci-requests.h
@@ -79,6 +79,7 @@ REQUEST(__field(0, 8, partition_id)
)
#include I(REQUEST_END)
+#ifdef ENABLE_EVENTS_COUNTERINFO_V6
/*
* Not available for counter_info_version >= 0x8, use
* run_instruction_cycles_by_partition(0x100) instead.
@@ -92,6 +93,7 @@ REQUEST(__field(0, 8, partition_id)
__count(0x10, 8, cycles)
)
#include I(REQUEST_END)
+#endif
#define REQUEST_NAME system_performance_capabilities
#define REQUEST_NUM 0x40
@@ -103,6 +105,7 @@ REQUEST(__field(0, 1, perf_collect_privileged)
)
#include I(REQUEST_END)
+#ifdef ENABLE_EVENTS_COUNTERINFO_V6
#define REQUEST_NAME processor_bus_utilization_abc_links
#define REQUEST_NUM 0x50
#define REQUEST_IDX_KIND "hw_chip_id=?"
@@ -194,6 +197,7 @@ REQUEST(__field(0, 4, phys_processor_idx)
__count(0x28, 8, instructions_completed)
)
#include I(REQUEST_END)
+#endif
/* Processor_core_power_mode (0x95) skipped, no counters */
/* Affinity_domain_information_by_virtual_processor (0xA0) skipped,
diff --git a/arch/powerpc/perf/hv-gpci.c b/arch/powerpc/perf/hv-gpci.c
index c756228a081f..28b770bbc10b 100644
--- a/arch/powerpc/perf/hv-gpci.c
+++ b/arch/powerpc/perf/hv-gpci.c
@@ -72,7 +72,7 @@ static struct attribute_group format_group = {
static struct attribute_group event_group = {
.name = "events",
- .attrs = hv_gpci_event_attrs,
+ /* .attrs is set in init */
};
#define HV_CAPS_ATTR(_name, _format) \
@@ -330,6 +330,7 @@ static int hv_gpci_init(void)
int r;
unsigned long hret;
struct hv_perf_caps caps;
+ struct hv_gpci_request_buffer *arg;
hv_gpci_assert_offsets_correct();
@@ -353,6 +354,36 @@ static int hv_gpci_init(void)
/* sampling not supported */
h_gpci_pmu.capabilities |= PERF_PMU_CAP_NO_INTERRUPT;
+ arg = (void *)get_cpu_var(hv_gpci_reqb);
+ memset(arg, 0, HGPCI_REQ_BUFFER_SIZE);
+
+ /*
+ * hcall H_GET_PERF_COUNTER_INFO populates the output
+ * counter_info_version value based on the system hypervisor.
+ * Pass the counter request 0x10 corresponds to request type
+ * 'Dispatch_timebase_by_processor', to get the supported
+ * counter_info_version.
+ */
+ arg->params.counter_request = cpu_to_be32(0x10);
+
+ r = plpar_hcall_norets(H_GET_PERF_COUNTER_INFO,
+ virt_to_phys(arg), HGPCI_REQ_BUFFER_SIZE);
+ if (r) {
+ pr_devel("hcall failed, can't get supported counter_info_version: 0x%x\n", r);
+ arg->params.counter_info_version_out = 0x8;
+ }
+
+ /*
+ * Use counter_info_version_out value to assign
+ * required hv-gpci event list.
+ */
+ if (arg->params.counter_info_version_out >= 0x8)
+ event_group.attrs = hv_gpci_event_attrs;
+ else
+ event_group.attrs = hv_gpci_event_attrs_v6;
+
+ put_cpu_var(hv_gpci_reqb);
+
r = perf_pmu_register(&h_gpci_pmu, h_gpci_pmu.name, -1);
if (r)
return r;
diff --git a/arch/powerpc/perf/hv-gpci.h b/arch/powerpc/perf/hv-gpci.h
index 4d108262bed7..c72020912dea 100644
--- a/arch/powerpc/perf/hv-gpci.h
+++ b/arch/powerpc/perf/hv-gpci.h
@@ -26,6 +26,7 @@ enum {
#define REQUEST_FILE "../hv-gpci-requests.h"
#define NAME_LOWER hv_gpci
#define NAME_UPPER HV_GPCI
+#define ENABLE_EVENTS_COUNTERINFO_V6
#include "req-gen/perf.h"
#undef REQUEST_FILE
#undef NAME_LOWER
diff --git a/arch/powerpc/perf/req-gen/perf.h b/arch/powerpc/perf/req-gen/perf.h
index fa9bc804e67a..6b2a59fefffa 100644
--- a/arch/powerpc/perf/req-gen/perf.h
+++ b/arch/powerpc/perf/req-gen/perf.h
@@ -139,6 +139,26 @@ PMU_EVENT_ATTR_STRING( \
#define REQUEST_(r_name, r_value, r_idx_1, r_fields) \
r_fields
+/* Generate event list for platforms with counter_info_version 0x6 or below */
+static __maybe_unused struct attribute *hv_gpci_event_attrs_v6[] = {
+#include REQUEST_FILE
+ NULL
+};
+
+/*
+ * Based on getPerfCountInfo v1.018 documentation, some of the hv-gpci
+ * events were deprecated for platform firmware that supports
+ * counter_info_version 0x8 or above.
+ * Those deprecated events are still part of platform firmware that
+ * support counter_info_version 0x6 and below. As per the getPerfCountInfo
+ * v1.018 documentation there is no counter_info_version 0x7.
+ * Undefining macro ENABLE_EVENTS_COUNTERINFO_V6, to disable the addition of
+ * deprecated events in "hv_gpci_event_attrs" attribute group, for platforms
+ * that supports counter_info_version 0x8 or above.
+ */
+#undef ENABLE_EVENTS_COUNTERINFO_V6
+
+/* Generate event list for platforms with counter_info_version 0x8 or above*/
static __maybe_unused struct attribute *hv_gpci_event_attrs[] = {
#include REQUEST_FILE
NULL
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 443/783] selftests/powerpc: Fix resource leaks
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (441 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 442/783] powerpc/hv-gpci: Fix hv_gpci event list Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 444/783] iommu/sun50i: Remove IOMMU_DOMAIN_IDENTITY Greg Kroah-Hartman
` (349 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Michael Ellerman, Sasha Levin
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 8f4ab7da904ab7027ccd43ddb4f0094e932a5877 ]
In check_all_cpu_dscr_defaults, opendir() opens the directory stream.
Add missing closedir() in the error path to release it.
In check_cpu_dscr_default, open() creates an open file descriptor.
Add missing close() in the error path to release it.
Fixes: ebd5858c904b ("selftests/powerpc: Add test for all DSCR sysfs interfaces")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221205084429.570654-1-linmq006@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c b/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
index fbbdffdb2e5d..f20d1c166d1e 100644
--- a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
+++ b/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c
@@ -24,6 +24,7 @@ static int check_cpu_dscr_default(char *file, unsigned long val)
rc = read(fd, buf, sizeof(buf));
if (rc == -1) {
perror("read() failed");
+ close(fd);
return 1;
}
close(fd);
@@ -65,8 +66,10 @@ static int check_all_cpu_dscr_defaults(unsigned long val)
if (access(file, F_OK))
continue;
- if (check_cpu_dscr_default(file, val))
+ if (check_cpu_dscr_default(file, val)) {
+ closedir(sysfs);
return 1;
+ }
}
closedir(sysfs);
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 444/783] iommu/sun50i: Remove IOMMU_DOMAIN_IDENTITY
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (442 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 443/783] selftests/powerpc: Fix resource leaks Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 445/783] pwm: sifive: Call pwm_sifive_update_clock() while mutex is held Greg Kroah-Hartman
` (348 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Robin Murphy,
Joerg Roedel, Sasha Levin
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit ef5bb8e7a7127218f826b9ccdf7508e7a339f4c2 ]
This driver treats IOMMU_DOMAIN_IDENTITY the same as UNMANAGED, which
cannot possibly be correct.
UNMANAGED domains are required to start out blocking all DMAs. This seems
to be what this driver does as it allocates a first level 'dt' for the IO
page table that is 0 filled.
Thus UNMANAGED looks like a working IO page table, and so IDENTITY must be
a mistake. Remove it.
Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Link: https://lore.kernel.org/r/0-v1-97f0adf27b5e+1f0-s50_identity_jgg@nvidia.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/sun50i-iommu.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
index dc8ad35cbc4e..65aa30d55d3a 100644
--- a/drivers/iommu/sun50i-iommu.c
+++ b/drivers/iommu/sun50i-iommu.c
@@ -603,7 +603,6 @@ static struct iommu_domain *sun50i_iommu_domain_alloc(unsigned type)
struct sun50i_iommu_domain *sun50i_domain;
if (type != IOMMU_DOMAIN_DMA &&
- type != IOMMU_DOMAIN_IDENTITY &&
type != IOMMU_DOMAIN_UNMANAGED)
return NULL;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 445/783] pwm: sifive: Call pwm_sifive_update_clock() while mutex is held
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (443 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 444/783] iommu/sun50i: Remove IOMMU_DOMAIN_IDENTITY Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 446/783] remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev() Greg Kroah-Hartman
` (347 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emil Renner Berthing,
Uwe Kleine-König, Thierry Reding, Sasha Levin
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
[ Upstream commit 45558b3abb87eeb2cedb8a59cb2699c120b5102a ]
As was documented in commit 0f02f491b786 ("pwm: sifive: Reduce time the
controller lock is held") a caller of pwm_sifive_update_clock() must
hold the mutex. So fix pwm_sifive_clock_notifier() to grab the lock.
While this necessity was only documented later, the race exists since
the driver was introduced.
Fixes: 9e37a53eb051 ("pwm: sifive: Add a driver for SiFive SoC PWM")
Reported-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
Reviewed-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>
Link: https://lore.kernel.org/r/20221018061656.1428111-1-u.kleine-koenig@pengutronix.de
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-sifive.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/pwm/pwm-sifive.c b/drivers/pwm/pwm-sifive.c
index 9cc0612f0849..12e9e23272ab 100644
--- a/drivers/pwm/pwm-sifive.c
+++ b/drivers/pwm/pwm-sifive.c
@@ -217,8 +217,11 @@ static int pwm_sifive_clock_notifier(struct notifier_block *nb,
struct pwm_sifive_ddata *ddata =
container_of(nb, struct pwm_sifive_ddata, notifier);
- if (event == POST_RATE_CHANGE)
+ if (event == POST_RATE_CHANGE) {
+ mutex_lock(&ddata->lock);
pwm_sifive_update_clock(ddata, ndata->new_rate);
+ mutex_unlock(&ddata->lock);
+ }
return NOTIFY_OK;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 446/783] remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (444 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 445/783] pwm: sifive: Call pwm_sifive_update_clock() while mutex is held Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 447/783] remoteproc: qcom_q6v5_pas: disable wakeup on probe fail or remove Greg Kroah-Hartman
` (346 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Bjorn Andersson, Sasha Levin
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit e01ce676aaef3b13d02343d7e70f9637d93a3367 ]
The kfree() should be called when of_irq_get_byname() fails or
devm_request_threaded_irq() fails in qcom_add_sysmon_subdev(),
otherwise there will be a memory leak, so add kfree() to fix it.
Fixes: 027045a6e2b7 ("remoteproc: qcom: Add shutdown-ack irq")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221129105650.1539187-1-cuigaosheng1@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_sysmon.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/remoteproc/qcom_sysmon.c b/drivers/remoteproc/qcom_sysmon.c
index a26221a6f6c2..c348ea35e47c 100644
--- a/drivers/remoteproc/qcom_sysmon.c
+++ b/drivers/remoteproc/qcom_sysmon.c
@@ -625,7 +625,9 @@ struct qcom_sysmon *qcom_add_sysmon_subdev(struct rproc *rproc,
if (sysmon->shutdown_irq != -ENODATA) {
dev_err(sysmon->dev,
"failed to retrieve shutdown-ack IRQ\n");
- return ERR_PTR(sysmon->shutdown_irq);
+ ret = sysmon->shutdown_irq;
+ kfree(sysmon);
+ return ERR_PTR(ret);
}
} else {
ret = devm_request_threaded_irq(sysmon->dev,
@@ -636,6 +638,7 @@ struct qcom_sysmon *qcom_add_sysmon_subdev(struct rproc *rproc,
if (ret) {
dev_err(sysmon->dev,
"failed to acquire shutdown-ack IRQ\n");
+ kfree(sysmon);
return ERR_PTR(ret);
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 447/783] remoteproc: qcom_q6v5_pas: disable wakeup on probe fail or remove
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (445 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 446/783] remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 448/783] remoteproc: qcom_q6v5_pas: detach power domains on remove Greg Kroah-Hartman
` (345 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mukesh Ojha, Luca Weiss,
Caleb Connolly, Sibi Sankar, Bjorn Andersson, Sasha Levin
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit 9a70551996e699fda262e8d54bbd41739d7aad6d ]
Leaving wakeup enabled during probe fail (-EPROBE_DEFER) or remove makes
the subsequent probe fail.
[ 3.749454] remoteproc remoteproc0: releasing 3000000.remoteproc
[ 3.752949] qcom_q6v5_pas: probe of 3000000.remoteproc failed with error -17
[ 3.878935] remoteproc remoteproc0: releasing 4080000.remoteproc
[ 3.887602] qcom_q6v5_pas: probe of 4080000.remoteproc failed with error -17
[ 4.319552] remoteproc remoteproc0: releasing 8300000.remoteproc
[ 4.332716] qcom_q6v5_pas: probe of 8300000.remoteproc failed with error -17
Fix this by disabling wakeup in both cases so the driver can properly
probe on the next try.
Fixes: a781e5aa5911 ("remoteproc: core: Prevent system suspend during remoteproc recovery")
Fixes: dc86c129b4fb ("remoteproc: qcom: pas: Mark devices as wakeup capable")
Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
Reviewed-by: Sibi Sankar <quic_sibis@quicinc.com>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221118090816.100012-1-luca.weiss@fairphone.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_q6v5_pas.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
index 0678b417707e..99b206b00456 100644
--- a/drivers/remoteproc/qcom_q6v5_pas.c
+++ b/drivers/remoteproc/qcom_q6v5_pas.c
@@ -472,6 +472,7 @@ static int adsp_probe(struct platform_device *pdev)
detach_active_pds:
adsp_pds_detach(adsp, adsp->active_pds, adsp->active_pd_count);
free_rproc:
+ device_init_wakeup(adsp->dev, false);
rproc_free(rproc);
return ret;
@@ -487,6 +488,7 @@ static int adsp_remove(struct platform_device *pdev)
qcom_remove_sysmon_subdev(adsp->sysmon);
qcom_remove_smd_subdev(adsp->rproc, &adsp->smd_subdev);
qcom_remove_ssr_subdev(adsp->rproc, &adsp->ssr_subdev);
+ device_init_wakeup(adsp->dev, false);
rproc_free(adsp->rproc);
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 448/783] remoteproc: qcom_q6v5_pas: detach power domains on remove
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (446 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 447/783] remoteproc: qcom_q6v5_pas: disable wakeup on probe fail or remove Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 449/783] remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in adsp_alloc_memory_region() Greg Kroah-Hartman
` (344 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sibi Sankar, Mukesh Ojha,
Luca Weiss, Bjorn Andersson, Sasha Levin
From: Luca Weiss <luca.weiss@fairphone.com>
[ Upstream commit 34d01df00b84127be04c914fc9f8e8be1fcdf851 ]
We need to detach from the power domains also on remove, not just on
probe fail so a subsequent probe works as expected.
Otherwise the following error appears on re-probe:
[ 29.452005] sysfs: cannot create duplicate filename '/devices/genpd:0:3000000.remoteproc'
[ 29.477121] CPU: 1 PID: 483 Comm: sh Tainted: G W 6.1.0-rc4-00075-g71a113770bda #78
[ 29.510319] Hardware name: Fairphone 4 (DT)
[ 29.538335] Call trace:
[ 29.564470] dump_backtrace.part.0+0xe0/0xf0
[ 29.592602] show_stack+0x18/0x30
[ 29.619616] dump_stack_lvl+0x64/0x80
[ 29.646834] dump_stack+0x18/0x34
[ 29.673541] sysfs_warn_dup+0x60/0x7c
[ 29.700592] sysfs_create_dir_ns+0xec/0x110
[ 29.728057] kobject_add_internal+0xb8/0x374
[ 29.755530] kobject_add+0x9c/0x104
[ 29.782072] device_add+0xbc/0x8a0
[ 29.808445] device_register+0x20/0x30
[ 29.835175] genpd_dev_pm_attach_by_id+0xa4/0x190
[ 29.862851] genpd_dev_pm_attach_by_name+0x3c/0xb0
[ 29.890472] dev_pm_domain_attach_by_name+0x20/0x30
[ 29.918212] adsp_probe+0x278/0x580
[ 29.944384] platform_probe+0x68/0xc0
[ 29.970603] really_probe+0xbc/0x2dc
[ 29.996662] __driver_probe_device+0x78/0xe0
[ 30.023491] device_driver_attach+0x48/0xac
[ 30.050215] bind_store+0xb8/0x114
[ 30.075957] drv_attr_store+0x24/0x3c
[ 30.101874] sysfs_kf_write+0x44/0x54
[ 30.127751] kernfs_fop_write_iter+0x120/0x1f0
[ 30.154448] vfs_write+0x1ac/0x380
[ 30.179937] ksys_write+0x70/0x104
[ 30.205274] __arm64_sys_write+0x1c/0x2c
[ 30.231060] invoke_syscall+0x48/0x114
[ 30.256594] el0_svc_common.constprop.0+0x44/0xec
[ 30.283183] do_el0_svc+0x2c/0xd0
[ 30.308320] el0_svc+0x2c/0x84
[ 30.333059] el0t_64_sync_handler+0xf4/0x120
[ 30.359001] el0t_64_sync+0x18c/0x190
[ 30.384385] kobject_add_internal failed for genpd:0:3000000.remoteproc with -EEXIST, don't try to register things with the same name in the same directory.
[ 30.406029] remoteproc remoteproc0: releasing 3000000.remoteproc
[ 30.416064] qcom_q6v5_pas: probe of 3000000.remoteproc failed with error -17
Fixes: 17ee2fb4e856 ("remoteproc: qcom: pas: Vote for active/proxy power domains")
Reviewed-by: Sibi Sankar <quic_sibis@quicinc.com>
Reviewed-by: Mukesh Ojha <quic_mojha@quicinc.com>
Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221118090816.100012-2-luca.weiss@fairphone.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_q6v5_pas.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
index 99b206b00456..d8ef10fba8e8 100644
--- a/drivers/remoteproc/qcom_q6v5_pas.c
+++ b/drivers/remoteproc/qcom_q6v5_pas.c
@@ -488,6 +488,7 @@ static int adsp_remove(struct platform_device *pdev)
qcom_remove_sysmon_subdev(adsp->sysmon);
qcom_remove_smd_subdev(adsp->rproc, &adsp->smd_subdev);
qcom_remove_ssr_subdev(adsp->rproc, &adsp->ssr_subdev);
+ adsp_pds_detach(adsp, adsp->proxy_pds, adsp->proxy_pd_count);
device_init_wakeup(adsp->dev, false);
rproc_free(adsp->rproc);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 449/783] remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in adsp_alloc_memory_region()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (447 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 448/783] remoteproc: qcom_q6v5_pas: detach power domains on remove Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 450/783] powerpc/eeh: Drop redundant spinlock initialization Greg Kroah-Hartman
` (343 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Can, Bjorn Andersson, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit 38e7d9c19276832ebb0277f415b9214bf7baeb37 ]
The pointer node is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
Fixes: b9e718e950c3 ("remoteproc: Introduce Qualcomm ADSP PIL")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221203070639.15128-1-yuancan@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/qcom_q6v5_pas.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/remoteproc/qcom_q6v5_pas.c b/drivers/remoteproc/qcom_q6v5_pas.c
index d8ef10fba8e8..1a0d6eb9425b 100644
--- a/drivers/remoteproc/qcom_q6v5_pas.c
+++ b/drivers/remoteproc/qcom_q6v5_pas.c
@@ -365,6 +365,7 @@ static int adsp_alloc_memory_region(struct qcom_adsp *adsp)
}
ret = of_address_to_resource(node, 0, &r);
+ of_node_put(node);
if (ret)
return ret;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 450/783] powerpc/eeh: Drop redundant spinlock initialization
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (448 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 449/783] remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in adsp_alloc_memory_region() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 451/783] powerpc/pseries/eeh: use correct API for error log size Greg Kroah-Hartman
` (342 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haowen Bai, Michael Ellerman, Sasha Levin
From: Haowen Bai <baihaowen@meizu.com>
[ Upstream commit 3def164a5cedad9117859dd4610cae2cc59cb6d2 ]
slot_errbuf_lock has declared and initialized by DEFINE_SPINLOCK,
so we don't need to spin_lock_init again, drop it.
Signed-off-by: Haowen Bai <baihaowen@meizu.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1652232476-9696-1-git-send-email-baihaowen@meizu.com
Stable-dep-of: 9aafbfa5f57a ("powerpc/pseries/eeh: use correct API for error log size")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/pseries/eeh_pseries.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c
index 7ed38ebd0c7b..6ad8bda06345 100644
--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
+++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
@@ -846,8 +846,7 @@ static int __init eeh_pseries_init(void)
return -EINVAL;
}
- /* Initialize error log lock and size */
- spin_lock_init(&slot_errbuf_lock);
+ /* Initialize error log size */
eeh_error_buf_size = rtas_token("rtas-error-log-max");
if (eeh_error_buf_size == RTAS_UNKNOWN_SERVICE) {
pr_info("%s: unknown EEH error log size\n",
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 451/783] powerpc/pseries/eeh: use correct API for error log size
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (449 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 450/783] powerpc/eeh: Drop redundant spinlock initialization Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 452/783] netfilter: flowtable: really fix NAT IPv6 offload Greg Kroah-Hartman
` (341 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Lynch, Michael Ellerman, Sasha Levin
From: Nathan Lynch <nathanl@linux.ibm.com>
[ Upstream commit 9aafbfa5f57a4b75bafd3bed0191e8429c5fa618 ]
rtas-error-log-max is not the name of an RTAS function, so rtas_token()
is not the appropriate API for retrieving its value. We already have
rtas_get_error_log_max() which returns a sensible value if the property
is absent for any reason, so use that instead.
Fixes: 8d633291b4fc ("powerpc/eeh: pseries platform EEH error log retrieval")
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
[mpe: Drop no-longer possible error handling as noticed by ajd]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221118150751.469393-6-nathanl@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/pseries/eeh_pseries.c | 11 +----------
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/eeh_pseries.c b/arch/powerpc/platforms/pseries/eeh_pseries.c
index 6ad8bda06345..4601ad10ca7b 100644
--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
+++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
@@ -847,16 +847,7 @@ static int __init eeh_pseries_init(void)
}
/* Initialize error log size */
- eeh_error_buf_size = rtas_token("rtas-error-log-max");
- if (eeh_error_buf_size == RTAS_UNKNOWN_SERVICE) {
- pr_info("%s: unknown EEH error log size\n",
- __func__);
- eeh_error_buf_size = 1024;
- } else if (eeh_error_buf_size > RTAS_ERROR_LOG_MAX) {
- pr_info("%s: EEH error log size %d exceeds the maximal %d\n",
- __func__, eeh_error_buf_size, RTAS_ERROR_LOG_MAX);
- eeh_error_buf_size = RTAS_ERROR_LOG_MAX;
- }
+ eeh_error_buf_size = rtas_get_error_log_max();
/* Set EEH probe mode */
eeh_add_flag(EEH_PROBE_MODE_DEVTREE | EEH_ENABLE_IO_FOR_LOG);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 452/783] netfilter: flowtable: really fix NAT IPv6 offload
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (450 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 451/783] powerpc/pseries/eeh: use correct API for error log size Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 453/783] rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe() Greg Kroah-Hartman
` (340 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qingfang DENG, Pablo Neira Ayuso,
Sasha Levin
From: Qingfang DENG <dqfext@gmail.com>
[ Upstream commit 5fb45f95eec682621748b7cb012c6a8f0f981e6a ]
The for-loop was broken from the start. It translates to:
for (i = 0; i < 4; i += 4)
which means the loop statement is run only once, so only the highest
32-bit of the IPv6 address gets mangled.
Fix the loop increment.
Fixes: 0e07e25b481a ("netfilter: flowtable: fix NAT IPv6 offload mangling")
Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support")
Signed-off-by: Qingfang DENG <dqfext@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_flow_table_offload.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 28306cb66719..746ca77d0aad 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -305,12 +305,12 @@ static void flow_offload_ipv6_mangle(struct nf_flow_rule *flow_rule,
const __be32 *addr, const __be32 *mask)
{
struct flow_action_entry *entry;
- int i, j;
+ int i;
- for (i = 0, j = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32), j++) {
+ for (i = 0; i < sizeof(struct in6_addr) / sizeof(u32); i++) {
entry = flow_action_entry_next(flow_rule);
flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6,
- offset + i, &addr[j], mask);
+ offset + i * sizeof(u32), &addr[i], mask);
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 453/783] rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (451 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 452/783] netfilter: flowtable: really fix NAT IPv6 offload Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 454/783] rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe() Greg Kroah-Hartman
` (339 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Alexandre Belloni,
Sasha Levin
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit 5fb733d7bd6949e90028efdce8bd528c6ab7cf1e ]
The clk_disable_unprepare() should be called in the error handling
of clk_get_rate(), fix it.
Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221123014805.1993052-1-cuigaosheng1@huawei.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-st-lpc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c
index 0c65448b85ee..7d53f7e2febc 100644
--- a/drivers/rtc/rtc-st-lpc.c
+++ b/drivers/rtc/rtc-st-lpc.c
@@ -238,6 +238,7 @@ static int st_rtc_probe(struct platform_device *pdev)
rtc->clkrate = clk_get_rate(rtc->clk);
if (!rtc->clkrate) {
+ clk_disable_unprepare(rtc->clk);
dev_err(&pdev->dev, "Unable to fetch clock rate\n");
return -EINVAL;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 454/783] rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (452 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 453/783] rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 455/783] rtc: pcf85063: fix pcf85063_clkout_control Greg Kroah-Hartman
` (338 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Alexandre Belloni,
Sasha Levin
From: Gaosheng Cui <cuigaosheng1@huawei.com>
[ Upstream commit 90cd5c88830140c9fade92a8027e0fb2c6e4cc49 ]
The pic32_rtc_enable(pdata, 0) and clk_disable_unprepare(pdata->clk)
should be called in the error handling of devm_rtc_allocate_device(),
so we should move devm_rtc_allocate_device earlier in pic32_rtc_probe()
to fix it.
Fixes: 6515e23b9fde ("rtc: pic32: convert to devm_rtc_allocate_device")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221123015953.1998521-1-cuigaosheng1@huawei.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-pic32.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/rtc/rtc-pic32.c b/drivers/rtc/rtc-pic32.c
index 2b6946744654..7be1ca1633fc 100644
--- a/drivers/rtc/rtc-pic32.c
+++ b/drivers/rtc/rtc-pic32.c
@@ -324,16 +324,16 @@ static int pic32_rtc_probe(struct platform_device *pdev)
spin_lock_init(&pdata->alarm_lock);
+ pdata->rtc = devm_rtc_allocate_device(&pdev->dev);
+ if (IS_ERR(pdata->rtc))
+ return PTR_ERR(pdata->rtc);
+
clk_prepare_enable(pdata->clk);
pic32_rtc_enable(pdata, 1);
device_init_wakeup(&pdev->dev, 1);
- pdata->rtc = devm_rtc_allocate_device(&pdev->dev);
- if (IS_ERR(pdata->rtc))
- return PTR_ERR(pdata->rtc);
-
pdata->rtc->ops = &pic32_rtcops;
pdata->rtc->range_min = RTC_TIMESTAMP_BEGIN_2000;
pdata->rtc->range_max = RTC_TIMESTAMP_END_2099;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 455/783] rtc: pcf85063: fix pcf85063_clkout_control
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (453 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 454/783] rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 456/783] NFSD: Remove spurious cb_setup_err tracepoint Greg Kroah-Hartman
` (337 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Janne Terho, Alexandre Belloni, Sasha Levin
From: Alexandre Belloni <alexandre.belloni@bootlin.com>
[ Upstream commit c2d12e85336f6d4172fb2bab5935027c446d7343 ]
pcf85063_clkout_control reads the wrong register but then update the
correct one.
Reported-by: Janne Terho <janne.terho@ouman.fi>
Fixes: 8c229ab6048b ("rtc: pcf85063: Add pcf85063 clkout control to common clock framework")
Link: https://lore.kernel.org/r/20221211223553.59955-1-alexandre.belloni@bootlin.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-pcf85063.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
index d739b0c965aa..449204d84c61 100644
--- a/drivers/rtc/rtc-pcf85063.c
+++ b/drivers/rtc/rtc-pcf85063.c
@@ -430,7 +430,7 @@ static int pcf85063_clkout_control(struct clk_hw *hw, bool enable)
unsigned int buf;
int ret;
- ret = regmap_read(pcf85063->regmap, PCF85063_REG_OFFSET, &buf);
+ ret = regmap_read(pcf85063->regmap, PCF85063_REG_CTRL2, &buf);
if (ret < 0)
return ret;
buf &= PCF85063_REG_CLKO_F_MASK;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 456/783] NFSD: Remove spurious cb_setup_err tracepoint
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (454 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 455/783] rtc: pcf85063: fix pcf85063_clkout_control Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 457/783] nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure Greg Kroah-Hartman
` (336 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuck Lever, J. Bruce Fields, Sasha Levin
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 9f57c6062bf3ce2c6ab9ba60040b34e8134ef259 ]
This path is not really an error path, so the tracepoint I added
there is just noise.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Stable-dep-of: 3bc8edc98bd4 ("nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4callback.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index 7325592b456e..4eceff561e5a 100644
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -915,10 +915,8 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c
args.authflavor = clp->cl_cred.cr_flavor;
clp->cl_cb_ident = conn->cb_ident;
} else {
- if (!conn->cb_xprt) {
- trace_nfsd_cb_setup_err(clp, -EINVAL);
+ if (!conn->cb_xprt)
return -EINVAL;
- }
clp->cl_cb_conn.cb_xprt = conn->cb_xprt;
clp->cl_cb_session = ses;
args.bc_xprt = conn->cb_xprt;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 457/783] nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (455 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 456/783] NFSD: Remove spurious cb_setup_err tracepoint Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 458/783] net: macsec: fix net device access prior to holding a lock Greg Kroah-Hartman
` (335 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiyu Yang, J. Bruce Fields,
Dan Aloni, Jeff Layton, Chuck Lever, Sasha Levin
From: Dan Aloni <dan.aloni@vastdata.com>
[ Upstream commit 3bc8edc98bd43540dbe648e4ef91f443d6d20a24 ]
On error situation `clp->cl_cb_conn.cb_xprt` should not be given
a reference to the xprt otherwise both client cleanup and the
error handling path of the caller call to put it. Better to
delay handing over the reference to a later branch.
[ 72.530665] refcount_t: underflow; use-after-free.
[ 72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120
[ 72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc]
[ 72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G OE 5.15.82-dan #1
[ 72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014
[ 72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd]
[ 72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120
[ 72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48
[ 72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286
[ 72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000
[ 72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0
[ 72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff
[ 72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180
[ 72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0
[ 72.552089] FS: 0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000
[ 72.553175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0
[ 72.554874] Call Trace:
[ 72.555278] <TASK>
[ 72.555614] svc_xprt_put+0xaf/0xe0 [sunrpc]
[ 72.556276] nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd]
[ 72.557087] ? update_load_avg+0x82/0x610
[ 72.557652] ? cpuacct_charge+0x60/0x70
[ 72.558212] ? dequeue_entity+0xdb/0x3e0
[ 72.558765] ? queued_spin_unlock+0x9/0x20
[ 72.559358] nfsd4_run_cb_work+0xfc/0x270 [nfsd]
[ 72.560031] process_one_work+0x1df/0x390
[ 72.560600] worker_thread+0x37/0x3b0
[ 72.561644] ? process_one_work+0x390/0x390
[ 72.562247] kthread+0x12f/0x150
[ 72.562710] ? set_kthread_struct+0x50/0x50
[ 72.563309] ret_from_fork+0x22/0x30
[ 72.563818] </TASK>
[ 72.564189] ---[ end trace 031117b1c72ec616 ]---
[ 72.566019] list_add corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018).
[ 72.567647] ------------[ cut here ]------------
Fixes: a4abc6b12eb1 ("nfsd: Fix svc_xprt refcnt leak when setup callback client failed")
Cc: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Cc: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Dan Aloni <dan.aloni@vastdata.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4callback.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index 4eceff561e5a..af2064e36ac6 100644
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -917,7 +917,6 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c
} else {
if (!conn->cb_xprt)
return -EINVAL;
- clp->cl_cb_conn.cb_xprt = conn->cb_xprt;
clp->cl_cb_session = ses;
args.bc_xprt = conn->cb_xprt;
args.prognumber = clp->cl_cb_session->se_cb_prog;
@@ -937,6 +936,9 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c
rpc_shutdown_client(client);
return -ENOMEM;
}
+
+ if (clp->cl_minorversion != 0)
+ clp->cl_cb_conn.cb_xprt = conn->cb_xprt;
clp->cl_cb_client = client;
clp->cl_cb_cred = cred;
trace_nfsd_cb_setup(clp);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 458/783] net: macsec: fix net device access prior to holding a lock
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (456 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 457/783] nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 459/783] mISDN: hfcsusb: dont call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
` (334 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Raed Salem, Emeel Hakim,
Jakub Kicinski, Sasha Levin
From: Emeel Hakim <ehakim@nvidia.com>
[ Upstream commit f3b4a00f0f62da252c598310698dfc82ef2f2e2e ]
Currently macsec offload selection update routine accesses
the net device prior to holding the relevant lock.
Fix by holding the lock prior to the device access.
Fixes: dcb780fb2795 ("net: macsec: add nla support for changing the offloading selection")
Reviewed-by: Raed Salem <raeds@nvidia.com>
Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
Link: https://lore.kernel.org/r/20221211075532.28099-1-ehakim@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/macsec.c | 34 +++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index eb029456b594..4fdb970e3482 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -2584,7 +2584,7 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info)
const struct macsec_ops *ops;
struct macsec_context ctx;
struct macsec_dev *macsec;
- int ret;
+ int ret = 0;
if (!attrs[MACSEC_ATTR_IFINDEX])
return -EINVAL;
@@ -2597,28 +2597,36 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info)
macsec_genl_offload_policy, NULL))
return -EINVAL;
+ rtnl_lock();
+
dev = get_dev_from_nl(genl_info_net(info), attrs);
- if (IS_ERR(dev))
- return PTR_ERR(dev);
+ if (IS_ERR(dev)) {
+ ret = PTR_ERR(dev);
+ goto out;
+ }
macsec = macsec_priv(dev);
- if (!tb_offload[MACSEC_OFFLOAD_ATTR_TYPE])
- return -EINVAL;
+ if (!tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]) {
+ ret = -EINVAL;
+ goto out;
+ }
offload = nla_get_u8(tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]);
if (macsec->offload == offload)
- return 0;
+ goto out;
/* Check if the offloading mode is supported by the underlying layers */
if (offload != MACSEC_OFFLOAD_OFF &&
- !macsec_check_offload(offload, macsec))
- return -EOPNOTSUPP;
+ !macsec_check_offload(offload, macsec)) {
+ ret = -EOPNOTSUPP;
+ goto out;
+ }
/* Check if the net device is busy. */
- if (netif_running(dev))
- return -EBUSY;
-
- rtnl_lock();
+ if (netif_running(dev)) {
+ ret = -EBUSY;
+ goto out;
+ }
prev_offload = macsec->offload;
macsec->offload = offload;
@@ -2653,7 +2661,7 @@ static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info)
rollback:
macsec->offload = prev_offload;
-
+out:
rtnl_unlock();
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 459/783] mISDN: hfcsusb: dont call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (457 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 458/783] net: macsec: fix net device access prior to holding a lock Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 460/783] mISDN: hfcpci: " Greg Kroah-Hartman
` (333 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Alexander Duyck,
Jakub Kicinski, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit ddc9648db162eee556edd5222d2808fe33730203 ]
It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.
It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead.
The difference between them is free reason, dev_kfree_skb_irq() means
the SKB is dropped in error and dev_consume_skb_irq() means the SKB
is consumed in normal.
skb_queue_purge() is called under spin_lock_irqsave() in hfcusb_l2l1D(),
kfree_skb() is called in it, to fix this, use skb_queue_splice_init()
to move the dch->squeue to a free queue, also enqueue the tx_skb and
rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock.
In tx_iso_complete(), dev_kfree_skb() is called to consume the transmitted
SKB, so replace it with dev_consume_skb_irq().
Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/isdn/hardware/mISDN/hfcsusb.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c
index cd5642cef01f..e8b37bd5e34a 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -326,20 +326,24 @@ hfcusb_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb)
test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags);
if (hw->protocol == ISDN_P_NT_S0) {
+ struct sk_buff_head free_queue;
+
+ __skb_queue_head_init(&free_queue);
hfcsusb_ph_command(hw, HFC_L1_DEACTIVATE_NT);
spin_lock_irqsave(&hw->lock, flags);
- skb_queue_purge(&dch->squeue);
+ skb_queue_splice_init(&dch->squeue, &free_queue);
if (dch->tx_skb) {
- dev_kfree_skb(dch->tx_skb);
+ __skb_queue_tail(&free_queue, dch->tx_skb);
dch->tx_skb = NULL;
}
dch->tx_idx = 0;
if (dch->rx_skb) {
- dev_kfree_skb(dch->rx_skb);
+ __skb_queue_tail(&free_queue, dch->rx_skb);
dch->rx_skb = NULL;
}
test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
spin_unlock_irqrestore(&hw->lock, flags);
+ __skb_queue_purge(&free_queue);
#ifdef FIXME
if (test_and_clear_bit(FLG_L1_BUSY, &dch->Flags))
dchannel_sched_event(&hc->dch, D_CLEARBUSY);
@@ -1330,7 +1334,7 @@ tx_iso_complete(struct urb *urb)
printk("\n");
}
- dev_kfree_skb(tx_skb);
+ dev_consume_skb_irq(tx_skb);
tx_skb = NULL;
if (fifo->dch && get_next_dframe(fifo->dch))
tx_skb = fifo->dch->tx_skb;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 460/783] mISDN: hfcpci: dont call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (458 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 459/783] mISDN: hfcsusb: dont call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 461/783] mISDN: hfcmulti: " Greg Kroah-Hartman
` (332 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Alexander Duyck,
Jakub Kicinski, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit f0f596bd75a9d573ca9b587abb39cee0b916bb82 ]
It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.
skb_queue_purge() is called under spin_lock_irqsave() in hfcpci_l2l1D(),
kfree_skb() is called in it, to fix this, use skb_queue_splice_init()
to move the dch->squeue to a free queue, also enqueue the tx_skb and
rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock.
Fixes: 1700fe1a10dc ("Add mISDN HFC PCI driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/isdn/hardware/mISDN/hfcpci.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
index af17459c1a5c..eba58b99cd29 100644
--- a/drivers/isdn/hardware/mISDN/hfcpci.c
+++ b/drivers/isdn/hardware/mISDN/hfcpci.c
@@ -1617,16 +1617,19 @@ hfcpci_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb)
test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags);
spin_lock_irqsave(&hc->lock, flags);
if (hc->hw.protocol == ISDN_P_NT_S0) {
+ struct sk_buff_head free_queue;
+
+ __skb_queue_head_init(&free_queue);
/* prepare deactivation */
Write_hfc(hc, HFCPCI_STATES, 0x40);
- skb_queue_purge(&dch->squeue);
+ skb_queue_splice_init(&dch->squeue, &free_queue);
if (dch->tx_skb) {
- dev_kfree_skb(dch->tx_skb);
+ __skb_queue_tail(&free_queue, dch->tx_skb);
dch->tx_skb = NULL;
}
dch->tx_idx = 0;
if (dch->rx_skb) {
- dev_kfree_skb(dch->rx_skb);
+ __skb_queue_tail(&free_queue, dch->rx_skb);
dch->rx_skb = NULL;
}
test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
@@ -1639,10 +1642,12 @@ hfcpci_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb)
hc->hw.mst_m &= ~HFCPCI_MASTER;
Write_hfc(hc, HFCPCI_MST_MODE, hc->hw.mst_m);
ret = 0;
+ spin_unlock_irqrestore(&hc->lock, flags);
+ __skb_queue_purge(&free_queue);
} else {
ret = l1_event(dch->l1, hh->prim);
+ spin_unlock_irqrestore(&hc->lock, flags);
}
- spin_unlock_irqrestore(&hc->lock, flags);
break;
}
if (!ret)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 461/783] mISDN: hfcmulti: dont call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (459 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 460/783] mISDN: hfcpci: " Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 462/783] nfc: pn533: Clear nfc_target before being used Greg Kroah-Hartman
` (331 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Alexander Duyck,
Jakub Kicinski, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit 1232946cf522b8de9e398828bde325d7c41f29dd ]
It is not allowed to call kfree_skb() or consume_skb() from hardware
interrupt context or with hardware interrupts being disabled.
skb_queue_purge() is called under spin_lock_irqsave() in handle_dmsg()
and hfcm_l1callback(), kfree_skb() is called in them, to fix this, use
skb_queue_splice_init() to move the dch->squeue to a free queue, also
enqueue the tx_skb and rx_skb, at last calling __skb_queue_purge() to
free the SKBs afer unlock.
Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/isdn/hardware/mISDN/hfcmulti.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c
index 7013a3f08429..4c5b6772562d 100644
--- a/drivers/isdn/hardware/mISDN/hfcmulti.c
+++ b/drivers/isdn/hardware/mISDN/hfcmulti.c
@@ -3219,6 +3219,7 @@ static int
hfcm_l1callback(struct dchannel *dch, u_int cmd)
{
struct hfc_multi *hc = dch->hw;
+ struct sk_buff_head free_queue;
u_long flags;
switch (cmd) {
@@ -3247,6 +3248,7 @@ hfcm_l1callback(struct dchannel *dch, u_int cmd)
l1_event(dch->l1, HW_POWERUP_IND);
break;
case HW_DEACT_REQ:
+ __skb_queue_head_init(&free_queue);
/* start deactivation */
spin_lock_irqsave(&hc->lock, flags);
if (hc->ctype == HFC_TYPE_E1) {
@@ -3266,20 +3268,21 @@ hfcm_l1callback(struct dchannel *dch, u_int cmd)
plxsd_checksync(hc, 0);
}
}
- skb_queue_purge(&dch->squeue);
+ skb_queue_splice_init(&dch->squeue, &free_queue);
if (dch->tx_skb) {
- dev_kfree_skb(dch->tx_skb);
+ __skb_queue_tail(&free_queue, dch->tx_skb);
dch->tx_skb = NULL;
}
dch->tx_idx = 0;
if (dch->rx_skb) {
- dev_kfree_skb(dch->rx_skb);
+ __skb_queue_tail(&free_queue, dch->rx_skb);
dch->rx_skb = NULL;
}
test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
if (test_and_clear_bit(FLG_BUSY_TIMER, &dch->Flags))
del_timer(&dch->timer);
spin_unlock_irqrestore(&hc->lock, flags);
+ __skb_queue_purge(&free_queue);
break;
case HW_POWERUP_REQ:
spin_lock_irqsave(&hc->lock, flags);
@@ -3386,6 +3389,9 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb)
case PH_DEACTIVATE_REQ:
test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags);
if (dch->dev.D.protocol != ISDN_P_TE_S0) {
+ struct sk_buff_head free_queue;
+
+ __skb_queue_head_init(&free_queue);
spin_lock_irqsave(&hc->lock, flags);
if (debug & DEBUG_HFCMULTI_MSG)
printk(KERN_DEBUG
@@ -3407,14 +3413,14 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb)
/* deactivate */
dch->state = 1;
}
- skb_queue_purge(&dch->squeue);
+ skb_queue_splice_init(&dch->squeue, &free_queue);
if (dch->tx_skb) {
- dev_kfree_skb(dch->tx_skb);
+ __skb_queue_tail(&free_queue, dch->tx_skb);
dch->tx_skb = NULL;
}
dch->tx_idx = 0;
if (dch->rx_skb) {
- dev_kfree_skb(dch->rx_skb);
+ __skb_queue_tail(&free_queue, dch->rx_skb);
dch->rx_skb = NULL;
}
test_and_clear_bit(FLG_TX_BUSY, &dch->Flags);
@@ -3426,6 +3432,7 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb)
#endif
ret = 0;
spin_unlock_irqrestore(&hc->lock, flags);
+ __skb_queue_purge(&free_queue);
} else
ret = l1_event(dch->l1, hh->prim);
break;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 462/783] nfc: pn533: Clear nfc_target before being used
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (460 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 461/783] mISDN: hfcmulti: " Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 463/783] r6040: Fix kmemleak in probe and remove Greg Kroah-Hartman
` (330 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Minsuk Kang, Krzysztof Kozlowski,
Jakub Kicinski, Sasha Levin
From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
[ Upstream commit 9f28157778ede0d4f183f7ab3b46995bb400abbe ]
Fix a slab-out-of-bounds read that occurs in nla_put() called from
nfc_genl_send_target() when target->sensb_res_len, which is duplicated
from an nfc_target in pn533, is too large as the nfc_target is not
properly initialized and retains garbage values. Clear nfc_targets with
memset() before they are used.
Found by a modified version of syzkaller.
BUG: KASAN: slab-out-of-bounds in nla_put
Call Trace:
memcpy
nla_put
nfc_genl_dump_targets
genl_lock_dumpit
netlink_dump
__netlink_dump_start
genl_family_rcv_msg_dumpit
genl_rcv_msg
netlink_rcv_skb
genl_rcv
netlink_unicast
netlink_sendmsg
sock_sendmsg
____sys_sendmsg
___sys_sendmsg
__sys_sendmsg
do_syscall_64
Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection")
Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533")
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/pn533/pn533.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
index 8d7e29d953b7..87e1296c6838 100644
--- a/drivers/nfc/pn533/pn533.c
+++ b/drivers/nfc/pn533/pn533.c
@@ -1319,6 +1319,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg,
if (IS_ERR(resp))
return PTR_ERR(resp);
+ memset(&nfc_target, 0, sizeof(struct nfc_target));
+
rsp = (struct pn533_cmd_jump_dep_response *)resp->data;
rc = rsp->status & PN533_CMD_RET_MASK;
@@ -1960,6 +1962,8 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg,
dev_dbg(dev->dev, "Creating new target\n");
+ memset(&nfc_target, 0, sizeof(struct nfc_target));
+
nfc_target.supported_protocols = NFC_PROTO_NFC_DEP_MASK;
nfc_target.nfcid1_len = 10;
memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 463/783] r6040: Fix kmemleak in probe and remove
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (461 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 462/783] nfc: pn533: Clear nfc_target before being used Greg Kroah-Hartman
@ 2023-01-12 13:52 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 464/783] net: switch to storing KCOV handle directly in sk_buff Greg Kroah-Hartman
` (329 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:52 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Li Zetao, Leon Romanovsky,
Paolo Abeni, Sasha Levin
From: Li Zetao <lizetao1@huawei.com>
[ Upstream commit 7e43039a49c2da45edc1d9d7c9ede4003ab45a5f ]
There is a memory leaks reported by kmemleak:
unreferenced object 0xffff888116111000 (size 2048):
comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s)
hex dump (first 32 bytes):
00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................
08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff815bcd82>] kmalloc_trace+0x22/0x60
[<ffffffff827e20ee>] phy_device_create+0x4e/0x90
[<ffffffff827e6072>] get_phy_device+0xd2/0x220
[<ffffffff827e7844>] mdiobus_scan+0xa4/0x2e0
[<ffffffff827e8be2>] __mdiobus_register+0x482/0x8b0
[<ffffffffa01f5d24>] r6040_init_one+0x714/0xd2c [r6040]
...
The problem occurs in probe process as follows:
r6040_init_one:
mdiobus_register
mdiobus_scan <- alloc and register phy_device,
the reference count of phy_device is 3
r6040_mii_probe
phy_connect <- connect to the first phy_device,
so the reference count of the first
phy_device is 4, others are 3
register_netdev <- fault inject succeeded, goto error handling path
// error handling path
err_out_mdio_unregister:
mdiobus_unregister(lp->mii_bus);
err_out_mdio:
mdiobus_free(lp->mii_bus); <- the reference count of the first
phy_device is 1, it is not released
and other phy_devices are released
// similarly, the remove process also has the same problem
The root cause is traced to the phy_device is not disconnected when
removes one r6040 device in r6040_remove_one() or on error handling path
after r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet
device is connected to the first PHY device of mii_bus, in order to
notify the connected driver when the link status changes, which is the
default behavior of the PHY infrastructure to handle everything.
Therefore the phy_device should be disconnected when removes one r6040
device or on error handling path.
Fix it by adding phy_disconnect() when removes one r6040 device or on
error handling path after r6040_mii probed successfully.
Fixes: 3831861b4ad8 ("r6040: implement phylib")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/20221213125614.927754-1-lizetao1@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/rdc/r6040.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/rdc/r6040.c b/drivers/net/ethernet/rdc/r6040.c
index ccdfa930130b..4cff544f04c2 100644
--- a/drivers/net/ethernet/rdc/r6040.c
+++ b/drivers/net/ethernet/rdc/r6040.c
@@ -1158,10 +1158,12 @@ static int r6040_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
err = register_netdev(dev);
if (err) {
dev_err(&pdev->dev, "Failed to register net device\n");
- goto err_out_mdio_unregister;
+ goto err_out_phy_disconnect;
}
return 0;
+err_out_phy_disconnect:
+ phy_disconnect(dev->phydev);
err_out_mdio_unregister:
mdiobus_unregister(lp->mii_bus);
err_out_mdio:
@@ -1185,6 +1187,7 @@ static void r6040_remove_one(struct pci_dev *pdev)
struct r6040_private *lp = netdev_priv(dev);
unregister_netdev(dev);
+ phy_disconnect(dev->phydev);
mdiobus_unregister(lp->mii_bus);
mdiobus_free(lp->mii_bus);
netif_napi_del(&lp->napi);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 464/783] net: switch to storing KCOV handle directly in sk_buff
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (462 preceding siblings ...)
2023-01-12 13:52 ` [PATCH 5.10 463/783] r6040: Fix kmemleak in probe and remove Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 465/783] net: add inline function skb_csum_is_sctp Greg Kroah-Hartman
` (328 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Marco Elver,
Jakub Kicinski, Sasha Levin
From: Marco Elver <elver@google.com>
[ Upstream commit fa69ee5aa48b5b52e8028c2eb486906e9998d081 ]
It turns out that usage of skb extensions can cause memory leaks. Ido
Schimmel reported: "[...] there are instances that blindly overwrite
'skb->extensions' by invoking skb_copy_header() after __alloc_skb()."
Therefore, give up on using skb extensions for KCOV handle, and instead
directly store kcov_handle in sk_buff.
Fixes: 6370cc3bbd8a ("net: add kcov handle to skb extensions")
Fixes: 85ce50d337d1 ("net: kcov: don't select SKB_EXTENSIONS when there is no NET")
Fixes: 97f53a08cba1 ("net: linux/skbuff.h: combine SKB_EXTENSIONS + KCOV handling")
Link: https://lore.kernel.org/linux-wireless/20201121160941.GA485907@shredder.lan/
Reported-by: Ido Schimmel <idosch@idosch.org>
Signed-off-by: Marco Elver <elver@google.com>
Link: https://lore.kernel.org/r/20201125224840.2014773-1-elver@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/skbuff.h | 37 +++++++++++++------------------------
lib/Kconfig.debug | 1 -
net/core/skbuff.c | 6 ------
3 files changed, 13 insertions(+), 31 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 462b0e3ef2b2..521d66ec8d80 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -702,6 +702,7 @@ typedef unsigned char *sk_buff_data_t;
* @transport_header: Transport layer header
* @network_header: Network layer header
* @mac_header: Link layer header
+ * @kcov_handle: KCOV remote handle for remote coverage collection
* @tail: Tail pointer
* @end: End pointer
* @head: Head of buffer
@@ -906,6 +907,10 @@ struct sk_buff {
__u16 network_header;
__u16 mac_header;
+#ifdef CONFIG_KCOV
+ u64 kcov_handle;
+#endif
+
/* private: */
__u32 headers_end[0];
/* public: */
@@ -4160,9 +4165,6 @@ enum skb_ext_id {
#endif
#if IS_ENABLED(CONFIG_MPTCP)
SKB_EXT_MPTCP,
-#endif
-#if IS_ENABLED(CONFIG_KCOV)
- SKB_EXT_KCOV_HANDLE,
#endif
SKB_EXT_NUM, /* must be last */
};
@@ -4618,35 +4620,22 @@ static inline void skb_reset_redirect(struct sk_buff *skb)
#endif
}
-#if IS_ENABLED(CONFIG_KCOV) && IS_ENABLED(CONFIG_SKB_EXTENSIONS)
static inline void skb_set_kcov_handle(struct sk_buff *skb,
const u64 kcov_handle)
{
- /* Do not allocate skb extensions only to set kcov_handle to zero
- * (as it is zero by default). However, if the extensions are
- * already allocated, update kcov_handle anyway since
- * skb_set_kcov_handle can be called to zero a previously set
- * value.
- */
- if (skb_has_extensions(skb) || kcov_handle) {
- u64 *kcov_handle_ptr = skb_ext_add(skb, SKB_EXT_KCOV_HANDLE);
-
- if (kcov_handle_ptr)
- *kcov_handle_ptr = kcov_handle;
- }
+#ifdef CONFIG_KCOV
+ skb->kcov_handle = kcov_handle;
+#endif
}
static inline u64 skb_get_kcov_handle(struct sk_buff *skb)
{
- u64 *kcov_handle = skb_ext_find(skb, SKB_EXT_KCOV_HANDLE);
-
- return kcov_handle ? *kcov_handle : 0;
-}
+#ifdef CONFIG_KCOV
+ return skb->kcov_handle;
#else
-static inline void skb_set_kcov_handle(struct sk_buff *skb,
- const u64 kcov_handle) { }
-static inline u64 skb_get_kcov_handle(struct sk_buff *skb) { return 0; }
-#endif /* CONFIG_KCOV && CONFIG_SKB_EXTENSIONS */
+ return 0;
+#endif
+}
#endif /* __KERNEL__ */
#endif /* _LINUX_SKBUFF_H */
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 4aed8abb2022..19c28a34c5f1 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1915,7 +1915,6 @@ config KCOV
depends on CC_HAS_SANCOV_TRACE_PC || GCC_PLUGINS
select DEBUG_FS
select GCC_PLUGIN_SANCOV if !CC_HAS_SANCOV_TRACE_PC
- select SKB_EXTENSIONS if NET
help
KCOV exposes kernel code coverage information in a form suitable
for coverage-guided fuzzing (randomized testing).
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 06169889b0ca..176bcbb07aab 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4258,9 +4258,6 @@ static const u8 skb_ext_type_len[] = {
#if IS_ENABLED(CONFIG_MPTCP)
[SKB_EXT_MPTCP] = SKB_EXT_CHUNKSIZEOF(struct mptcp_ext),
#endif
-#if IS_ENABLED(CONFIG_KCOV)
- [SKB_EXT_KCOV_HANDLE] = SKB_EXT_CHUNKSIZEOF(u64),
-#endif
};
static __always_inline unsigned int skb_ext_total_length(void)
@@ -4277,9 +4274,6 @@ static __always_inline unsigned int skb_ext_total_length(void)
#endif
#if IS_ENABLED(CONFIG_MPTCP)
skb_ext_type_len[SKB_EXT_MPTCP] +
-#endif
-#if IS_ENABLED(CONFIG_KCOV)
- skb_ext_type_len[SKB_EXT_KCOV_HANDLE] +
#endif
0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 465/783] net: add inline function skb_csum_is_sctp
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (463 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 464/783] net: switch to storing KCOV handle directly in sk_buff Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 466/783] net: igc: use skb_csum_is_sctp instead of protocol check Greg Kroah-Hartman
` (327 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Duyck, Xin Long,
Alexander Duyck, Jakub Kicinski, Sasha Levin
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit fa82117010430aff2ce86400f7328f55a31b48a6 ]
This patch is to define a inline function skb_csum_is_sctp(), and
also replace all places where it checks if it's a SCTP CSUM skb.
This function would be used later in many networking drivers in
the following patches.
Suggested-by: Alexander Duyck <alexander.duyck@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/pensando/ionic/ionic_txrx.c | 2 +-
include/linux/skbuff.h | 5 +++++
net/core/dev.c | 2 +-
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
index 46dbb49f837c..5463c8b8e43c 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_txrx.c
@@ -986,7 +986,7 @@ static int ionic_tx_calc_csum(struct ionic_queue *q, struct sk_buff *skb)
stats->vlan_inserted++;
}
- if (skb->csum_not_inet)
+ if (skb_csum_is_sctp(skb))
stats->crc32_csum++;
else
stats->csum++;
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 521d66ec8d80..39636fe7e8f0 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4620,6 +4620,11 @@ static inline void skb_reset_redirect(struct sk_buff *skb)
#endif
}
+static inline bool skb_csum_is_sctp(struct sk_buff *skb)
+{
+ return skb->csum_not_inet;
+}
+
static inline void skb_set_kcov_handle(struct sk_buff *skb,
const u64 kcov_handle)
{
diff --git a/net/core/dev.c b/net/core/dev.c
index 34b5aab42b91..a421c54331ea 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3631,7 +3631,7 @@ static struct sk_buff *validate_xmit_vlan(struct sk_buff *skb,
int skb_csum_hwoffload_help(struct sk_buff *skb,
const netdev_features_t features)
{
- if (unlikely(skb->csum_not_inet))
+ if (unlikely(skb_csum_is_sctp(skb)))
return !!(features & NETIF_F_SCTP_CRC) ? 0 :
skb_crc32c_csum_help(skb);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 466/783] net: igc: use skb_csum_is_sctp instead of protocol check
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (464 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 465/783] net: add inline function skb_csum_is_sctp Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 467/783] net: add a helper to avoid issues with HW TX timestamping and SO_TXTIME Greg Kroah-Hartman
` (326 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Alexander Duyck,
Jakub Kicinski, Sasha Levin
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 609d29a9d2429a840a2f1f44e77b71d58e3e9a33 ]
Using skb_csum_is_sctp is a easier way to validate it's a SCTP CRC
checksum offload packet, and yet it also makes igc support SCTP
CRC checksum offload for UDP and GRE encapped packets, just as it
does in igb driver.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_main.c | 14 +-------------
1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index e7ffe63925fd..f438cdf83e55 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -954,15 +954,6 @@ static void igc_tx_ctxtdesc(struct igc_ring *tx_ring,
}
}
-static inline bool igc_ipv6_csum_is_sctp(struct sk_buff *skb)
-{
- unsigned int offset = 0;
-
- ipv6_find_hdr(skb, &offset, IPPROTO_SCTP, NULL, NULL);
-
- return offset == skb_checksum_start_offset(skb);
-}
-
static void igc_tx_csum(struct igc_ring *tx_ring, struct igc_tx_buffer *first)
{
struct sk_buff *skb = first->skb;
@@ -985,10 +976,7 @@ static void igc_tx_csum(struct igc_ring *tx_ring, struct igc_tx_buffer *first)
break;
case offsetof(struct sctphdr, checksum):
/* validate that this is actually an SCTP request */
- if ((first->protocol == htons(ETH_P_IP) &&
- (ip_hdr(skb)->protocol == IPPROTO_SCTP)) ||
- (first->protocol == htons(ETH_P_IPV6) &&
- igc_ipv6_csum_is_sctp(skb))) {
+ if (skb_csum_is_sctp(skb)) {
type_tucmd = IGC_ADVTXD_TUCMD_L4T_SCTP;
break;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 467/783] net: add a helper to avoid issues with HW TX timestamping and SO_TXTIME
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (465 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 466/783] net: igc: use skb_csum_is_sctp instead of protocol check Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 468/783] igc: Enhance Qbv scheduling by using first flag bit Greg Kroah-Hartman
` (325 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vinicius Costa Gomes,
Vladimir Oltean, David S. Miller, Sasha Levin
From: Vladimir Oltean <olteanv@gmail.com>
[ Upstream commit 847cbfc014adafeac401e19e349b0fd524f201c3 ]
As explained in commit 29d98f54a4fe ("net: enetc: allow hardware
timestamping on TX queues with tc-etf enabled"), hardware TX
timestamping requires an skb with skb->tstamp = 0. When a packet is sent
with SO_TXTIME, the skb->skb_mstamp_ns corrupts the value of skb->tstamp,
so the drivers need to explicitly reset skb->tstamp to zero after
consuming the TX time.
Create a helper named skb_txtime_consumed() which does just that. All
drivers which offload TC_SETUP_QDISC_ETF should implement it, and it
would make it easier to assess during review whether they do the right
thing in order to be compatible with hardware timestamping or not.
Suggested-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: db0b124f02ba ("igc: Enhance Qbv scheduling by using first flag bit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/enetc/enetc.c | 8 ++------
drivers/net/ethernet/intel/igb/igb_main.c | 2 +-
drivers/net/ethernet/intel/igc/igc_main.c | 2 +-
include/net/pkt_sched.h | 9 +++++++++
4 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
index 975762ccb66f..5f9603d4c049 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc.c
@@ -5,6 +5,7 @@
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/vmalloc.h>
+#include <net/pkt_sched.h>
/* ENETC overhead: optional extension BD + 1 BD gap */
#define ENETC_TXBDS_NEEDED(val) ((val) + 2)
@@ -384,12 +385,7 @@ static void enetc_tstamp_tx(struct sk_buff *skb, u64 tstamp)
if (skb_shinfo(skb)->tx_flags & SKBTX_IN_PROGRESS) {
memset(&shhwtstamps, 0, sizeof(shhwtstamps));
shhwtstamps.hwtstamp = ns_to_ktime(tstamp);
- /* Ensure skb_mstamp_ns, which might have been populated with
- * the txtime, is not mistaken for a software timestamp,
- * because this will prevent the dispatch of our hardware
- * timestamp to the socket.
- */
- skb->tstamp = ktime_set(0, 0);
+ skb_txtime_consumed(skb);
skb_tstamp_tx(skb, &shhwtstamps);
}
}
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index f24f1a8ec2fb..2646601c3487 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -5879,7 +5879,7 @@ static void igb_tx_ctxtdesc(struct igb_ring *tx_ring,
*/
if (tx_ring->launchtime_enable) {
ts = ktime_to_timespec64(first->skb->tstamp);
- first->skb->tstamp = ktime_set(0, 0);
+ skb_txtime_consumed(first->skb);
context_desc->seqnum_seed = cpu_to_le32(ts.tv_nsec / 32);
} else {
context_desc->seqnum_seed = 0;
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index f438cdf83e55..48192594d3d7 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -946,7 +946,7 @@ static void igc_tx_ctxtdesc(struct igc_ring *tx_ring,
struct igc_adapter *adapter = netdev_priv(tx_ring->netdev);
ktime_t txtime = first->skb->tstamp;
- first->skb->tstamp = ktime_set(0, 0);
+ skb_txtime_consumed(first->skb);
context_desc->launch_time = igc_tx_launchtime(adapter,
txtime);
} else {
diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h
index 7e58b4470570..50d5ffbad473 100644
--- a/include/net/pkt_sched.h
+++ b/include/net/pkt_sched.h
@@ -179,4 +179,13 @@ struct tc_taprio_qopt_offload *taprio_offload_get(struct tc_taprio_qopt_offload
*offload);
void taprio_offload_free(struct tc_taprio_qopt_offload *offload);
+/* Ensure skb_mstamp_ns, which might have been populated with the txtime, is
+ * not mistaken for a software timestamp, because this will otherwise prevent
+ * the dispatch of hardware timestamps to the socket.
+ */
+static inline void skb_txtime_consumed(struct sk_buff *skb)
+{
+ skb->tstamp = ktime_set(0, 0);
+}
+
#endif
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 468/783] igc: Enhance Qbv scheduling by using first flag bit
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (466 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 467/783] net: add a helper to avoid issues with HW TX timestamping and SO_TXTIME Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 469/783] igc: Use strict cycles for Qbv scheduling Greg Kroah-Hartman
` (324 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vinicius Costa Gomes,
Aravindhan Gunasekaran, Muhammad Husaini Zulkifli, Malli C,
Naama Meir, Tony Nguyen, Sasha Levin
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit db0b124f02ba68de6517ac303d431af220ccfe9f ]
The I225 hardware has a limitation that packets can only be scheduled
in the [0, cycle-time] interval. So, scheduling a packet to the start
of the next cycle doesn't usually work.
To overcome this, we use the Transmit Descriptor first flag to indicates
that a packet should be the first packet (from a queue) in a cycle
according to the section 7.5.2.9.3.4 The First Packet on Each QBV Cycle
in Intel Discrete I225/6 User Manual.
But this only works if there was any packet from that queue during the
current cycle, to avoid this issue, we issue an empty packet if that's
not the case. Also require one more descriptor to be available, to take
into account the empty packet that might be issued.
Test Setup:
Talker: Use l2_tai to generate the launchtime into packet load.
Listener: Use timedump.c to compute the delta between packet arrival
and LaunchTime packet payload.
Test Result:
Before:
1666000610127300000,1666000610127300096,96,621273
1666000610127400000,1666000610127400192,192,621274
1666000610127500000,1666000610127500032,32,621275
1666000610127600000,1666000610127600128,128,621276
1666000610127700000,1666000610127700224,224,621277
1666000610127800000,1666000610127800064,64,621278
1666000610127900000,1666000610127900160,160,621279
1666000610128000000,1666000610128000000,0,621280
1666000610128100000,1666000610128100096,96,621281
1666000610128200000,1666000610128200192,192,621282
1666000610128300000,1666000610128300032,32,621283
1666000610128400000,1666000610128301056,-98944,621284
1666000610128500000,1666000610128302080,-197920,621285
1666000610128600000,1666000610128302848,-297152,621286
1666000610128700000,1666000610128303872,-396128,621287
1666000610128800000,1666000610128304896,-495104,621288
1666000610128900000,1666000610128305664,-594336,621289
1666000610129000000,1666000610128306688,-693312,621290
1666000610129100000,1666000610128307712,-792288,621291
1666000610129200000,1666000610128308480,-891520,621292
1666000610129300000,1666000610128309504,-990496,621293
1666000610129400000,1666000610128310528,-1089472,621294
1666000610129500000,1666000610128311296,-1188704,621295
1666000610129600000,1666000610128312320,-1287680,621296
1666000610129700000,1666000610128313344,-1386656,621297
1666000610129800000,1666000610128314112,-1485888,621298
1666000610129900000,1666000610128315136,-1584864,621299
1666000610130000000,1666000610128316160,-1683840,621300
1666000610130100000,1666000610128316928,-1783072,621301
1666000610130200000,1666000610128317952,-1882048,621302
1666000610130300000,1666000610128318976,-1981024,621303
1666000610130400000,1666000610128319744,-2080256,621304
1666000610130500000,1666000610128320768,-2179232,621305
1666000610130600000,1666000610128321792,-2278208,621306
1666000610130700000,1666000610128322816,-2377184,621307
1666000610130800000,1666000610128323584,-2476416,621308
1666000610130900000,1666000610128324608,-2575392,621309
1666000610131000000,1666000610128325632,-2674368,621310
1666000610131100000,1666000610128326400,-2773600,621311
1666000610131200000,1666000610128327424,-2872576,621312
1666000610131300000,1666000610128328448,-2971552,621313
1666000610131400000,1666000610128329216,-3070784,621314
1666000610131500000,1666000610131500032,32,621315
1666000610131600000,1666000610131600128,128,621316
1666000610131700000,1666000610131700224,224,621317
After:
1666073510646200000,1666073510646200064,64,2676462
1666073510646300000,1666073510646300160,160,2676463
1666073510646400000,1666073510646400256,256,2676464
1666073510646500000,1666073510646500096,96,2676465
1666073510646600000,1666073510646600192,192,2676466
1666073510646700000,1666073510646700032,32,2676467
1666073510646800000,1666073510646800128,128,2676468
1666073510646900000,1666073510646900224,224,2676469
1666073510647000000,1666073510647000064,64,2676470
1666073510647100000,1666073510647100160,160,2676471
1666073510647200000,1666073510647200256,256,2676472
1666073510647300000,1666073510647300096,96,2676473
1666073510647400000,1666073510647400192,192,2676474
1666073510647500000,1666073510647500032,32,2676475
1666073510647600000,1666073510647600128,128,2676476
1666073510647700000,1666073510647700224,224,2676477
1666073510647800000,1666073510647800064,64,2676478
1666073510647900000,1666073510647900160,160,2676479
1666073510648000000,1666073510648000000,0,2676480
1666073510648100000,1666073510648100096,96,2676481
1666073510648200000,1666073510648200192,192,2676482
1666073510648300000,1666073510648300032,32,2676483
1666073510648400000,1666073510648400128,128,2676484
1666073510648500000,1666073510648500224,224,2676485
1666073510648600000,1666073510648600064,64,2676486
1666073510648700000,1666073510648700160,160,2676487
1666073510648800000,1666073510648800000,0,2676488
1666073510648900000,1666073510648900096,96,2676489
1666073510649000000,1666073510649000192,192,2676490
1666073510649100000,1666073510649100032,32,2676491
1666073510649200000,1666073510649200128,128,2676492
1666073510649300000,1666073510649300224,224,2676493
1666073510649400000,1666073510649400064,64,2676494
1666073510649500000,1666073510649500160,160,2676495
1666073510649600000,1666073510649600000,0,2676496
1666073510649700000,1666073510649700096,96,2676497
1666073510649800000,1666073510649800192,192,2676498
1666073510649900000,1666073510649900032,32,2676499
1666073510650000000,1666073510650000128,128,2676500
Fixes: 82faa9b79950 ("igc: Add support for ETF offloading")
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Co-developed-by: Aravindhan Gunasekaran <aravindhan.gunasekaran@intel.com>
Signed-off-by: Aravindhan Gunasekaran <aravindhan.gunasekaran@intel.com>
Co-developed-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
Signed-off-by: Malli C <mallikarjuna.chilakala@intel.com>
Tested-by: Naama Meir <naamax.meir@linux.intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc.h | 2 +
drivers/net/ethernet/intel/igc/igc_defines.h | 2 +
drivers/net/ethernet/intel/igc/igc_main.c | 176 ++++++++++++++++---
3 files changed, 151 insertions(+), 29 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc.h b/drivers/net/ethernet/intel/igc/igc.h
index a97bf7a5f1d6..970dd878d8a7 100644
--- a/drivers/net/ethernet/intel/igc/igc.h
+++ b/drivers/net/ethernet/intel/igc/igc.h
@@ -87,6 +87,8 @@ struct igc_ring {
u8 queue_index; /* logical index of the ring*/
u8 reg_idx; /* physical index of the ring */
bool launchtime_enable; /* true if LaunchTime is enabled */
+ ktime_t last_tx_cycle; /* end of the cycle with a launchtime transmission */
+ ktime_t last_ff_cycle; /* Last cycle with an active first flag */
u32 start_time;
u32 end_time;
diff --git a/drivers/net/ethernet/intel/igc/igc_defines.h b/drivers/net/ethernet/intel/igc/igc_defines.h
index 32f5fd684139..352b50d3881d 100644
--- a/drivers/net/ethernet/intel/igc/igc_defines.h
+++ b/drivers/net/ethernet/intel/igc/igc_defines.h
@@ -278,6 +278,8 @@
#define IGC_ADVTXD_L4LEN_SHIFT 8 /* Adv ctxt L4LEN shift */
#define IGC_ADVTXD_MSS_SHIFT 16 /* Adv ctxt MSS shift */
+#define IGC_ADVTXD_TSN_CNTX_FIRST 0x00000080
+
/* Transmit Control */
#define IGC_TCTL_EN 0x00000002 /* enable Tx */
#define IGC_TCTL_PSP 0x00000008 /* pad short packets */
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index 48192594d3d7..f4082ea7beaa 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -898,25 +898,118 @@ static int igc_write_mc_addr_list(struct net_device *netdev)
return netdev_mc_count(netdev);
}
-static __le32 igc_tx_launchtime(struct igc_adapter *adapter, ktime_t txtime)
+static __le32 igc_tx_launchtime(struct igc_ring *ring, ktime_t txtime,
+ bool *first_flag, bool *insert_empty)
{
+ struct igc_adapter *adapter = netdev_priv(ring->netdev);
ktime_t cycle_time = adapter->cycle_time;
ktime_t base_time = adapter->base_time;
+ ktime_t now = ktime_get_clocktai();
+ ktime_t baset_est, end_of_cycle;
u32 launchtime;
+ s64 n;
- /* FIXME: when using ETF together with taprio, we may have a
- * case where 'delta' is larger than the cycle_time, this may
- * cause problems if we don't read the current value of
- * IGC_BASET, as the value writen into the launchtime
- * descriptor field may be misinterpreted.
+ n = div64_s64(ktime_sub_ns(now, base_time), cycle_time);
+
+ baset_est = ktime_add_ns(base_time, cycle_time * (n));
+ end_of_cycle = ktime_add_ns(baset_est, cycle_time);
+
+ if (ktime_compare(txtime, end_of_cycle) >= 0) {
+ if (baset_est != ring->last_ff_cycle) {
+ *first_flag = true;
+ ring->last_ff_cycle = baset_est;
+
+ if (ktime_compare(txtime, ring->last_tx_cycle) > 0)
+ *insert_empty = true;
+ }
+ }
+
+ /* Introducing a window at end of cycle on which packets
+ * potentially not honor launchtime. Window of 5us chosen
+ * considering software update the tail pointer and packets
+ * are dma'ed to packet buffer.
*/
- div_s64_rem(ktime_sub_ns(txtime, base_time), cycle_time, &launchtime);
+ if ((ktime_sub_ns(end_of_cycle, now) < 5 * NSEC_PER_USEC))
+ netdev_warn(ring->netdev, "Packet with txtime=%llu may not be honoured\n",
+ txtime);
+
+ ring->last_tx_cycle = end_of_cycle;
+
+ launchtime = ktime_sub_ns(txtime, baset_est);
+ if (launchtime > 0)
+ div_s64_rem(launchtime, cycle_time, &launchtime);
+ else
+ launchtime = 0;
return cpu_to_le32(launchtime);
}
+static int igc_init_empty_frame(struct igc_ring *ring,
+ struct igc_tx_buffer *buffer,
+ struct sk_buff *skb)
+{
+ unsigned int size;
+ dma_addr_t dma;
+
+ size = skb_headlen(skb);
+
+ dma = dma_map_single(ring->dev, skb->data, size, DMA_TO_DEVICE);
+ if (dma_mapping_error(ring->dev, dma)) {
+ netdev_err_once(ring->netdev, "Failed to map DMA for TX\n");
+ return -ENOMEM;
+ }
+
+ buffer->skb = skb;
+ buffer->protocol = 0;
+ buffer->bytecount = skb->len;
+ buffer->gso_segs = 1;
+ buffer->time_stamp = jiffies;
+ dma_unmap_len_set(buffer, len, skb->len);
+ dma_unmap_addr_set(buffer, dma, dma);
+
+ return 0;
+}
+
+static int igc_init_tx_empty_descriptor(struct igc_ring *ring,
+ struct sk_buff *skb,
+ struct igc_tx_buffer *first)
+{
+ union igc_adv_tx_desc *desc;
+ u32 cmd_type, olinfo_status;
+ int err;
+
+ if (!igc_desc_unused(ring))
+ return -EBUSY;
+
+ err = igc_init_empty_frame(ring, first, skb);
+ if (err)
+ return err;
+
+ cmd_type = IGC_ADVTXD_DTYP_DATA | IGC_ADVTXD_DCMD_DEXT |
+ IGC_ADVTXD_DCMD_IFCS | IGC_TXD_DCMD |
+ first->bytecount;
+ olinfo_status = first->bytecount << IGC_ADVTXD_PAYLEN_SHIFT;
+
+ desc = IGC_TX_DESC(ring, ring->next_to_use);
+ desc->read.cmd_type_len = cpu_to_le32(cmd_type);
+ desc->read.olinfo_status = cpu_to_le32(olinfo_status);
+ desc->read.buffer_addr = cpu_to_le64(dma_unmap_addr(first, dma));
+
+ netdev_tx_sent_queue(txring_txq(ring), skb->len);
+
+ first->next_to_watch = desc;
+
+ ring->next_to_use++;
+ if (ring->next_to_use == ring->count)
+ ring->next_to_use = 0;
+
+ return 0;
+}
+
+#define IGC_EMPTY_FRAME_SIZE 60
+
static void igc_tx_ctxtdesc(struct igc_ring *tx_ring,
- struct igc_tx_buffer *first,
+ __le32 launch_time, bool first_flag,
u32 vlan_macip_lens, u32 type_tucmd,
u32 mss_l4len_idx)
{
@@ -935,26 +1028,17 @@ static void igc_tx_ctxtdesc(struct igc_ring *tx_ring,
if (test_bit(IGC_RING_FLAG_TX_CTX_IDX, &tx_ring->flags))
mss_l4len_idx |= tx_ring->reg_idx << 4;
+ if (first_flag)
+ mss_l4len_idx |= IGC_ADVTXD_TSN_CNTX_FIRST;
+
context_desc->vlan_macip_lens = cpu_to_le32(vlan_macip_lens);
context_desc->type_tucmd_mlhl = cpu_to_le32(type_tucmd);
context_desc->mss_l4len_idx = cpu_to_le32(mss_l4len_idx);
-
- /* We assume there is always a valid Tx time available. Invalid times
- * should have been handled by the upper layers.
- */
- if (tx_ring->launchtime_enable) {
- struct igc_adapter *adapter = netdev_priv(tx_ring->netdev);
- ktime_t txtime = first->skb->tstamp;
-
- skb_txtime_consumed(first->skb);
- context_desc->launch_time = igc_tx_launchtime(adapter,
- txtime);
- } else {
- context_desc->launch_time = 0;
- }
+ context_desc->launch_time = launch_time;
}
-static void igc_tx_csum(struct igc_ring *tx_ring, struct igc_tx_buffer *first)
+static void igc_tx_csum(struct igc_ring *tx_ring, struct igc_tx_buffer *first,
+ __le32 launch_time, bool first_flag)
{
struct sk_buff *skb = first->skb;
u32 vlan_macip_lens = 0;
@@ -994,7 +1078,8 @@ static void igc_tx_csum(struct igc_ring *tx_ring, struct igc_tx_buffer *first)
vlan_macip_lens |= skb_network_offset(skb) << IGC_ADVTXD_MACLEN_SHIFT;
vlan_macip_lens |= first->tx_flags & IGC_TX_FLAGS_VLAN_MASK;
- igc_tx_ctxtdesc(tx_ring, first, vlan_macip_lens, type_tucmd, 0);
+ igc_tx_ctxtdesc(tx_ring, launch_time, first_flag,
+ vlan_macip_lens, type_tucmd, 0);
}
static int __igc_maybe_stop_tx(struct igc_ring *tx_ring, const u16 size)
@@ -1218,6 +1303,7 @@ static int igc_tx_map(struct igc_ring *tx_ring,
static int igc_tso(struct igc_ring *tx_ring,
struct igc_tx_buffer *first,
+ __le32 launch_time, bool first_flag,
u8 *hdr_len)
{
u32 vlan_macip_lens, type_tucmd, mss_l4len_idx;
@@ -1304,8 +1390,8 @@ static int igc_tso(struct igc_ring *tx_ring,
vlan_macip_lens |= (ip.hdr - skb->data) << IGC_ADVTXD_MACLEN_SHIFT;
vlan_macip_lens |= first->tx_flags & IGC_TX_FLAGS_VLAN_MASK;
- igc_tx_ctxtdesc(tx_ring, first, vlan_macip_lens,
- type_tucmd, mss_l4len_idx);
+ igc_tx_ctxtdesc(tx_ring, launch_time, first_flag,
+ vlan_macip_lens, type_tucmd, mss_l4len_idx);
return 1;
}
@@ -1313,11 +1399,14 @@ static int igc_tso(struct igc_ring *tx_ring,
static netdev_tx_t igc_xmit_frame_ring(struct sk_buff *skb,
struct igc_ring *tx_ring)
{
+ bool first_flag = false, insert_empty = false;
u16 count = TXD_USE_COUNT(skb_headlen(skb));
__be16 protocol = vlan_get_protocol(skb);
struct igc_tx_buffer *first;
+ __le32 launch_time = 0;
u32 tx_flags = 0;
unsigned short f;
+ ktime_t txtime;
u8 hdr_len = 0;
int tso = 0;
@@ -1331,11 +1420,40 @@ static netdev_tx_t igc_xmit_frame_ring(struct sk_buff *skb,
count += TXD_USE_COUNT(skb_frag_size(
&skb_shinfo(skb)->frags[f]));
- if (igc_maybe_stop_tx(tx_ring, count + 3)) {
+ if (igc_maybe_stop_tx(tx_ring, count + 5)) {
/* this is a hard error */
return NETDEV_TX_BUSY;
}
+ if (!tx_ring->launchtime_enable)
+ goto done;
+
+ txtime = skb->tstamp;
+ skb->tstamp = ktime_set(0, 0);
+ launch_time = igc_tx_launchtime(tx_ring, txtime, &first_flag, &insert_empty);
+
+ if (insert_empty) {
+ struct igc_tx_buffer *empty_info;
+ struct sk_buff *empty;
+ void *data;
+
+ empty_info = &tx_ring->tx_buffer_info[tx_ring->next_to_use];
+ empty = alloc_skb(IGC_EMPTY_FRAME_SIZE, GFP_ATOMIC);
+ if (!empty)
+ goto done;
+
+ data = skb_put(empty, IGC_EMPTY_FRAME_SIZE);
+ memset(data, 0, IGC_EMPTY_FRAME_SIZE);
+
+ igc_tx_ctxtdesc(tx_ring, 0, false, 0, 0, 0);
+
+ if (igc_init_tx_empty_descriptor(tx_ring,
+ empty,
+ empty_info) < 0)
+ dev_kfree_skb_any(empty);
+ }
+
+done:
/* record the location of the first descriptor for this packet */
first = &tx_ring->tx_buffer_info[tx_ring->next_to_use];
first->skb = skb;
@@ -1366,11 +1484,11 @@ static netdev_tx_t igc_xmit_frame_ring(struct sk_buff *skb,
first->tx_flags = tx_flags;
first->protocol = protocol;
- tso = igc_tso(tx_ring, first, &hdr_len);
+ tso = igc_tso(tx_ring, first, launch_time, first_flag, &hdr_len);
if (tso < 0)
goto out_drop;
else if (!tso)
- igc_tx_csum(tx_ring, first);
+ igc_tx_csum(tx_ring, first, launch_time, first_flag);
igc_tx_map(tx_ring, first, hdr_len);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 469/783] igc: Use strict cycles for Qbv scheduling
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (467 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 468/783] igc: Enhance Qbv scheduling by using first flag bit Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 470/783] igc: Add checking for basetime less than zero Greg Kroah-Hartman
` (323 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vinicius Costa Gomes,
Aravindhan Gunasekaran, Muhammad Husaini Zulkifli, Naama Meir,
Tony Nguyen, Sasha Levin
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
[ Upstream commit d8f45be01dd9381065a3778a579385249ed011dc ]
Configuring strict cycle mode in the controller forces more well
behaved transmissions when taprio is offloaded.
When set this strict_cycle and strict_end, transmission is not
enabled if the whole packet cannot be completed before end of
the Qbv cycle.
Fixes: 82faa9b79950 ("igc: Add support for ETF offloading")
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Aravindhan Gunasekaran <aravindhan.gunasekaran@intel.com>
Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
Tested-by: Naama Meir <naamax.meir@linux.intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_tsn.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_tsn.c b/drivers/net/ethernet/intel/igc/igc_tsn.c
index 174103c4bea6..2d4db2a547b2 100644
--- a/drivers/net/ethernet/intel/igc/igc_tsn.c
+++ b/drivers/net/ethernet/intel/igc/igc_tsn.c
@@ -92,15 +92,8 @@ static int igc_tsn_enable_offload(struct igc_adapter *adapter)
wr32(IGC_STQT(i), ring->start_time);
wr32(IGC_ENDQT(i), ring->end_time);
- if (adapter->base_time) {
- /* If we have a base_time we are in "taprio"
- * mode and we need to be strict about the
- * cycles: only transmit a packet if it can be
- * completed during that cycle.
- */
- txqctl |= IGC_TXQCTL_STRICT_CYCLE |
- IGC_TXQCTL_STRICT_END;
- }
+ txqctl |= IGC_TXQCTL_STRICT_CYCLE |
+ IGC_TXQCTL_STRICT_END;
if (ring->launchtime_enable)
txqctl |= IGC_TXQCTL_QUEUE_MODE_LAUNCHT;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 470/783] igc: Add checking for basetime less than zero
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (468 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 469/783] igc: Use strict cycles for Qbv scheduling Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 471/783] igc: recalculate Qbv end_time by considering cycle time Greg Kroah-Hartman
` (322 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muhammad Husaini Zulkifli,
Naama Meir, Tony Nguyen, Sasha Levin
From: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
[ Upstream commit 3b61764fb49a6e147ac90d71dccdddc9d5508ba1 ]
Using the tc qdisc command, the user can set basetime to any value.
Checking should be done on the driver's side to prevent registering
basetime values that are less than zero.
Fixes: ec50a9d437f0 ("igc: Add support for taprio offloading")
Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
Tested-by: Naama Meir <naamax.meir@linux.intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_main.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index f4082ea7beaa..45069dc0ccc6 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -4912,6 +4912,9 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
return 0;
}
+ if (qopt->base_time < 0)
+ return -ERANGE;
+
if (adapter->base_time)
return -EALREADY;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 471/783] igc: recalculate Qbv end_time by considering cycle time
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (469 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 470/783] igc: Add checking for basetime less than zero Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 472/783] igc: Lift TAPRIO schedule restriction Greg Kroah-Hartman
` (321 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tan Tee Min,
Muhammad Husaini Zulkifli, Naama Meir, Tony Nguyen, Sasha Levin
From: Tan Tee Min <tee.min.tan@linux.intel.com>
[ Upstream commit 6d05251d537a4d3835959a8cdd8cbbbdcdc0c904 ]
Qbv users can specify a cycle time that is not equal to the total GCL
intervals. Hence, recalculation is necessary here to exclude the time
interval that exceeds the cycle time. As those GCL which exceeds the
cycle time will be truncated.
According to IEEE Std. 802.1Q-2018 section 8.6.9.2, once the end of
the list is reached, it will switch to the END_OF_CYCLE state and
leave the gates in the same state until the next cycle is started.
Fixes: ec50a9d437f0 ("igc: Add support for taprio offloading")
Signed-off-by: Tan Tee Min <tee.min.tan@linux.intel.com>
Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
Tested-by: Naama Meir <naamax.meir@linux.intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_main.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index 45069dc0ccc6..94a608585f71 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -4933,6 +4933,21 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
end_time += e->interval;
+ /* If any of the conditions below are true, we need to manually
+ * control the end time of the cycle.
+ * 1. Qbv users can specify a cycle time that is not equal
+ * to the total GCL intervals. Hence, recalculation is
+ * necessary here to exclude the time interval that
+ * exceeds the cycle time.
+ * 2. According to IEEE Std. 802.1Q-2018 section 8.6.9.2,
+ * once the end of the list is reached, it will switch
+ * to the END_OF_CYCLE state and leave the gates in the
+ * same state until the next cycle is started.
+ */
+ if (end_time > adapter->cycle_time ||
+ n + 1 == qopt->num_entries)
+ end_time = adapter->cycle_time;
+
for (i = 0; i < adapter->num_tx_queues; i++) {
struct igc_ring *ring = adapter->tx_ring[i];
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 472/783] igc: Lift TAPRIO schedule restriction
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (470 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 471/783] igc: recalculate Qbv end_time by considering cycle time Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 473/783] igc: Set Qbv start_time and end_time to end_time if not being configured in GCL Greg Kroah-Hartman
` (320 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kurt Kanzenbach,
Vinicius Costa Gomes, Naama Meir, Tony Nguyen, Sasha Levin
From: Kurt Kanzenbach <kurt@linutronix.de>
[ Upstream commit a5fd39464a4081ce11c801d7e20c4551ba7cb983 ]
Add support for Qbv schedules where one queue stays open
in consecutive entries. Currently that's not supported.
Example schedule:
|tc qdisc replace dev ${INTERFACE} handle 100 parent root taprio num_tc 3 \
| map 2 2 1 0 2 2 2 2 2 2 2 2 2 2 2 2 \
| queues 1@0 1@1 2@2 \
| base-time ${BASETIME} \
| sched-entry S 0x01 300000 \ # Stream High/Low
| sched-entry S 0x06 500000 \ # Management and Best Effort
| sched-entry S 0x04 200000 \ # Best Effort
| flags 0x02
Signed-off-by: Kurt Kanzenbach <kurt@linutronix.de>
Reviewed-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Tested-by: Naama Meir <naamax.meir@linux.intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Stable-dep-of: 72abeedd8398 ("igc: Set Qbv start_time and end_time to end_time if not being configured in GCL")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_main.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index 94a608585f71..9420a169780c 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -4862,9 +4862,10 @@ static bool validate_schedule(struct igc_adapter *adapter,
return false;
for (n = 0; n < qopt->num_entries; n++) {
- const struct tc_taprio_sched_entry *e;
+ const struct tc_taprio_sched_entry *e, *prev;
int i;
+ prev = n ? &qopt->entries[n - 1] : NULL;
e = &qopt->entries[n];
/* i225 only supports "global" frame preemption
@@ -4877,7 +4878,12 @@ static bool validate_schedule(struct igc_adapter *adapter,
if (e->gate_mask & BIT(i))
queue_uses[i]++;
- if (queue_uses[i] > 1)
+ /* There are limitations: A single queue cannot be
+ * opened and closed multiple times per cycle unless the
+ * gate stays open. Check for it.
+ */
+ if (queue_uses[i] > 1 &&
+ !(prev->gate_mask & BIT(i)))
return false;
}
}
@@ -4904,6 +4910,7 @@ static int igc_tsn_enable_launchtime(struct igc_adapter *adapter,
static int igc_save_qbv_schedule(struct igc_adapter *adapter,
struct tc_taprio_qopt_offload *qopt)
{
+ bool queue_configured[IGC_MAX_TX_QUEUES] = { };
u32 start_time = 0, end_time = 0;
size_t n;
@@ -4924,9 +4931,6 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
adapter->cycle_time = qopt->cycle_time;
adapter->base_time = qopt->base_time;
- /* FIXME: be a little smarter about cases when the gate for a
- * queue stays open for more than one entry.
- */
for (n = 0; n < qopt->num_entries; n++) {
struct tc_taprio_sched_entry *e = &qopt->entries[n];
int i;
@@ -4954,8 +4958,15 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
if (!(e->gate_mask & BIT(i)))
continue;
- ring->start_time = start_time;
+ /* Check whether a queue stays open for more than one
+ * entry. If so, keep the start and advance the end
+ * time.
+ */
+ if (!queue_configured[i])
+ ring->start_time = start_time;
ring->end_time = end_time;
+
+ queue_configured[i] = true;
}
start_time += e->interval;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 473/783] igc: Set Qbv start_time and end_time to end_time if not being configured in GCL
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (471 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 472/783] igc: Lift TAPRIO schedule restriction Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 474/783] rtc: mxc_v2: Add missing clk_disable_unprepare() Greg Kroah-Hartman
` (319 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tan Tee Min,
Muhammad Husaini Zulkifli, Naama Meir, Tony Nguyen, Sasha Levin
From: Tan Tee Min <tee.min.tan@linux.intel.com>
[ Upstream commit 72abeedd83982c1bc6023f631e412db78374d9b4 ]
The default setting of end_time minus start_time is whole 1 second.
Thus, if it's not being configured in any GCL entry then it will be
staying at original 1 second.
This patch is changing the start_time and end_time to be end_time as
if setting zero will be having weird HW behavior where the gate will
not be fully closed.
Fixes: ec50a9d437f0 ("igc: Add support for taprio offloading")
Signed-off-by: Tan Tee Min <tee.min.tan@linux.intel.com>
Signed-off-by: Muhammad Husaini Zulkifli <muhammad.husaini.zulkifli@intel.com>
Tested-by: Naama Meir <naamax.meir@linux.intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igc/igc_main.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
index 9420a169780c..1a0aae7b128d 100644
--- a/drivers/net/ethernet/intel/igc/igc_main.c
+++ b/drivers/net/ethernet/intel/igc/igc_main.c
@@ -4913,6 +4913,7 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
bool queue_configured[IGC_MAX_TX_QUEUES] = { };
u32 start_time = 0, end_time = 0;
size_t n;
+ int i;
if (!qopt->enable) {
adapter->base_time = 0;
@@ -4933,7 +4934,6 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
for (n = 0; n < qopt->num_entries; n++) {
struct tc_taprio_sched_entry *e = &qopt->entries[n];
- int i;
end_time += e->interval;
@@ -4972,6 +4972,18 @@ static int igc_save_qbv_schedule(struct igc_adapter *adapter,
start_time += e->interval;
}
+ /* Check whether a queue gets configured.
+ * If not, set the start and end time to be end time.
+ */
+ for (i = 0; i < adapter->num_tx_queues; i++) {
+ if (!queue_configured[i]) {
+ struct igc_ring *ring = adapter->tx_ring[i];
+
+ ring->start_time = end_time;
+ ring->end_time = end_time;
+ }
+ }
+
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 474/783] rtc: mxc_v2: Add missing clk_disable_unprepare()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (472 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 473/783] igc: Set Qbv start_time and end_time to end_time if not being configured in GCL Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 475/783] selftests: devlink: fix the fd redirect in dummy_reporter_test Greg Kroah-Hartman
` (318 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, GUO Zihua, Alexandre Belloni, Sasha Levin
From: GUO Zihua <guozihua@huawei.com>
[ Upstream commit 55d5a86618d3b1a768bce01882b74cbbd2651975 ]
The call to clk_disable_unprepare() is left out in the error handling of
devm_rtc_allocate_device. Add it back.
Fixes: 5490a1e018a4 ("rtc: mxc_v2: fix possible race condition")
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Link: https://lore.kernel.org/r/20221122085046.21689-1-guozihua@huawei.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-mxc_v2.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/rtc/rtc-mxc_v2.c b/drivers/rtc/rtc-mxc_v2.c
index d349cef09cb7..48595b00ebb3 100644
--- a/drivers/rtc/rtc-mxc_v2.c
+++ b/drivers/rtc/rtc-mxc_v2.c
@@ -337,8 +337,10 @@ static int mxc_rtc_probe(struct platform_device *pdev)
}
pdata->rtc = devm_rtc_allocate_device(&pdev->dev);
- if (IS_ERR(pdata->rtc))
+ if (IS_ERR(pdata->rtc)) {
+ clk_disable_unprepare(pdata->clk);
return PTR_ERR(pdata->rtc);
+ }
pdata->rtc->ops = &mxc_rtc_ops;
pdata->rtc->range_max = U32_MAX;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 475/783] selftests: devlink: fix the fd redirect in dummy_reporter_test
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (473 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 474/783] rtc: mxc_v2: Add missing clk_disable_unprepare() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 476/783] openvswitch: Fix flow lookup to use unmasked key Greg Kroah-Hartman
` (317 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, David S. Miller,
Sasha Levin
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 2fc60e2ff972d3dca836bff0b08cbe503c4ca1ce ]
$number + > bash means redirect FD $number, e.g. commonly
used 2> redirects stderr (fd 2). The test uses 8192> to
write the number 8192 to a file, this results in:
./devlink.sh: line 499: 8192: Bad file descriptor
Oddly the test also papers over this issue by checking
for failure (expecting an error rather than success)
so it passes, anyway.
Fixes: ff18176ad806 ("selftests: Add a test of large binary to devlink health test")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/drivers/net/netdevsim/devlink.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/drivers/net/netdevsim/devlink.sh b/tools/testing/selftests/drivers/net/netdevsim/devlink.sh
index 40909c254365..16d2de18591d 100755
--- a/tools/testing/selftests/drivers/net/netdevsim/devlink.sh
+++ b/tools/testing/selftests/drivers/net/netdevsim/devlink.sh
@@ -495,8 +495,8 @@ dummy_reporter_test()
check_reporter_info dummy healthy 3 3 10 true
- echo 8192> $DEBUGFS_DIR/health/binary_len
- check_fail $? "Failed set dummy reporter binary len to 8192"
+ echo 8192 > $DEBUGFS_DIR/health/binary_len
+ check_err $? "Failed set dummy reporter binary len to 8192"
local dump=$(devlink health dump show $DL_HANDLE reporter dummy -j)
check_err $? "Failed show dump of dummy reporter"
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 476/783] openvswitch: Fix flow lookup to use unmasked key
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (474 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 475/783] selftests: devlink: fix the fd redirect in dummy_reporter_test Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 477/783] skbuff: Account for tail adjustment during pull operations Greg Kroah-Hartman
` (316 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eelco Chaudron, David S. Miller,
Sasha Levin
From: Eelco Chaudron <echaudro@redhat.com>
[ Upstream commit 68bb10101e6b0a6bb44e9c908ef795fc4af99eae ]
The commit mentioned below causes the ovs_flow_tbl_lookup() function
to be called with the masked key. However, it's supposed to be called
with the unmasked key. This due to the fact that the datapath supports
installing wider flows, and OVS relies on this behavior. For example
if ipv4(src=1.1.1.1/192.0.0.0, dst=1.1.1.2/192.0.0.0) exists, a wider
flow (smaller mask) of ipv4(src=192.1.1.1/128.0.0.0,dst=192.1.1.2/
128.0.0.0) is allowed to be added.
However, if we try to add a wildcard rule, the installation fails:
$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \
ipv4(src=1.1.1.1/192.0.0.0,dst=1.1.1.2/192.0.0.0,frag=no)" 2
$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \
ipv4(src=192.1.1.1/0.0.0.0,dst=49.1.1.2/0.0.0.0,frag=no)" 2
ovs-vswitchd: updating flow table (File exists)
The reason is that the key used to determine if the flow is already
present in the system uses the original key ANDed with the mask.
This results in the IP address not being part of the (miniflow) key,
i.e., being substituted with an all-zero value. When doing the actual
lookup, this results in the key wrongfully matching the first flow,
and therefore the flow does not get installed.
This change reverses the commit below, but rather than having the key
on the stack, it's allocated.
Fixes: 190aa3e77880 ("openvswitch: Fix Frame-size larger than 1024 bytes warning.")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/datapath.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 7ed97dc0b561..435f7f1be614 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -933,6 +933,7 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
struct sw_flow_mask mask;
struct sk_buff *reply;
struct datapath *dp;
+ struct sw_flow_key *key;
struct sw_flow_actions *acts;
struct sw_flow_match match;
u32 ufid_flags = ovs_nla_get_ufid_flags(a[OVS_FLOW_ATTR_UFID_FLAGS]);
@@ -960,24 +961,26 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
}
/* Extract key. */
- ovs_match_init(&match, &new_flow->key, false, &mask);
+ key = kzalloc(sizeof(*key), GFP_KERNEL);
+ if (!key) {
+ error = -ENOMEM;
+ goto err_kfree_key;
+ }
+
+ ovs_match_init(&match, key, false, &mask);
error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY],
a[OVS_FLOW_ATTR_MASK], log);
if (error)
goto err_kfree_flow;
+ ovs_flow_mask_key(&new_flow->key, key, true, &mask);
+
/* Extract flow identifier. */
error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID],
- &new_flow->key, log);
+ key, log);
if (error)
goto err_kfree_flow;
- /* unmasked key is needed to match when ufid is not used. */
- if (ovs_identifier_is_key(&new_flow->id))
- match.key = new_flow->id.unmasked_key;
-
- ovs_flow_mask_key(&new_flow->key, &new_flow->key, true, &mask);
-
/* Validate actions. */
error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS],
&new_flow->key, &acts, log);
@@ -1004,7 +1007,7 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
if (ovs_identifier_is_ufid(&new_flow->id))
flow = ovs_flow_tbl_lookup_ufid(&dp->table, &new_flow->id);
if (!flow)
- flow = ovs_flow_tbl_lookup(&dp->table, &new_flow->key);
+ flow = ovs_flow_tbl_lookup(&dp->table, key);
if (likely(!flow)) {
rcu_assign_pointer(new_flow->sf_acts, acts);
@@ -1074,6 +1077,8 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
if (reply)
ovs_notify(&dp_flow_genl_family, reply, info);
+
+ kfree(key);
return 0;
err_unlock_ovs:
@@ -1083,6 +1088,8 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info)
ovs_nla_free_flow_actions(acts);
err_kfree_flow:
ovs_flow_free(new_flow, false);
+err_kfree_key:
+ kfree(key);
error:
return error;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 477/783] skbuff: Account for tail adjustment during pull operations
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (475 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 476/783] openvswitch: Fix flow lookup to use unmasked key Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 478/783] mailbox: zynq-ipi: fix error handling while device_register() fails Greg Kroah-Hartman
` (315 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sean Tranchetti,
Subash Abhinov Kasiviswanathan, Alexander Duyck, Jakub Kicinski,
Sasha Levin
From: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
[ Upstream commit 2d7afdcbc9d32423f177ee12b7c93783aea338fb ]
Extending the tail can have some unexpected side effects if a program uses
a helper like BPF_FUNC_skb_pull_data to read partial content beyond the
head skb headlen when all the skbs in the gso frag_list are linear with no
head_frag -
kernel BUG at net/core/skbuff.c:4219!
pc : skb_segment+0xcf4/0xd2c
lr : skb_segment+0x63c/0xd2c
Call trace:
skb_segment+0xcf4/0xd2c
__udp_gso_segment+0xa4/0x544
udp4_ufo_fragment+0x184/0x1c0
inet_gso_segment+0x16c/0x3a4
skb_mac_gso_segment+0xd4/0x1b0
__skb_gso_segment+0xcc/0x12c
udp_rcv_segment+0x54/0x16c
udp_queue_rcv_skb+0x78/0x144
udp_unicast_rcv_skb+0x8c/0xa4
__udp4_lib_rcv+0x490/0x68c
udp_rcv+0x20/0x30
ip_protocol_deliver_rcu+0x1b0/0x33c
ip_local_deliver+0xd8/0x1f0
ip_rcv+0x98/0x1a4
deliver_ptype_list_skb+0x98/0x1ec
__netif_receive_skb_core+0x978/0xc60
Fix this by marking these skbs as GSO_DODGY so segmentation can handle
the tail updates accordingly.
Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list")
Signed-off-by: Sean Tranchetti <quic_stranche@quicinc.com>
Signed-off-by: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Link: https://lore.kernel.org/r/1671084718-24796-1-git-send-email-quic_subashab@quicinc.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/skbuff.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 176bcbb07aab..2b12e0730b85 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2115,6 +2115,9 @@ void *__pskb_pull_tail(struct sk_buff *skb, int delta)
insp = list;
} else {
/* Eaten partially. */
+ if (skb_is_gso(skb) && !list->head_frag &&
+ skb_headlen(list))
+ skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
if (skb_shared(list)) {
/* Sucks! We need to fork list. :-( */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 478/783] mailbox: zynq-ipi: fix error handling while device_register() fails
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (476 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 477/783] skbuff: Account for tail adjustment during pull operations Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 479/783] net_sched: reject TCF_EM_SIMPLE case for complex ematch module Greg Kroah-Hartman
` (314 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Jassi Brar, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit a6792a0cdef0b1c2d77920246283a72537e60e94 ]
If device_register() fails, it has two issues:
1. The name allocated by dev_set_name() is leaked.
2. The parent of device is not NULL, device_unregister() is called
in zynqmp_ipi_free_mboxes(), it will lead a kernel crash because
of removing not added device.
Call put_device() to give up the reference, so the name is freed in
kobject_cleanup(). Add device registered check in zynqmp_ipi_free_mboxes()
to avoid null-ptr-deref.
Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/zynqmp-ipi-mailbox.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mailbox/zynqmp-ipi-mailbox.c b/drivers/mailbox/zynqmp-ipi-mailbox.c
index f44079d62b1a..527204c6d5cd 100644
--- a/drivers/mailbox/zynqmp-ipi-mailbox.c
+++ b/drivers/mailbox/zynqmp-ipi-mailbox.c
@@ -493,6 +493,7 @@ static int zynqmp_ipi_mbox_probe(struct zynqmp_ipi_mbox *ipi_mbox,
ret = device_register(&ipi_mbox->dev);
if (ret) {
dev_err(dev, "Failed to register ipi mbox dev.\n");
+ put_device(&ipi_mbox->dev);
return ret;
}
mdev = &ipi_mbox->dev;
@@ -619,7 +620,8 @@ static void zynqmp_ipi_free_mboxes(struct zynqmp_ipi_pdata *pdata)
ipi_mbox = &pdata->ipi_mboxes[i];
if (ipi_mbox->dev.parent) {
mbox_controller_unregister(&ipi_mbox->mbox);
- device_unregister(&ipi_mbox->dev);
+ if (device_is_registered(&ipi_mbox->dev))
+ device_unregister(&ipi_mbox->dev);
}
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 479/783] net_sched: reject TCF_EM_SIMPLE case for complex ematch module
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (477 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 478/783] mailbox: zynq-ipi: fix error handling while device_register() fails Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 480/783] rxrpc: Fix missing unlock in rxrpc_do_sendmsg() Greg Kroah-Hartman
` (313 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jun Nie, Jamal Hadi Salim,
Paolo Abeni, Cong Wang, David S. Miller, Sasha Levin,
syzbot+4caeae4c7103813598ae
From: Cong Wang <cong.wang@bytedance.com>
[ Upstream commit 9cd3fd2054c3b3055163accbf2f31a4426f10317 ]
When TCF_EM_SIMPLE was introduced, it is supposed to be convenient
for ematch implementation:
https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/
"You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE
set will simply result in allocating & copy. It's an optimization,
nothing more."
So if an ematch module provides ops->datalen that means it wants a
complex data structure (saved in its em->data) instead of a simple u32
value. We should simply reject such a combination, otherwise this u32
could be misinterpreted as a pointer.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com
Reported-by: Jun Nie <jun.nie@linaro.org>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/ematch.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/sched/ematch.c b/net/sched/ematch.c
index f885bea5b452..b7154103e9cd 100644
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -255,6 +255,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
* the value carried.
*/
if (em_hdr->flags & TCF_EM_SIMPLE) {
+ if (em->ops->datalen > 0)
+ goto errout;
if (data_len < sizeof(u32))
goto errout;
em->data = *(u32 *) data;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 480/783] rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (478 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 479/783] net_sched: reject TCF_EM_SIMPLE case for complex ematch module Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 481/783] myri10ge: Fix an error handling path in myri10ge_probe() Greg Kroah-Hartman
` (312 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Marc Dionne,
linux-afs, David S. Miller, Sasha Levin
From: David Howells <dhowells@redhat.com>
[ Upstream commit 4feb2c44629e6f9b459b41a5a60491069d346a95 ]
One of the error paths in rxrpc_do_sendmsg() doesn't unlock the call mutex
before returning. Fix it to do this.
Note that this still doesn't get rid of the checker warning:
../net/rxrpc/sendmsg.c:617:5: warning: context imbalance in 'rxrpc_do_sendmsg' - wrong count at exit
I think the interplay between the socket lock and the call's user_mutex may
be too complicated for checker to analyse, especially as
rxrpc_new_client_call_for_sendmsg(), which it calls, returns with the
call's user_mutex if successful but unconditionally drops the socket lock.
Fixes: e754eba685aa ("rxrpc: Provide a cmsg to specify the amount of Tx data for a call")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rxrpc/sendmsg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index eef3c14fd1c1..a670553159ab 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -733,7 +733,7 @@ int rxrpc_do_sendmsg(struct rxrpc_sock *rx, struct msghdr *msg, size_t len)
if (call->tx_total_len != -1 ||
call->tx_pending ||
call->tx_top != 0)
- goto error_put;
+ goto out_put_unlock;
call->tx_total_len = p.call.tx_total_len;
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 481/783] myri10ge: Fix an error handling path in myri10ge_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (479 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 480/783] rxrpc: Fix missing unlock in rxrpc_do_sendmsg() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 482/783] net: stream: purge sk_error_queue in sk_stream_kill_queues() Greg Kroah-Hartman
` (311 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, David S. Miller,
Sasha Levin
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit d83b950d44d2982c0e62e3d81b0f35ab09431008 ]
Some memory allocated in myri10ge_probe_slices() is not released in the
error handling path of myri10ge_probe().
Add the corresponding kfree(), as already done in the remove function.
Fixes: 0dcffac1a329 ("myri10ge: add multislices support")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
index 1664e9184c9c..5a1ed4818baa 100644
--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
@@ -3920,6 +3920,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
myri10ge_free_slices(mgp);
abort_with_firmware:
+ kfree(mgp->msix_vectors);
myri10ge_dummy_rdma(mgp, 0);
abort_with_ioremap:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 482/783] net: stream: purge sk_error_queue in sk_stream_kill_queues()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (480 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 481/783] myri10ge: Fix an error handling path in myri10ge_probe() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 483/783] rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state() Greg Kroah-Hartman
` (310 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Changheon Lee, Eric Dumazet,
David S. Miller, Sasha Levin
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3 ]
Changheon Lee reported TCP socket leaks, with a nice repro.
It seems we leak TCP sockets with the following sequence:
1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket.
Each ACK will cook an skb put in error queue, from __skb_tstamp_tx().
__skb_tstamp_tx() is using skb_clone(), unless
SOF_TIMESTAMPING_OPT_TSONLY was also requested.
2) If the application is also using MSG_ZEROCOPY, then we put in the
error queue cloned skbs that had a struct ubuf_info attached to them.
Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc()
does a sock_hold().
As long as the cloned skbs are still in sk_error_queue,
socket refcount is kept elevated.
3) Application closes the socket, while error queue is not empty.
Since tcp_close() no longer purges the socket error queue,
we might end up with a TCP socket with at least one skb in
error queue keeping the socket alive forever.
This bug can be (ab)used to consume all kernel memory
and freeze the host.
We need to purge the error queue, with proper synchronization
against concurrent writers.
Fixes: 24bcbe1cc69f ("net: stream: don't purge sk_error_queue in sk_stream_kill_queues()")
Reported-by: Changheon Lee <darklight2357@icloud.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/stream.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/core/stream.c b/net/core/stream.c
index a61130504827..d7c5413d16d5 100644
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -196,6 +196,12 @@ void sk_stream_kill_queues(struct sock *sk)
/* First the read buffer. */
__skb_queue_purge(&sk->sk_receive_queue);
+ /* Next, the error queue.
+ * We need to use queue lock, because other threads might
+ * add packets to the queue without socket lock being held.
+ */
+ skb_queue_purge(&sk->sk_error_queue);
+
/* Next, the write queue. */
WARN_ON(!skb_queue_empty(&sk->sk_write_queue));
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 483/783] rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (481 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 482/783] net: stream: purge sk_error_queue in sk_stream_kill_queues() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 484/783] arm64: make is_ttbrX_addr() noinstr-safe Greg Kroah-Hartman
` (309 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zqiang, Joel Fernandes (Google),
Paul E. McKenney, Sasha Levin
From: Zqiang <qiang1.zhang@intel.com>
[ Upstream commit ceb1c8c9b8aa9199da46a0f29d2d5f08d9b44c15 ]
Running rcutorture with non-zero fqs_duration module parameter in a
kernel built with CONFIG_PREEMPTION=y results in the following splat:
BUG: using __this_cpu_read() in preemptible [00000000]
code: rcu_torture_fqs/398
caller is __this_cpu_preempt_check+0x13/0x20
CPU: 3 PID: 398 Comm: rcu_torture_fqs Not tainted 6.0.0-rc1-yoctodev-standard+
Call Trace:
<TASK>
dump_stack_lvl+0x5b/0x86
dump_stack+0x10/0x16
check_preemption_disabled+0xe5/0xf0
__this_cpu_preempt_check+0x13/0x20
rcu_force_quiescent_state.part.0+0x1c/0x170
rcu_force_quiescent_state+0x1e/0x30
rcu_torture_fqs+0xca/0x160
? rcu_torture_boost+0x430/0x430
kthread+0x192/0x1d0
? kthread_complete_and_exit+0x30/0x30
ret_from_fork+0x22/0x30
</TASK>
The problem is that rcu_force_quiescent_state() uses __this_cpu_read()
in preemptible code instead of the proper raw_cpu_read(). This commit
therefore changes __this_cpu_read() to raw_cpu_read().
Signed-off-by: Zqiang <qiang1.zhang@intel.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/tree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
index b10d6bcea77d..3fe7c75c371b 100644
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -2650,7 +2650,7 @@ void rcu_force_quiescent_state(void)
struct rcu_node *rnp_old = NULL;
/* Funnel through hierarchy to reduce memory contention. */
- rnp = __this_cpu_read(rcu_data.mynode);
+ rnp = raw_cpu_read(rcu_data.mynode);
for (; rnp != NULL; rnp = rnp->parent) {
ret = (READ_ONCE(rcu_state.gp_flags) & RCU_GP_FLAG_FQS) ||
!raw_spin_trylock(&rnp->fqslock);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 484/783] arm64: make is_ttbrX_addr() noinstr-safe
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (482 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 483/783] rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 485/783] video: hyperv_fb: Avoid taking busy spinlock on panic path Greg Kroah-Hartman
` (308 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
Will Deacon, Sasha Levin
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit d8c1d798a2e5091128c391c6dadcc9be334af3f5 ]
We use is_ttbr0_addr() in noinstr code, but as it's only marked as
inline, it's theoretically possible for the compiler to place it
out-of-line and instrument it, which would be problematic.
Mark is_ttbr0_addr() as __always_inline such that that can safely be
used from noinstr code. For consistency, do the same to is_ttbr1_addr().
Note that while is_ttbr1_addr() calls arch_kasan_reset_tag(), this is a
macro (and its callees are either macros or __always_inline), so there
is not a risk of transient instrumentation.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20221114144042.3001140-1-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/processor.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
index 7c546c3487c9..c628d8e3a403 100644
--- a/arch/arm64/include/asm/processor.h
+++ b/arch/arm64/include/asm/processor.h
@@ -230,13 +230,13 @@ static inline void compat_start_thread(struct pt_regs *regs, unsigned long pc,
}
#endif
-static inline bool is_ttbr0_addr(unsigned long addr)
+static __always_inline bool is_ttbr0_addr(unsigned long addr)
{
/* entry assembly clears tags for TTBR0 addrs */
return addr < TASK_SIZE;
}
-static inline bool is_ttbr1_addr(unsigned long addr)
+static __always_inline bool is_ttbr1_addr(unsigned long addr)
{
/* TTBR1 addresses may have a tag if KASAN_SW_TAGS is in use */
return arch_kasan_reset_tag(addr) >= PAGE_OFFSET;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 485/783] video: hyperv_fb: Avoid taking busy spinlock on panic path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (483 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 484/783] arm64: make is_ttbrX_addr() noinstr-safe Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 486/783] x86/hyperv: Remove unregister syscore call from Hyper-V cleanup Greg Kroah-Hartman
` (307 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrea Parri (Microsoft),
Dexuan Cui, Haiyang Zhang, K. Y. Srinivasan, Michael Kelley,
Stephen Hemminger, Tianyu Lan, Wei Liu, Fabio A M Martins,
Guilherme G. Piccoli, Sasha Levin
From: Guilherme G. Piccoli <gpiccoli@igalia.com>
[ Upstream commit 1d044ca035dc22df0d3b39e56f2881071d9118bd ]
The Hyper-V framebuffer code registers a panic notifier in order
to try updating its fbdev if the kernel crashed. The notifier
callback is straightforward, but it calls the vmbus_sendpacket()
routine eventually, and such function takes a spinlock for the
ring buffer operations.
Panic path runs in atomic context, with local interrupts and
preemption disabled, and all secondary CPUs shutdown. That said,
taking a spinlock might cause a lockup if a secondary CPU was
disabled with such lock taken. Fix it here by checking if the
ring buffer spinlock is busy on Hyper-V framebuffer panic notifier;
if so, bail-out avoiding the potential lockup scenario.
Cc: Andrea Parri (Microsoft) <parri.andrea@gmail.com>
Cc: Dexuan Cui <decui@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Michael Kelley <mikelley@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: Tianyu Lan <Tianyu.Lan@microsoft.com>
Cc: Wei Liu <wei.liu@kernel.org>
Tested-by: Fabio A M Martins <fabiomirmar@gmail.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/20220819221731.480795-10-gpiccoli@igalia.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hv/ring_buffer.c | 13 +++++++++++++
drivers/video/fbdev/hyperv_fb.c | 8 +++++++-
include/linux/hyperv.h | 2 ++
3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c
index 769851b6e74c..7ed6fad3fa8f 100644
--- a/drivers/hv/ring_buffer.c
+++ b/drivers/hv/ring_buffer.c
@@ -246,6 +246,19 @@ void hv_ringbuffer_cleanup(struct hv_ring_buffer_info *ring_info)
mutex_unlock(&ring_info->ring_buffer_mutex);
}
+/*
+ * Check if the ring buffer spinlock is available to take or not; used on
+ * atomic contexts, like panic path (see the Hyper-V framebuffer driver).
+ */
+
+bool hv_ringbuffer_spinlock_busy(struct vmbus_channel *channel)
+{
+ struct hv_ring_buffer_info *rinfo = &channel->outbound;
+
+ return spin_is_locked(&rinfo->ring_lock);
+}
+EXPORT_SYMBOL_GPL(hv_ringbuffer_spinlock_busy);
+
/* Write to the ring buffer. */
int hv_ringbuffer_write(struct vmbus_channel *channel,
const struct kvec *kv_list, u32 kv_count)
diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
index 40baa79f8046..f0a66a344d87 100644
--- a/drivers/video/fbdev/hyperv_fb.c
+++ b/drivers/video/fbdev/hyperv_fb.c
@@ -798,12 +798,18 @@ static void hvfb_ondemand_refresh_throttle(struct hvfb_par *par,
static int hvfb_on_panic(struct notifier_block *nb,
unsigned long e, void *p)
{
+ struct hv_device *hdev;
struct hvfb_par *par;
struct fb_info *info;
par = container_of(nb, struct hvfb_par, hvfb_panic_nb);
- par->synchronous_fb = true;
info = par->info;
+ hdev = device_to_hv_device(info->device);
+
+ if (hv_ringbuffer_spinlock_busy(hdev->channel))
+ return NOTIFY_DONE;
+
+ par->synchronous_fb = true;
if (par->need_docopy)
hvfb_docopy(par, 0, dio_fb_size);
synthvid_update(info, 0, 0, INT_MAX, INT_MAX);
diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
index 1ce131f29f3b..eada4d8d6587 100644
--- a/include/linux/hyperv.h
+++ b/include/linux/hyperv.h
@@ -1269,6 +1269,8 @@ struct hv_ring_buffer_debug_info {
int hv_ringbuffer_get_debuginfo(struct hv_ring_buffer_info *ring_info,
struct hv_ring_buffer_debug_info *debug_info);
+bool hv_ringbuffer_spinlock_busy(struct vmbus_channel *channel);
+
/* Vmbus interface */
#define vmbus_driver_register(driver) \
__vmbus_driver_register(driver, THIS_MODULE, KBUILD_MODNAME)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 486/783] x86/hyperv: Remove unregister syscore call from Hyper-V cleanup
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (484 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 485/783] video: hyperv_fb: Avoid taking busy spinlock on panic path Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 487/783] binfmt_misc: fix shift-out-of-bounds in check_special_flags Greg Kroah-Hartman
` (306 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gaurav Kohli, Michael Kelley,
Wei Liu, Sasha Levin
From: Gaurav Kohli <gauravkohli@linux.microsoft.com>
[ Upstream commit 32c97d980e2eef25465d453f2956a9ca68926a3c ]
Hyper-V cleanup code comes under panic path where preemption and irq
is already disabled. So calling of unregister_syscore_ops might schedule
out the thread even for the case where mutex lock is free.
hyperv_cleanup
unregister_syscore_ops
mutex_lock(&syscore_ops_lock)
might_sleep
Here might_sleep might schedule out this thread, where voluntary preemption
config is on and this thread will never comes back. And also this was added
earlier to maintain the symmetry which is not required as this can comes
during crash shutdown path only.
To prevent the same, removing unregister_syscore_ops function call.
Signed-off-by: Gaurav Kohli <gauravkohli@linux.microsoft.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/1669443291-2575-1-git-send-email-gauravkohli@linux.microsoft.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/hyperv/hv_init.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
index 01860c0d324d..70fd21ebb9d5 100644
--- a/arch/x86/hyperv/hv_init.c
+++ b/arch/x86/hyperv/hv_init.c
@@ -453,8 +453,6 @@ void hyperv_cleanup(void)
{
union hv_x64_msr_hypercall_contents hypercall_msr;
- unregister_syscore_ops(&hv_syscore_ops);
-
/* Reset our OS id */
wrmsrl(HV_X64_MSR_GUEST_OS_ID, 0);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 487/783] binfmt_misc: fix shift-out-of-bounds in check_special_flags
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (485 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 486/783] x86/hyperv: Remove unregister syscore call from Hyper-V cleanup Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 488/783] fs: jfs: fix shift-out-of-bounds in dbAllocAG Greg Kroah-Hartman
` (305 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Liu Shixin, Kees Cook, Sasha Levin
From: Liu Shixin <liushixin2@huawei.com>
[ Upstream commit 6a46bf558803dd2b959ca7435a5c143efe837217 ]
UBSAN reported a shift-out-of-bounds warning:
left shift of 1 by 31 places cannot be represented in type 'int'
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106
ubsan_epilogue+0xa/0x44 lib/ubsan.c:151
__ubsan_handle_shift_out_of_bounds+0x1e7/0x208 lib/ubsan.c:322
check_special_flags fs/binfmt_misc.c:241 [inline]
create_entry fs/binfmt_misc.c:456 [inline]
bm_register_write+0x9d3/0xa20 fs/binfmt_misc.c:654
vfs_write+0x11e/0x580 fs/read_write.c:582
ksys_write+0xcf/0x120 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x4194e1
Since the type of Node's flags is unsigned long, we should define these
macros with same type too.
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102025123.1117184-1-liushixin2@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/binfmt_misc.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
index 11b5bf241955..ce0047feea72 100644
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -44,10 +44,10 @@ static LIST_HEAD(entries);
static int enabled = 1;
enum {Enabled, Magic};
-#define MISC_FMT_PRESERVE_ARGV0 (1 << 31)
-#define MISC_FMT_OPEN_BINARY (1 << 30)
-#define MISC_FMT_CREDENTIALS (1 << 29)
-#define MISC_FMT_OPEN_FILE (1 << 28)
+#define MISC_FMT_PRESERVE_ARGV0 (1UL << 31)
+#define MISC_FMT_OPEN_BINARY (1UL << 30)
+#define MISC_FMT_CREDENTIALS (1UL << 29)
+#define MISC_FMT_OPEN_FILE (1UL << 28)
typedef struct {
struct list_head list;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 488/783] fs: jfs: fix shift-out-of-bounds in dbAllocAG
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (486 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 487/783] binfmt_misc: fix shift-out-of-bounds in check_special_flags Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 489/783] udf: Avoid double brelse() in udf_rename() Greg Kroah-Hartman
` (304 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+15342c1aa6a00fb7a438,
Dongliang Mu, Dave Kleikamp, Sasha Levin
From: Dongliang Mu <mudongliangabcd@gmail.com>
[ Upstream commit 898f706695682b9954f280d95e49fa86ffa55d08 ]
Syzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The
underlying bug is the missing check of bmp->db_agl2size. The field can
be greater than 64 and trigger the shift-out-of-bounds.
Fix this bug by adding a check of bmp->db_agl2size in dbMount since this
field is used in many following functions. The upper bound for this
field is L2MAXL2SIZE - L2MAXAG, thanks for the help of Dave Kleikamp.
Note that, for maintenance, I reorganized error handling code of dbMount.
Reported-by: syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 0ce17ea8fa8a..b0a65aaed43e 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -155,7 +155,7 @@ int dbMount(struct inode *ipbmap)
struct bmap *bmp;
struct dbmap_disk *dbmp_le;
struct metapage *mp;
- int i;
+ int i, err;
/*
* allocate/initialize the in-memory bmap descriptor
@@ -170,8 +170,8 @@ int dbMount(struct inode *ipbmap)
BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
PSIZE, 0);
if (mp == NULL) {
- kfree(bmp);
- return -EIO;
+ err = -EIO;
+ goto err_kfree_bmp;
}
/* copy the on-disk bmap descriptor to its in-memory version. */
@@ -181,9 +181,8 @@ int dbMount(struct inode *ipbmap)
bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
if (!bmp->db_numag) {
- release_metapage(mp);
- kfree(bmp);
- return -EINVAL;
+ err = -EINVAL;
+ goto err_release_metapage;
}
bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
@@ -194,6 +193,11 @@ int dbMount(struct inode *ipbmap)
bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
+ if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
+
for (i = 0; i < MAXAG; i++)
bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
@@ -214,6 +218,12 @@ int dbMount(struct inode *ipbmap)
BMAP_LOCK_INIT(bmp);
return (0);
+
+err_release_metapage:
+ release_metapage(mp);
+err_kfree_bmp:
+ kfree(bmp);
+ return err;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 489/783] udf: Avoid double brelse() in udf_rename()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (487 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 488/783] fs: jfs: fix shift-out-of-bounds in dbAllocAG Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 490/783] fs: jfs: fix shift-out-of-bounds in dbDiscardAG Greg Kroah-Hartman
` (303 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7902cd7684bc35306224,
Shigeru Yoshida, Jan Kara, Sasha Levin
From: Shigeru Yoshida <syoshida@redhat.com>
[ Upstream commit c791730f2554a9ebb8f18df9368dc27d4ebc38c2 ]
syzbot reported a warning like below [1]:
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0
...
Call Trace:
<TASK>
invalidate_bh_lru+0x99/0x150
smp_call_function_many_cond+0xe2a/0x10c0
? generic_remap_file_range_prep+0x50/0x50
? __brelse+0xa0/0xa0
? __mutex_lock+0x21c/0x12d0
? smp_call_on_cpu+0x250/0x250
? rcu_read_lock_sched_held+0xb/0x60
? lock_release+0x587/0x810
? __brelse+0xa0/0xa0
? generic_remap_file_range_prep+0x50/0x50
on_each_cpu_cond_mask+0x3c/0x80
blkdev_flush_mapping+0x13a/0x2f0
blkdev_put_whole+0xd3/0xf0
blkdev_put+0x222/0x760
deactivate_locked_super+0x96/0x160
deactivate_super+0xda/0x100
cleanup_mnt+0x222/0x3d0
task_work_run+0x149/0x240
? task_work_cancel+0x30/0x30
do_exit+0xb29/0x2a40
? reacquire_held_locks+0x4a0/0x4a0
? do_raw_spin_lock+0x12a/0x2b0
? mm_update_next_owner+0x7c0/0x7c0
? rwlock_bug.part.0+0x90/0x90
? zap_other_threads+0x234/0x2d0
do_group_exit+0xd0/0x2a0
__x64_sys_exit_group+0x3a/0x50
do_syscall_64+0x34/0xb0
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The cause of the issue is that brelse() is called on both ofibh.sbh
and ofibh.ebh by udf_find_entry() when it returns NULL. However,
brelse() is called by udf_rename(), too. So, b_count on buffer_head
becomes unbalanced.
This patch fixes the issue by not calling brelse() by udf_rename()
when udf_find_entry() returns NULL.
Link: https://syzkaller.appspot.com/bug?id=8297f45698159c6bca8a1f87dc983667c1a1c851 [1]
Reported-by: syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221023095741.271430-1-syoshida@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/namei.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index aff5ca32e4f6..58120d2f265f 100644
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -1090,8 +1090,9 @@ static int udf_rename(struct inode *old_dir, struct dentry *old_dentry,
return -EINVAL;
ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi);
- if (IS_ERR(ofi)) {
- retval = PTR_ERR(ofi);
+ if (!ofi || IS_ERR(ofi)) {
+ if (IS_ERR(ofi))
+ retval = PTR_ERR(ofi);
goto end_rename;
}
@@ -1100,8 +1101,7 @@ static int udf_rename(struct inode *old_dir, struct dentry *old_dentry,
brelse(ofibh.sbh);
tloc = lelb_to_cpu(ocfi.icb.extLocation);
- if (!ofi || udf_get_lb_pblock(old_dir->i_sb, &tloc, 0)
- != old_inode->i_ino)
+ if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino)
goto end_rename;
nfi = udf_find_entry(new_dir, &new_dentry->d_name, &nfibh, &ncfi);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 490/783] fs: jfs: fix shift-out-of-bounds in dbDiscardAG
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (488 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 489/783] udf: Avoid double brelse() in udf_rename() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 491/783] ACPICA: Fix error code path in acpi_ds_call_control_method() Greg Kroah-Hartman
` (302 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hoi Pok Wu, Dave Kleikamp, Sasha Levin
From: Hoi Pok Wu <wuhoipok@gmail.com>
[ Upstream commit 25e70c6162f207828dd405b432d8f2a98dbf7082 ]
This should be applied to most URSAN bugs found recently by syzbot,
by guarding the dbMount. As syzbot feeding rubbish into the bmap
descriptor.
Signed-off-by: Hoi Pok Wu <wuhoipok@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index b0a65aaed43e..2c9493011aec 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -198,6 +198,11 @@ int dbMount(struct inode *ipbmap)
goto err_release_metapage;
}
+ if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
+
for (i = 0; i < MAXAG; i++)
bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]);
bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 491/783] ACPICA: Fix error code path in acpi_ds_call_control_method()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (489 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 490/783] fs: jfs: fix shift-out-of-bounds in dbDiscardAG Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 492/783] nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() Greg Kroah-Hartman
` (301 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Rafael J. Wysocki,
Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 404ec60438add1afadaffaed34bb5fe4ddcadd40 ]
A use-after-free in acpi_ps_parse_aml() after a failing invocaion of
acpi_ds_call_control_method() is reported by KASAN [1] and code
inspection reveals that next_walk_state pushed to the thread by
acpi_ds_create_walk_state() is freed on errors, but it is not popped
from the thread beforehand. Thus acpi_ds_get_current_walk_state()
called by acpi_ps_parse_aml() subsequently returns it as the new
walk state which is incorrect.
To address this, make acpi_ds_call_control_method() call
acpi_ds_pop_walk_state() to pop next_walk_state from the thread before
returning an error.
Link: https://lore.kernel.org/linux-acpi/20221019073443.248215-1-chenzhongjin@huawei.com/ # [1]
Reported-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Chen Zhongjin <chenzhongjin@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/dsmethod.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c
index cf67caff878a..97971c79c5f5 100644
--- a/drivers/acpi/acpica/dsmethod.c
+++ b/drivers/acpi/acpica/dsmethod.c
@@ -517,7 +517,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
info = ACPI_ALLOCATE_ZEROED(sizeof(struct acpi_evaluate_info));
if (!info) {
status = AE_NO_MEMORY;
- goto cleanup;
+ goto pop_walk_state;
}
info->parameters = &this_walk_state->operands[0];
@@ -529,7 +529,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
ACPI_FREE(info);
if (ACPI_FAILURE(status)) {
- goto cleanup;
+ goto pop_walk_state;
}
next_walk_state->method_nesting_depth =
@@ -575,6 +575,12 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread,
return_ACPI_STATUS(status);
+pop_walk_state:
+
+ /* On error, pop the walk state to be deleted from thread */
+
+ acpi_ds_pop_walk_state(thread);
+
cleanup:
/* On error, we must terminate the method properly */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 492/783] nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (490 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 491/783] ACPICA: Fix error code path in acpi_ds_call_control_method() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 493/783] nilfs2: fix shift-out-of-bounds due to too large exponent of block size Greg Kroah-Hartman
` (300 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi,
syzbot+e91619dd4c11c4960706, Andrew Morton, Sasha Levin
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
[ Upstream commit 610a2a3d7d8be3537458a378ec69396a76c385b6 ]
Patch series "nilfs2: fix UBSAN shift-out-of-bounds warnings on mount
time".
The first patch fixes a bug reported by syzbot, and the second one fixes
the remaining bug of the same kind. Although they are triggered by the
same super block data anomaly, I divided it into the above two because the
details of the issues and how to fix it are different.
Both are required to eliminate the shift-out-of-bounds issues at mount
time.
This patch (of 2):
If the block size exponent information written in an on-disk superblock is
corrupted, nilfs_sb2_bad_offset helper function can trigger
shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn
is set):
shift exponent 38983 is too large for 64-bit type 'unsigned long long'
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322
nilfs_sb2_bad_offset fs/nilfs2/the_nilfs.c:449 [inline]
nilfs_load_super_block+0xdf5/0xe00 fs/nilfs2/the_nilfs.c:523
init_nilfs+0xb7/0x7d0 fs/nilfs2/the_nilfs.c:577
nilfs_fill_super+0xb1/0x5d0 fs/nilfs2/super.c:1047
nilfs_mount+0x613/0x9b0 fs/nilfs2/super.c:1317
...
In addition, since nilfs_sb2_bad_offset() performs multiplication without
considering the upper bound, the computation may overflow if the disk
layout parameters are not normal.
This fixes these issues by inserting preliminary sanity checks for those
parameters and by converting the comparison from one involving
multiplication and left bit-shifting to one using division and right
bit-shifting.
Link: https://lkml.kernel.org/r/20221027044306.42774-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20221027044306.42774-2-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+e91619dd4c11c4960706@syzkaller.appspotmail.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/the_nilfs.c | 31 +++++++++++++++++++++++++++----
1 file changed, 27 insertions(+), 4 deletions(-)
diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
index ce103dd39b89..6e2ccdd79c89 100644
--- a/fs/nilfs2/the_nilfs.c
+++ b/fs/nilfs2/the_nilfs.c
@@ -13,6 +13,7 @@
#include <linux/blkdev.h>
#include <linux/backing-dev.h>
#include <linux/random.h>
+#include <linux/log2.h>
#include <linux/crc32.h>
#include "nilfs.h"
#include "segment.h"
@@ -443,11 +444,33 @@ static int nilfs_valid_sb(struct nilfs_super_block *sbp)
return crc == le32_to_cpu(sbp->s_sum);
}
-static int nilfs_sb2_bad_offset(struct nilfs_super_block *sbp, u64 offset)
+/**
+ * nilfs_sb2_bad_offset - check the location of the second superblock
+ * @sbp: superblock raw data buffer
+ * @offset: byte offset of second superblock calculated from device size
+ *
+ * nilfs_sb2_bad_offset() checks if the position on the second
+ * superblock is valid or not based on the filesystem parameters
+ * stored in @sbp. If @offset points to a location within the segment
+ * area, or if the parameters themselves are not normal, it is
+ * determined to be invalid.
+ *
+ * Return Value: true if invalid, false if valid.
+ */
+static bool nilfs_sb2_bad_offset(struct nilfs_super_block *sbp, u64 offset)
{
- return offset < ((le64_to_cpu(sbp->s_nsegments) *
- le32_to_cpu(sbp->s_blocks_per_segment)) <<
- (le32_to_cpu(sbp->s_log_block_size) + 10));
+ unsigned int shift_bits = le32_to_cpu(sbp->s_log_block_size);
+ u32 blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment);
+ u64 nsegments = le64_to_cpu(sbp->s_nsegments);
+ u64 index;
+
+ if (blocks_per_segment < NILFS_SEG_MIN_BLOCKS ||
+ shift_bits > ilog2(NILFS_MAX_BLOCK_SIZE) - BLOCK_SIZE_BITS)
+ return true;
+
+ index = offset >> (shift_bits + BLOCK_SIZE_BITS);
+ do_div(index, blocks_per_segment);
+ return index < nsegments;
}
static void nilfs_release_super_block(struct the_nilfs *nilfs)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 493/783] nilfs2: fix shift-out-of-bounds due to too large exponent of block size
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (491 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 492/783] nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 494/783] acct: fix potential integer overflow in encode_comp_t() Greg Kroah-Hartman
` (299 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi, Andrew Morton, Sasha Levin
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
[ Upstream commit ebeccaaef67a4895d2496ab8d9c2fb8d89201211 ]
If field s_log_block_size of superblock data is corrupted and too large,
init_nilfs() and load_nilfs() still can trigger a shift-out-of-bounds
warning followed by a kernel panic (if panic_on_warn is set):
shift exponent 38973 is too large for 32-bit type 'int'
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
ubsan_epilogue+0xb/0x50
__ubsan_handle_shift_out_of_bounds.cold.12+0x17b/0x1f5
init_nilfs.cold.11+0x18/0x1d [nilfs2]
nilfs_mount+0x9b5/0x12b0 [nilfs2]
...
This fixes the issue by adding and using a new helper function for getting
block size with sanity check.
Link: https://lkml.kernel.org/r/20221027044306.42774-3-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nilfs2/the_nilfs.c | 42 ++++++++++++++++++++++++++++++++++++++----
1 file changed, 38 insertions(+), 4 deletions(-)
diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c
index 6e2ccdd79c89..211937054c31 100644
--- a/fs/nilfs2/the_nilfs.c
+++ b/fs/nilfs2/the_nilfs.c
@@ -193,6 +193,34 @@ static int nilfs_store_log_cursor(struct the_nilfs *nilfs,
return ret;
}
+/**
+ * nilfs_get_blocksize - get block size from raw superblock data
+ * @sb: super block instance
+ * @sbp: superblock raw data buffer
+ * @blocksize: place to store block size
+ *
+ * nilfs_get_blocksize() calculates the block size from the block size
+ * exponent information written in @sbp and stores it in @blocksize,
+ * or aborts with an error message if it's too large.
+ *
+ * Return Value: On success, 0 is returned. If the block size is too
+ * large, -EINVAL is returned.
+ */
+static int nilfs_get_blocksize(struct super_block *sb,
+ struct nilfs_super_block *sbp, int *blocksize)
+{
+ unsigned int shift_bits = le32_to_cpu(sbp->s_log_block_size);
+
+ if (unlikely(shift_bits >
+ ilog2(NILFS_MAX_BLOCK_SIZE) - BLOCK_SIZE_BITS)) {
+ nilfs_err(sb, "too large filesystem blocksize: 2 ^ %u KiB",
+ shift_bits);
+ return -EINVAL;
+ }
+ *blocksize = BLOCK_SIZE << shift_bits;
+ return 0;
+}
+
/**
* load_nilfs - load and recover the nilfs
* @nilfs: the_nilfs structure to be released
@@ -246,11 +274,15 @@ int load_nilfs(struct the_nilfs *nilfs, struct super_block *sb)
nilfs->ns_sbwtime = le64_to_cpu(sbp[0]->s_wtime);
/* verify consistency between two super blocks */
- blocksize = BLOCK_SIZE << le32_to_cpu(sbp[0]->s_log_block_size);
+ err = nilfs_get_blocksize(sb, sbp[0], &blocksize);
+ if (err)
+ goto scan_error;
+
if (blocksize != nilfs->ns_blocksize) {
nilfs_warn(sb,
"blocksize differs between two super blocks (%d != %d)",
blocksize, nilfs->ns_blocksize);
+ err = -EINVAL;
goto scan_error;
}
@@ -609,9 +641,11 @@ int init_nilfs(struct the_nilfs *nilfs, struct super_block *sb, char *data)
if (err)
goto failed_sbh;
- blocksize = BLOCK_SIZE << le32_to_cpu(sbp->s_log_block_size);
- if (blocksize < NILFS_MIN_BLOCK_SIZE ||
- blocksize > NILFS_MAX_BLOCK_SIZE) {
+ err = nilfs_get_blocksize(sb, sbp, &blocksize);
+ if (err)
+ goto failed_sbh;
+
+ if (blocksize < NILFS_MIN_BLOCK_SIZE) {
nilfs_err(sb,
"couldn't mount because of unsupported filesystem blocksize %d",
blocksize);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 494/783] acct: fix potential integer overflow in encode_comp_t()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (492 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 493/783] nilfs2: fix shift-out-of-bounds due to too large exponent of block size Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 495/783] hfs: fix OOB Read in __hfs_brec_find Greg Kroah-Hartman
` (298 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zheng Yejian, Hanjun Guo,
Randy Dunlap, Vlastimil Babka, Zhang Jinhao, Andrew Morton,
Sasha Levin
From: Zheng Yejian <zhengyejian1@huawei.com>
[ Upstream commit c5f31c655bcc01b6da53b836ac951c1556245305 ]
The integer overflow is descripted with following codes:
> 317 static comp_t encode_comp_t(u64 value)
> 318 {
> 319 int exp, rnd;
......
> 341 exp <<= MANTSIZE;
> 342 exp += value;
> 343 return exp;
> 344 }
Currently comp_t is defined as type of '__u16', but the variable 'exp' is
type of 'int', so overflow would happen when variable 'exp' in line 343 is
greater than 65535.
Link: https://lkml.kernel.org/r/20210515140631.369106-3-zhengyejian1@huawei.com
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Cc: Hanjun Guo <guohanjun@huawei.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Zhang Jinhao <zhangjinhao2@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/acct.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/acct.c b/kernel/acct.c
index f175df8f6aa4..12f7dacf560e 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -331,6 +331,8 @@ static comp_t encode_comp_t(unsigned long value)
exp++;
}
+ if (exp > (((comp_t) ~0U) >> MANTSIZE))
+ return (comp_t) ~0U;
/*
* Clean it up and polish it off.
*/
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 495/783] hfs: fix OOB Read in __hfs_brec_find
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (493 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 494/783] acct: fix potential integer overflow in encode_comp_t() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 496/783] drm/etnaviv: add missing quirks for GC300 Greg Kroah-Hartman
` (297 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, ZhangPeng,
syzbot+e836ff7133ac02be825f, Damien Le Moal, Ira Weiny,
Jeff Layton, Kefeng Wang, Matthew Wilcox, Nanyong Sun,
Viacheslav Dubeyko, Andrew Morton, Sasha Levin
From: ZhangPeng <zhangpeng362@huawei.com>
[ Upstream commit 8d824e69d9f3fa3121b2dda25053bae71e2460d2 ]
Syzbot reported a OOB read bug:
==================================================================
BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190
fs/hfs/string.c:84
Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11
CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted
6.1.0-rc6-syzkaller-00308-g644e9524388a #0
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106
print_address_description+0x74/0x340 mm/kasan/report.c:284
print_report+0x107/0x1f0 mm/kasan/report.c:395
kasan_report+0xcd/0x100 mm/kasan/report.c:495
hfs_strcmp+0x117/0x190 fs/hfs/string.c:84
__hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75
hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138
hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462
write_inode fs/fs-writeback.c:1440 [inline]
If the input inode of hfs_write_inode() is incorrect:
struct inode
struct hfs_inode_info
struct hfs_cat_key
struct hfs_name
u8 len # len is greater than HFS_NAMELEN(31) which is the
maximum length of an HFS filename
OOB read occurred:
hfs_write_inode()
hfs_brec_find()
__hfs_brec_find()
hfs_cat_keycmp()
hfs_strcmp() # OOB read occurred due to len is too large
Fix this by adding a Check on len in hfs_write_inode() before calling
hfs_brec_find().
Link: https://lkml.kernel.org/r/20221130065959.2168236-1-zhangpeng362@huawei.com
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Reported-by: <syzbot+e836ff7133ac02be825f@syzkaller.appspotmail.com>
Cc: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Cc: Ira Weiny <ira.weiny@intel.com>
Cc: Jeff Layton <jlayton@kernel.org>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Nanyong Sun <sunnanyong@huawei.com>
Cc: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hfs/inode.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c
index f35a37c65e5f..e9b4249a4b01 100644
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -454,6 +454,8 @@ int hfs_write_inode(struct inode *inode, struct writeback_control *wbc)
/* panic? */
return -EIO;
+ if (HFS_I(main_inode)->cat_key.CName.len > HFS_NAMELEN)
+ return -EIO;
fd.search_key->cat = HFS_I(main_inode)->cat_key;
if (hfs_brec_find(&fd))
/* panic? */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 496/783] drm/etnaviv: add missing quirks for GC300
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (494 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 495/783] hfs: fix OOB Read in __hfs_brec_find Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 497/783] brcmfmac: return error when getting invalid max_flowrings from dongle Greg Kroah-Hartman
` (296 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Brown, Christian Gmeiner,
Lucas Stach, Sasha Levin
From: Doug Brown <doug@schmorgal.com>
[ Upstream commit cc7d3fb446a91f24978a6aa59cbb578f92e22242 ]
The GC300's features register doesn't specify that a 2D pipe is
available, and like the GC600, its idle register reports zero bits where
modules aren't present.
Signed-off-by: Doug Brown <doug@schmorgal.com>
Reviewed-by: Christian Gmeiner <christian.gmeiner@gmail.com>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/etnaviv/etnaviv_gpu.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
index 2520b7dad6ce..f3281d56b1d8 100644
--- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
+++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c
@@ -408,6 +408,12 @@ static void etnaviv_hw_identify(struct etnaviv_gpu *gpu)
if (gpu->identity.model == chipModel_GC700)
gpu->identity.features &= ~chipFeatures_FAST_CLEAR;
+ /* These models/revisions don't have the 2D pipe bit */
+ if ((gpu->identity.model == chipModel_GC500 &&
+ gpu->identity.revision <= 2) ||
+ gpu->identity.model == chipModel_GC300)
+ gpu->identity.features |= chipFeatures_PIPE_2D;
+
if ((gpu->identity.model == chipModel_GC500 &&
gpu->identity.revision < 2) ||
(gpu->identity.model == chipModel_GC300 &&
@@ -441,8 +447,9 @@ static void etnaviv_hw_identify(struct etnaviv_gpu *gpu)
gpu_read(gpu, VIVS_HI_CHIP_MINOR_FEATURE_5);
}
- /* GC600 idle register reports zero bits where modules aren't present */
- if (gpu->identity.model == chipModel_GC600)
+ /* GC600/300 idle register reports zero bits where modules aren't present */
+ if (gpu->identity.model == chipModel_GC600 ||
+ gpu->identity.model == chipModel_GC300)
gpu->idle_mask = VIVS_HI_IDLE_STATE_TX |
VIVS_HI_IDLE_STATE_RA |
VIVS_HI_IDLE_STATE_SE |
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 497/783] brcmfmac: return error when getting invalid max_flowrings from dongle
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (495 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 496/783] drm/etnaviv: add missing quirks for GC300 Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 498/783] wifi: ath9k: verify the expected usb_endpoints are present Greg Kroah-Hartman
` (295 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wright Feng, Chi-hsien Lin, Ian Lin,
Kalle Valo, Sasha Levin
From: Wright Feng <wright.feng@cypress.com>
[ Upstream commit 2aca4f3734bd717e04943ddf340d49ab62299a00 ]
When firmware hit trap at initialization, host will read abnormal
max_flowrings number from dongle, and it will cause kernel panic when
doing iowrite to initialize dongle ring.
To detect this error at early stage, we directly return error when getting
invalid max_flowrings(>256).
Signed-off-by: Wright Feng <wright.feng@cypress.com>
Signed-off-by: Chi-hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Ian Lin <ian.lin@infineon.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220929031001.9962-3-ian.lin@infineon.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
index 4e9d2b3659f0..6a5621f17bf5 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -1109,6 +1109,10 @@ static int brcmf_pcie_init_ringbuffers(struct brcmf_pciedev_info *devinfo)
BRCMF_NROF_H2D_COMMON_MSGRINGS;
max_completionrings = BRCMF_NROF_D2H_COMMON_MSGRINGS;
}
+ if (max_flowrings > 256) {
+ brcmf_err(bus, "invalid max_flowrings(%d)\n", max_flowrings);
+ return -EIO;
+ }
if (devinfo->dma_idx_sz != 0) {
bufsz = (max_submissionrings + max_completionrings) *
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 498/783] wifi: ath9k: verify the expected usb_endpoints are present
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (496 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 497/783] brcmfmac: return error when getting invalid max_flowrings from dongle Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 499/783] wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out Greg Kroah-Hartman
` (294 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alan Stern, Fedor Pchelkin,
Alexey Khoroshilov, Toke Høiland-Jørgensen, Kalle Valo,
Sasha Levin
From: Fedor Pchelkin <pchelkin@ispras.ru>
[ Upstream commit 16ef02bad239f11f322df8425d302be62f0443ce ]
The bug arises when a USB device claims to be an ATH9K but doesn't
have the expected endpoints. (In this case there was an interrupt
endpoint where the driver expected a bulk endpoint.) The kernel
needs to be able to handle such devices without getting an internal error.
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493
Modules linked in:
CPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Workqueue: events request_firmware_work_func
RIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493
Call Trace:
ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline]
ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019
ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline]
ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242
request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097
process_one_work+0x9af/0x1600 kernel/workqueue.c:2279
worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425
kthread+0x3b4/0x4a0 kernel/kthread.c:313
ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221008211532.74583-1-pchelkin@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index e5d5b0761881..f938ac1a4abd 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1328,10 +1328,24 @@ static int send_eject_command(struct usb_interface *interface)
static int ath9k_hif_usb_probe(struct usb_interface *interface,
const struct usb_device_id *id)
{
+ struct usb_endpoint_descriptor *bulk_in, *bulk_out, *int_in, *int_out;
struct usb_device *udev = interface_to_usbdev(interface);
+ struct usb_host_interface *alt;
struct hif_device_usb *hif_dev;
int ret = 0;
+ /* Verify the expected endpoints are present */
+ alt = interface->cur_altsetting;
+ if (usb_find_common_endpoints(alt, &bulk_in, &bulk_out, &int_in, &int_out) < 0 ||
+ usb_endpoint_num(bulk_in) != USB_WLAN_RX_PIPE ||
+ usb_endpoint_num(bulk_out) != USB_WLAN_TX_PIPE ||
+ usb_endpoint_num(int_in) != USB_REG_IN_PIPE ||
+ usb_endpoint_num(int_out) != USB_REG_OUT_PIPE) {
+ dev_err(&udev->dev,
+ "ath9k_htc: Device endpoint numbers are not the expected ones\n");
+ return -ENODEV;
+ }
+
if (id->driver_info == STORAGE_DEVICE)
return send_eject_command(interface);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 499/783] wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (497 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 498/783] wifi: ath9k: verify the expected usb_endpoints are present Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 500/783] ASoC: codecs: rt298: Add quirk for KBL-R RVP platform Greg Kroah-Hartman
` (293 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+95001b1fd6dfcc716c29,
Shigeru Yoshida, Kalle Valo, Sasha Levin
From: Shigeru Yoshida <syoshida@redhat.com>
[ Upstream commit b6702a942a069c2a975478d719e98d83cdae1797 ]
syzkaller reported use-after-free with the stack trace like below [1]:
[ 38.960489][ C3] ==================================================================
[ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240
[ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0
[ 38.966363][ C3]
[ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18
[ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
[ 38.969959][ C3] Call Trace:
[ 38.970841][ C3] <IRQ>
[ 38.971663][ C3] dump_stack_lvl+0xfc/0x174
[ 38.972620][ C3] print_report.cold+0x2c3/0x752
[ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
[ 38.974644][ C3] kasan_report+0xb1/0x1d0
[ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240
[ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240
[ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0
[ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430
[ 38.981266][ C3] dummy_timer+0x140c/0x34e0
[ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0
[ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60
[ 38.986242][ C3] ? lock_release+0x51c/0x790
[ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70
[ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130
[ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0
[ 38.990777][ C3] ? lock_acquire+0x472/0x550
[ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60
[ 38.993138][ C3] ? lock_acquire+0x472/0x550
[ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230
[ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0
[ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0
[ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0
[ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0
[ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0
[ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860
[ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0
[ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10
[ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40
[ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0
[ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0
[ 39.016196][ C3] __do_softirq+0x1d2/0x9be
[ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190
[ 39.019004][ C3] irq_exit_rcu+0x5/0x20
[ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0
[ 39.021965][ C3] </IRQ>
[ 39.023237][ C3] <TASK>
In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below
(there are other functions which finally call ar5523_cmd()):
ar5523_probe()
-> ar5523_host_available()
-> ar5523_cmd_read()
-> ar5523_cmd()
If ar5523_cmd() timed out, then ar5523_host_available() failed and
ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb()
might touch the freed structure.
This patch fixes this issue by canceling in-flight tx cmd if submitted
urb timed out.
Link: https://syzkaller.appspot.com/bug?id=9e12b2d54300842b71bdd18b54971385ff0d0d3a [1]
Reported-by: syzbot+95001b1fd6dfcc716c29@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221009183223.420015-1-syoshida@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index 1baec4b412c8..efe38b2c1df7 100644
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -241,6 +241,11 @@ static void ar5523_cmd_tx_cb(struct urb *urb)
}
}
+static void ar5523_cancel_tx_cmd(struct ar5523 *ar)
+{
+ usb_kill_urb(ar->tx_cmd.urb_tx);
+}
+
static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata,
int ilen, void *odata, int olen, int flags)
{
@@ -280,6 +285,7 @@ static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata,
}
if (!wait_for_completion_timeout(&cmd->done, 2 * HZ)) {
+ ar5523_cancel_tx_cmd(ar);
cmd->odata = NULL;
ar5523_err(ar, "timeout waiting for command %02x reply\n",
code);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 500/783] ASoC: codecs: rt298: Add quirk for KBL-R RVP platform
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (498 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 499/783] wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 501/783] ipmi: fix memleak when unload ipmi driver Greg Kroah-Hartman
` (292 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amadeusz Sławiński,
Cezary Rojewski, Mark Brown, Sasha Levin
From: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
[ Upstream commit 953dbd1cef18ce9ac0d69c1bd735b929fe52a17e ]
KBL-R RVP platforms also use combojack, so we need to enable that
configuration for them.
Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20221010121955.718168-4-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/rt298.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/sound/soc/codecs/rt298.c b/sound/soc/codecs/rt298.c
index dc0273a5a11f..1ca06213e3a3 100644
--- a/sound/soc/codecs/rt298.c
+++ b/sound/soc/codecs/rt298.c
@@ -1168,6 +1168,13 @@ static const struct dmi_system_id force_combo_jack_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "Geminilake")
}
},
+ {
+ .ident = "Intel Kabylake R RVP",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Intel Corporation"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Kabylake Client platform")
+ }
+ },
{ }
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 501/783] ipmi: fix memleak when unload ipmi driver
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (499 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 500/783] ASoC: codecs: rt298: Add quirk for KBL-R RVP platform Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 502/783] drm/amd/display: prevent memory leak Greg Kroah-Hartman
` (291 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Yuchen, Corey Minyard, Sasha Levin
From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
[ Upstream commit 36992eb6b9b83f7f9cdc8e74fb5799d7b52e83e9 ]
After the IPMI disconnect problem, the memory kept rising and we tried
to unload the driver to free the memory. However, only part of the
free memory is recovered after the driver is uninstalled. Using
ebpf to hook free functions, we find that neither ipmi_user nor
ipmi_smi_msg is free, only ipmi_recv_msg is free.
We find that the deliver_smi_err_response call in clean_smi_msgs does
the destroy processing on each message from the xmit_msg queue without
checking the return value and free ipmi_smi_msg.
deliver_smi_err_response is called only at this location. Adding the
free handling has no effect.
To verify, try using ebpf to trace the free function.
$ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc rcv
%p\n",retval);} kprobe:free_recv_msg {printf("free recv %p\n",
arg0)} kretprobe:ipmi_alloc_smi_msg {printf("alloc smi %p\n",
retval);} kprobe:free_smi_msg {printf("free smi %p\n",arg0)}'
Signed-off-by: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
Message-Id: <20221007092617.87597-4-zhangyuchen.lcr@bytedance.com>
[Fixed the comment above handle_one_recv_msg().]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
index 05e7339752ac..223b90247648 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -3540,12 +3540,16 @@ static void deliver_smi_err_response(struct ipmi_smi *intf,
struct ipmi_smi_msg *msg,
unsigned char err)
{
+ int rv;
msg->rsp[0] = msg->data[0] | 4;
msg->rsp[1] = msg->data[1];
msg->rsp[2] = err;
msg->rsp_size = 3;
- /* It's an error, so it will never requeue, no need to check return. */
- handle_one_recv_msg(intf, msg);
+
+ /* This will never requeue, but it may ask us to free the message. */
+ rv = handle_one_recv_msg(intf, msg);
+ if (rv == 0)
+ ipmi_free_smi_msg(msg);
}
static void cleanup_smi_msgs(struct ipmi_smi *intf)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 502/783] drm/amd/display: prevent memory leak
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (500 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 501/783] ipmi: fix memleak when unload ipmi driver Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 503/783] qed (gcc13): use u16 for fid to be big enough Greg Kroah-Hartman
` (290 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Siqueira, gehao,
Alex Deucher, Sasha Levin
From: gehao <gehao@kylinos.cn>
[ Upstream commit d232afb1f3417ae8194ccf19ad3a8360e70e104e ]
In dce6(0,1,4)_create_resource_pool and dce80_create_resource_pool
the allocated memory should be released if construct pool fails.
Reviewed-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Signed-off-by: gehao <gehao@kylinos.cn>
Signed-off-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dce60/dce60_resource.c | 3 +++
drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c | 2 ++
2 files changed, 5 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dce60/dce60_resource.c b/drivers/gpu/drm/amd/display/dc/dce60/dce60_resource.c
index 5a5a9cb77acb..bcdd8a958fc0 100644
--- a/drivers/gpu/drm/amd/display/dc/dce60/dce60_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dce60/dce60_resource.c
@@ -1132,6 +1132,7 @@ struct resource_pool *dce60_create_resource_pool(
if (dce60_construct(num_virtual_links, dc, pool))
return &pool->base;
+ kfree(pool);
BREAK_TO_DEBUGGER();
return NULL;
}
@@ -1329,6 +1330,7 @@ struct resource_pool *dce61_create_resource_pool(
if (dce61_construct(num_virtual_links, dc, pool))
return &pool->base;
+ kfree(pool);
BREAK_TO_DEBUGGER();
return NULL;
}
@@ -1522,6 +1524,7 @@ struct resource_pool *dce64_create_resource_pool(
if (dce64_construct(num_virtual_links, dc, pool))
return &pool->base;
+ kfree(pool);
BREAK_TO_DEBUGGER();
return NULL;
}
diff --git a/drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c b/drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c
index a19be9de2df7..2eefa07762ae 100644
--- a/drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dce80/dce80_resource.c
@@ -1141,6 +1141,7 @@ struct resource_pool *dce80_create_resource_pool(
if (dce80_construct(num_virtual_links, dc, pool))
return &pool->base;
+ kfree(pool);
BREAK_TO_DEBUGGER();
return NULL;
}
@@ -1338,6 +1339,7 @@ struct resource_pool *dce81_create_resource_pool(
if (dce81_construct(num_virtual_links, dc, pool))
return &pool->base;
+ kfree(pool);
BREAK_TO_DEBUGGER();
return NULL;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 503/783] qed (gcc13): use u16 for fid to be big enough
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (501 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 502/783] drm/amd/display: prevent memory leak Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 504/783] bpf: make sure skb->len != 0 when redirecting to a tunneling device Greg Kroah-Hartman
` (289 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Liska, Ariel Elior,
Manish Chopra, Jiri Slaby (SUSE),
Jakub Kicinski, Sasha Levin
From: Jiri Slaby (SUSE) <jirislaby@kernel.org>
[ Upstream commit 7d84118229bf7f7290438c85caa8e49de52d50c1 ]
gcc 13 correctly reports overflow in qed_grc_dump_addr_range():
In file included from drivers/net/ethernet/qlogic/qed/qed.h:23,
from drivers/net/ethernet/qlogic/qed/qed_debug.c:10:
drivers/net/ethernet/qlogic/qed/qed_debug.c: In function 'qed_grc_dump_addr_range':
include/linux/qed/qed_if.h:1217:9: error: overflow in conversion from 'int' to 'u8' {aka 'unsigned char'} changes value from '(int)vf_id << 8 | 128' to '128' [-Werror=overflow]
We do:
u8 fid;
...
fid = vf_id << 8 | 128;
Since fid is 16bit (and the stored value above too), fid should be u16,
not u8. Fix that.
Cc: Martin Liska <mliska@suse.cz>
Cc: Ariel Elior <aelior@marvell.com>
Cc: Manish Chopra <manishc@marvell.com>
Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/20221031114354.10398-1-jirislaby@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/qlogic/qed/qed_debug.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/qlogic/qed/qed_debug.c b/drivers/net/ethernet/qlogic/qed/qed_debug.c
index 6ab3e60d4928..4b4077cf2d26 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_debug.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_debug.c
@@ -1796,9 +1796,10 @@ static u32 qed_grc_dump_addr_range(struct qed_hwfn *p_hwfn,
u8 split_id)
{
struct dbg_tools_data *dev_data = &p_hwfn->dbg_info;
- u8 port_id = 0, pf_id = 0, vf_id = 0, fid = 0;
+ u8 port_id = 0, pf_id = 0, vf_id = 0;
bool read_using_dmae = false;
u32 thresh;
+ u16 fid;
if (!dump)
return len;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 504/783] bpf: make sure skb->len != 0 when redirecting to a tunneling device
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (502 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 503/783] qed (gcc13): use u16 for fid to be big enough Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 505/783] net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() Greg Kroah-Hartman
` (288 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet,
syzbot+f635e86ec3fa0a37e019, Stanislav Fomichev,
Martin KaFai Lau, Alexei Starovoitov, Sasha Levin
From: Stanislav Fomichev <sdf@google.com>
[ Upstream commit 07ec7b502800ba9f7b8b15cb01dd6556bb41aaca ]
syzkaller managed to trigger another case where skb->len == 0
when we enter __dev_queue_xmit:
WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]
WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295
Call Trace:
dev_queue_xmit+0x17/0x20 net/core/dev.c:4406
__bpf_tx_skb net/core/filter.c:2115 [inline]
__bpf_redirect_no_mac net/core/filter.c:2140 [inline]
__bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163
____bpf_clone_redirect net/core/filter.c:2447 [inline]
bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419
bpf_prog_48159a89cb4a9a16+0x59/0x5e
bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]
__bpf_prog_run include/linux/filter.h:596 [inline]
bpf_prog_run include/linux/filter.h:603 [inline]
bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402
bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170
bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648
__sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005
__do_sys_bpf kernel/bpf/syscall.c:5091 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5089 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089
do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
entry_SYSCALL_64_after_hwframe+0x61/0xc6
The reproducer doesn't really reproduce outside of syzkaller
environment, so I'm taking a guess here. It looks like we
do generate correct ETH_HLEN-sized packet, but we redirect
the packet to the tunneling device. Before we do so, we
__skb_pull l2 header and arrive again at skb->len == 0.
Doesn't seem like we can do anything better than having
an explicit check after __skb_pull?
Cc: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+f635e86ec3fa0a37e019@syzkaller.appspotmail.com
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/r/20221027225537.353077-1-sdf@google.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index ef7e74260afc..e3cdbd4996e0 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2132,6 +2132,10 @@ static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev,
if (mlen) {
__skb_pull(skb, mlen);
+ if (unlikely(!skb->len)) {
+ kfree_skb(skb);
+ return -ERANGE;
+ }
/* At ingress, the mac header has already been pulled once.
* At egress, skb_pospull_rcsum has to be done in case that
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 505/783] net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (503 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 504/783] bpf: make sure skb->len != 0 when redirecting to a tunneling device Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 506/783] hamradio: baycom_epp: Fix return type of baycom_send_packet() Greg Kroah-Hartman
` (287 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Kees Cook,
Jakub Kicinski, Sasha Levin
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 63fe6ff674a96cfcfc0fa8df1051a27aa31c70b4 ]
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/net/ethernet/ti/netcp_core.c:1944:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = netcp_ndo_start_xmit,
^~~~~~~~~~~~~~~~~~~~
1 error generated.
->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of
netcp_ndo_start_xmit() to match the prototype's to resolve the warning
and CFI failure.
Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102160933.1601260-1-nathan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/ti/netcp_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c
index dc50e948195d..f145abb77a49 100644
--- a/drivers/net/ethernet/ti/netcp_core.c
+++ b/drivers/net/ethernet/ti/netcp_core.c
@@ -1262,7 +1262,7 @@ static int netcp_tx_submit_skb(struct netcp_intf *netcp,
}
/* Submit the packet */
-static int netcp_ndo_start_xmit(struct sk_buff *skb, struct net_device *ndev)
+static netdev_tx_t netcp_ndo_start_xmit(struct sk_buff *skb, struct net_device *ndev)
{
struct netcp_intf *netcp = netdev_priv(ndev);
struct netcp_stats *tx_stats = &netcp->stats;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 506/783] hamradio: baycom_epp: Fix return type of baycom_send_packet()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (504 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 505/783] net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 507/783] wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() Greg Kroah-Hartman
` (286 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Kees Cook,
Jakub Kicinski, Sasha Levin
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit c5733e5b15d91ab679646ec3149e192996a27d5d ]
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/net/hamradio/baycom_epp.c:1119:25: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = baycom_send_packet,
^~~~~~~~~~~~~~~~~~
1 error generated.
->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of baycom_send_packet()
to match the prototype's to resolve the warning and CFI failure.
Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102160610.1186145-1-nathan@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/hamradio/baycom_epp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/hamradio/baycom_epp.c b/drivers/net/hamradio/baycom_epp.c
index e4e4981ac1d2..eea9d47157cf 100644
--- a/drivers/net/hamradio/baycom_epp.c
+++ b/drivers/net/hamradio/baycom_epp.c
@@ -758,7 +758,7 @@ static void epp_bh(struct work_struct *work)
* ===================== network driver interface =========================
*/
-static int baycom_send_packet(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t baycom_send_packet(struct sk_buff *skb, struct net_device *dev)
{
struct baycom_state *bc = netdev_priv(dev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 507/783] wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (505 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 506/783] hamradio: baycom_epp: Fix return type of baycom_send_packet() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [Intel-wired-lan] " Greg Kroah-Hartman
` (285 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dokyung Song, Jisoo Jang,
Minsuk Kang, Kalle Valo, Sasha Levin
From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
[ Upstream commit 81d17f6f3331f03c8eafdacea68ab773426c1e3c ]
This patch fixes a shift-out-of-bounds in brcmfmac that occurs in
BIT(chiprev) when a 'chiprev' provided by the device is too large.
It should also not be equal to or greater than BITS_PER_TYPE(u32)
as we do bitwise AND with a u32 variable and BIT(chiprev). The patch
adds a check that makes the function return NULL if that is the case.
Note that the NULL case is later handled by the bus-specific caller,
brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example.
Found by a modified version of syzkaller.
UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
shift exponent 151055786 is too large for 64-bit type 'long unsigned int'
CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x57/0x7d
ubsan_epilogue+0x5/0x40
__ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb
? lock_chain_count+0x20/0x20
brcmf_fw_alloc_request.cold+0x19/0x3ea
? brcmf_fw_get_firmwares+0x250/0x250
? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0
brcmf_usb_get_fwname+0x114/0x1a0
? brcmf_usb_reset_resume+0x120/0x120
? number+0x6c4/0x9a0
brcmf_c_process_clm_blob+0x168/0x590
? put_dec+0x90/0x90
? enable_ptr_key_workfn+0x20/0x20
? brcmf_common_pd_remove+0x50/0x50
? rcu_read_lock_sched_held+0xa1/0xd0
brcmf_c_preinit_dcmds+0x673/0xc40
? brcmf_c_set_joinpref_default+0x100/0x100
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lock_acquire+0x19d/0x4e0
? find_held_lock+0x2d/0x110
? brcmf_usb_deq+0x1cc/0x260
? mark_held_locks+0x9f/0xe0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? _raw_spin_unlock_irqrestore+0x47/0x50
? trace_hardirqs_on+0x1c/0x120
? brcmf_usb_deq+0x1a7/0x260
? brcmf_usb_rx_fill_all+0x5a/0xf0
brcmf_attach+0x246/0xd40
? wiphy_new_nm+0x1476/0x1d50
? kmemdup+0x30/0x40
brcmf_usb_probe+0x12de/0x1690
? brcmf_usbdev_qinit.constprop.0+0x470/0x470
usb_probe_interface+0x25f/0x710
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
? usb_match_id.part.0+0x88/0xc0
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
? driver_allows_async_probing+0x120/0x120
bus_for_each_drv+0x123/0x1a0
? bus_rescan_devices+0x20/0x20
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x1c/0x120
__device_attach+0x207/0x330
? device_bind_driver+0xb0/0xb0
? kobject_uevent_env+0x230/0x12c0
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
? __mutex_unlock_slowpath+0xe7/0x660
? __fw_devlink_link_to_suppliers+0x550/0x550
usb_set_configuration+0x984/0x1770
? kernfs_create_link+0x175/0x230
usb_generic_driver_probe+0x69/0x90
usb_probe_device+0x9c/0x220
really_probe+0x1be/0xa90
__driver_probe_device+0x2ab/0x460
driver_probe_device+0x49/0x120
__device_attach_driver+0x18a/0x250
? driver_allows_async_probing+0x120/0x120
bus_for_each_drv+0x123/0x1a0
? bus_rescan_devices+0x20/0x20
? lockdep_hardirqs_on_prepare+0x273/0x3e0
? trace_hardirqs_on+0x1c/0x120
__device_attach+0x207/0x330
? device_bind_driver+0xb0/0xb0
? kobject_uevent_env+0x230/0x12c0
bus_probe_device+0x1a2/0x260
device_add+0xa61/0x1ce0
? __fw_devlink_link_to_suppliers+0x550/0x550
usb_new_device.cold+0x463/0xf66
? hub_disconnect+0x400/0x400
? _raw_spin_unlock_irq+0x24/0x30
hub_event+0x10d5/0x3330
? hub_port_debounce+0x280/0x280
? __lock_acquire+0x1671/0x5790
? wq_calc_node_cpumask+0x170/0x2a0
? lock_release+0x640/0x640
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x873/0x13e0
? lock_release+0x640/0x640
? pwq_dec_nr_in_flight+0x320/0x320
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x8b/0xd10
? __kthread_parkme+0xd9/0x1d0
? process_one_work+0x13e0/0x13e0
kthread+0x379/0x450
? _raw_spin_unlock_irq+0x24/0x30
? set_kthread_struct+0x100/0x100
ret_from_fork+0x1f/0x30
Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221024071329.504277-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
index a2b8d9171af2..060889bf6d05 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
@@ -703,6 +703,11 @@ brcmf_fw_alloc_request(u32 chip, u32 chiprev,
u32 i, j;
char end = '\0';
+ if (chiprev >= BITS_PER_TYPE(u32)) {
+ brcmf_err("Invalid chip revision %u\n", chiprev);
+ return NULL;
+ }
+
for (i = 0; i < table_size; i++) {
if (mapping_table[i].chipid == chip &&
mapping_table[i].revmask & BIT(chiprev))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 508/783] igb: Do not free q_vector unless new one was allocated
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 002/783] arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins Greg Kroah-Hartman
` (791 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jesse Brandeburg, Tony Nguyen,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
intel-wired-lan, netdev, Kees Cook, Michael J. Ruhl,
Jacob Keller, Sasha Levin, Gurucharan
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 0668716506ca66f90d395f36ccdaebc3e0e84801 ]
Avoid potential use-after-free condition under memory pressure. If the
kzalloc() fails, q_vector will be freed but left in the original
adapter->q_vector[v_idx] array position.
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: intel-wired-lan@lists.osuosl.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igb/igb_main.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 2646601c3487..0ea8e4024d63 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -1204,8 +1204,12 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter,
if (!q_vector) {
q_vector = kzalloc(size, GFP_KERNEL);
} else if (size > ksize(q_vector)) {
- kfree_rcu(q_vector, rcu);
- q_vector = kzalloc(size, GFP_KERNEL);
+ struct igb_q_vector *new_q_vector;
+
+ new_q_vector = kzalloc(size, GFP_KERNEL);
+ if (new_q_vector)
+ kfree_rcu(q_vector, rcu);
+ q_vector = new_q_vector;
} else {
memset(q_vector, 0, size);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [Intel-wired-lan] [PATCH 5.10 508/783] igb: Do not free q_vector unless new one was allocated
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
0 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Sasha Levin, Kees Cook, Greg Kroah-Hartman, patches,
Jesse Brandeburg, Michael J. Ruhl, Eric Dumazet, netdev,
Tony Nguyen, intel-wired-lan, Jakub Kicinski, Paolo Abeni,
David S. Miller
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 0668716506ca66f90d395f36ccdaebc3e0e84801 ]
Avoid potential use-after-free condition under memory pressure. If the
kzalloc() fails, q_vector will be freed but left in the original
adapter->q_vector[v_idx] array position.
Cc: Jesse Brandeburg <jesse.brandeburg@intel.com>
Cc: Tony Nguyen <anthony.l.nguyen@intel.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: intel-wired-lan@lists.osuosl.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Gurucharan <gurucharanx.g@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/igb/igb_main.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 2646601c3487..0ea8e4024d63 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -1204,8 +1204,12 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter,
if (!q_vector) {
q_vector = kzalloc(size, GFP_KERNEL);
} else if (size > ksize(q_vector)) {
- kfree_rcu(q_vector, rcu);
- q_vector = kzalloc(size, GFP_KERNEL);
+ struct igb_q_vector *new_q_vector;
+
+ new_q_vector = kzalloc(size, GFP_KERNEL);
+ if (new_q_vector)
+ kfree_rcu(q_vector, rcu);
+ q_vector = new_q_vector;
} else {
memset(q_vector, 0, size);
}
--
2.35.1
_______________________________________________
Intel-wired-lan mailing list
Intel-wired-lan@osuosl.org
https://lists.osuosl.org/mailman/listinfo/intel-wired-lan
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 509/783] drm/amdgpu: Fix type of second parameter in trans_msg() callback
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (507 preceding siblings ...)
2023-01-12 13:53 ` [Intel-wired-lan] " Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 510/783] drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback Greg Kroah-Hartman
` (283 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sami Tolvanen, Kees Cook,
Nathan Chancellor, Alex Deucher, Sasha Levin
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit f0d0f1087333714ee683cc134a95afe331d7ddd9 ]
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c:412:15: error: incompatible function pointer types initializing 'void (*)(struct amdgpu_device *, u32, u32, u32, u32)' (aka 'void (*)(struct amdgpu_device *, unsigned int, unsigned int, unsigned int, unsigned int)') with an expression of type 'void (struct amdgpu_device *, enum idh_request, u32, u32, u32)' (aka 'void (struct amdgpu_device *, enum idh_request, unsigned int, unsigned int, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict]
.trans_msg = xgpu_ai_mailbox_trans_msg,
^~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c:435:15: error: incompatible function pointer types initializing 'void (*)(struct amdgpu_device *, u32, u32, u32, u32)' (aka 'void (*)(struct amdgpu_device *, unsigned int, unsigned int, unsigned int, unsigned int)') with an expression of type 'void (struct amdgpu_device *, enum idh_request, u32, u32, u32)' (aka 'void (struct amdgpu_device *, enum idh_request, unsigned int, unsigned int, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict]
.trans_msg = xgpu_nv_mailbox_trans_msg,
^~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
The type of the second parameter in the prototype should be 'enum
idh_request' instead of 'u32'. Update it to clear up the warnings.
Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reported-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
index aea49bad914f..fbd92fff8b06 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h
@@ -62,6 +62,8 @@ struct amdgpu_vf_error_buffer {
uint64_t data[AMDGPU_VF_ERROR_ENTRY_SIZE];
};
+enum idh_request;
+
/**
* struct amdgpu_virt_ops - amdgpu device virt operations
*/
@@ -71,7 +73,8 @@ struct amdgpu_virt_ops {
int (*req_init_data)(struct amdgpu_device *adev);
int (*reset_gpu)(struct amdgpu_device *adev);
int (*wait_reset)(struct amdgpu_device *adev);
- void (*trans_msg)(struct amdgpu_device *adev, u32 req, u32 data1, u32 data2, u32 data3);
+ void (*trans_msg)(struct amdgpu_device *adev, enum idh_request req,
+ u32 data1, u32 data2, u32 data3);
};
/*
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 510/783] drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (508 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 509/783] drm/amdgpu: Fix type of second parameter in trans_msg() callback Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 511/783] s390/ctcm: Fix return type of ctc{mp,}m_tx() Greg Kroah-Hartman
` (282 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sami Tolvanen, Kees Cook,
Nathan Chancellor, Alex Deucher, Sasha Levin
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit e4d0ef752081e7aa6ffb7ccac11c499c732a2e05 ]
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/gpu/drm/amd/amdgpu/../pm/swsmu/amdgpu_smu.c:3008:29: error: incompatible function pointer types initializing 'int (*)(void *, uint32_t, long *, uint32_t)' (aka 'int (*)(void *, unsigned int, long *, unsigned int)') with an expression of type 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, uint32_t)' (aka 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict]
.odn_edit_dpm_table = smu_od_edit_dpm_table,
^~~~~~~~~~~~~~~~~~~~~
1 error generated.
There are only two implementations of ->odn_edit_dpm_table() in 'struct
amd_pm_funcs': smu_od_edit_dpm_table() and pp_odn_edit_dpm_table(). One
has a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND' and the
other uses 'u32'. Ultimately, smu_od_edit_dpm_table() calls
->od_edit_dpm_table() from 'struct pptable_funcs' and
pp_odn_edit_dpm_table() calls ->odn_edit_dpm_table() from 'struct
pp_hwmgr_func', which both have a second parameter type of 'enum
PP_OD_DPM_TABLE_COMMAND'.
Update the type parameter in both the prototype in 'struct amd_pm_funcs'
and pp_odn_edit_dpm_table() to 'enum PP_OD_DPM_TABLE_COMMAND', which
cleans up the warning.
Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reported-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/include/kgd_pp_interface.h | 3 ++-
drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/include/kgd_pp_interface.h b/drivers/gpu/drm/amd/include/kgd_pp_interface.h
index 94132c70d7af..5e8876ad1a1b 100644
--- a/drivers/gpu/drm/amd/include/kgd_pp_interface.h
+++ b/drivers/gpu/drm/amd/include/kgd_pp_interface.h
@@ -282,7 +282,8 @@ struct amd_pm_funcs {
int (*get_power_profile_mode)(void *handle, char *buf);
int (*set_power_profile_mode)(void *handle, long *input, uint32_t size);
int (*set_fine_grain_clk_vol)(void *handle, uint32_t type, long *input, uint32_t size);
- int (*odn_edit_dpm_table)(void *handle, uint32_t type, long *input, uint32_t size);
+ int (*odn_edit_dpm_table)(void *handle, enum PP_OD_DPM_TABLE_COMMAND type,
+ long *input, uint32_t size);
int (*set_mp1_state)(void *handle, enum pp_mp1_state mp1_state);
int (*smu_i2c_bus_access)(void *handle, bool acquire);
/* export to DC */
diff --git a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
index eab9768029c1..a98ea29b2fd5 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c
@@ -924,7 +924,8 @@ static int pp_set_fine_grain_clk_vol(void *handle, uint32_t type, long *input, u
return hwmgr->hwmgr_func->set_fine_grain_clk_vol(hwmgr, type, input, size);
}
-static int pp_odn_edit_dpm_table(void *handle, uint32_t type, long *input, uint32_t size)
+static int pp_odn_edit_dpm_table(void *handle, enum PP_OD_DPM_TABLE_COMMAND type,
+ long *input, uint32_t size)
{
struct pp_hwmgr *hwmgr = handle;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 511/783] s390/ctcm: Fix return type of ctc{mp,}m_tx()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (509 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 510/783] drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 512/783] s390/netiucv: Fix return type of netiucv_tx() Greg Kroah-Hartman
` (281 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandra Winter, Kees Cook,
Nathan Chancellor, David S. Miller, Sasha Levin
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit aa5bf80c3c067b82b4362cd6e8e2194623bcaca6 ]
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = ctcm_tx,
^~~~~~~
drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = ctcmpc_tx,
^~~~~~~~~
->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to
match the prototype's to resolve the warning and potential CFI failure,
should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.
Additionally, while in the area, remove a comment block that is no
longer relevant.
Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/net/ctcm_main.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c
index d06809eac16d..fb0e8f1cabdc 100644
--- a/drivers/s390/net/ctcm_main.c
+++ b/drivers/s390/net/ctcm_main.c
@@ -865,16 +865,9 @@ static int ctcmpc_transmit_skb(struct channel *ch, struct sk_buff *skb)
/**
* Start transmission of a packet.
* Called from generic network device layer.
- *
- * skb Pointer to buffer containing the packet.
- * dev Pointer to interface struct.
- *
- * returns 0 if packet consumed, !0 if packet rejected.
- * Note: If we return !0, then the packet is free'd by
- * the generic network layer.
*/
/* first merge version - leaving both functions separated */
-static int ctcm_tx(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t ctcm_tx(struct sk_buff *skb, struct net_device *dev)
{
struct ctcm_priv *priv = dev->ml_priv;
@@ -917,7 +910,7 @@ static int ctcm_tx(struct sk_buff *skb, struct net_device *dev)
}
/* unmerged MPC variant of ctcm_tx */
-static int ctcmpc_tx(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t ctcmpc_tx(struct sk_buff *skb, struct net_device *dev)
{
int len = 0;
struct ctcm_priv *priv = dev->ml_priv;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 512/783] s390/netiucv: Fix return type of netiucv_tx()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (510 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 511/783] s390/ctcm: Fix return type of ctc{mp,}m_tx() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 513/783] s390/lcs: Fix return type of lcs_start_xmit() Greg Kroah-Hartman
` (280 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandra Winter, Kees Cook,
Nathan Chancellor, David S. Miller, Sasha Levin
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 88d86d18d7cf7e9137c95f9d212bb9fff8a1b4be ]
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/s390/net/netiucv.c:1854:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = netiucv_tx,
^~~~~~~~~~
->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of netiucv_tx() to
match the prototype's to resolve the warning and potential CFI failure,
should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.
Additionally, while in the area, remove a comment block that is no
longer relevant.
Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/net/netiucv.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/drivers/s390/net/netiucv.c b/drivers/s390/net/netiucv.c
index 260860cf3aa1..a2f403c4ec38 100644
--- a/drivers/s390/net/netiucv.c
+++ b/drivers/s390/net/netiucv.c
@@ -1260,15 +1260,8 @@ static int netiucv_close(struct net_device *dev)
/**
* Start transmission of a packet.
* Called from generic network device layer.
- *
- * @param skb Pointer to buffer containing the packet.
- * @param dev Pointer to interface struct.
- *
- * @return 0 if packet consumed, !0 if packet rejected.
- * Note: If we return !0, then the packet is free'd by
- * the generic network layer.
*/
-static int netiucv_tx(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t netiucv_tx(struct sk_buff *skb, struct net_device *dev)
{
struct netiucv_priv *privptr = netdev_priv(dev);
int rc;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 513/783] s390/lcs: Fix return type of lcs_start_xmit()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (511 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 512/783] s390/netiucv: Fix return type of netiucv_tx() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 514/783] drm/msm: Use drm_mode_copy() Greg Kroah-Hartman
` (279 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexandra Winter, Kees Cook,
Nathan Chancellor, David S. Miller, Sasha Levin
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit bb16db8393658e0978c3f0d30ae069e878264fa3 ]
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = lcs_start_xmit,
^~~~~~~~~~~~~~
drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = lcs_start_xmit,
^~~~~~~~~~~~~~
->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to
match the prototype's to resolve the warning and potential CFI failure,
should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.
Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/s390/net/lcs.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/drivers/s390/net/lcs.c b/drivers/s390/net/lcs.c
index 06a322bdced6..7e743f4717a9 100644
--- a/drivers/s390/net/lcs.c
+++ b/drivers/s390/net/lcs.c
@@ -1518,9 +1518,8 @@ lcs_txbuffer_cb(struct lcs_channel *channel, struct lcs_buffer *buffer)
/**
* Packet transmit function called by network stack
*/
-static int
-__lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb,
- struct net_device *dev)
+static netdev_tx_t __lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb,
+ struct net_device *dev)
{
struct lcs_header *header;
int rc = NETDEV_TX_OK;
@@ -1581,8 +1580,7 @@ __lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb,
return rc;
}
-static int
-lcs_start_xmit(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t lcs_start_xmit(struct sk_buff *skb, struct net_device *dev)
{
struct lcs_card *card;
int rc;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 514/783] drm/msm: Use drm_mode_copy()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (512 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 513/783] s390/lcs: Fix return type of lcs_start_xmit() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` Greg Kroah-Hartman
` (278 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Clark, Sean Paul, Abhinav Kumar,
linux-arm-msm, freedreno, Dmitry Baryshkov, Daniel Vetter,
Ville Syrjälä,
Sasha Levin
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit b2a1c5ca50db22b3677676dd5bad5f6092429acf ]
struct drm_display_mode embeds a list head, so overwriting
the full struct with another one will corrupt the list
(if the destination mode is on a list). Use drm_mode_copy()
instead which explicitly preserves the list head of
the destination mode.
Even if we know the destination mode is not on any list
using drm_mode_copy() seems decent as it sets a good
example. Bad examples of not using it might eventually
get copied into code where preserving the list head
actually matters.
Obviously one case not covered here is when the mode
itself is embedded in a larger structure and the whole
structure is copied. But if we are careful when copying
into modes embedded in structures I think we can be a
little more reassured that bogus list heads haven't been
propagated in.
@is_mode_copy@
@@
drm_mode_copy(...)
{
...
}
@depends on !is_mode_copy@
struct drm_display_mode *mode;
expression E, S;
@@
(
- *mode = E
+ drm_mode_copy(mode, &E)
|
- memcpy(mode, E, S)
+ drm_mode_copy(mode, E)
)
@depends on !is_mode_copy@
struct drm_display_mode mode;
expression E;
@@
(
- mode = E
+ drm_mode_copy(&mode, &E)
|
- memcpy(&mode, E, S)
+ drm_mode_copy(&mode, E)
)
@@
struct drm_display_mode *mode;
@@
- &*mode
+ mode
Cc: Rob Clark <robdclark@gmail.com>
Cc: Sean Paul <sean@poorly.run>
Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
Cc: linux-arm-msm@vger.kernel.org
Cc: freedreno@lists.freedesktop.org
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-5-ville.syrjala@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/dp/dp_display.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
index 5a152d505dfb..1c3dcbc6cce8 100644
--- a/drivers/gpu/drm/msm/dp/dp_display.c
+++ b/drivers/gpu/drm/msm/dp/dp_display.c
@@ -848,7 +848,7 @@ static int dp_display_set_mode(struct msm_dp *dp_display,
dp = container_of(dp_display, struct dp_display_private, dp_display);
- dp->panel->dp_mode.drm_mode = mode->drm_mode;
+ drm_mode_copy(&dp->panel->dp_mode.drm_mode, &mode->drm_mode);
dp->panel->dp_mode.bpp = mode->bpp;
dp->panel->dp_mode.capabilities = mode->capabilities;
dp_panel_init_panel_info(dp->panel);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 515/783] drm/rockchip: Use drm_mode_copy()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 001/783] usb: musb: remove extra check in musb_gadget_vbus_draw Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 003/783] arm64: dts: qcom: msm8996: fix GPU OPP table Greg Kroah-Hartman
` (790 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä,
Sandy Huang, Heiko Stübner, linux-arm-kernel,
linux-rockchip, Daniel Vetter, Sasha Levin
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit 2bfaa28000d2830d3209161a4541cce0660e1b84 ]
struct drm_display_mode embeds a list head, so overwriting
the full struct with another one will corrupt the list
(if the destination mode is on a list). Use drm_mode_copy()
instead which explicitly preserves the list head of
the destination mode.
Even if we know the destination mode is not on any list
using drm_mode_copy() seems decent as it sets a good
example. Bad examples of not using it might eventually
get copied into code where preserving the list head
actually matters.
Obviously one case not covered here is when the mode
itself is embedded in a larger structure and the whole
structure is copied. But if we are careful when copying
into modes embedded in structures I think we can be a
little more reassured that bogus list heads haven't been
propagated in.
@is_mode_copy@
@@
drm_mode_copy(...)
{
...
}
@depends on !is_mode_copy@
struct drm_display_mode *mode;
expression E, S;
@@
(
- *mode = E
+ drm_mode_copy(mode, &E)
|
- memcpy(mode, E, S)
+ drm_mode_copy(mode, E)
)
@depends on !is_mode_copy@
struct drm_display_mode mode;
expression E;
@@
(
- mode = E
+ drm_mode_copy(&mode, &E)
|
- memcpy(&mode, E, S)
+ drm_mode_copy(&mode, E)
)
@@
struct drm_display_mode *mode;
@@
- &*mode
+ mode
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Sandy Huang <hjc@rock-chips.com>
Cc: "Heiko Stübner" <heiko@sntech.de>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-rockchip@lists.infradead.org
Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-7-ville.syrjala@linux.intel.com
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rockchip/cdn-dp-core.c | 2 +-
drivers/gpu/drm/rockchip/inno_hdmi.c | 2 +-
drivers/gpu/drm/rockchip/rk3066_hdmi.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c
index 857c47c69ef1..adeaa0140f0f 100644
--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c
+++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c
@@ -564,7 +564,7 @@ static void cdn_dp_encoder_mode_set(struct drm_encoder *encoder,
video->v_sync_polarity = !!(mode->flags & DRM_MODE_FLAG_NVSYNC);
video->h_sync_polarity = !!(mode->flags & DRM_MODE_FLAG_NHSYNC);
- memcpy(&dp->mode, adjusted, sizeof(*mode));
+ drm_mode_copy(&dp->mode, adjusted);
}
static bool cdn_dp_check_link_status(struct cdn_dp_device *dp)
diff --git a/drivers/gpu/drm/rockchip/inno_hdmi.c b/drivers/gpu/drm/rockchip/inno_hdmi.c
index 7afdc54eb3ec..78120da5e63a 100644
--- a/drivers/gpu/drm/rockchip/inno_hdmi.c
+++ b/drivers/gpu/drm/rockchip/inno_hdmi.c
@@ -488,7 +488,7 @@ static void inno_hdmi_encoder_mode_set(struct drm_encoder *encoder,
inno_hdmi_setup(hdmi, adj_mode);
/* Store the display mode for plugin/DPMS poweron events */
- memcpy(&hdmi->previous_mode, adj_mode, sizeof(hdmi->previous_mode));
+ drm_mode_copy(&hdmi->previous_mode, adj_mode);
}
static void inno_hdmi_encoder_enable(struct drm_encoder *encoder)
diff --git a/drivers/gpu/drm/rockchip/rk3066_hdmi.c b/drivers/gpu/drm/rockchip/rk3066_hdmi.c
index 1c546c3a8998..17e7c40a9e7b 100644
--- a/drivers/gpu/drm/rockchip/rk3066_hdmi.c
+++ b/drivers/gpu/drm/rockchip/rk3066_hdmi.c
@@ -383,7 +383,7 @@ rk3066_hdmi_encoder_mode_set(struct drm_encoder *encoder,
struct rk3066_hdmi *hdmi = to_rk3066_hdmi(encoder);
/* Store the display mode for plugin/DPMS poweron events. */
- memcpy(&hdmi->previous_mode, adj_mode, sizeof(hdmi->previous_mode));
+ drm_mode_copy(&hdmi->previous_mode, adj_mode);
}
static void rk3066_hdmi_encoder_enable(struct drm_encoder *encoder)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 515/783] drm/rockchip: Use drm_mode_copy()
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
0 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä,
Sandy Huang, Heiko Stübner, linux-arm-kernel,
linux-rockchip, Daniel Vetter, Sasha Levin
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit 2bfaa28000d2830d3209161a4541cce0660e1b84 ]
struct drm_display_mode embeds a list head, so overwriting
the full struct with another one will corrupt the list
(if the destination mode is on a list). Use drm_mode_copy()
instead which explicitly preserves the list head of
the destination mode.
Even if we know the destination mode is not on any list
using drm_mode_copy() seems decent as it sets a good
example. Bad examples of not using it might eventually
get copied into code where preserving the list head
actually matters.
Obviously one case not covered here is when the mode
itself is embedded in a larger structure and the whole
structure is copied. But if we are careful when copying
into modes embedded in structures I think we can be a
little more reassured that bogus list heads haven't been
propagated in.
@is_mode_copy@
@@
drm_mode_copy(...)
{
...
}
@depends on !is_mode_copy@
struct drm_display_mode *mode;
expression E, S;
@@
(
- *mode = E
+ drm_mode_copy(mode, &E)
|
- memcpy(mode, E, S)
+ drm_mode_copy(mode, E)
)
@depends on !is_mode_copy@
struct drm_display_mode mode;
expression E;
@@
(
- mode = E
+ drm_mode_copy(&mode, &E)
|
- memcpy(&mode, E, S)
+ drm_mode_copy(&mode, E)
)
@@
struct drm_display_mode *mode;
@@
- &*mode
+ mode
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Sandy Huang <hjc@rock-chips.com>
Cc: "Heiko Stübner" <heiko@sntech.de>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-rockchip@lists.infradead.org
Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-7-ville.syrjala@linux.intel.com
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rockchip/cdn-dp-core.c | 2 +-
drivers/gpu/drm/rockchip/inno_hdmi.c | 2 +-
drivers/gpu/drm/rockchip/rk3066_hdmi.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c
index 857c47c69ef1..adeaa0140f0f 100644
--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c
+++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c
@@ -564,7 +564,7 @@ static void cdn_dp_encoder_mode_set(struct drm_encoder *encoder,
video->v_sync_polarity = !!(mode->flags & DRM_MODE_FLAG_NVSYNC);
video->h_sync_polarity = !!(mode->flags & DRM_MODE_FLAG_NHSYNC);
- memcpy(&dp->mode, adjusted, sizeof(*mode));
+ drm_mode_copy(&dp->mode, adjusted);
}
static bool cdn_dp_check_link_status(struct cdn_dp_device *dp)
diff --git a/drivers/gpu/drm/rockchip/inno_hdmi.c b/drivers/gpu/drm/rockchip/inno_hdmi.c
index 7afdc54eb3ec..78120da5e63a 100644
--- a/drivers/gpu/drm/rockchip/inno_hdmi.c
+++ b/drivers/gpu/drm/rockchip/inno_hdmi.c
@@ -488,7 +488,7 @@ static void inno_hdmi_encoder_mode_set(struct drm_encoder *encoder,
inno_hdmi_setup(hdmi, adj_mode);
/* Store the display mode for plugin/DPMS poweron events */
- memcpy(&hdmi->previous_mode, adj_mode, sizeof(hdmi->previous_mode));
+ drm_mode_copy(&hdmi->previous_mode, adj_mode);
}
static void inno_hdmi_encoder_enable(struct drm_encoder *encoder)
diff --git a/drivers/gpu/drm/rockchip/rk3066_hdmi.c b/drivers/gpu/drm/rockchip/rk3066_hdmi.c
index 1c546c3a8998..17e7c40a9e7b 100644
--- a/drivers/gpu/drm/rockchip/rk3066_hdmi.c
+++ b/drivers/gpu/drm/rockchip/rk3066_hdmi.c
@@ -383,7 +383,7 @@ rk3066_hdmi_encoder_mode_set(struct drm_encoder *encoder,
struct rk3066_hdmi *hdmi = to_rk3066_hdmi(encoder);
/* Store the display mode for plugin/DPMS poweron events. */
- memcpy(&hdmi->previous_mode, adj_mode, sizeof(hdmi->previous_mode));
+ drm_mode_copy(&hdmi->previous_mode, adj_mode);
}
static void rk3066_hdmi_encoder_enable(struct drm_encoder *encoder)
--
2.35.1
_______________________________________________
Linux-rockchip mailing list
Linux-rockchip@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-rockchip
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 515/783] drm/rockchip: Use drm_mode_copy()
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
0 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä,
Sandy Huang, Heiko Stübner, linux-arm-kernel,
linux-rockchip, Daniel Vetter, Sasha Levin
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit 2bfaa28000d2830d3209161a4541cce0660e1b84 ]
struct drm_display_mode embeds a list head, so overwriting
the full struct with another one will corrupt the list
(if the destination mode is on a list). Use drm_mode_copy()
instead which explicitly preserves the list head of
the destination mode.
Even if we know the destination mode is not on any list
using drm_mode_copy() seems decent as it sets a good
example. Bad examples of not using it might eventually
get copied into code where preserving the list head
actually matters.
Obviously one case not covered here is when the mode
itself is embedded in a larger structure and the whole
structure is copied. But if we are careful when copying
into modes embedded in structures I think we can be a
little more reassured that bogus list heads haven't been
propagated in.
@is_mode_copy@
@@
drm_mode_copy(...)
{
...
}
@depends on !is_mode_copy@
struct drm_display_mode *mode;
expression E, S;
@@
(
- *mode = E
+ drm_mode_copy(mode, &E)
|
- memcpy(mode, E, S)
+ drm_mode_copy(mode, E)
)
@depends on !is_mode_copy@
struct drm_display_mode mode;
expression E;
@@
(
- mode = E
+ drm_mode_copy(&mode, &E)
|
- memcpy(&mode, E, S)
+ drm_mode_copy(&mode, E)
)
@@
struct drm_display_mode *mode;
@@
- &*mode
+ mode
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: Sandy Huang <hjc@rock-chips.com>
Cc: "Heiko Stübner" <heiko@sntech.de>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-rockchip@lists.infradead.org
Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-7-ville.syrjala@linux.intel.com
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/rockchip/cdn-dp-core.c | 2 +-
drivers/gpu/drm/rockchip/inno_hdmi.c | 2 +-
drivers/gpu/drm/rockchip/rk3066_hdmi.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c
index 857c47c69ef1..adeaa0140f0f 100644
--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c
+++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c
@@ -564,7 +564,7 @@ static void cdn_dp_encoder_mode_set(struct drm_encoder *encoder,
video->v_sync_polarity = !!(mode->flags & DRM_MODE_FLAG_NVSYNC);
video->h_sync_polarity = !!(mode->flags & DRM_MODE_FLAG_NHSYNC);
- memcpy(&dp->mode, adjusted, sizeof(*mode));
+ drm_mode_copy(&dp->mode, adjusted);
}
static bool cdn_dp_check_link_status(struct cdn_dp_device *dp)
diff --git a/drivers/gpu/drm/rockchip/inno_hdmi.c b/drivers/gpu/drm/rockchip/inno_hdmi.c
index 7afdc54eb3ec..78120da5e63a 100644
--- a/drivers/gpu/drm/rockchip/inno_hdmi.c
+++ b/drivers/gpu/drm/rockchip/inno_hdmi.c
@@ -488,7 +488,7 @@ static void inno_hdmi_encoder_mode_set(struct drm_encoder *encoder,
inno_hdmi_setup(hdmi, adj_mode);
/* Store the display mode for plugin/DPMS poweron events */
- memcpy(&hdmi->previous_mode, adj_mode, sizeof(hdmi->previous_mode));
+ drm_mode_copy(&hdmi->previous_mode, adj_mode);
}
static void inno_hdmi_encoder_enable(struct drm_encoder *encoder)
diff --git a/drivers/gpu/drm/rockchip/rk3066_hdmi.c b/drivers/gpu/drm/rockchip/rk3066_hdmi.c
index 1c546c3a8998..17e7c40a9e7b 100644
--- a/drivers/gpu/drm/rockchip/rk3066_hdmi.c
+++ b/drivers/gpu/drm/rockchip/rk3066_hdmi.c
@@ -383,7 +383,7 @@ rk3066_hdmi_encoder_mode_set(struct drm_encoder *encoder,
struct rk3066_hdmi *hdmi = to_rk3066_hdmi(encoder);
/* Store the display mode for plugin/DPMS poweron events. */
- memcpy(&hdmi->previous_mode, adj_mode, sizeof(hdmi->previous_mode));
+ drm_mode_copy(&hdmi->previous_mode, adj_mode);
}
static void rk3066_hdmi_encoder_enable(struct drm_encoder *encoder)
--
2.35.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 516/783] drm/sti: Use drm_mode_copy()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (514 preceding siblings ...)
2023-01-12 13:53 ` Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 517/783] drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() Greg Kroah-Hartman
` (276 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alain Volmat,
Ville Syrjälä,
Daniel Vetter, Sasha Levin
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
[ Upstream commit 442cf8e22ba25a77cb9092d78733fdbac9844e50 ]
struct drm_display_mode embeds a list head, so overwriting
the full struct with another one will corrupt the list
(if the destination mode is on a list). Use drm_mode_copy()
instead which explicitly preserves the list head of
the destination mode.
Even if we know the destination mode is not on any list
using drm_mode_copy() seems decent as it sets a good
example. Bad examples of not using it might eventually
get copied into code where preserving the list head
actually matters.
Obviously one case not covered here is when the mode
itself is embedded in a larger structure and the whole
structure is copied. But if we are careful when copying
into modes embedded in structures I think we can be a
little more reassured that bogus list heads haven't been
propagated in.
@is_mode_copy@
@@
drm_mode_copy(...)
{
...
}
@depends on !is_mode_copy@
struct drm_display_mode *mode;
expression E, S;
@@
(
- *mode = E
+ drm_mode_copy(mode, &E)
|
- memcpy(mode, E, S)
+ drm_mode_copy(mode, E)
)
@depends on !is_mode_copy@
struct drm_display_mode mode;
expression E;
@@
(
- mode = E
+ drm_mode_copy(&mode, &E)
|
- memcpy(&mode, E, S)
+ drm_mode_copy(&mode, E)
)
@@
struct drm_display_mode *mode;
@@
- &*mode
+ mode
Cc: Alain Volmat <alain.volmat@foss.st.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-8-ville.syrjala@linux.intel.com
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sti/sti_dvo.c | 2 +-
drivers/gpu/drm/sti/sti_hda.c | 2 +-
drivers/gpu/drm/sti/sti_hdmi.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c
index ddb4184f0726..b0676a73a1d7 100644
--- a/drivers/gpu/drm/sti/sti_dvo.c
+++ b/drivers/gpu/drm/sti/sti_dvo.c
@@ -288,7 +288,7 @@ static void sti_dvo_set_mode(struct drm_bridge *bridge,
DRM_DEBUG_DRIVER("\n");
- memcpy(&dvo->mode, mode, sizeof(struct drm_display_mode));
+ drm_mode_copy(&dvo->mode, mode);
/* According to the path used (main or aux), the dvo clocks should
* have a different parent clock. */
diff --git a/drivers/gpu/drm/sti/sti_hda.c b/drivers/gpu/drm/sti/sti_hda.c
index 5c2b650b561d..84109800143a 100644
--- a/drivers/gpu/drm/sti/sti_hda.c
+++ b/drivers/gpu/drm/sti/sti_hda.c
@@ -523,7 +523,7 @@ static void sti_hda_set_mode(struct drm_bridge *bridge,
DRM_DEBUG_DRIVER("\n");
- memcpy(&hda->mode, mode, sizeof(struct drm_display_mode));
+ drm_mode_copy(&hda->mode, mode);
if (!hda_get_mode_idx(hda->mode, &mode_idx)) {
DRM_ERROR("Undefined mode\n");
diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c
index 38a558768e53..412664dfb0b0 100644
--- a/drivers/gpu/drm/sti/sti_hdmi.c
+++ b/drivers/gpu/drm/sti/sti_hdmi.c
@@ -934,7 +934,7 @@ static void sti_hdmi_set_mode(struct drm_bridge *bridge,
DRM_DEBUG_DRIVER("\n");
/* Copy the drm display mode in the connector local structure */
- memcpy(&hdmi->mode, mode, sizeof(struct drm_display_mode));
+ drm_mode_copy(&hdmi->mode, mode);
/* Update clock framerate according to the selected mode */
ret = clk_set_rate(hdmi->clk_pix, mode->clock * 1000);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 517/783] drivers/md/md-bitmap: check the return value of md_bitmap_get_counter()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (515 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 516/783] drm/sti: " Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 518/783] md/raid1: stop mdx_raid1 thread when raid1 array run failed Greg Kroah-Hartman
` (275 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Zhong, Song Liu, Sasha Levin
From: Li Zhong <floridsleeves@gmail.com>
[ Upstream commit 3bd548e5b819b8c0f2c9085de775c5c7bff9052f ]
Check the return value of md_bitmap_get_counter() in case it returns
NULL pointer, which will result in a null pointer dereference.
v2: update the check to include other dereference
Signed-off-by: Li Zhong <floridsleeves@gmail.com>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/md-bitmap.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/drivers/md/md-bitmap.c b/drivers/md/md-bitmap.c
index d377ea060925..4e52fcf98d59 100644
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -2196,20 +2196,23 @@ int md_bitmap_resize(struct bitmap *bitmap, sector_t blocks,
if (set) {
bmc_new = md_bitmap_get_counter(&bitmap->counts, block, &new_blocks, 1);
- if (*bmc_new == 0) {
- /* need to set on-disk bits too. */
- sector_t end = block + new_blocks;
- sector_t start = block >> chunkshift;
- start <<= chunkshift;
- while (start < end) {
- md_bitmap_file_set_bit(bitmap, block);
- start += 1 << chunkshift;
+ if (bmc_new) {
+ if (*bmc_new == 0) {
+ /* need to set on-disk bits too. */
+ sector_t end = block + new_blocks;
+ sector_t start = block >> chunkshift;
+
+ start <<= chunkshift;
+ while (start < end) {
+ md_bitmap_file_set_bit(bitmap, block);
+ start += 1 << chunkshift;
+ }
+ *bmc_new = 2;
+ md_bitmap_count_page(&bitmap->counts, block, 1);
+ md_bitmap_set_pending(&bitmap->counts, block);
}
- *bmc_new = 2;
- md_bitmap_count_page(&bitmap->counts, block, 1);
- md_bitmap_set_pending(&bitmap->counts, block);
+ *bmc_new |= NEEDED_MASK;
}
- *bmc_new |= NEEDED_MASK;
if (new_blocks < old_blocks)
old_blocks = new_blocks;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 518/783] md/raid1: stop mdx_raid1 thread when raid1 array run failed
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (516 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 517/783] drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 519/783] drm/amd/display: fix array index out of bound error in bios parser Greg Kroah-Hartman
` (274 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiang Li, Song Liu, Sasha Levin
From: Jiang Li <jiang.li@ugreen.com>
[ Upstream commit b611ad14006e5be2170d9e8e611bf49dff288911 ]
fail run raid1 array when we assemble array with the inactive disk only,
but the mdx_raid1 thread were not stop, Even if the associated resources
have been released. it will caused a NULL dereference when we do poweroff.
This causes the following Oops:
[ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070
[ 287.594762] #PF: supervisor read access in kernel mode
[ 287.599912] #PF: error_code(0x0000) - not-present page
[ 287.605061] PGD 0 P4D 0
[ 287.607612] Oops: 0000 [#1] SMP NOPTI
[ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0
[ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022
[ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod]
[ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ......
[ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202
[ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000
[ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800
[ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff
[ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800
[ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500
[ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000
[ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0
[ 287.713033] Call Trace:
[ 287.715498] raid1d+0x6c/0xbbb [raid1]
[ 287.719256] ? __schedule+0x1ff/0x760
[ 287.722930] ? schedule+0x3b/0xb0
[ 287.726260] ? schedule_timeout+0x1ed/0x290
[ 287.730456] ? __switch_to+0x11f/0x400
[ 287.734219] md_thread+0xe9/0x140 [md_mod]
[ 287.738328] ? md_thread+0xe9/0x140 [md_mod]
[ 287.742601] ? wait_woken+0x80/0x80
[ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod]
[ 287.751064] kthread+0x11a/0x140
[ 287.754300] ? kthread_park+0x90/0x90
[ 287.757974] ret_from_fork+0x1f/0x30
In fact, when raid1 array run fail, we need to do
md_unregister_thread() before raid1_free().
Signed-off-by: Jiang Li <jiang.li@ugreen.com>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/raid1.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
index fb31e5dd54a6..6b5cc3f59fb3 100644
--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -3115,6 +3115,7 @@ static int raid1_run(struct mddev *mddev)
* RAID1 needs at least one disk in active
*/
if (conf->raid_disks - mddev->degraded < 1) {
+ md_unregister_thread(&conf->thread);
ret = -EINVAL;
goto abort;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 519/783] drm/amd/display: fix array index out of bound error in bios parser
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (517 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 518/783] md/raid1: stop mdx_raid1 thread when raid1 array run failed Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 520/783] net: add atomic_long_t to net_device_stats fields Greg Kroah-Hartman
` (273 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Leung, Tom Chung,
Aurabindo Pillai, Daniel Wheeler, Alex Deucher, Sasha Levin
From: Aurabindo Pillai <aurabindo.pillai@amd.com>
[ Upstream commit 4fc1ba4aa589ca267468ad23fedef37562227d32 ]
[Why&How]
Firmware headers dictate that gpio_pin array only has a size of 8. The
count returned from vbios however is greater than 8.
Fix this by not using array indexing but incrementing the pointer since
gpio_pin definition in atomfirmware.h is hardcoded to size 8
Reviewed-by: Martin Leung <Martin.Leung@amd.com>
Acked-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/display/dc/bios/bios_parser2.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
index 29d64e7e304f..930d2b7d3448 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -352,6 +352,7 @@ static enum bp_result get_gpio_i2c_info(
uint32_t count = 0;
unsigned int table_index = 0;
bool find_valid = false;
+ struct atom_gpio_pin_assignment *pin;
if (!info)
return BP_RESULT_BADINPUT;
@@ -379,20 +380,17 @@ static enum bp_result get_gpio_i2c_info(
- sizeof(struct atom_common_table_header))
/ sizeof(struct atom_gpio_pin_assignment);
+ pin = (struct atom_gpio_pin_assignment *) header->gpio_pin;
+
for (table_index = 0; table_index < count; table_index++) {
- if (((record->i2c_id & I2C_HW_CAP) == (
- header->gpio_pin[table_index].gpio_id &
- I2C_HW_CAP)) &&
- ((record->i2c_id & I2C_HW_ENGINE_ID_MASK) ==
- (header->gpio_pin[table_index].gpio_id &
- I2C_HW_ENGINE_ID_MASK)) &&
- ((record->i2c_id & I2C_HW_LANE_MUX) ==
- (header->gpio_pin[table_index].gpio_id &
- I2C_HW_LANE_MUX))) {
+ if (((record->i2c_id & I2C_HW_CAP) == (pin->gpio_id & I2C_HW_CAP)) &&
+ ((record->i2c_id & I2C_HW_ENGINE_ID_MASK) == (pin->gpio_id & I2C_HW_ENGINE_ID_MASK)) &&
+ ((record->i2c_id & I2C_HW_LANE_MUX) == (pin->gpio_id & I2C_HW_LANE_MUX))) {
/* still valid */
find_valid = true;
break;
}
+ pin = (struct atom_gpio_pin_assignment *)((uint8_t *)pin + sizeof(struct atom_gpio_pin_assignment));
}
/* If we don't find the entry that we are looking for then
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 520/783] net: add atomic_long_t to net_device_stats fields
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (518 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 519/783] drm/amd/display: fix array index out of bound error in bios parser Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 521/783] mrp: introduce active flags to prevent UAF when applicant uninit Greg Kroah-Hartman
` (272 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller, Sasha Levin
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 6c1c5097781f563b70a81683ea6fdac21637573b ]
Long standing KCSAN issues are caused by data-race around
some dev->stats changes.
Most performance critical paths already use per-cpu
variables, or per-queue ones.
It is reasonable (and more correct) to use atomic operations
for the slow paths.
This patch adds an union for each field of net_device_stats,
so that we can convert paths that are not yet protected
by a spinlock or a mutex.
netdev_stats_to_stats64() no longer has an #if BITS_PER_LONG==64
Note that the memcpy() we were using on 64bit arches
had no provision to avoid load-tearing,
while atomic_long_read() is providing the needed protection
at no cost.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netdevice.h | 58 +++++++++++++++++++++++----------------
include/net/dst.h | 5 ++--
net/core/dev.c | 14 ++--------
3 files changed, 40 insertions(+), 37 deletions(-)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index ef75567efd27..b478a16ef284 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -166,31 +166,38 @@ static inline bool dev_xmit_complete(int rc)
* (unsigned long) so they can be read and written atomically.
*/
+#define NET_DEV_STAT(FIELD) \
+ union { \
+ unsigned long FIELD; \
+ atomic_long_t __##FIELD; \
+ }
+
struct net_device_stats {
- unsigned long rx_packets;
- unsigned long tx_packets;
- unsigned long rx_bytes;
- unsigned long tx_bytes;
- unsigned long rx_errors;
- unsigned long tx_errors;
- unsigned long rx_dropped;
- unsigned long tx_dropped;
- unsigned long multicast;
- unsigned long collisions;
- unsigned long rx_length_errors;
- unsigned long rx_over_errors;
- unsigned long rx_crc_errors;
- unsigned long rx_frame_errors;
- unsigned long rx_fifo_errors;
- unsigned long rx_missed_errors;
- unsigned long tx_aborted_errors;
- unsigned long tx_carrier_errors;
- unsigned long tx_fifo_errors;
- unsigned long tx_heartbeat_errors;
- unsigned long tx_window_errors;
- unsigned long rx_compressed;
- unsigned long tx_compressed;
+ NET_DEV_STAT(rx_packets);
+ NET_DEV_STAT(tx_packets);
+ NET_DEV_STAT(rx_bytes);
+ NET_DEV_STAT(tx_bytes);
+ NET_DEV_STAT(rx_errors);
+ NET_DEV_STAT(tx_errors);
+ NET_DEV_STAT(rx_dropped);
+ NET_DEV_STAT(tx_dropped);
+ NET_DEV_STAT(multicast);
+ NET_DEV_STAT(collisions);
+ NET_DEV_STAT(rx_length_errors);
+ NET_DEV_STAT(rx_over_errors);
+ NET_DEV_STAT(rx_crc_errors);
+ NET_DEV_STAT(rx_frame_errors);
+ NET_DEV_STAT(rx_fifo_errors);
+ NET_DEV_STAT(rx_missed_errors);
+ NET_DEV_STAT(tx_aborted_errors);
+ NET_DEV_STAT(tx_carrier_errors);
+ NET_DEV_STAT(tx_fifo_errors);
+ NET_DEV_STAT(tx_heartbeat_errors);
+ NET_DEV_STAT(tx_window_errors);
+ NET_DEV_STAT(rx_compressed);
+ NET_DEV_STAT(tx_compressed);
};
+#undef NET_DEV_STAT
#include <linux/cache.h>
@@ -5256,4 +5263,9 @@ do { \
extern struct net_device *blackhole_netdev;
+/* Note: Avoid these macros in fast path, prefer per-cpu or per-queue counters. */
+#define DEV_STATS_INC(DEV, FIELD) atomic_long_inc(&(DEV)->stats.__##FIELD)
+#define DEV_STATS_ADD(DEV, FIELD, VAL) \
+ atomic_long_add((VAL), &(DEV)->stats.__##FIELD)
+
#endif /* _LINUX_NETDEVICE_H */
diff --git a/include/net/dst.h b/include/net/dst.h
index acd15c544cf3..ae2cf57d796b 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -356,9 +356,8 @@ static inline void __skb_tunnel_rx(struct sk_buff *skb, struct net_device *dev,
static inline void skb_tunnel_rx(struct sk_buff *skb, struct net_device *dev,
struct net *net)
{
- /* TODO : stats should be SMP safe */
- dev->stats.rx_packets++;
- dev->stats.rx_bytes += skb->len;
+ DEV_STATS_INC(dev, rx_packets);
+ DEV_STATS_ADD(dev, rx_bytes, skb->len);
__skb_tunnel_rx(skb, dev, net);
}
diff --git a/net/core/dev.c b/net/core/dev.c
index a421c54331ea..37bb60a7e97e 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -10320,24 +10320,16 @@ void netdev_run_todo(void)
void netdev_stats_to_stats64(struct rtnl_link_stats64 *stats64,
const struct net_device_stats *netdev_stats)
{
-#if BITS_PER_LONG == 64
- BUILD_BUG_ON(sizeof(*stats64) < sizeof(*netdev_stats));
- memcpy(stats64, netdev_stats, sizeof(*netdev_stats));
- /* zero out counters that only exist in rtnl_link_stats64 */
- memset((char *)stats64 + sizeof(*netdev_stats), 0,
- sizeof(*stats64) - sizeof(*netdev_stats));
-#else
- size_t i, n = sizeof(*netdev_stats) / sizeof(unsigned long);
- const unsigned long *src = (const unsigned long *)netdev_stats;
+ size_t i, n = sizeof(*netdev_stats) / sizeof(atomic_long_t);
+ const atomic_long_t *src = (atomic_long_t *)netdev_stats;
u64 *dst = (u64 *)stats64;
BUILD_BUG_ON(n > sizeof(*stats64) / sizeof(u64));
for (i = 0; i < n; i++)
- dst[i] = src[i];
+ dst[i] = atomic_long_read(&src[i]);
/* zero out counters that only exist in rtnl_link_stats64 */
memset((char *)stats64 + n * sizeof(u64), 0,
sizeof(*stats64) - n * sizeof(u64));
-#endif
}
EXPORT_SYMBOL(netdev_stats_to_stats64);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 521/783] mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (519 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 520/783] net: add atomic_long_t to net_device_stats fields Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 522/783] ppp: associate skb with a device at tx Greg Kroah-Hartman
` (271 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+6fd64001c20aa99e34a4,
Schspa Shi, David S. Miller, Sasha Levin
From: Schspa Shi <schspa@gmail.com>
[ Upstream commit ab0377803dafc58f1e22296708c1c28e309414d6 ]
The caller of del_timer_sync must prevent restarting of the timer, If
we have no this synchronization, there is a small probability that the
cancellation will not be successful.
And syzbot report the fellowing crash:
==================================================================
BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline]
BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
Write at addr f9ff000024df6058 by task syz-fuzzer/2256
Pointer tag: [f9], memory tag: [fe]
CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008-
ge01d50cbd6ee #0
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156
dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline]
show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x1a8/0x4a0 mm/kasan/report.c:395
kasan_report+0x94/0xb4 mm/kasan/report.c:495
__do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320
do_bad_area arch/arm64/mm/fault.c:473 [inline]
do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749
do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825
el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367
el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427
el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576
hlist_add_head include/linux/list.h:929 [inline]
enqueue_timer+0x18/0xa4 kernel/time/timer.c:605
mod_timer+0x14/0x20 kernel/time/timer.c:1161
mrp_periodic_timer_arm net/802/mrp.c:614 [inline]
mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627
call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474
expire_timers+0x98/0xc4 kernel/time/timer.c:1519
To fix it, we can introduce a new active flags to make sure the timer will
not restart.
Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com
Signed-off-by: Schspa Shi <schspa@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/mrp.h | 1 +
net/802/mrp.c | 18 +++++++++++++-----
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/include/net/mrp.h b/include/net/mrp.h
index 1c308c034e1a..a8102661fd61 100644
--- a/include/net/mrp.h
+++ b/include/net/mrp.h
@@ -120,6 +120,7 @@ struct mrp_applicant {
struct sk_buff *pdu;
struct rb_root mad;
struct rcu_head rcu;
+ bool active;
};
struct mrp_port {
diff --git a/net/802/mrp.c b/net/802/mrp.c
index 35e04cc5390c..c10a432a5b43 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -606,7 +606,10 @@ static void mrp_join_timer(struct timer_list *t)
spin_unlock(&app->lock);
mrp_queue_xmit(app);
- mrp_join_timer_arm(app);
+ spin_lock(&app->lock);
+ if (likely(app->active))
+ mrp_join_timer_arm(app);
+ spin_unlock(&app->lock);
}
static void mrp_periodic_timer_arm(struct mrp_applicant *app)
@@ -620,11 +623,12 @@ static void mrp_periodic_timer(struct timer_list *t)
struct mrp_applicant *app = from_timer(app, t, periodic_timer);
spin_lock(&app->lock);
- mrp_mad_event(app, MRP_EVENT_PERIODIC);
- mrp_pdu_queue(app);
+ if (likely(app->active)) {
+ mrp_mad_event(app, MRP_EVENT_PERIODIC);
+ mrp_pdu_queue(app);
+ mrp_periodic_timer_arm(app);
+ }
spin_unlock(&app->lock);
-
- mrp_periodic_timer_arm(app);
}
static int mrp_pdu_parse_end_mark(struct sk_buff *skb, int *offset)
@@ -872,6 +876,7 @@ int mrp_init_applicant(struct net_device *dev, struct mrp_application *appl)
app->dev = dev;
app->app = appl;
app->mad = RB_ROOT;
+ app->active = true;
spin_lock_init(&app->lock);
skb_queue_head_init(&app->queue);
rcu_assign_pointer(dev->mrp_port->applicants[appl->type], app);
@@ -900,6 +905,9 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl)
RCU_INIT_POINTER(port->applicants[appl->type], NULL);
+ spin_lock_bh(&app->lock);
+ app->active = false;
+ spin_unlock_bh(&app->lock);
/* Delete timer and generate a final TX event to flush out
* all pending messages before the applicant is gone.
*/
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 522/783] ppp: associate skb with a device at tx
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (520 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 521/783] mrp: introduce active flags to prevent UAF when applicant uninit Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 523/783] bpf: Prevent decl_tag from being referenced in func_proto arg Greg Kroah-Hartman
` (270 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Mackerras, linux-ppp,
syzbot+41cab52ab62ee99ed24a, Stanislav Fomichev, David S. Miller,
Sasha Levin
From: Stanislav Fomichev <sdf@google.com>
[ Upstream commit 9f225444467b98579cf28d94f4ad053460dfdb84 ]
Syzkaller triggered flow dissector warning with the following:
r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0)
ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0))
ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]})
pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0)
[ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0
[ 9.485929] skb_get_poff+0x53/0xa0
[ 9.485937] bpf_skb_get_pay_offset+0xe/0x20
[ 9.485944] ? ppp_send_frame+0xc2/0x5b0
[ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60
[ 9.485958] ? __ppp_xmit_process+0x7a/0xe0
[ 9.485968] ? ppp_xmit_process+0x5b/0xb0
[ 9.485974] ? ppp_write+0x12a/0x190
[ 9.485981] ? do_iter_write+0x18e/0x2d0
[ 9.485987] ? __import_iovec+0x30/0x130
[ 9.485997] ? do_pwritev+0x1b6/0x240
[ 9.486016] ? trace_hardirqs_on+0x47/0x50
[ 9.486023] ? __x64_sys_pwritev+0x24/0x30
[ 9.486026] ? do_syscall_64+0x3d/0x80
[ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
Flow dissector tries to find skb net namespace either via device
or via socket. Neigher is set in ppp_send_frame, so let's manually
use ppp->dev.
Cc: Paul Mackerras <paulus@samba.org>
Cc: linux-ppp@vger.kernel.org
Reported-by: syzbot+41cab52ab62ee99ed24a@syzkaller.appspotmail.com
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_generic.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 2b9815ec4a62..b825c6a9b6dd 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1610,6 +1610,8 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb)
int len;
unsigned char *cp;
+ skb->dev = ppp->dev;
+
if (proto < 0x8000) {
#ifdef CONFIG_PPP_FILTER
/* check if we should pass this packet */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 523/783] bpf: Prevent decl_tag from being referenced in func_proto arg
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (521 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 522/783] ppp: associate skb with a device at tx Greg Kroah-Hartman
@ 2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 524/783] ethtool: avoiding integer overflow in ethtool_phys_id() Greg Kroah-Hartman
` (269 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8dd0551dda6020944c5d,
Stanislav Fomichev, Daniel Borkmann, Yonghong Song, Sasha Levin
From: Stanislav Fomichev <sdf@google.com>
[ Upstream commit f17472d4599697d701aa239b4c475a506bccfd19 ]
Syzkaller managed to hit another decl_tag issue:
btf_func_proto_check kernel/bpf/btf.c:4506 [inline]
btf_check_all_types kernel/bpf/btf.c:4734 [inline]
btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763
btf_parse kernel/bpf/btf.c:5042 [inline]
btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709
bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342
__sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034
__do_sys_bpf kernel/bpf/syscall.c:5093 [inline]
__se_sys_bpf kernel/bpf/syscall.c:5091 [inline]
__x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091
do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48
This seems similar to commit ea68376c8bed ("bpf: prevent decl_tag from being
referenced in func_proto") but for the argument.
Reported-by: syzbot+8dd0551dda6020944c5d@syzkaller.appspotmail.com
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20221123035422.872531-2-sdf@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/btf.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 9232938e3f96..52e704860739 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -3675,6 +3675,11 @@ static int btf_func_proto_check(struct btf_verifier_env *env,
break;
}
+ if (btf_type_is_resolve_source_only(arg_type)) {
+ btf_verifier_log_type(env, t, "Invalid arg#%u", i + 1);
+ return -EINVAL;
+ }
+
if (args[i].name_off &&
(!btf_name_offset_valid(btf, args[i].name_off) ||
!btf_name_valid_identifier(btf, args[i].name_off))) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 524/783] ethtool: avoiding integer overflow in ethtool_phys_id()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (522 preceding siblings ...)
2023-01-12 13:53 ` [PATCH 5.10 523/783] bpf: Prevent decl_tag from being referenced in func_proto arg Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 525/783] media: dvb-frontends: fix leak of memory fw Greg Kroah-Hartman
` (268 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Korotkov, Alexander Lobakin,
Andrew Lunn, Jakub Kicinski, Sasha Levin
From: Maxim Korotkov <korotkov.maxim.s@gmail.com>
[ Upstream commit 64a8f8f7127da228d59a39e2c5e75f86590f90b4 ]
The value of an arithmetic expression "n * id.data" is subject
to possible overflow due to a failure to cast operands to a larger data
type before performing arithmetic. Used macro for multiplication instead
operator for avoiding overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Maxim Korotkov <korotkov.maxim.s@gmail.com>
Reviewed-by: Alexander Lobakin <alexandr.lobakin@intel.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/20221122122901.22294-1-korotkov.maxim.s@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ethtool/ioctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 80d2a00d3097..47c2dd4a9b9f 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -1966,7 +1966,8 @@ static int ethtool_phys_id(struct net_device *dev, void __user *useraddr)
} else {
/* Driver expects to be called at twice the frequency in rc */
int n = rc * 2, interval = HZ / n;
- u64 count = n * id.data, i = 0;
+ u64 count = mul_u32_u32(n, id.data);
+ u64 i = 0;
do {
rtnl_lock();
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 525/783] media: dvb-frontends: fix leak of memory fw
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (523 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 524/783] ethtool: avoiding integer overflow in ethtool_phys_id() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 526/783] media: dvbdev: adopts refcnt to avoid UAF Greg Kroah-Hartman
` (267 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yan Lei, Mauro Carvalho Chehab, Sasha Levin
From: Yan Lei <yan_lei@dahuatech.com>
[ Upstream commit a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa ]
Link: https://lore.kernel.org/linux-media/20220410061925.4107-1-chinayanlei2002@163.com
Signed-off-by: Yan Lei <yan_lei@dahuatech.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-frontends/bcm3510.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/dvb-frontends/bcm3510.c b/drivers/media/dvb-frontends/bcm3510.c
index da0ff7b44da4..68b92b4419cf 100644
--- a/drivers/media/dvb-frontends/bcm3510.c
+++ b/drivers/media/dvb-frontends/bcm3510.c
@@ -649,6 +649,7 @@ static int bcm3510_download_firmware(struct dvb_frontend* fe)
deb_info("firmware chunk, addr: 0x%04x, len: 0x%04x, total length: 0x%04zx\n",addr,len,fw->size);
if ((ret = bcm3510_write_ram(st,addr,&b[i+4],len)) < 0) {
err("firmware download failed: %d\n",ret);
+ release_firmware(fw);
return ret;
}
i += 4 + len;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 526/783] media: dvbdev: adopts refcnt to avoid UAF
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (524 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 525/783] media: dvb-frontends: fix leak of memory fw Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 527/783] media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Greg Kroah-Hartman
` (266 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lin Ma, kernel test robot,
Mauro Carvalho Chehab, Sasha Levin
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 ]
dvb_unregister_device() is known that prone to use-after-free.
That is, the cleanup from dvb_unregister_device() releases the dvb_device
even if there are pointers stored in file->private_data still refer to it.
This patch adds a reference counter into struct dvb_device and delays its
deallocation until no pointer refers to the object.
Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-core/dvb_ca_en50221.c | 2 +-
drivers/media/dvb-core/dvb_frontend.c | 2 +-
drivers/media/dvb-core/dvbdev.c | 32 +++++++++++++++++++------
include/media/dvbdev.h | 31 +++++++++++++-----------
4 files changed, 44 insertions(+), 23 deletions(-)
diff --git a/drivers/media/dvb-core/dvb_ca_en50221.c b/drivers/media/dvb-core/dvb_ca_en50221.c
index cfc27629444f..fd476536d32e 100644
--- a/drivers/media/dvb-core/dvb_ca_en50221.c
+++ b/drivers/media/dvb-core/dvb_ca_en50221.c
@@ -157,7 +157,7 @@ static void dvb_ca_private_free(struct dvb_ca_private *ca)
{
unsigned int i;
- dvb_free_device(ca->dvbdev);
+ dvb_device_put(ca->dvbdev);
for (i = 0; i < ca->slot_count; i++)
vfree(ca->slot_info[i].rx_buffer.data);
diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
index b28ea7204f23..b04638321b75 100644
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -135,7 +135,7 @@ static void __dvb_frontend_free(struct dvb_frontend *fe)
struct dvb_frontend_private *fepriv = fe->frontend_priv;
if (fepriv)
- dvb_free_device(fepriv->dvbdev);
+ dvb_device_put(fepriv->dvbdev);
dvb_frontend_invoke_release(fe, fe->ops.release);
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index ec9ebff28552..7b28b483e4b2 100644
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -107,7 +107,7 @@ static int dvb_device_open(struct inode *inode, struct file *file)
new_fops = fops_get(dvbdev->fops);
if (!new_fops)
goto fail;
- file->private_data = dvbdev;
+ file->private_data = dvb_device_get(dvbdev);
replace_fops(file, new_fops);
if (file->f_op->open)
err = file->f_op->open(inode, file);
@@ -171,6 +171,9 @@ int dvb_generic_release(struct inode *inode, struct file *file)
}
dvbdev->users++;
+
+ dvb_device_put(dvbdev);
+
return 0;
}
EXPORT_SYMBOL(dvb_generic_release);
@@ -487,6 +490,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
return -ENOMEM;
}
+ kref_init(&dvbdev->ref);
memcpy(dvbdev, template, sizeof(struct dvb_device));
dvbdev->type = type;
dvbdev->id = id;
@@ -517,7 +521,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
#endif
dvbdev->minor = minor;
- dvb_minors[minor] = dvbdev;
+ dvb_minors[minor] = dvb_device_get(dvbdev);
up_write(&minor_rwsem);
ret = dvb_register_media_device(dvbdev, type, minor, demux_sink_pads);
@@ -557,6 +561,7 @@ void dvb_remove_device(struct dvb_device *dvbdev)
down_write(&minor_rwsem);
dvb_minors[dvbdev->minor] = NULL;
+ dvb_device_put(dvbdev);
up_write(&minor_rwsem);
dvb_media_device_free(dvbdev);
@@ -568,21 +573,34 @@ void dvb_remove_device(struct dvb_device *dvbdev)
EXPORT_SYMBOL(dvb_remove_device);
-void dvb_free_device(struct dvb_device *dvbdev)
+static void dvb_free_device(struct kref *ref)
{
- if (!dvbdev)
- return;
+ struct dvb_device *dvbdev = container_of(ref, struct dvb_device, ref);
kfree (dvbdev->fops);
kfree (dvbdev);
}
-EXPORT_SYMBOL(dvb_free_device);
+
+
+struct dvb_device *dvb_device_get(struct dvb_device *dvbdev)
+{
+ kref_get(&dvbdev->ref);
+ return dvbdev;
+}
+EXPORT_SYMBOL(dvb_device_get);
+
+
+void dvb_device_put(struct dvb_device *dvbdev)
+{
+ if (dvbdev)
+ kref_put(&dvbdev->ref, dvb_free_device);
+}
void dvb_unregister_device(struct dvb_device *dvbdev)
{
dvb_remove_device(dvbdev);
- dvb_free_device(dvbdev);
+ dvb_device_put(dvbdev);
}
EXPORT_SYMBOL(dvb_unregister_device);
diff --git a/include/media/dvbdev.h b/include/media/dvbdev.h
index e547cbeee431..6e736587aa1f 100644
--- a/include/media/dvbdev.h
+++ b/include/media/dvbdev.h
@@ -156,6 +156,7 @@ struct dvb_adapter {
*/
struct dvb_device {
struct list_head list_head;
+ struct kref ref;
const struct file_operations *fops;
struct dvb_adapter *adapter;
enum dvb_device_type type;
@@ -187,6 +188,20 @@ struct dvb_device {
void *priv;
};
+/**
+ * dvb_device_get - Increase dvb_device reference
+ *
+ * @dvbdev: pointer to struct dvb_device
+ */
+struct dvb_device *dvb_device_get(struct dvb_device *dvbdev);
+
+/**
+ * dvb_device_get - Decrease dvb_device reference
+ *
+ * @dvbdev: pointer to struct dvb_device
+ */
+void dvb_device_put(struct dvb_device *dvbdev);
+
/**
* dvb_register_adapter - Registers a new DVB adapter
*
@@ -231,29 +246,17 @@ int dvb_register_device(struct dvb_adapter *adap,
/**
* dvb_remove_device - Remove a registered DVB device
*
- * This does not free memory. To do that, call dvb_free_device().
+ * This does not free memory. dvb_free_device() will do that when
+ * reference counter is empty
*
* @dvbdev: pointer to struct dvb_device
*/
void dvb_remove_device(struct dvb_device *dvbdev);
-/**
- * dvb_free_device - Free memory occupied by a DVB device.
- *
- * Call dvb_unregister_device() before calling this function.
- *
- * @dvbdev: pointer to struct dvb_device
- */
-void dvb_free_device(struct dvb_device *dvbdev);
/**
* dvb_unregister_device - Unregisters a DVB device
*
- * This is a combination of dvb_remove_device() and dvb_free_device().
- * Using this function is usually a mistake, and is often an indicator
- * for a use-after-free bug (when a userspace process keeps a file
- * handle to a detached device).
- *
* @dvbdev: pointer to struct dvb_device
*/
void dvb_unregister_device(struct dvb_device *dvbdev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 527/783] media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (525 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 526/783] media: dvbdev: adopts refcnt to avoid UAF Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 528/783] blk-mq: fix possible memleak when register hctx failed Greg Kroah-Hartman
` (265 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mazin Al Haddad,
Mauro Carvalho Chehab, Sasha Levin, syzbot+f66dd31987e6740657be
From: Mazin Al Haddad <mazinalhaddad05@gmail.com>
[ Upstream commit 94d90fb06b94a90c176270d38861bcba34ce377d ]
Syzbot reports a memory leak in "dvb_usb_adapter_init()".
The leak is due to not accounting for and freeing current iteration's
adapter->priv in case of an error. Currently if an error occurs,
it will exit before incrementing "num_adapters_initalized",
which is used as a reference counter to free all adap->priv
in "dvb_usb_adapter_exit()". There are multiple error paths that
can exit from before incrementing the counter. Including the
error handling paths for "dvb_usb_adapter_stream_init()",
"dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()"
within "dvb_usb_adapter_init()".
This means that in case of an error in any of these functions the
current iteration is not accounted for and the current iteration's
adap->priv is not freed.
Fix this by freeing the current iteration's adap->priv in the
"stream_init_err:" label in the error path. The rest of the
(accounted for) adap->priv objects are freed in dvb_usb_adapter_exit()
as expected using the num_adapters_initalized variable.
Syzbot report:
BUG: memory leak
unreferenced object 0xffff8881172f1a00 (size 512):
comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff844af012>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline]
[<ffffffff844af012>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
[<ffffffff844af012>] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
[<ffffffff830db21d>] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883
[<ffffffff82d3fdc7>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
[<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
[<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
[<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
[<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
[<ffffffff8274af6a>] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782
[<ffffffff8274b786>] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899
[<ffffffff82747c87>] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427
[<ffffffff8274b352>] __device_attach+0x122/0x260 drivers/base/dd.c:970
[<ffffffff827498f6>] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487
[<ffffffff82745cdb>] device_add+0x5fb/0xdf0 drivers/base/core.c:3405
[<ffffffff82d3d202>] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170
[<ffffffff82d4dbfc>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
[<ffffffff82d3f49c>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
[<ffffffff8274ab37>] call_driver_probe drivers/base/dd.c:542 [inline]
[<ffffffff8274ab37>] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621
[<ffffffff8274ae6c>] really_probe drivers/base/dd.c:583 [inline]
[<ffffffff8274ae6c>] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752
Link: https://syzkaller.appspot.com/bug?extid=f66dd31987e6740657be
Reported-and-tested-by: syzbot+f66dd31987e6740657be@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-media/20220824012152.539788-1-mazinalhaddad05@gmail.com
Signed-off-by: Mazin Al Haddad <mazinalhaddad05@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/dvb-usb/dvb-usb-init.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c
index 61439c8f33ca..58eea8ab5477 100644
--- a/drivers/media/usb/dvb-usb/dvb-usb-init.c
+++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c
@@ -81,7 +81,7 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
ret = dvb_usb_adapter_stream_init(adap);
if (ret)
- return ret;
+ goto stream_init_err;
ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs);
if (ret)
@@ -114,6 +114,8 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs)
dvb_usb_adapter_dvb_exit(adap);
dvb_init_err:
dvb_usb_adapter_stream_exit(adap);
+stream_init_err:
+ kfree(adap->priv);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 528/783] blk-mq: fix possible memleak when register hctx failed
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (526 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 527/783] media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 529/783] libbpf: Avoid enum forward-declarations in public API in C++ mode Greg Kroah-Hartman
` (264 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Ming Lei, Jens Axboe, Sasha Levin
From: Ye Bin <yebin10@huawei.com>
[ Upstream commit 4b7a21c57b14fbcd0e1729150189e5933f5088e9 ]
There's issue as follows when do fault injection test:
unreferenced object 0xffff888132a9f400 (size 512):
comm "insmod", pid 308021, jiffies 4324277909 (age 509.733s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff ...........2....
08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00 ...2............
backtrace:
[<00000000e8952bb4>] kmalloc_node_trace+0x22/0xa0
[<00000000f9980e0f>] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0
[<000000002e719efa>] blk_mq_realloc_hw_ctxs+0x1e6/0x230
[<000000004f1fda40>] blk_mq_init_allocated_queue+0x27e/0x910
[<00000000287123ec>] __blk_mq_alloc_disk+0x67/0xf0
[<00000000a2a34657>] 0xffffffffa2ad310f
[<00000000b173f718>] 0xffffffffa2af824a
[<0000000095a1dabb>] do_one_initcall+0x87/0x2a0
[<00000000f32fdf93>] do_init_module+0xdf/0x320
[<00000000cbe8541e>] load_module+0x3006/0x3390
[<0000000069ed1bdb>] __do_sys_finit_module+0x113/0x1b0
[<00000000a1a29ae8>] do_syscall_64+0x35/0x80
[<000000009cd878b0>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
Fault injection context as follows:
kobject_add
blk_mq_register_hctx
blk_mq_sysfs_register
blk_register_queue
device_add_disk
null_add_dev.part.0 [null_blk]
As 'blk_mq_register_hctx' may already add some objects when failed halfway,
but there isn't do fallback, caller don't know which objects add failed.
To solve above issue just do fallback when add objects failed halfway in
'blk_mq_register_hctx'.
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20221117022940.873959-1-yebin@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-mq-sysfs.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c
index 7b52e7657b2d..f0bc3398f3ed 100644
--- a/block/blk-mq-sysfs.c
+++ b/block/blk-mq-sysfs.c
@@ -242,7 +242,7 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx)
{
struct request_queue *q = hctx->queue;
struct blk_mq_ctx *ctx;
- int i, ret;
+ int i, j, ret;
if (!hctx->nr_ctx)
return 0;
@@ -254,9 +254,16 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx)
hctx_for_each_ctx(hctx, ctx, i) {
ret = kobject_add(&ctx->kobj, &hctx->kobj, "cpu%u", ctx->cpu);
if (ret)
- break;
+ goto out;
}
+ return 0;
+out:
+ hctx_for_each_ctx(hctx, ctx, j) {
+ if (j < i)
+ kobject_del(&ctx->kobj);
+ }
+ kobject_del(&hctx->kobj);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 529/783] libbpf: Avoid enum forward-declarations in public API in C++ mode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (527 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 528/783] blk-mq: fix possible memleak when register hctx failed Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 530/783] regulator: core: fix use_count leakage when handling boot-on Greg Kroah-Hartman
` (263 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko, Daniel Borkmann,
Sasha Levin
From: Andrii Nakryiko <andrii@kernel.org>
[ Upstream commit b42693415b86f608049cf1b4870adc1dc65e58b0 ]
C++ enum forward declarations are fundamentally not compatible with pure
C enum definitions, and so libbpf's use of `enum bpf_stats_type;`
forward declaration in libbpf/bpf.h public API header is causing C++
compilation issues.
More details can be found in [0], but it comes down to C++ supporting
enum forward declaration only with explicitly specified backing type:
enum bpf_stats_type: int;
In C (and I believe it's a GCC extension also), such forward declaration
is simply:
enum bpf_stats_type;
Further, in Linux UAPI this enum is defined in pure C way:
enum bpf_stats_type { BPF_STATS_RUN_TIME = 0; }
And even though in both cases backing type is int, which can be
confirmed by looking at DWARF information, for C++ compiler actual enum
definition and forward declaration are incompatible.
To eliminate this problem, for C++ mode define input argument as int,
which makes enum unnecessary in libbpf public header. This solves the
issue and as demonstrated by next patch doesn't cause any unwanted
compiler warnings, at least with default warnings setting.
[0] https://stackoverflow.com/questions/42766839/c11-enum-forward-causes-underlying-type-mismatch
[1] Closes: https://github.com/libbpf/libbpf/issues/249
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20221130200013.2997831-1-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/lib/bpf/bpf.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tools/lib/bpf/bpf.h b/tools/lib/bpf/bpf.h
index 875dde20d56e..92a3eaa154dd 100644
--- a/tools/lib/bpf/bpf.h
+++ b/tools/lib/bpf/bpf.h
@@ -241,8 +241,15 @@ LIBBPF_API int bpf_task_fd_query(int pid, int fd, __u32 flags, char *buf,
__u32 *buf_len, __u32 *prog_id, __u32 *fd_type,
__u64 *probe_offset, __u64 *probe_addr);
+#ifdef __cplusplus
+/* forward-declaring enums in C++ isn't compatible with pure C enums, so
+ * instead define bpf_enable_stats() as accepting int as an input
+ */
+LIBBPF_API int bpf_enable_stats(int type);
+#else
enum bpf_stats_type; /* defined in up-to-date linux/bpf.h */
LIBBPF_API int bpf_enable_stats(enum bpf_stats_type type);
+#endif
struct bpf_prog_bind_opts {
size_t sz; /* size of this struct for forward/backward compatibility */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 530/783] regulator: core: fix use_count leakage when handling boot-on
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (528 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 529/783] libbpf: Avoid enum forward-declarations in public API in C++ mode Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 531/783] mmc: f-sdh30: Add quirks for broken timeout clock capability Greg Kroah-Hartman
` (262 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rui Zhang, Mark Brown, Sasha Levin
From: Rui Zhang <zr.zhang@vivo.com>
[ Upstream commit 0591b14ce0398125439c759f889647369aa616a0 ]
I found a use_count leakage towards supply regulator of rdev with
boot-on option.
┌───────────────────┐ ┌───────────────────┐
│ regulator_dev A │ │ regulator_dev B │
│ (boot-on) │ │ (boot-on) │
│ use_count=0 │◀──supply──│ use_count=1 │
│ │ │ │
└───────────────────┘ └───────────────────┘
In case of rdev(A) configured with `regulator-boot-on', the use_count
of supplying regulator(B) will increment inside
regulator_enable(rdev->supply).
Thus, B will acts like always-on, and further balanced
regulator_enable/disable cannot actually disable it anymore.
However, B was also configured with `regulator-boot-on', we wish it
could be disabled afterwards.
Signed-off-by: Rui Zhang <zr.zhang@vivo.com>
Link: https://lore.kernel.org/r/20221201033806.2567812-1-zr.zhang@vivo.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 4472c31b9b00..df746ba5c1bc 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -1428,7 +1428,13 @@ static int set_machine_constraints(struct regulator_dev *rdev)
if (rdev->supply_name && !rdev->supply)
return -EPROBE_DEFER;
- if (rdev->supply) {
+ /* If supplying regulator has already been enabled,
+ * it's not intended to have use_count increment
+ * when rdev is only boot-on.
+ */
+ if (rdev->supply &&
+ (rdev->constraints->always_on ||
+ !regulator_is_enabled(rdev->supply))) {
ret = regulator_enable(rdev->supply);
if (ret < 0) {
_regulator_put(rdev->supply);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 531/783] mmc: f-sdh30: Add quirks for broken timeout clock capability
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (529 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 530/783] regulator: core: fix use_count leakage when handling boot-on Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 532/783] mmc: renesas_sdhi: better reset from HS400 mode Greg Kroah-Hartman
` (261 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kunihiko Hayashi, Jassi Brar,
Ulf Hansson, Sasha Levin
From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
[ Upstream commit aae9d3a440736691b3c1cb09ae2c32c4f1ee2e67 ]
There is a case where the timeout clock is not supplied to the capability.
Add a quirk for that.
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Acked-by: Jassi Brar <jaswinder.singh@linaro.org>
Link: https://lore.kernel.org/r/20221111081033.3813-7-hayashi.kunihiko@socionext.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/sdhci_f_sdh30.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/mmc/host/sdhci_f_sdh30.c b/drivers/mmc/host/sdhci_f_sdh30.c
index 3f5977979cf2..6c4f43e11282 100644
--- a/drivers/mmc/host/sdhci_f_sdh30.c
+++ b/drivers/mmc/host/sdhci_f_sdh30.c
@@ -168,6 +168,9 @@ static int sdhci_f_sdh30_probe(struct platform_device *pdev)
if (reg & SDHCI_CAN_DO_8BIT)
priv->vendor_hs200 = F_SDH30_EMMC_HS200;
+ if (!(reg & SDHCI_TIMEOUT_CLK_MASK))
+ host->quirks |= SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK;
+
ret = sdhci_add_host(host);
if (ret)
goto err_add_host;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 532/783] mmc: renesas_sdhi: better reset from HS400 mode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (530 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 531/783] mmc: f-sdh30: Add quirks for broken timeout clock capability Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 533/783] media: si470x: Fix use-after-free in si470x_int_in_callback() Greg Kroah-Hartman
` (260 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Yoshihiro Shimoda,
Ulf Hansson, Sasha Levin
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 0da69dd2155019ed4c444ede0e79ce7a4a6af627 ]
Up to now, HS400 adjustment mode was only disabled on soft reset when a
calibration table was in use. It is safer, though, to disable it as soon
as the instance has an adjustment related quirk set, i.e. bad taps or a
calibration table.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Tested-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/20221120113457.42010-3-wsa+renesas@sang-engineering.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/host/renesas_sdhi_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/host/renesas_sdhi_core.c b/drivers/mmc/host/renesas_sdhi_core.c
index ac01fb518386..a49b8fe2a098 100644
--- a/drivers/mmc/host/renesas_sdhi_core.c
+++ b/drivers/mmc/host/renesas_sdhi_core.c
@@ -537,7 +537,7 @@ static void renesas_sdhi_reset_hs400_mode(struct tmio_mmc_host *host,
SH_MOBILE_SDHI_SCC_TMPPORT2_HS400OSEL) &
sd_scc_read32(host, priv, SH_MOBILE_SDHI_SCC_TMPPORT2));
- if (priv->adjust_hs400_calib_table)
+ if (priv->quirks && (priv->quirks->hs400_calib_table || priv->quirks->hs400_bad_taps))
renesas_sdhi_adjust_hs400_mode_disable(host);
sd_ctrl_write16(host, CTL_SD_CARD_CLK_CTL, CLK_CTL_SCLKEN |
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 533/783] media: si470x: Fix use-after-free in si470x_int_in_callback()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (531 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 532/783] mmc: renesas_sdhi: better reset from HS400 mode Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 534/783] clk: st: Fix memory leak in st_of_quadfs_setup() Greg Kroah-Hartman
` (259 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9ca7a12fd736d93e0232,
Shigeru Yoshida, Hans Verkuil, Sasha Levin
From: Shigeru Yoshida <syoshida@redhat.com>
[ Upstream commit 7d21e0b1b41b21d628bf2afce777727bd4479aa5 ]
syzbot reported use-after-free in si470x_int_in_callback() [1]. This
indicates that urb->context, which contains struct si470x_device
object, is freed when si470x_int_in_callback() is called.
The cause of this issue is that si470x_int_in_callback() is called for
freed urb.
si470x_usb_driver_probe() calls si470x_start_usb(), which then calls
usb_submit_urb() and si470x_start(). If si470x_start_usb() fails,
si470x_usb_driver_probe() doesn't kill urb, but it just frees struct
si470x_device object, as depicted below:
si470x_usb_driver_probe()
...
si470x_start_usb()
...
usb_submit_urb()
retval = si470x_start()
return retval
if (retval < 0)
free struct si470x_device object, but don't kill urb
This patch fixes this issue by killing urb when si470x_start_usb()
fails and urb is submitted. If si470x_start_usb() fails and urb is
not submitted, i.e. submitting usb fails, it just frees struct
si470x_device object.
Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=94ed6dddd5a55e90fd4bab942aa4bb297741d977 [1]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/radio/si470x/radio-si470x-usb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c
index 3f8634a46573..1365ae732b79 100644
--- a/drivers/media/radio/si470x/radio-si470x-usb.c
+++ b/drivers/media/radio/si470x/radio-si470x-usb.c
@@ -733,8 +733,10 @@ static int si470x_usb_driver_probe(struct usb_interface *intf,
/* start radio */
retval = si470x_start_usb(radio);
- if (retval < 0)
+ if (retval < 0 && !radio->int_in_running)
goto err_buf;
+ else if (retval < 0) /* in case of radio->int_in_running == 1 */
+ goto err_all;
/* set initial frequency */
si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 534/783] clk: st: Fix memory leak in st_of_quadfs_setup()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (532 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 533/783] media: si470x: Fix use-after-free in si470x_int_in_callback() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 535/783] hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() Greg Kroah-Hartman
` (258 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiu Jianfeng, Patrice Chotard,
Stephen Boyd, Sasha Levin
From: Xiu Jianfeng <xiujianfeng@huawei.com>
[ Upstream commit cfd3ffb36f0d566846163118651d868e607300ba ]
If st_clk_register_quadfs_pll() fails, @lock should be freed before goto
@err_exit, otherwise will cause meory leak issue, fix it.
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Link: https://lore.kernel.org/r/20221122133614.184910-1-xiujianfeng@huawei.com
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/st/clkgen-fsyn.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/st/clkgen-fsyn.c b/drivers/clk/st/clkgen-fsyn.c
index f1adc858b590..0e58a7cda427 100644
--- a/drivers/clk/st/clkgen-fsyn.c
+++ b/drivers/clk/st/clkgen-fsyn.c
@@ -942,9 +942,10 @@ static void __init st_of_quadfs_setup(struct device_node *np,
clk = st_clk_register_quadfs_pll(pll_name, clk_parent_name, data,
reg, lock);
- if (IS_ERR(clk))
+ if (IS_ERR(clk)) {
+ kfree(lock);
goto err_exit;
- else
+ } else
pr_debug("%s: parent %s rate %u\n",
__clk_get_name(clk),
__clk_get_name(clk_get_parent(clk)),
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 535/783] hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (533 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 534/783] clk: st: Fix memory leak in st_of_quadfs_setup() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 536/783] drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() Greg Kroah-Hartman
` (257 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+a3e6acd85ded5c16a709,
Hawkins Jiawei, Mike Kravetz, Muchun Song, Ian Kent,
Andrew Morton, Sasha Levin
From: Hawkins Jiawei <yin31149@gmail.com>
[ Upstream commit 26215b7ee923b9251f7bb12c4e5f09dc465d35f2 ]
Syzkaller reports a null-ptr-deref bug as follows:
======================================================
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380
[...]
Call Trace:
<TASK>
vfs_parse_fs_param fs/fs_context.c:148 [inline]
vfs_parse_fs_param+0x1f9/0x3c0 fs/fs_context.c:129
vfs_parse_fs_string+0xdb/0x170 fs/fs_context.c:191
generic_parse_monolithic+0x16f/0x1f0 fs/fs_context.c:231
do_new_mount fs/namespace.c:3036 [inline]
path_mount+0x12de/0x1e20 fs/namespace.c:3370
do_mount fs/namespace.c:3383 [inline]
__do_sys_mount fs/namespace.c:3591 [inline]
__se_sys_mount fs/namespace.c:3568 [inline]
__x64_sys_mount+0x27f/0x300 fs/namespace.c:3568
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
[...]
</TASK>
======================================================
According to commit "vfs: parse: deal with zero length string value",
kernel will set the param->string to null pointer in vfs_parse_fs_string()
if fs string has zero length.
Yet the problem is that, hugetlbfs_parse_param() will dereference the
param->string, without checking whether it is a null pointer. To be more
specific, if hugetlbfs_parse_param() parses an illegal mount parameter,
such as "size=,", kernel will constructs struct fs_parameter with null
pointer in vfs_parse_fs_string(), then passes this struct fs_parameter to
hugetlbfs_parse_param(), which triggers the above null-ptr-deref bug.
This patch solves it by adding sanity check on param->string
in hugetlbfs_parse_param().
Link: https://lkml.kernel.org/r/20221020231609.4810-1-yin31149@gmail.com
Reported-by: syzbot+a3e6acd85ded5c16a709@syzkaller.appspotmail.com
Tested-by: syzbot+a3e6acd85ded5c16a709@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/0000000000005ad00405eb7148c6@google.com/
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Hawkins Jiawei <yin31149@gmail.com>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: Ian Kent <raven@themaw.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/hugetlbfs/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index a2f43f1a85f8..5181e6d4e18c 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -1261,7 +1261,7 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par
case Opt_size:
/* memparse() will accept a K/M/G without a digit */
- if (!isdigit(param->string[0]))
+ if (!param->string || !isdigit(param->string[0]))
goto bad_val;
ctx->max_size_opt = memparse(param->string, &rest);
ctx->max_val_type = SIZE_STD;
@@ -1271,7 +1271,7 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par
case Opt_nr_inodes:
/* memparse() will accept a K/M/G without a digit */
- if (!isdigit(param->string[0]))
+ if (!param->string || !isdigit(param->string[0]))
goto bad_val;
ctx->nr_inodes = memparse(param->string, &rest);
return 0;
@@ -1287,7 +1287,7 @@ static int hugetlbfs_parse_param(struct fs_context *fc, struct fs_parameter *par
case Opt_min_size:
/* memparse() will accept a K/M/G without a digit */
- if (!isdigit(param->string[0]))
+ if (!param->string || !isdigit(param->string[0]))
goto bad_val;
ctx->min_size_opt = memparse(param->string, &rest);
ctx->min_val_type = SIZE_STD;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 536/783] drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (534 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 535/783] hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 537/783] drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() Greg Kroah-Hartman
` (256 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sami Tolvanen, Nathan Chancellor,
Kees Cook, Sasha Levin
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 96d845a67b7e406cfed7880a724c8ca6121e022e ]
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c:74:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.mode_valid = fsl_dcu_drm_connector_mode_valid,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
->mode_valid() in 'struct drm_connector_helper_funcs' expects a return
type of 'enum drm_mode_status', not 'int'. Adjust the return type of
fsl_dcu_drm_connector_mode_valid() to match the prototype's to resolve
the warning and CFI failure.
Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Reported-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102154215.78059-1-nathan@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c
index 4d4a715b429d..2c2b92324a2e 100644
--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c
+++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c
@@ -60,8 +60,9 @@ static int fsl_dcu_drm_connector_get_modes(struct drm_connector *connector)
return drm_panel_get_modes(fsl_connector->panel, connector);
}
-static int fsl_dcu_drm_connector_mode_valid(struct drm_connector *connector,
- struct drm_display_mode *mode)
+static enum drm_mode_status
+fsl_dcu_drm_connector_mode_valid(struct drm_connector *connector,
+ struct drm_display_mode *mode)
{
if (mode->hdisplay & 0xf)
return MODE_ERROR;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 537/783] drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (535 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 536/783] drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 538/783] orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() Greg Kroah-Hartman
` (255 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Kees Cook, Sasha Levin
From: Nathan Chancellor <nathan@kernel.org>
[ Upstream commit 0ad811cc08a937d875cbad0149c1bab17f84ba05 ]
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/gpu/drm/sti/sti_hda.c:637:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.mode_valid = sti_hda_connector_mode_valid,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/sti/sti_dvo.c:376:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.mode_valid = sti_dvo_connector_mode_valid,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/sti/sti_hdmi.c:1035:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.mode_valid = sti_hdmi_connector_mode_valid,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
->mode_valid() in 'struct drm_connector_helper_funcs' expects a return
type of 'enum drm_mode_status', not 'int'. Adjust the return type of
sti_{dvo,hda,hdmi}_connector_mode_valid() to match the prototype's to
resolve the warning and CFI failure.
Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221102155623.3042869-1-nathan@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sti/sti_dvo.c | 5 +++--
drivers/gpu/drm/sti/sti_hda.c | 5 +++--
drivers/gpu/drm/sti/sti_hdmi.c | 5 +++--
3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c
index b0676a73a1d7..11225ac213e1 100644
--- a/drivers/gpu/drm/sti/sti_dvo.c
+++ b/drivers/gpu/drm/sti/sti_dvo.c
@@ -346,8 +346,9 @@ static int sti_dvo_connector_get_modes(struct drm_connector *connector)
#define CLK_TOLERANCE_HZ 50
-static int sti_dvo_connector_mode_valid(struct drm_connector *connector,
- struct drm_display_mode *mode)
+static enum drm_mode_status
+sti_dvo_connector_mode_valid(struct drm_connector *connector,
+ struct drm_display_mode *mode)
{
int target = mode->clock * 1000;
int target_min = target - CLK_TOLERANCE_HZ;
diff --git a/drivers/gpu/drm/sti/sti_hda.c b/drivers/gpu/drm/sti/sti_hda.c
index 84109800143a..418dfccc2faf 100644
--- a/drivers/gpu/drm/sti/sti_hda.c
+++ b/drivers/gpu/drm/sti/sti_hda.c
@@ -600,8 +600,9 @@ static int sti_hda_connector_get_modes(struct drm_connector *connector)
#define CLK_TOLERANCE_HZ 50
-static int sti_hda_connector_mode_valid(struct drm_connector *connector,
- struct drm_display_mode *mode)
+static enum drm_mode_status
+sti_hda_connector_mode_valid(struct drm_connector *connector,
+ struct drm_display_mode *mode)
{
int target = mode->clock * 1000;
int target_min = target - CLK_TOLERANCE_HZ;
diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c
index 412664dfb0b0..1bcee73f5114 100644
--- a/drivers/gpu/drm/sti/sti_hdmi.c
+++ b/drivers/gpu/drm/sti/sti_hdmi.c
@@ -997,8 +997,9 @@ static int sti_hdmi_connector_get_modes(struct drm_connector *connector)
#define CLK_TOLERANCE_HZ 50
-static int sti_hdmi_connector_mode_valid(struct drm_connector *connector,
- struct drm_display_mode *mode)
+static enum drm_mode_status
+sti_hdmi_connector_mode_valid(struct drm_connector *connector,
+ struct drm_display_mode *mode)
{
int target = mode->clock * 1000;
int target_min = target - CLK_TOLERANCE_HZ;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 538/783] orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (536 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 537/783] drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 539/783] orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init() Greg Kroah-Hartman
` (254 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Xiaoxu, Mike Marshall, Sasha Levin
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[ Upstream commit d23417a5bf3a3afc55de5442eb46e1e60458b0a1 ]
When insert and remove the orangefs module, then debug_help_string will
be leaked:
unreferenced object 0xffff8881652ba000 (size 4096):
comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s)
hex dump (first 32 bytes):
43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key
77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow
backtrace:
[<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0
[<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs]
[<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t]
[<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0
[<000000001d0614ae>] do_init_module+0xdf/0x320
[<00000000efef068c>] load_module+0x2f98/0x3330
[<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0
[<00000000a0da6f99>] do_syscall_64+0x35/0x80
[<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
When remove the module, should always free debug_help_string. Should
always free the allocated buffer when change the free_debug_help_string.
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/orangefs/orangefs-debugfs.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index 29eaa4544372..a848b6ef9599 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -222,6 +222,8 @@ static void orangefs_kernel_debug_init(void)
void orangefs_debugfs_cleanup(void)
{
debugfs_remove_recursive(debug_dir);
+ kfree(debug_help_string);
+ debug_help_string = NULL;
}
/* open ORANGEFS_KMOD_DEBUG_HELP_FILE */
@@ -671,6 +673,7 @@ int orangefs_prepare_debugfs_help_string(int at_boot)
memset(debug_help_string, 0, DEBUG_HELP_STRING_SIZE);
strlcat(debug_help_string, new, string_size);
mutex_unlock(&orangefs_help_file_lock);
+ kfree(new);
}
rc = 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 539/783] orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (537 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 538/783] orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 540/783] hwmon: (jc42) Fix missing unlock on error in jc42_write() Greg Kroah-Hartman
` (253 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Xiaoxu, Mike Marshall, Sasha Levin
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[ Upstream commit 31720a2b109b3080eb77e97b8f6f50a27b4ae599 ]
When insert and remove the orangefs module, there are memory leaked
as below:
unreferenced object 0xffff88816b0cc000 (size 2048):
comm "insmod", pid 783, jiffies 4294813439 (age 65.512s)
hex dump (first 32 bytes):
6e 6f 6e 65 0a 00 00 00 00 00 00 00 00 00 00 00 none............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<0000000031ab7788>] kmalloc_trace+0x27/0xa0
[<000000005b405fee>] orangefs_debugfs_init.cold+0xaf/0x17f
[<00000000e5a0085b>] 0xffffffffa02780f9
[<000000004232d9f7>] do_one_initcall+0x87/0x2a0
[<0000000054f22384>] do_init_module+0xdf/0x320
[<000000003263bdea>] load_module+0x2f98/0x3330
[<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0
[<00000000250ae02b>] do_syscall_64+0x35/0x80
[<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0
Use the golbal variable as the buffer rather than dynamic allocate to
slove the problem.
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Mike Marshall <hubcap@omnibond.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/orangefs/orangefs-debugfs.c | 26 +++-----------------------
1 file changed, 3 insertions(+), 23 deletions(-)
diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
index a848b6ef9599..1b508f543384 100644
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@@ -194,15 +194,10 @@ void orangefs_debugfs_init(int debug_mask)
*/
static void orangefs_kernel_debug_init(void)
{
- int rc = -ENOMEM;
- char *k_buffer = NULL;
+ static char k_buffer[ORANGEFS_MAX_DEBUG_STRING_LEN] = { };
gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: start\n", __func__);
- k_buffer = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
- if (!k_buffer)
- goto out;
-
if (strlen(kernel_debug_string) + 1 < ORANGEFS_MAX_DEBUG_STRING_LEN) {
strcpy(k_buffer, kernel_debug_string);
strcat(k_buffer, "\n");
@@ -213,9 +208,6 @@ static void orangefs_kernel_debug_init(void)
debugfs_create_file(ORANGEFS_KMOD_DEBUG_FILE, 0444, debug_dir, k_buffer,
&kernel_debug_fops);
-
-out:
- gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: rc:%d:\n", __func__, rc);
}
@@ -299,18 +291,13 @@ static int help_show(struct seq_file *m, void *v)
/*
* initialize the client-debug file.
*/
-static int orangefs_client_debug_init(void)
+static void orangefs_client_debug_init(void)
{
- int rc = -ENOMEM;
- char *c_buffer = NULL;
+ static char c_buffer[ORANGEFS_MAX_DEBUG_STRING_LEN] = { };
gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: start\n", __func__);
- c_buffer = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
- if (!c_buffer)
- goto out;
-
if (strlen(client_debug_string) + 1 < ORANGEFS_MAX_DEBUG_STRING_LEN) {
strcpy(c_buffer, client_debug_string);
strcat(c_buffer, "\n");
@@ -324,13 +311,6 @@ static int orangefs_client_debug_init(void)
debug_dir,
c_buffer,
&kernel_debug_fops);
-
- rc = 0;
-
-out:
-
- gossip_debug(GOSSIP_DEBUGFS_DEBUG, "%s: rc:%d:\n", __func__, rc);
- return rc;
}
/* open ORANGEFS_KMOD_DEBUG_FILE or ORANGEFS_CLIENT_DEBUG_FILE.*/
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 540/783] hwmon: (jc42) Fix missing unlock on error in jc42_write()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (538 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 539/783] orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 541/783] ALSA/ASoC: hda: move/rename snd_hdac_ext_stop_streams to hdac_stream.c Greg Kroah-Hartman
` (252 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yang Yingliang, Martin Blumenstingl,
kernel test robot, Dan Carpenter, Guenter Roeck, Sasha Levin
From: Yang Yingliang <yangyingliang@huawei.com>
[ Upstream commit b744db17abf6a2efc2bfa80870cc88e9799a8ccc ]
Add the missing unlock before return from function jc42_write()
in the error handling case.
Fixes: 37dedaee8bc6 ("hwmon: (jc42) Convert register access and caching to regmap/regcache")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Link: https://lore.kernel.org/r/20221027062931.598247-1-yangyingliang@huawei.com
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/jc42.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwmon/jc42.c b/drivers/hwmon/jc42.c
index 5240bfdfcf2e..52f341d46029 100644
--- a/drivers/hwmon/jc42.c
+++ b/drivers/hwmon/jc42.c
@@ -340,7 +340,7 @@ static int jc42_write(struct device *dev, enum hwmon_sensor_types type,
ret = regmap_read(data->regmap, JC42_REG_TEMP_CRITICAL,
®val);
if (ret)
- return ret;
+ break;
/*
* JC42.4 compliant chips only support four hysteresis values.
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 541/783] ALSA/ASoC: hda: move/rename snd_hdac_ext_stop_streams to hdac_stream.c
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (539 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 540/783] hwmon: (jc42) Fix missing unlock on error in jc42_write() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 542/783] ALSA: hda: add snd_hdac_stop_streams() helper Greg Kroah-Hartman
` (251 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart, Kai Vehmanen,
Péter Ujfalusi, Ranjani Sridharan, Cezary Rojewski,
Takashi Iwai, Sasha Levin
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
[ Upstream commit 12054f0ce8be7d2003ec068ab27c9eb608397b98 ]
snd_hdac_ext_stop_streams() has really nothing to do with the
extension, it just loops over the bus streams.
Move it to the hdac_stream layer and rename to remove the 'ext'
prefix and add the precision that the chip will also be stopped.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
Reviewed-by: Cezary Rojewski <cezary.rojewski@intel.com>
Link: https://lore.kernel.org/r/20211216231128.344321-2-pierre-louis.bossart@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Stable-dep-of: 171107237246 ("ASoC: Intel: Skylake: Fix driver hang during shutdown")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/hdaudio.h | 1 +
include/sound/hdaudio_ext.h | 1 -
sound/hda/ext/hdac_ext_stream.c | 17 -----------------
sound/hda/hdac_stream.c | 16 ++++++++++++++++
sound/soc/intel/skylake/skl.c | 4 ++--
5 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/include/sound/hdaudio.h b/include/sound/hdaudio.h
index 6eed61e6cf8a..63edae565573 100644
--- a/include/sound/hdaudio.h
+++ b/include/sound/hdaudio.h
@@ -562,6 +562,7 @@ int snd_hdac_stream_set_params(struct hdac_stream *azx_dev,
void snd_hdac_stream_start(struct hdac_stream *azx_dev, bool fresh_start);
void snd_hdac_stream_clear(struct hdac_stream *azx_dev);
void snd_hdac_stream_stop(struct hdac_stream *azx_dev);
+void snd_hdac_stop_streams_and_chip(struct hdac_bus *bus);
void snd_hdac_stream_reset(struct hdac_stream *azx_dev);
void snd_hdac_stream_sync_trigger(struct hdac_stream *azx_dev, bool set,
unsigned int streams, unsigned int reg);
diff --git a/include/sound/hdaudio_ext.h b/include/sound/hdaudio_ext.h
index 75048ea178f6..ddcb5b2f0a8e 100644
--- a/include/sound/hdaudio_ext.h
+++ b/include/sound/hdaudio_ext.h
@@ -92,7 +92,6 @@ void snd_hdac_ext_stream_decouple_locked(struct hdac_bus *bus,
struct hdac_ext_stream *azx_dev, bool decouple);
void snd_hdac_ext_stream_decouple(struct hdac_bus *bus,
struct hdac_ext_stream *azx_dev, bool decouple);
-void snd_hdac_ext_stop_streams(struct hdac_bus *bus);
int snd_hdac_ext_stream_set_spib(struct hdac_bus *bus,
struct hdac_ext_stream *stream, u32 value);
diff --git a/sound/hda/ext/hdac_ext_stream.c b/sound/hda/ext/hdac_ext_stream.c
index 1e6e4cf428cd..4276dae2e00a 100644
--- a/sound/hda/ext/hdac_ext_stream.c
+++ b/sound/hda/ext/hdac_ext_stream.c
@@ -475,23 +475,6 @@ int snd_hdac_ext_stream_get_spbmaxfifo(struct hdac_bus *bus,
}
EXPORT_SYMBOL_GPL(snd_hdac_ext_stream_get_spbmaxfifo);
-
-/**
- * snd_hdac_ext_stop_streams - stop all stream if running
- * @bus: HD-audio core bus
- */
-void snd_hdac_ext_stop_streams(struct hdac_bus *bus)
-{
- struct hdac_stream *stream;
-
- if (bus->chip_init) {
- list_for_each_entry(stream, &bus->stream_list, list)
- snd_hdac_stream_stop(stream);
- snd_hdac_bus_stop_chip(bus);
- }
-}
-EXPORT_SYMBOL_GPL(snd_hdac_ext_stop_streams);
-
/**
* snd_hdac_ext_stream_drsm_enable - enable DMA resume for a stream
* @bus: HD-audio core bus
diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c
index ce77a5320163..f9f0ed3042a2 100644
--- a/sound/hda/hdac_stream.c
+++ b/sound/hda/hdac_stream.c
@@ -142,6 +142,22 @@ void snd_hdac_stream_stop(struct hdac_stream *azx_dev)
}
EXPORT_SYMBOL_GPL(snd_hdac_stream_stop);
+/**
+ * snd_hdac_stop_streams_and_chip - stop all streams and chip if running
+ * @bus: HD-audio core bus
+ */
+void snd_hdac_stop_streams_and_chip(struct hdac_bus *bus)
+{
+ struct hdac_stream *stream;
+
+ if (bus->chip_init) {
+ list_for_each_entry(stream, &bus->stream_list, list)
+ snd_hdac_stream_stop(stream);
+ snd_hdac_bus_stop_chip(bus);
+ }
+}
+EXPORT_SYMBOL_GPL(snd_hdac_stop_streams_and_chip);
+
/**
* snd_hdac_stream_reset - reset a stream
* @azx_dev: HD-audio core stream to reset
diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c
index 8b993722f74e..83b1eb70b40a 100644
--- a/sound/soc/intel/skylake/skl.c
+++ b/sound/soc/intel/skylake/skl.c
@@ -439,7 +439,7 @@ static int skl_free(struct hdac_bus *bus)
skl->init_done = 0; /* to be sure */
- snd_hdac_ext_stop_streams(bus);
+ snd_hdac_stop_streams_and_chip(bus);
if (bus->irq >= 0)
free_irq(bus->irq, (void *)bus);
@@ -1100,7 +1100,7 @@ static void skl_shutdown(struct pci_dev *pci)
if (!skl->init_done)
return;
- snd_hdac_ext_stop_streams(bus);
+ snd_hdac_stop_streams_and_chip(bus);
list_for_each_entry(s, &bus->stream_list, list) {
stream = stream_to_hdac_ext_stream(s);
snd_hdac_ext_stream_decouple(bus, stream, false);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 542/783] ALSA: hda: add snd_hdac_stop_streams() helper
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (540 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 541/783] ALSA/ASoC: hda: move/rename snd_hdac_ext_stop_streams to hdac_stream.c Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 543/783] ASoC: Intel: Skylake: Fix driver hang during shutdown Greg Kroah-Hartman
` (250 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart, Bard Liao,
Péter Ujfalusi, Kai Vehmanen, Takashi Iwai, Sasha Levin
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
[ Upstream commit 24ad3835a6db4f8857975effa6bf47730371a5ff ]
Minor code reuse, no functionality change.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Link: https://lore.kernel.org/r/20220919121041.43463-6-pierre-louis.bossart@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Stable-dep-of: 171107237246 ("ASoC: Intel: Skylake: Fix driver hang during shutdown")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/sound/hdaudio.h | 1 +
sound/hda/hdac_stream.c | 17 ++++++++++++++---
sound/pci/hda/hda_controller.c | 4 +---
3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/include/sound/hdaudio.h b/include/sound/hdaudio.h
index 63edae565573..496decb63f80 100644
--- a/include/sound/hdaudio.h
+++ b/include/sound/hdaudio.h
@@ -562,6 +562,7 @@ int snd_hdac_stream_set_params(struct hdac_stream *azx_dev,
void snd_hdac_stream_start(struct hdac_stream *azx_dev, bool fresh_start);
void snd_hdac_stream_clear(struct hdac_stream *azx_dev);
void snd_hdac_stream_stop(struct hdac_stream *azx_dev);
+void snd_hdac_stop_streams(struct hdac_bus *bus);
void snd_hdac_stop_streams_and_chip(struct hdac_bus *bus);
void snd_hdac_stream_reset(struct hdac_stream *azx_dev);
void snd_hdac_stream_sync_trigger(struct hdac_stream *azx_dev, bool set,
diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c
index f9f0ed3042a2..1e0f61affd97 100644
--- a/sound/hda/hdac_stream.c
+++ b/sound/hda/hdac_stream.c
@@ -142,17 +142,28 @@ void snd_hdac_stream_stop(struct hdac_stream *azx_dev)
}
EXPORT_SYMBOL_GPL(snd_hdac_stream_stop);
+/**
+ * snd_hdac_stop_streams - stop all streams
+ * @bus: HD-audio core bus
+ */
+void snd_hdac_stop_streams(struct hdac_bus *bus)
+{
+ struct hdac_stream *stream;
+
+ list_for_each_entry(stream, &bus->stream_list, list)
+ snd_hdac_stream_stop(stream);
+}
+EXPORT_SYMBOL_GPL(snd_hdac_stop_streams);
+
/**
* snd_hdac_stop_streams_and_chip - stop all streams and chip if running
* @bus: HD-audio core bus
*/
void snd_hdac_stop_streams_and_chip(struct hdac_bus *bus)
{
- struct hdac_stream *stream;
if (bus->chip_init) {
- list_for_each_entry(stream, &bus->stream_list, list)
- snd_hdac_stream_stop(stream);
+ snd_hdac_stop_streams(bus);
snd_hdac_bus_stop_chip(bus);
}
}
diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
index 3de7dc34def2..ea76395d71d3 100644
--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -1045,10 +1045,8 @@ EXPORT_SYMBOL_GPL(azx_init_chip);
void azx_stop_all_streams(struct azx *chip)
{
struct hdac_bus *bus = azx_bus(chip);
- struct hdac_stream *s;
- list_for_each_entry(s, &bus->stream_list, list)
- snd_hdac_stream_stop(s);
+ snd_hdac_stop_streams(bus);
}
EXPORT_SYMBOL_GPL(azx_stop_all_streams);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 543/783] ASoC: Intel: Skylake: Fix driver hang during shutdown
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (541 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 542/783] ALSA: hda: add snd_hdac_stop_streams() helper Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 544/783] ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe() Greg Kroah-Hartman
` (249 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cezary Rojewski, Lukasz Majczak,
Mark Brown, Sasha Levin
From: Cezary Rojewski <cezary.rojewski@intel.com>
[ Upstream commit 171107237246d66bce04f3769d33648f896b4ce3 ]
AudioDSP cores and HDAudio links need to be turned off on shutdown to
ensure no communication or data transfer occurs during the procedure.
Fixes: c5a76a246989 ("ASoC: Intel: Skylake: Add shutdown callback")
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Tested-by: Lukasz Majczak <lma@semihlaf.com>
Link: https://lore.kernel.org/r/20221205085330.857665-6-cezary.rojewski@intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/skylake/skl.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/soc/intel/skylake/skl.c b/sound/soc/intel/skylake/skl.c
index 83b1eb70b40a..2085e12dc611 100644
--- a/sound/soc/intel/skylake/skl.c
+++ b/sound/soc/intel/skylake/skl.c
@@ -1100,7 +1100,10 @@ static void skl_shutdown(struct pci_dev *pci)
if (!skl->init_done)
return;
- snd_hdac_stop_streams_and_chip(bus);
+ snd_hdac_stop_streams(bus);
+ snd_hdac_ext_bus_link_power_down_all(bus);
+ skl_dsp_sleep(skl->dsp);
+
list_for_each_entry(s, &bus->stream_list, list) {
stream = stream_to_hdac_ext_stream(s);
snd_hdac_ext_stream_decouple(bus, stream, false);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 544/783] ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (542 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 543/783] ASoC: Intel: Skylake: Fix driver hang during shutdown Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 545/783] ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link() Greg Kroah-Hartman
` (248 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Yufen, Mark Brown, Sasha Levin
From: Wang Yufen <wangyufen@huawei.com>
[ Upstream commit 3327d721114c109ba0575f86f8fda3b525404054 ]
The node returned by of_parse_phandle() with refcount incremented,
of_node_put() needs be called when finish using it. So add it in the
error path in mt8173_rt5650_rt5514_dev_probe().
Fixes: 0d1d7a664288 ("ASoC: mediatek: Refine mt8173 driver and change config option")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Link: https://lore.kernel.org/r/1670234664-24246-1-git-send-email-wangyufen@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
index 390da5bf727e..9421b919d462 100644
--- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
+++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5514.c
@@ -200,14 +200,16 @@ static int mt8173_rt5650_rt5514_dev_probe(struct platform_device *pdev)
if (!mt8173_rt5650_rt5514_dais[DAI_LINK_CODEC_I2S].codecs[0].of_node) {
dev_err(&pdev->dev,
"Property 'audio-codec' missing or invalid\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto out;
}
mt8173_rt5650_rt5514_dais[DAI_LINK_CODEC_I2S].codecs[1].of_node =
of_parse_phandle(pdev->dev.of_node, "mediatek,audio-codec", 1);
if (!mt8173_rt5650_rt5514_dais[DAI_LINK_CODEC_I2S].codecs[1].of_node) {
dev_err(&pdev->dev,
"Property 'audio-codec' missing or invalid\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto out;
}
mt8173_rt5650_rt5514_codec_conf[0].dlc.of_node =
mt8173_rt5650_rt5514_dais[DAI_LINK_CODEC_I2S].codecs[1].of_node;
@@ -219,6 +221,7 @@ static int mt8173_rt5650_rt5514_dev_probe(struct platform_device *pdev)
dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n",
__func__, ret);
+out:
of_node_put(platform_node);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 545/783] ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (543 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 544/783] ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 546/783] ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume() Greg Kroah-Hartman
` (247 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Yufen, Kuninori Morimoto,
Mark Brown, Sasha Levin
From: Wang Yufen <wangyufen@huawei.com>
[ Upstream commit 8ab2d12c726f0fde0692fa5d81d8019b3dcd62d0 ]
The of_get_next_child() returns a node with refcount incremented, and
decrements the refcount of prev. So in the error path of the while loop,
of_node_put() needs be called for cpu_ep.
Fixes: fce9b90c1ab7 ("ASoC: audio-graph-card: cleanup DAI link loop method - step2")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/1670228127-13835-1-git-send-email-wangyufen@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/generic/audio-graph-card.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/soc/generic/audio-graph-card.c b/sound/soc/generic/audio-graph-card.c
index bfbee2d716f3..84510ca0b8fd 100644
--- a/sound/soc/generic/audio-graph-card.c
+++ b/sound/soc/generic/audio-graph-card.c
@@ -466,8 +466,10 @@ static int graph_for_each_link(struct asoc_simple_priv *priv,
of_node_put(codec_ep);
of_node_put(codec_port);
- if (ret < 0)
+ if (ret < 0) {
+ of_node_put(cpu_ep);
return ret;
+ }
codec_port_old = codec_port;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 546/783] ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (544 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 545/783] ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 547/783] ASoC: wm8994: Fix potential deadlock Greg Kroah-Hartman
` (246 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Jingjin, Mark Brown, Sasha Levin
From: Wang Jingjin <wangjingjin1@huawei.com>
[ Upstream commit ef0a098efb36660326c133af9b5a04a96a00e3ca ]
The clk_disable_unprepare() should be called in the error handling of
rockchip_pdm_runtime_resume().
Fixes: fc05a5b22253 ("ASoC: rockchip: add support for pdm controller")
Signed-off-by: Wang Jingjin <wangjingjin1@huawei.com>
Link: https://lore.kernel.org/r/20221205032802.2422983-1-wangjingjin1@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/rockchip/rockchip_pdm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/rockchip/rockchip_pdm.c b/sound/soc/rockchip/rockchip_pdm.c
index 5adb293d0435..94cfbc90390b 100644
--- a/sound/soc/rockchip/rockchip_pdm.c
+++ b/sound/soc/rockchip/rockchip_pdm.c
@@ -368,6 +368,7 @@ static int rockchip_pdm_runtime_resume(struct device *dev)
ret = clk_prepare_enable(pdm->hclk);
if (ret) {
+ clk_disable_unprepare(pdm->clk);
dev_err(pdm->dev, "hclock enable failed %d\n", ret);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 547/783] ASoC: wm8994: Fix potential deadlock
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (545 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 546/783] ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 548/783] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume() Greg Kroah-Hartman
` (245 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marek Szyprowski, Charles Keepax,
Mark Brown, Sasha Levin
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit 9529dc167ffcdfd201b9f0eda71015f174095f7e ]
Fix this by dropping wm8994->accdet_lock while calling
cancel_delayed_work_sync(&wm8994->mic_work) in wm1811_jackdet_irq().
Fixes: c0cc3f166525 ("ASoC: wm8994: Allow a delay between jack insertion and microphone detect")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20221209091657.1183-1-m.szyprowski@samsung.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/wm8994.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c
index f57884113406..d3a7480fda43 100644
--- a/sound/soc/codecs/wm8994.c
+++ b/sound/soc/codecs/wm8994.c
@@ -3853,7 +3853,12 @@ static irqreturn_t wm1811_jackdet_irq(int irq, void *data)
} else {
dev_dbg(component->dev, "Jack not detected\n");
+ /* Release wm8994->accdet_lock to avoid deadlock:
+ * cancel_delayed_work_sync() takes wm8994->mic_work internal
+ * lock and wm1811_mic_work takes wm8994->accdet_lock */
+ mutex_unlock(&wm8994->accdet_lock);
cancel_delayed_work_sync(&wm8994->mic_work);
+ mutex_lock(&wm8994->accdet_lock);
snd_soc_component_update_bits(component, WM8958_MICBIAS2,
WM8958_MICB2_DISCH, WM8958_MICB2_DISCH);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 548/783] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (546 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 547/783] ASoC: wm8994: Fix potential deadlock Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 549/783] ASoC: rt5670: Remove unbalanced pm_runtime_put() Greg Kroah-Hartman
` (244 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Jingjin, Mark Brown, Sasha Levin
From: Wang Jingjin <wangjingjin1@huawei.com>
[ Upstream commit 6d94d0090527b1763872275a7ccd44df7219b31e ]
rk_spdif_runtime_resume() may have called clk_prepare_enable() before return
from failed branches, add missing clk_disable_unprepare() in this case.
Fixes: f874b80e1571 ("ASoC: rockchip: Add rockchip SPDIF transceiver driver")
Signed-off-by: Wang Jingjin <wangjingjin1@huawei.com>
Link: https://lore.kernel.org/r/20221208063900.4180790-1-wangjingjin1@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/rockchip/rockchip_spdif.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/rockchip/rockchip_spdif.c b/sound/soc/rockchip/rockchip_spdif.c
index 674810851fbc..ccddcd9926af 100644
--- a/sound/soc/rockchip/rockchip_spdif.c
+++ b/sound/soc/rockchip/rockchip_spdif.c
@@ -86,6 +86,7 @@ static int __maybe_unused rk_spdif_runtime_resume(struct device *dev)
ret = clk_prepare_enable(spdif->hclk);
if (ret) {
+ clk_disable_unprepare(spdif->mclk);
dev_err(spdif->dev, "hclk clock enable failed %d\n", ret);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 549/783] ASoC: rt5670: Remove unbalanced pm_runtime_put()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (547 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 548/783] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 550/783] LoadPin: Ignore the "contents" argument of the LSM hooks Greg Kroah-Hartman
` (243 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Mark Brown, Sasha Levin
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 6c900dcc3f7331a67ed29739d74524e428d137fb ]
For some reason rt5670_i2c_probe() does a pm_runtime_put() at the end
of a successful probe. But it has never done a pm_runtime_get() leading
to the following error being logged into dmesg:
rt5670 i2c-10EC5640:00: Runtime PM usage count underflow!
Fix this by removing the unnecessary pm_runtime_put().
Fixes: 64e89e5f5548 ("ASoC: rt5670: Add runtime PM support")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20221213123319.11285-1-hdegoede@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/rt5670.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/sound/soc/codecs/rt5670.c b/sound/soc/codecs/rt5670.c
index 47ce074289ca..58227602053f 100644
--- a/sound/soc/codecs/rt5670.c
+++ b/sound/soc/codecs/rt5670.c
@@ -3192,8 +3192,6 @@ static int rt5670_i2c_probe(struct i2c_client *i2c,
if (ret < 0)
goto err;
- pm_runtime_put(&i2c->dev);
-
return 0;
err:
pm_runtime_disable(&i2c->dev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 550/783] LoadPin: Ignore the "contents" argument of the LSM hooks
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (548 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 549/783] ASoC: rt5670: Remove unbalanced pm_runtime_put() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 551/783] pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion Greg Kroah-Hartman
` (242 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Moore, James Morris,
Serge E. Hallyn, linux-security-module, Kees Cook, Ping-Ke Shih,
Sasha Levin
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 1a17e5b513ceebf21100027745b8731b4728edf7 ]
LoadPin only enforces the read-only origin of kernel file reads. Whether
or not it was a partial read isn't important. Remove the overly
conservative checks so that things like partial firmware reads will
succeed (i.e. reading a firmware header).
Fixes: 2039bda1fa8d ("LSM: Add "contents" flag to kernel_read_file hook")
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge@hallyn.com>
Tested-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://lore.kernel.org/r/20221209195453.never.494-kees@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/loadpin/loadpin.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/security/loadpin/loadpin.c b/security/loadpin/loadpin.c
index b12f7d986b1e..5fce105a372d 100644
--- a/security/loadpin/loadpin.c
+++ b/security/loadpin/loadpin.c
@@ -118,21 +118,11 @@ static void loadpin_sb_free_security(struct super_block *mnt_sb)
}
}
-static int loadpin_read_file(struct file *file, enum kernel_read_file_id id,
- bool contents)
+static int loadpin_check(struct file *file, enum kernel_read_file_id id)
{
struct super_block *load_root;
const char *origin = kernel_read_file_id_str(id);
- /*
- * If we will not know that we'll be seeing the full contents
- * then we cannot trust a load will be complete and unchanged
- * off disk. Treat all contents=false hooks as if there were
- * no associated file struct.
- */
- if (!contents)
- file = NULL;
-
/* If the file id is excluded, ignore the pinning. */
if ((unsigned int)id < ARRAY_SIZE(ignore_read_file_id) &&
ignore_read_file_id[id]) {
@@ -187,9 +177,25 @@ static int loadpin_read_file(struct file *file, enum kernel_read_file_id id,
return 0;
}
+static int loadpin_read_file(struct file *file, enum kernel_read_file_id id,
+ bool contents)
+{
+ /*
+ * LoadPin only cares about the _origin_ of a file, not its
+ * contents, so we can ignore the "are full contents available"
+ * argument here.
+ */
+ return loadpin_check(file, id);
+}
+
static int loadpin_load_data(enum kernel_load_data_id id, bool contents)
{
- return loadpin_read_file(NULL, (enum kernel_read_file_id) id, contents);
+ /*
+ * LoadPin only cares about the _origin_ of a file, not its
+ * contents, so a NULL file is passed, and we can ignore the
+ * state of "contents".
+ */
+ return loadpin_check(NULL, (enum kernel_read_file_id) id);
}
static struct security_hook_list loadpin_hooks[] __lsm_ro_after_init = {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 551/783] pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (549 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 550/783] LoadPin: Ignore the "contents" argument of the LSM hooks Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 552/783] perf debug: Set debug_peo_args and redirect_to_stderr variable to correct values in perf_quiet_option() Greg Kroah-Hartman
` (241 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Wang, Midas Chien,
Connor OBrien, Kees Cook, Anton Vorontsov, Colin Cross,
Tony Luck, kernel-team, John Stultz, Sasha Levin
From: John Stultz <jstultz@google.com>
[ Upstream commit 76d62f24db07f22ccf9bc18ca793c27d4ebef721 ]
Wei Wang reported seeing priority inversion caused latencies
caused by contention on pmsg_lock, and suggested it be switched
to a rt_mutex.
I was initially hesitant this would help, as the tasks in that
trace all seemed to be SCHED_NORMAL, so the benefit would be
limited to only nice boosting.
However, another similar issue was raised where the priority
inversion was seen did involve a blocked RT task so it is clear
this would be helpful in that case.
Cc: Wei Wang <wvw@google.com>
Cc: Midas Chien<midaschieh@google.com>
Cc: Connor O'Brien <connoro@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Anton Vorontsov <anton@enomsg.org>
Cc: Colin Cross <ccross@android.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: kernel-team@android.com
Fixes: 9d5438f462ab ("pstore: Add pmsg - user-space accessible pstore object")
Reported-by: Wei Wang <wvw@google.com>
Signed-off-by: John Stultz <jstultz@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221214231834.3711880-1-jstultz@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pstore/pmsg.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/fs/pstore/pmsg.c b/fs/pstore/pmsg.c
index d8542ec2f38c..18cf94b597e0 100644
--- a/fs/pstore/pmsg.c
+++ b/fs/pstore/pmsg.c
@@ -7,9 +7,10 @@
#include <linux/device.h>
#include <linux/fs.h>
#include <linux/uaccess.h>
+#include <linux/rtmutex.h>
#include "internal.h"
-static DEFINE_MUTEX(pmsg_lock);
+static DEFINE_RT_MUTEX(pmsg_lock);
static ssize_t write_pmsg(struct file *file, const char __user *buf,
size_t count, loff_t *ppos)
@@ -28,9 +29,9 @@ static ssize_t write_pmsg(struct file *file, const char __user *buf,
if (!access_ok(buf, count))
return -EFAULT;
- mutex_lock(&pmsg_lock);
+ rt_mutex_lock(&pmsg_lock);
ret = psinfo->write_user(&record, buf);
- mutex_unlock(&pmsg_lock);
+ rt_mutex_unlock(&pmsg_lock);
return ret ? ret : count;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 552/783] perf debug: Set debug_peo_args and redirect_to_stderr variable to correct values in perf_quiet_option()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (550 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 551/783] pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 553/783] afs: Fix lost servers_outstanding count Greg Kroah-Hartman
` (240 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Yang Jihong,
Alexander Shishkin, Andi Kleen, Carsten Haitzler, Ian Rogers,
Ingo Molnar, Jiri Olsa, Leo Yan, Mark Rutland, martin.lau,
Masami Hiramatsu, Namhyung Kim, Peter Zijlstra, Ravi Bangoria,
Ravi Bangoria, Arnaldo Carvalho de Melo, Sasha Levin
From: Yang Jihong <yangjihong1@huawei.com>
[ Upstream commit 188ac720d364035008a54d249cf47b4cc100f819 ]
When perf uses quiet mode, perf_quiet_option() sets the 'debug_peo_args'
variable to -1, and display_attr() incorrectly determines the value of
'debug_peo_args'. As a result, unexpected information is displayed.
Before:
# perf record --quiet -- ls > /dev/null
------------------------------------------------------------
perf_event_attr:
size 128
{ sample_period, sample_freq } 4000
sample_type IP|TID|TIME|PERIOD
read_format ID|LOST
disabled 1
inherit 1
mmap 1
comm 1
freq 1
enable_on_exec 1
task 1
precise_ip 3
sample_id_all 1
exclude_guest 1
mmap2 1
comm_exec 1
ksymbol 1
bpf_event 1
------------------------------------------------------------
...
After:
# perf record --quiet -- ls > /dev/null
#
redirect_to_stderr is a similar problem.
Fixes: f78eaef0e0493f60 ("perf tools: Allow to force redirect pr_debug to stderr.")
Fixes: ccd26741f5e6bdf2 ("perf tool: Provide an option to print perf_event_open args and return value")
Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Carsten Haitzler <carsten.haitzler@arm.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Leo Yan <leo.yan@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: martin.lau@kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ravi Bangoria <ravi.bangoria@amd.com>
Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
Link: https://lore.kernel.org/r/20221220035702.188413-2-yangjihong1@huawei.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/debug.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/perf/util/debug.c b/tools/perf/util/debug.c
index 0af163abaa62..854dd3d2d8de 100644
--- a/tools/perf/util/debug.c
+++ b/tools/perf/util/debug.c
@@ -207,6 +207,10 @@ int perf_quiet_option(void)
opt++;
}
+ /* For debug variables that are used as bool types, set to 0. */
+ redirect_to_stderr = 0;
+ debug_peo_args = 0;
+
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 553/783] afs: Fix lost servers_outstanding count
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (551 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 552/783] perf debug: Set debug_peo_args and redirect_to_stderr variable to correct values in perf_quiet_option() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 554/783] pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES Greg Kroah-Hartman
` (239 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Dionne, David Howells,
linux-afs, Sasha Levin
From: David Howells <dhowells@redhat.com>
[ Upstream commit 36f82c93ee0bd88f1c95a52537906b8178b537f1 ]
The afs_fs_probe_dispatcher() work function is passed a count on
net->servers_outstanding when it is scheduled (which may come via its
timer). This is passed back to the work_item, passed to the timer or
dropped at the end of the dispatcher function.
But, at the top of the dispatcher function, there are two checks which
skip the rest of the function: if the network namespace is being destroyed
or if there are no fileservers to probe. These two return paths, however,
do not drop the count passed to the dispatcher, and so, sometimes, the
destruction of a network namespace, such as induced by rmmod of the kafs
module, may get stuck in afs_purge_servers(), waiting for
net->servers_outstanding to become zero.
Fix this by adding the missing decrements in afs_fs_probe_dispatcher().
Fixes: f6cbb368bcb0 ("afs: Actively poll fileservers to maintain NAT or firewall openings")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
Link: https://lore.kernel.org/r/167164544917.2072364.3759519569649459359.stgit@warthog.procyon.org.uk/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/afs/fs_probe.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/afs/fs_probe.c b/fs/afs/fs_probe.c
index 04d42e49fc59..def80365fe79 100644
--- a/fs/afs/fs_probe.c
+++ b/fs/afs/fs_probe.c
@@ -360,12 +360,15 @@ void afs_fs_probe_dispatcher(struct work_struct *work)
unsigned long nowj, timer_at, poll_at;
bool first_pass = true, set_timer = false;
- if (!net->live)
+ if (!net->live) {
+ afs_dec_servers_outstanding(net);
return;
+ }
_enter("");
if (list_empty(&net->fs_probe_fast) && list_empty(&net->fs_probe_slow)) {
+ afs_dec_servers_outstanding(net);
_leave(" [none]");
return;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 554/783] pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (552 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 553/783] afs: Fix lost servers_outstanding count Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 555/783] ima: Simplify ima_lsm_copy_rule Greg Kroah-Hartman
` (238 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Wang, Midas Chien,
Connor OBrien, Kees Cook, Anton Vorontsov, Colin Cross,
Tony Luck, kernel test robot, kernel-team, John Stultz,
Sasha Levin
From: John Stultz <jstultz@google.com>
[ Upstream commit 2f4fec5943407318b9523f01ce1f5d668c028332 ]
In commit 76d62f24db07 ("pstore: Switch pmsg_lock to an rt_mutex
to avoid priority inversion") I changed a lock to an rt_mutex.
However, its possible that CONFIG_RT_MUTEXES is not enabled,
which then results in a build failure, as the 0day bot detected:
https://lore.kernel.org/linux-mm/202212211244.TwzWZD3H-lkp@intel.com/
Thus this patch changes CONFIG_PSTORE_PMSG to select
CONFIG_RT_MUTEXES, which ensures the build will not fail.
Cc: Wei Wang <wvw@google.com>
Cc: Midas Chien<midaschieh@google.com>
Cc: Connor O'Brien <connoro@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Anton Vorontsov <anton@enomsg.org>
Cc: Colin Cross <ccross@android.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: kernel test robot <lkp@intel.com>
Cc: kernel-team@android.com
Fixes: 76d62f24db07 ("pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: John Stultz <jstultz@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221221051855.15761-1-jstultz@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/pstore/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/pstore/Kconfig b/fs/pstore/Kconfig
index 8efe60487b48..71dbe9a2533f 100644
--- a/fs/pstore/Kconfig
+++ b/fs/pstore/Kconfig
@@ -118,6 +118,7 @@ config PSTORE_CONSOLE
config PSTORE_PMSG
bool "Log user space messages"
depends on PSTORE
+ select RT_MUTEXES
help
When the option is enabled, pstore will export a character
interface /dev/pmsg0 to log user space messages. On reboot
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 555/783] ima: Simplify ima_lsm_copy_rule
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (553 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 554/783] pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 556/783] ALSA: usb-audio: add the quirk for KT0206 device Greg Kroah-Hartman
` (237 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, GUO Zihua, Roberto Sassu,
Mimi Zohar, Sasha Levin
From: GUO Zihua <guozihua@huawei.com>
[ Upstream commit d57378d3aa4d864d9e590482602068af1b20c0c5 ]
Currently ima_lsm_copy_rule() set the arg_p field of the source rule to
NULL, so that the source rule could be freed afterward. It does not make
sense for this behavior to be inside a "copy" function. So move it
outside and let the caller handle this field.
ima_lsm_copy_rule() now produce a shallow copy of the original entry
including args_p field. Meaning only the lsm.rule and the rule itself
should be freed for the original rule. Thus, instead of calling
ima_lsm_free_rule() which frees lsm.rule as well as args_p field, free
the lsm.rule directly.
Signed-off-by: GUO Zihua <guozihua@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/integrity/ima/ima_policy.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index a83ce111cf50..96ecb7d25403 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -370,12 +370,6 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
nentry->lsm[i].type = entry->lsm[i].type;
nentry->lsm[i].args_p = entry->lsm[i].args_p;
- /*
- * Remove the reference from entry so that the associated
- * memory will not be freed during a later call to
- * ima_lsm_free_rule(entry).
- */
- entry->lsm[i].args_p = NULL;
ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
nentry->lsm[i].args_p,
@@ -389,6 +383,7 @@ static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
static int ima_lsm_update_rule(struct ima_rule_entry *entry)
{
+ int i;
struct ima_rule_entry *nentry;
nentry = ima_lsm_copy_rule(entry);
@@ -403,7 +398,8 @@ static int ima_lsm_update_rule(struct ima_rule_entry *entry)
* references and the entry itself. All other memory refrences will now
* be owned by nentry.
*/
- ima_lsm_free_rule(entry);
+ for (i = 0; i < MAX_LSM_RULES; i++)
+ ima_filter_rule_free(entry->lsm[i].rule);
kfree(entry);
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 556/783] ALSA: usb-audio: add the quirk for KT0206 device
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (554 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 555/783] ima: Simplify ima_lsm_copy_rule Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 557/783] ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB Greg Kroah-Hartman
` (236 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, wangdicheng, Takashi Iwai
From: wangdicheng <wangdicheng@kylinos.cn>
commit 696b66ac26ef953aed5783ef26a252ec8f207013 upstream.
Add relevant information to the quirks-table.h file.
The test passes and the sound source file plays normally.
Signed-off-by: wangdicheng <wangdicheng@kylinos.cn>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/SG2PR02MB587849631CB96809CF90DBED8A1A9@SG2PR02MB5878.apcprd02.prod.outlook.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/quirks-table.h | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/quirks-table.h
+++ b/sound/usb/quirks-table.h
@@ -76,6 +76,8 @@
{ USB_DEVICE_VENDOR_SPEC(0x041e, 0x3f0a) },
/* E-Mu 0204 USB */
{ USB_DEVICE_VENDOR_SPEC(0x041e, 0x3f19) },
+/* Ktmicro Usb_audio device */
+{ USB_DEVICE_VENDOR_SPEC(0x31b2, 0x0011) },
/*
* Creative Technology, Ltd Live! Cam Sync HD [VF0770]
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 557/783] ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (555 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 556/783] ALSA: usb-audio: add the quirk for KT0206 device Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 558/783] ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list Greg Kroah-Hartman
` (235 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Edward Pacman, Takashi Iwai
From: Edward Pacman <edward@edward-p.xyz>
commit 4bf5bf54476dffe60e6b6d8d539f67309ff599e2 upstream.
Lenovo TianYi510Pro-14IOB (17aa:3742)
require quirk for enabling headset-mic
Signed-off-by: Edward Pacman <edward@edward-p.xyz>
Cc: <stable@vger.kernel.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216756
Link: https://lore.kernel.org/r/20221207133218.18989-1-edward@edward-p.xyz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -10514,6 +10514,17 @@ static void alc897_fixup_lenovo_headset_
}
}
+static void alc897_fixup_lenovo_headset_mode(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+{
+ struct alc_spec *spec = codec->spec;
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+ spec->parse_flags |= HDA_PINCFG_HEADSET_MIC;
+ spec->gen.hp_automute_hook = alc897_hp_automute_hook;
+ }
+}
+
static const struct coef_fw alc668_coefs[] = {
WRITE_COEF(0x01, 0xbebe), WRITE_COEF(0x02, 0xaaaa), WRITE_COEF(0x03, 0x0),
WRITE_COEF(0x04, 0x0180), WRITE_COEF(0x06, 0x0), WRITE_COEF(0x07, 0x0f80),
@@ -10597,6 +10608,8 @@ enum {
ALC897_FIXUP_LENOVO_HEADSET_MIC,
ALC897_FIXUP_HEADSET_MIC_PIN,
ALC897_FIXUP_HP_HSMIC_VERB,
+ ALC897_FIXUP_LENOVO_HEADSET_MODE,
+ ALC897_FIXUP_HEADSET_MIC_PIN2,
};
static const struct hda_fixup alc662_fixups[] = {
@@ -11023,6 +11036,19 @@ static const struct hda_fixup alc662_fix
{ }
},
},
+ [ALC897_FIXUP_LENOVO_HEADSET_MODE] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc897_fixup_lenovo_headset_mode,
+ },
+ [ALC897_FIXUP_HEADSET_MIC_PIN2] = {
+ .type = HDA_FIXUP_PINS,
+ .v.pins = (const struct hda_pintbl[]) {
+ { 0x1a, 0x01a11140 }, /* use as headset mic, without its own jack detect */
+ { }
+ },
+ .chained = true,
+ .chain_id = ALC897_FIXUP_LENOVO_HEADSET_MODE
+ },
};
static const struct snd_pci_quirk alc662_fixup_tbl[] = {
@@ -11075,6 +11101,7 @@ static const struct snd_pci_quirk alc662
SND_PCI_QUIRK(0x17aa, 0x32cb, "Lenovo ThinkCentre M70", ALC897_FIXUP_HEADSET_MIC_PIN),
SND_PCI_QUIRK(0x17aa, 0x32cf, "Lenovo ThinkCentre M950", ALC897_FIXUP_HEADSET_MIC_PIN),
SND_PCI_QUIRK(0x17aa, 0x32f7, "Lenovo ThinkCentre M90", ALC897_FIXUP_HEADSET_MIC_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3742, "Lenovo TianYi510Pro-14IOB", ALC897_FIXUP_HEADSET_MIC_PIN2),
SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD),
SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD),
SND_PCI_QUIRK(0x1849, 0x5892, "ASRock B150M", ALC892_FIXUP_ASROCK_MOBO),
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 558/783] ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (556 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 557/783] ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 559/783] usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode Greg Kroah-Hartman
` (234 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jiao Zhou, Takashi Iwai
From: Jiao Zhou <jiaozhou@google.com>
commit 31b573946ea55e1ea0e08ae8e83bcf879b30f83a upstream.
HDMI audio is not working on the HP EliteDesk 800 G6 because the pin is
unconnected. This issue can be resolved by using the 'hdajackretask'
tool to override the unconnected pin to force it to connect.
Signed-off-by: Jiao Zhou <jiaozhou@google.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221206185311.3669950-1-jiaozhou@google.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_hdmi.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1965,6 +1965,7 @@ static int hdmi_add_cvt(struct hda_codec
static const struct snd_pci_quirk force_connect_list[] = {
SND_PCI_QUIRK(0x103c, 0x870f, "HP", 1),
SND_PCI_QUIRK(0x103c, 0x871a, "HP", 1),
+ SND_PCI_QUIRK(0x103c, 0x8711, "HP", 1),
SND_PCI_QUIRK(0x1462, 0xec94, "MS-7C94", 1),
{}
};
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 559/783] usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (557 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 558/783] ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 560/783] usb: dwc3: core: defer probe on ulpi_read_id timeout Greg Kroah-Hartman
` (233 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Thinh Nguyen, Sven Peter
From: Sven Peter <sven@svenpeter.dev>
commit 62c73bfea048e66168df09da6d3e4510ecda40bb upstream.
dwc->desired_dr_role is changed by dwc3_set_mode inside a spinlock but
then read by __dwc3_set_mode outside of that lock. This can lead to a
race condition when very quick successive role switch events happen:
CPU A
dwc3_set_mode(DWC3_GCTL_PRTCAP_HOST) // first role switch event
spin_lock_irqsave(&dwc->lock, flags);
dwc->desired_dr_role = mode; // DWC3_GCTL_PRTCAP_HOST
spin_unlock_irqrestore(&dwc->lock, flags);
queue_work(system_freezable_wq, &dwc->drd_work);
CPU B
__dwc3_set_mode
// ....
spin_lock_irqsave(&dwc->lock, flags);
// desired_dr_role is DWC3_GCTL_PRTCAP_HOST
dwc3_set_prtcap(dwc, dwc->desired_dr_role);
spin_unlock_irqrestore(&dwc->lock, flags);
CPU A
dwc3_set_mode(DWC3_GCTL_PRTCAP_DEVICE) // second event
spin_lock_irqsave(&dwc->lock, flags);
dwc->desired_dr_role = mode; // DWC3_GCTL_PRTCAP_DEVICE
spin_unlock_irqrestore(&dwc->lock, flags);
CPU B (continues running __dwc3_set_mode)
switch (dwc->desired_dr_role) { // DWC3_GCTL_PRTCAP_DEVICE
// ....
case DWC3_GCTL_PRTCAP_DEVICE:
// ....
ret = dwc3_gadget_init(dwc);
We then have DWC3_GCTL.DWC3_GCTL_PRTCAPDIR = DWC3_GCTL_PRTCAP_HOST and
dwc->current_dr_role = DWC3_GCTL_PRTCAP_HOST but initialized the
controller in device mode. It's also possible to get into a state
where both host and device are intialized at the same time.
Fix this race by creating a local copy of desired_dr_role inside
__dwc3_set_mode while holding dwc->lock.
Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly")
Cc: stable <stable@kernel.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Sven Peter <sven@svenpeter.dev>
Link: https://lore.kernel.org/r/20221128161526.79730-1-sven@svenpeter.dev
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/core.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -120,21 +120,25 @@ static void __dwc3_set_mode(struct work_
unsigned long flags;
int ret;
u32 reg;
+ u32 desired_dr_role;
mutex_lock(&dwc->mutex);
+ spin_lock_irqsave(&dwc->lock, flags);
+ desired_dr_role = dwc->desired_dr_role;
+ spin_unlock_irqrestore(&dwc->lock, flags);
pm_runtime_get_sync(dwc->dev);
if (dwc->current_dr_role == DWC3_GCTL_PRTCAP_OTG)
dwc3_otg_update(dwc, 0);
- if (!dwc->desired_dr_role)
+ if (!desired_dr_role)
goto out;
- if (dwc->desired_dr_role == dwc->current_dr_role)
+ if (desired_dr_role == dwc->current_dr_role)
goto out;
- if (dwc->desired_dr_role == DWC3_GCTL_PRTCAP_OTG && dwc->edev)
+ if (desired_dr_role == DWC3_GCTL_PRTCAP_OTG && dwc->edev)
goto out;
switch (dwc->current_dr_role) {
@@ -162,7 +166,7 @@ static void __dwc3_set_mode(struct work_
*/
if (dwc->current_dr_role && ((DWC3_IP_IS(DWC3) ||
DWC3_VER_IS_PRIOR(DWC31, 190A)) &&
- dwc->desired_dr_role != DWC3_GCTL_PRTCAP_OTG)) {
+ desired_dr_role != DWC3_GCTL_PRTCAP_OTG)) {
reg = dwc3_readl(dwc->regs, DWC3_GCTL);
reg |= DWC3_GCTL_CORESOFTRESET;
dwc3_writel(dwc->regs, DWC3_GCTL, reg);
@@ -182,11 +186,11 @@ static void __dwc3_set_mode(struct work_
spin_lock_irqsave(&dwc->lock, flags);
- dwc3_set_prtcap(dwc, dwc->desired_dr_role);
+ dwc3_set_prtcap(dwc, desired_dr_role);
spin_unlock_irqrestore(&dwc->lock, flags);
- switch (dwc->desired_dr_role) {
+ switch (desired_dr_role) {
case DWC3_GCTL_PRTCAP_HOST:
ret = dwc3_host_init(dwc);
if (ret) {
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 560/783] usb: dwc3: core: defer probe on ulpi_read_id timeout
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (558 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 559/783] usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 561/783] HID: wacom: Ensure bootloader PID is usable in hidraw mode Greg Kroah-Hartman
` (232 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Ferry Toth
From: Ferry Toth <ftoth@exalondelft.nl>
commit 63130462c919ece0ad0d9bb5a1f795ef8d79687e upstream.
Since commit 0f0101719138 ("usb: dwc3: Don't switch OTG -> peripheral
if extcon is present"), Dual Role support on Intel Merrifield platform
broke due to rearranging the call to dwc3_get_extcon().
It appears to be caused by ulpi_read_id() masking the timeout on the first
test write. In the past dwc3 probe continued by calling dwc3_core_soft_reset()
followed by dwc3_get_extcon() which happend to return -EPROBE_DEFER.
On deferred probe ulpi_read_id() finally succeeded. Due to above mentioned
rearranging -EPROBE_DEFER is not returned and probe completes without phy.
On Intel Merrifield the timeout on the first test write issue is reproducible
but it is difficult to find the root cause. Using a mainline kernel and
rootfs with buildroot ulpi_read_id() succeeds. As soon as adding
ftrace / bootconfig to find out why, ulpi_read_id() fails and we can't
analyze the flow. Using another rootfs ulpi_read_id() fails even without
adding ftrace. We suspect the issue is some kind of timing / race, but
merely retrying ulpi_read_id() does not resolve the issue.
As we now changed ulpi_read_id() to return -ETIMEDOUT in this case, we
need to handle the error by calling dwc3_core_soft_reset() and request
-EPROBE_DEFER. On deferred probe ulpi_read_id() is retried and succeeds.
Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
Link: https://lore.kernel.org/r/20221205201527.13525-3-ftoth@exalondelft.nl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -960,8 +960,13 @@ static int dwc3_core_init(struct dwc3 *d
if (!dwc->ulpi_ready) {
ret = dwc3_core_ulpi_init(dwc);
- if (ret)
+ if (ret) {
+ if (ret == -ETIMEDOUT) {
+ dwc3_core_soft_reset(dwc);
+ ret = -EPROBE_DEFER;
+ }
goto err0;
+ }
dwc->ulpi_ready = true;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 561/783] HID: wacom: Ensure bootloader PID is usable in hidraw mode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (559 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 560/783] usb: dwc3: core: defer probe on ulpi_read_id timeout Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 562/783] HID: mcp2221: dont connect hidraw Greg Kroah-Hartman
` (231 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gerecke, Tatsunosuke Tobita,
Jiri Kosina
From: Jason Gerecke <killertofu@gmail.com>
commit 1db1f392591aff13fd643f0ec7c1d5e27391d700 upstream.
Some Wacom devices have a special "bootloader" mode that is used for
firmware flashing. When operating in this mode, the device cannot be
used for input, and the HID descriptor is not able to be processed by
the driver. The driver generates an "Unknown device_type" warning and
then returns an error code from wacom_probe(). This is a problem because
userspace still needs to be able to interact with the device via hidraw
to perform the firmware flash.
This commit adds a non-generic device definition for 056a:0094 which
is used when devices are in "bootloader" mode. It marks the devices
with a special BOOTLOADER type that is recognized by wacom_probe() and
wacom_raw_event(). When we see this type we ensure a hidraw device is
created and otherwise keep our hands off so that userspace is in full
control.
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Tested-by: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/wacom_sys.c | 8 ++++++++
drivers/hid/wacom_wac.c | 4 ++++
drivers/hid/wacom_wac.h | 1 +
3 files changed, 13 insertions(+)
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -160,6 +160,9 @@ static int wacom_raw_event(struct hid_de
{
struct wacom *wacom = hid_get_drvdata(hdev);
+ if (wacom->wacom_wac.features.type == BOOTLOADER)
+ return 0;
+
if (size > WACOM_PKGLEN_MAX)
return 1;
@@ -2786,6 +2789,11 @@ static int wacom_probe(struct hid_device
return error;
}
+ if (features->type == BOOTLOADER) {
+ hid_warn(hdev, "Using device in hidraw-only mode");
+ return hid_hw_start(hdev, HID_CONNECT_HIDRAW);
+ }
+
error = wacom_parse_and_register(wacom, false);
if (error)
return error;
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -4782,6 +4782,9 @@ static const struct wacom_features wacom
static const struct wacom_features wacom_features_HID_ANY_ID =
{ "Wacom HID", .type = HID_GENERIC, .oVid = HID_ANY_ID, .oPid = HID_ANY_ID };
+static const struct wacom_features wacom_features_0x94 =
+ { "Wacom Bootloader", .type = BOOTLOADER };
+
#define USB_DEVICE_WACOM(prod) \
HID_DEVICE(BUS_USB, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\
.driver_data = (kernel_ulong_t)&wacom_features_##prod
@@ -4855,6 +4858,7 @@ const struct hid_device_id wacom_ids[] =
{ USB_DEVICE_WACOM(0x84) },
{ USB_DEVICE_WACOM(0x90) },
{ USB_DEVICE_WACOM(0x93) },
+ { USB_DEVICE_WACOM(0x94) },
{ USB_DEVICE_WACOM(0x97) },
{ USB_DEVICE_WACOM(0x9A) },
{ USB_DEVICE_WACOM(0x9F) },
--- a/drivers/hid/wacom_wac.h
+++ b/drivers/hid/wacom_wac.h
@@ -242,6 +242,7 @@ enum {
MTTPC,
MTTPC_B,
HID_GENERIC,
+ BOOTLOADER,
MAX_TYPE
};
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 562/783] HID: mcp2221: dont connect hidraw
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (560 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 561/783] HID: wacom: Ensure bootloader PID is usable in hidraw mode Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 563/783] reiserfs: Add missing calls to reiserfs_security_free() Greg Kroah-Hartman
` (230 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sven Zühlsdorf, Enrik Berkhan,
Benjamin Tissoires
From: Enrik Berkhan <Enrik.Berkhan@inka.de>
commit 67c90d14018775556d5420382ace86521421f9ff upstream.
The MCP2221 driver should not connect to the hidraw userspace interface,
as it needs exclusive access to the chip.
If you want to use /dev/hidrawX with the MCP2221, you need to avoid
binding this driver to the device and use the hid generic driver instead
(e.g. using udev rules).
Cc: stable@vger.kernel.org
Reported-by: Sven Zühlsdorf <sven.zuehlsdorf@vigem.de>
Signed-off-by: Enrik Berkhan <Enrik.Berkhan@inka.de>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20221103222714.21566-2-Enrik.Berkhan@inka.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-mcp2221.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/hid/hid-mcp2221.c
+++ b/drivers/hid/hid-mcp2221.c
@@ -840,12 +840,19 @@ static int mcp2221_probe(struct hid_devi
return ret;
}
- ret = hid_hw_start(hdev, HID_CONNECT_HIDRAW);
+ /*
+ * This driver uses the .raw_event callback and therefore does not need any
+ * HID_CONNECT_xxx flags.
+ */
+ ret = hid_hw_start(hdev, 0);
if (ret) {
hid_err(hdev, "can't start hardware\n");
return ret;
}
+ hid_info(hdev, "USB HID v%x.%02x Device [%s] on %s\n", hdev->version >> 8,
+ hdev->version & 0xff, hdev->name, hdev->phys);
+
ret = hid_hw_open(hdev);
if (ret) {
hid_err(hdev, "can't open device\n");
@@ -870,8 +877,7 @@ static int mcp2221_probe(struct hid_devi
mcp->adapter.retries = 1;
mcp->adapter.dev.parent = &hdev->dev;
snprintf(mcp->adapter.name, sizeof(mcp->adapter.name),
- "MCP2221 usb-i2c bridge on hidraw%d",
- ((struct hidraw *)hdev->hidraw)->minor);
+ "MCP2221 usb-i2c bridge");
ret = i2c_add_adapter(&mcp->adapter);
if (ret) {
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 563/783] reiserfs: Add missing calls to reiserfs_security_free()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (561 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 562/783] HID: mcp2221: dont connect hidraw Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 564/783] iio: adc: ad_sigma_delta: do not use internal iio_dev lock Greg Kroah-Hartman
` (229 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeff Mahoney, Tetsuo Handa,
Mimi Zohar, Roberto Sassu, Paul Moore
From: Roberto Sassu <roberto.sassu@huawei.com>
commit 572302af1258459e124437b8f3369357447afac7 upstream.
Commit 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes
during inode creation") defined reiserfs_security_free() to free the name
and value of a security xattr allocated by the active LSM through
security_old_inode_init_security(). However, this function is not called
in the reiserfs code.
Thus, add a call to reiserfs_security_free() whenever
reiserfs_security_init() is called, and initialize value to NULL, to avoid
to call kfree() on an uninitialized pointer.
Finally, remove the kfree() for the xattr name, as it is not allocated
anymore.
Fixes: 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation")
Cc: stable@vger.kernel.org
Cc: Jeff Mahoney <jeffm@suse.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reported-by: Mimi Zohar <zohar@linux.ibm.com>
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/reiserfs/namei.c | 4 ++++
fs/reiserfs/xattr_security.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
--- a/fs/reiserfs/namei.c
+++ b/fs/reiserfs/namei.c
@@ -695,6 +695,7 @@ static int reiserfs_create(struct inode
out_failed:
reiserfs_write_unlock(dir->i_sb);
+ reiserfs_security_free(&security);
return retval;
}
@@ -778,6 +779,7 @@ static int reiserfs_mknod(struct inode *
out_failed:
reiserfs_write_unlock(dir->i_sb);
+ reiserfs_security_free(&security);
return retval;
}
@@ -876,6 +878,7 @@ static int reiserfs_mkdir(struct inode *
retval = journal_end(&th);
out_failed:
reiserfs_write_unlock(dir->i_sb);
+ reiserfs_security_free(&security);
return retval;
}
@@ -1191,6 +1194,7 @@ static int reiserfs_symlink(struct inode
retval = journal_end(&th);
out_failed:
reiserfs_write_unlock(parent_dir->i_sb);
+ reiserfs_security_free(&security);
return retval;
}
--- a/fs/reiserfs/xattr_security.c
+++ b/fs/reiserfs/xattr_security.c
@@ -49,6 +49,7 @@ int reiserfs_security_init(struct inode
int error;
sec->name = NULL;
+ sec->value = NULL;
/* Don't add selinux attributes on xattrs - they'll never get used */
if (IS_PRIVATE(dir))
@@ -94,7 +95,6 @@ int reiserfs_security_write(struct reise
void reiserfs_security_free(struct reiserfs_security_handle *sec)
{
- kfree(sec->name);
kfree(sec->value);
sec->name = NULL;
sec->value = NULL;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 564/783] iio: adc: ad_sigma_delta: do not use internal iio_dev lock
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (562 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 563/783] reiserfs: Add missing calls to reiserfs_security_free() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 565/783] iio: adc128s052: add proper .data members in adc128_of_match table Greg Kroah-Hartman
` (228 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nuno Sá,
Miquel Raynal, Jonathan Cameron, Stable
From: Nuno Sá <nuno.sa@analog.com>
commit 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 upstream.
Drop 'mlock' usage by making use of iio_device_claim_direct_mode().
This change actually makes sure we cannot do a single conversion while
buffering is enable. Note there was a potential race in the previous
code since we were only acquiring the lock after checking if the bus is
enabled.
Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Cc: <Stable@vger.kernel.org> #No rush as race is very old.
Link: https://lore.kernel.org/r/20220920112821.975359-2-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad_sigma_delta.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -280,10 +280,10 @@ int ad_sigma_delta_single_conversion(str
unsigned int data_reg;
int ret = 0;
- if (iio_buffer_enabled(indio_dev))
- return -EBUSY;
+ ret = iio_device_claim_direct_mode(indio_dev);
+ if (ret)
+ return ret;
- mutex_lock(&indio_dev->mlock);
ad_sigma_delta_set_channel(sigma_delta, chan->address);
spi_bus_lock(sigma_delta->spi->master);
@@ -322,7 +322,7 @@ out:
ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
sigma_delta->bus_locked = false;
spi_bus_unlock(sigma_delta->spi->master);
- mutex_unlock(&indio_dev->mlock);
+ iio_device_release_direct_mode(indio_dev);
if (ret)
return ret;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 565/783] iio: adc128s052: add proper .data members in adc128_of_match table
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (563 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 564/783] iio: adc: ad_sigma_delta: do not use internal iio_dev lock Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 566/783] regulator: core: fix deadlock on regulator enable Greg Kroah-Hartman
` (227 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rasmus Villemoes, Andy Shevchenko,
Stable, Jonathan Cameron
From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
commit e2af60f5900c6ade53477b494ffb54690eee11f5 upstream.
Prior to commit bd5d54e4d49d ("iio: adc128s052: add ACPI _HID
AANT1280"), the driver unconditionally used spi_get_device_id() to get
the index into the adc128_config array.
However, with that commit, OF-based boards now incorrectly treat all
supported sensors as if they are an adc128s052, because all the .data
members of the adc128_of_match table are implicitly 0. Our board,
which has an adc122s021, thus exposes 8 channels whereas it really
only has two.
Fixes: bd5d54e4d49d ("iio: adc128s052: add ACPI _HID AANT1280")
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20221115132324.1078169-1-linux@rasmusvillemoes.dk
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ti-adc128s052.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/iio/adc/ti-adc128s052.c
+++ b/drivers/iio/adc/ti-adc128s052.c
@@ -193,13 +193,13 @@ static int adc128_remove(struct spi_devi
}
static const struct of_device_id adc128_of_match[] = {
- { .compatible = "ti,adc128s052", },
- { .compatible = "ti,adc122s021", },
- { .compatible = "ti,adc122s051", },
- { .compatible = "ti,adc122s101", },
- { .compatible = "ti,adc124s021", },
- { .compatible = "ti,adc124s051", },
- { .compatible = "ti,adc124s101", },
+ { .compatible = "ti,adc128s052", .data = (void*)0L, },
+ { .compatible = "ti,adc122s021", .data = (void*)1L, },
+ { .compatible = "ti,adc122s051", .data = (void*)1L, },
+ { .compatible = "ti,adc122s101", .data = (void*)1L, },
+ { .compatible = "ti,adc124s021", .data = (void*)2L, },
+ { .compatible = "ti,adc124s051", .data = (void*)2L, },
+ { .compatible = "ti,adc124s101", .data = (void*)2L, },
{ /* sentinel */ },
};
MODULE_DEVICE_TABLE(of, adc128_of_match);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 566/783] regulator: core: fix deadlock on regulator enable
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (564 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 565/783] iio: adc128s052: add proper .data members in adc128_of_match table Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 567/783] gcov: add support for checksum field Greg Kroah-Hartman
` (226 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johan Hovold, Mark Brown
From: Johan Hovold <johan+linaro@kernel.org>
commit cb3543cff90a4448ed560ac86c98033ad5fecda9 upstream.
When updating the operating mode as part of regulator enable, the caller
has already locked the regulator tree and drms_uA_update() must not try
to do the same in order not to trigger a deadlock.
The lock inversion is reported by lockdep as:
======================================================
WARNING: possible circular locking dependency detected
6.1.0-next-20221215 #142 Not tainted
------------------------------------------------------
udevd/154 is trying to acquire lock:
ffffc11f123d7e50 (regulator_list_mutex){+.+.}-{3:3}, at: regulator_lock_dependent+0x54/0x280
but task is already holding lock:
ffff80000e4c36e8 (regulator_ww_class_acquire){+.+.}-{0:0}, at: regulator_enable+0x34/0x80
which lock already depends on the new lock.
...
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(regulator_ww_class_acquire);
lock(regulator_list_mutex);
lock(regulator_ww_class_acquire);
lock(regulator_list_mutex);
*** DEADLOCK ***
just before probe of a Qualcomm UFS controller (occasionally) deadlocks
when enabling one of its regulators.
Fixes: 9243a195be7a ("regulator: core: Change voltage setting path")
Fixes: f8702f9e4aa7 ("regulator: core: Use ww_mutex for regulators locking")
Cc: stable@vger.kernel.org # 5.0
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20221215104646.19818-1-johan+linaro@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -980,7 +980,7 @@ static int drms_uA_update(struct regulat
/* get input voltage */
input_uV = 0;
if (rdev->supply)
- input_uV = regulator_get_voltage(rdev->supply);
+ input_uV = regulator_get_voltage_rdev(rdev->supply->rdev);
if (input_uV <= 0)
input_uV = rdev->constraints->input_uV;
if (input_uV <= 0) {
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 567/783] gcov: add support for checksum field
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (565 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 566/783] regulator: core: fix deadlock on regulator enable Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 568/783] ovl: fix use inode directly in rcu-walk mode Greg Kroah-Hartman
` (225 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rickard x Andersson,
Peter Oberparleiter, Martin Liska, Andrew Morton
From: Rickard x Andersson <rickaran@axis.com>
commit e96b95c2b7a63a454b6498e2df67aac14d046d13 upstream.
In GCC version 12.1 a checksum field was added.
This patch fixes a kernel crash occurring during boot when using
gcov-kernel with GCC version 12.2. The crash occurred on a system running
on i.MX6SX.
Link: https://lkml.kernel.org/r/20221220102318.3418501-1-rickaran@axis.com
Fixes: 977ef30a7d88 ("gcov: support GCC 12.1 and newer compilers")
Signed-off-by: Rickard x Andersson <rickaran@axis.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Tested-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reviewed-by: Martin Liska <mliska@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/gcov/gcc_4_7.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/kernel/gcov/gcc_4_7.c
+++ b/kernel/gcov/gcc_4_7.c
@@ -85,6 +85,7 @@ struct gcov_fn_info {
* @version: gcov version magic indicating the gcc version used for compilation
* @next: list head for a singly-linked list
* @stamp: uniquifying time stamp
+ * @checksum: unique object checksum
* @filename: name of the associated gcov data file
* @merge: merge functions (null for unused counter type)
* @n_functions: number of instrumented functions
@@ -97,6 +98,10 @@ struct gcov_info {
unsigned int version;
struct gcov_info *next;
unsigned int stamp;
+ /* Since GCC 12.1 a checksum field is added. */
+#if (__GNUC__ >= 12)
+ unsigned int checksum;
+#endif
const char *filename;
void (*merge[GCOV_COUNTERS])(gcov_type *, unsigned int);
unsigned int n_functions;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 568/783] ovl: fix use inode directly in rcu-walk mode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (566 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 567/783] gcov: add support for checksum field Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 569/783] media: dvbdev: fix build warning due to comments Greg Kroah-Hartman
` (224 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Zhongjin, Miklos Szeredi,
syzbot+a4055c78774bbf3498bb
From: Chen Zhongjin <chenzhongjin@huawei.com>
commit 672e4268b2863d7e4978dfed29552b31c2f9bd4e upstream.
ovl_dentry_revalidate_common() can be called in rcu-walk mode. As document
said, "in rcu-walk mode, d_parent and d_inode should not be used without
care".
Check inode here to protect access under rcu-walk mode.
Fixes: bccece1ead36 ("ovl: allow remote upper")
Reported-and-tested-by: syzbot+a4055c78774bbf3498bb@syzkaller.appspotmail.com
Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com>
Cc: <stable@vger.kernel.org> # v5.7
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/overlayfs/super.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -138,11 +138,16 @@ static int ovl_dentry_revalidate_common(
unsigned int flags, bool weak)
{
struct ovl_entry *oe = dentry->d_fsdata;
+ struct inode *inode = d_inode_rcu(dentry);
struct dentry *upper;
unsigned int i;
int ret = 1;
- upper = ovl_dentry_upper(dentry);
+ /* Careful in RCU mode */
+ if (!inode)
+ return -ECHILD;
+
+ upper = ovl_i_dentry_upper(inode);
if (upper)
ret = ovl_revalidate_real(upper, flags, weak);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 569/783] media: dvbdev: fix build warning due to comments
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (567 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 568/783] ovl: fix use inode directly in rcu-walk mode Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 570/783] media: dvbdev: fix refcnt bug Greg Kroah-Hartman
` (223 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephen Rothwell, Lin Ma,
Hans Verkuil, Mauro Carvalho Chehab
From: Lin Ma <linma@zju.edu.cn>
commit 3edfd14bb50fa6f94ed1a37bbb17d9f1c2793b57 upstream.
Previous commit that introduces reference counter does not add proper
comments, which will lead to warning when building htmldocs. Fix them.
Reported-by: "Stephen Rothwell" <sfr@canb.auug.org.au>
Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/media/dvbdev.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/include/media/dvbdev.h
+++ b/include/media/dvbdev.h
@@ -126,6 +126,7 @@ struct dvb_adapter {
* struct dvb_device - represents a DVB device node
*
* @list_head: List head with all DVB devices
+ * @ref: reference counter
* @fops: pointer to struct file_operations
* @adapter: pointer to the adapter that holds this device node
* @type: type of the device, as defined by &enum dvb_device_type.
@@ -196,7 +197,7 @@ struct dvb_device {
struct dvb_device *dvb_device_get(struct dvb_device *dvbdev);
/**
- * dvb_device_get - Decrease dvb_device reference
+ * dvb_device_put - Decrease dvb_device reference
*
* @dvbdev: pointer to struct dvb_device
*/
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 570/783] media: dvbdev: fix refcnt bug
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (568 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 569/783] media: dvbdev: fix build warning due to comments Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 571/783] pwm: tegra: Fix 32 bit build Greg Kroah-Hartman
` (222 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+fce48a3dd3368645bd6c, Lin Ma,
Hans Verkuil, Mauro Carvalho Chehab
From: Lin Ma <linma@zju.edu.cn>
commit 3a664569b71b0a52be5ffb9fb87cc4f83d29bd71 upstream.
Previous commit initialize the dvbdev->ref before the template copy,
which will overwrite the reference and cause refcnt bug.
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc6-next-20221128-syzkaller #0
...
RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
RSP: 0000:ffffc900000678d0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88813ff58000 RSI: ffffffff81660e7c RDI: fffff5200000cf0c
RBP: ffff888022a45010 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 000000000c48e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__refcount_add include/linux/refcount.h:199 [inline]
__refcount_inc include/linux/refcount.h:250 [inline]
refcount_inc include/linux/refcount.h:267 [inline]
kref_get include/linux/kref.h:45 [inline]
dvb_device_get drivers/media/dvb-core/dvbdev.c:585 [inline]
dvb_register_device+0xe83/0x16e0 drivers/media/dvb-core/dvbdev.c:517
...
Just place the kref_init at correct position.
Reported-by: syzbot+fce48a3dd3368645bd6c@syzkaller.appspotmail.com
Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-core/dvbdev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -490,8 +490,8 @@ int dvb_register_device(struct dvb_adapt
return -ENOMEM;
}
- kref_init(&dvbdev->ref);
memcpy(dvbdev, template, sizeof(struct dvb_device));
+ kref_init(&dvbdev->ref);
dvbdev->type = type;
dvbdev->id = id;
dvbdev->adapter = adap;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 571/783] pwm: tegra: Fix 32 bit build
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (569 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 570/783] media: dvbdev: fix refcnt bug Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 572/783] usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init Greg Kroah-Hartman
` (221 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steven Price, Uwe Kleine-König,
Jon Hunter, Sasha Levin
From: Steven Price <steven.price@arm.com>
[ Upstream commit dd1f1da4ada5d8ac774c2ebe97230637820b3323 ]
The value of NSEC_PER_SEC << PWM_DUTY_WIDTH doesn't fix within a 32 bit
integer causing a build warning/error (and the value truncated):
drivers/pwm/pwm-tegra.c: In function ‘tegra_pwm_config’:
drivers/pwm/pwm-tegra.c:148:53: error: result of ‘1000000000 << 8’ requires 39 bits to represent, but ‘long int’ only has 32 bits [-Werror=shift-overflow=]
148 | required_clk_rate = DIV_ROUND_UP_ULL(NSEC_PER_SEC << PWM_DUTY_WIDTH,
| ^~
Explicitly cast to a u64 to ensure the correct result.
Fixes: cfcb68817fb3 ("pwm: tegra: Improve required rate calculation")
Signed-off-by: Steven Price <steven.price@arm.com>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pwm/pwm-tegra.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pwm/pwm-tegra.c b/drivers/pwm/pwm-tegra.c
index 36cc1452cb7a..f3528c56e894 100644
--- a/drivers/pwm/pwm-tegra.c
+++ b/drivers/pwm/pwm-tegra.c
@@ -142,7 +142,7 @@ static int tegra_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
* source clock rate as required_clk_rate, PWM controller will
* be able to configure the requested period.
*/
- required_clk_rate = DIV_ROUND_UP_ULL(NSEC_PER_SEC << PWM_DUTY_WIDTH,
+ required_clk_rate = DIV_ROUND_UP_ULL((u64)NSEC_PER_SEC << PWM_DUTY_WIDTH,
period_ns);
err = clk_set_rate(pc->clk, required_clk_rate);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 572/783] usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (570 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 571/783] pwm: tegra: Fix 32 bit build Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 573/783] cifs: fix oops during encryption Greg Kroah-Hartman
` (220 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Thinh Nguyen, Miaoqian Lin,
Sasha Levin
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 97a48da1619ba6bd42a0e5da0a03aa490a9496b1 ]
of_icc_get() alloc resources for path handle, we should release it when not
need anymore. Like the release in dwc3_qcom_interconnect_exit() function.
Add icc_put() in error handling to fix this.
Fixes: bea46b981515 ("usb: dwc3: qcom: Add interconnect support in dwc3 driver")
Cc: stable <stable@kernel.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20221206081731.818107-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/dwc3-qcom.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/dwc3/dwc3-qcom.c b/drivers/usb/dwc3/dwc3-qcom.c
index ca3a35fd8f74..528e36cc58ea 100644
--- a/drivers/usb/dwc3/dwc3-qcom.c
+++ b/drivers/usb/dwc3/dwc3-qcom.c
@@ -258,7 +258,8 @@ static int dwc3_qcom_interconnect_init(struct dwc3_qcom *qcom)
if (IS_ERR(qcom->icc_path_apps)) {
dev_err(dev, "failed to get apps-usb path: %ld\n",
PTR_ERR(qcom->icc_path_apps));
- return PTR_ERR(qcom->icc_path_apps);
+ ret = PTR_ERR(qcom->icc_path_apps);
+ goto put_path_ddr;
}
if (usb_get_maximum_speed(&qcom->dwc3->dev) >= USB_SPEED_SUPER ||
@@ -271,17 +272,23 @@ static int dwc3_qcom_interconnect_init(struct dwc3_qcom *qcom)
if (ret) {
dev_err(dev, "failed to set bandwidth for usb-ddr path: %d\n", ret);
- return ret;
+ goto put_path_apps;
}
ret = icc_set_bw(qcom->icc_path_apps,
APPS_USB_AVG_BW, APPS_USB_PEAK_BW);
if (ret) {
dev_err(dev, "failed to set bandwidth for apps-usb path: %d\n", ret);
- return ret;
+ goto put_path_apps;
}
return 0;
+
+put_path_apps:
+ icc_put(qcom->icc_path_apps);
+put_path_ddr:
+ icc_put(qcom->icc_path_ddr);
+ return ret;
}
/**
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 573/783] cifs: fix oops during encryption
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (571 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 572/783] usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 574/783] nvme-pci: fix doorbell buffer value endianness Greg Kroah-Hartman
` (219 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (SUSE),
Steve French, Sasha Levin
From: Paulo Alcantara <pc@cjr.nz>
[ Upstream commit f7f291e14dde32a07b1f0aa06921d28f875a7b54 ]
When running xfstests against Azure the following oops occurred on an
arm64 system
Unable to handle kernel write to read-only memory at virtual address
ffff0001221cf000
Mem abort info:
ESR = 0x9600004f
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x0f: level 3 permission fault
Data abort info:
ISV = 0, ISS = 0x0000004f
CM = 0, WnR = 1
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000000294f3000
[ffff0001221cf000] pgd=18000001ffff8003, p4d=18000001ffff8003,
pud=18000001ff82e003, pmd=18000001ff71d003, pte=00600001221cf787
Internal error: Oops: 9600004f [#1] PREEMPT SMP
...
pstate: 80000005 (Nzcv daif -PAN -UAO -TCO BTYPE=--)
pc : __memcpy+0x40/0x230
lr : scatterwalk_copychunks+0xe0/0x200
sp : ffff800014e92de0
x29: ffff800014e92de0 x28: ffff000114f9de80 x27: 0000000000000008
x26: 0000000000000008 x25: ffff800014e92e78 x24: 0000000000000008
x23: 0000000000000001 x22: 0000040000000000 x21: ffff000000000000
x20: 0000000000000001 x19: ffff0001037c4488 x18: 0000000000000014
x17: 235e1c0d6efa9661 x16: a435f9576b6edd6c x15: 0000000000000058
x14: 0000000000000001 x13: 0000000000000008 x12: ffff000114f2e590
x11: ffffffffffffffff x10: 0000040000000000 x9 : ffff8000105c3580
x8 : 2e9413b10000001a x7 : 534b4410fb86b005 x6 : 534b4410fb86b005
x5 : ffff0001221cf008 x4 : ffff0001037c4490 x3 : 0000000000000001
x2 : 0000000000000008 x1 : ffff0001037c4488 x0 : ffff0001221cf000
Call trace:
__memcpy+0x40/0x230
scatterwalk_map_and_copy+0x98/0x100
crypto_ccm_encrypt+0x150/0x180
crypto_aead_encrypt+0x2c/0x40
crypt_message+0x750/0x880
smb3_init_transform_rq+0x298/0x340
smb_send_rqst.part.11+0xd8/0x180
smb_send_rqst+0x3c/0x100
compound_send_recv+0x534/0xbc0
smb2_query_info_compound+0x32c/0x440
smb2_set_ea+0x438/0x4c0
cifs_xattr_set+0x5d4/0x7c0
This is because in scatterwalk_copychunks(), we attempted to write to
a buffer (@sign) that was allocated in the stack (vmalloc area) by
crypt_message() and thus accessing its remaining 8 (x2) bytes ended up
crossing a page boundary.
To simply fix it, we could just pass @sign kmalloc'd from
crypt_message() and then we're done. Luckily, we don't seem to pass
any other vmalloc'd buffers in smb_rqst::rq_iov...
Instead, let's map the correct pages and offsets from vmalloc buffers
as well in cifs_sg_set_buf() and then avoiding such oopses.
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/cifsglob.h | 69 +++++++++++++++++++++
fs/cifs/cifsproto.h | 4 +-
fs/cifs/misc.c | 4 +-
fs/cifs/smb2ops.c | 143 +++++++++++++++++++++-----------------------
4 files changed, 141 insertions(+), 79 deletions(-)
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 196285b0fe46..92a7628560cc 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -22,6 +22,8 @@
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/slab.h>
+#include <linux/scatterlist.h>
+#include <linux/mm.h>
#include <linux/mempool.h>
#include <linux/workqueue.h>
#include "cifs_fs_sb.h"
@@ -30,6 +32,7 @@
#include <linux/scatterlist.h>
#include <uapi/linux/cifs/cifs_mount.h>
#include "smb2pdu.h"
+#include "smb2glob.h"
#define CIFS_MAGIC_NUMBER 0xFF534D42 /* the first four bytes of SMB PDUs */
@@ -2046,4 +2049,70 @@ static inline bool is_tcon_dfs(struct cifs_tcon *tcon)
tcon->share_flags & (SHI1005_FLAGS_DFS | SHI1005_FLAGS_DFS_ROOT);
}
+static inline unsigned int cifs_get_num_sgs(const struct smb_rqst *rqst,
+ int num_rqst,
+ const u8 *sig)
+{
+ unsigned int len, skip;
+ unsigned int nents = 0;
+ unsigned long addr;
+ int i, j;
+
+ /* Assumes the first rqst has a transform header as the first iov.
+ * I.e.
+ * rqst[0].rq_iov[0] is transform header
+ * rqst[0].rq_iov[1+] data to be encrypted/decrypted
+ * rqst[1+].rq_iov[0+] data to be encrypted/decrypted
+ */
+ for (i = 0; i < num_rqst; i++) {
+ /*
+ * The first rqst has a transform header where the
+ * first 20 bytes are not part of the encrypted blob.
+ */
+ for (j = 0; j < rqst[i].rq_nvec; j++) {
+ struct kvec *iov = &rqst[i].rq_iov[j];
+
+ skip = (i == 0) && (j == 0) ? 20 : 0;
+ addr = (unsigned long)iov->iov_base + skip;
+ if (unlikely(is_vmalloc_addr((void *)addr))) {
+ len = iov->iov_len - skip;
+ nents += DIV_ROUND_UP(offset_in_page(addr) + len,
+ PAGE_SIZE);
+ } else {
+ nents++;
+ }
+ }
+ nents += rqst[i].rq_npages;
+ }
+ nents += DIV_ROUND_UP(offset_in_page(sig) + SMB2_SIGNATURE_SIZE, PAGE_SIZE);
+ return nents;
+}
+
+/* We can not use the normal sg_set_buf() as we will sometimes pass a
+ * stack object as buf.
+ */
+static inline struct scatterlist *cifs_sg_set_buf(struct scatterlist *sg,
+ const void *buf,
+ unsigned int buflen)
+{
+ unsigned long addr = (unsigned long)buf;
+ unsigned int off = offset_in_page(addr);
+
+ addr &= PAGE_MASK;
+ if (unlikely(is_vmalloc_addr((void *)addr))) {
+ do {
+ unsigned int len = min_t(unsigned int, buflen, PAGE_SIZE - off);
+
+ sg_set_page(sg++, vmalloc_to_page((void *)addr), len, off);
+
+ off = 0;
+ addr += PAGE_SIZE;
+ buflen -= len;
+ } while (buflen);
+ } else {
+ sg_set_page(sg++, virt_to_page(addr), buflen, off);
+ }
+ return sg;
+}
+
#endif /* _CIFS_GLOB_H */
diff --git a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
index a6ca4eda9a5a..ca34cc1e1931 100644
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -602,8 +602,8 @@ int cifs_alloc_hash(const char *name, struct crypto_shash **shash,
struct sdesc **sdesc);
void cifs_free_hash(struct crypto_shash **shash, struct sdesc **sdesc);
-extern void rqst_page_get_length(struct smb_rqst *rqst, unsigned int page,
- unsigned int *len, unsigned int *offset);
+void rqst_page_get_length(const struct smb_rqst *rqst, unsigned int page,
+ unsigned int *len, unsigned int *offset);
struct cifs_chan *
cifs_ses_find_chan(struct cifs_ses *ses, struct TCP_Server_Info *server);
int cifs_try_adding_channels(struct cifs_ses *ses);
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index 9d740916a8ee..9044b0fca9a3 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -974,8 +974,8 @@ cifs_free_hash(struct crypto_shash **shash, struct sdesc **sdesc)
* Input: rqst - a smb_rqst, page - a page index for rqst
* Output: *len - the length for this page, *offset - the offset for this page
*/
-void rqst_page_get_length(struct smb_rqst *rqst, unsigned int page,
- unsigned int *len, unsigned int *offset)
+void rqst_page_get_length(const struct smb_rqst *rqst, unsigned int page,
+ unsigned int *len, unsigned int *offset)
{
*len = rqst->rq_pagesz;
*offset = (page == 0) ? rqst->rq_offset : 0;
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 72368b656b33..844db4652dd1 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -4164,69 +4164,82 @@ fill_transform_hdr(struct smb2_transform_hdr *tr_hdr, unsigned int orig_len,
memcpy(&tr_hdr->SessionId, &shdr->SessionId, 8);
}
-/* We can not use the normal sg_set_buf() as we will sometimes pass a
- * stack object as buf.
- */
-static inline void smb2_sg_set_buf(struct scatterlist *sg, const void *buf,
- unsigned int buflen)
+static void *smb2_aead_req_alloc(struct crypto_aead *tfm, const struct smb_rqst *rqst,
+ int num_rqst, const u8 *sig, u8 **iv,
+ struct aead_request **req, struct scatterlist **sgl,
+ unsigned int *num_sgs)
{
- void *addr;
- /*
- * VMAP_STACK (at least) puts stack into the vmalloc address space
- */
- if (is_vmalloc_addr(buf))
- addr = vmalloc_to_page(buf);
- else
- addr = virt_to_page(buf);
- sg_set_page(sg, addr, buflen, offset_in_page(buf));
+ unsigned int req_size = sizeof(**req) + crypto_aead_reqsize(tfm);
+ unsigned int iv_size = crypto_aead_ivsize(tfm);
+ unsigned int len;
+ u8 *p;
+
+ *num_sgs = cifs_get_num_sgs(rqst, num_rqst, sig);
+
+ len = iv_size;
+ len += crypto_aead_alignmask(tfm) & ~(crypto_tfm_ctx_alignment() - 1);
+ len = ALIGN(len, crypto_tfm_ctx_alignment());
+ len += req_size;
+ len = ALIGN(len, __alignof__(struct scatterlist));
+ len += *num_sgs * sizeof(**sgl);
+
+ p = kmalloc(len, GFP_ATOMIC);
+ if (!p)
+ return NULL;
+
+ *iv = (u8 *)PTR_ALIGN(p, crypto_aead_alignmask(tfm) + 1);
+ *req = (struct aead_request *)PTR_ALIGN(*iv + iv_size,
+ crypto_tfm_ctx_alignment());
+ *sgl = (struct scatterlist *)PTR_ALIGN((u8 *)*req + req_size,
+ __alignof__(struct scatterlist));
+ return p;
}
-/* Assumes the first rqst has a transform header as the first iov.
- * I.e.
- * rqst[0].rq_iov[0] is transform header
- * rqst[0].rq_iov[1+] data to be encrypted/decrypted
- * rqst[1+].rq_iov[0+] data to be encrypted/decrypted
- */
-static struct scatterlist *
-init_sg(int num_rqst, struct smb_rqst *rqst, u8 *sign)
+static void *smb2_get_aead_req(struct crypto_aead *tfm, const struct smb_rqst *rqst,
+ int num_rqst, const u8 *sig, u8 **iv,
+ struct aead_request **req, struct scatterlist **sgl)
{
- unsigned int sg_len;
+ unsigned int off, len, skip;
struct scatterlist *sg;
- unsigned int i;
- unsigned int j;
- unsigned int idx = 0;
- int skip;
-
- sg_len = 1;
- for (i = 0; i < num_rqst; i++)
- sg_len += rqst[i].rq_nvec + rqst[i].rq_npages;
+ unsigned int num_sgs;
+ unsigned long addr;
+ int i, j;
+ void *p;
- sg = kmalloc_array(sg_len, sizeof(struct scatterlist), GFP_KERNEL);
- if (!sg)
+ p = smb2_aead_req_alloc(tfm, rqst, num_rqst, sig, iv, req, sgl, &num_sgs);
+ if (!p)
return NULL;
- sg_init_table(sg, sg_len);
+ sg_init_table(*sgl, num_sgs);
+ sg = *sgl;
+
+ /* Assumes the first rqst has a transform header as the first iov.
+ * I.e.
+ * rqst[0].rq_iov[0] is transform header
+ * rqst[0].rq_iov[1+] data to be encrypted/decrypted
+ * rqst[1+].rq_iov[0+] data to be encrypted/decrypted
+ */
for (i = 0; i < num_rqst; i++) {
+ /*
+ * The first rqst has a transform header where the
+ * first 20 bytes are not part of the encrypted blob.
+ */
for (j = 0; j < rqst[i].rq_nvec; j++) {
- /*
- * The first rqst has a transform header where the
- * first 20 bytes are not part of the encrypted blob
- */
- skip = (i == 0) && (j == 0) ? 20 : 0;
- smb2_sg_set_buf(&sg[idx++],
- rqst[i].rq_iov[j].iov_base + skip,
- rqst[i].rq_iov[j].iov_len - skip);
- }
+ struct kvec *iov = &rqst[i].rq_iov[j];
+ skip = (i == 0) && (j == 0) ? 20 : 0;
+ addr = (unsigned long)iov->iov_base + skip;
+ len = iov->iov_len - skip;
+ sg = cifs_sg_set_buf(sg, (void *)addr, len);
+ }
for (j = 0; j < rqst[i].rq_npages; j++) {
- unsigned int len, offset;
-
- rqst_page_get_length(&rqst[i], j, &len, &offset);
- sg_set_page(&sg[idx++], rqst[i].rq_pages[j], len, offset);
+ rqst_page_get_length(&rqst[i], j, &len, &off);
+ sg_set_page(sg++, rqst[i].rq_pages[j], len, off);
}
}
- smb2_sg_set_buf(&sg[idx], sign, SMB2_SIGNATURE_SIZE);
- return sg;
+ cifs_sg_set_buf(sg, sig, SMB2_SIGNATURE_SIZE);
+
+ return p;
}
static int
@@ -4270,11 +4283,11 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
u8 sign[SMB2_SIGNATURE_SIZE] = {};
u8 key[SMB3_ENC_DEC_KEY_SIZE];
struct aead_request *req;
- char *iv;
- unsigned int iv_len;
+ u8 *iv;
DECLARE_CRYPTO_WAIT(wait);
struct crypto_aead *tfm;
unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
+ void *creq;
rc = smb2_get_enc_key(server, tr_hdr->SessionId, enc, key);
if (rc) {
@@ -4309,32 +4322,15 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
return rc;
}
- req = aead_request_alloc(tfm, GFP_KERNEL);
- if (!req) {
- cifs_server_dbg(VFS, "%s: Failed to alloc aead request\n", __func__);
+ creq = smb2_get_aead_req(tfm, rqst, num_rqst, sign, &iv, &req, &sg);
+ if (unlikely(!creq))
return -ENOMEM;
- }
if (!enc) {
memcpy(sign, &tr_hdr->Signature, SMB2_SIGNATURE_SIZE);
crypt_len += SMB2_SIGNATURE_SIZE;
}
- sg = init_sg(num_rqst, rqst, sign);
- if (!sg) {
- cifs_server_dbg(VFS, "%s: Failed to init sg\n", __func__);
- rc = -ENOMEM;
- goto free_req;
- }
-
- iv_len = crypto_aead_ivsize(tfm);
- iv = kzalloc(iv_len, GFP_KERNEL);
- if (!iv) {
- cifs_server_dbg(VFS, "%s: Failed to alloc iv\n", __func__);
- rc = -ENOMEM;
- goto free_sg;
- }
-
if ((server->cipher_type == SMB2_ENCRYPTION_AES128_GCM) ||
(server->cipher_type == SMB2_ENCRYPTION_AES256_GCM))
memcpy(iv, (char *)tr_hdr->Nonce, SMB3_AES_GCM_NONCE);
@@ -4343,6 +4339,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
memcpy(iv + 1, (char *)tr_hdr->Nonce, SMB3_AES_CCM_NONCE);
}
+ aead_request_set_tfm(req, tfm);
aead_request_set_crypt(req, sg, sg, crypt_len, iv);
aead_request_set_ad(req, assoc_data_len);
@@ -4355,11 +4352,7 @@ crypt_message(struct TCP_Server_Info *server, int num_rqst,
if (!rc && enc)
memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
- kfree(iv);
-free_sg:
- kfree(sg);
-free_req:
- kfree(req);
+ kfree_sensitive(creq);
return rc;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 574/783] nvme-pci: fix doorbell buffer value endianness
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (572 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 573/783] cifs: fix oops during encryption Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 575/783] nvme-pci: fix mempool alloc size Greg Kroah-Hartman
` (218 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guenter Roeck, Klaus Jensen,
Christoph Hellwig, Sasha Levin
From: Klaus Jensen <k.jensen@samsung.com>
[ Upstream commit b5f96cb719d8ba220b565ddd3ba4ac0d8bcfb130 ]
When using shadow doorbells, the event index and the doorbell values are
written to host memory. Prior to this patch, the values written would
erroneously be written in host endianness. This causes trouble on
big-endian platforms. Fix this by adding missing endian conversions.
This issue was noticed by Guenter while testing various big-endian
platforms under QEMU[1]. A similar fix required for hw/nvme in QEMU is
up for review as well[2].
[1]: https://lore.kernel.org/qemu-devel/20221209110022.GA3396194@roeck-us.net/
[2]: https://lore.kernel.org/qemu-devel/20221212114409.34972-4-its@irrelevant.dk/
Fixes: f9f38e33389c ("nvme: improve performance for virtual NVMe devices")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Klaus Jensen <k.jensen@samsung.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index c222d7bf6ce1..948b027a75d3 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -139,9 +139,9 @@ struct nvme_dev {
mempool_t *iod_mempool;
/* shadow doorbell buffer support: */
- u32 *dbbuf_dbs;
+ __le32 *dbbuf_dbs;
dma_addr_t dbbuf_dbs_dma_addr;
- u32 *dbbuf_eis;
+ __le32 *dbbuf_eis;
dma_addr_t dbbuf_eis_dma_addr;
/* host memory buffer support: */
@@ -209,10 +209,10 @@ struct nvme_queue {
#define NVMEQ_SQ_CMB 1
#define NVMEQ_DELETE_ERROR 2
#define NVMEQ_POLLED 3
- u32 *dbbuf_sq_db;
- u32 *dbbuf_cq_db;
- u32 *dbbuf_sq_ei;
- u32 *dbbuf_cq_ei;
+ __le32 *dbbuf_sq_db;
+ __le32 *dbbuf_cq_db;
+ __le32 *dbbuf_sq_ei;
+ __le32 *dbbuf_cq_ei;
struct completion delete_done;
};
@@ -334,11 +334,11 @@ static inline int nvme_dbbuf_need_event(u16 event_idx, u16 new_idx, u16 old)
}
/* Update dbbuf and return true if an MMIO is required */
-static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db,
- volatile u32 *dbbuf_ei)
+static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db,
+ volatile __le32 *dbbuf_ei)
{
if (dbbuf_db) {
- u16 old_value;
+ u16 old_value, event_idx;
/*
* Ensure that the queue is written before updating
@@ -346,8 +346,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db,
*/
wmb();
- old_value = *dbbuf_db;
- *dbbuf_db = value;
+ old_value = le32_to_cpu(*dbbuf_db);
+ *dbbuf_db = cpu_to_le32(value);
/*
* Ensure that the doorbell is updated before reading the event
@@ -357,7 +357,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, u32 *dbbuf_db,
*/
mb();
- if (!nvme_dbbuf_need_event(*dbbuf_ei, value, old_value))
+ event_idx = le32_to_cpu(*dbbuf_ei);
+ if (!nvme_dbbuf_need_event(event_idx, value, old_value))
return false;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 575/783] nvme-pci: fix mempool alloc size
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (573 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 574/783] nvme-pci: fix doorbell buffer value endianness Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 576/783] nvme-pci: fix page size checks Greg Kroah-Hartman
` (217 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jens Axboe, Keith Busch,
Kanchan Joshi, Chaitanya Kulkarni, Christoph Hellwig,
Sasha Levin
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit c89a529e823d51dd23c7ec0c047c7a454a428541 ]
Convert the max size to bytes to match the units of the divisor that
calculates the worst-case number of PRP entries.
The result is used to determine how many PRP Lists are required. The
code was previously rounding this to 1 list, but we can require 2 in the
worst case. In that scenario, the driver would corrupt memory beyond the
size provided by the mempool.
While unlikely to occur (you'd need a 4MB in exactly 127 phys segments
on a queue that doesn't support SGLs), this memory corruption has been
observed by kfence.
Cc: Jens Axboe <axboe@kernel.dk>
Fixes: 943e942e6266f ("nvme-pci: limit max IO size and segments to avoid high order allocations")
Signed-off-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 948b027a75d3..0452fb96df69 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -372,8 +372,8 @@ static bool nvme_dbbuf_update_and_check_event(u16 value, __le32 *dbbuf_db,
*/
static int nvme_pci_npages_prp(void)
{
- unsigned nprps = DIV_ROUND_UP(NVME_MAX_KB_SZ + NVME_CTRL_PAGE_SIZE,
- NVME_CTRL_PAGE_SIZE);
+ unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE;
+ unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE);
return DIV_ROUND_UP(8 * nprps, PAGE_SIZE - 8);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 576/783] nvme-pci: fix page size checks
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (574 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 575/783] nvme-pci: fix mempool alloc size Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 577/783] ata: ahci: Fix PCS quirk application for suspend Greg Kroah-Hartman
` (216 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Keith Busch, Christoph Hellwig, Sasha Levin
From: Keith Busch <kbusch@kernel.org>
[ Upstream commit 841734234a28fd5cd0889b84bd4d93a0988fa11e ]
The size allocated out of the dma pool is at most NVME_CTRL_PAGE_SIZE,
which may be smaller than the PAGE_SIZE.
Fixes: c61b82c7b7134 ("nvme-pci: fix PRP pool size")
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/pci.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 0452fb96df69..67dd68462b81 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -33,7 +33,7 @@
#define SQ_SIZE(q) ((q)->q_depth << (q)->sqes)
#define CQ_SIZE(q) ((q)->q_depth * sizeof(struct nvme_completion))
-#define SGES_PER_PAGE (PAGE_SIZE / sizeof(struct nvme_sgl_desc))
+#define SGES_PER_PAGE (NVME_CTRL_PAGE_SIZE / sizeof(struct nvme_sgl_desc))
/*
* These can be higher, but we need to ensure that any command doesn't
@@ -374,7 +374,7 @@ static int nvme_pci_npages_prp(void)
{
unsigned max_bytes = (NVME_MAX_KB_SZ * 1024) + NVME_CTRL_PAGE_SIZE;
unsigned nprps = DIV_ROUND_UP(max_bytes, NVME_CTRL_PAGE_SIZE);
- return DIV_ROUND_UP(8 * nprps, PAGE_SIZE - 8);
+ return DIV_ROUND_UP(8 * nprps, NVME_CTRL_PAGE_SIZE - 8);
}
/*
@@ -384,7 +384,7 @@ static int nvme_pci_npages_prp(void)
static int nvme_pci_npages_sgl(void)
{
return DIV_ROUND_UP(NVME_MAX_SEGS * sizeof(struct nvme_sgl_desc),
- PAGE_SIZE);
+ NVME_CTRL_PAGE_SIZE);
}
static size_t nvme_pci_iod_alloc_size(void)
@@ -735,7 +735,7 @@ static void nvme_pci_sgl_set_seg(struct nvme_sgl_desc *sge,
sge->length = cpu_to_le32(entries * sizeof(*sge));
sge->type = NVME_SGL_FMT_LAST_SEG_DESC << 4;
} else {
- sge->length = cpu_to_le32(PAGE_SIZE);
+ sge->length = cpu_to_le32(NVME_CTRL_PAGE_SIZE);
sge->type = NVME_SGL_FMT_SEG_DESC << 4;
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 577/783] ata: ahci: Fix PCS quirk application for suspend
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (575 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 576/783] nvme-pci: fix page size checks Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 578/783] nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition Greg Kroah-Hartman
` (215 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adam Vodopjan, Damien Le Moal, Sasha Levin
From: Adam Vodopjan <grozzly@protonmail.com>
[ Upstream commit 37e14e4f3715428b809e4df9a9958baa64c77d51 ]
Since kernel 5.3.4 my laptop (ICH8M controller) does not see Kingston
SV300S37A60G SSD disk connected into a SATA connector on wake from
suspend. The problem was introduced in c312ef176399 ("libata/ahci: Drop
PCS quirk for Denverton and beyond"): the quirk is not applied on wake
from suspend as it originally was.
It is worth to mention the commit contained another bug: the quirk is
not applied at all to controllers which require it. The fix commit
09d6ac8dc51a ("libata/ahci: Fix PCS quirk application") landed in 5.3.8.
So testing my patch anywhere between commits c312ef176399 and
09d6ac8dc51a is pointless.
Not all disks trigger the problem. For example nothing bad happens with
Western Digital WD5000LPCX HDD.
Test hardware:
- Acer 5920G with ICH8M SATA controller
- sda: some SATA HDD connnected into the DVD drive IDE port with a
SATA-IDE caddy. It is a boot disk
- sdb: Kingston SV300S37A60G SSD connected into the only SATA port
Sample "dmesg --notime | grep -E '^(sd |ata)'" output on wake:
sd 0:0:0:0: [sda] Starting disk
sd 2:0:0:0: [sdb] Starting disk
ata4: SATA link down (SStatus 4 SControl 300)
ata3: SATA link down (SStatus 4 SControl 300)
ata1.00: ACPI cmd ef/03:0c:00:00:00:a0 (SET FEATURES) filtered out
ata1.00: ACPI cmd ef/03:42:00:00:00:a0 (SET FEATURES) filtered out
ata1: FORCE: cable set to 80c
ata5: SATA link down (SStatus 0 SControl 300)
ata3: SATA link down (SStatus 4 SControl 300)
ata3: SATA link down (SStatus 4 SControl 300)
ata3.00: disabled
sd 2:0:0:0: rejecting I/O to offline device
ata3.00: detaching (SCSI 2:0:0:0)
sd 2:0:0:0: [sdb] Start/Stop Unit failed: Result: hostbyte=DID_NO_CONNECT
driverbyte=DRIVER_OK
sd 2:0:0:0: [sdb] Synchronizing SCSI cache
sd 2:0:0:0: [sdb] Synchronize Cache(10) failed: Result:
hostbyte=DID_BAD_TARGET driverbyte=DRIVER_OK
sd 2:0:0:0: [sdb] Stopping disk
sd 2:0:0:0: [sdb] Start/Stop Unit failed: Result: hostbyte=DID_BAD_TARGET
driverbyte=DRIVER_OK
Commit c312ef176399 dropped ahci_pci_reset_controller() which internally
calls ahci_reset_controller() and applies the PCS quirk if needed after
that. It was called each time a reset was required instead of just
ahci_reset_controller(). This patch puts the function back in place.
Fixes: c312ef176399 ("libata/ahci: Drop PCS quirk for Denverton and beyond")
Signed-off-by: Adam Vodopjan <grozzly@protonmail.com>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/ahci.c | 32 +++++++++++++++++++++++---------
1 file changed, 23 insertions(+), 9 deletions(-)
diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
index ff2add0101fe..7ca9fa9a75e2 100644
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -83,6 +83,7 @@ enum board_ids {
static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
static void ahci_remove_one(struct pci_dev *dev);
static void ahci_shutdown_one(struct pci_dev *dev);
+static void ahci_intel_pcs_quirk(struct pci_dev *pdev, struct ahci_host_priv *hpriv);
static int ahci_vt8251_hardreset(struct ata_link *link, unsigned int *class,
unsigned long deadline);
static int ahci_avn_hardreset(struct ata_link *link, unsigned int *class,
@@ -664,6 +665,25 @@ static void ahci_pci_save_initial_config(struct pci_dev *pdev,
ahci_save_initial_config(&pdev->dev, hpriv);
}
+static int ahci_pci_reset_controller(struct ata_host *host)
+{
+ struct pci_dev *pdev = to_pci_dev(host->dev);
+ struct ahci_host_priv *hpriv = host->private_data;
+ int rc;
+
+ rc = ahci_reset_controller(host);
+ if (rc)
+ return rc;
+
+ /*
+ * If platform firmware failed to enable ports, try to enable
+ * them here.
+ */
+ ahci_intel_pcs_quirk(pdev, hpriv);
+
+ return 0;
+}
+
static void ahci_pci_init_controller(struct ata_host *host)
{
struct ahci_host_priv *hpriv = host->private_data;
@@ -865,7 +885,7 @@ static int ahci_pci_device_runtime_resume(struct device *dev)
struct ata_host *host = pci_get_drvdata(pdev);
int rc;
- rc = ahci_reset_controller(host);
+ rc = ahci_pci_reset_controller(host);
if (rc)
return rc;
ahci_pci_init_controller(host);
@@ -900,7 +920,7 @@ static int ahci_pci_device_resume(struct device *dev)
ahci_mcp89_apple_enable(pdev);
if (pdev->dev.power.power_state.event == PM_EVENT_SUSPEND) {
- rc = ahci_reset_controller(host);
+ rc = ahci_pci_reset_controller(host);
if (rc)
return rc;
@@ -1785,12 +1805,6 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
/* save initial config */
ahci_pci_save_initial_config(pdev, hpriv);
- /*
- * If platform firmware failed to enable ports, try to enable
- * them here.
- */
- ahci_intel_pcs_quirk(pdev, hpriv);
-
/* prepare host */
if (hpriv->cap & HOST_CAP_NCQ) {
pi.flags |= ATA_FLAG_NCQ;
@@ -1900,7 +1914,7 @@ static int ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
if (rc)
return rc;
- rc = ahci_reset_controller(host);
+ rc = ahci_pci_reset_controller(host);
if (rc)
return rc;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 578/783] nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (576 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 577/783] ata: ahci: Fix PCS quirk application for suspend Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 579/783] nvmet: dont defer passthrough commands with trivial effects to the workqueue Greg Kroah-Hartman
` (214 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Keith Busch,
Sagi Grimberg, Kanchan Joshi, Sasha Levin
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 685e6311637e46f3212439ce2789f8a300e5050f ]
3 << 16 does not generate the correct mask for bits 16, 17 and 18.
Use the GENMASK macro to generate the correct mask instead.
Fixes: 84fef62d135b ("nvme: check admin passthru command effects")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/nvme.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/linux/nvme.h b/include/linux/nvme.h
index bfed36e342cc..fe39ed9e9303 100644
--- a/include/linux/nvme.h
+++ b/include/linux/nvme.h
@@ -7,6 +7,7 @@
#ifndef _LINUX_NVME_H
#define _LINUX_NVME_H
+#include <linux/bits.h>
#include <linux/types.h>
#include <linux/uuid.h>
@@ -528,7 +529,7 @@ enum {
NVME_CMD_EFFECTS_NCC = 1 << 2,
NVME_CMD_EFFECTS_NIC = 1 << 3,
NVME_CMD_EFFECTS_CCC = 1 << 4,
- NVME_CMD_EFFECTS_CSE_MASK = 3 << 16,
+ NVME_CMD_EFFECTS_CSE_MASK = GENMASK(18, 16),
NVME_CMD_EFFECTS_UUID_SEL = 1 << 19,
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 579/783] nvmet: dont defer passthrough commands with trivial effects to the workqueue
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (577 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 578/783] nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 580/783] objtool: Fix SEGFAULT Greg Kroah-Hartman
` (213 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Keith Busch,
Sagi Grimberg, Kanchan Joshi, Sasha Levin
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 2a459f6933e1c459bffb7cc73fd6c900edc714bd ]
Mask out the "Command Supported" and "Logical Block Content Change" bits
and only defer execution of commands that have non-trivial effects to
the workqueue for synchronous execution. This allows to execute admin
commands asynchronously on controllers that provide a Command Supported
and Effects log page, and will keep allowing to execute Write commands
asynchronously once command effects on I/O commands are taken into
account.
Fixes: c1fef73f793b ("nvmet: add passthru code to process commands")
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/passthru.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/nvme/target/passthru.c b/drivers/nvme/target/passthru.c
index d24251ece502..f76d01028df0 100644
--- a/drivers/nvme/target/passthru.c
+++ b/drivers/nvme/target/passthru.c
@@ -259,14 +259,13 @@ static void nvmet_passthru_execute_cmd(struct nvmet_req *req)
}
/*
- * If there are effects for the command we are about to execute, or
- * an end_req function we need to use nvme_execute_passthru_rq()
- * synchronously in a work item seeing the end_req function and
- * nvme_passthru_end() can't be called in the request done callback
- * which is typically in interrupt context.
+ * If a command needs post-execution fixups, or there are any
+ * non-trivial effects, make sure to execute the command synchronously
+ * in a workqueue so that nvme_passthru_end gets called.
*/
effects = nvme_command_effects(ctrl, ns, req->cmd->common.opcode);
- if (req->p.use_workqueue || effects) {
+ if (req->p.use_workqueue ||
+ (effects & ~(NVME_CMD_EFFECTS_CSUPP | NVME_CMD_EFFECTS_LBCC))) {
INIT_WORK(&req->p.work, nvmet_passthru_execute_cmd_work);
req->p.rq = rq;
schedule_work(&req->p.work);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 580/783] objtool: Fix SEGFAULT
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (578 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 579/783] nvmet: dont defer passthrough commands with trivial effects to the workqueue Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 581/783] powerpc/rtas: avoid device tree lookups in rtas_os_term() Greg Kroah-Hartman
` (212 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Naveen N. Rao, Josh Poimboeuf,
Peter Zijlstra (Intel),
Christophe Leroy, Michael Ellerman, Sasha Levin
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit efb11fdb3e1a9f694fa12b70b21e69e55ec59c36 ]
find_insn() will return NULL in case of failure. Check insn in order
to avoid a kernel Oops for NULL pointer dereference.
Tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Reviewed-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221114175754.1131267-9-sv@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/check.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index 5d64b673da2d..700984e7f5ba 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -196,7 +196,7 @@ static bool __dead_end_function(struct objtool_file *file, struct symbol *func,
return false;
insn = find_insn(file, func->sec, func->offset);
- if (!insn->func)
+ if (!insn || !insn->func)
return false;
func_for_each_insn(file, func, insn) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 581/783] powerpc/rtas: avoid device tree lookups in rtas_os_term()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (579 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 580/783] objtool: Fix SEGFAULT Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 582/783] powerpc/rtas: avoid scheduling " Greg Kroah-Hartman
` (211 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Lynch, Nicholas Piggin,
Andrew Donnellan, Michael Ellerman, Sasha Levin
From: Nathan Lynch <nathanl@linux.ibm.com>
[ Upstream commit ed2213bfb192ab51f09f12e9b49b5d482c6493f3 ]
rtas_os_term() is called during panic. Its behavior depends on a couple
of conditions in the /rtas node of the device tree, the traversal of
which entails locking and local IRQ state changes. If the kernel panics
while devtree_lock is held, rtas_os_term() as currently written could
hang.
Instead of discovering the relevant characteristics at panic time,
cache them in file-static variables at boot. Note the lookup for
"ibm,extended-os-term" is converted to of_property_read_bool() since it
is a boolean property, not an RTAS function token.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
[mpe: Incorporate suggested change from Nick]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221118150751.469393-4-nathanl@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/rtas.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index bf962051af0a..aa66317a9a49 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -715,6 +715,7 @@ void __noreturn rtas_halt(void)
/* Must be in the RMO region, so we place it here */
static char rtas_os_term_buf[2048];
+static s32 ibm_os_term_token = RTAS_UNKNOWN_SERVICE;
void rtas_os_term(char *str)
{
@@ -726,14 +727,13 @@ void rtas_os_term(char *str)
* this property may terminate the partition which we want to avoid
* since it interferes with panic_timeout.
*/
- if (RTAS_UNKNOWN_SERVICE == rtas_token("ibm,os-term") ||
- RTAS_UNKNOWN_SERVICE == rtas_token("ibm,extended-os-term"))
+ if (ibm_os_term_token == RTAS_UNKNOWN_SERVICE)
return;
snprintf(rtas_os_term_buf, 2048, "OS panic: %s", str);
do {
- status = rtas_call(rtas_token("ibm,os-term"), 1, 1, NULL,
+ status = rtas_call(ibm_os_term_token, 1, 1, NULL,
__pa(rtas_os_term_buf));
} while (rtas_busy_delay(status));
@@ -1267,6 +1267,13 @@ void __init rtas_initialize(void)
no_entry = of_property_read_u32(rtas.dev, "linux,rtas-entry", &entry);
rtas.entry = no_entry ? rtas.base : entry;
+ /*
+ * Discover these now to avoid device tree lookups in the
+ * panic path.
+ */
+ if (of_property_read_bool(rtas.dev, "ibm,extended-os-term"))
+ ibm_os_term_token = rtas_token("ibm,os-term");
+
/* If RTAS was found, allocate the RMO buffer for it and look for
* the stop-self token if any
*/
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 582/783] powerpc/rtas: avoid scheduling in rtas_os_term()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (580 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 581/783] powerpc/rtas: avoid device tree lookups in rtas_os_term() Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 583/783] HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint Greg Kroah-Hartman
` (210 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Lynch, Nicholas Piggin,
Andrew Donnellan, Michael Ellerman, Sasha Levin
From: Nathan Lynch <nathanl@linux.ibm.com>
[ Upstream commit 6c606e57eecc37d6b36d732b1ff7e55b7dc32dd4 ]
It's unsafe to use rtas_busy_delay() to handle a busy status from
the ibm,os-term RTAS function in rtas_os_term():
Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:618
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0
preempt_count: 2, expected: 0
CPU: 7 PID: 1 Comm: swapper/0 Tainted: G D 6.0.0-rc5-02182-gf8553a572277-dirty #9
Call Trace:
[c000000007b8f000] [c000000001337110] dump_stack_lvl+0xb4/0x110 (unreliable)
[c000000007b8f040] [c0000000002440e4] __might_resched+0x394/0x3c0
[c000000007b8f0e0] [c00000000004f680] rtas_busy_delay+0x120/0x1b0
[c000000007b8f100] [c000000000052d04] rtas_os_term+0xb8/0xf4
[c000000007b8f180] [c0000000001150fc] pseries_panic+0x50/0x68
[c000000007b8f1f0] [c000000000036354] ppc_panic_platform_handler+0x34/0x50
[c000000007b8f210] [c0000000002303c4] notifier_call_chain+0xd4/0x1c0
[c000000007b8f2b0] [c0000000002306cc] atomic_notifier_call_chain+0xac/0x1c0
[c000000007b8f2f0] [c0000000001d62b8] panic+0x228/0x4d0
[c000000007b8f390] [c0000000001e573c] do_exit+0x140c/0x1420
[c000000007b8f480] [c0000000001e586c] make_task_dead+0xdc/0x200
Use rtas_busy_delay_time() instead, which signals without side effects
whether to attempt the ibm,os-term RTAS call again.
Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Reviewed-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20221118150751.469393-5-nathanl@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/rtas.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/rtas.c b/arch/powerpc/kernel/rtas.c
index aa66317a9a49..014229c40435 100644
--- a/arch/powerpc/kernel/rtas.c
+++ b/arch/powerpc/kernel/rtas.c
@@ -732,10 +732,15 @@ void rtas_os_term(char *str)
snprintf(rtas_os_term_buf, 2048, "OS panic: %s", str);
+ /*
+ * Keep calling as long as RTAS returns a "try again" status,
+ * but don't use rtas_busy_delay(), which potentially
+ * schedules.
+ */
do {
status = rtas_call(ibm_os_term_token, 1, 1, NULL,
__pa(rtas_os_term_buf));
- } while (rtas_busy_delay(status));
+ } while (rtas_busy_delay_time(status));
if (status != 0)
printk(KERN_EMERG "ibm,os-term call failed %d\n", status);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 583/783] HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (581 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 582/783] powerpc/rtas: avoid scheduling " Greg Kroah-Hartman
@ 2023-01-12 13:54 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 584/783] HID: plantronics: Additional PIDs for double volume key presses quirk Greg Kroah-Hartman
` (209 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akito, José Expósito,
Jiri Kosina, Sasha Levin
From: José Expósito <jose.exposito89@gmail.com>
[ Upstream commit 4eab1c2fe06c98a4dff258dd64800b6986c101e9 ]
The HID descriptor of this device contains two mouse collections, one
for mouse emulation and the other for the trackpoint.
Both collections get merged and, because the first one defines X and Y,
the movemenent events reported by the trackpoint collection are
ignored.
Set the MT_CLS_WIN_8_FORCE_MULTI_INPUT class for this device to be able
to receive its reports.
This fix is similar to/based on commit 40d5bb87377a ("HID: multitouch:
enable multi-input as a quirk for some devices").
Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/825
Reported-by: Akito <the@akito.ooo>
Tested-by: Akito <the@akito.ooo>
Signed-off-by: José Expósito <jose.exposito89@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-multitouch.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index a78ce16d4782..ea8c52f0aa78 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -1912,6 +1912,10 @@ static const struct hid_device_id mt_devices[] = {
HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
USB_VENDOR_ID_ELAN, 0x313a) },
+ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
+ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_ELAN, 0x3148) },
+
/* Elitegroup panel */
{ .driver_data = MT_CLS_SERIAL,
MT_USB_DEVICE(USB_VENDOR_ID_ELITEGROUP,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 584/783] HID: plantronics: Additional PIDs for double volume key presses quirk
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (582 preceding siblings ...)
2023-01-12 13:54 ` [PATCH 5.10 583/783] HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 585/783] pstore/zone: Use GFP_ATOMIC to allocate zone buffer Greg Kroah-Hartman
` (208 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Terry Junge, Jiri Kosina, Sasha Levin
From: Terry Junge <linuxhid@cosmicgizmosystems.com>
[ Upstream commit 3d57f36c89d8ba32b2c312f397a37fd1a2dc7cfc ]
I no longer work for Plantronics (aka Poly, aka HP) and do not have
access to the headsets in order to test. However, as noted by Maxim,
the other 32xx models that share the same base code set as the 3220
would need the same quirk. This patch adds the PIDs for the rest of
the Blackwire 32XX product family that require the quirk.
Plantronics Blackwire 3210 Series (047f:c055)
Plantronics Blackwire 3215 Series (047f:c057)
Plantronics Blackwire 3225 Series (047f:c058)
Quote from previous patch by Maxim Mikityanskiy
Plantronics Blackwire 3220 Series (047f:c056) sends HID reports twice
for each volume key press. This patch adds a quirk to hid-plantronics
for this product ID, which will ignore the second volume key press if
it happens within 5 ms from the last one that was handled.
The patch was tested on the mentioned model only, it shouldn't affect
other models, however, this quirk might be needed for them too.
Auto-repeat (when a key is held pressed) is not affected, because the
rate is about 3 times per second, which is far less frequent than once
in 5 ms.
End quote
Signed-off-by: Terry Junge <linuxhid@cosmicgizmosystems.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-ids.h | 3 +++
drivers/hid/hid-plantronics.c | 9 +++++++++
2 files changed, 12 insertions(+)
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 2001566be3f5..09c3f30f10d3 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -948,7 +948,10 @@
#define USB_DEVICE_ID_ORTEK_IHOME_IMAC_A210S 0x8003
#define USB_VENDOR_ID_PLANTRONICS 0x047f
+#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES 0xc055
#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES 0xc056
+#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES 0xc057
+#define USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES 0xc058
#define USB_VENDOR_ID_PANASONIC 0x04da
#define USB_DEVICE_ID_PANABOARD_UBT780 0x1044
diff --git a/drivers/hid/hid-plantronics.c b/drivers/hid/hid-plantronics.c
index e81b7cec2d12..3d414ae194ac 100644
--- a/drivers/hid/hid-plantronics.c
+++ b/drivers/hid/hid-plantronics.c
@@ -198,9 +198,18 @@ static int plantronics_probe(struct hid_device *hdev,
}
static const struct hid_device_id plantronics_devices[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
+ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3210_SERIES),
+ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
{ HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3220_SERIES),
.driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
+ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3215_SERIES),
+ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS,
+ USB_DEVICE_ID_PLANTRONICS_BLACKWIRE_3225_SERIES),
+ .driver_data = PLT_QUIRK_DOUBLE_VOLUME_KEYS },
{ HID_USB_DEVICE(USB_VENDOR_ID_PLANTRONICS, HID_ANY_ID) },
{ }
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 585/783] pstore/zone: Use GFP_ATOMIC to allocate zone buffer
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (583 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 584/783] HID: plantronics: Additional PIDs for double volume key presses quirk Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 586/783] hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount Greg Kroah-Hartman
` (207 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Qiujun Huang, WeiXiong Liao, Kees Cook
From: Qiujun Huang <hqjagain@gmail.com>
commit 99b3b837855b987563bcfb397cf9ddd88262814b upstream.
There is a case found when triggering a panic_on_oom, pstore fails to dump
kmsg. Because psz_kmsg_write_record can't get the new buffer.
Handle this by using GFP_ATOMIC to allocate a buffer at lower watermark.
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Fixes: 335426c6dcdd ("pstore/zone: Provide way to skip "broken" zone for MTD devices")
Cc: WeiXiong Liao <gmpy.liaowx@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/CAJRQjofRCF7wjrYmw3D7zd5QZnwHQq+F8U-mJDJ6NZ4bddYdLA@mail.gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/pstore/zone.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/pstore/zone.c
+++ b/fs/pstore/zone.c
@@ -761,7 +761,7 @@ static inline int notrace psz_kmsg_write
/* avoid destroying old data, allocate a new one */
len = zone->buffer_size + sizeof(*zone->buffer);
zone->oldbuf = zone->buffer;
- zone->buffer = kzalloc(len, GFP_KERNEL);
+ zone->buffer = kzalloc(len, GFP_ATOMIC);
if (!zone->buffer) {
zone->buffer = zone->oldbuf;
return -ENOMEM;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 586/783] hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (584 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 585/783] pstore/zone: Use GFP_ATOMIC to allocate zone buffer Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 587/783] binfmt: Fix error return code in load_elf_fdpic_binary() Greg Kroah-Hartman
` (206 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aditya Garg, Viacheslav Dubeyko,
Andrew Morton
From: Aditya Garg <gargaditya08@live.com>
commit 9f2b5debc07073e6dfdd774e3594d0224b991927 upstream.
Despite specifying UID and GID in mount command, the specified UID and GID
were not being assigned. This patch fixes this issue.
Link: https://lkml.kernel.org/r/C0264BF5-059C-45CF-B8DA-3A3BD2C803A2@live.com
Signed-off-by: Aditya Garg <gargaditya08@live.com>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hfsplus/hfsplus_fs.h | 2 ++
fs/hfsplus/inode.c | 4 ++--
fs/hfsplus/options.c | 4 ++++
3 files changed, 8 insertions(+), 2 deletions(-)
--- a/fs/hfsplus/hfsplus_fs.h
+++ b/fs/hfsplus/hfsplus_fs.h
@@ -198,6 +198,8 @@ struct hfsplus_sb_info {
#define HFSPLUS_SB_HFSX 3
#define HFSPLUS_SB_CASEFOLD 4
#define HFSPLUS_SB_NOBARRIER 5
+#define HFSPLUS_SB_UID 6
+#define HFSPLUS_SB_GID 7
static inline struct hfsplus_sb_info *HFSPLUS_SB(struct super_block *sb)
{
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -187,11 +187,11 @@ static void hfsplus_get_perms(struct ino
mode = be16_to_cpu(perms->mode);
i_uid_write(inode, be32_to_cpu(perms->owner));
- if (!i_uid_read(inode) && !mode)
+ if ((test_bit(HFSPLUS_SB_UID, &sbi->flags)) || (!i_uid_read(inode) && !mode))
inode->i_uid = sbi->uid;
i_gid_write(inode, be32_to_cpu(perms->group));
- if (!i_gid_read(inode) && !mode)
+ if ((test_bit(HFSPLUS_SB_GID, &sbi->flags)) || (!i_gid_read(inode) && !mode))
inode->i_gid = sbi->gid;
if (dir) {
--- a/fs/hfsplus/options.c
+++ b/fs/hfsplus/options.c
@@ -140,6 +140,8 @@ int hfsplus_parse_options(char *input, s
if (!uid_valid(sbi->uid)) {
pr_err("invalid uid specified\n");
return 0;
+ } else {
+ set_bit(HFSPLUS_SB_UID, &sbi->flags);
}
break;
case opt_gid:
@@ -151,6 +153,8 @@ int hfsplus_parse_options(char *input, s
if (!gid_valid(sbi->gid)) {
pr_err("invalid gid specified\n");
return 0;
+ } else {
+ set_bit(HFSPLUS_SB_GID, &sbi->flags);
}
break;
case opt_part:
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 587/783] binfmt: Fix error return code in load_elf_fdpic_binary()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (585 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 586/783] hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 588/783] ovl: Use ovl mounters fsuid and fsgid in ovl_link() Greg Kroah-Hartman
` (205 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wang Yufen, Kees Cook
From: Wang Yufen <wangyufen@huawei.com>
commit e7f703ff2507f4e9f496da96cd4b78fd3026120c upstream.
Fix to return a negative error code from create_elf_fdpic_tables()
instead of 0.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/1669945261-30271-1-git-send-email-wangyufen@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/binfmt_elf_fdpic.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -434,8 +434,9 @@ static int load_elf_fdpic_binary(struct
current->mm->start_stack = current->mm->start_brk + stack_size;
#endif
- if (create_elf_fdpic_tables(bprm, current->mm,
- &exec_params, &interp_params) < 0)
+ retval = create_elf_fdpic_tables(bprm, current->mm, &exec_params,
+ &interp_params);
+ if (retval < 0)
goto error;
kdebug("- start_code %lx", current->mm->start_code);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 588/783] ovl: Use ovl mounters fsuid and fsgid in ovl_link()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (586 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 587/783] binfmt: Fix error return code in load_elf_fdpic_binary() Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 589/783] ALSA: line6: correct midi status byte when receiving data from podxt Greg Kroah-Hartman
` (204 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Tianci, Jiachen Zhang,
Christian Brauner (Microsoft),
Miklos Szeredi
From: Zhang Tianci <zhangtianci.1997@bytedance.com>
commit 5b0db51215e895a361bc63132caa7cca36a53d6a upstream.
There is a wrong case of link() on overlay:
$ mkdir /lower /fuse /merge
$ mount -t fuse /fuse
$ mkdir /fuse/upper /fuse/work
$ mount -t overlay /merge -o lowerdir=/lower,upperdir=/fuse/upper,\
workdir=work
$ touch /merge/file
$ chown bin.bin /merge/file // the file's caller becomes "bin"
$ ln /merge/file /merge/lnkfile
Then we will get an error(EACCES) because fuse daemon checks the link()'s
caller is "bin", it denied this request.
In the changing history of ovl_link(), there are two key commits:
The first is commit bb0d2b8ad296 ("ovl: fix sgid on directory") which
overrides the cred's fsuid/fsgid using the new inode. The new inode's
owner is initialized by inode_init_owner(), and inode->fsuid is
assigned to the current user. So the override fsuid becomes the
current user. We know link() is actually modifying the directory, so
the caller must have the MAY_WRITE permission on the directory. The
current caller may should have this permission. This is acceptable
to use the caller's fsuid.
The second is commit 51f7e52dc943 ("ovl: share inode for hard link")
which removed the inode creation in ovl_link(). This commit move
inode_init_owner() into ovl_create_object(), so the ovl_link() just
give the old inode to ovl_create_or_link(). Then the override fsuid
becomes the old inode's fsuid, neither the caller nor the overlay's
mounter! So this is incorrect.
Fix this bug by using ovl mounter's fsuid/fsgid to do underlying
fs's link().
Link: https://lore.kernel.org/all/20220817102952.xnvesg3a7rbv576x@wittgenstein/T
Link: https://lore.kernel.org/lkml/20220825130552.29587-1-zhangtianci.1997@bytedance.com/t
Signed-off-by: Zhang Tianci <zhangtianci.1997@bytedance.com>
Signed-off-by: Jiachen Zhang <zhangjiachen.jaycee@bytedance.com>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Fixes: 51f7e52dc943 ("ovl: share inode for hard link")
Cc: <stable@vger.kernel.org> # v4.8
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/overlayfs/dir.c | 46 ++++++++++++++++++++++++++++++----------------
1 file changed, 30 insertions(+), 16 deletions(-)
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -586,28 +586,42 @@ static int ovl_create_or_link(struct den
goto out_revert_creds;
}
- err = -ENOMEM;
- override_cred = prepare_creds();
- if (override_cred) {
+ if (!attr->hardlink) {
+ err = -ENOMEM;
+ override_cred = prepare_creds();
+ if (!override_cred)
+ goto out_revert_creds;
+ /*
+ * In the creation cases(create, mkdir, mknod, symlink),
+ * ovl should transfer current's fs{u,g}id to underlying
+ * fs. Because underlying fs want to initialize its new
+ * inode owner using current's fs{u,g}id. And in this
+ * case, the @inode is a new inode that is initialized
+ * in inode_init_owner() to current's fs{u,g}id. So use
+ * the inode's i_{u,g}id to override the cred's fs{u,g}id.
+ *
+ * But in the other hardlink case, ovl_link() does not
+ * create a new inode, so just use the ovl mounter's
+ * fs{u,g}id.
+ */
override_cred->fsuid = inode->i_uid;
override_cred->fsgid = inode->i_gid;
- if (!attr->hardlink) {
- err = security_dentry_create_files_as(dentry,
- attr->mode, &dentry->d_name, old_cred,
- override_cred);
- if (err) {
- put_cred(override_cred);
- goto out_revert_creds;
- }
+ err = security_dentry_create_files_as(dentry,
+ attr->mode, &dentry->d_name, old_cred,
+ override_cred);
+ if (err) {
+ put_cred(override_cred);
+ goto out_revert_creds;
}
put_cred(override_creds(override_cred));
put_cred(override_cred);
-
- if (!ovl_dentry_is_whiteout(dentry))
- err = ovl_create_upper(dentry, inode, attr);
- else
- err = ovl_create_over_whiteout(dentry, inode, attr);
}
+
+ if (!ovl_dentry_is_whiteout(dentry))
+ err = ovl_create_upper(dentry, inode, attr);
+ else
+ err = ovl_create_over_whiteout(dentry, inode, attr);
+
out_revert_creds:
revert_creds(old_cred);
return err;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 589/783] ALSA: line6: correct midi status byte when receiving data from podxt
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (587 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 588/783] ovl: Use ovl mounters fsuid and fsgid in ovl_link() Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 590/783] ALSA: line6: fix stack overflow in line6_midi_transmit Greg Kroah-Hartman
` (203 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Artem Egorkine, Takashi Iwai
From: Artem Egorkine <arteme@gmail.com>
commit 8508fa2e7472f673edbeedf1b1d2b7a6bb898ecc upstream.
A PODxt device sends 0xb2, 0xc2 or 0xf2 as a status byte for MIDI
messages over USB that should otherwise have a 0xb0, 0xc0 or 0xf0
status byte. This is usually corrected by the driver on other OSes.
This fixes MIDI sysex messages sent by PODxt.
[ tiwai: fixed white spaces ]
Signed-off-by: Artem Egorkine <arteme@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221225105728.1153989-1-arteme@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/line6/driver.c | 3 ++-
sound/usb/line6/midi.c | 3 ++-
sound/usb/line6/midibuf.c | 25 +++++++++++++++++--------
sound/usb/line6/midibuf.h | 5 ++++-
sound/usb/line6/pod.c | 3 ++-
5 files changed, 27 insertions(+), 12 deletions(-)
--- a/sound/usb/line6/driver.c
+++ b/sound/usb/line6/driver.c
@@ -304,7 +304,8 @@ static void line6_data_received(struct u
for (;;) {
done =
line6_midibuf_read(mb, line6->buffer_message,
- LINE6_MIDI_MESSAGE_MAXLEN);
+ LINE6_MIDI_MESSAGE_MAXLEN,
+ LINE6_MIDIBUF_READ_RX);
if (done <= 0)
break;
--- a/sound/usb/line6/midi.c
+++ b/sound/usb/line6/midi.c
@@ -56,7 +56,8 @@ static void line6_midi_transmit(struct s
for (;;) {
done = line6_midibuf_read(mb, chunk,
- LINE6_FALLBACK_MAXPACKETSIZE);
+ LINE6_FALLBACK_MAXPACKETSIZE,
+ LINE6_MIDIBUF_READ_TX);
if (done == 0)
break;
--- a/sound/usb/line6/midibuf.c
+++ b/sound/usb/line6/midibuf.c
@@ -9,6 +9,7 @@
#include "midibuf.h"
+
static int midibuf_message_length(unsigned char code)
{
int message_length;
@@ -20,12 +21,7 @@ static int midibuf_message_length(unsign
message_length = length[(code >> 4) - 8];
} else {
- /*
- Note that according to the MIDI specification 0xf2 is
- the "Song Position Pointer", but this is used by Line 6
- to send sysex messages to the host.
- */
- static const int length[] = { -1, 2, -1, 2, -1, -1, 1, 1, 1, 1,
+ static const int length[] = { -1, 2, 2, 2, -1, -1, 1, 1, 1, -1,
1, 1, 1, -1, 1, 1
};
message_length = length[code & 0x0f];
@@ -125,7 +121,7 @@ int line6_midibuf_write(struct midi_buff
}
int line6_midibuf_read(struct midi_buffer *this, unsigned char *data,
- int length)
+ int length, int read_type)
{
int bytes_used;
int length1, length2;
@@ -148,9 +144,22 @@ int line6_midibuf_read(struct midi_buffe
length1 = this->size - this->pos_read;
- /* check MIDI command length */
command = this->buf[this->pos_read];
+ /*
+ PODxt always has status byte lower nibble set to 0010,
+ when it means to send 0000, so we correct if here so
+ that control/program changes come on channel 1 and
+ sysex message status byte is correct
+ */
+ if (read_type == LINE6_MIDIBUF_READ_RX) {
+ if (command == 0xb2 || command == 0xc2 || command == 0xf2) {
+ unsigned char fixed = command & 0xf0;
+ this->buf[this->pos_read] = fixed;
+ command = fixed;
+ }
+ }
+ /* check MIDI command length */
if (command & 0x80) {
midi_length = midibuf_message_length(command);
this->command_prev = command;
--- a/sound/usb/line6/midibuf.h
+++ b/sound/usb/line6/midibuf.h
@@ -8,6 +8,9 @@
#ifndef MIDIBUF_H
#define MIDIBUF_H
+#define LINE6_MIDIBUF_READ_TX 0
+#define LINE6_MIDIBUF_READ_RX 1
+
struct midi_buffer {
unsigned char *buf;
int size;
@@ -23,7 +26,7 @@ extern void line6_midibuf_destroy(struct
extern int line6_midibuf_ignore(struct midi_buffer *mb, int length);
extern int line6_midibuf_init(struct midi_buffer *mb, int size, int split);
extern int line6_midibuf_read(struct midi_buffer *mb, unsigned char *data,
- int length);
+ int length, int read_type);
extern void line6_midibuf_reset(struct midi_buffer *mb);
extern int line6_midibuf_write(struct midi_buffer *mb, unsigned char *data,
int length);
--- a/sound/usb/line6/pod.c
+++ b/sound/usb/line6/pod.c
@@ -159,8 +159,9 @@ static struct line6_pcm_properties pod_p
.bytes_per_channel = 3 /* SNDRV_PCM_FMTBIT_S24_3LE */
};
+
static const char pod_version_header[] = {
- 0xf2, 0x7e, 0x7f, 0x06, 0x02
+ 0xf0, 0x7e, 0x7f, 0x06, 0x02
};
static char *pod_alloc_sysex_buffer(struct usb_line6_pod *pod, int code,
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 590/783] ALSA: line6: fix stack overflow in line6_midi_transmit
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (588 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 589/783] ALSA: line6: correct midi status byte when receiving data from podxt Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 591/783] pnode: terminate at peers of source Greg Kroah-Hartman
` (202 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Artem Egorkine, Takashi Iwai
From: Artem Egorkine <arteme@gmail.com>
commit b8800d324abb50160560c636bfafe2c81001b66c upstream.
Correctly calculate available space including the size of the chunk
buffer. This fixes a buffer overflow when multiple MIDI sysex
messages are sent to a PODxt device.
Signed-off-by: Artem Egorkine <arteme@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221225105728.1153989-2-arteme@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/line6/midi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/usb/line6/midi.c
+++ b/sound/usb/line6/midi.c
@@ -44,7 +44,8 @@ static void line6_midi_transmit(struct s
int req, done;
for (;;) {
- req = min(line6_midibuf_bytes_free(mb), line6->max_packet_size);
+ req = min3(line6_midibuf_bytes_free(mb), line6->max_packet_size,
+ LINE6_FALLBACK_MAXPACKETSIZE);
done = snd_rawmidi_transmit_peek(substream, chunk, req);
if (done == 0)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 591/783] pnode: terminate at peers of source
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (589 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 590/783] ALSA: line6: fix stack overflow in line6_midi_transmit Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 592/783] md: fix a crash in mempool_free Greg Kroah-Hartman
` (201 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ditang Chen,
Seth Forshee (Digital Ocean), Christian Brauner (Microsoft)
From: Christian Brauner <brauner@kernel.org>
commit 11933cf1d91d57da9e5c53822a540bbdc2656c16 upstream.
The propagate_mnt() function handles mount propagation when creating
mounts and propagates the source mount tree @source_mnt to all
applicable nodes of the destination propagation mount tree headed by
@dest_mnt.
Unfortunately it contains a bug where it fails to terminate at peers of
@source_mnt when looking up copies of the source mount that become
masters for copies of the source mount tree mounted on top of slaves in
the destination propagation tree causing a NULL dereference.
Once the mechanics of the bug are understood it's easy to trigger.
Because of unprivileged user namespaces it is available to unprivileged
users.
While fixing this bug we've gotten confused multiple times due to
unclear terminology or missing concepts. So let's start this with some
clarifications:
* The terms "master" or "peer" denote a shared mount. A shared mount
belongs to a peer group.
* A peer group is a set of shared mounts that propagate to each other.
They are identified by a peer group id. The peer group id is available
in @shared_mnt->mnt_group_id.
Shared mounts within the same peer group have the same peer group id.
The peers in a peer group can be reached via @shared_mnt->mnt_share.
* The terms "slave mount" or "dependent mount" denote a mount that
receives propagation from a peer in a peer group. IOW, shared mounts
may have slave mounts and slave mounts have shared mounts as their
master. Slave mounts of a given peer in a peer group are listed on
that peers slave list available at @shared_mnt->mnt_slave_list.
* The term "master mount" denotes a mount in a peer group. IOW, it
denotes a shared mount or a peer mount in a peer group. The term
"master mount" - or "master" for short - is mostly used when talking
in the context of slave mounts that receive propagation from a master
mount. A master mount of a slave identifies the closest peer group a
slave mount receives propagation from. The master mount of a slave can
be identified via @slave_mount->mnt_master. Different slaves may point
to different masters in the same peer group.
* Multiple peers in a peer group can have non-empty ->mnt_slave_lists.
Non-empty ->mnt_slave_lists of peers don't intersect. Consequently, to
ensure all slave mounts of a peer group are visited the
->mnt_slave_lists of all peers in a peer group have to be walked.
* Slave mounts point to a peer in the closest peer group they receive
propagation from via @slave_mnt->mnt_master (see above). Together with
these peers they form a propagation group (see below). The closest
peer group can thus be identified through the peer group id
@slave_mnt->mnt_master->mnt_group_id of the peer/master that a slave
mount receives propagation from.
* A shared-slave mount is a slave mount to a peer group pg1 while also
a peer in another peer group pg2. IOW, a peer group may receive
propagation from another peer group.
If a peer group pg1 is a slave to another peer group pg2 then all
peers in peer group pg1 point to the same peer in peer group pg2 via
->mnt_master. IOW, all peers in peer group pg1 appear on the same
->mnt_slave_list. IOW, they cannot be slaves to different peer groups.
* A pure slave mount is a slave mount that is a slave to a peer group
but is not a peer in another peer group.
* A propagation group denotes the set of mounts consisting of a single
peer group pg1 and all slave mounts and shared-slave mounts that point
to a peer in that peer group via ->mnt_master. IOW, all slave mounts
such that @slave_mnt->mnt_master->mnt_group_id is equal to
@shared_mnt->mnt_group_id.
The concept of a propagation group makes it easier to talk about a
single propagation level in a propagation tree.
For example, in propagate_mnt() the immediate peers of @dest_mnt and
all slaves of @dest_mnt's peer group form a propagation group propg1.
So a shared-slave mount that is a slave in propg1 and that is a peer
in another peer group pg2 forms another propagation group propg2
together with all slaves that point to that shared-slave mount in
their ->mnt_master.
* A propagation tree refers to all mounts that receive propagation
starting from a specific shared mount.
For example, for propagate_mnt() @dest_mnt is the start of a
propagation tree. The propagation tree ecompasses all mounts that
receive propagation from @dest_mnt's peer group down to the leafs.
With that out of the way let's get to the actual algorithm.
We know that @dest_mnt is guaranteed to be a pure shared mount or a
shared-slave mount. This is guaranteed by a check in
attach_recursive_mnt(). So propagate_mnt() will first propagate the
source mount tree to all peers in @dest_mnt's peer group:
for (n = next_peer(dest_mnt); n != dest_mnt; n = next_peer(n)) {
ret = propagate_one(n);
if (ret)
goto out;
}
Notice, that the peer propagation loop of propagate_mnt() doesn't
propagate @dest_mnt itself. @dest_mnt is mounted directly in
attach_recursive_mnt() after we propagated to the destination
propagation tree.
The mount that will be mounted on top of @dest_mnt is @source_mnt. This
copy was created earlier even before we entered attach_recursive_mnt()
and doesn't concern us a lot here.
It's just important to notice that when propagate_mnt() is called
@source_mnt will not yet have been mounted on top of @dest_mnt. Thus,
@source_mnt->mnt_parent will either still point to @source_mnt or - in
the case @source_mnt is moved and thus already attached - still to its
former parent.
For each peer @m in @dest_mnt's peer group propagate_one() will create a
new copy of the source mount tree and mount that copy @child on @m such
that @child->mnt_parent points to @m after propagate_one() returns.
propagate_one() will stash the last destination propagation node @m in
@last_dest and the last copy it created for the source mount tree in
@last_source.
Hence, if we call into propagate_one() again for the next destination
propagation node @m, @last_dest will point to the previous destination
propagation node and @last_source will point to the previous copy of the
source mount tree and mounted on @last_dest.
Each new copy of the source mount tree is created from the previous copy
of the source mount tree. This will become important later.
The peer loop in propagate_mnt() is straightforward. We iterate through
the peers copying and updating @last_source and @last_dest as we go
through them and mount each copy of the source mount tree @child on a
peer @m in @dest_mnt's peer group.
After propagate_mnt() handled the peers in @dest_mnt's peer group
propagate_mnt() will propagate the source mount tree down the
propagation tree that @dest_mnt's peer group propagates to:
for (m = next_group(dest_mnt, dest_mnt); m;
m = next_group(m, dest_mnt)) {
/* everything in that slave group */
n = m;
do {
ret = propagate_one(n);
if (ret)
goto out;
n = next_peer(n);
} while (n != m);
}
The next_group() helper will recursively walk the destination
propagation tree, descending into each propagation group of the
propagation tree.
The important part is that it takes care to propagate the source mount
tree to all peers in the peer group of a propagation group before it
propagates to the slaves to those peers in the propagation group. IOW,
it creates and mounts copies of the source mount tree that become
masters before it creates and mounts copies of the source mount tree
that become slaves to these masters.
It is important to remember that propagating the source mount tree to
each mount @m in the destination propagation tree simply means that we
create and mount new copies @child of the source mount tree on @m such
that @child->mnt_parent points to @m.
Since we know that each node @m in the destination propagation tree
headed by @dest_mnt's peer group will be overmounted with a copy of the
source mount tree and since we know that the propagation properties of
each copy of the source mount tree we create and mount at @m will mostly
mirror the propagation properties of @m. We can use that information to
create and mount the copies of the source mount tree that become masters
before their slaves.
The easy case is always when @m and @last_dest are peers in a peer group
of a given propagation group. In that case we know that we can simply
copy @last_source without having to figure out what the master for the
new copy @child of the source mount tree needs to be as we've done that
in a previous call to propagate_one().
The hard case is when we're dealing with a slave mount or a shared-slave
mount @m in a destination propagation group that we need to create and
mount a copy of the source mount tree on.
For each propagation group in the destination propagation tree we
propagate the source mount tree to we want to make sure that the copies
@child of the source mount tree we create and mount on slaves @m pick an
ealier copy of the source mount tree that we mounted on a master @m of
the destination propagation group as their master. This is a mouthful
but as far as we can tell that's the core of it all.
But, if we keep track of the masters in the destination propagation tree
@m we can use the information to find the correct master for each copy
of the source mount tree we create and mount at the slaves in the
destination propagation tree @m.
Let's walk through the base case as that's still fairly easy to grasp.
If we're dealing with the first slave in the propagation group that
@dest_mnt is in then we don't yet have marked any masters in the
destination propagation tree.
We know the master for the first slave to @dest_mnt's peer group is
simple @dest_mnt. So we expect this algorithm to yield a copy of the
source mount tree that was mounted on a peer in @dest_mnt's peer group
as the master for the copy of the source mount tree we want to mount at
the first slave @m:
for (n = m; ; n = p) {
p = n->mnt_master;
if (p == dest_master || IS_MNT_MARKED(p))
break;
}
For the first slave we walk the destination propagation tree all the way
up to a peer in @dest_mnt's peer group. IOW, the propagation hierarchy
can be walked by walking up the @mnt->mnt_master hierarchy of the
destination propagation tree @m. We will ultimately find a peer in
@dest_mnt's peer group and thus ultimately @dest_mnt->mnt_master.
Btw, here the assumption we listed at the beginning becomes important.
Namely, that peers in a peer group pg1 that are slaves in another peer
group pg2 appear on the same ->mnt_slave_list. IOW, all slaves who are
peers in peer group pg1 point to the same peer in peer group pg2 via
their ->mnt_master. Otherwise the termination condition in the code
above would be wrong and next_group() would be broken too.
So the first iteration sets:
n = m;
p = n->mnt_master;
such that @p now points to a peer or @dest_mnt itself. We walk up one
more level since we don't have any marked mounts. So we end up with:
n = dest_mnt;
p = dest_mnt->mnt_master;
If @dest_mnt's peer group is not slave to another peer group then @p is
now NULL. If @dest_mnt's peer group is a slave to another peer group
then @p now points to @dest_mnt->mnt_master points which is a master
outside the propagation tree we're dealing with.
Now we need to figure out the master for the copy of the source mount
tree we're about to create and mount on the first slave of @dest_mnt's
peer group:
do {
struct mount *parent = last_source->mnt_parent;
if (last_source == first_source)
break;
done = parent->mnt_master == p;
if (done && peers(n, parent))
break;
last_source = last_source->mnt_master;
} while (!done);
We know that @last_source->mnt_parent points to @last_dest and
@last_dest is the last peer in @dest_mnt's peer group we propagated to
in the peer loop in propagate_mnt().
Consequently, @last_source is the last copy we created and mount on that
last peer in @dest_mnt's peer group. So @last_source is the master we
want to pick.
We know that @last_source->mnt_parent->mnt_master points to
@last_dest->mnt_master. We also know that @last_dest->mnt_master is
either NULL or points to a master outside of the destination propagation
tree and so does @p. Hence:
done = parent->mnt_master == p;
is trivially true in the base condition.
We also know that for the first slave mount of @dest_mnt's peer group
that @last_dest either points @dest_mnt itself because it was
initialized to:
last_dest = dest_mnt;
at the beginning of propagate_mnt() or it will point to a peer of
@dest_mnt in its peer group. In both cases it is guaranteed that on the
first iteration @n and @parent are peers (Please note the check for
peers here as that's important.):
if (done && peers(n, parent))
break;
So, as we expected, we select @last_source, which referes to the last
copy of the source mount tree we mounted on the last peer in @dest_mnt's
peer group, as the master of the first slave in @dest_mnt's peer group.
The rest is taken care of by clone_mnt(last_source, ...). We'll skip
over that part otherwise this becomes a blogpost.
At the end of propagate_mnt() we now mark @m->mnt_master as the first
master in the destination propagation tree that is distinct from
@dest_mnt->mnt_master. IOW, we mark @dest_mnt itself as a master.
By marking @dest_mnt or one of it's peers we are able to easily find it
again when we later lookup masters for other copies of the source mount
tree we mount copies of the source mount tree on slaves @m to
@dest_mnt's peer group. This, in turn allows us to find the master we
selected for the copies of the source mount tree we mounted on master in
the destination propagation tree again.
The important part is to realize that the code makes use of the fact
that the last copy of the source mount tree stashed in @last_source was
mounted on top of the previous destination propagation node @last_dest.
What this means is that @last_source allows us to walk the destination
propagation hierarchy the same way each destination propagation node @m
does.
If we take @last_source, which is the copy of @source_mnt we have
mounted on @last_dest in the previous iteration of propagate_one(), then
we know @last_source->mnt_parent points to @last_dest but we also know
that as we walk through the destination propagation tree that
@last_source->mnt_master will point to an earlier copy of the source
mount tree we mounted one an earlier destination propagation node @m.
IOW, @last_source->mnt_parent will be our hook into the destination
propagation tree and each consecutive @last_source->mnt_master will lead
us to an earlier propagation node @m via
@last_source->mnt_master->mnt_parent.
Hence, by walking up @last_source->mnt_master, each of which is mounted
on a node that is a master @m in the destination propagation tree we can
also walk up the destination propagation hierarchy.
So, for each new destination propagation node @m we use the previous
copy of @last_source and the fact it's mounted on the previous
propagation node @last_dest via @last_source->mnt_master->mnt_parent to
determine what the master of the new copy of @last_source needs to be.
The goal is to find the _closest_ master that the new copy of the source
mount tree we are about to create and mount on a slave @m in the
destination propagation tree needs to pick. IOW, we want to find a
suitable master in the propagation group.
As the propagation structure of the source mount propagation tree we
create mirrors the propagation structure of the destination propagation
tree we can find @m's closest master - i.e., a marked master - which is
a peer in the closest peer group that @m receives propagation from. We
store that closest master of @m in @p as before and record the slave to
that master in @n
We then search for this master @p via @last_source by walking up the
master hierarchy starting from the last copy of the source mount tree
stored in @last_source that we created and mounted on the previous
destination propagation node @m.
We will try to find the master by walking @last_source->mnt_master and
by comparing @last_source->mnt_master->mnt_parent->mnt_master to @p. If
we find @p then we can figure out what earlier copy of the source mount
tree needs to be the master for the new copy of the source mount tree
we're about to create and mount at the current destination propagation
node @m.
If @last_source->mnt_master->mnt_parent and @n are peers then we know
that the closest master they receive propagation from is
@last_source->mnt_master->mnt_parent->mnt_master. If not then the
closest immediate peer group that they receive propagation from must be
one level higher up.
This builds on the earlier clarification at the beginning that all peers
in a peer group which are slaves of other peer groups all point to the
same ->mnt_master, i.e., appear on the same ->mnt_slave_list, of the
closest peer group that they receive propagation from.
However, terminating the walk has corner cases.
If the closest marked master for a given destination node @m cannot be
found by walking up the master hierarchy via @last_source->mnt_master
then we need to terminate the walk when we encounter @source_mnt again.
This isn't an arbitrary termination. It simply means that the new copy
of the source mount tree we're about to create has a copy of the source
mount tree we created and mounted on a peer in @dest_mnt's peer group as
its master. IOW, @source_mnt is the peer in the closest peer group that
the new copy of the source mount tree receives propagation from.
We absolutely have to stop @source_mnt because @last_source->mnt_master
either points outside the propagation hierarchy we're dealing with or it
is NULL because @source_mnt isn't a shared-slave.
So continuing the walk past @source_mnt would cause a NULL dereference
via @last_source->mnt_master->mnt_parent. And so we have to stop the
walk when we encounter @source_mnt again.
One scenario where this can happen is when we first handled a series of
slaves of @dest_mnt's peer group and then encounter peers in a new peer
group that is a slave to @dest_mnt's peer group. We handle them and then
we encounter another slave mount to @dest_mnt that is a pure slave to
@dest_mnt's peer group. That pure slave will have a peer in @dest_mnt's
peer group as its master. Consequently, the new copy of the source mount
tree will need to have @source_mnt as it's master. So we walk the
propagation hierarchy all the way up to @source_mnt based on
@last_source->mnt_master.
So terminate on @source_mnt, easy peasy. Except, that the check misses
something that the rest of the algorithm already handles.
If @dest_mnt has peers in it's peer group the peer loop in
propagate_mnt():
for (n = next_peer(dest_mnt); n != dest_mnt; n = next_peer(n)) {
ret = propagate_one(n);
if (ret)
goto out;
}
will consecutively update @last_source with each previous copy of the
source mount tree we created and mounted at the previous peer in
@dest_mnt's peer group. So after that loop terminates @last_source will
point to whatever copy of the source mount tree was created and mounted
on the last peer in @dest_mnt's peer group.
Furthermore, if there is even a single additional peer in @dest_mnt's
peer group then @last_source will __not__ point to @source_mnt anymore.
Because, as we mentioned above, @dest_mnt isn't even handled in this
loop but directly in attach_recursive_mnt(). So it can't even accidently
come last in that peer loop.
So the first time we handle a slave mount @m of @dest_mnt's peer group
the copy of the source mount tree we create will make the __last copy of
the source mount tree we created and mounted on the last peer in
@dest_mnt's peer group the master of the new copy of the source mount
tree we create and mount on the first slave of @dest_mnt's peer group__.
But this means that the termination condition that checks for
@source_mnt is wrong. The @source_mnt cannot be found anymore by
propagate_one(). Instead it will find the last copy of the source mount
tree we created and mounted for the last peer of @dest_mnt's peer group
again. And that is a peer of @source_mnt not @source_mnt itself.
IOW, we fail to terminate the loop correctly and ultimately dereference
@last_source->mnt_master->mnt_parent. When @source_mnt's peer group
isn't slave to another peer group then @last_source->mnt_master is NULL
causing the splat below.
For example, assume @dest_mnt is a pure shared mount and has three peers
in its peer group:
===================================================================================
mount-id mount-parent-id peer-group-id
===================================================================================
(@dest_mnt) mnt_master[216] 309 297 shared:216
\
(@source_mnt) mnt_master[218]: 609 609 shared:218
(1) mnt_master[216]: 607 605 shared:216
\
(P1) mnt_master[218]: 624 607 shared:218
(2) mnt_master[216]: 576 574 shared:216
\
(P2) mnt_master[218]: 625 576 shared:218
(3) mnt_master[216]: 545 543 shared:216
\
(P3) mnt_master[218]: 626 545 shared:218
After this sequence has been processed @last_source will point to (P3),
the copy generated for the third peer in @dest_mnt's peer group we
handled. So the copy of the source mount tree (P4) we create and mount
on the first slave of @dest_mnt's peer group:
===================================================================================
mount-id mount-parent-id peer-group-id
===================================================================================
mnt_master[216] 309 297 shared:216
/
/
(S0) mnt_slave 483 481 master:216
\
\ (P3) mnt_master[218] 626 545 shared:218
\ /
\/
(P4) mnt_slave 627 483 master:218
will pick the last copy of the source mount tree (P3) as master, not (S0).
When walking the propagation hierarchy via @last_source's master
hierarchy we encounter (P3) but not (S0), i.e., @source_mnt.
We can fix this in multiple ways:
(1) By setting @last_source to @source_mnt after we processed the peers
in @dest_mnt's peer group right after the peer loop in
propagate_mnt().
(2) By changing the termination condition that relies on finding exactly
@source_mnt to finding a peer of @source_mnt.
(3) By only moving @last_source when we actually venture into a new peer
group or some clever variant thereof.
The first two options are minimally invasive and what we want as a fix.
The third option is more intrusive but something we'd like to explore in
the near future.
This passes all LTP tests and specifically the mount propagation
testsuite part of it. It also holds up against all known reproducers of
this issues.
Final words.
First, this is a clever but __worringly__ underdocumented algorithm.
There isn't a single detailed comment to be found in next_group(),
propagate_one() or anywhere else in that file for that matter. This has
been a giant pain to understand and work through and a bug like this is
insanely difficult to fix without a detailed understanding of what's
happening. Let's not talk about the amount of time that was sunk into
fixing this.
Second, all the cool kids with access to
unshare --mount --user --map-root --propagation=unchanged
are going to have a lot of fun. IOW, triggerable by unprivileged users
while namespace_lock() lock is held.
[ 115.848393] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 115.848967] #PF: supervisor read access in kernel mode
[ 115.849386] #PF: error_code(0x0000) - not-present page
[ 115.849803] PGD 0 P4D 0
[ 115.850012] Oops: 0000 [#1] PREEMPT SMP PTI
[ 115.850354] CPU: 0 PID: 15591 Comm: mount Not tainted 6.1.0-rc7 #3
[ 115.850851] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS
VirtualBox 12/01/2006
[ 115.851510] RIP: 0010:propagate_one.part.0+0x7f/0x1a0
[ 115.851924] Code: 75 eb 4c 8b 05 c2 25 37 02 4c 89 ca 48 8b 4a 10
49 39 d0 74 1e 48 3b 81 e0 00 00 00 74 26 48 8b 92 e0 00 00 00 be 01
00 00 00 <48> 8b 4a 10 49 39 d0 75 e2 40 84 f6 74 38 4c 89 05 84 25 37
02 4d
[ 115.853441] RSP: 0018:ffffb8d5443d7d50 EFLAGS: 00010282
[ 115.853865] RAX: ffff8e4d87c41c80 RBX: ffff8e4d88ded780 RCX: ffff8e4da4333a00
[ 115.854458] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e4d88ded780
[ 115.855044] RBP: ffff8e4d88ded780 R08: ffff8e4da4338000 R09: ffff8e4da43388c0
[ 115.855693] R10: 0000000000000002 R11: ffffb8d540158000 R12: ffffb8d5443d7da8
[ 115.856304] R13: ffff8e4d88ded780 R14: 0000000000000000 R15: 0000000000000000
[ 115.856859] FS: 00007f92c90c9800(0000) GS:ffff8e4dfdc00000(0000)
knlGS:0000000000000000
[ 115.857531] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 115.858006] CR2: 0000000000000010 CR3: 0000000022f4c002 CR4: 00000000000706f0
[ 115.858598] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 115.859393] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 115.860099] Call Trace:
[ 115.860358] <TASK>
[ 115.860535] propagate_mnt+0x14d/0x190
[ 115.860848] attach_recursive_mnt+0x274/0x3e0
[ 115.861212] path_mount+0x8c8/0xa60
[ 115.861503] __x64_sys_mount+0xf6/0x140
[ 115.861819] do_syscall_64+0x5b/0x80
[ 115.862117] ? do_faccessat+0x123/0x250
[ 115.862435] ? syscall_exit_to_user_mode+0x17/0x40
[ 115.862826] ? do_syscall_64+0x67/0x80
[ 115.863133] ? syscall_exit_to_user_mode+0x17/0x40
[ 115.863527] ? do_syscall_64+0x67/0x80
[ 115.863835] ? do_syscall_64+0x67/0x80
[ 115.864144] ? do_syscall_64+0x67/0x80
[ 115.864452] ? exc_page_fault+0x70/0x170
[ 115.864775] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 115.865187] RIP: 0033:0x7f92c92b0ebe
[ 115.865480] Code: 48 8b 0d 75 4f 0c 00 f7 d8 64 89 01 48 83 c8 ff
c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 42 4f 0c 00 f7 d8 64 89
01 48
[ 115.866984] RSP: 002b:00007fff000aa728 EFLAGS: 00000246 ORIG_RAX:
00000000000000a5
[ 115.867607] RAX: ffffffffffffffda RBX: 000055a77888d6b0 RCX: 00007f92c92b0ebe
[ 115.868240] RDX: 000055a77888d8e0 RSI: 000055a77888e6e0 RDI: 000055a77888e620
[ 115.868823] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 115.869403] R10: 0000000000001000 R11: 0000000000000246 R12: 000055a77888e620
[ 115.869994] R13: 000055a77888d8e0 R14: 00000000ffffffff R15: 00007f92c93e4076
[ 115.870581] </TASK>
[ 115.870763] Modules linked in: nft_fib_inet nft_fib_ipv4
nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6
nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6
nf_defrag_ipv4 ip_set rfkill nf_tables nfnetlink qrtr snd_intel8x0
sunrpc snd_ac97_codec ac97_bus snd_pcm snd_timer intel_rapl_msr
intel_rapl_common snd vboxguest intel_powerclamp video rapl joydev
soundcore i2c_piix4 wmi fuse zram xfs vmwgfx crct10dif_pclmul
crc32_pclmul crc32c_intel polyval_clmulni polyval_generic
drm_ttm_helper ttm e1000 ghash_clmulni_intel serio_raw ata_generic
pata_acpi scsi_dh_rdac scsi_dh_emc scsi_dh_alua dm_multipath
[ 115.875288] CR2: 0000000000000010
[ 115.875641] ---[ end trace 0000000000000000 ]---
[ 115.876135] RIP: 0010:propagate_one.part.0+0x7f/0x1a0
[ 115.876551] Code: 75 eb 4c 8b 05 c2 25 37 02 4c 89 ca 48 8b 4a 10
49 39 d0 74 1e 48 3b 81 e0 00 00 00 74 26 48 8b 92 e0 00 00 00 be 01
00 00 00 <48> 8b 4a 10 49 39 d0 75 e2 40 84 f6 74 38 4c 89 05 84 25 37
02 4d
[ 115.878086] RSP: 0018:ffffb8d5443d7d50 EFLAGS: 00010282
[ 115.878511] RAX: ffff8e4d87c41c80 RBX: ffff8e4d88ded780 RCX: ffff8e4da4333a00
[ 115.879128] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e4d88ded780
[ 115.879715] RBP: ffff8e4d88ded780 R08: ffff8e4da4338000 R09: ffff8e4da43388c0
[ 115.880359] R10: 0000000000000002 R11: ffffb8d540158000 R12: ffffb8d5443d7da8
[ 115.880962] R13: ffff8e4d88ded780 R14: 0000000000000000 R15: 0000000000000000
[ 115.881548] FS: 00007f92c90c9800(0000) GS:ffff8e4dfdc00000(0000)
knlGS:0000000000000000
[ 115.882234] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 115.882713] CR2: 0000000000000010 CR3: 0000000022f4c002 CR4: 00000000000706f0
[ 115.883314] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 115.883966] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Fixes: f2ebb3a921c1 ("smarter propagate_mnt()")
Fixes: 5ec0811d3037 ("propogate_mnt: Handle the first propogated copy being a slave")
Cc: <stable@vger.kernel.org>
Reported-by: Ditang Chen <ditang.c@gmail.com>
Signed-off-by: Seth Forshee (Digital Ocean) <sforshee@kernel.org>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
If there are no big objections I'll get this to Linus rather sooner than later.
---
fs/pnode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/pnode.c
+++ b/fs/pnode.c
@@ -244,7 +244,7 @@ static int propagate_one(struct mount *m
}
do {
struct mount *parent = last_source->mnt_parent;
- if (last_source == first_source)
+ if (peers(last_source, first_source))
break;
done = parent->mnt_master == p;
if (done && peers(n, parent))
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 592/783] md: fix a crash in mempool_free
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (590 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 591/783] pnode: terminate at peers of source Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 593/783] mm, compaction: fix fast_isolate_around() to stay within boundaries Greg Kroah-Hartman
` (200 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Song Liu
From: Mikulas Patocka <mpatocka@redhat.com>
commit 341097ee53573e06ab9fc675d96a052385b851fa upstream.
There's a crash in mempool_free when running the lvm test
shell/lvchange-rebuild-raid.sh.
The reason for the crash is this:
* super_written calls atomic_dec_and_test(&mddev->pending_writes) and
wake_up(&mddev->sb_wait). Then it calls rdev_dec_pending(rdev, mddev)
and bio_put(bio).
* so, the process that waited on sb_wait and that is woken up is racing
with bio_put(bio).
* if the process wins the race, it calls bioset_exit before bio_put(bio)
is executed.
* bio_put(bio) attempts to free a bio into a destroyed bio set - causing
a crash in mempool_free.
We fix this bug by moving bio_put before atomic_dec_and_test.
We also move rdev_dec_pending before atomic_dec_and_test as suggested by
Neil Brown.
The function md_end_flush has a similar bug - we must call bio_put before
we decrement the number of in-progress bios.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 11557f0067 P4D 11557f0067 PUD 0
Oops: 0002 [#1] PREEMPT SMP
CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 6.1.0-rc3 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Workqueue: kdelayd flush_expired_bios [dm_delay]
RIP: 0010:mempool_free+0x47/0x80
Code: 48 89 ef 5b 5d ff e0 f3 c3 48 89 f7 e8 32 45 3f 00 48 63 53 08 48 89 c6 3b 53 04 7d 2d 48 8b 43 10 8d 4a 01 48 89 df 89 4b 08 <48> 89 2c d0 e8 b0 45 3f 00 48 8d 7b 30 5b 5d 31 c9 ba 01 00 00 00
RSP: 0018:ffff88910036bda8 EFLAGS: 00010093
RAX: 0000000000000000 RBX: ffff8891037b65d8 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000202 RDI: ffff8891037b65d8
RBP: ffff8891447ba240 R08: 0000000000012908 R09: 00000000003d0900
R10: 0000000000000000 R11: 0000000000173544 R12: ffff889101a14000
R13: ffff8891562ac300 R14: ffff889102b41440 R15: ffffe8ffffa00d05
FS: 0000000000000000(0000) GS:ffff88942fa00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000001102e99000 CR4: 00000000000006b0
Call Trace:
<TASK>
clone_endio+0xf4/0x1c0 [dm_mod]
clone_endio+0xf4/0x1c0 [dm_mod]
__submit_bio+0x76/0x120
submit_bio_noacct_nocheck+0xb6/0x2a0
flush_expired_bios+0x28/0x2f [dm_delay]
process_one_work+0x1b4/0x300
worker_thread+0x45/0x3e0
? rescuer_thread+0x380/0x380
kthread+0xc2/0x100
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in: brd dm_delay dm_raid dm_mod af_packet uvesafb cfbfillrect cfbimgblt cn cfbcopyarea fb font fbdev tun autofs4 binfmt_misc configfs ipv6 virtio_rng virtio_balloon rng_core virtio_net pcspkr net_failover failover qemu_fw_cfg button mousedev raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq raid6_pq async_xor xor async_tx raid1 raid0 md_mod sd_mod t10_pi crc64_rocksoft crc64 virtio_scsi scsi_mod evdev psmouse bsg scsi_common [last unloaded: brd]
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/md.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -555,13 +555,14 @@ static void md_end_flush(struct bio *bio
struct md_rdev *rdev = bio->bi_private;
struct mddev *mddev = rdev->mddev;
+ bio_put(bio);
+
rdev_dec_pending(rdev, mddev);
if (atomic_dec_and_test(&mddev->flush_pending)) {
/* The pre-request flush has finished */
queue_work(md_wq, &mddev->flush_work);
}
- bio_put(bio);
}
static void md_submit_flush_data(struct work_struct *ws);
@@ -966,10 +967,12 @@ static void super_written(struct bio *bi
} else
clear_bit(LastDev, &rdev->flags);
+ bio_put(bio);
+
+ rdev_dec_pending(rdev, mddev);
+
if (atomic_dec_and_test(&mddev->pending_writes))
wake_up(&mddev->sb_wait);
- rdev_dec_pending(rdev, mddev);
- bio_put(bio);
}
void md_super_write(struct mddev *mddev, struct md_rdev *rdev,
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 593/783] mm, compaction: fix fast_isolate_around() to stay within boundaries
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (591 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 592/783] md: fix a crash in mempool_free Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 594/783] f2fs: should put a page when checking the summary info Greg Kroah-Hartman
` (199 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, NARIBAYASHI Akira, David Rientjes,
Mel Gorman, Vlastimil Babka, Andrew Morton
From: NARIBAYASHI Akira <a.naribayashi@fujitsu.com>
commit be21b32afe470c5ae98e27e49201158a47032942 upstream.
Depending on the memory configuration, isolate_freepages_block() may scan
pages out of the target range and causes panic.
Panic can occur on systems with multiple zones in a single pageblock.
The reason it is rare is that it only happens in special
configurations. Depending on how many similar systems there are, it
may be a good idea to fix this problem for older kernels as well.
The problem is that pfn as argument of fast_isolate_around() could be out
of the target range. Therefore we should consider the case where pfn <
start_pfn, and also the case where end_pfn < pfn.
This problem should have been addressd by the commit 6e2b7044c199 ("mm,
compaction: make fast_isolate_freepages() stay within zone") but there was
an oversight.
Case1: pfn < start_pfn
<at memory compaction for node Y>
| node X's zone | node Y's zone
+-----------------+------------------------------...
pageblock ^ ^ ^
+-----------+-----------+-----------+-----------+...
^ ^ ^
^ ^ end_pfn
^ start_pfn = cc->zone->zone_start_pfn
pfn
<---------> scanned range by "Scan After"
Case2: end_pfn < pfn
<at memory compaction for node X>
| node X's zone | node Y's zone
+-----------------+------------------------------...
pageblock ^ ^ ^
+-----------+-----------+-----------+-----------+...
^ ^ ^
^ ^ pfn
^ end_pfn
start_pfn
<---------> scanned range by "Scan Before"
It seems that there is no good reason to skip nr_isolated pages just after
given pfn. So let perform simple scan from start to end instead of
dividing the scan into "Before" and "After".
Link: https://lkml.kernel.org/r/20221026112438.236336-1-a.naribayashi@fujitsu.com
Fixes: 6e2b7044c199 ("mm, compaction: make fast_isolate_freepages() stay within zone").
Signed-off-by: NARIBAYASHI Akira <a.naribayashi@fujitsu.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/compaction.c | 18 +++++-------------
1 file changed, 5 insertions(+), 13 deletions(-)
--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -1245,7 +1245,7 @@ move_freelist_tail(struct list_head *fre
}
static void
-fast_isolate_around(struct compact_control *cc, unsigned long pfn, unsigned long nr_isolated)
+fast_isolate_around(struct compact_control *cc, unsigned long pfn)
{
unsigned long start_pfn, end_pfn;
struct page *page;
@@ -1266,21 +1266,13 @@ fast_isolate_around(struct compact_contr
if (!page)
return;
- /* Scan before */
- if (start_pfn != pfn) {
- isolate_freepages_block(cc, &start_pfn, pfn, &cc->freepages, 1, false);
- if (cc->nr_freepages >= cc->nr_migratepages)
- return;
- }
-
- /* Scan after */
- start_pfn = pfn + nr_isolated;
- if (start_pfn < end_pfn)
- isolate_freepages_block(cc, &start_pfn, end_pfn, &cc->freepages, 1, false);
+ isolate_freepages_block(cc, &start_pfn, end_pfn, &cc->freepages, 1, false);
/* Skip this pageblock in the future as it's full or nearly full */
if (cc->nr_freepages < cc->nr_migratepages)
set_pageblock_skip(page);
+
+ return;
}
/* Search orders in round-robin fashion */
@@ -1456,7 +1448,7 @@ fast_isolate_freepages(struct compact_co
return cc->free_pfn;
low_pfn = page_to_pfn(page);
- fast_isolate_around(cc, low_pfn, nr_isolated);
+ fast_isolate_around(cc, low_pfn);
return low_pfn;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 594/783] f2fs: should put a page when checking the summary info
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (592 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 593/783] mm, compaction: fix fast_isolate_around() to stay within boundaries Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 595/783] mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING Greg Kroah-Hartman
` (198 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pavel Machek, Chao Yu, Jaegeuk Kim
From: Pavel Machek <pavel@denx.de>
commit c3db3c2fd9992c08f49aa93752d3c103c3a4f6aa upstream.
The commit introduces another bug.
Cc: stable@vger.kernel.org
Fixes: c6ad7fd16657e ("f2fs: fix to do sanity check on summary info")
Signed-off-by: Pavel Machek <pavel@denx.de>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/gc.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1008,6 +1008,7 @@ static bool is_alive(struct f2fs_sb_info
if (ofs_in_node >= max_addrs) {
f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
ofs_in_node, dni->ino, dni->nid, max_addrs);
+ f2fs_put_page(node_page, 1);
return false;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 595/783] mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (593 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 594/783] f2fs: should put a page when checking the summary info Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 596/783] tpm: acpi: Call acpi_put_table() to fix memory leak Greg Kroah-Hartman
` (197 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Deren Wu, Ulf Hansson
From: Deren Wu <deren.wu@mediatek.com>
commit 4a44cd249604e29e7b90ae796d7692f5773dd348 upstream.
vub300_enable_sdio_irq() works with mutex and need TASK_RUNNING here.
Ensure that we mark current as TASK_RUNNING for sleepable context.
[ 77.554641] do not call blocking ops when !TASK_RUNNING; state=1 set at [<ffffffff92a72c1d>] sdio_irq_thread+0x17d/0x5b0
[ 77.554652] WARNING: CPU: 2 PID: 1983 at kernel/sched/core.c:9813 __might_sleep+0x116/0x160
[ 77.554905] CPU: 2 PID: 1983 Comm: ksdioirqd/mmc1 Tainted: G OE 6.1.0-rc5 #1
[ 77.554910] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, BIOS BECFL357.86A.0081.2020.0504.1834 05/04/2020
[ 77.554912] RIP: 0010:__might_sleep+0x116/0x160
[ 77.554920] RSP: 0018:ffff888107b7fdb8 EFLAGS: 00010282
[ 77.554923] RAX: 0000000000000000 RBX: ffff888118c1b740 RCX: 0000000000000000
[ 77.554926] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffed1020f6ffa9
[ 77.554928] RBP: ffff888107b7fde0 R08: 0000000000000001 R09: ffffed1043ea60ba
[ 77.554930] R10: ffff88821f5305cb R11: ffffed1043ea60b9 R12: ffffffff93aa3a60
[ 77.554932] R13: 000000000000011b R14: 7fffffffffffffff R15: ffffffffc0558660
[ 77.554934] FS: 0000000000000000(0000) GS:ffff88821f500000(0000) knlGS:0000000000000000
[ 77.554937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 77.554939] CR2: 00007f8a44010d68 CR3: 000000024421a003 CR4: 00000000003706e0
[ 77.554942] Call Trace:
[ 77.554944] <TASK>
[ 77.554952] mutex_lock+0x78/0xf0
[ 77.554973] vub300_enable_sdio_irq+0x103/0x3c0 [vub300]
[ 77.554981] sdio_irq_thread+0x25c/0x5b0
[ 77.555006] kthread+0x2b8/0x370
[ 77.555017] ret_from_fork+0x1f/0x30
[ 77.555023] </TASK>
[ 77.555025] ---[ end trace 0000000000000000 ]---
Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/87dc45b122d26d63c80532976813c9365d7160b3.1670140888.git.deren.wu@mediatek.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/vub300.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/mmc/host/vub300.c
+++ b/drivers/mmc/host/vub300.c
@@ -2049,6 +2049,7 @@ static void vub300_enable_sdio_irq(struc
return;
kref_get(&vub300->kref);
if (enable) {
+ set_current_state(TASK_RUNNING);
mutex_lock(&vub300->irq_mutex);
if (vub300->irqs_queued) {
vub300->irqs_queued -= 1;
@@ -2064,6 +2065,7 @@ static void vub300_enable_sdio_irq(struc
vub300_queue_poll_work(vub300, 0);
}
mutex_unlock(&vub300->irq_mutex);
+ set_current_state(TASK_INTERRUPTIBLE);
} else {
vub300->irq_enabled = 0;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 596/783] tpm: acpi: Call acpi_put_table() to fix memory leak
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (594 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 595/783] mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 597/783] tpm: tpm_crb: Add the missed " Greg Kroah-Hartman
` (196 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hanjun Guo, Jarkko Sakkinen
From: Hanjun Guo <guohanjun@huawei.com>
commit 8740a12ca2e2959531ad253bac99ada338b33d80 upstream.
The start and length of the event log area are obtained from
TPM2 or TCPA table, so we call acpi_get_table() to get the
ACPI information, but the acpi_get_table() should be coupled with
acpi_put_table() to release the ACPI memory, add the acpi_put_table()
properly to fix the memory leak.
While we are at it, remove the redundant empty line at the
end of the tpm_read_log_acpi().
Fixes: 0bfb23746052 ("tpm: Move eventlog files to a subdirectory")
Fixes: 85467f63a05c ("tpm: Add support for event log pointer found in TPM2 ACPI table")
Cc: stable@vger.kernel.org
Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/eventlog/acpi.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/char/tpm/eventlog/acpi.c
+++ b/drivers/char/tpm/eventlog/acpi.c
@@ -90,16 +90,21 @@ int tpm_read_log_acpi(struct tpm_chip *c
return -ENODEV;
if (tbl->header.length <
- sizeof(*tbl) + sizeof(struct acpi_tpm2_phy))
+ sizeof(*tbl) + sizeof(struct acpi_tpm2_phy)) {
+ acpi_put_table((struct acpi_table_header *)tbl);
return -ENODEV;
+ }
tpm2_phy = (void *)tbl + sizeof(*tbl);
len = tpm2_phy->log_area_minimum_length;
start = tpm2_phy->log_area_start_address;
- if (!start || !len)
+ if (!start || !len) {
+ acpi_put_table((struct acpi_table_header *)tbl);
return -ENODEV;
+ }
+ acpi_put_table((struct acpi_table_header *)tbl);
format = EFI_TCG2_EVENT_LOG_FORMAT_TCG_2;
} else {
/* Find TCPA entry in RSDT (ACPI_LOGICAL_ADDRESSING) */
@@ -120,8 +125,10 @@ int tpm_read_log_acpi(struct tpm_chip *c
break;
}
+ acpi_put_table((struct acpi_table_header *)buff);
format = EFI_TCG2_EVENT_LOG_FORMAT_TCG_1_2;
}
+
if (!len) {
dev_warn(&chip->dev, "%s: TCPA log area empty\n", __func__);
return -EIO;
@@ -156,5 +163,4 @@ err:
kfree(log->bios_event_log);
log->bios_event_log = NULL;
return ret;
-
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 597/783] tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (595 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 596/783] tpm: acpi: Call acpi_put_table() to fix memory leak Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 598/783] tpm: tpm_tis: " Greg Kroah-Hartman
` (195 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hanjun Guo, Jarkko Sakkinen
From: Hanjun Guo <guohanjun@huawei.com>
commit 37e90c374dd11cf4919c51e847c6d6ced0abc555 upstream.
In crb_acpi_add(), we get the TPM2 table to retrieve information
like start method, and then assign them to the priv data, so the
TPM2 table is not used after the init, should be freed, call
acpi_put_table() to fix the memory leak.
Fixes: 30fc8d138e91 ("tpm: TPM 2.0 CRB Interface")
Cc: stable@vger.kernel.org
Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm_crb.c | 29 ++++++++++++++++++++---------
1 file changed, 20 insertions(+), 9 deletions(-)
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -676,12 +676,16 @@ static int crb_acpi_add(struct acpi_devi
/* Should the FIFO driver handle this? */
sm = buf->start_method;
- if (sm == ACPI_TPM2_MEMORY_MAPPED)
- return -ENODEV;
+ if (sm == ACPI_TPM2_MEMORY_MAPPED) {
+ rc = -ENODEV;
+ goto out;
+ }
priv = devm_kzalloc(dev, sizeof(struct crb_priv), GFP_KERNEL);
- if (!priv)
- return -ENOMEM;
+ if (!priv) {
+ rc = -ENOMEM;
+ goto out;
+ }
if (sm == ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC) {
if (buf->header.length < (sizeof(*buf) + sizeof(*crb_smc))) {
@@ -689,7 +693,8 @@ static int crb_acpi_add(struct acpi_devi
FW_BUG "TPM2 ACPI table has wrong size %u for start method type %d\n",
buf->header.length,
ACPI_TPM2_COMMAND_BUFFER_WITH_ARM_SMC);
- return -EINVAL;
+ rc = -EINVAL;
+ goto out;
}
crb_smc = ACPI_ADD_PTR(struct tpm2_crb_smc, buf, sizeof(*buf));
priv->smc_func_id = crb_smc->smc_func_id;
@@ -700,17 +705,23 @@ static int crb_acpi_add(struct acpi_devi
rc = crb_map_io(device, priv, buf);
if (rc)
- return rc;
+ goto out;
chip = tpmm_chip_alloc(dev, &tpm_crb);
- if (IS_ERR(chip))
- return PTR_ERR(chip);
+ if (IS_ERR(chip)) {
+ rc = PTR_ERR(chip);
+ goto out;
+ }
dev_set_drvdata(&chip->dev, priv);
chip->acpi_dev_handle = device->handle;
chip->flags = TPM_CHIP_FLAG_TPM2;
- return tpm_chip_register(chip);
+ rc = tpm_chip_register(chip);
+
+out:
+ acpi_put_table((struct acpi_table_header *)buf);
+ return rc;
}
static int crb_acpi_remove(struct acpi_device *device)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 598/783] tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (596 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 597/783] tpm: tpm_crb: Add the missed " Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 599/783] SUNRPC: Dont leak netobj memory when gss_read_proxy_verf() fails Greg Kroah-Hartman
` (194 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hanjun Guo, Jarkko Sakkinen
From: Hanjun Guo <guohanjun@huawei.com>
commit db9622f762104459ff87ecdf885cc42c18053fd9 upstream.
In check_acpi_tpm2(), we get the TPM2 table just to make
sure the table is there, not used after the init, so the
acpi_put_table() should be added to release the ACPI memory.
Fixes: 4cb586a188d4 ("tpm_tis: Consolidate the platform and acpi probe flow")
Cc: stable@vger.kernel.org
Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/tpm/tpm_tis.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -125,6 +125,7 @@ static int check_acpi_tpm2(struct device
const struct acpi_device_id *aid = acpi_match_device(tpm_acpi_tbl, dev);
struct acpi_table_tpm2 *tbl;
acpi_status st;
+ int ret = 0;
if (!aid || aid->driver_data != DEVICE_IS_TPM2)
return 0;
@@ -132,8 +133,7 @@ static int check_acpi_tpm2(struct device
/* If the ACPI TPM2 signature is matched then a global ACPI_SIG_TPM2
* table is mandatory
*/
- st =
- acpi_get_table(ACPI_SIG_TPM2, 1, (struct acpi_table_header **)&tbl);
+ st = acpi_get_table(ACPI_SIG_TPM2, 1, (struct acpi_table_header **)&tbl);
if (ACPI_FAILURE(st) || tbl->header.length < sizeof(*tbl)) {
dev_err(dev, FW_BUG "failed to get TPM2 ACPI table\n");
return -EINVAL;
@@ -141,9 +141,10 @@ static int check_acpi_tpm2(struct device
/* The tpm2_crb driver handles this device */
if (tbl->start_method != ACPI_TPM2_MEMORY_MAPPED)
- return -ENODEV;
+ ret = -ENODEV;
- return 0;
+ acpi_put_table((struct acpi_table_header *)tbl);
+ return ret;
}
#else
static int check_acpi_tpm2(struct device *dev)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 599/783] SUNRPC: Dont leak netobj memory when gss_read_proxy_verf() fails
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (597 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 598/783] tpm: tpm_tis: " Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 600/783] kcsan: Instrument memcpy/memset/memmove with newer Clang Greg Kroah-Hartman
` (193 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chuck Lever, Jeff Layton
From: Chuck Lever <chuck.lever@oracle.com>
commit da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 upstream.
Fixes: 030d794bf498 ("SUNRPC: Use gssproxy upcall for server RPCGSS authentication.")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: <stable@vger.kernel.org>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sunrpc/auth_gss/svcauth_gss.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1156,18 +1156,23 @@ static int gss_read_proxy_verf(struct sv
return res;
inlen = svc_getnl(argv);
- if (inlen > (argv->iov_len + rqstp->rq_arg.page_len))
+ if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) {
+ kfree(in_handle->data);
return SVC_DENIED;
+ }
pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
- if (!in_token->pages)
+ if (!in_token->pages) {
+ kfree(in_handle->data);
return SVC_DENIED;
+ }
in_token->page_base = 0;
in_token->page_len = inlen;
for (i = 0; i < pages; i++) {
in_token->pages[i] = alloc_page(GFP_KERNEL);
if (!in_token->pages[i]) {
+ kfree(in_handle->data);
gss_free_in_token_pages(in_token);
return SVC_DENIED;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 600/783] kcsan: Instrument memcpy/memset/memmove with newer Clang
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (598 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 599/783] SUNRPC: Dont leak netobj memory when gss_read_proxy_verf() fails Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 601/783] ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio Greg Kroah-Hartman
` (192 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Marco Elver, Paul E. McKenney
From: Marco Elver <elver@google.com>
commit 7c201739beef1a586d806463f1465429cdce34c5 upstream.
With Clang version 16+, -fsanitize=thread will turn
memcpy/memset/memmove calls in instrumented functions into
__tsan_memcpy/__tsan_memset/__tsan_memmove calls respectively.
Add these functions to the core KCSAN runtime, so that we (a) catch data
races with mem* functions, and (b) won't run into linker errors with
such newer compilers.
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
[ elver@google.com: adjust check_access() call for v5.15 and earlier. ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kcsan/core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
--- a/kernel/kcsan/core.c
+++ b/kernel/kcsan/core.c
@@ -9,10 +9,12 @@
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/list.h>
+#include <linux/minmax.h>
#include <linux/moduleparam.h>
#include <linux/percpu.h>
#include <linux/preempt.h>
#include <linux/sched.h>
+#include <linux/string.h>
#include <linux/uaccess.h>
#include "atomic.h"
@@ -1045,3 +1047,51 @@ EXPORT_SYMBOL(__tsan_atomic_thread_fence
void __tsan_atomic_signal_fence(int memorder);
void __tsan_atomic_signal_fence(int memorder) { }
EXPORT_SYMBOL(__tsan_atomic_signal_fence);
+
+#ifdef __HAVE_ARCH_MEMSET
+void *__tsan_memset(void *s, int c, size_t count);
+noinline void *__tsan_memset(void *s, int c, size_t count)
+{
+ /*
+ * Instead of not setting up watchpoints where accessed size is greater
+ * than MAX_ENCODABLE_SIZE, truncate checked size to MAX_ENCODABLE_SIZE.
+ */
+ size_t check_len = min_t(size_t, count, MAX_ENCODABLE_SIZE);
+
+ check_access(s, check_len, KCSAN_ACCESS_WRITE);
+ return memset(s, c, count);
+}
+#else
+void *__tsan_memset(void *s, int c, size_t count) __alias(memset);
+#endif
+EXPORT_SYMBOL(__tsan_memset);
+
+#ifdef __HAVE_ARCH_MEMMOVE
+void *__tsan_memmove(void *dst, const void *src, size_t len);
+noinline void *__tsan_memmove(void *dst, const void *src, size_t len)
+{
+ size_t check_len = min_t(size_t, len, MAX_ENCODABLE_SIZE);
+
+ check_access(dst, check_len, KCSAN_ACCESS_WRITE);
+ check_access(src, check_len, 0);
+ return memmove(dst, src, len);
+}
+#else
+void *__tsan_memmove(void *dst, const void *src, size_t len) __alias(memmove);
+#endif
+EXPORT_SYMBOL(__tsan_memmove);
+
+#ifdef __HAVE_ARCH_MEMCPY
+void *__tsan_memcpy(void *dst, const void *src, size_t len);
+noinline void *__tsan_memcpy(void *dst, const void *src, size_t len)
+{
+ size_t check_len = min_t(size_t, len, MAX_ENCODABLE_SIZE);
+
+ check_access(dst, check_len, KCSAN_ACCESS_WRITE);
+ check_access(src, check_len, 0);
+ return memcpy(dst, src, len);
+}
+#else
+void *__tsan_memcpy(void *dst, const void *src, size_t len) __alias(memcpy);
+#endif
+EXPORT_SYMBOL(__tsan_memcpy);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 601/783] ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (599 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 600/783] kcsan: Instrument memcpy/memset/memmove with newer Clang Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 602/783] ASoC/SoundWire: dai: expand stream concept beyond SoundWire Greg Kroah-Hartman
` (191 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart, Rander Wang,
Ranjani Sridharan, Bard Liao, Mark Brown, Takashi Iwai
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
commit 636110411ca726f19ef8e87b0be51bb9a4cdef06 upstream.
Overloading the tx_mask with a linear value is asking for trouble and
only works because the codec_dai hw_params() is called before the
cpu_dai hw_params().
Move to the more generic set_stream() API to pass the hdac_stream
information.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Rander Wang <rander.wang@intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@intel.com>
Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Link: https://lore.kernel.org/r/20211224021034.26635-6-yung-chuan.liao@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/hdac_hda.c | 22 +++++++++++-----------
sound/soc/intel/skylake/skl-pcm.c | 7 ++-----
sound/soc/sof/intel/hda-dai.c | 7 ++-----
3 files changed, 15 insertions(+), 21 deletions(-)
--- a/sound/soc/codecs/hdac_hda.c
+++ b/sound/soc/codecs/hdac_hda.c
@@ -46,9 +46,8 @@ static int hdac_hda_dai_hw_params(struct
struct snd_soc_dai *dai);
static int hdac_hda_dai_hw_free(struct snd_pcm_substream *substream,
struct snd_soc_dai *dai);
-static int hdac_hda_dai_set_tdm_slot(struct snd_soc_dai *dai,
- unsigned int tx_mask, unsigned int rx_mask,
- int slots, int slot_width);
+static int hdac_hda_dai_set_stream(struct snd_soc_dai *dai, void *stream,
+ int direction);
static struct hda_pcm *snd_soc_find_pcm_from_dai(struct hdac_hda_priv *hda_pvt,
struct snd_soc_dai *dai);
@@ -58,7 +57,7 @@ static const struct snd_soc_dai_ops hdac
.prepare = hdac_hda_dai_prepare,
.hw_params = hdac_hda_dai_hw_params,
.hw_free = hdac_hda_dai_hw_free,
- .set_tdm_slot = hdac_hda_dai_set_tdm_slot,
+ .set_stream = hdac_hda_dai_set_stream,
};
static struct snd_soc_dai_driver hdac_hda_dais[] = {
@@ -180,21 +179,22 @@ static struct snd_soc_dai_driver hdac_hd
};
-static int hdac_hda_dai_set_tdm_slot(struct snd_soc_dai *dai,
- unsigned int tx_mask, unsigned int rx_mask,
- int slots, int slot_width)
+static int hdac_hda_dai_set_stream(struct snd_soc_dai *dai,
+ void *stream, int direction)
{
struct snd_soc_component *component = dai->component;
struct hdac_hda_priv *hda_pvt;
struct hdac_hda_pcm *pcm;
+ struct hdac_stream *hstream;
+
+ if (!stream)
+ return -EINVAL;
hda_pvt = snd_soc_component_get_drvdata(component);
pcm = &hda_pvt->pcm[dai->id];
+ hstream = (struct hdac_stream *)stream;
- if (tx_mask)
- pcm->stream_tag[SNDRV_PCM_STREAM_PLAYBACK] = tx_mask;
- else
- pcm->stream_tag[SNDRV_PCM_STREAM_CAPTURE] = rx_mask;
+ pcm->stream_tag[direction] = hstream->stream_tag;
return 0;
}
--- a/sound/soc/intel/skylake/skl-pcm.c
+++ b/sound/soc/intel/skylake/skl-pcm.c
@@ -563,11 +563,8 @@ static int skl_link_hw_params(struct snd
stream_tag = hdac_stream(link_dev)->stream_tag;
- /* set the stream tag in the codec dai dma params */
- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
- snd_soc_dai_set_tdm_slot(codec_dai, stream_tag, 0, 0, 0);
- else
- snd_soc_dai_set_tdm_slot(codec_dai, 0, stream_tag, 0, 0);
+ /* set the hdac_stream in the codec dai */
+ snd_soc_dai_set_stream(codec_dai, hdac_stream(link_dev), substream->stream);
p_params.s_fmt = snd_pcm_format_width(params_format(params));
p_params.ch = params_channels(params);
--- a/sound/soc/sof/intel/hda-dai.c
+++ b/sound/soc/sof/intel/hda-dai.c
@@ -236,11 +236,8 @@ static int hda_link_hw_params(struct snd
if (!link)
return -EINVAL;
- /* set the stream tag in the codec dai dma params */
- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
- snd_soc_dai_set_tdm_slot(codec_dai, stream_tag, 0, 0, 0);
- else
- snd_soc_dai_set_tdm_slot(codec_dai, 0, stream_tag, 0, 0);
+ /* set the hdac_stream in the codec dai */
+ snd_soc_dai_set_stream(codec_dai, hdac_stream(link_dev), substream->stream);
p_params.s_fmt = snd_pcm_format_width(params_format(params));
p_params.ch = params_channels(params);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 602/783] ASoC/SoundWire: dai: expand stream concept beyond SoundWire
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (600 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 601/783] ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 603/783] net/mlx5e: Fix nullptr in mlx5e_tc_add_fdb_flow() Greg Kroah-Hartman
` (190 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Louis Bossart, Rander Wang,
Ranjani Sridharan, Bard Liao, Vinod Koul, Mark Brown,
Takashi Iwai
From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
commit e8444560b4d9302a511f0996f4cfdf85b628f4ca upstream.
The HDAudio ASoC support relies on the set_tdm_slots() helper to store
the HDaudio stream tag in the tx_mask. This only works because of the
pre-existing order in soc-pcm.c, where the hw_params() is handled for
codec_dais *before* cpu_dais. When the order is reversed, the
stream_tag is used as a mask in the codec fixup functions:
/* fixup params based on TDM slot masks */
if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK &&
codec_dai->tx_mask)
soc_pcm_codec_params_fixup(&codec_params,
codec_dai->tx_mask);
As a result of this confusion, the codec_params_fixup() ends-up
generating bad channel masks, depending on what stream_tag was
allocated.
We could add a flag to state that the tx_mask is really not a mask,
but it would be quite ugly to persist in overloading concepts.
Instead, this patch suggests a more generic get/set 'stream' API based
on the existing model for SoundWire. We can expand the concept to
store 'stream' opaque information that is specific to different DAI
types. In the case of HDAudio DAIs, we only need to store a stream tag
as an unsigned char pointer. The TDM rx_ and tx_masks should really
only be used to store masks.
Rename get_sdw_stream/set_sdw_stream callbacks and helpers as
get_stream/set_stream. No functionality change beyond the rename.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Reviewed-by: Rander Wang <rander.wang@intel.com>
Reviewed-by: Ranjani Sridharan <ranjani.sridharan@intel.com>
Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
Acked-By: Vinod Koul <vkoul@kernel.org>
Link: https://lore.kernel.org/r/20211224021034.26635-5-yung-chuan.liao@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soundwire/intel.c | 8 ++++----
drivers/soundwire/qcom.c | 8 ++++----
drivers/soundwire/stream.c | 4 ++--
include/sound/soc-dai.h | 32 ++++++++++++++++----------------
sound/soc/codecs/max98373-sdw.c | 2 +-
sound/soc/codecs/rt1308-sdw.c | 2 +-
sound/soc/codecs/rt5682-sdw.c | 2 +-
sound/soc/codecs/rt700.c | 2 +-
sound/soc/codecs/rt711.c | 2 +-
sound/soc/codecs/rt715.c | 2 +-
sound/soc/codecs/wsa881x.c | 2 +-
sound/soc/intel/boards/sof_sdw.c | 6 +++---
sound/soc/qcom/sdm845.c | 4 ++--
13 files changed, 38 insertions(+), 38 deletions(-)
--- a/drivers/soundwire/intel.c
+++ b/drivers/soundwire/intel.c
@@ -1140,8 +1140,8 @@ static const struct snd_soc_dai_ops inte
.prepare = intel_prepare,
.hw_free = intel_hw_free,
.shutdown = intel_shutdown,
- .set_sdw_stream = intel_pcm_set_sdw_stream,
- .get_sdw_stream = intel_get_sdw_stream,
+ .set_stream = intel_pcm_set_sdw_stream,
+ .get_stream = intel_get_sdw_stream,
};
static const struct snd_soc_dai_ops intel_pdm_dai_ops = {
@@ -1150,8 +1150,8 @@ static const struct snd_soc_dai_ops inte
.prepare = intel_prepare,
.hw_free = intel_hw_free,
.shutdown = intel_shutdown,
- .set_sdw_stream = intel_pdm_set_sdw_stream,
- .get_sdw_stream = intel_get_sdw_stream,
+ .set_stream = intel_pdm_set_sdw_stream,
+ .get_stream = intel_get_sdw_stream,
};
static const struct snd_soc_component_driver dai_component = {
--- a/drivers/soundwire/qcom.c
+++ b/drivers/soundwire/qcom.c
@@ -649,8 +649,8 @@ static int qcom_swrm_startup(struct snd_
ctrl->sruntime[dai->id] = sruntime;
for_each_rtd_codec_dais(rtd, i, codec_dai) {
- ret = snd_soc_dai_set_sdw_stream(codec_dai, sruntime,
- substream->stream);
+ ret = snd_soc_dai_set_stream(codec_dai, sruntime,
+ substream->stream);
if (ret < 0 && ret != -ENOTSUPP) {
dev_err(dai->dev, "Failed to set sdw stream on %s",
codec_dai->name);
@@ -676,8 +676,8 @@ static const struct snd_soc_dai_ops qcom
.hw_free = qcom_swrm_hw_free,
.startup = qcom_swrm_startup,
.shutdown = qcom_swrm_shutdown,
- .set_sdw_stream = qcom_swrm_set_sdw_stream,
- .get_sdw_stream = qcom_swrm_get_sdw_stream,
+ .set_stream = qcom_swrm_set_sdw_stream,
+ .get_stream = qcom_swrm_get_sdw_stream,
};
static const struct snd_soc_component_driver qcom_swrm_dai_component = {
--- a/drivers/soundwire/stream.c
+++ b/drivers/soundwire/stream.c
@@ -1860,7 +1860,7 @@ static int set_stream(struct snd_pcm_sub
/* Set stream pointer on all DAIs */
for_each_rtd_dais(rtd, i, dai) {
- ret = snd_soc_dai_set_sdw_stream(dai, sdw_stream, substream->stream);
+ ret = snd_soc_dai_set_stream(dai, sdw_stream, substream->stream);
if (ret < 0) {
dev_err(rtd->dev, "failed to set stream pointer on dai %s", dai->name);
break;
@@ -1931,7 +1931,7 @@ void sdw_shutdown_stream(void *sdw_subst
/* Find stream from first CPU DAI */
dai = asoc_rtd_to_cpu(rtd, 0);
- sdw_stream = snd_soc_dai_get_sdw_stream(dai, substream->stream);
+ sdw_stream = snd_soc_dai_get_stream(dai, substream->stream);
if (IS_ERR(sdw_stream)) {
dev_err(rtd->dev, "no stream found for DAI %s", dai->name);
--- a/include/sound/soc-dai.h
+++ b/include/sound/soc-dai.h
@@ -239,9 +239,9 @@ struct snd_soc_dai_ops {
unsigned int *rx_num, unsigned int *rx_slot);
int (*set_tristate)(struct snd_soc_dai *dai, int tristate);
- int (*set_sdw_stream)(struct snd_soc_dai *dai,
- void *stream, int direction);
- void *(*get_sdw_stream)(struct snd_soc_dai *dai, int direction);
+ int (*set_stream)(struct snd_soc_dai *dai,
+ void *stream, int direction);
+ void *(*get_stream)(struct snd_soc_dai *dai, int direction);
/*
* DAI digital mute - optional.
@@ -446,42 +446,42 @@ static inline void *snd_soc_dai_get_drvd
}
/**
- * snd_soc_dai_set_sdw_stream() - Configures a DAI for SDW stream operation
+ * snd_soc_dai_set_stream() - Configures a DAI for stream operation
* @dai: DAI
- * @stream: STREAM
+ * @stream: STREAM (opaque structure depending on DAI type)
* @direction: Stream direction(Playback/Capture)
- * SoundWire subsystem doesn't have a notion of direction and we reuse
+ * Some subsystems, such as SoundWire, don't have a notion of direction and we reuse
* the ASoC stream direction to configure sink/source ports.
* Playback maps to source ports and Capture for sink ports.
*
* This should be invoked with NULL to clear the stream set previously.
* Returns 0 on success, a negative error code otherwise.
*/
-static inline int snd_soc_dai_set_sdw_stream(struct snd_soc_dai *dai,
- void *stream, int direction)
+static inline int snd_soc_dai_set_stream(struct snd_soc_dai *dai,
+ void *stream, int direction)
{
- if (dai->driver->ops->set_sdw_stream)
- return dai->driver->ops->set_sdw_stream(dai, stream, direction);
+ if (dai->driver->ops->set_stream)
+ return dai->driver->ops->set_stream(dai, stream, direction);
else
return -ENOTSUPP;
}
/**
- * snd_soc_dai_get_sdw_stream() - Retrieves SDW stream from DAI
+ * snd_soc_dai_get_stream() - Retrieves stream from DAI
* @dai: DAI
* @direction: Stream direction(Playback/Capture)
*
* This routine only retrieves that was previously configured
- * with snd_soc_dai_get_sdw_stream()
+ * with snd_soc_dai_get_stream()
*
* Returns pointer to stream or an ERR_PTR value, e.g.
* ERR_PTR(-ENOTSUPP) if callback is not supported;
*/
-static inline void *snd_soc_dai_get_sdw_stream(struct snd_soc_dai *dai,
- int direction)
+static inline void *snd_soc_dai_get_stream(struct snd_soc_dai *dai,
+ int direction)
{
- if (dai->driver->ops->get_sdw_stream)
- return dai->driver->ops->get_sdw_stream(dai, direction);
+ if (dai->driver->ops->get_stream)
+ return dai->driver->ops->get_stream(dai, direction);
else
return ERR_PTR(-ENOTSUPP);
}
--- a/sound/soc/codecs/max98373-sdw.c
+++ b/sound/soc/codecs/max98373-sdw.c
@@ -728,7 +728,7 @@ static int max98373_sdw_set_tdm_slot(str
static const struct snd_soc_dai_ops max98373_dai_sdw_ops = {
.hw_params = max98373_sdw_dai_hw_params,
.hw_free = max98373_pcm_hw_free,
- .set_sdw_stream = max98373_set_sdw_stream,
+ .set_stream = max98373_set_sdw_stream,
.shutdown = max98373_shutdown,
.set_tdm_slot = max98373_sdw_set_tdm_slot,
};
--- a/sound/soc/codecs/rt1308-sdw.c
+++ b/sound/soc/codecs/rt1308-sdw.c
@@ -613,7 +613,7 @@ static const struct snd_soc_component_dr
static const struct snd_soc_dai_ops rt1308_aif_dai_ops = {
.hw_params = rt1308_sdw_hw_params,
.hw_free = rt1308_sdw_pcm_hw_free,
- .set_sdw_stream = rt1308_set_sdw_stream,
+ .set_stream = rt1308_set_sdw_stream,
.shutdown = rt1308_sdw_shutdown,
.set_tdm_slot = rt1308_sdw_set_tdm_slot,
};
--- a/sound/soc/codecs/rt5682-sdw.c
+++ b/sound/soc/codecs/rt5682-sdw.c
@@ -272,7 +272,7 @@ static int rt5682_sdw_hw_free(struct snd
static struct snd_soc_dai_ops rt5682_sdw_ops = {
.hw_params = rt5682_sdw_hw_params,
.hw_free = rt5682_sdw_hw_free,
- .set_sdw_stream = rt5682_set_sdw_stream,
+ .set_stream = rt5682_set_sdw_stream,
.shutdown = rt5682_sdw_shutdown,
};
--- a/sound/soc/codecs/rt700.c
+++ b/sound/soc/codecs/rt700.c
@@ -1005,7 +1005,7 @@ static int rt700_pcm_hw_free(struct snd_
static struct snd_soc_dai_ops rt700_ops = {
.hw_params = rt700_pcm_hw_params,
.hw_free = rt700_pcm_hw_free,
- .set_sdw_stream = rt700_set_sdw_stream,
+ .set_stream = rt700_set_sdw_stream,
.shutdown = rt700_shutdown,
};
--- a/sound/soc/codecs/rt711.c
+++ b/sound/soc/codecs/rt711.c
@@ -1059,7 +1059,7 @@ static int rt711_pcm_hw_free(struct snd_
static struct snd_soc_dai_ops rt711_ops = {
.hw_params = rt711_pcm_hw_params,
.hw_free = rt711_pcm_hw_free,
- .set_sdw_stream = rt711_set_sdw_stream,
+ .set_stream = rt711_set_sdw_stream,
.shutdown = rt711_shutdown,
};
--- a/sound/soc/codecs/rt715.c
+++ b/sound/soc/codecs/rt715.c
@@ -686,7 +686,7 @@ static int rt715_pcm_hw_free(struct snd_
static struct snd_soc_dai_ops rt715_ops = {
.hw_params = rt715_pcm_hw_params,
.hw_free = rt715_pcm_hw_free,
- .set_sdw_stream = rt715_set_sdw_stream,
+ .set_stream = rt715_set_sdw_stream,
.shutdown = rt715_shutdown,
};
--- a/sound/soc/codecs/wsa881x.c
+++ b/sound/soc/codecs/wsa881x.c
@@ -1026,7 +1026,7 @@ static struct snd_soc_dai_ops wsa881x_da
.hw_params = wsa881x_hw_params,
.hw_free = wsa881x_hw_free,
.mute_stream = wsa881x_digital_mute,
- .set_sdw_stream = wsa881x_set_sdw_stream,
+ .set_stream = wsa881x_set_sdw_stream,
};
static struct snd_soc_dai_driver wsa881x_dais[] = {
--- a/sound/soc/intel/boards/sof_sdw.c
+++ b/sound/soc/intel/boards/sof_sdw.c
@@ -231,7 +231,7 @@ int sdw_prepare(struct snd_pcm_substream
/* Find stream from first CPU DAI */
dai = asoc_rtd_to_cpu(rtd, 0);
- sdw_stream = snd_soc_dai_get_sdw_stream(dai, substream->stream);
+ sdw_stream = snd_soc_dai_get_stream(dai, substream->stream);
if (IS_ERR(sdw_stream)) {
dev_err(rtd->dev, "no stream found for DAI %s", dai->name);
@@ -251,7 +251,7 @@ int sdw_trigger(struct snd_pcm_substream
/* Find stream from first CPU DAI */
dai = asoc_rtd_to_cpu(rtd, 0);
- sdw_stream = snd_soc_dai_get_sdw_stream(dai, substream->stream);
+ sdw_stream = snd_soc_dai_get_stream(dai, substream->stream);
if (IS_ERR(sdw_stream)) {
dev_err(rtd->dev, "no stream found for DAI %s", dai->name);
@@ -290,7 +290,7 @@ int sdw_hw_free(struct snd_pcm_substream
/* Find stream from first CPU DAI */
dai = asoc_rtd_to_cpu(rtd, 0);
- sdw_stream = snd_soc_dai_get_sdw_stream(dai, substream->stream);
+ sdw_stream = snd_soc_dai_get_stream(dai, substream->stream);
if (IS_ERR(sdw_stream)) {
dev_err(rtd->dev, "no stream found for DAI %s", dai->name);
--- a/sound/soc/qcom/sdm845.c
+++ b/sound/soc/qcom/sdm845.c
@@ -56,8 +56,8 @@ static int sdm845_slim_snd_hw_params(str
int ret = 0, i;
for_each_rtd_codec_dais(rtd, i, codec_dai) {
- sruntime = snd_soc_dai_get_sdw_stream(codec_dai,
- substream->stream);
+ sruntime = snd_soc_dai_get_stream(codec_dai,
+ substream->stream);
if (sruntime != ERR_PTR(-ENOTSUPP))
pdata->sruntime[cpu_dai->id] = sruntime;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 603/783] net/mlx5e: Fix nullptr in mlx5e_tc_add_fdb_flow()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (601 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 602/783] ASoC/SoundWire: dai: expand stream concept beyond SoundWire Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 604/783] wifi: rtlwifi: remove always-true condition pointed out by GCC 12 Greg Kroah-Hartman
` (189 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dima Chumak, Vlad Buslov,
Saeed Mahameed, Nikita Zhandarovich
From: Dima Chumak <dchumak@nvidia.com>
commit fe7738eb3ca3631a75844e790f6cb576c0fe7b00 upstream.
The result of __dev_get_by_index() is not checked for NULL, which then
passed to mlx5e_attach_encap() and gets dereferenced.
Also, in case of a successful lookup, the net_device reference count is
not incremented, which may result in net_device pointer becoming invalid
at any time during mlx5e_attach_encap() execution.
Fix by using dev_get_by_index(), which does proper reference counting on
the net_device pointer. Also, handle nullptr return value when mirred
device is not found.
It's safe to call dev_put() on the mirred net_device pointer, right
after mlx5e_attach_encap() call, because it's not being saved/copied
down the call chain.
Fixes: 3c37745ec614 ("net/mlx5e: Properly deal with encap flows add/del under neigh update")
Addresses-Coverity: ("Dereference null return value")
Signed-off-by: Dima Chumak <dchumak@nvidia.com>
Reviewed-by: Vlad Buslov <vladbu@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -1344,9 +1344,9 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv
struct netlink_ext_ack *extack)
{
struct mlx5_eswitch *esw = priv->mdev->priv.eswitch;
- struct net_device *out_dev, *encap_dev = NULL;
struct mlx5e_tc_flow_parse_attr *parse_attr;
struct mlx5_flow_attr *attr = flow->attr;
+ struct net_device *encap_dev = NULL;
struct mlx5_esw_flow_attr *esw_attr;
struct mlx5_fc *counter = NULL;
struct mlx5e_rep_priv *rpriv;
@@ -1391,16 +1391,22 @@ mlx5e_tc_add_fdb_flow(struct mlx5e_priv
esw_attr = attr->esw_attr;
for (out_index = 0; out_index < MLX5_MAX_FLOW_FWD_VPORTS; out_index++) {
+ struct net_device *out_dev;
int mirred_ifindex;
if (!(esw_attr->dests[out_index].flags & MLX5_ESW_DEST_ENCAP))
continue;
mirred_ifindex = parse_attr->mirred_ifindex[out_index];
- out_dev = __dev_get_by_index(dev_net(priv->netdev),
- mirred_ifindex);
+ out_dev = dev_get_by_index(dev_net(priv->netdev), mirred_ifindex);
+ if (!out_dev) {
+ NL_SET_ERR_MSG_MOD(extack, "Requested mirred device not found");
+ err = -ENODEV;
+ return err;
+ }
err = mlx5e_attach_encap(priv, flow, out_dev, out_index,
extack, &encap_dev, &encap_valid);
+ dev_put(out_dev);
if (err)
return err;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 604/783] wifi: rtlwifi: remove always-true condition pointed out by GCC 12
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (602 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 603/783] net/mlx5e: Fix nullptr in mlx5e_tc_add_fdb_flow() Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 605/783] wifi: rtlwifi: 8192de: correct checking of IQK reload Greg Kroah-Hartman
` (188 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kalle Valo, Jakub Kicinski,
Semyon Verchenko
From: Jakub Kicinski <kuba@kernel.org>
commit ee3db469dd317e82f57b13aa3bc61be5cb60c2b4 upstream.
The .value is a two-dim array, not a pointer.
struct iqk_matrix_regs {
bool iqk_done;
long value[1][IQK_MATRIX_REG_NUM];
};
Acked-by: Kalle Valo <kvalo@kernel.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Semyon Verchenko <semverchenko@factor-ts.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
@@ -2385,10 +2385,7 @@ void rtl92d_phy_reload_iqk_setting(struc
rtl_dbg(rtlpriv, COMP_SCAN, DBG_LOUD,
"Just Read IQK Matrix reg for channel:%d....\n",
channel);
- if ((rtlphy->iqk_matrix[indexforchannel].
- value[0] != NULL)
- /*&&(regea4 != 0) */)
- _rtl92d_phy_patha_fill_iqk_matrix(hw, true,
+ _rtl92d_phy_patha_fill_iqk_matrix(hw, true,
rtlphy->iqk_matrix[
indexforchannel].value, 0,
(rtlphy->iqk_matrix[
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 605/783] wifi: rtlwifi: 8192de: correct checking of IQK reload
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (603 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 604/783] wifi: rtlwifi: remove always-true condition pointed out by GCC 12 Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 606/783] torture: Exclude "NOHZ tick-stop error" from fatal errors Greg Kroah-Hartman
` (187 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ping-Ke Shih, Kalle Valo, Semyon Verchenko
From: Ping-Ke Shih <pkshih@realtek.com>
commit 93fbc1ebd978cf408ef5765e9c1630fce9a8621b upstream.
Since IQK could spend time, we make a cache of IQK result matrix that looks
like iqk_matrix[channel_idx].val[x][y], and we can reload the matrix if we
have made a cache. To determine a cache is made, we check
iqk_matrix[channel_idx].val[0][0].
The initial commit 7274a8c22980 ("rtlwifi: rtl8192de: Merge phy routines")
make a mistake that checks incorrect iqk_matrix[channel_idx].val[0] that
is always true, and this mistake is found by commit ee3db469dd31
("wifi: rtlwifi: remove always-true condition pointed out by GCC 12"), so
I recall the vendor driver to find fix and apply the correctness.
Fixes: 7274a8c22980 ("rtlwifi: rtl8192de: Merge phy routines")
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220801113345.42016-1-pkshih@realtek.com
Signed-off-by: Semyon Verchenko <semverchenko@factor-ts.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c
@@ -2385,11 +2385,10 @@ void rtl92d_phy_reload_iqk_setting(struc
rtl_dbg(rtlpriv, COMP_SCAN, DBG_LOUD,
"Just Read IQK Matrix reg for channel:%d....\n",
channel);
- _rtl92d_phy_patha_fill_iqk_matrix(hw, true,
- rtlphy->iqk_matrix[
- indexforchannel].value, 0,
- (rtlphy->iqk_matrix[
- indexforchannel].value[0][2] == 0));
+ if (rtlphy->iqk_matrix[indexforchannel].value[0][0] != 0)
+ _rtl92d_phy_patha_fill_iqk_matrix(hw, true,
+ rtlphy->iqk_matrix[indexforchannel].value, 0,
+ rtlphy->iqk_matrix[indexforchannel].value[0][2] == 0);
if (IS_92D_SINGLEPHY(rtlhal->version)) {
if ((rtlphy->iqk_matrix[
indexforchannel].value[0][4] != 0)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 606/783] torture: Exclude "NOHZ tick-stop error" from fatal errors
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (604 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 605/783] wifi: rtlwifi: 8192de: correct checking of IQK reload Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 607/783] rcu: Prevent lockdep-RCU splats on lock acquisition/release Greg Kroah-Hartman
` (186 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney, Joel Fernandes (Google)
From: Paul E. McKenney <paulmck@kernel.org>
commit 8d68e68a781db80606c8e8f3e4383be6974878fd upstream.
The "NOHZ tick-stop error: Non-RCU local softirq work is pending"
warning happens frequently and appears to be irrelevant to the various
torture tests. This commit therefore filters it out.
If there proves to be a need to pay attention to it a later commit will
add an "advice" category to allow the user to immediately see that
although something happened, it was not an indictment of the system
being tortured.
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/rcutorture/bin/console-badness.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/tools/testing/selftests/rcutorture/bin/console-badness.sh
+++ b/tools/testing/selftests/rcutorture/bin/console-badness.sh
@@ -13,4 +13,5 @@
egrep 'Badness|WARNING:|Warn|BUG|===========|Call Trace:|Oops:|detected stalls on CPUs/tasks:|self-detected stall on CPU|Stall ended before state dump start|\?\?\? Writer stall state|rcu_.*kthread starved for|!!!' |
grep -v 'ODEBUG: ' |
grep -v 'This means that this is a DEBUG kernel and it is' |
-grep -v 'Warning: unable to open an initial console'
+grep -v 'Warning: unable to open an initial console' |
+grep -v 'NOHZ tick-stop error: Non-RCU local softirq work is pending, handler'
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 607/783] rcu: Prevent lockdep-RCU splats on lock acquisition/release
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (605 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 606/783] torture: Exclude "NOHZ tick-stop error" from fatal errors Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 608/783] net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO Greg Kroah-Hartman
` (185 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney, Joel Fernandes (Google)
From: Paul E. McKenney <paulmck@kernel.org>
commit 4d60b475f858ebdb06c1339f01a890f287b5e587 upstream.
The rcu_cpu_starting() and rcu_report_dead() functions transition the
current CPU between online and offline state from an RCU perspective.
Unfortunately, this means that the rcu_cpu_starting() function's lock
acquisition and the rcu_report_dead() function's lock releases happen
while the CPU is offline from an RCU perspective, which can result
in lockdep-RCU splats about using RCU from an offline CPU. And this
situation can also result in too-short grace periods, especially in
guest OSes that are subject to vCPU preemption.
This commit therefore uses sequence-count-like synchronization to forgive
use of RCU while RCU thinks a CPU is offline across the full extent of
the rcu_cpu_starting() and rcu_report_dead() function's lock acquisitions
and releases.
One approach would have been to use the actual sequence-count primitives
provided by the Linux kernel. Unfortunately, the resulting code looks
completely broken and wrong, and is likely to result in patches that
break RCU in an attempt to address this appearance of broken wrongness.
Plus there is no net savings in lines of code, given the additional
explicit memory barriers required.
Therefore, this sequence count is instead implemented by a new ->ofl_seq
field in the rcu_node structure. If this counter's value is an odd
number, RCU forgives RCU read-side critical sections on other CPUs covered
by the same rcu_node structure, even if those CPUs are offline from
an RCU perspective. In addition, if a given leaf rcu_node structure's
->ofl_seq counter value is an odd number, rcu_gp_init() delays starting
the grace period until that counter value changes.
[ paulmck: Apply Peter Zijlstra feedback. ]
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/rcu/tree.c | 21 ++++++++++++++++++++-
kernel/rcu/tree.h | 1 +
2 files changed, 21 insertions(+), 1 deletion(-)
--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -1157,7 +1157,7 @@ bool rcu_lockdep_current_cpu_online(void
preempt_disable_notrace();
rdp = this_cpu_ptr(&rcu_data);
rnp = rdp->mynode;
- if (rdp->grpmask & rcu_rnp_online_cpus(rnp))
+ if (rdp->grpmask & rcu_rnp_online_cpus(rnp) || READ_ONCE(rnp->ofl_seq) & 0x1)
ret = true;
preempt_enable_notrace();
return ret;
@@ -1724,6 +1724,7 @@ static void rcu_strict_gp_boundary(void
*/
static bool rcu_gp_init(void)
{
+ unsigned long firstseq;
unsigned long flags;
unsigned long oldmask;
unsigned long mask;
@@ -1767,6 +1768,12 @@ static bool rcu_gp_init(void)
*/
rcu_state.gp_state = RCU_GP_ONOFF;
rcu_for_each_leaf_node(rnp) {
+ smp_mb(); // Pair with barriers used when updating ->ofl_seq to odd values.
+ firstseq = READ_ONCE(rnp->ofl_seq);
+ if (firstseq & 0x1)
+ while (firstseq == READ_ONCE(rnp->ofl_seq))
+ schedule_timeout_idle(1); // Can't wake unless RCU is watching.
+ smp_mb(); // Pair with barriers used when updating ->ofl_seq to even values.
raw_spin_lock(&rcu_state.ofl_lock);
raw_spin_lock_irq_rcu_node(rnp);
if (rnp->qsmaskinit == rnp->qsmaskinitnext &&
@@ -4107,6 +4114,9 @@ void rcu_cpu_starting(unsigned int cpu)
rnp = rdp->mynode;
mask = rdp->grpmask;
+ WRITE_ONCE(rnp->ofl_seq, rnp->ofl_seq + 1);
+ WARN_ON_ONCE(!(rnp->ofl_seq & 0x1));
+ smp_mb(); // Pair with rcu_gp_cleanup()'s ->ofl_seq barrier().
raw_spin_lock_irqsave_rcu_node(rnp, flags);
WRITE_ONCE(rnp->qsmaskinitnext, rnp->qsmaskinitnext | mask);
newcpu = !(rnp->expmaskinitnext & mask);
@@ -4124,6 +4134,9 @@ void rcu_cpu_starting(unsigned int cpu)
} else {
raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
}
+ smp_mb(); // Pair with rcu_gp_cleanup()'s ->ofl_seq barrier().
+ WRITE_ONCE(rnp->ofl_seq, rnp->ofl_seq + 1);
+ WARN_ON_ONCE(rnp->ofl_seq & 0x1);
smp_mb(); /* Ensure RCU read-side usage follows above initialization. */
}
@@ -4150,6 +4163,9 @@ void rcu_report_dead(unsigned int cpu)
/* Remove outgoing CPU from mask in the leaf rcu_node structure. */
mask = rdp->grpmask;
+ WRITE_ONCE(rnp->ofl_seq, rnp->ofl_seq + 1);
+ WARN_ON_ONCE(!(rnp->ofl_seq & 0x1));
+ smp_mb(); // Pair with rcu_gp_cleanup()'s ->ofl_seq barrier().
raw_spin_lock(&rcu_state.ofl_lock);
raw_spin_lock_irqsave_rcu_node(rnp, flags); /* Enforce GP memory-order guarantee. */
rdp->rcu_ofl_gp_seq = READ_ONCE(rcu_state.gp_seq);
@@ -4162,6 +4178,9 @@ void rcu_report_dead(unsigned int cpu)
WRITE_ONCE(rnp->qsmaskinitnext, rnp->qsmaskinitnext & ~mask);
raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
raw_spin_unlock(&rcu_state.ofl_lock);
+ smp_mb(); // Pair with rcu_gp_cleanup()'s ->ofl_seq barrier().
+ WRITE_ONCE(rnp->ofl_seq, rnp->ofl_seq + 1);
+ WARN_ON_ONCE(rnp->ofl_seq & 0x1);
rdp->cpu_started = false;
}
--- a/kernel/rcu/tree.h
+++ b/kernel/rcu/tree.h
@@ -56,6 +56,7 @@ struct rcu_node {
/* Initialized from ->qsmaskinitnext at the */
/* beginning of each grace period. */
unsigned long qsmaskinitnext;
+ unsigned long ofl_seq; /* CPU-hotplug operation sequence count. */
/* Online CPUs for next grace period. */
unsigned long expmask; /* CPUs or groups that need to check in */
/* to allow the current expedited GP */
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 608/783] net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (606 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 607/783] rcu: Prevent lockdep-RCU splats on lock acquisition/release Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 609/783] net/af_packet: make sure to pull mac header Greg Kroah-Hartman
` (184 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hangbin Liu, Willem de Bruijn,
Michael S. Tsirkin, Paolo Abeni, Tudor Ambarus
From: Hangbin Liu <liuhangbin@gmail.com>
commit dfed913e8b55a0c2c4906f1242fd38fd9a116e49 upstream.
Currently, the kernel drops GSO VLAN tagged packet if it's created with
socket(AF_PACKET, SOCK_RAW, 0) plus virtio_net_hdr.
The reason is AF_PACKET doesn't adjust the skb network header if there is
a VLAN tag. Then after virtio_net_hdr_set_proto() called, the skb->protocol
will be set to ETH_P_IP/IPv6. And in later inet/ipv6_gso_segment() the skb
is dropped as network header position is invalid.
Let's handle VLAN packets by adjusting network header position in
packet_parse_headers(). The adjustment is safe and does not affect the
later xmit as tap device also did that.
In packet_snd(), packet_parse_headers() need to be moved before calling
virtio_net_hdr_set_proto(), so we can set correct skb->protocol and
network header first.
There is no need to update tpacket_snd() as it calls packet_parse_headers()
in tpacket_fill_skb(), which is already before calling virtio_net_hdr_*
functions.
skb->no_fcs setting is also moved upper to make all skb settings together
and keep consistency with function packet_sendmsg_spkt().
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://lore.kernel.org/r/20220425014502.985464-1-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1885,12 +1885,20 @@ oom:
static void packet_parse_headers(struct sk_buff *skb, struct socket *sock)
{
+ int depth;
+
if ((!skb->protocol || skb->protocol == htons(ETH_P_ALL)) &&
sock->type == SOCK_RAW) {
skb_reset_mac_header(skb);
skb->protocol = dev_parse_header_protocol(skb);
}
+ /* Move network header to the right position for VLAN tagged packets */
+ if (likely(skb->dev->type == ARPHRD_ETHER) &&
+ eth_type_vlan(skb->protocol) &&
+ __vlan_get_protocol(skb, skb->protocol, &depth) != 0)
+ skb_set_network_header(skb, depth);
+
skb_probe_transport_header(skb);
}
@@ -3005,6 +3013,11 @@ static int packet_snd(struct socket *soc
skb->mark = sockc.mark;
skb->tstamp = sockc.transmit_time;
+ if (unlikely(extra_len == 4))
+ skb->no_fcs = 1;
+
+ packet_parse_headers(skb, sock);
+
if (has_vnet_hdr) {
err = virtio_net_hdr_to_skb(skb, &vnet_hdr, vio_le());
if (err)
@@ -3013,11 +3026,6 @@ static int packet_snd(struct socket *soc
virtio_net_hdr_set_proto(skb, &vnet_hdr);
}
- packet_parse_headers(skb, sock);
-
- if (unlikely(extra_len == 4))
- skb->no_fcs = 1;
-
err = po->xmit(skb);
if (unlikely(err != 0)) {
if (err > 0)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 609/783] net/af_packet: make sure to pull mac header
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (607 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 608/783] net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 610/783] media: stv0288: use explicitly signed char Greg Kroah-Hartman
` (183 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, syzbot, Hangbin Liu,
Willem de Bruijn, Michael S. Tsirkin, Jakub Kicinski,
Tudor Ambarus
From: Eric Dumazet <edumazet@google.com>
commit e9d3f80935b6607dcdc5682b00b1d4b28e0a0c5d upstream.
GSO assumes skb->head contains link layer headers.
tun device in some case can provide base 14 bytes,
regardless of VLAN being used or not.
After blamed commit, we can end up setting a network
header offset of 18+, we better pull the missing
bytes to avoid a posible crash in GSO.
syzbot report was:
kernel BUG at include/linux/skbuff.h:2699!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 3601 Comm: syz-executor210 Not tainted 5.18.0-syzkaller-11338-g2c5ca23f7414 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__skb_pull include/linux/skbuff.h:2699 [inline]
RIP: 0010:skb_mac_gso_segment+0x48f/0x530 net/core/gro.c:136
Code: 00 48 c7 c7 00 96 d4 8a c6 05 cb d3 45 06 01 e8 26 bb d0 01 e9 2f fd ff ff 49 c7 c4 ea ff ff ff e9 f1 fe ff ff e8 91 84 19 fa <0f> 0b 48 89 df e8 97 44 66 fa e9 7f fd ff ff e8 ad 44 66 fa e9 48
RSP: 0018:ffffc90002e2f4b8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000012 RCX: 0000000000000000
RDX: ffff88805bb58000 RSI: ffffffff8760ed0f RDI: 0000000000000004
RBP: 0000000000005dbc R08: 0000000000000004 R09: 0000000000000fe0
R10: 0000000000000fe4 R11: 0000000000000000 R12: 0000000000000fe0
R13: ffff88807194d780 R14: 1ffff920005c5e9b R15: 0000000000000012
FS: 000055555730f300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200015c0 CR3: 0000000071ff8000 CR4: 0000000000350ee0
Call Trace:
<TASK>
__skb_gso_segment+0x327/0x6e0 net/core/dev.c:3411
skb_gso_segment include/linux/netdevice.h:4749 [inline]
validate_xmit_skb+0x6bc/0xf10 net/core/dev.c:3669
validate_xmit_skb_list+0xbc/0x120 net/core/dev.c:3719
sch_direct_xmit+0x3d1/0xbe0 net/sched/sch_generic.c:327
__dev_xmit_skb net/core/dev.c:3815 [inline]
__dev_queue_xmit+0x14a1/0x3a00 net/core/dev.c:4219
packet_snd net/packet/af_packet.c:3071 [inline]
packet_sendmsg+0x21cb/0x5550 net/packet/af_packet.c:3102
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:734
____sys_sendmsg+0x6eb/0x810 net/socket.c:2492
___sys_sendmsg+0xf3/0x170 net/socket.c:2546
__sys_sendmsg net/socket.c:2575 [inline]
__do_sys_sendmsg net/socket.c:2584 [inline]
__se_sys_sendmsg net/socket.c:2582 [inline]
__x64_sys_sendmsg+0x132/0x220 net/socket.c:2582
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f4b95da06c9
Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd7defc4c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007ffd7defc4f0 RCX: 00007f4b95da06c9
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
RBP: 0000000000000003 R08: bb1414ac00000050 R09: bb1414ac00000050
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd7defc4e0 R14: 00007ffd7defc4d8 R15: 00007ffd7defc4d4
</TASK>
Fixes: dfed913e8b55 ("net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1896,8 +1896,10 @@ static void packet_parse_headers(struct
/* Move network header to the right position for VLAN tagged packets */
if (likely(skb->dev->type == ARPHRD_ETHER) &&
eth_type_vlan(skb->protocol) &&
- __vlan_get_protocol(skb, skb->protocol, &depth) != 0)
- skb_set_network_header(skb, depth);
+ __vlan_get_protocol(skb, skb->protocol, &depth) != 0) {
+ if (pskb_may_pull(skb, depth))
+ skb_set_network_header(skb, depth);
+ }
skb_probe_transport_header(skb);
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 610/783] media: stv0288: use explicitly signed char
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (608 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 609/783] net/af_packet: make sure to pull mac header Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 611/783] soc: qcom: Select REMAP_MMIO for LLCC driver Greg Kroah-Hartman
` (182 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mauro Carvalho Chehab, linux-media,
Jason A. Donenfeld
From: Jason A. Donenfeld <Jason@zx2c4.com>
commit 7392134428c92a4cb541bd5c8f4f5c8d2e88364d upstream.
With char becoming unsigned by default, and with `char` alone being
ambiguous and based on architecture, signed chars need to be marked
explicitly as such. Use `s8` and `u8` types here, since that's what
surrounding code does. This fixes:
drivers/media/dvb-frontends/stv0288.c:471 stv0288_set_frontend() warn: assigning (-9) to unsigned variable 'tm'
drivers/media/dvb-frontends/stv0288.c:471 stv0288_set_frontend() warn: we never enter this loop
Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: linux-media@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-frontends/stv0288.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/media/dvb-frontends/stv0288.c
+++ b/drivers/media/dvb-frontends/stv0288.c
@@ -440,9 +440,8 @@ static int stv0288_set_frontend(struct d
struct stv0288_state *state = fe->demodulator_priv;
struct dtv_frontend_properties *c = &fe->dtv_property_cache;
- char tm;
- unsigned char tda[3];
- u8 reg, time_out = 0;
+ u8 tda[3], reg, time_out = 0;
+ s8 tm;
dprintk("%s : FE_SET_FRONTEND\n", __func__);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 611/783] soc: qcom: Select REMAP_MMIO for LLCC driver
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (609 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 610/783] media: stv0288: use explicitly signed char Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 612/783] kest.pl: Fix grub2 menu handling for rebooting Greg Kroah-Hartman
` (181 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Borislav Petkov,
Manivannan Sadhasivam, Bjorn Andersson
From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
commit 5d2fe2d7b616b8baa18348ead857b504fc2de336 upstream.
LLCC driver uses REGMAP_MMIO for accessing the hardware registers. So
select the dependency in Kconfig. Without this, there will be errors
while building the driver with COMPILE_TEST only:
ERROR: modpost: "__devm_regmap_init_mmio_clk" [drivers/soc/qcom/llcc-qcom.ko] undefined!
make[1]: *** [scripts/Makefile.modpost:126: Module.symvers] Error 1
make: *** [Makefile:1944: modpost] Error 2
Cc: <stable@vger.kernel.org> # 4.19
Fixes: a3134fb09e0b ("drivers: soc: Add LLCC driver")
Reported-by: Borislav Petkov <bp@alien8.de>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221129071201.30024-2-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/Kconfig | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/soc/qcom/Kconfig
+++ b/drivers/soc/qcom/Kconfig
@@ -63,6 +63,7 @@ config QCOM_GSBI
config QCOM_LLCC
tristate "Qualcomm Technologies, Inc. LLCC driver"
depends on ARCH_QCOM || COMPILE_TEST
+ select REGMAP_MMIO
help
Qualcomm Technologies, Inc. platform specific
Last Level Cache Controller(LLCC) driver for platforms such as,
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 612/783] kest.pl: Fix grub2 menu handling for rebooting
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (610 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 611/783] soc: qcom: Select REMAP_MMIO for LLCC driver Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 613/783] ktest.pl minconfig: Unset configs instead of just removing them Greg Kroah-Hartman
` (180 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Warthog9 Hawley (VMware),
Steven Rostedt
From: Steven Rostedt <rostedt@goodmis.org>
commit 26df05a8c1420ad3de314fdd407e7fc2058cc7aa upstream.
grub2 has submenus where to use grub-reboot, it requires:
grub-reboot X>Y
where X is the main index and Y is the submenu. Thus if you have:
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux ...
[...]
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option ...
menuentry 'Debian GNU/Linux, with Linux 6.0.0-4-amd64' --class debian --class gnu-linux ...
[...]
}
menuentry 'Debian GNU/Linux, with Linux 6.0.0-4-amd64 (recovery mode)' --class debian --class gnu-linux ...
[...]
}
menuentry 'Debian GNU/Linux, with Linux test' --class debian --class gnu-linux ...
[...]
}
And wanted to boot to the "Linux test" kernel, you need to run:
# grub-reboot 1>2
As 1 is the second top menu (the submenu) and 2 is the third of the sub
menu entries.
Have the grub.cfg parsing for grub2 handle such cases.
Cc: stable@vger.kernel.org
Fixes: a15ba91361d46 ("ktest: Add support for grub2")
Reviewed-by: John 'Warthog9' Hawley (VMware) <warthog9@eaglescrag.net>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/ktest/ktest.pl | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -1912,7 +1912,7 @@ sub run_scp_mod {
sub _get_grub_index {
- my ($command, $target, $skip) = @_;
+ my ($command, $target, $skip, $submenu) = @_;
return if (defined($grub_number) && defined($last_grub_menu) &&
$last_grub_menu eq $grub_menu && defined($last_machine) &&
@@ -1929,11 +1929,16 @@ sub _get_grub_index {
my $found = 0;
+ my $submenu_number = 0;
+
while (<IN>) {
if (/$target/) {
$grub_number++;
$found = 1;
last;
+ } elsif (defined($submenu) && /$submenu/) {
+ $submenu_number++;
+ $grub_number = -1;
} elsif (/$skip/) {
$grub_number++;
}
@@ -1942,6 +1947,9 @@ sub _get_grub_index {
dodie "Could not find '$grub_menu' through $command on $machine"
if (!$found);
+ if ($submenu_number > 0) {
+ $grub_number = "$submenu_number>$grub_number";
+ }
doprint "$grub_number\n";
$last_grub_menu = $grub_menu;
$last_machine = $machine;
@@ -1952,6 +1960,7 @@ sub get_grub_index {
my $command;
my $target;
my $skip;
+ my $submenu;
my $grub_menu_qt;
if ($reboot_type !~ /^grub/) {
@@ -1966,8 +1975,9 @@ sub get_grub_index {
$skip = '^\s*title\s';
} elsif ($reboot_type eq "grub2") {
$command = "cat $grub_file";
- $target = '^menuentry.*' . $grub_menu_qt;
- $skip = '^menuentry\s|^submenu\s';
+ $target = '^\s*menuentry.*' . $grub_menu_qt;
+ $skip = '^\s*menuentry';
+ $submenu = '^\s*submenu\s';
} elsif ($reboot_type eq "grub2bls") {
$command = $grub_bls_get;
$target = '^title=.*' . $grub_menu_qt;
@@ -1976,7 +1986,7 @@ sub get_grub_index {
return;
}
- _get_grub_index($command, $target, $skip);
+ _get_grub_index($command, $target, $skip, $submenu);
}
sub wait_for_input
@@ -2040,7 +2050,7 @@ sub reboot_to {
if ($reboot_type eq "grub") {
run_ssh "'(echo \"savedefault --default=$grub_number --once\" | grub --batch)'";
} elsif (($reboot_type eq "grub2") or ($reboot_type eq "grub2bls")) {
- run_ssh "$grub_reboot $grub_number";
+ run_ssh "$grub_reboot \"'$grub_number'\"";
} elsif ($reboot_type eq "syslinux") {
run_ssh "$syslinux --once \\\"$syslinux_label\\\" $syslinux_path";
} elsif (defined $reboot_script) {
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 613/783] ktest.pl minconfig: Unset configs instead of just removing them
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (611 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 612/783] kest.pl: Fix grub2 menu handling for rebooting Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 614/783] jbd2: use the correct print format Greg Kroah-Hartman
` (179 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, John Warthog9 Hawley (VMware),
Steven Rostedt (Google)
From: Steven Rostedt <rostedt@goodmis.org>
commit ef784eebb56425eed6e9b16e7d47e5c00dcf9c38 upstream.
After a full run of a make_min_config test, I noticed there were a lot of
CONFIGs still enabled that really should not be. Looking at them, I
noticed they were all defined as "default y". The issue is that the test
simple removes the config and re-runs make oldconfig, which enables it
again because it is set to default 'y'. Instead, explicitly disable the
config with writing "# CONFIG_FOO is not set" to the file to keep it from
being set again.
With this change, one of my box's minconfigs went from 768 configs set,
down to 521 configs set.
Link: https://lkml.kernel.org/r/20221202115936.016fce23@gandalf.local.home
Cc: stable@vger.kernel.org
Fixes: 0a05c769a9de5 ("ktest: Added config_bisect test type")
Reviewed-by: John 'Warthog9' Hawley (VMware) <warthog9@eaglescrag.net>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/ktest/ktest.pl | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/tools/testing/ktest/ktest.pl
+++ b/tools/testing/ktest/ktest.pl
@@ -3773,9 +3773,10 @@ sub test_this_config {
# .config to make sure it is missing the config that
# we had before
my %configs = %min_configs;
- delete $configs{$config};
+ $configs{$config} = "# $config is not set";
make_new_config ((values %configs), (values %keep_configs));
make_oldconfig;
+ delete $configs{$config};
undef %configs;
assign_configs \%configs, $output_config;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 614/783] jbd2: use the correct print format
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (612 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 613/783] ktest.pl minconfig: Unset configs instead of just removing them Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 615/783] arm64: dts: qcom: sdm845-db845c: correct SPI2 pins drive strength Greg Kroah-Hartman
` (178 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bixuan Cui, Jason Yan, Theodore Tso, stable
From: Bixuan Cui <cuibixuan@linux.alibaba.com>
commit d87a7b4c77a997d5388566dd511ca8e6b8e8a0a8 upstream.
The print format error was found when using ftrace event:
<...>-1406 [000] .... 23599442.895823: jbd2_end_commit: dev 252,8 transaction -1866216965 sync 0 head -1866217368
<...>-1406 [000] .... 23599442.896299: jbd2_start_commit: dev 252,8 transaction -1866216964 sync 0
Use the correct print format for transaction, head and tid.
Fixes: 879c5e6b7cb4 ('jbd2: convert instrumentation from markers to tracepoints')
Signed-off-by: Bixuan Cui <cuibixuan@linux.alibaba.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Link: https://lore.kernel.org/r/1665488024-95172-1-git-send-email-cuibixuan@linux.alibaba.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/jbd2.h | 44 ++++++++++++++++++++++----------------------
1 file changed, 22 insertions(+), 22 deletions(-)
--- a/include/trace/events/jbd2.h
+++ b/include/trace/events/jbd2.h
@@ -40,7 +40,7 @@ DECLARE_EVENT_CLASS(jbd2_commit,
TP_STRUCT__entry(
__field( dev_t, dev )
__field( char, sync_commit )
- __field( int, transaction )
+ __field( tid_t, transaction )
),
TP_fast_assign(
@@ -49,7 +49,7 @@ DECLARE_EVENT_CLASS(jbd2_commit,
__entry->transaction = commit_transaction->t_tid;
),
- TP_printk("dev %d,%d transaction %d sync %d",
+ TP_printk("dev %d,%d transaction %u sync %d",
MAJOR(__entry->dev), MINOR(__entry->dev),
__entry->transaction, __entry->sync_commit)
);
@@ -97,8 +97,8 @@ TRACE_EVENT(jbd2_end_commit,
TP_STRUCT__entry(
__field( dev_t, dev )
__field( char, sync_commit )
- __field( int, transaction )
- __field( int, head )
+ __field( tid_t, transaction )
+ __field( tid_t, head )
),
TP_fast_assign(
@@ -108,7 +108,7 @@ TRACE_EVENT(jbd2_end_commit,
__entry->head = journal->j_tail_sequence;
),
- TP_printk("dev %d,%d transaction %d sync %d head %d",
+ TP_printk("dev %d,%d transaction %u sync %d head %u",
MAJOR(__entry->dev), MINOR(__entry->dev),
__entry->transaction, __entry->sync_commit, __entry->head)
);
@@ -134,14 +134,14 @@ TRACE_EVENT(jbd2_submit_inode_data,
);
DECLARE_EVENT_CLASS(jbd2_handle_start_class,
- TP_PROTO(dev_t dev, unsigned long tid, unsigned int type,
+ TP_PROTO(dev_t dev, tid_t tid, unsigned int type,
unsigned int line_no, int requested_blocks),
TP_ARGS(dev, tid, type, line_no, requested_blocks),
TP_STRUCT__entry(
__field( dev_t, dev )
- __field( unsigned long, tid )
+ __field( tid_t, tid )
__field( unsigned int, type )
__field( unsigned int, line_no )
__field( int, requested_blocks)
@@ -155,28 +155,28 @@ DECLARE_EVENT_CLASS(jbd2_handle_start_cl
__entry->requested_blocks = requested_blocks;
),
- TP_printk("dev %d,%d tid %lu type %u line_no %u "
+ TP_printk("dev %d,%d tid %u type %u line_no %u "
"requested_blocks %d",
MAJOR(__entry->dev), MINOR(__entry->dev), __entry->tid,
__entry->type, __entry->line_no, __entry->requested_blocks)
);
DEFINE_EVENT(jbd2_handle_start_class, jbd2_handle_start,
- TP_PROTO(dev_t dev, unsigned long tid, unsigned int type,
+ TP_PROTO(dev_t dev, tid_t tid, unsigned int type,
unsigned int line_no, int requested_blocks),
TP_ARGS(dev, tid, type, line_no, requested_blocks)
);
DEFINE_EVENT(jbd2_handle_start_class, jbd2_handle_restart,
- TP_PROTO(dev_t dev, unsigned long tid, unsigned int type,
+ TP_PROTO(dev_t dev, tid_t tid, unsigned int type,
unsigned int line_no, int requested_blocks),
TP_ARGS(dev, tid, type, line_no, requested_blocks)
);
TRACE_EVENT(jbd2_handle_extend,
- TP_PROTO(dev_t dev, unsigned long tid, unsigned int type,
+ TP_PROTO(dev_t dev, tid_t tid, unsigned int type,
unsigned int line_no, int buffer_credits,
int requested_blocks),
@@ -184,7 +184,7 @@ TRACE_EVENT(jbd2_handle_extend,
TP_STRUCT__entry(
__field( dev_t, dev )
- __field( unsigned long, tid )
+ __field( tid_t, tid )
__field( unsigned int, type )
__field( unsigned int, line_no )
__field( int, buffer_credits )
@@ -200,7 +200,7 @@ TRACE_EVENT(jbd2_handle_extend,
__entry->requested_blocks = requested_blocks;
),
- TP_printk("dev %d,%d tid %lu type %u line_no %u "
+ TP_printk("dev %d,%d tid %u type %u line_no %u "
"buffer_credits %d requested_blocks %d",
MAJOR(__entry->dev), MINOR(__entry->dev), __entry->tid,
__entry->type, __entry->line_no, __entry->buffer_credits,
@@ -208,7 +208,7 @@ TRACE_EVENT(jbd2_handle_extend,
);
TRACE_EVENT(jbd2_handle_stats,
- TP_PROTO(dev_t dev, unsigned long tid, unsigned int type,
+ TP_PROTO(dev_t dev, tid_t tid, unsigned int type,
unsigned int line_no, int interval, int sync,
int requested_blocks, int dirtied_blocks),
@@ -217,7 +217,7 @@ TRACE_EVENT(jbd2_handle_stats,
TP_STRUCT__entry(
__field( dev_t, dev )
- __field( unsigned long, tid )
+ __field( tid_t, tid )
__field( unsigned int, type )
__field( unsigned int, line_no )
__field( int, interval )
@@ -237,7 +237,7 @@ TRACE_EVENT(jbd2_handle_stats,
__entry->dirtied_blocks = dirtied_blocks;
),
- TP_printk("dev %d,%d tid %lu type %u line_no %u interval %d "
+ TP_printk("dev %d,%d tid %u type %u line_no %u interval %d "
"sync %d requested_blocks %d dirtied_blocks %d",
MAJOR(__entry->dev), MINOR(__entry->dev), __entry->tid,
__entry->type, __entry->line_no, __entry->interval,
@@ -246,14 +246,14 @@ TRACE_EVENT(jbd2_handle_stats,
);
TRACE_EVENT(jbd2_run_stats,
- TP_PROTO(dev_t dev, unsigned long tid,
+ TP_PROTO(dev_t dev, tid_t tid,
struct transaction_run_stats_s *stats),
TP_ARGS(dev, tid, stats),
TP_STRUCT__entry(
__field( dev_t, dev )
- __field( unsigned long, tid )
+ __field( tid_t, tid )
__field( unsigned long, wait )
__field( unsigned long, request_delay )
__field( unsigned long, running )
@@ -279,7 +279,7 @@ TRACE_EVENT(jbd2_run_stats,
__entry->blocks_logged = stats->rs_blocks_logged;
),
- TP_printk("dev %d,%d tid %lu wait %u request_delay %u running %u "
+ TP_printk("dev %d,%d tid %u wait %u request_delay %u running %u "
"locked %u flushing %u logging %u handle_count %u "
"blocks %u blocks_logged %u",
MAJOR(__entry->dev), MINOR(__entry->dev), __entry->tid,
@@ -294,14 +294,14 @@ TRACE_EVENT(jbd2_run_stats,
);
TRACE_EVENT(jbd2_checkpoint_stats,
- TP_PROTO(dev_t dev, unsigned long tid,
+ TP_PROTO(dev_t dev, tid_t tid,
struct transaction_chp_stats_s *stats),
TP_ARGS(dev, tid, stats),
TP_STRUCT__entry(
__field( dev_t, dev )
- __field( unsigned long, tid )
+ __field( tid_t, tid )
__field( unsigned long, chp_time )
__field( __u32, forced_to_close )
__field( __u32, written )
@@ -317,7 +317,7 @@ TRACE_EVENT(jbd2_checkpoint_stats,
__entry->dropped = stats->cs_dropped;
),
- TP_printk("dev %d,%d tid %lu chp_time %u forced_to_close %u "
+ TP_printk("dev %d,%d tid %u chp_time %u forced_to_close %u "
"written %u dropped %u",
MAJOR(__entry->dev), MINOR(__entry->dev), __entry->tid,
jiffies_to_msecs(__entry->chp_time),
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 615/783] arm64: dts: qcom: sdm845-db845c: correct SPI2 pins drive strength
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (613 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 614/783] jbd2: use the correct print format Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 616/783] mmc: sdhci-sprd: Disable CLK_AUTO when the clock is less than 400K Greg Kroah-Hartman
` (177 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Douglas Anderson, Neil Armstrong, Bjorn Andersson
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 9905370560d9c29adc15f4937c5a0c0dac05f0b4 upstream.
The pin configuration (done with generic pin controller helpers and
as expressed by bindings) requires children nodes with either:
1. "pins" property and the actual configuration,
2. another set of nodes with above point.
The qup_spi2_default pin configuration uses alreaady the second method
with a "pinmux" child, so configure drive-strength similarly in
"pinconf". Otherwise the PIN drive strength would not be applied.
Fixes: 8d23a0040475 ("arm64: dts: qcom: db845c: add Low speed expansion i2c and spi nodes")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221010114417.29859-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
+++ b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
@@ -1045,7 +1045,10 @@
/* PINCTRL - additions to nodes defined in sdm845.dtsi */
&qup_spi2_default {
- drive-strength = <16>;
+ pinconf {
+ pins = "gpio27", "gpio28", "gpio29", "gpio30";
+ drive-strength = <16>;
+ };
};
&qup_uart3_default{
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 616/783] mmc: sdhci-sprd: Disable CLK_AUTO when the clock is less than 400K
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (614 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 615/783] arm64: dts: qcom: sdm845-db845c: correct SPI2 pins drive strength Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 617/783] btrfs: fix resolving backrefs for inline extent followed by prealloc Greg Kroah-Hartman
` (176 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wenchao Chen, Ulf Hansson
From: Wenchao Chen <wenchao.chen@unisoc.com>
commit ff874dbc4f868af128b412a9bd92637103cf11d7 upstream.
When the clock is less than 400K, some SD cards fail to initialize
because CLK_AUTO is enabled.
Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller")
Signed-off-by: Wenchao Chen <wenchao.chen@unisoc.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20221207051909.32126-1-wenchao.chen@unisoc.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-sprd.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/drivers/mmc/host/sdhci-sprd.c
+++ b/drivers/mmc/host/sdhci-sprd.c
@@ -224,13 +224,15 @@ static inline void _sdhci_sprd_set_clock
div = ((div & 0x300) >> 2) | ((div & 0xFF) << 8);
sdhci_enable_clk(host, div);
- /* enable auto gate sdhc_enable_auto_gate */
- val = sdhci_readl(host, SDHCI_SPRD_REG_32_BUSY_POSI);
- mask = SDHCI_SPRD_BIT_OUTR_CLK_AUTO_EN |
- SDHCI_SPRD_BIT_INNR_CLK_AUTO_EN;
- if (mask != (val & mask)) {
- val |= mask;
- sdhci_writel(host, val, SDHCI_SPRD_REG_32_BUSY_POSI);
+ /* Enable CLK_AUTO when the clock is greater than 400K. */
+ if (clk > 400000) {
+ val = sdhci_readl(host, SDHCI_SPRD_REG_32_BUSY_POSI);
+ mask = SDHCI_SPRD_BIT_OUTR_CLK_AUTO_EN |
+ SDHCI_SPRD_BIT_INNR_CLK_AUTO_EN;
+ if (mask != (val & mask)) {
+ val |= mask;
+ sdhci_writel(host, val, SDHCI_SPRD_REG_32_BUSY_POSI);
+ }
}
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 617/783] btrfs: fix resolving backrefs for inline extent followed by prealloc
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (615 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 616/783] mmc: sdhci-sprd: Disable CLK_AUTO when the clock is less than 400K Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 618/783] ARM: ux500: do not directly dereference __iomem Greg Kroah-Hartman
` (175 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Boris Burkov, David Sterba
From: Boris Burkov <boris@bur.io>
commit 560840afc3e63bbe5d9c5ef6b2ecf8f3589adff6 upstream.
If a file consists of an inline extent followed by a regular or prealloc
extent, then a legitimate attempt to resolve a logical address in the
non-inline region will result in add_all_parents reading the invalid
offset field of the inline extent. If the inline extent item is placed
in the leaf eb s.t. it is the first item, attempting to access the
offset field will not only be meaningless, it will go past the end of
the eb and cause this panic:
[17.626048] BTRFS warning (device dm-2): bad eb member end: ptr 0x3fd4 start 30834688 member offset 16377 size 8
[17.631693] general protection fault, probably for non-canonical address 0x5088000000000: 0000 [#1] SMP PTI
[17.635041] CPU: 2 PID: 1267 Comm: btrfs Not tainted 5.12.0-07246-g75175d5adc74-dirty #199
[17.637969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[17.641995] RIP: 0010:btrfs_get_64+0xe7/0x110
[17.649890] RSP: 0018:ffffc90001f73a08 EFLAGS: 00010202
[17.651652] RAX: 0000000000000001 RBX: ffff88810c42d000 RCX: 0000000000000000
[17.653921] RDX: 0005088000000000 RSI: ffffc90001f73a0f RDI: 0000000000000001
[17.656174] RBP: 0000000000000ff9 R08: 0000000000000007 R09: c0000000fffeffff
[17.658441] R10: ffffc90001f73790 R11: ffffc90001f73788 R12: ffff888106afe918
[17.661070] R13: 0000000000003fd4 R14: 0000000000003f6f R15: cdcdcdcdcdcdcdcd
[17.663617] FS: 00007f64e7627d80(0000) GS:ffff888237c80000(0000) knlGS:0000000000000000
[17.666525] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[17.668664] CR2: 000055d4a39152e8 CR3: 000000010c596002 CR4: 0000000000770ee0
[17.671253] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[17.673634] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[17.676034] PKRU: 55555554
[17.677004] Call Trace:
[17.677877] add_all_parents+0x276/0x480
[17.679325] find_parent_nodes+0xfae/0x1590
[17.680771] btrfs_find_all_leafs+0x5e/0xa0
[17.682217] iterate_extent_inodes+0xce/0x260
[17.683809] ? btrfs_inode_flags_to_xflags+0x50/0x50
[17.685597] ? iterate_inodes_from_logical+0xa1/0xd0
[17.687404] iterate_inodes_from_logical+0xa1/0xd0
[17.689121] ? btrfs_inode_flags_to_xflags+0x50/0x50
[17.691010] btrfs_ioctl_logical_to_ino+0x131/0x190
[17.692946] btrfs_ioctl+0x104a/0x2f60
[17.694384] ? selinux_file_ioctl+0x182/0x220
[17.695995] ? __x64_sys_ioctl+0x84/0xc0
[17.697394] __x64_sys_ioctl+0x84/0xc0
[17.698697] do_syscall_64+0x33/0x40
[17.700017] entry_SYSCALL_64_after_hwframe+0x44/0xae
[17.701753] RIP: 0033:0x7f64e72761b7
[17.709355] RSP: 002b:00007ffefb067f58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[17.712088] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f64e72761b7
[17.714667] RDX: 00007ffefb067fb0 RSI: 00000000c0389424 RDI: 0000000000000003
[17.717386] RBP: 00007ffefb06d188 R08: 000055d4a390d2b0 R09: 00007f64e7340a60
[17.719938] R10: 0000000000000231 R11: 0000000000000246 R12: 0000000000000001
[17.722383] R13: 0000000000000000 R14: 00000000c0389424 R15: 000055d4a38fd2a0
[17.724839] Modules linked in:
Fix the bug by detecting the inline extent item in add_all_parents and
skipping to the next extent item.
CC: stable@vger.kernel.org # 4.9+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Boris Burkov <boris@bur.io>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/backref.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/fs/btrfs/backref.c
+++ b/fs/btrfs/backref.c
@@ -432,6 +432,7 @@ static int add_all_parents(struct btrfs_
u64 wanted_disk_byte = ref->wanted_disk_byte;
u64 count = 0;
u64 data_offset;
+ u8 type;
if (level != 0) {
eb = path->nodes[level];
@@ -486,6 +487,9 @@ static int add_all_parents(struct btrfs_
continue;
}
fi = btrfs_item_ptr(eb, slot, struct btrfs_file_extent_item);
+ type = btrfs_file_extent_type(eb, fi);
+ if (type == BTRFS_FILE_EXTENT_INLINE)
+ goto next;
disk_byte = btrfs_file_extent_disk_bytenr(eb, fi);
data_offset = btrfs_file_extent_offset(eb, fi);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 618/783] ARM: ux500: do not directly dereference __iomem
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (616 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 617/783] btrfs: fix resolving backrefs for inline extent followed by prealloc Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 619/783] arm64: dts: qcom: sdm850-lenovo-yoga-c630: correct I2C12 pins drive strength Greg Kroah-Hartman
` (174 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Linus Walleij, kernel test robot,
Jason A. Donenfeld
From: Jason A. Donenfeld <Jason@zx2c4.com>
commit 65b0e307a1a9193571db12910f382f84195a3d29 upstream.
Sparse reports that calling add_device_randomness() on `uid` is a
violation of address spaces. And indeed the next usage uses readl()
properly, but that was left out when passing it toadd_device_
randomness(). So instead copy the whole thing to the stack first.
Fixes: 4040d10a3d44 ("ARM: ux500: add DB serial number to entropy pool")
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/202210230819.loF90KDh-lkp@intel.com/
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://lore.kernel.org/r/20221108123755.207438-1-Jason@zx2c4.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/ux500/ux500-soc-id.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/drivers/soc/ux500/ux500-soc-id.c
+++ b/drivers/soc/ux500/ux500-soc-id.c
@@ -167,20 +167,18 @@ ATTRIBUTE_GROUPS(ux500_soc);
static const char *db8500_read_soc_id(struct device_node *backupram)
{
void __iomem *base;
- void __iomem *uid;
const char *retstr;
+ u32 uid[5];
base = of_iomap(backupram, 0);
if (!base)
return NULL;
- uid = base + 0x1fc0;
+ memcpy_fromio(uid, base + 0x1fc0, sizeof(uid));
/* Throw these device-specific numbers into the entropy pool */
- add_device_randomness(uid, 0x14);
+ add_device_randomness(uid, sizeof(uid));
retstr = kasprintf(GFP_KERNEL, "%08x%08x%08x%08x%08x",
- readl((u32 *)uid+0),
- readl((u32 *)uid+1), readl((u32 *)uid+2),
- readl((u32 *)uid+3), readl((u32 *)uid+4));
+ uid[0], uid[1], uid[2], uid[3], uid[4]);
iounmap(base);
return retstr;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 619/783] arm64: dts: qcom: sdm850-lenovo-yoga-c630: correct I2C12 pins drive strength
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (617 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 618/783] ARM: ux500: do not directly dereference __iomem Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 620/783] selftests: Use optional USERCFLAGS and USERLDFLAGS Greg Kroah-Hartman
` (173 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Steev Klimaszewski, Konrad Dybcio, Bjorn Andersson
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit fd49776d8f458bba5499384131eddc0b8bcaf50c upstream.
The pin configuration (done with generic pin controller helpers and
as expressed by bindings) requires children nodes with either:
1. "pins" property and the actual configuration,
2. another set of nodes with above point.
The qup_i2c12_default pin configuration used second method - with a
"pinmux" child.
Fixes: 44acee207844 ("arm64: dts: qcom: Add Lenovo Yoga C630")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Tested-by: Steev Klimaszewski <steev@kali.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@somainline.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20220930192039.240486-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts
+++ b/arch/arm64/boot/dts/qcom/sdm850-lenovo-yoga-c630.dts
@@ -322,8 +322,10 @@
};
&qup_i2c12_default {
- drive-strength = <2>;
- bias-disable;
+ pinmux {
+ drive-strength = <2>;
+ bias-disable;
+ };
};
&qup_uart6_default {
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 620/783] selftests: Use optional USERCFLAGS and USERLDFLAGS
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (618 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 619/783] arm64: dts: qcom: sdm850-lenovo-yoga-c630: correct I2C12 pins drive strength Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 621/783] PM/devfreq: governor: Add a private governor_data for governor Greg Kroah-Hartman
` (172 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shuah Khan, Mickaël Salaün
From: Mickaël Salaün <mic@digikod.net>
commit de3ee3f63400a23954e7c1ad1cb8c20f29ab6fe3 upstream.
This change enables to extend CFLAGS and LDFLAGS from command line, e.g.
to extend compiler checks: make USERCFLAGS=-Werror USERLDFLAGS=-static
USERCFLAGS and USERLDFLAGS are documented in
Documentation/kbuild/makefiles.rst and Documentation/kbuild/kbuild.rst
This should be backported (down to 5.10) to improve previous kernel
versions testing as well.
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220909103901.1503436-1-mic@digikod.net
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/lib.mk | 5 +++++
1 file changed, 5 insertions(+)
--- a/tools/testing/selftests/lib.mk
+++ b/tools/testing/selftests/lib.mk
@@ -128,6 +128,11 @@ endef
clean:
$(CLEAN)
+# Enables to extend CFLAGS and LDFLAGS from command line, e.g.
+# make USERCFLAGS=-Werror USERLDFLAGS=-static
+CFLAGS += $(USERCFLAGS)
+LDFLAGS += $(USERLDFLAGS)
+
# When make O= with kselftest target from main level
# the following aren't defined.
#
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 621/783] PM/devfreq: governor: Add a private governor_data for governor
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (619 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 620/783] selftests: Use optional USERCFLAGS and USERLDFLAGS Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 622/783] cpufreq: Init completion before kobject_init_and_add() Greg Kroah-Hartman
` (171 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chanwoo Choi, MyungJoo Ham,
Kant Fan, Chanwoo Choi
From: Kant Fan <kant@allwinnertech.com>
commit 5fdded8448924e3631d466eea499b11606c43640 upstream.
The member void *data in the structure devfreq can be overwrite
by governor_userspace. For example:
1. The device driver assigned the devfreq governor to simple_ondemand
by the function devfreq_add_device() and init the devfreq member
void *data to a pointer of a static structure devfreq_simple_ondemand_data
by the function devfreq_add_device().
2. The user changed the devfreq governor to userspace by the command
"echo userspace > /sys/class/devfreq/.../governor".
3. The governor userspace alloced a dynamic memory for the struct
userspace_data and assigend the member void *data of devfreq to
this memory by the function userspace_init().
4. The user changed the devfreq governor back to simple_ondemand
by the command "echo simple_ondemand > /sys/class/devfreq/.../governor".
5. The governor userspace exited and assigned the member void *data
in the structure devfreq to NULL by the function userspace_exit().
6. The governor simple_ondemand fetched the static information of
devfreq_simple_ondemand_data in the function
devfreq_simple_ondemand_func() but the member void *data of devfreq was
assigned to NULL by the function userspace_exit().
7. The information of upthreshold and downdifferential is lost
and the governor simple_ondemand can't work correctly.
The member void *data in the structure devfreq is designed for
a static pointer used in a governor and inited by the function
devfreq_add_device(). This patch add an element named governor_data
in the devfreq structure which can be used by a governor(E.g userspace)
who want to assign a private data to do some private things.
Fixes: ce26c5bb9569 ("PM / devfreq: Add basic governors")
Cc: stable@vger.kernel.org # 5.10+
Reviewed-by: Chanwoo Choi <cwchoi00@gmail.com>
Acked-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Kant Fan <kant@allwinnertech.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/devfreq/devfreq.c | 6 ++----
drivers/devfreq/governor_userspace.c | 12 ++++++------
include/linux/devfreq.h | 7 ++++---
3 files changed, 12 insertions(+), 13 deletions(-)
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -740,8 +740,7 @@ static void devfreq_dev_release(struct d
* @dev: the device to add devfreq feature.
* @profile: device-specific profile to run devfreq.
* @governor_name: name of the policy to choose frequency.
- * @data: private data for the governor. The devfreq framework does not
- * touch this value.
+ * @data: devfreq driver pass to governors, governor should not change it.
*/
struct devfreq *devfreq_add_device(struct device *dev,
struct devfreq_dev_profile *profile,
@@ -953,8 +952,7 @@ static void devm_devfreq_dev_release(str
* @dev: the device to add devfreq feature.
* @profile: device-specific profile to run devfreq.
* @governor_name: name of the policy to choose frequency.
- * @data: private data for the governor. The devfreq framework does not
- * touch this value.
+ * @data: devfreq driver pass to governors, governor should not change it.
*
* This function manages automatically the memory of devfreq device using device
* resource management and simplify the free operation for memory of devfreq
--- a/drivers/devfreq/governor_userspace.c
+++ b/drivers/devfreq/governor_userspace.c
@@ -21,7 +21,7 @@ struct userspace_data {
static int devfreq_userspace_func(struct devfreq *df, unsigned long *freq)
{
- struct userspace_data *data = df->data;
+ struct userspace_data *data = df->governor_data;
if (data->valid)
*freq = data->user_frequency;
@@ -40,7 +40,7 @@ static ssize_t store_freq(struct device
int err = 0;
mutex_lock(&devfreq->lock);
- data = devfreq->data;
+ data = devfreq->governor_data;
sscanf(buf, "%lu", &wanted);
data->user_frequency = wanted;
@@ -60,7 +60,7 @@ static ssize_t show_freq(struct device *
int err = 0;
mutex_lock(&devfreq->lock);
- data = devfreq->data;
+ data = devfreq->governor_data;
if (data->valid)
err = sprintf(buf, "%lu\n", data->user_frequency);
@@ -91,7 +91,7 @@ static int userspace_init(struct devfreq
goto out;
}
data->valid = false;
- devfreq->data = data;
+ devfreq->governor_data = data;
err = sysfs_create_group(&devfreq->dev.kobj, &dev_attr_group);
out:
@@ -107,8 +107,8 @@ static void userspace_exit(struct devfre
if (devfreq->dev.kobj.sd)
sysfs_remove_group(&devfreq->dev.kobj, &dev_attr_group);
- kfree(devfreq->data);
- devfreq->data = NULL;
+ kfree(devfreq->governor_data);
+ devfreq->governor_data = NULL;
}
static int devfreq_userspace_handler(struct devfreq *devfreq,
--- a/include/linux/devfreq.h
+++ b/include/linux/devfreq.h
@@ -146,8 +146,8 @@ struct devfreq_stats {
* @work: delayed work for load monitoring.
* @previous_freq: previously configured frequency value.
* @last_status: devfreq user device info, performance statistics
- * @data: Private data of the governor. The devfreq framework does not
- * touch this.
+ * @data: devfreq driver pass to governors, governor should not change it.
+ * @governor_data: private data for governors, devfreq core doesn't touch it.
* @user_min_freq_req: PM QoS minimum frequency request from user (via sysfs)
* @user_max_freq_req: PM QoS maximum frequency request from user (via sysfs)
* @scaling_min_freq: Limit minimum frequency requested by OPP interface
@@ -183,7 +183,8 @@ struct devfreq {
unsigned long previous_freq;
struct devfreq_dev_status last_status;
- void *data; /* private data for governors */
+ void *data;
+ void *governor_data;
struct dev_pm_qos_request user_min_freq_req;
struct dev_pm_qos_request user_max_freq_req;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 622/783] cpufreq: Init completion before kobject_init_and_add()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (620 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 621/783] PM/devfreq: governor: Add a private governor_data for governor Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 623/783] ALSA: patch_realtek: Fix Dell Inspiron Plus 16 Greg Kroah-Hartman
` (170 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yongqiang Liu, Viresh Kumar,
Rafael J. Wysocki
From: Yongqiang Liu <liuyongqiang13@huawei.com>
commit 5c51054896bcce1d33d39fead2af73fec24f40b6 upstream.
In cpufreq_policy_alloc(), it will call uninitialed completion in
cpufreq_sysfs_release() when kobject_init_and_add() fails. And
that will cause a crash such as the following page fault in complete:
BUG: unable to handle page fault for address: fffffffffffffff8
[..]
RIP: 0010:complete+0x98/0x1f0
[..]
Call Trace:
kobject_put+0x1be/0x4c0
cpufreq_online.cold+0xee/0x1fd
cpufreq_add_dev+0x183/0x1e0
subsys_interface_register+0x3f5/0x4e0
cpufreq_register_driver+0x3b7/0x670
acpi_cpufreq_init+0x56c/0x1000 [acpi_cpufreq]
do_one_initcall+0x13d/0x780
do_init_module+0x1c3/0x630
load_module+0x6e67/0x73b0
__do_sys_finit_module+0x181/0x240
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fixes: 4ebe36c94aed ("cpufreq: Fix kobject memleak")
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Cc: 5.2+ <stable@vger.kernel.org> # 5.2+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/cpufreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/cpufreq/cpufreq.c
+++ b/drivers/cpufreq/cpufreq.c
@@ -1211,6 +1211,7 @@ static struct cpufreq_policy *cpufreq_po
if (!zalloc_cpumask_var(&policy->real_cpus, GFP_KERNEL))
goto err_free_rcpumask;
+ init_completion(&policy->kobj_unregister);
ret = kobject_init_and_add(&policy->kobj, &ktype_cpufreq,
cpufreq_global_kobject, "policy%u", cpu);
if (ret) {
@@ -1249,7 +1250,6 @@ static struct cpufreq_policy *cpufreq_po
init_rwsem(&policy->rwsem);
spin_lock_init(&policy->transition_lock);
init_waitqueue_head(&policy->transition_wait);
- init_completion(&policy->kobj_unregister);
INIT_WORK(&policy->update, handle_update);
policy->cpu = cpu;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 623/783] ALSA: patch_realtek: Fix Dell Inspiron Plus 16
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (621 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 622/783] cpufreq: Init completion before kobject_init_and_add() Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 624/783] ALSA: hda/realtek: Apply dual codec fixup for Dell Latitude laptops Greg Kroah-Hartman
` (169 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philipp Jungkamp, Takashi Iwai, Sasha Levin
From: Philipp Jungkamp <p.jungkamp@gmx.net>
[ Upstream commit 2912cdda734d9136615ed05636d9fcbca2a7a3c5 ]
The Dell Inspiron Plus 16, in both laptop and 2in1 form factor, has top
speakers connected on NID 0x17, which the codec reports as unconnected.
These speakers should be connected to the DAC on NID 0x03.
Signed-off-by: Philipp Jungkamp <p.jungkamp@gmx.net>
Link: https://lore.kernel.org/r/20221205163713.7476-1-p.jungkamp@gmx.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Stable-dep-of: a4517c4f3423 ("ALSA: hda/realtek: Apply dual codec fixup for Dell Latitude laptops")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 37 +++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index e0bca0b029ed..72d6456bd1eb 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6654,6 +6654,34 @@ static void alc256_fixup_mic_no_presence_and_resume(struct hda_codec *codec,
}
}
+static void alc295_fixup_dell_inspiron_top_speakers(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+{
+ static const struct hda_pintbl pincfgs[] = {
+ { 0x14, 0x90170151 },
+ { 0x17, 0x90170150 },
+ { }
+ };
+ static const hda_nid_t conn[] = { 0x02, 0x03 };
+ static const hda_nid_t preferred_pairs[] = {
+ 0x14, 0x02,
+ 0x17, 0x03,
+ 0x21, 0x02,
+ 0
+ };
+ struct alc_spec *spec = codec->spec;
+
+ alc_fixup_no_shutup(codec, fix, action);
+
+ switch (action) {
+ case HDA_FIXUP_ACT_PRE_PROBE:
+ snd_hda_apply_pincfgs(codec, pincfgs);
+ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn);
+ spec->gen.preferred_dacs = preferred_pairs;
+ break;
+ }
+}
+
enum {
ALC269_FIXUP_GPIO2,
ALC269_FIXUP_SONY_VAIO,
@@ -6884,6 +6912,7 @@ enum {
ALC285_FIXUP_LEGION_Y9000X_SPEAKERS,
ALC285_FIXUP_LEGION_Y9000X_AUTOMUTE,
ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED,
+ ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS,
};
/* A special fixup for Lenovo C940 and Yoga Duet 7;
@@ -8704,6 +8733,12 @@ static const struct hda_fixup alc269_fixups[] = {
.chained = true,
.chain_id = ALC285_FIXUP_HP_MUTE_LED,
},
+ [ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc295_fixup_dell_inspiron_top_speakers,
+ .chained = true,
+ .chain_id = ALC269_FIXUP_DELL4_MIC_NO_PRESENCE,
+ },
};
static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -8803,6 +8838,8 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
SND_PCI_QUIRK(0x1028, 0x0a9e, "Dell Latitude 5430", ALC269_FIXUP_DELL4_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x0b19, "Dell XPS 15 9520", ALC289_FIXUP_DUAL_SPK),
SND_PCI_QUIRK(0x1028, 0x0b1a, "Dell Precision 5570", ALC289_FIXUP_DUAL_SPK),
+ SND_PCI_QUIRK(0x1028, 0x0b37, "Dell Inspiron 16 Plus 7620 2-in-1", ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS),
+ SND_PCI_QUIRK(0x1028, 0x0b71, "Dell Inspiron 16 Plus 7620", ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS),
SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 624/783] ALSA: hda/realtek: Apply dual codec fixup for Dell Latitude laptops
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (622 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 623/783] ALSA: patch_realtek: Fix Dell Inspiron Plus 16 Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 625/783] dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort Greg Kroah-Hartman
` (168 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chris Chiu, Takashi Iwai, Sasha Levin
From: Chris Chiu <chris.chiu@canonical.com>
[ Upstream commit a4517c4f3423c7c448f2c359218f97c1173523a1 ]
The Dell Latiture 3340/3440/3540 laptops with Realtek ALC3204 have
dual codecs and need the ALC1220_FIXUP_GB_DUAL_CODECS to fix the
conflicts of Master controls. The existing headset mic fixup for
Dell is also required to enable the jack sense and the headset mic.
Introduce a new fixup to fix the dual codec and headset mic issues
for particular Dell laptops since other old Dell laptops with the
same codec configuration are already well handled by the fixup in
alc269_fallback_pin_fixup_tbl[].
Signed-off-by: Chris Chiu <chris.chiu@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221226114303.4027500-1-chris.chiu@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6913,6 +6913,7 @@ enum {
ALC285_FIXUP_LEGION_Y9000X_AUTOMUTE,
ALC285_FIXUP_HP_SPEAKERS_MICMUTE_LED,
ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS,
+ ALC236_FIXUP_DELL_DUAL_CODECS,
};
/* A special fixup for Lenovo C940 and Yoga Duet 7;
@@ -8739,6 +8740,12 @@ static const struct hda_fixup alc269_fix
.chained = true,
.chain_id = ALC269_FIXUP_DELL4_MIC_NO_PRESENCE,
},
+ [ALC236_FIXUP_DELL_DUAL_CODECS] = {
+ .type = HDA_FIXUP_PINS,
+ .v.func = alc1220_fixup_gb_dual_codecs,
+ .chained = true,
+ .chain_id = ALC255_FIXUP_DELL1_MIC_NO_PRESENCE,
+ },
};
static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -8840,6 +8847,12 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1028, 0x0b1a, "Dell Precision 5570", ALC289_FIXUP_DUAL_SPK),
SND_PCI_QUIRK(0x1028, 0x0b37, "Dell Inspiron 16 Plus 7620 2-in-1", ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS),
SND_PCI_QUIRK(0x1028, 0x0b71, "Dell Inspiron 16 Plus 7620", ALC295_FIXUP_DELL_INSPIRON_TOP_SPEAKERS),
+ SND_PCI_QUIRK(0x1028, 0x0c19, "Dell Precision 3340", ALC236_FIXUP_DELL_DUAL_CODECS),
+ SND_PCI_QUIRK(0x1028, 0x0c1a, "Dell Precision 3340", ALC236_FIXUP_DELL_DUAL_CODECS),
+ SND_PCI_QUIRK(0x1028, 0x0c1b, "Dell Precision 3440", ALC236_FIXUP_DELL_DUAL_CODECS),
+ SND_PCI_QUIRK(0x1028, 0x0c1c, "Dell Precision 3540", ALC236_FIXUP_DELL_DUAL_CODECS),
+ SND_PCI_QUIRK(0x1028, 0x0c1d, "Dell Precision 3440", ALC236_FIXUP_DELL_DUAL_CODECS),
+ SND_PCI_QUIRK(0x1028, 0x0c1e, "Dell Precision 3540", ALC236_FIXUP_DELL_DUAL_CODECS),
SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x164b, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x103c, 0x1586, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC2),
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 625/783] dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (623 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 624/783] ALSA: hda/realtek: Apply dual codec fixup for Dell Latitude laptops Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 626/783] dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata Greg Kroah-Hartman
` (167 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Mike Snitzer
From: Mike Snitzer <snitzer@kernel.org>
commit 352b837a5541690d4f843819028cf2b8be83d424 upstream.
Same ABBA deadlock pattern fixed in commit 4b60f452ec51 ("dm thin: Fix
ABBA deadlock between shrink_slab and dm_pool_abort_metadata") to
DM-cache's metadata.
Reported-by: Zhihao Cheng <chengzhihao1@huawei.com>
Cc: stable@vger.kernel.org
Fixes: 028ae9f76f29 ("dm cache: add fail io mode and needs_check flag")
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-cache-metadata.c | 54 +++++++++++++++++++++++++++++++++++------
1 file changed, 47 insertions(+), 7 deletions(-)
--- a/drivers/md/dm-cache-metadata.c
+++ b/drivers/md/dm-cache-metadata.c
@@ -551,11 +551,13 @@ static int __create_persistent_data_obje
return r;
}
-static void __destroy_persistent_data_objects(struct dm_cache_metadata *cmd)
+static void __destroy_persistent_data_objects(struct dm_cache_metadata *cmd,
+ bool destroy_bm)
{
dm_sm_destroy(cmd->metadata_sm);
dm_tm_destroy(cmd->tm);
- dm_block_manager_destroy(cmd->bm);
+ if (destroy_bm)
+ dm_block_manager_destroy(cmd->bm);
}
typedef unsigned long (*flags_mutator)(unsigned long);
@@ -826,7 +828,7 @@ static struct dm_cache_metadata *lookup_
cmd2 = lookup(bdev);
if (cmd2) {
mutex_unlock(&table_lock);
- __destroy_persistent_data_objects(cmd);
+ __destroy_persistent_data_objects(cmd, true);
kfree(cmd);
return cmd2;
}
@@ -874,7 +876,7 @@ void dm_cache_metadata_close(struct dm_c
mutex_unlock(&table_lock);
if (!cmd->fail_io)
- __destroy_persistent_data_objects(cmd);
+ __destroy_persistent_data_objects(cmd, true);
kfree(cmd);
}
}
@@ -1808,14 +1810,52 @@ int dm_cache_metadata_needs_check(struct
int dm_cache_metadata_abort(struct dm_cache_metadata *cmd)
{
- int r;
+ int r = -EINVAL;
+ struct dm_block_manager *old_bm = NULL, *new_bm = NULL;
+
+ /* fail_io is double-checked with cmd->root_lock held below */
+ if (unlikely(cmd->fail_io))
+ return r;
+
+ /*
+ * Replacement block manager (new_bm) is created and old_bm destroyed outside of
+ * cmd root_lock to avoid ABBA deadlock that would result (due to life-cycle of
+ * shrinker associated with the block manager's bufio client vs cmd root_lock).
+ * - must take shrinker_rwsem without holding cmd->root_lock
+ */
+ new_bm = dm_block_manager_create(cmd->bdev, DM_CACHE_METADATA_BLOCK_SIZE << SECTOR_SHIFT,
+ CACHE_MAX_CONCURRENT_LOCKS);
WRITE_LOCK(cmd);
- __destroy_persistent_data_objects(cmd);
- r = __create_persistent_data_objects(cmd, false);
+ if (cmd->fail_io) {
+ WRITE_UNLOCK(cmd);
+ goto out;
+ }
+
+ __destroy_persistent_data_objects(cmd, false);
+ old_bm = cmd->bm;
+ if (IS_ERR(new_bm)) {
+ DMERR("could not create block manager during abort");
+ cmd->bm = NULL;
+ r = PTR_ERR(new_bm);
+ goto out_unlock;
+ }
+
+ cmd->bm = new_bm;
+ r = __open_or_format_metadata(cmd, false);
+ if (r) {
+ cmd->bm = NULL;
+ goto out_unlock;
+ }
+ new_bm = NULL;
+out_unlock:
if (r)
cmd->fail_io = true;
WRITE_UNLOCK(cmd);
+ dm_block_manager_destroy(old_bm);
+out:
+ if (new_bm && !IS_ERR(new_bm))
+ dm_block_manager_destroy(new_bm);
return r;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 626/783] dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (624 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 625/783] dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 627/783] dm thin: Use last transactions pmd->root when commit failed Greg Kroah-Hartman
` (166 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Mike Snitzer
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit 8111964f1b8524c4bb56b02cd9c7a37725ea21fd upstream.
Following concurrent processes:
P1(drop cache) P2(kworker)
drop_caches_sysctl_handler
drop_slab
shrink_slab
down_read(&shrinker_rwsem) - LOCK A
do_shrink_slab
super_cache_scan
prune_icache_sb
dispose_list
evict
ext4_evict_inode
ext4_clear_inode
ext4_discard_preallocations
ext4_mb_load_buddy_gfp
ext4_mb_init_cache
ext4_read_block_bitmap_nowait
ext4_read_bh_nowait
submit_bh
dm_submit_bio
do_worker
process_deferred_bios
commit
metadata_operation_failed
dm_pool_abort_metadata
down_write(&pmd->root_lock) - LOCK B
__destroy_persistent_data_objects
dm_block_manager_destroy
dm_bufio_client_destroy
unregister_shrinker
down_write(&shrinker_rwsem)
thin_map |
dm_thin_find_block ↓
down_read(&pmd->root_lock) --> ABBA deadlock
, which triggers hung task:
[ 76.974820] INFO: task kworker/u4:3:63 blocked for more than 15 seconds.
[ 76.976019] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910
[ 76.978521] task:kworker/u4:3 state:D stack:0 pid:63 ppid:2
[ 76.978534] Workqueue: dm-thin do_worker
[ 76.978552] Call Trace:
[ 76.978564] __schedule+0x6ba/0x10f0
[ 76.978582] schedule+0x9d/0x1e0
[ 76.978588] rwsem_down_write_slowpath+0x587/0xdf0
[ 76.978600] down_write+0xec/0x110
[ 76.978607] unregister_shrinker+0x2c/0xf0
[ 76.978616] dm_bufio_client_destroy+0x116/0x3d0
[ 76.978625] dm_block_manager_destroy+0x19/0x40
[ 76.978629] __destroy_persistent_data_objects+0x5e/0x70
[ 76.978636] dm_pool_abort_metadata+0x8e/0x100
[ 76.978643] metadata_operation_failed+0x86/0x110
[ 76.978649] commit+0x6a/0x230
[ 76.978655] do_worker+0xc6e/0xd90
[ 76.978702] process_one_work+0x269/0x630
[ 76.978714] worker_thread+0x266/0x630
[ 76.978730] kthread+0x151/0x1b0
[ 76.978772] INFO: task test.sh:2646 blocked for more than 15 seconds.
[ 76.979756] Not tainted 6.1.0-rc4-00011-g8f17dd350364-dirty #910
[ 76.982111] task:test.sh state:D stack:0 pid:2646 ppid:2459
[ 76.982128] Call Trace:
[ 76.982139] __schedule+0x6ba/0x10f0
[ 76.982155] schedule+0x9d/0x1e0
[ 76.982159] rwsem_down_read_slowpath+0x4f4/0x910
[ 76.982173] down_read+0x84/0x170
[ 76.982177] dm_thin_find_block+0x4c/0xd0
[ 76.982183] thin_map+0x201/0x3d0
[ 76.982188] __map_bio+0x5b/0x350
[ 76.982195] dm_submit_bio+0x2b6/0x930
[ 76.982202] __submit_bio+0x123/0x2d0
[ 76.982209] submit_bio_noacct_nocheck+0x101/0x3e0
[ 76.982222] submit_bio_noacct+0x389/0x770
[ 76.982227] submit_bio+0x50/0xc0
[ 76.982232] submit_bh_wbc+0x15e/0x230
[ 76.982238] submit_bh+0x14/0x20
[ 76.982241] ext4_read_bh_nowait+0xc5/0x130
[ 76.982247] ext4_read_block_bitmap_nowait+0x340/0xc60
[ 76.982254] ext4_mb_init_cache+0x1ce/0xdc0
[ 76.982259] ext4_mb_load_buddy_gfp+0x987/0xfa0
[ 76.982263] ext4_discard_preallocations+0x45d/0x830
[ 76.982274] ext4_clear_inode+0x48/0xf0
[ 76.982280] ext4_evict_inode+0xcf/0xc70
[ 76.982285] evict+0x119/0x2b0
[ 76.982290] dispose_list+0x43/0xa0
[ 76.982294] prune_icache_sb+0x64/0x90
[ 76.982298] super_cache_scan+0x155/0x210
[ 76.982303] do_shrink_slab+0x19e/0x4e0
[ 76.982310] shrink_slab+0x2bd/0x450
[ 76.982317] drop_slab+0xcc/0x1a0
[ 76.982323] drop_caches_sysctl_handler+0xb7/0xe0
[ 76.982327] proc_sys_call_handler+0x1bc/0x300
[ 76.982331] proc_sys_write+0x17/0x20
[ 76.982334] vfs_write+0x3d3/0x570
[ 76.982342] ksys_write+0x73/0x160
[ 76.982347] __x64_sys_write+0x1e/0x30
[ 76.982352] do_syscall_64+0x35/0x80
[ 76.982357] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Function metadata_operation_failed() is called when operations failed
on dm pool metadata, dm pool will destroy and recreate metadata. So,
shrinker will be unregistered and registered, which could down write
shrinker_rwsem under pmd_write_lock.
Fix it by allocating dm_block_manager before locking pmd->root_lock
and destroying old dm_block_manager after unlocking pmd->root_lock,
then old dm_block_manager is replaced with new dm_block_manager under
pmd->root_lock. So, shrinker register/unregister could be done without
holding pmd->root_lock.
Fetch a reproducer in [Link].
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216676
Cc: stable@vger.kernel.org #v5.2+
Fixes: e49e582965b3 ("dm thin: add read only and fail io modes")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-thin-metadata.c | 51 +++++++++++++++++++++++++++++++++++-------
1 file changed, 43 insertions(+), 8 deletions(-)
--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -753,13 +753,15 @@ static int __create_persistent_data_obje
return r;
}
-static void __destroy_persistent_data_objects(struct dm_pool_metadata *pmd)
+static void __destroy_persistent_data_objects(struct dm_pool_metadata *pmd,
+ bool destroy_bm)
{
dm_sm_destroy(pmd->data_sm);
dm_sm_destroy(pmd->metadata_sm);
dm_tm_destroy(pmd->nb_tm);
dm_tm_destroy(pmd->tm);
- dm_block_manager_destroy(pmd->bm);
+ if (destroy_bm)
+ dm_block_manager_destroy(pmd->bm);
}
static int __begin_transaction(struct dm_pool_metadata *pmd)
@@ -966,7 +968,7 @@ int dm_pool_metadata_close(struct dm_poo
}
pmd_write_unlock(pmd);
if (!pmd->fail_io)
- __destroy_persistent_data_objects(pmd);
+ __destroy_persistent_data_objects(pmd, true);
kfree(pmd);
return 0;
@@ -1873,19 +1875,52 @@ static void __set_abort_with_changes_fla
int dm_pool_abort_metadata(struct dm_pool_metadata *pmd)
{
int r = -EINVAL;
+ struct dm_block_manager *old_bm = NULL, *new_bm = NULL;
+
+ /* fail_io is double-checked with pmd->root_lock held below */
+ if (unlikely(pmd->fail_io))
+ return r;
+
+ /*
+ * Replacement block manager (new_bm) is created and old_bm destroyed outside of
+ * pmd root_lock to avoid ABBA deadlock that would result (due to life-cycle of
+ * shrinker associated with the block manager's bufio client vs pmd root_lock).
+ * - must take shrinker_rwsem without holding pmd->root_lock
+ */
+ new_bm = dm_block_manager_create(pmd->bdev, THIN_METADATA_BLOCK_SIZE << SECTOR_SHIFT,
+ THIN_MAX_CONCURRENT_LOCKS);
pmd_write_lock(pmd);
- if (pmd->fail_io)
+ if (pmd->fail_io) {
+ pmd_write_unlock(pmd);
goto out;
+ }
__set_abort_with_changes_flags(pmd);
- __destroy_persistent_data_objects(pmd);
- r = __create_persistent_data_objects(pmd, false);
+ __destroy_persistent_data_objects(pmd, false);
+ old_bm = pmd->bm;
+ if (IS_ERR(new_bm)) {
+ DMERR("could not create block manager during abort");
+ pmd->bm = NULL;
+ r = PTR_ERR(new_bm);
+ goto out_unlock;
+ }
+
+ pmd->bm = new_bm;
+ r = __open_or_format_metadata(pmd, false);
+ if (r) {
+ pmd->bm = NULL;
+ goto out_unlock;
+ }
+ new_bm = NULL;
+out_unlock:
if (r)
pmd->fail_io = true;
-
-out:
pmd_write_unlock(pmd);
+ dm_block_manager_destroy(old_bm);
+out:
+ if (new_bm && !IS_ERR(new_bm))
+ dm_block_manager_destroy(new_bm);
return r;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 627/783] dm thin: Use last transactions pmd->root when commit failed
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (625 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 626/783] dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 628/783] dm thin: resume even if in FAIL mode Greg Kroah-Hartman
` (165 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Joe Thornber, Mike Snitzer
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit 7991dbff6849f67e823b7cc0c15e5a90b0549b9f upstream.
Recently we found a softlock up problem in dm thin pool btree lookup
code due to corrupted metadata:
Kernel panic - not syncing: softlockup: hung tasks
CPU: 7 PID: 2669225 Comm: kworker/u16:3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Workqueue: dm-thin do_worker [dm_thin_pool]
Call Trace:
<IRQ>
dump_stack+0x9c/0xd3
panic+0x35d/0x6b9
watchdog_timer_fn.cold+0x16/0x25
__run_hrtimer+0xa2/0x2d0
</IRQ>
RIP: 0010:__relink_lru+0x102/0x220 [dm_bufio]
__bufio_new+0x11f/0x4f0 [dm_bufio]
new_read+0xa3/0x1e0 [dm_bufio]
dm_bm_read_lock+0x33/0xd0 [dm_persistent_data]
ro_step+0x63/0x100 [dm_persistent_data]
btree_lookup_raw.constprop.0+0x44/0x220 [dm_persistent_data]
dm_btree_lookup+0x16f/0x210 [dm_persistent_data]
dm_thin_find_block+0x12c/0x210 [dm_thin_pool]
__process_bio_read_only+0xc5/0x400 [dm_thin_pool]
process_thin_deferred_bios+0x1a4/0x4a0 [dm_thin_pool]
process_one_work+0x3c5/0x730
Following process may generate a broken btree mixed with fresh and
stale btree nodes, which could get dm thin trapped in an infinite loop
while looking up data block:
Transaction 1: pmd->root = A, A->B->C // One path in btree
pmd->root = X, X->Y->Z // Copy-up
Transaction 2: X,Z is updated on disk, Y write failed.
// Commit failed, dm thin becomes read-only.
process_bio_read_only
dm_thin_find_block
__find_block
dm_btree_lookup(pmd->root)
The pmd->root points to a broken btree, Y may contain stale node
pointing to any block, for example X, which gets dm thin trapped into
a dead loop while looking up Z.
Fix this by setting pmd->root in __open_metadata(), so that dm thin
will use the last transaction's pmd->root if commit failed.
Fetch a reproducer in [Link].
Linke: https://bugzilla.kernel.org/show_bug.cgi?id=216790
Cc: stable@vger.kernel.org
Fixes: 991d9fa02da0 ("dm: add thin provisioning target")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Acked-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-thin-metadata.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/md/dm-thin-metadata.c
+++ b/drivers/md/dm-thin-metadata.c
@@ -701,6 +701,15 @@ static int __open_metadata(struct dm_poo
goto bad_cleanup_data_sm;
}
+ /*
+ * For pool metadata opening process, root setting is redundant
+ * because it will be set again in __begin_transaction(). But dm
+ * pool aborting process really needs to get last transaction's
+ * root to avoid accessing broken btree.
+ */
+ pmd->root = le64_to_cpu(disk_super->data_mapping_root);
+ pmd->details_root = le64_to_cpu(disk_super->device_details_root);
+
__setup_btree_details(pmd);
dm_bm_unlock(sblock);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 628/783] dm thin: resume even if in FAIL mode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (626 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 627/783] dm thin: Use last transactions pmd->root when commit failed Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 629/783] dm thin: Fix UAF in run_timer_softirq() Greg Kroah-Hartman
` (164 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luo Meng, Mike Snitzer
From: Luo Meng <luomeng12@huawei.com>
commit 19eb1650afeb1aa86151f61900e9e5f1de5d8d02 upstream.
If a thinpool set fail_io while suspending, resume will fail with:
device-mapper: resume ioctl on vg-thinpool failed: Invalid argument
The thin-pool also can't be removed if an in-flight bio is in the
deferred list.
This can be easily reproduced using:
echo "offline" > /sys/block/sda/device/state
dd if=/dev/zero of=/dev/mapper/thin bs=4K count=1
dmsetup suspend /dev/mapper/pool
mkfs.ext4 /dev/mapper/thin
dmsetup resume /dev/mapper/pool
The root cause is maybe_resize_data_dev() will check fail_io and return
error before called dm_resume.
Fix this by adding FAIL mode check at the end of pool_preresume().
Cc: stable@vger.kernel.org
Fixes: da105ed5fd7e ("dm thin metadata: introduce dm_pool_abort_metadata")
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-thin.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -3566,20 +3566,28 @@ static int pool_preresume(struct dm_targ
*/
r = bind_control_target(pool, ti);
if (r)
- return r;
+ goto out;
r = maybe_resize_data_dev(ti, &need_commit1);
if (r)
- return r;
+ goto out;
r = maybe_resize_metadata_dev(ti, &need_commit2);
if (r)
- return r;
+ goto out;
if (need_commit1 || need_commit2)
(void) commit(pool);
+out:
+ /*
+ * When a thin-pool is PM_FAIL, it cannot be rebuilt if
+ * bio is in deferred list. Therefore need to return 0
+ * to allow pool_resume() to flush IO.
+ */
+ if (r && get_pool_mode(pool) == PM_FAIL)
+ r = 0;
- return 0;
+ return r;
}
static void pool_suspend_active_thins(struct pool *pool)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 629/783] dm thin: Fix UAF in run_timer_softirq()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (627 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 628/783] dm thin: resume even if in FAIL mode Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 630/783] dm integrity: Fix UAF in dm_integrity_dtr() Greg Kroah-Hartman
` (163 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luo Meng, Mike Snitzer
From: Luo Meng <luomeng12@huawei.com>
commit 88430ebcbc0ec637b710b947738839848c20feff upstream.
When dm_resume() and dm_destroy() are concurrent, it will
lead to UAF, as follows:
BUG: KASAN: use-after-free in __run_timers+0x173/0x710
Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0
<snip>
Call Trace:
<IRQ>
dump_stack_lvl+0x73/0x9f
print_report.cold+0x132/0xaa2
_raw_spin_lock_irqsave+0xcd/0x160
__run_timers+0x173/0x710
kasan_report+0xad/0x110
__run_timers+0x173/0x710
__asan_store8+0x9c/0x140
__run_timers+0x173/0x710
call_timer_fn+0x310/0x310
pvclock_clocksource_read+0xfa/0x250
kvm_clock_read+0x2c/0x70
kvm_clock_get_cycles+0xd/0x20
ktime_get+0x5c/0x110
lapic_next_event+0x38/0x50
clockevents_program_event+0xf1/0x1e0
run_timer_softirq+0x49/0x90
__do_softirq+0x16e/0x62c
__irq_exit_rcu+0x1fa/0x270
irq_exit_rcu+0x12/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0
One of the concurrency UAF can be shown as below:
use free
do_resume |
__find_device_hash_cell |
dm_get |
atomic_inc(&md->holders) |
| dm_destroy
| __dm_destroy
| if (!dm_suspended_md(md))
| atomic_read(&md->holders)
| msleep(1)
dm_resume |
__dm_resume |
dm_table_resume_targets |
pool_resume |
do_waker #add delay work |
dm_put |
atomic_dec(&md->holders) |
| dm_table_destroy
| pool_dtr
| __pool_dec
| __pool_destroy
| destroy_workqueue
| kfree(pool) # free pool
time out
__do_softirq
run_timer_softirq # pool has already been freed
This can be easily reproduced using:
1. create thin-pool
2. dmsetup suspend pool
3. dmsetup resume pool
4. dmsetup remove_all # Concurrent with 3
The root cause of this UAF bug is that dm_resume() adds timer after
dm_destroy() skips cancelling the timer because of suspend status.
After timeout, it will call run_timer_softirq(), however pool has
already been freed. The concurrency UAF bug will happen.
Therefore, cancelling timer again in __pool_destroy().
Cc: stable@vger.kernel.org
Fixes: 991d9fa02da0d ("dm: add thin provisioning target")
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-thin.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -2907,6 +2907,8 @@ static void __pool_destroy(struct pool *
dm_bio_prison_destroy(pool->prison);
dm_kcopyd_client_destroy(pool->copier);
+ cancel_delayed_work_sync(&pool->waker);
+ cancel_delayed_work_sync(&pool->no_space_timeout);
if (pool->wq)
destroy_workqueue(pool->wq);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 630/783] dm integrity: Fix UAF in dm_integrity_dtr()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (628 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 629/783] dm thin: Fix UAF in run_timer_softirq() Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 631/783] dm clone: Fix UAF in clone_dtr() Greg Kroah-Hartman
` (162 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luo Meng, Mike Snitzer
From: Luo Meng <luomeng12@huawei.com>
commit f50cb2cbabd6c4a60add93d72451728f86e4791c upstream.
Dm_integrity also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.
Therefore, cancelling timer again in dm_integrity_dtr().
Cc: stable@vger.kernel.org
Fixes: 7eada909bfd7a ("dm: add integrity target")
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-integrity.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/md/dm-integrity.c
+++ b/drivers/md/dm-integrity.c
@@ -4388,6 +4388,8 @@ static void dm_integrity_dtr(struct dm_t
BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress));
BUG_ON(!list_empty(&ic->wait_list));
+ if (ic->mode == 'B')
+ cancel_delayed_work_sync(&ic->bitmap_flush_work);
if (ic->metadata_wq)
destroy_workqueue(ic->metadata_wq);
if (ic->wait_wq)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 631/783] dm clone: Fix UAF in clone_dtr()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (629 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 630/783] dm integrity: Fix UAF in dm_integrity_dtr() Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 632/783] dm cache: Fix UAF in destroy() Greg Kroah-Hartman
` (161 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luo Meng, Mike Snitzer
From: Luo Meng <luomeng12@huawei.com>
commit e4b5957c6f749a501c464f92792f1c8e26b61a94 upstream.
Dm_clone also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.
Therefore, cancelling timer again in clone_dtr().
Cc: stable@vger.kernel.org
Fixes: 7431b7835f554 ("dm: add clone target")
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-clone-target.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/md/dm-clone-target.c
+++ b/drivers/md/dm-clone-target.c
@@ -1966,6 +1966,7 @@ static void clone_dtr(struct dm_target *
mempool_exit(&clone->hydration_pool);
dm_kcopyd_client_destroy(clone->kcopyd_client);
+ cancel_delayed_work_sync(&clone->waker);
destroy_workqueue(clone->wq);
hash_table_exit(clone);
dm_clone_metadata_close(clone->cmd);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 632/783] dm cache: Fix UAF in destroy()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (630 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 631/783] dm clone: Fix UAF in clone_dtr() Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 633/783] dm cache: set needs_check flag after aborting metadata Greg Kroah-Hartman
` (160 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luo Meng, Mike Snitzer
From: Luo Meng <luomeng12@huawei.com>
commit 6a459d8edbdbe7b24db42a5a9f21e6aa9e00c2aa upstream.
Dm_cache also has the same UAF problem when dm_resume()
and dm_destroy() are concurrent.
Therefore, cancelling timer again in destroy().
Cc: stable@vger.kernel.org
Fixes: c6b4fcbad044e ("dm: add cache target")
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-cache-target.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -1965,6 +1965,7 @@ static void destroy(struct cache *cache)
if (cache->prison)
dm_bio_prison_destroy_v2(cache->prison);
+ cancel_delayed_work_sync(&cache->waker);
if (cache->wq)
destroy_workqueue(cache->wq);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 633/783] dm cache: set needs_check flag after aborting metadata
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (631 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 632/783] dm cache: Fix UAF in destroy() Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 634/783] tracing/hist: Fix out-of-bound write on action_data.var_ref_idx Greg Kroah-Hartman
` (159 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mike Snitzer
From: Mike Snitzer <snitzer@kernel.org>
commit 6b9973861cb2e96dcd0bb0f1baddc5c034207c5c upstream.
Otherwise the commit that will be aborted will be associated with the
metadata objects that will be torn down. Must write needs_check flag
to metadata with a reset block manager.
Found through code-inspection (and compared against dm-thin.c).
Cc: stable@vger.kernel.org
Fixes: 028ae9f76f29 ("dm cache: add fail io mode and needs_check flag")
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-cache-target.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/md/dm-cache-target.c
+++ b/drivers/md/dm-cache-target.c
@@ -985,16 +985,16 @@ static void abort_transaction(struct cac
if (get_cache_mode(cache) >= CM_READ_ONLY)
return;
- if (dm_cache_metadata_set_needs_check(cache->cmd)) {
- DMERR("%s: failed to set 'needs_check' flag in metadata", dev_name);
- set_cache_mode(cache, CM_FAIL);
- }
-
DMERR_LIMIT("%s: aborting current metadata transaction", dev_name);
if (dm_cache_metadata_abort(cache->cmd)) {
DMERR("%s: failed to abort metadata transaction", dev_name);
set_cache_mode(cache, CM_FAIL);
}
+
+ if (dm_cache_metadata_set_needs_check(cache->cmd)) {
+ DMERR("%s: failed to set 'needs_check' flag in metadata", dev_name);
+ set_cache_mode(cache, CM_FAIL);
+ }
}
static void metadata_operation_failed(struct cache *cache, const char *op, int r)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 634/783] tracing/hist: Fix out-of-bound write on action_data.var_ref_idx
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (632 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 633/783] dm cache: set needs_check flag after aborting metadata Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 635/783] perf/core: Call LSM hook after copying perf_event_attr Greg Kroah-Hartman
` (158 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, mhiramat, zanussi, Zheng Yejian,
Steven Rostedt (Google)
From: Zheng Yejian <zhengyejian1@huawei.com>
commit 82470f7d9044842618c847a7166de2b7458157a7 upstream.
When generate a synthetic event with many params and then create a trace
action for it [1], kernel panic happened [2].
It is because that in trace_action_create() 'data->n_params' is up to
SYNTH_FIELDS_MAX (current value is 64), and array 'data->var_ref_idx'
keeps indices into array 'hist_data->var_refs' for each synthetic event
param, but the length of 'data->var_ref_idx' is TRACING_MAP_VARS_MAX
(current value is 16), so out-of-bound write happened when 'data->n_params'
more than 16. In this case, 'data->match_data.event' is overwritten and
eventually cause the panic.
To solve the issue, adjust the length of 'data->var_ref_idx' to be
SYNTH_FIELDS_MAX and add sanity checks to avoid out-of-bound write.
[1]
# cd /sys/kernel/tracing/
# echo "my_synth_event int v1; int v2; int v3; int v4; int v5; int v6;\
int v7; int v8; int v9; int v10; int v11; int v12; int v13; int v14;\
int v15; int v16; int v17; int v18; int v19; int v20; int v21; int v22;\
int v23; int v24; int v25; int v26; int v27; int v28; int v29; int v30;\
int v31; int v32; int v33; int v34; int v35; int v36; int v37; int v38;\
int v39; int v40; int v41; int v42; int v43; int v44; int v45; int v46;\
int v47; int v48; int v49; int v50; int v51; int v52; int v53; int v54;\
int v55; int v56; int v57; int v58; int v59; int v60; int v61; int v62;\
int v63" >> synthetic_events
# echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm=="bash"' >> \
events/sched/sched_waking/trigger
# echo "hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,pid,\
pid,pid,pid,pid,pid,pid,pid,pid,pid)" >> events/sched/sched_switch/trigger
[2]
BUG: unable to handle page fault for address: ffff91c900000000
PGD 61001067 P4D 61001067 PUD 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 322 Comm: bash Tainted: G W 6.1.0-rc8+ #229
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014
RIP: 0010:strcmp+0xc/0x30
Code: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee
c3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14
07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3
RSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000
RBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000
R10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580
R13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538
FS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0
Call Trace:
<TASK>
__find_event_file+0x55/0x90
action_create+0x76c/0x1060
event_hist_trigger_parse+0x146d/0x2060
? event_trigger_write+0x31/0xd0
trigger_process_regex+0xbb/0x110
event_trigger_write+0x6b/0xd0
vfs_write+0xc8/0x3e0
? alloc_fd+0xc0/0x160
? preempt_count_add+0x4d/0xa0
? preempt_count_add+0x70/0xa0
ksys_write+0x5f/0xe0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f1d1d0cf077
Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e
fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00
f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74
RSP: 002b:00007ffcebb0e568 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000143 RCX: 00007f1d1d0cf077
RDX: 0000000000000143 RSI: 00005639265aa7e0 RDI: 0000000000000001
RBP: 00005639265aa7e0 R08: 000000000000000a R09: 0000000000000142
R10: 000056392639c017 R11: 0000000000000246 R12: 0000000000000143
R13: 00007f1d1d1ae6a0 R14: 00007f1d1d1aa4a0 R15: 00007f1d1d1a98a0
</TASK>
Modules linked in:
CR2: ffff91c900000000
---[ end trace 0000000000000000 ]---
RIP: 0010:strcmp+0xc/0x30
Code: 75 f7 31 d2 44 0f b6 04 16 44 88 04 11 48 83 c2 01 45 84 c0 75 ee
c3 cc cc cc cc 0f 1f 00 31 c0 eb 08 48 83 c0 01 84 d2 74 13 <0f> b6 14
07 3a 14 06 74 ef 19 c0 83 c8 01 c3 cc cc cc cc 31 c3
RSP: 0018:ffff9b3b00f53c48 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffffffba958a68 RCX: 0000000000000000
RDX: 0000000000000010 RSI: ffff91c943d33a90 RDI: ffff91c900000000
RBP: ffff91c900000000 R08: 00000018d604b529 R09: 0000000000000000
R10: ffff91c9483eddb1 R11: ffff91ca483eddab R12: ffff91c946171580
R13: ffff91c9479f0538 R14: ffff91c9457c2848 R15: ffff91c9479f0538
FS: 00007f1d1cfbe740(0000) GS:ffff91c9bdc80000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff91c900000000 CR3: 0000000006316000 CR4: 00000000000006e0
Link: https://lore.kernel.org/linux-trace-kernel/20221207035143.2278781-1-zhengyejian1@huawei.com
Cc: <mhiramat@kernel.org>
Cc: <zanussi@kernel.org>
Cc: stable@vger.kernel.org
Fixes: d380dcde9a07 ("tracing: Fix now invalid var_ref_vals assumption in trace action")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_hist.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -417,7 +417,7 @@ struct action_data {
* event param, and is passed to the synthetic event
* invocation.
*/
- unsigned int var_ref_idx[TRACING_MAP_VARS_MAX];
+ unsigned int var_ref_idx[SYNTH_FIELDS_MAX];
struct synth_event *synth_event;
bool use_trace_keyword;
char *synth_event_name;
@@ -1846,7 +1846,9 @@ static struct hist_field *create_var_ref
return ref_field;
}
}
-
+ /* Sanity check to avoid out-of-bound write on 'hist_data->var_refs' */
+ if (hist_data->n_var_refs >= TRACING_MAP_VARS_MAX)
+ return NULL;
ref_field = create_hist_field(var_field->hist_data, NULL, flags, NULL);
if (ref_field) {
if (init_var_ref(ref_field, var_field, system, event_name)) {
@@ -3449,6 +3451,10 @@ static int trace_action_create(struct hi
lockdep_assert_held(&event_mutex);
+ /* Sanity check to avoid out-of-bound write on 'data->var_ref_idx' */
+ if (data->n_params > SYNTH_FIELDS_MAX)
+ return -EINVAL;
+
if (data->use_trace_keyword)
synth_event_name = data->synth_event_name;
else
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 635/783] perf/core: Call LSM hook after copying perf_event_attr
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (633 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 634/783] tracing/hist: Fix out-of-bound write on action_data.var_ref_idx Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 636/783] KVM: nVMX: Inject #GP, not #UD, if "generic" VMXON CR0/CR4 check fails Greg Kroah-Hartman
` (157 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namhyung Kim, Peter Zijlstra (Intel),
Joel Fernandes (Google)
From: Namhyung Kim <namhyung@kernel.org>
commit 0a041ebca4956292cadfb14a63ace3a9c1dcb0a3 upstream.
It passes the attr struct to the security_perf_event_open() but it's
not initialized yet.
Fixes: da97e18458fb ("perf_event: Add support for LSM and SELinux checks")
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20221220223140.4020470-1-namhyung@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11781,12 +11781,12 @@ SYSCALL_DEFINE5(perf_event_open,
if (flags & ~PERF_FLAG_ALL)
return -EINVAL;
- /* Do we allow access to perf_event_open(2) ? */
- err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
+ err = perf_copy_attr(attr_uptr, &attr);
if (err)
return err;
- err = perf_copy_attr(attr_uptr, &attr);
+ /* Do we allow access to perf_event_open(2) ? */
+ err = security_perf_event_open(&attr, PERF_SECURITY_OPEN);
if (err)
return err;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 636/783] KVM: nVMX: Inject #GP, not #UD, if "generic" VMXON CR0/CR4 check fails
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (634 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 635/783] perf/core: Call LSM hook after copying perf_event_attr Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 637/783] x86/microcode/intel: Do not retry microcode reloading on the APs Greg Kroah-Hartman
` (156 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Li, Sean Christopherson
From: Sean Christopherson <seanjc@google.com>
commit 9cc409325ddd776f6fd6293d5ce93ce1248af6e4 upstream.
Inject #GP for if VMXON is attempting with a CR0/CR4 that fails the
generic "is CRx valid" check, but passes the CR4.VMXE check, and do the
generic checks _after_ handling the post-VMXON VM-Fail.
The CR4.VMXE check, and all other #UD cases, are special pre-conditions
that are enforced prior to pivoting on the current VMX mode, i.e. occur
before interception if VMXON is attempted in VMX non-root mode.
All other CR0/CR4 checks generate #GP and effectively have lower priority
than the post-VMXON check.
Per the SDM:
IF (register operand) or (CR0.PE = 0) or (CR4.VMXE = 0) or ...
THEN #UD;
ELSIF not in VMX operation
THEN
IF (CPL > 0) or (in A20M mode) or
(the values of CR0 and CR4 are not supported in VMX operation)
THEN #GP(0);
ELSIF in VMX non-root operation
THEN VMexit;
ELSIF CPL > 0
THEN #GP(0);
ELSE VMfail("VMXON executed in VMX root operation");
FI;
which, if re-written without ELSIF, yields:
IF (register operand) or (CR0.PE = 0) or (CR4.VMXE = 0) or ...
THEN #UD
IF in VMX non-root operation
THEN VMexit;
IF CPL > 0
THEN #GP(0)
IF in VMX operation
THEN VMfail("VMXON executed in VMX root operation");
IF (in A20M mode) or
(the values of CR0 and CR4 are not supported in VMX operation)
THEN #GP(0);
Note, KVM unconditionally forwards VMXON VM-Exits that occur in L2 to L1,
i.e. there is no need to check the vCPU is not in VMX non-root mode. Add
a comment to explain why unconditionally forwarding such exits is
functionally correct.
Reported-by: Eric Li <ercli@ucdavis.edu>
Fixes: c7d855c2aff2 ("KVM: nVMX: Inject #UD if VMXON is attempted with incompatible CR0/CR4")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Link: https://lore.kernel.org/r/20221006001956.329314-1-seanjc@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/nested.c | 44 +++++++++++++++++++++++++++++++++-----------
1 file changed, 33 insertions(+), 11 deletions(-)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -4901,24 +4901,35 @@ static int handle_vmon(struct kvm_vcpu *
| FEAT_CTL_VMX_ENABLED_OUTSIDE_SMX;
/*
- * Note, KVM cannot rely on hardware to perform the CR0/CR4 #UD checks
- * that have higher priority than VM-Exit (see Intel SDM's pseudocode
- * for VMXON), as KVM must load valid CR0/CR4 values into hardware while
- * running the guest, i.e. KVM needs to check the _guest_ values.
+ * Manually check CR4.VMXE checks, KVM must force CR4.VMXE=1 to enter
+ * the guest and so cannot rely on hardware to perform the check,
+ * which has higher priority than VM-Exit (see Intel SDM's pseudocode
+ * for VMXON).
*
- * Rely on hardware for the other two pre-VM-Exit checks, !VM86 and
- * !COMPATIBILITY modes. KVM may run the guest in VM86 to emulate Real
- * Mode, but KVM will never take the guest out of those modes.
+ * Rely on hardware for the other pre-VM-Exit checks, CR0.PE=1, !VM86
+ * and !COMPATIBILITY modes. For an unrestricted guest, KVM doesn't
+ * force any of the relevant guest state. For a restricted guest, KVM
+ * does force CR0.PE=1, but only to also force VM86 in order to emulate
+ * Real Mode, and so there's no need to check CR0.PE manually.
*/
- if (!nested_host_cr0_valid(vcpu, kvm_read_cr0(vcpu)) ||
- !nested_host_cr4_valid(vcpu, kvm_read_cr4(vcpu))) {
+ if (!kvm_read_cr4_bits(vcpu, X86_CR4_VMXE)) {
kvm_queue_exception(vcpu, UD_VECTOR);
return 1;
}
/*
- * CPL=0 and all other checks that are lower priority than VM-Exit must
- * be checked manually.
+ * The CPL is checked for "not in VMX operation" and for "in VMX root",
+ * and has higher priority than the VM-Fail due to being post-VMXON,
+ * i.e. VMXON #GPs outside of VMX non-root if CPL!=0. In VMX non-root,
+ * VMXON causes VM-Exit and KVM unconditionally forwards VMXON VM-Exits
+ * from L2 to L1, i.e. there's no need to check for the vCPU being in
+ * VMX non-root.
+ *
+ * Forwarding the VM-Exit unconditionally, i.e. without performing the
+ * #UD checks (see above), is functionally ok because KVM doesn't allow
+ * L1 to run L2 without CR4.VMXE=0, and because KVM never modifies L2's
+ * CR0 or CR4, i.e. it's L2's responsibility to emulate #UDs that are
+ * missed by hardware due to shadowing CR0 and/or CR4.
*/
if (vmx_get_cpl(vcpu)) {
kvm_inject_gp(vcpu, 0);
@@ -4928,6 +4939,17 @@ static int handle_vmon(struct kvm_vcpu *
if (vmx->nested.vmxon)
return nested_vmx_fail(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
+ /*
+ * Invalid CR0/CR4 generates #GP. These checks are performed if and
+ * only if the vCPU isn't already in VMX operation, i.e. effectively
+ * have lower priority than the VM-Fail above.
+ */
+ if (!nested_host_cr0_valid(vcpu, kvm_read_cr0(vcpu)) ||
+ !nested_host_cr4_valid(vcpu, kvm_read_cr4(vcpu))) {
+ kvm_inject_gp(vcpu, 0);
+ return 1;
+ }
+
if ((vmx->msr_ia32_feature_control & VMXON_NEEDED_FEATURES)
!= VMXON_NEEDED_FEATURES) {
kvm_inject_gp(vcpu, 0);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 637/783] x86/microcode/intel: Do not retry microcode reloading on the APs
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (635 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 636/783] KVM: nVMX: Inject #GP, not #UD, if "generic" VMXON CR0/CR4 check fails Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 638/783] ftrace/x86: Add back ftrace_expected for ftrace bug reports Greg Kroah-Hartman
` (155 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ashok Raj, Borislav Petkov (AMD),
Thomas Gleixner
From: Ashok Raj <ashok.raj@intel.com>
commit be1b670f61443aa5d0d01782e9b8ea0ee825d018 upstream.
The retries in load_ucode_intel_ap() were in place to support systems
with mixed steppings. Mixed steppings are no longer supported and there is
only one microcode image at a time. Any retries will simply reattempt to
apply the same image over and over without making progress.
[ bp: Zap the circumstantial reasoning from the commit message. ]
Fixes: 06b8534cb728 ("x86/microcode: Rework microcode loading")
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20221129210832.107850-3-ashok.raj@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/microcode/intel.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -659,7 +659,6 @@ void load_ucode_intel_ap(void)
else
iup = &intel_ucode_patch;
-reget:
if (!*iup) {
patch = __load_ucode_intel(&uci);
if (!patch)
@@ -670,12 +669,7 @@ reget:
uci.mc = *iup;
- if (apply_microcode_early(&uci, true)) {
- /* Mixed-silicon system? Try to refetch the proper patch: */
- *iup = NULL;
-
- goto reget;
- }
+ apply_microcode_early(&uci, true);
}
static struct microcode_intel *find_patch(struct ucode_cpu_info *uci)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 638/783] ftrace/x86: Add back ftrace_expected for ftrace bug reports
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (636 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 637/783] x86/microcode/intel: Do not retry microcode reloading on the APs Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 639/783] x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK Greg Kroah-Hartman
` (154 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Andrew Morton,
Peter Zijlstra, Thomas Gleixner, x86, Borislav Petkov,
Ingo Molnar, Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit fd3dc56253acbe9c641a66d312d8393cd55eb04c upstream.
After someone reported a bug report with a failed modification due to the
expected value not matching what was found, it came to my attention that
the ftrace_expected is no longer set when that happens. This makes for
debugging the issue a bit more difficult.
Set ftrace_expected to the expected code before calling ftrace_bug, so
that it shows what was expected and why it failed.
Link: https://lore.kernel.org/all/CA+wXwBQ-VhK+hpBtYtyZP-NiX4g8fqRRWithFOHQW-0coQ3vLg@mail.gmail.com/
Link: https://lore.kernel.org/linux-trace-kernel/20221209105247.01d4e51d@gandalf.local.home
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "x86@kernel.org" <x86@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: stable@vger.kernel.org
Fixes: 768ae4406a5c ("x86/ftrace: Use text_poke()")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/ftrace.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/x86/kernel/ftrace.c
+++ b/arch/x86/kernel/ftrace.c
@@ -219,7 +219,9 @@ void ftrace_replace_code(int enable)
ret = ftrace_verify_code(rec->ip, old);
if (ret) {
+ ftrace_expected = old;
ftrace_bug(ret, rec);
+ ftrace_expected = NULL;
return;
}
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 639/783] x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (637 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 638/783] ftrace/x86: Add back ftrace_expected for ftrace bug reports Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 640/783] tracing/hist: Fix wrong return value in parse_action_params() Greg Kroah-Hartman
` (153 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra, Masami Hiramatsu (Google)
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit 1993bf97992df2d560287f3c4120eda57426843d upstream.
Since the CONFIG_RETHUNK and CONFIG_SLS will use INT3 for stopping
speculative execution after RET instruction, kprobes always failes to
check the probed instruction boundary by decoding the function body if
the probed address is after such sequence. (Note that some conditional
code blocks will be placed after function return, if compiler decides
it is not on the hot path.)
This is because kprobes expects kgdb puts the INT3 as a software
breakpoint and it will replace the original instruction.
But these INT3 are not such purpose, it doesn't need to recover the
original instruction.
To avoid this issue, kprobes checks whether the INT3 is owned by
kgdb or not, and if so, stop decoding and make it fail. The other
INT3 will come from CONFIG_RETHUNK/CONFIG_SLS and those can be
treated as a one-byte instruction.
Fixes: e463a09af2f0 ("x86: Add straight-line-speculation mitigation")
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/167146051026.1374301.392728975473572291.stgit@devnote3
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/kprobes/core.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -37,6 +37,7 @@
#include <linux/extable.h>
#include <linux/kdebug.h>
#include <linux/kallsyms.h>
+#include <linux/kgdb.h>
#include <linux/ftrace.h>
#include <linux/kasan.h>
#include <linux/moduleloader.h>
@@ -306,12 +307,15 @@ static int can_probe(unsigned long paddr
kernel_insn_init(&insn, (void *)__addr, MAX_INSN_SIZE);
insn_get_length(&insn);
+#ifdef CONFIG_KGDB
/*
- * Another debugging subsystem might insert this breakpoint.
- * In that case, we can't recover it.
+ * If there is a dynamically installed kgdb sw breakpoint,
+ * this function should not be probed.
*/
- if (insn.opcode.bytes[0] == INT3_INSN_OPCODE)
+ if (insn.opcode.bytes[0] == INT3_INSN_OPCODE &&
+ kgdb_has_hit_break(addr))
return 0;
+#endif
addr += insn.length;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 640/783] tracing/hist: Fix wrong return value in parse_action_params()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (638 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 639/783] x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 641/783] tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line Greg Kroah-Hartman
` (152 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, mhiramat, zanussi, Zheng Yejian,
Steven Rostedt (Google)
From: Zheng Yejian <zhengyejian1@huawei.com>
commit 2cc6a528882d0e0ccbc1bca5f95b8c963cedac54 upstream.
When number of synth fields is more than SYNTH_FIELDS_MAX,
parse_action_params() should return -EINVAL.
Link: https://lore.kernel.org/linux-trace-kernel/20221207034635.2253990-1-zhengyejian1@huawei.com
Cc: <mhiramat@kernel.org>
Cc: <zanussi@kernel.org>
Cc: stable@vger.kernel.org
Fixes: c282a386a397 ("tracing: Add 'onmatch' hist trigger action support")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_hist.c | 1 +
1 file changed, 1 insertion(+)
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -3115,6 +3115,7 @@ static int parse_action_params(struct tr
while (params) {
if (data->n_params >= SYNTH_FIELDS_MAX) {
hist_err(tr, HIST_ERR_TOO_MANY_PARAMS, 0);
+ ret = -EINVAL;
goto out;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 641/783] tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (639 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 640/783] tracing/hist: Fix wrong return value in parse_action_params() Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 642/783] staging: media: tegra-video: fix chan->mipi value on error Greg Kroah-Hartman
` (151 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Yang Jihong,
Steven Rostedt (Google)
From: Yang Jihong <yangjihong1@huawei.com>
commit c1ac03af6ed45d05786c219d102f37eb44880f28 upstream.
print_trace_line may overflow seq_file buffer. If the event is not
consumed, the while loop keeps peeking this event, causing a infinite loop.
Link: https://lkml.kernel.org/r/20221129113009.182425-1-yangjihong1@huawei.com
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: stable@vger.kernel.org
Fixes: 088b1e427dbba ("ftrace: pipe fixes")
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6371,7 +6371,20 @@ waitagain:
ret = print_trace_line(iter);
if (ret == TRACE_TYPE_PARTIAL_LINE) {
- /* don't print partial lines */
+ /*
+ * If one print_trace_line() fills entire trace_seq in one shot,
+ * trace_seq_to_user() will returns -EBUSY because save_len == 0,
+ * In this case, we need to consume it, otherwise, loop will peek
+ * this event next time, resulting in an infinite loop.
+ */
+ if (save_len == 0) {
+ iter->seq.full = 0;
+ trace_seq_puts(&iter->seq, "[LINE TOO BIG]\n");
+ trace_consume(iter);
+ break;
+ }
+
+ /* In other cases, don't print partial lines */
iter->seq.seq.len = save_len;
break;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 642/783] staging: media: tegra-video: fix chan->mipi value on error
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (640 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 641/783] tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 643/783] ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod Greg Kroah-Hartman
` (150 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Luca Ceresoli, Hans Verkuil
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
commit 10b5ce6743c839fa75336042c64e2479caec9430 upstream.
chan->mipi takes the return value of tegra_mipi_request() which can be a
valid pointer or an error. However chan->mipi is checked in several places,
including error-cleanup code in tegra_csi_channels_cleanup(), as 'if
(chan->mipi)', which suggests the initial intent was that chan->mipi should
be either NULL or a valid pointer, never an error. As a consequence,
cleanup code in case of tegra_mipi_request() errors would dereference an
invalid pointer.
Fix by ensuring chan->mipi always contains either NULL or a void pointer.
Also add that to the documentation.
Fixes: 523c857e34ce ("media: tegra-video: Add CSI MIPI pads calibration")
Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/tegra-video/csi.c | 1 +
drivers/staging/media/tegra-video/csi.h | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/staging/media/tegra-video/csi.c
+++ b/drivers/staging/media/tegra-video/csi.c
@@ -435,6 +435,7 @@ static int tegra_csi_channel_alloc(struc
chan->mipi = tegra_mipi_request(csi->dev, node);
if (IS_ERR(chan->mipi)) {
ret = PTR_ERR(chan->mipi);
+ chan->mipi = NULL;
dev_err(csi->dev, "failed to get mipi device: %d\n", ret);
}
--- a/drivers/staging/media/tegra-video/csi.h
+++ b/drivers/staging/media/tegra-video/csi.h
@@ -50,7 +50,7 @@ struct tegra_csi;
* @framerate: active framerate for TPG
* @h_blank: horizontal blanking for TPG active format
* @v_blank: vertical blanking for TPG active format
- * @mipi: mipi device for corresponding csi channel pads
+ * @mipi: mipi device for corresponding csi channel pads, or NULL if not applicable (TPG, error)
* @pixel_rate: active pixel rate from the sensor on this channel
*/
struct tegra_csi_channel {
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 643/783] ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (641 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 642/783] staging: media: tegra-video: fix chan->mipi value on error Greg Kroah-Hartman
@ 2023-01-12 13:55 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 644/783] media: dvb-core: Fix double free in dvb_register_device() Greg Kroah-Hartman
` (149 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Arnd Bergmann,
Nick Desaulniers, Russell King (Oracle)
From: Nick Desaulniers <ndesaulniers@google.com>
commit 3220022038b9a3845eea762af85f1c5694b9f861 upstream.
clang-15's ability to elide loops completely became more aggressive when
it can deduce how a variable is being updated in a loop. Counting down
one variable by an increment of another can be replaced by a modulo
operation.
For 64b variables on 32b ARM EABI targets, this can result in the
compiler generating calls to __aeabi_uldivmod, which it does for a do
while loop in float64_rem().
For the kernel, we'd generally prefer that developers not open code 64b
division via binary / operators and instead use the more explicit
helpers from div64.h. On arm-linux-gnuabi targets, failure to do so can
result in linkage failures due to undefined references to
__aeabi_uldivmod().
While developers can avoid open coding divisions on 64b variables, the
compiler doesn't know that the Linux kernel has a partial implementation
of a compiler runtime (--rtlib) to enforce this convention.
It's also undecidable for the compiler whether the code in question
would be faster to execute the loop vs elide it and do the 64b division.
While I actively avoid using the internal -mllvm command line flags, I
think we get better code than using barrier() here, which will force
reloads+spills in the loop for all toolchains.
Link: https://github.com/ClangBuiltLinux/linux/issues/1666
Reported-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/nwfpe/Makefile | 6 ++++++
1 file changed, 6 insertions(+)
--- a/arch/arm/nwfpe/Makefile
+++ b/arch/arm/nwfpe/Makefile
@@ -11,3 +11,9 @@ nwfpe-y += fpa11.o fpa11_cpdo.o fpa11
entry.o
nwfpe-$(CONFIG_FPE_NWFPE_XP) += extended_cpdo.o
+
+# Try really hard to avoid generating calls to __aeabi_uldivmod() from
+# float64_rem() due to loop elision.
+ifdef CONFIG_CC_IS_CLANG
+CFLAGS_softfloat.o += -mllvm -replexitval=never
+endif
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 644/783] media: dvb-core: Fix double free in dvb_register_device()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (642 preceding siblings ...)
2023-01-12 13:55 ` [PATCH 5.10 643/783] ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 645/783] media: dvb-core: Fix UAF due to refcount races at releasing Greg Kroah-Hartman
` (148 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wenwen Wang, Keita Suzuki,
Mauro Carvalho Chehab
From: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
commit 6b0d0477fce747d4137aa65856318b55fba72198 upstream.
In function dvb_register_device() -> dvb_register_media_device() ->
dvb_create_media_entity(), dvb->entity is allocated and initialized. If
the initialization fails, it frees the dvb->entity, and return an error
code. The caller takes the error code and handles the error by calling
dvb_media_device_free(), which unregisters the entity and frees the
field again if it is not NULL. As dvb->entity may not NULLed in
dvb_create_media_entity() when the allocation of dvbdev->pad fails, a
double free may occur. This may also cause an Use After free in
media_device_unregister_entity().
Fix this by storing NULL to dvb->entity when it is freed.
Link: https://lore.kernel.org/linux-media/20220426052921.2088416-1-keitasuzuki.park@sslab.ics.keio.ac.jp
Fixes: fcd5ce4b3936 ("media: dvb-core: fix a memory leak bug")
Cc: stable@vger.kernel.org
Cc: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-core/dvbdev.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -345,6 +345,7 @@ static int dvb_create_media_entity(struc
GFP_KERNEL);
if (!dvbdev->pads) {
kfree(dvbdev->entity);
+ dvbdev->entity = NULL;
return -ENOMEM;
}
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 645/783] media: dvb-core: Fix UAF due to refcount races at releasing
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (643 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 644/783] media: dvb-core: Fix double free in dvb_register_device() Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 646/783] cifs: fix confusing debug message Greg Kroah-Hartman
` (147 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Takashi Iwai, Hans Verkuil
From: Takashi Iwai <tiwai@suse.de>
commit fd3d91ab1c6ab0628fe642dd570b56302c30a792 upstream.
The dvb-core tries to sync the releases of opened files at
dvb_dmxdev_release() with two refcounts: dvbdev->users and
dvr_dvbdev->users. A problem is present in those two syncs: when yet
another dvb_demux_open() is called during those sync waits,
dvb_demux_open() continues to process even if the device is being
closed. This includes the increment of the former refcount, resulting
in the leftover refcount after the sync of the latter refcount at
dvb_dmxdev_release(). It ends up with use-after-free, since the
function believes that all usages were gone and releases the
resources.
This patch addresses the problem by adding the check of dmxdev->exit
flag at dvb_demux_open(), just like dvb_dvr_open() already does. With
the exit flag check, the second call of dvb_demux_open() fails, hence
the further corruption can be avoided.
Also for avoiding the races of the dmxdev->exit flag reference, this
patch serializes the dmxdev->exit set up and the sync waits with the
dmxdev->mutex lock at dvb_dmxdev_release(). Without the mutex lock,
dvb_demux_open() (or dvb_dvr_open()) may run concurrently with
dvb_dmxdev_release(), which allows to skip the exit flag check and
continue the open process that is being closed.
CVE-2022-41218 is assigned to those bugs above.
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/20220908132754.30532-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/dvb-core/dmxdev.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/media/dvb-core/dmxdev.c
+++ b/drivers/media/dvb-core/dmxdev.c
@@ -800,6 +800,11 @@ static int dvb_demux_open(struct inode *
if (mutex_lock_interruptible(&dmxdev->mutex))
return -ERESTARTSYS;
+ if (dmxdev->exit) {
+ mutex_unlock(&dmxdev->mutex);
+ return -ENODEV;
+ }
+
for (i = 0; i < dmxdev->filternum; i++)
if (dmxdev->filter[i].state == DMXDEV_STATE_FREE)
break;
@@ -1458,7 +1463,10 @@ EXPORT_SYMBOL(dvb_dmxdev_init);
void dvb_dmxdev_release(struct dmxdev *dmxdev)
{
+ mutex_lock(&dmxdev->mutex);
dmxdev->exit = 1;
+ mutex_unlock(&dmxdev->mutex);
+
if (dmxdev->dvbdev->users > 1) {
wait_event(dmxdev->dvbdev->wait_queue,
dmxdev->dvbdev->users == 1);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 646/783] cifs: fix confusing debug message
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (644 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 645/783] media: dvb-core: Fix UAF due to refcount races at releasing Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 647/783] cifs: fix missing display of three mount options Greg Kroah-Hartman
` (146 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (SUSE), Steve French
From: Paulo Alcantara <pc@cjr.nz>
commit a85ceafd41927e41a4103d228a993df7edd8823b upstream.
Since rc was initialised to -ENOMEM in cifs_get_smb_ses(), when an
existing smb session was found, free_xid() would be called and then
print
CIFS: fs/cifs/connect.c: Existing tcp session with server found
CIFS: fs/cifs/connect.c: VFS: in cifs_get_smb_ses as Xid: 44 with uid: 0
CIFS: fs/cifs/connect.c: Existing smb sess found (status=1)
CIFS: fs/cifs/connect.c: VFS: leaving cifs_get_smb_ses (xid = 44) rc = -12
Fix this by initialising rc to 0 and then let free_xid() print this
instead
CIFS: fs/cifs/connect.c: Existing tcp session with server found
CIFS: fs/cifs/connect.c: VFS: in cifs_get_smb_ses as Xid: 14 with uid: 0
CIFS: fs/cifs/connect.c: Existing smb sess found (status=1)
CIFS: fs/cifs/connect.c: VFS: leaving cifs_get_smb_ses (xid = 14) rc = 0
Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/connect.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3038,7 +3038,7 @@ cifs_set_cifscreds(struct smb_vol *vol _
struct cifs_ses *
cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
{
- int rc = -ENOMEM;
+ int rc = 0;
unsigned int xid;
struct cifs_ses *ses;
struct sockaddr_in *addr = (struct sockaddr_in *)&server->dstaddr;
@@ -3080,6 +3080,8 @@ cifs_get_smb_ses(struct TCP_Server_Info
return ses;
}
+ rc = -ENOMEM;
+
cifs_dbg(FYI, "Existing smb sess not found\n");
ses = sesInfoAlloc();
if (ses == NULL)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 647/783] cifs: fix missing display of three mount options
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (645 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 646/783] cifs: fix confusing debug message Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 648/783] rtc: ds1347: fix value written to century register Greg Kroah-Hartman
` (145 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (SUSE), Steve French
From: Steve French <stfrench@microsoft.com>
commit 2bfd81043e944af0e52835ef6d9b41795af22341 upstream.
Three mount options: "tcpnodelay" and "noautotune" and "noblocksend"
were not displayed when passed in on cifs/smb3 mounts (e.g. displayed
in /proc/mounts e.g.). No change to defaults so these are not
displayed if not specified on mount.
Cc: stable@vger.kernel.org
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsfs.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -619,9 +619,15 @@ cifs_show_options(struct seq_file *s, st
seq_printf(s, ",echo_interval=%lu",
tcon->ses->server->echo_interval / HZ);
- /* Only display max_credits if it was overridden on mount */
+ /* Only display the following if overridden on mount */
if (tcon->ses->server->max_credits != SMB2_MAX_CREDITS_AVAILABLE)
seq_printf(s, ",max_credits=%u", tcon->ses->server->max_credits);
+ if (tcon->ses->server->tcp_nodelay)
+ seq_puts(s, ",tcpnodelay");
+ if (tcon->ses->server->noautotune)
+ seq_puts(s, ",noautotune");
+ if (tcon->ses->server->noblocksnd)
+ seq_puts(s, ",noblocksend");
if (tcon->snapshot_time)
seq_printf(s, ",snapshot=%llu", tcon->snapshot_time);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 648/783] rtc: ds1347: fix value written to century register
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (646 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 647/783] cifs: fix missing display of three mount options Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 649/783] md/bitmap: Fix bitmap chunk size overflow issues Greg Kroah-Hartman
` (144 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott, Alexandre Belloni
From: Ian Abbott <abbotti@mev.co.uk>
commit 4dfe05bdc1ade79b943d4979a2e2a8b5ef68fbb5 upstream.
In `ds1347_set_time()`, the wrong value is being written to the
`DS1347_CENTURY_REG` register. It needs to be converted to BCD. Fix
it.
Fixes: 147dae76dbb9 ("rtc: ds1347: handle century register")
Cc: <stable@vger.kernel.org> # v5.5+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20221027163249.447416-1-abbotti@mev.co.uk
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/rtc-ds1347.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/rtc/rtc-ds1347.c
+++ b/drivers/rtc/rtc-ds1347.c
@@ -112,7 +112,7 @@ static int ds1347_set_time(struct device
return err;
century = (dt->tm_year / 100) + 19;
- err = regmap_write(map, DS1347_CENTURY_REG, century);
+ err = regmap_write(map, DS1347_CENTURY_REG, bin2bcd(century));
if (err)
return err;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 649/783] md/bitmap: Fix bitmap chunk size overflow issues
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (647 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 648/783] rtc: ds1347: fix value written to century register Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 650/783] efi: Add iMac Pro 2017 to uefi skip cert quirk Greg Kroah-Hartman
` (143 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian-Ewald Mueller, Jack Wang, Song Liu
From: Florian-Ewald Mueller <florian-ewald.mueller@ionos.com>
commit 4555211190798b6b6fa2c37667d175bf67945c78 upstream.
- limit bitmap chunk size internal u64 variable to values not overflowing
the u32 bitmap superblock structure variable stored on persistent media
- assign bitmap chunk size internal u64 variable from unsigned values to
avoid possible sign extension artifacts when assigning from a s32 value
The bug has been there since at least kernel 4.0.
Steps to reproduce it:
1: mdadm -C /dev/mdx -l 1 --bitmap=internal --bitmap-chunk=256M -e 1.2
-n2 /dev/rnbd1 /dev/rnbd2
2 resize member device rnbd1 and rnbd2 to 8 TB
3 mdadm --grow /dev/mdx --size=max
The bitmap_chunksize will overflow without patch.
Cc: stable@vger.kernel.org
Signed-off-by: Florian-Ewald Mueller <florian-ewald.mueller@ionos.com>
Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/md-bitmap.c | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/drivers/md/md-bitmap.c
+++ b/drivers/md/md-bitmap.c
@@ -486,7 +486,7 @@ void md_bitmap_print_sb(struct bitmap *b
sb = kmap_atomic(bitmap->storage.sb_page);
pr_debug("%s: bitmap file superblock:\n", bmname(bitmap));
pr_debug(" magic: %08x\n", le32_to_cpu(sb->magic));
- pr_debug(" version: %d\n", le32_to_cpu(sb->version));
+ pr_debug(" version: %u\n", le32_to_cpu(sb->version));
pr_debug(" uuid: %08x.%08x.%08x.%08x\n",
le32_to_cpu(*(__le32 *)(sb->uuid+0)),
le32_to_cpu(*(__le32 *)(sb->uuid+4)),
@@ -497,11 +497,11 @@ void md_bitmap_print_sb(struct bitmap *b
pr_debug("events cleared: %llu\n",
(unsigned long long) le64_to_cpu(sb->events_cleared));
pr_debug(" state: %08x\n", le32_to_cpu(sb->state));
- pr_debug(" chunksize: %d B\n", le32_to_cpu(sb->chunksize));
- pr_debug(" daemon sleep: %ds\n", le32_to_cpu(sb->daemon_sleep));
+ pr_debug(" chunksize: %u B\n", le32_to_cpu(sb->chunksize));
+ pr_debug(" daemon sleep: %us\n", le32_to_cpu(sb->daemon_sleep));
pr_debug(" sync size: %llu KB\n",
(unsigned long long)le64_to_cpu(sb->sync_size)/2);
- pr_debug("max write behind: %d\n", le32_to_cpu(sb->write_behind));
+ pr_debug("max write behind: %u\n", le32_to_cpu(sb->write_behind));
kunmap_atomic(sb);
}
@@ -2106,7 +2106,8 @@ int md_bitmap_resize(struct bitmap *bitm
bytes = DIV_ROUND_UP(chunks, 8);
if (!bitmap->mddev->bitmap_info.external)
bytes += sizeof(bitmap_super_t);
- } while (bytes > (space << 9));
+ } while (bytes > (space << 9) && (chunkshift + BITMAP_BLOCK_SHIFT) <
+ (BITS_PER_BYTE * sizeof(((bitmap_super_t *)0)->chunksize) - 1));
} else
chunkshift = ffz(~chunksize) - BITMAP_BLOCK_SHIFT;
@@ -2151,7 +2152,7 @@ int md_bitmap_resize(struct bitmap *bitm
bitmap->counts.missing_pages = pages;
bitmap->counts.chunkshift = chunkshift;
bitmap->counts.chunks = chunks;
- bitmap->mddev->bitmap_info.chunksize = 1 << (chunkshift +
+ bitmap->mddev->bitmap_info.chunksize = 1UL << (chunkshift +
BITMAP_BLOCK_SHIFT);
blocks = min(old_counts.chunks << old_counts.chunkshift,
@@ -2177,8 +2178,8 @@ int md_bitmap_resize(struct bitmap *bitm
bitmap->counts.missing_pages = old_counts.pages;
bitmap->counts.chunkshift = old_counts.chunkshift;
bitmap->counts.chunks = old_counts.chunks;
- bitmap->mddev->bitmap_info.chunksize = 1 << (old_counts.chunkshift +
- BITMAP_BLOCK_SHIFT);
+ bitmap->mddev->bitmap_info.chunksize =
+ 1UL << (old_counts.chunkshift + BITMAP_BLOCK_SHIFT);
blocks = old_counts.chunks << old_counts.chunkshift;
pr_warn("Could not pre-allocate in-memory bitmap for cluster raid\n");
break;
@@ -2519,6 +2520,9 @@ chunksize_store(struct mddev *mddev, con
if (csize < 512 ||
!is_power_of_2(csize))
return -EINVAL;
+ if (BITS_PER_LONG > 32 && csize >= (1ULL << (BITS_PER_BYTE *
+ sizeof(((bitmap_super_t *)0)->chunksize))))
+ return -EOVERFLOW;
mddev->bitmap_info.chunksize = csize;
return len;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 650/783] efi: Add iMac Pro 2017 to uefi skip cert quirk
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (648 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 649/783] md/bitmap: Fix bitmap chunk size overflow issues Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 651/783] wifi: wilc1000: sdio: fix module autoloading Greg Kroah-Hartman
` (142 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aditya Garg, Mimi Zohar
From: Aditya Garg <gargaditya08@live.com>
commit 0be56a116220f9e5731a6609e66a11accfe8d8e2 upstream.
The iMac Pro 2017 is also a T2 Mac. Thus add it to the list of uefi skip
cert.
Cc: stable@vger.kernel.org
Fixes: 155ca952c7ca ("efi: Do not import certificates from UEFI Secure Boot for T2 Macs")
Link: https://lore.kernel.org/linux-integrity/9D46D92F-1381-4F10-989C-1A12CD2FFDD8@live.com/
Signed-off-by: Aditya Garg <gargaditya08@live.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/integrity/platform_certs/load_uefi.c | 1 +
1 file changed, 1 insertion(+)
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -34,6 +34,7 @@ static const struct dmi_system_id uefi_s
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
+ { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMacPro1,1") },
{ }
};
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 651/783] wifi: wilc1000: sdio: fix module autoloading
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (649 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 650/783] efi: Add iMac Pro 2017 to uefi skip cert quirk Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 652/783] ASoC: jz4740-i2s: Handle independent FIFO flush bits Greg Kroah-Hartman
` (141 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Walle, Kalle Valo
From: Michael Walle <michael@walle.cc>
commit 57d545b5a3d6ce3a8fb6b093f02bfcbb908973f3 upstream.
There are no SDIO module aliases included in the driver, therefore,
module autoloading isn't working. Add the proper MODULE_DEVICE_TABLE().
Cc: stable@vger.kernel.org
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221027171221.491937-1-michael@walle.cc
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/microchip/wilc1000/sdio.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/microchip/wilc1000/sdio.c
+++ b/drivers/net/wireless/microchip/wilc1000/sdio.c
@@ -20,6 +20,7 @@ static const struct sdio_device_id wilc_
{ SDIO_DEVICE(SDIO_VENDOR_ID_MICROCHIP_WILC, SDIO_DEVICE_ID_MICROCHIP_WILC1000) },
{ },
};
+MODULE_DEVICE_TABLE(sdio, wilc_sdio_ids);
#define WILC_SDIO_BLOCK_SIZE 512
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 652/783] ASoC: jz4740-i2s: Handle independent FIFO flush bits
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (650 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 651/783] wifi: wilc1000: sdio: fix module autoloading Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 653/783] ipmi: fix long wait in unload when IPMI disconnect Greg Kroah-Hartman
` (140 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul Cercueil, Aidan MacDonald, Mark Brown
From: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
commit 8b3a9ad86239f80ed569e23c3954a311f66481d6 upstream.
On the JZ4740, there is a single bit that flushes (empties) both
the transmit and receive FIFO. Later SoCs have independent flush
bits for each FIFO.
Independent FIFOs can be flushed before the snd_soc_dai_active()
check because it won't disturb other active streams. This ensures
that the FIFO we're about to use is always flushed before starting
up. With shared FIFOs we can't do that because if another substream
is active, flushing its FIFO would cause underrun errors.
This also fixes a bug: since we were only setting the JZ4740's
flush bit, which corresponds to the TX FIFO flush bit on other
SoCs, other SoCs were not having their RX FIFO flushed at all.
Fixes: 967beb2e8777 ("ASoC: jz4740: Add jz4780 support")
Reviewed-by: Paul Cercueil <paul@crapouillou.net>
Cc: stable@vger.kernel.org
Signed-off-by: Aidan MacDonald <aidanmacdonald.0x0@gmail.com>
Link: https://lore.kernel.org/r/20221023143328.160866-2-aidanmacdonald.0x0@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/jz4740/jz4740-i2s.c | 39 ++++++++++++++++++++++++++++++++++-----
1 file changed, 34 insertions(+), 5 deletions(-)
--- a/sound/soc/jz4740/jz4740-i2s.c
+++ b/sound/soc/jz4740/jz4740-i2s.c
@@ -59,7 +59,8 @@
#define JZ_AIC_CTRL_MONO_TO_STEREO BIT(11)
#define JZ_AIC_CTRL_SWITCH_ENDIANNESS BIT(10)
#define JZ_AIC_CTRL_SIGNED_TO_UNSIGNED BIT(9)
-#define JZ_AIC_CTRL_FLUSH BIT(8)
+#define JZ_AIC_CTRL_TFLUSH BIT(8)
+#define JZ_AIC_CTRL_RFLUSH BIT(7)
#define JZ_AIC_CTRL_ENABLE_ROR_INT BIT(6)
#define JZ_AIC_CTRL_ENABLE_TUR_INT BIT(5)
#define JZ_AIC_CTRL_ENABLE_RFS_INT BIT(4)
@@ -94,6 +95,8 @@ enum jz47xx_i2s_version {
struct i2s_soc_info {
enum jz47xx_i2s_version version;
struct snd_soc_dai_driver *dai;
+
+ bool shared_fifo_flush;
};
struct jz4740_i2s {
@@ -122,19 +125,44 @@ static inline void jz4740_i2s_write(cons
writel(value, i2s->base + reg);
}
+static inline void jz4740_i2s_set_bits(const struct jz4740_i2s *i2s,
+ unsigned int reg, uint32_t bits)
+{
+ uint32_t value = jz4740_i2s_read(i2s, reg);
+ value |= bits;
+ jz4740_i2s_write(i2s, reg, value);
+}
+
static int jz4740_i2s_startup(struct snd_pcm_substream *substream,
struct snd_soc_dai *dai)
{
struct jz4740_i2s *i2s = snd_soc_dai_get_drvdata(dai);
- uint32_t conf, ctrl;
+ uint32_t conf;
int ret;
+ /*
+ * When we can flush FIFOs independently, only flush the FIFO
+ * that is starting up. We can do this when the DAI is active
+ * because it does not disturb other active substreams.
+ */
+ if (!i2s->soc_info->shared_fifo_flush) {
+ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_TFLUSH);
+ else
+ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_RFLUSH);
+ }
+
if (snd_soc_dai_active(dai))
return 0;
- ctrl = jz4740_i2s_read(i2s, JZ_REG_AIC_CTRL);
- ctrl |= JZ_AIC_CTRL_FLUSH;
- jz4740_i2s_write(i2s, JZ_REG_AIC_CTRL, ctrl);
+ /*
+ * When there is a shared flush bit for both FIFOs, the TFLUSH
+ * bit flushes both FIFOs. Flushing while the DAI is active would
+ * cause FIFO underruns in other active substreams so we have to
+ * guard this behind the snd_soc_dai_active() check.
+ */
+ if (i2s->soc_info->shared_fifo_flush)
+ jz4740_i2s_set_bits(i2s, JZ_REG_AIC_CTRL, JZ_AIC_CTRL_TFLUSH);
ret = clk_prepare_enable(i2s->clk_i2s);
if (ret)
@@ -467,6 +495,7 @@ static struct snd_soc_dai_driver jz4740_
static const struct i2s_soc_info jz4740_i2s_soc_info = {
.version = JZ_I2S_JZ4740,
.dai = &jz4740_i2s_dai,
+ .shared_fifo_flush = true,
};
static const struct i2s_soc_info jz4760_i2s_soc_info = {
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 653/783] ipmi: fix long wait in unload when IPMI disconnect
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (651 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 652/783] ASoC: jz4740-i2s: Handle independent FIFO flush bits Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 654/783] mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type() Greg Kroah-Hartman
` (139 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhang Yuchen, Corey Minyard
From: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
commit f6f1234d98cce69578bfac79df147a1f6660596c upstream.
When fixing the problem mentioned in PATCH1, we also found
the following problem:
If the IPMI is disconnected and in the sending process, the
uninstallation driver will be stuck for a long time.
The main problem is that uninstalling the driver waits for curr_msg to
be sent or HOSED. After stopping tasklet, the only place to trigger the
timeout mechanism is the circular poll in shutdown_smi.
The poll function delays 10us and calls smi_event_handler(smi_info,10).
Smi_event_handler deducts 10us from kcs->ibf_timeout.
But the poll func is followed by schedule_timeout_uninterruptible(1).
The time consumed here is not counted in kcs->ibf_timeout.
So when 10us is deducted from kcs->ibf_timeout, at least 1 jiffies has
actually passed. The waiting time has increased by more than a
hundredfold.
Now instead of calling poll(). call smi_event_handler() directly and
calculate the elapsed time.
For verification, you can directly use ebpf to check the kcs->
ibf_timeout for each call to kcs_event() when IPMI is disconnected.
Decrement at normal rate before unloading. The decrement rate becomes
very slow after unloading.
$ bpftrace -e 'kprobe:kcs_event {printf("kcs->ibftimeout : %d\n",
*(arg0+584));}'
Signed-off-by: Zhang Yuchen <zhangyuchen.lcr@bytedance.com>
Message-Id: <20221007092617.87597-3-zhangyuchen.lcr@bytedance.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_si_intf.c | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
--- a/drivers/char/ipmi/ipmi_si_intf.c
+++ b/drivers/char/ipmi/ipmi_si_intf.c
@@ -2160,6 +2160,20 @@ skip_fallback_noirq:
}
module_init(init_ipmi_si);
+static void wait_msg_processed(struct smi_info *smi_info)
+{
+ unsigned long jiffies_now;
+ long time_diff;
+
+ while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) {
+ jiffies_now = jiffies;
+ time_diff = (((long)jiffies_now - (long)smi_info->last_timeout_jiffies)
+ * SI_USEC_PER_JIFFY);
+ smi_event_handler(smi_info, time_diff);
+ schedule_timeout_uninterruptible(1);
+ }
+}
+
static void shutdown_smi(void *send_info)
{
struct smi_info *smi_info = send_info;
@@ -2194,16 +2208,13 @@ static void shutdown_smi(void *send_info
* in the BMC. Note that timers and CPU interrupts are off,
* so no need for locks.
*/
- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) {
- poll(smi_info);
- schedule_timeout_uninterruptible(1);
- }
+ wait_msg_processed(smi_info);
+
if (smi_info->handlers)
disable_si_irq(smi_info);
- while (smi_info->curr_msg || (smi_info->si_state != SI_NORMAL)) {
- poll(smi_info);
- schedule_timeout_uninterruptible(1);
- }
+
+ wait_msg_processed(smi_info);
+
if (smi_info->handlers)
smi_info->handlers->cleanup(smi_info->si_sm);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 654/783] mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (652 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 653/783] ipmi: fix long wait in unload when IPMI disconnect Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 655/783] ima: Fix a potential NULL pointer access in ima_restore_measurement_list Greg Kroah-Hartman
` (138 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Sverdlin, Tudor Ambarus
From: Alexander Sverdlin <alexander.sverdlin@nokia.com>
commit 2ebc336be08160debfe27f87660cf550d710f3e9 upstream.
Erase can be zeroed in spi_nor_parse_4bait() or
spi_nor_init_non_uniform_erase_map(). In practice it happened with
mt25qu256a, which supports 4K, 32K, 64K erases with 3b address commands,
but only 4K and 64K erase with 4b address commands.
Fixes: dc92843159a7 ("mtd: spi-nor: fix erase_type array to indicate current map conf")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211119081412.29732-1-alexander.sverdlin@nokia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/spi-nor/core.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/mtd/spi-nor/core.c
+++ b/drivers/mtd/spi-nor/core.c
@@ -1220,6 +1220,8 @@ spi_nor_find_best_erase_type(const struc
continue;
erase = &map->erase_type[i];
+ if (!erase->size)
+ continue;
/* Alignment is not mandatory for overlaid regions */
if (region->offset & SNOR_OVERLAID_REGION &&
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 655/783] ima: Fix a potential NULL pointer access in ima_restore_measurement_list
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (653 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 654/783] mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type() Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 656/783] ipmi: fix use after free in _ipmi_destroy_user() Greg Kroah-Hartman
` (137 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jiaming Li, Huaxin Lu,
Stefan Berger, Mimi Zohar
From: Huaxin Lu <luhuaxin1@huawei.com>
commit 11220db412edae8dba58853238f53258268bdb88 upstream.
In restore_template_fmt, when kstrdup fails, a non-NULL value will still be
returned, which causes a NULL pointer access in template_desc_init_fields.
Fixes: c7d09367702e ("ima: support restoring multiple template formats")
Cc: stable@kernel.org
Co-developed-by: Jiaming Li <lijiaming30@huawei.com>
Signed-off-by: Jiaming Li <lijiaming30@huawei.com>
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/integrity/ima/ima_template.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/security/integrity/ima/ima_template.c
+++ b/security/integrity/ima/ima_template.c
@@ -290,8 +290,11 @@ static struct ima_template_desc *restore
template_desc->name = "";
template_desc->fmt = kstrdup(template_name, GFP_KERNEL);
- if (!template_desc->fmt)
+ if (!template_desc->fmt) {
+ kfree(template_desc);
+ template_desc = NULL;
goto out;
+ }
spin_lock(&template_list);
list_add_tail_rcu(&template_desc->list, &defined_templates);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 656/783] ipmi: fix use after free in _ipmi_destroy_user()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (654 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 655/783] ima: Fix a potential NULL pointer access in ima_restore_measurement_list Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 657/783] PCI: Fix pci_device_is_present() for VFs by checking PF Greg Kroah-Hartman
` (136 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Corey Minyard
From: Dan Carpenter <error27@gmail.com>
commit a92ce570c81dc0feaeb12a429b4bc65686d17967 upstream.
The intf_free() function frees the "intf" pointer so we cannot
dereference it again on the next line.
Fixes: cbb79863fc31 ("ipmi: Don't allow device module unload when in use")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Message-Id: <Y3M8xa1drZv4CToE@kili>
Cc: <stable@vger.kernel.org> # 5.5+
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/ipmi/ipmi_msghandler.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -1284,6 +1284,7 @@ static void _ipmi_destroy_user(struct ip
unsigned long flags;
struct cmd_rcvr *rcvr;
struct cmd_rcvr *rcvrs = NULL;
+ struct module *owner;
if (!acquire_ipmi_user(user, &i)) {
/*
@@ -1345,8 +1346,9 @@ static void _ipmi_destroy_user(struct ip
kfree(rcvr);
}
+ owner = intf->owner;
kref_put(&intf->refcount, intf_free);
- module_put(intf->owner);
+ module_put(owner);
}
int ipmi_destroy_user(struct ipmi_user *user)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 657/783] PCI: Fix pci_device_is_present() for VFs by checking PF
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (655 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 656/783] ipmi: fix use after free in _ipmi_destroy_user() Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 658/783] PCI/sysfs: Fix double free in error path Greg Kroah-Hartman
` (135 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wei Gong, Michael S. Tsirkin, Bjorn Helgaas
From: Michael S. Tsirkin <mst@redhat.com>
commit 98b04dd0b4577894520493d96bc4623387767445 upstream.
pci_device_is_present() previously didn't work for VFs because it reads the
Vendor and Device ID, which are 0xffff for VFs, which looks like they
aren't present. Check the PF instead.
Wei Gong reported that if virtio I/O is in progress when the driver is
unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O
operation hangs, which may result in output like this:
task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002
Call Trace:
schedule+0x4f/0xc0
blk_mq_freeze_queue_wait+0x69/0xa0
blk_mq_freeze_queue+0x1b/0x20
blk_cleanup_queue+0x3d/0xd0
virtblk_remove+0x3c/0xb0 [virtio_blk]
virtio_dev_remove+0x4b/0x80
...
device_unregister+0x1b/0x60
unregister_virtio_device+0x18/0x30
virtio_pci_remove+0x41/0x80
pci_device_remove+0x3e/0xb0
This happened because pci_device_is_present(VF) returned "false" in
virtio_pci_remove(), so it called virtio_break_device(). The broken vq
meant that vring_interrupt() skipped the vq.callback() that would have
completed the virtio I/O operation via virtblk_done().
[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag]
Link: https://lore.kernel.org/r/20221026060912.173250-1-mst@redhat.com
Reported-by: Wei Gong <gongwei833x@gmail.com>
Tested-by: Wei Gong <gongwei833x@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/pci/pci.c
+++ b/drivers/pci/pci.c
@@ -6152,6 +6152,8 @@ bool pci_device_is_present(struct pci_de
{
u32 v;
+ /* Check PF if pdev is a VF, since VF Vendor/Device IDs are 0xffff */
+ pdev = pci_physfn(pdev);
if (pci_dev_is_disconnected(pdev))
return false;
return pci_bus_read_dev_vendor_id(pdev->bus, pdev->devfn, &v, 0);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 658/783] PCI/sysfs: Fix double free in error path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (656 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 657/783] PCI: Fix pci_device_is_present() for VFs by checking PF Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 659/783] crypto: n2 - add missing hash statesize Greg Kroah-Hartman
` (134 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sascha Hauer, Bjorn Helgaas
From: Sascha Hauer <s.hauer@pengutronix.de>
commit aa382ffa705bea9931ec92b6f3c70e1fdb372195 upstream.
When pci_create_attr() fails, pci_remove_resource_files() is called which
will iterate over the res_attr[_wc] arrays and frees every non NULL entry.
To avoid a double free here set the array entry only after it's clear we
successfully initialized it.
Fixes: b562ec8f74e4 ("PCI: Don't leak memory if sysfs_create_bin_file() fails")
Link: https://lore.kernel.org/r/20221007070735.GX986@pengutronix.de/
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/pci-sysfs.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -1141,11 +1141,9 @@ static int pci_create_attr(struct pci_de
sysfs_bin_attr_init(res_attr);
if (write_combine) {
- pdev->res_attr_wc[num] = res_attr;
sprintf(res_attr_name, "resource%d_wc", num);
res_attr->mmap = pci_mmap_resource_wc;
} else {
- pdev->res_attr[num] = res_attr;
sprintf(res_attr_name, "resource%d", num);
if (pci_resource_flags(pdev, num) & IORESOURCE_IO) {
res_attr->read = pci_read_resource_io;
@@ -1161,10 +1159,17 @@ static int pci_create_attr(struct pci_de
res_attr->size = pci_resource_len(pdev, num);
res_attr->private = (void *)(unsigned long)num;
retval = sysfs_create_bin_file(&pdev->dev.kobj, res_attr);
- if (retval)
+ if (retval) {
kfree(res_attr);
+ return retval;
+ }
+
+ if (write_combine)
+ pdev->res_attr_wc[num] = res_attr;
+ else
+ pdev->res_attr[num] = res_attr;
- return retval;
+ return 0;
}
/**
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 659/783] crypto: n2 - add missing hash statesize
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (657 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 658/783] PCI/sysfs: Fix double free in error path Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 660/783] driver core: Fix bus_type.match() error handling in __driver_attach() Greg Kroah-Hartman
` (133 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rolf Eike Beer, Corentin Labbe,
Herbert Xu, stable
From: Corentin Labbe <clabbe@baylibre.com>
commit 76a4e874593543a2dff91d249c95bac728df2774 upstream.
Add missing statesize to hash templates.
This is mandatory otherwise no algorithms can be registered as the core
requires statesize to be set.
CC: stable@kernel.org # 4.3+
Reported-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
Fixes: 0a625fd2abaa ("crypto: n2 - Add Niagara2 crypto driver")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/n2_core.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/crypto/n2_core.c
+++ b/drivers/crypto/n2_core.c
@@ -1228,6 +1228,7 @@ struct n2_hash_tmpl {
const u8 *hash_init;
u8 hw_op_hashsz;
u8 digest_size;
+ u8 statesize;
u8 block_size;
u8 auth_type;
u8 hmac_type;
@@ -1259,6 +1260,7 @@ static const struct n2_hash_tmpl hash_tm
.hmac_type = AUTH_TYPE_HMAC_MD5,
.hw_op_hashsz = MD5_DIGEST_SIZE,
.digest_size = MD5_DIGEST_SIZE,
+ .statesize = sizeof(struct md5_state),
.block_size = MD5_HMAC_BLOCK_SIZE },
{ .name = "sha1",
.hash_zero = sha1_zero_message_hash,
@@ -1267,6 +1269,7 @@ static const struct n2_hash_tmpl hash_tm
.hmac_type = AUTH_TYPE_HMAC_SHA1,
.hw_op_hashsz = SHA1_DIGEST_SIZE,
.digest_size = SHA1_DIGEST_SIZE,
+ .statesize = sizeof(struct sha1_state),
.block_size = SHA1_BLOCK_SIZE },
{ .name = "sha256",
.hash_zero = sha256_zero_message_hash,
@@ -1275,6 +1278,7 @@ static const struct n2_hash_tmpl hash_tm
.hmac_type = AUTH_TYPE_HMAC_SHA256,
.hw_op_hashsz = SHA256_DIGEST_SIZE,
.digest_size = SHA256_DIGEST_SIZE,
+ .statesize = sizeof(struct sha256_state),
.block_size = SHA256_BLOCK_SIZE },
{ .name = "sha224",
.hash_zero = sha224_zero_message_hash,
@@ -1283,6 +1287,7 @@ static const struct n2_hash_tmpl hash_tm
.hmac_type = AUTH_TYPE_RESERVED,
.hw_op_hashsz = SHA256_DIGEST_SIZE,
.digest_size = SHA224_DIGEST_SIZE,
+ .statesize = sizeof(struct sha256_state),
.block_size = SHA224_BLOCK_SIZE },
};
#define NUM_HASH_TMPLS ARRAY_SIZE(hash_tmpls)
@@ -1423,6 +1428,7 @@ static int __n2_register_one_ahash(const
halg = &ahash->halg;
halg->digestsize = tmpl->digest_size;
+ halg->statesize = tmpl->statesize;
base = &halg->base;
snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", tmpl->name);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 660/783] driver core: Fix bus_type.match() error handling in __driver_attach()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (658 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 659/783] crypto: n2 - add missing hash statesize Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 661/783] iommu/amd: Fix ivrs_acpihid cmdline parsing code Greg Kroah-Hartman
` (132 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Saravana Kannan, Isaac J. Manjarres
From: Isaac J. Manjarres <isaacmanjarres@google.com>
commit 27c0d217340e47ec995557f61423ef415afba987 upstream.
When a driver registers with a bus, it will attempt to match with every
device on the bus through the __driver_attach() function. Currently, if
the bus_type.match() function encounters an error that is not
-EPROBE_DEFER, __driver_attach() will return a negative error code, which
causes the driver registration logic to stop trying to match with the
remaining devices on the bus.
This behavior is not correct; a failure while matching a driver to a
device does not mean that the driver won't be able to match and bind
with other devices on the bus. Update the logic in __driver_attach()
to reflect this.
Fixes: 656b8035b0ee ("ARM: 8524/1: driver cohandle -EPROBE_DEFER from bus_type.match()")
Cc: stable@vger.kernel.org
Cc: Saravana Kannan <saravanak@google.com>
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
Link: https://lore.kernel.org/r/20220921001414.4046492-1-isaacmanjarres@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/dd.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -1088,7 +1088,11 @@ static int __driver_attach(struct device
return 0;
} else if (ret < 0) {
dev_dbg(dev, "Bus failed to match device: %d\n", ret);
- return ret;
+ /*
+ * Driver could not match with device, but may match with
+ * another device on the bus.
+ */
+ return 0;
} /* ret > 0 means positive match */
if (driver_allows_async_probing(drv)) {
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 661/783] iommu/amd: Fix ivrs_acpihid cmdline parsing code
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (659 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 660/783] driver core: Fix bus_type.match() error handling in __driver_attach() Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 662/783] remoteproc: core: Do pm_relax when in RPROC_OFFLINE state Greg Kroah-Hartman
` (131 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kim Phillips, Suravee Suthikulpanit,
Joerg Roedel
From: Kim Phillips <kim.phillips@amd.com>
commit 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf upstream.
The second (UID) strcmp in acpi_dev_hid_uid_match considers
"0" and "00" different, which can prevent device registration.
Have the AMD IOMMU driver's ivrs_acpihid parsing code remove
any leading zeroes to make the UID strcmp succeed. Now users
can safely specify "AMDxxxxx:00" or "AMDxxxxx:0" and expect
the same behaviour.
Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Cc: stable@vger.kernel.org
Cc: Suravee Suthikulpanit <Suravee.Suthikulpanit@amd.com>
Cc: Joerg Roedel <jroedel@suse.de>
Link: https://lore.kernel.org/r/20220919155638.391481-1-kim.phillips@amd.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/amd/init.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/iommu/amd/init.c
+++ b/drivers/iommu/amd/init.c
@@ -3126,6 +3126,13 @@ static int __init parse_ivrs_acpihid(cha
return 1;
}
+ /*
+ * Ignore leading zeroes after ':', so e.g., AMDI0095:00
+ * will match AMDI0095:0 in the second strcmp in acpi_dev_hid_uid_match
+ */
+ while (*uid == '0' && *(uid + 1))
+ uid++;
+
i = early_acpihid_map_size++;
memcpy(early_acpihid_map[i].hid, hid, strlen(hid));
memcpy(early_acpihid_map[i].uid, uid, strlen(uid));
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 662/783] remoteproc: core: Do pm_relax when in RPROC_OFFLINE state
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (660 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 661/783] iommu/amd: Fix ivrs_acpihid cmdline parsing code Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 663/783] parisc: led: Fix potential null-ptr-deref in start_task() Greg Kroah-Hartman
` (130 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Maria Yu, Mathieu Poirier
From: Maria Yu <quic_aiquny@quicinc.com>
commit 11c7f9e3131ad14b27a957496088fa488b153a48 upstream.
Make sure that pm_relax() happens even when the remoteproc
is stopped before the crash handler work is scheduled.
Signed-off-by: Maria Yu <quic_aiquny@quicinc.com>
Cc: stable <stable@vger.kernel.org>
Fixes: a781e5aa5911 ("remoteproc: core: Prevent system suspend during remoteproc recovery")
Link: https://lore.kernel.org/r/20221206015957.2616-2-quic_aiquny@quicinc.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/remoteproc/remoteproc_core.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/remoteproc/remoteproc_core.c
+++ b/drivers/remoteproc/remoteproc_core.c
@@ -1741,12 +1741,18 @@ static void rproc_crash_handler_work(str
mutex_lock(&rproc->lock);
- if (rproc->state == RPROC_CRASHED || rproc->state == RPROC_OFFLINE) {
+ if (rproc->state == RPROC_CRASHED) {
/* handle only the first crash detected */
mutex_unlock(&rproc->lock);
return;
}
+ if (rproc->state == RPROC_OFFLINE) {
+ /* Don't recover if the remote processor was stopped */
+ mutex_unlock(&rproc->lock);
+ goto out;
+ }
+
rproc->state = RPROC_CRASHED;
dev_err(dev, "handling crash #%u in %s\n", ++rproc->crash_cnt,
rproc->name);
@@ -1756,6 +1762,7 @@ static void rproc_crash_handler_work(str
if (!rproc->recovery_disabled)
rproc_trigger_recovery(rproc);
+out:
pm_relax(rproc->dev.parent);
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 663/783] parisc: led: Fix potential null-ptr-deref in start_task()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (661 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 662/783] remoteproc: core: Do pm_relax when in RPROC_OFFLINE state Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 664/783] device_cgroup: Roll back to original exceptions after copy failure Greg Kroah-Hartman
` (129 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shang XiaoJing, Helge Deller
From: Shang XiaoJing <shangxiaojing@huawei.com>
commit 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 upstream.
start_task() calls create_singlethread_workqueue() and not checked the
ret value, which may return NULL. And a null-ptr-deref may happen:
start_task()
create_singlethread_workqueue() # failed, led_wq is NULL
queue_delayed_work()
queue_delayed_work_on()
__queue_delayed_work() # warning here, but continue
__queue_work() # access wq->flags, null-ptr-deref
Check the ret value and return -ENOMEM if it is NULL.
Fixes: 3499495205a6 ("[PARISC] Use work queue in LED/LCD driver instead of tasklet.")
Signed-off-by: Shang XiaoJing <shangxiaojing@huawei.com>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/parisc/led.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/parisc/led.c
+++ b/drivers/parisc/led.c
@@ -137,6 +137,9 @@ static int start_task(void)
/* Create the work queue and queue the LED task */
led_wq = create_singlethread_workqueue("led_wq");
+ if (!led_wq)
+ return -ENOMEM;
+
queue_delayed_work(led_wq, &led_task, 0);
return 0;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 664/783] device_cgroup: Roll back to original exceptions after copy failure
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (662 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 663/783] parisc: led: Fix potential null-ptr-deref in start_task() Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 665/783] drm/connector: send hotplug uevent on connector cleanup Greg Kroah-Hartman
` (128 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Weiyang, Aristeu Rozanski, Paul Moore
From: Wang Weiyang <wangweiyang2@huawei.com>
commit e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f upstream.
When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's
exceptions will be cleaned and A's behavior is changed to
DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's
whitelist. If copy failure occurs, just return leaving A to grant
permissions to all devices. And A may grant more permissions than
parent.
Backup A's whitelist and recover original exceptions after copy
failure.
Cc: stable@vger.kernel.org
Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior")
Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Aristeu Rozanski <aris@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/device_cgroup.c | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -81,6 +81,17 @@ free_and_exit:
return -ENOMEM;
}
+static void dev_exceptions_move(struct list_head *dest, struct list_head *orig)
+{
+ struct dev_exception_item *ex, *tmp;
+
+ lockdep_assert_held(&devcgroup_mutex);
+
+ list_for_each_entry_safe(ex, tmp, orig, list) {
+ list_move_tail(&ex->list, dest);
+ }
+}
+
/*
* called under devcgroup_mutex
*/
@@ -603,11 +614,13 @@ static int devcgroup_update_access(struc
int count, rc = 0;
struct dev_exception_item ex;
struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent);
+ struct dev_cgroup tmp_devcgrp;
if (!capable(CAP_SYS_ADMIN))
return -EPERM;
memset(&ex, 0, sizeof(ex));
+ memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp));
b = buffer;
switch (*b) {
@@ -619,15 +632,27 @@ static int devcgroup_update_access(struc
if (!may_allow_all(parent))
return -EPERM;
- dev_exception_clean(devcgroup);
- devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
- if (!parent)
+ if (!parent) {
+ devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
+ dev_exception_clean(devcgroup);
break;
+ }
+ INIT_LIST_HEAD(&tmp_devcgrp.exceptions);
+ rc = dev_exceptions_copy(&tmp_devcgrp.exceptions,
+ &devcgroup->exceptions);
+ if (rc)
+ return rc;
+ dev_exception_clean(devcgroup);
rc = dev_exceptions_copy(&devcgroup->exceptions,
&parent->exceptions);
- if (rc)
+ if (rc) {
+ dev_exceptions_move(&devcgroup->exceptions,
+ &tmp_devcgrp.exceptions);
return rc;
+ }
+ devcgroup->behavior = DEVCG_DEFAULT_ALLOW;
+ dev_exception_clean(&tmp_devcgrp);
break;
case DEVCG_DENY:
if (css_has_online_children(&devcgroup->css))
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 665/783] drm/connector: send hotplug uevent on connector cleanup
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (663 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 664/783] device_cgroup: Roll back to original exceptions after copy failure Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 666/783] drm/vmwgfx: Validate the box size for the snooped cursor Greg Kroah-Hartman
` (127 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Ser, Daniel Vetter,
Lyude Paul, Jonas Ådahl
From: Simon Ser <contact@emersion.fr>
commit 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc upstream.
A typical DP-MST unplug removes a KMS connector. However care must
be taken to properly synchronize with user-space. The expected
sequence of events is the following:
1. The kernel notices that the DP-MST port is gone.
2. The kernel marks the connector as disconnected, then sends a
uevent to make user-space re-scan the connector list.
3. User-space notices the connector goes from connected to disconnected,
disables it.
4. Kernel handles the IOCTL disabling the connector. On success,
the very last reference to the struct drm_connector is dropped and
drm_connector_cleanup() is called.
5. The connector is removed from the list, and a uevent is sent to tell
user-space that the connector disappeared.
The very last step was missing. As a result, user-space thought the
connector still existed and could try to disable it again. Since the
kernel no longer knows about the connector, that would end up with
EINVAL and confused user-space.
Fix this by sending a hotplug uevent from drm_connector_cleanup().
Signed-off-by: Simon Ser <contact@emersion.fr>
Cc: stable@vger.kernel.org
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Lyude Paul <lyude@redhat.com>
Cc: Jonas Ådahl <jadahl@redhat.com>
Tested-by: Jonas Ådahl <jadahl@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221017153150.60675-2-contact@emersion.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_connector.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/drm_connector.c
+++ b/drivers/gpu/drm/drm_connector.c
@@ -484,6 +484,9 @@ void drm_connector_cleanup(struct drm_co
mutex_destroy(&connector->mutex);
memset(connector, 0, sizeof(*connector));
+
+ if (dev->registered)
+ drm_sysfs_hotplug_event(dev);
}
EXPORT_SYMBOL(drm_connector_cleanup);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 666/783] drm/vmwgfx: Validate the box size for the snooped cursor
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (664 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 665/783] drm/connector: send hotplug uevent on connector cleanup Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 667/783] drm/i915/dsi: fix VBT send packet port selection for dual link DSI Greg Kroah-Hartman
` (126 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zack Rusin, Michael Banack, Martin Krastev
From: Zack Rusin <zackr@vmware.com>
commit 4cf949c7fafe21e085a4ee386bb2dade9067316e upstream.
Invalid userspace dma surface copies could potentially overflow
the memcpy from the surface to the snooped image leading to crashes.
To fix it the dimensions of the copybox have to be validated
against the expected size of the snooped cursor.
Signed-off-by: Zack Rusin <zackr@vmware.com>
Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes")
Cc: <stable@vger.kernel.org> # v3.2+
Reviewed-by: Michael Banack <banackm@vmware.com>
Reviewed-by: Martin Krastev <krastevm@vmware.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c
@@ -182,7 +182,8 @@ void vmw_kms_cursor_snoop(struct vmw_sur
if (cmd->dma.guest.ptr.offset % PAGE_SIZE ||
box->x != 0 || box->y != 0 || box->z != 0 ||
box->srcx != 0 || box->srcy != 0 || box->srcz != 0 ||
- box->d != 1 || box_count != 1) {
+ box->d != 1 || box_count != 1 ||
+ box->w > 64 || box->h > 64) {
/* TODO handle none page aligned offsets */
/* TODO handle more dst & src != 0 */
/* TODO handle more then one copy */
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 667/783] drm/i915/dsi: fix VBT send packet port selection for dual link DSI
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (665 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 666/783] drm/vmwgfx: Validate the box size for the snooped cursor Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 668/783] drm/ingenic: Fix missing platform_driver_unregister() call in ingenic_drm_init() Greg Kroah-Hartman
` (125 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mikko Kovanen, Jani Nikula, Rodrigo Vivi
From: Mikko Kovanen <mikko.kovanen@aavamobile.com>
commit f9cdf4130671d767071607d0a7568c9bd36a68d0 upstream.
intel_dsi->ports contains bitmask of enabled ports and correspondingly
logic for selecting port for VBT packet sending must use port specific
bitmask when deciding appropriate port.
Fixes: 08c59dde71b7 ("drm/i915/dsi: fix VBT send packet port selection for ICL+")
Cc: stable@vger.kernel.org
Signed-off-by: Mikko Kovanen <mikko.kovanen@aavamobile.com>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/DBBPR09MB466592B16885D99ABBF2393A91119@DBBPR09MB4665.eurprd09.prod.outlook.com
(cherry picked from commit 8d58bb7991c45f6b60710cc04c9498c6ea96db90)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/display/intel_dsi_vbt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/i915/display/intel_dsi_vbt.c
+++ b/drivers/gpu/drm/i915/display/intel_dsi_vbt.c
@@ -133,9 +133,9 @@ static enum port intel_dsi_seq_port_to_p
return ffs(intel_dsi->ports) - 1;
if (seq_port) {
- if (intel_dsi->ports & PORT_B)
+ if (intel_dsi->ports & BIT(PORT_B))
return PORT_B;
- else if (intel_dsi->ports & PORT_C)
+ else if (intel_dsi->ports & BIT(PORT_C))
return PORT_C;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 668/783] drm/ingenic: Fix missing platform_driver_unregister() call in ingenic_drm_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (666 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 667/783] drm/i915/dsi: fix VBT send packet port selection for dual link DSI Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 669/783] ext4: silence the warning when evicting inode with dioread_nolock Greg Kroah-Hartman
` (124 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuan Can, Paul Cercueil
From: Yuan Can <yuancan@huawei.com>
commit 47078311b8efebdefd5b3b2f87e2b02b14f49c66 upstream.
A problem about modprobe ingenic-drm failed is triggered with the following
log given:
[ 303.561088] Error: Driver 'ingenic-ipu' is already registered, aborting...
modprobe: ERROR: could not insert 'ingenic_drm': Device or resource busy
The reason is that ingenic_drm_init() returns platform_driver_register()
directly without checking its return value, if platform_driver_register()
failed, it returns without unregistering ingenic_ipu_driver_ptr, resulting
the ingenic-drm can never be installed later.
A simple call graph is shown as below:
ingenic_drm_init()
platform_driver_register() # ingenic_ipu_driver_ptr are registered
platform_driver_register()
driver_register()
bus_add_driver()
priv = kzalloc(...) # OOM happened
# return without unregister ingenic_ipu_driver_ptr
Fixing this problem by checking the return value of
platform_driver_register() and do platform_unregister_drivers() if
error happened.
Fixes: fc1acf317b01 ("drm/ingenic: Add support for the IPU")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Cercueil <paul@crapouillou.net>
Link: https://patchwork.freedesktop.org/patch/msgid/20221104064512.8569-1-yuancan@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/ingenic/ingenic-drm-drv.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
+++ b/drivers/gpu/drm/ingenic/ingenic-drm-drv.c
@@ -1120,7 +1120,11 @@ static int ingenic_drm_init(void)
return err;
}
- return platform_driver_register(&ingenic_drm_driver);
+ err = platform_driver_register(&ingenic_drm_driver);
+ if (IS_ENABLED(CONFIG_DRM_INGENIC_IPU) && err)
+ platform_driver_unregister(ingenic_ipu_driver_ptr);
+
+ return err;
}
module_init(ingenic_drm_init);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 669/783] ext4: silence the warning when evicting inode with dioread_nolock
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (667 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 668/783] drm/ingenic: Fix missing platform_driver_unregister() call in ingenic_drm_init() Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 670/783] ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop Greg Kroah-Hartman
` (123 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Zhang Yi, Jan Kara, Theodore Tso
From: Zhang Yi <yi.zhang@huawei.com>
commit bc12ac98ea2e1b70adc6478c8b473a0003b659d3 upstream.
When evicting an inode with default dioread_nolock, it could be raced by
the unwritten extents converting kworker after writeback some new
allocated dirty blocks. It convert unwritten extents to written, the
extents could be merged to upper level and free extent blocks, so it
could mark the inode dirty again even this inode has been marked
I_FREEING. But the inode->i_io_list check and warning in
ext4_evict_inode() missing this corner case. Fortunately,
ext4_evict_inode() will wait all extents converting finished before this
check, so it will not lead to inode use-after-free problem, every thing
is OK besides this warning. The WARN_ON_ONCE was originally designed
for finding inode use-after-free issues in advance, but if we add
current dioread_nolock case in, it will become not quite useful, so fix
this warning by just remove this check.
======
WARNING: CPU: 7 PID: 1092 at fs/ext4/inode.c:227
ext4_evict_inode+0x875/0xc60
...
RIP: 0010:ext4_evict_inode+0x875/0xc60
...
Call Trace:
<TASK>
evict+0x11c/0x2b0
iput+0x236/0x3a0
do_unlinkat+0x1b4/0x490
__x64_sys_unlinkat+0x4c/0xb0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fa933c1115b
======
rm kworker
ext4_end_io_end()
vfs_unlink()
ext4_unlink()
ext4_convert_unwritten_io_end_vec()
ext4_convert_unwritten_extents()
ext4_map_blocks()
ext4_ext_map_blocks()
ext4_ext_try_to_merge_up()
__mark_inode_dirty()
check !I_FREEING
locked_inode_to_wb_and_lock_list()
iput()
iput_final()
evict()
ext4_evict_inode()
truncate_inode_pages_final() //wait release io_end
inode_io_list_move_locked()
ext4_release_io_end()
trigger WARN_ON_ONCE()
Cc: stable@kernel.org
Fixes: ceff86fddae8 ("ext4: Avoid freeing inodes on dirty list")
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220629112647.4141034-1-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -223,13 +223,13 @@ void ext4_evict_inode(struct inode *inod
/*
* For inodes with journalled data, transaction commit could have
- * dirtied the inode. Flush worker is ignoring it because of I_FREEING
- * flag but we still need to remove the inode from the writeback lists.
+ * dirtied the inode. And for inodes with dioread_nolock, unwritten
+ * extents converting worker could merge extents and also have dirtied
+ * the inode. Flush worker is ignoring it because of I_FREEING flag but
+ * we still need to remove the inode from the writeback lists.
*/
- if (!list_empty_careful(&inode->i_io_list)) {
- WARN_ON_ONCE(!ext4_should_journal_data(inode));
+ if (!list_empty_careful(&inode->i_io_list))
inode_io_list_del(inode);
- }
/*
* Protect us against freezing - iput() caller didn't have to have any
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 670/783] ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (668 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 669/783] ext4: silence the warning when evicting inode with dioread_nolock Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 671/783] ext4: fix use-after-free in ext4_orphan_cleanup Greg Kroah-Hartman
` (122 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baokun Li,
Ritesh Harjani (IBM),
Theodore Tso
From: Baokun Li <libaokun1@huawei.com>
commit eee22187b53611e173161e38f61de1c7ecbeb876 upstream.
In do_writepages, if the value returned by ext4_writepages is "-ENOMEM"
and "wbc->sync_mode == WB_SYNC_ALL", retry until the condition is not met.
In __ext4_get_inode_loc, if the bh returned by sb_getblk is NULL,
the function returns -ENOMEM.
In __getblk_slow, if the return value of grow_buffers is less than 0,
the function returns NULL.
When the three processes are connected in series like the following stack,
an infinite loop may occur:
do_writepages <--- keep retrying
ext4_writepages
mpage_map_and_submit_extent
mpage_map_one_extent
ext4_map_blocks
ext4_ext_map_blocks
ext4_ext_handle_unwritten_extents
ext4_ext_convert_to_initialized
ext4_split_extent
ext4_split_extent_at
__ext4_ext_dirty
__ext4_mark_inode_dirty
ext4_reserve_inode_write
ext4_get_inode_loc
__ext4_get_inode_loc <--- return -ENOMEM
sb_getblk
__getblk_gfp
__getblk_slow <--- return NULL
grow_buffers
grow_dev_page <--- return -ENXIO
ret = (block < end_block) ? 1 : -ENXIO;
In this issue, bg_inode_table_hi is overwritten as an incorrect value.
As a result, `block < end_block` cannot be met in grow_dev_page.
Therefore, __ext4_get_inode_loc always returns '-ENOMEM' and do_writepages
keeps retrying. As a result, the writeback process is in the D state due
to an infinite loop.
Add a check on inode table block in the __ext4_get_inode_loc function by
referring to ext4_read_inode_bitmap to avoid this infinite loop.
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20220817132701.3015912-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4386,9 +4386,17 @@ static int __ext4_get_inode_loc(struct s
inodes_per_block = EXT4_SB(sb)->s_inodes_per_block;
inode_offset = ((ino - 1) %
EXT4_INODES_PER_GROUP(sb));
- block = ext4_inode_table(sb, gdp) + (inode_offset / inodes_per_block);
iloc->offset = (inode_offset % inodes_per_block) * EXT4_INODE_SIZE(sb);
+ block = ext4_inode_table(sb, gdp);
+ if ((block <= le32_to_cpu(EXT4_SB(sb)->s_es->s_first_data_block)) ||
+ (block >= ext4_blocks_count(EXT4_SB(sb)->s_es))) {
+ ext4_error(sb, "Invalid inode table block %llu in "
+ "block_group %u", block, iloc->block_group);
+ return -EFSCORRUPTED;
+ }
+ block += (inode_offset / inodes_per_block);
+
bh = sb_getblk(sb, block);
if (unlikely(!bh))
return -ENOMEM;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 671/783] ext4: fix use-after-free in ext4_orphan_cleanup
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (669 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 670/783] ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 672/783] ext4: fix undefined behavior in bit shift for ext4_check_flag_values Greg Kroah-Hartman
` (121 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso, stable
From: Baokun Li <libaokun1@huawei.com>
commit a71248b1accb2b42e4980afef4fa4a27fa0e36f5 upstream.
I caught a issue as follows:
==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0
Read of size 8 at addr ffff88814b13f378 by task mount/710
CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370
Call Trace:
<TASK>
dump_stack_lvl+0x73/0x9f
print_report+0x25d/0x759
kasan_report+0xc0/0x120
__asan_load8+0x99/0x140
__list_add_valid+0x28/0x1a0
ext4_orphan_cleanup+0x564/0x9d0 [ext4]
__ext4_fill_super+0x48e2/0x5300 [ext4]
ext4_fill_super+0x19f/0x3a0 [ext4]
get_tree_bdev+0x27b/0x450
ext4_get_tree+0x19/0x30 [ext4]
vfs_get_tree+0x49/0x150
path_mount+0xaae/0x1350
do_mount+0xe2/0x110
__x64_sys_mount+0xf0/0x190
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
[...]
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
ext4_orphan_cleanup
--- loop1: assume last_orphan is 12 ---
list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan)
ext4_truncate --> return 0
ext4_inode_attach_jinode --> return -ENOMEM
iput(inode) --> free inode<12>
--- loop2: last_orphan is still 12 ---
list_add(&EXT4_I(inode)->i_orphan, &EXT4_SB(sb)->s_orphan);
// use inode<12> and trigger UAF
To solve this issue, we need to propagate the return value of
ext4_inode_attach_jinode() appropriately.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221102080633.1630225-1-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4285,7 +4285,8 @@ int ext4_truncate(struct inode *inode)
/* If we zero-out tail of the page, we have to create jinode for jbd2 */
if (inode->i_size & (inode->i_sb->s_blocksize - 1)) {
- if (ext4_inode_attach_jinode(inode) < 0)
+ err = ext4_inode_attach_jinode(inode);
+ if (err)
goto out_trace;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 672/783] ext4: fix undefined behavior in bit shift for ext4_check_flag_values
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (670 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 671/783] ext4: fix use-after-free in ext4_orphan_cleanup Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 673/783] ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode Greg Kroah-Hartman
` (120 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gaosheng Cui, Theodore Tso, stable
From: Gaosheng Cui <cuigaosheng1@huawei.com>
commit 3bf678a0f9c017c9ba7c581541dbc8453452a7ae upstream.
Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. The UBSAN warning calltrace like below:
UBSAN: shift-out-of-bounds in fs/ext4/ext4.h:591:2
left shift of 1 by 31 places cannot be represented in type 'int'
Call Trace:
<TASK>
dump_stack_lvl+0x7d/0xa5
dump_stack+0x15/0x1b
ubsan_epilogue+0xe/0x4e
__ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
ext4_init_fs+0x5a/0x277
do_one_initcall+0x76/0x430
kernel_init_freeable+0x3b3/0x422
kernel_init+0x24/0x1e0
ret_from_fork+0x1f/0x30
</TASK>
Fixes: 9a4c80194713 ("ext4: ensure Inode flags consistency are checked at build time")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Link: https://lore.kernel.org/r/20221031055833.3966222-1-cuigaosheng1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ext4.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -553,7 +553,7 @@ enum {
*
* It's not paranoia if the Murphy's Law really *is* out to get you. :-)
*/
-#define TEST_FLAG_VALUE(FLAG) (EXT4_##FLAG##_FL == (1 << EXT4_INODE_##FLAG))
+#define TEST_FLAG_VALUE(FLAG) (EXT4_##FLAG##_FL == (1U << EXT4_INODE_##FLAG))
#define CHECK_FLAG_VALUE(FLAG) BUILD_BUG_ON(!TEST_FLAG_VALUE(FLAG))
static inline void ext4_check_flag_values(void)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 673/783] ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (671 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 672/783] ext4: fix undefined behavior in bit shift for ext4_check_flag_values Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 674/783] ext4: add helper to check quota inums Greg Kroah-Hartman
` (119 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jason Yan, Jan Kara,
Theodore Tso, stable
From: Baokun Li <libaokun1@huawei.com>
commit 63b1e9bccb71fe7d7e3ddc9877dbdc85e5d2d023 upstream.
There are many places that will get unhappy (and crash) when ext4_iget()
returns a bad inode. However, if iget the boot loader inode, allows a bad
inode to be returned, because the inode may not be initialized. This
mechanism can be used to bypass some checks and cause panic. To solve this
problem, we add a special iget flag EXT4_IGET_BAD. Only with this flag
we'd be returning bad inode from ext4_iget(), otherwise we always return
the error code if the inode is bad inode.(suggested by Jan Kara)
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221026042310.3839669-4-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ext4.h | 3 ++-
fs/ext4/inode.c | 8 +++++++-
fs/ext4/ioctl.c | 3 ++-
3 files changed, 11 insertions(+), 3 deletions(-)
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -2842,7 +2842,8 @@ int do_journal_get_write_access(handle_t
typedef enum {
EXT4_IGET_NORMAL = 0,
EXT4_IGET_SPECIAL = 0x0001, /* OK to iget a system inode */
- EXT4_IGET_HANDLE = 0x0002 /* Inode # is from a handle */
+ EXT4_IGET_HANDLE = 0x0002, /* Inode # is from a handle */
+ EXT4_IGET_BAD = 0x0004 /* Allow to iget a bad inode */
} ext4_iget_flags;
extern struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4969,8 +4969,14 @@ struct inode *__ext4_iget(struct super_b
if (IS_CASEFOLDED(inode) && !ext4_has_feature_casefold(inode->i_sb))
ext4_error_inode(inode, function, line, 0,
"casefold flag without casefold feature");
- brelse(iloc.bh);
+ if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) {
+ ext4_error_inode(inode, function, line, 0,
+ "bad inode without EXT4_IGET_BAD flag");
+ ret = -EUCLEAN;
+ goto bad_inode;
+ }
+ brelse(iloc.bh);
unlock_new_inode(inode);
return inode;
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -121,7 +121,8 @@ static long swap_inode_boot_loader(struc
blkcnt_t blocks;
unsigned short bytes;
- inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO, EXT4_IGET_SPECIAL);
+ inode_bl = ext4_iget(sb, EXT4_BOOT_LOADER_INO,
+ EXT4_IGET_SPECIAL | EXT4_IGET_BAD);
if (IS_ERR(inode_bl))
return PTR_ERR(inode_bl);
ei_bl = EXT4_I(inode_bl);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 674/783] ext4: add helper to check quota inums
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (672 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 673/783] ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 675/783] ext4: fix bug_on in __es_tree_search caused by bad quota inode Greg Kroah-Hartman
` (118 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jason Yan, Jan Kara,
Theodore Tso, stable
From: Baokun Li <libaokun1@huawei.com>
commit 07342ec259df2a35d6a34aebce010567a80a0e15 upstream.
Before quota is enabled, a check on the preset quota inums in
ext4_super_block is added to prevent wrong quota inodes from being loaded.
In addition, when the quota fails to be enabled, the quota type and quota
inum are printed to facilitate fault locating.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221026042310.3839669-3-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 28 +++++++++++++++++++++++++---
1 file changed, 25 insertions(+), 3 deletions(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -6385,6 +6385,20 @@ static int ext4_quota_on(struct super_bl
return err;
}
+static inline bool ext4_check_quota_inum(int type, unsigned long qf_inum)
+{
+ switch (type) {
+ case USRQUOTA:
+ return qf_inum == EXT4_USR_QUOTA_INO;
+ case GRPQUOTA:
+ return qf_inum == EXT4_GRP_QUOTA_INO;
+ case PRJQUOTA:
+ return qf_inum >= EXT4_GOOD_OLD_FIRST_INO;
+ default:
+ BUG();
+ }
+}
+
static int ext4_quota_enable(struct super_block *sb, int type, int format_id,
unsigned int flags)
{
@@ -6401,9 +6415,16 @@ static int ext4_quota_enable(struct supe
if (!qf_inums[type])
return -EPERM;
+ if (!ext4_check_quota_inum(type, qf_inums[type])) {
+ ext4_error(sb, "Bad quota inum: %lu, type: %d",
+ qf_inums[type], type);
+ return -EUCLEAN;
+ }
+
qf_inode = ext4_iget(sb, qf_inums[type], EXT4_IGET_SPECIAL);
if (IS_ERR(qf_inode)) {
- ext4_error(sb, "Bad quota inode # %lu", qf_inums[type]);
+ ext4_error(sb, "Bad quota inode: %lu, type: %d",
+ qf_inums[type], type);
return PTR_ERR(qf_inode);
}
@@ -6442,8 +6463,9 @@ static int ext4_enable_quotas(struct sup
if (err) {
ext4_warning(sb,
"Failed to enable quota tracking "
- "(type=%d, err=%d). Please run "
- "e2fsck to fix.", type, err);
+ "(type=%d, err=%d, ino=%lu). "
+ "Please run e2fsck to fix.", type,
+ err, qf_inums[type]);
for (type--; type >= 0; type--) {
struct inode *inode;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 675/783] ext4: fix bug_on in __es_tree_search caused by bad quota inode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (673 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 674/783] ext4: add helper to check quota inums Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 676/783] ext4: fix reserved cluster accounting in __es_remove_extent() Greg Kroah-Hartman
` (117 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Chaitanya Kulkarni,
Jason Yan, Jan Kara, Theodore Tso, stable
From: Baokun Li <libaokun1@huawei.com>
commit d323877484765aaacbb2769b06e355c2041ed115 upstream.
We got a issue as fllows:
==================================================================
kernel BUG at fs/ext4/extents_status.c:202!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 810 Comm: mount Not tainted 6.1.0-rc1-next-g9631525255e3 #352
RIP: 0010:__es_tree_search.isra.0+0xb8/0xe0
RSP: 0018:ffffc90001227900 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000077512a0f RCX: 0000000000000000
RDX: 0000000000000002 RSI: 0000000000002a10 RDI: ffff8881004cd0c8
RBP: ffff888177512ac8 R08: 47ffffffffffffff R09: 0000000000000001
R10: 0000000000000001 R11: 00000000000679af R12: 0000000000002a10
R13: ffff888177512d88 R14: 0000000077512a10 R15: 0000000000000000
FS: 00007f4bd76dbc40(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005653bf993cf8 CR3: 000000017bfdf000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
ext4_es_cache_extent+0xe2/0x210
ext4_cache_extents+0xd2/0x110
ext4_find_extent+0x5d5/0x8c0
ext4_ext_map_blocks+0x9c/0x1d30
ext4_map_blocks+0x431/0xa50
ext4_getblk+0x82/0x340
ext4_bread+0x14/0x110
ext4_quota_read+0xf0/0x180
v2_read_header+0x24/0x90
v2_check_quota_file+0x2f/0xa0
dquot_load_quota_sb+0x26c/0x760
dquot_load_quota_inode+0xa5/0x190
ext4_enable_quotas+0x14c/0x300
__ext4_fill_super+0x31cc/0x32c0
ext4_fill_super+0x115/0x2d0
get_tree_bdev+0x1d2/0x360
ext4_get_tree+0x19/0x30
vfs_get_tree+0x26/0xe0
path_mount+0x81d/0xfc0
do_mount+0x8d/0xc0
__x64_sys_mount+0xc0/0x160
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
==================================================================
Above issue may happen as follows:
-------------------------------------
ext4_fill_super
ext4_orphan_cleanup
ext4_enable_quotas
ext4_quota_enable
ext4_iget --> get error inode <5>
ext4_ext_check_inode --> Wrong imode makes it escape inspection
make_bad_inode(inode) --> EXT4_BOOT_LOADER_INO set imode
dquot_load_quota_inode
vfs_setup_quota_inode --> check pass
dquot_load_quota_sb
v2_check_quota_file
v2_read_header
ext4_quota_read
ext4_bread
ext4_getblk
ext4_map_blocks
ext4_ext_map_blocks
ext4_find_extent
ext4_cache_extents
ext4_es_cache_extent
__es_tree_search.isra.0
ext4_es_end --> Wrong extents trigger BUG_ON
In the above issue, s_usr_quota_inum is set to 5, but inode<5> contains
incorrect imode and disordered extents. Because 5 is EXT4_BOOT_LOADER_INO,
the ext4_ext_check_inode check in the ext4_iget function can be bypassed,
finally, the extents that are not checked trigger the BUG_ON in the
__es_tree_search function. To solve this issue, check whether the inode is
bad_inode in vfs_setup_quota_inode().
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221026042310.3839669-2-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/quota/dquot.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/quota/dquot.c
+++ b/fs/quota/dquot.c
@@ -2319,6 +2319,8 @@ static int vfs_setup_quota_inode(struct
struct super_block *sb = inode->i_sb;
struct quota_info *dqopt = sb_dqopt(sb);
+ if (is_bad_inode(inode))
+ return -EUCLEAN;
if (!S_ISREG(inode->i_mode))
return -EACCES;
if (IS_RDONLY(inode))
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 676/783] ext4: fix reserved cluster accounting in __es_remove_extent()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (674 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 675/783] ext4: fix bug_on in __es_tree_search caused by bad quota inode Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 677/783] ext4: check and assert if marking an no_delete evicting inode dirty Greg Kroah-Hartman
` (116 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+05a0f0ccab4a25626e38, Ye Bin,
Eric Whitney, Theodore Tso, stable
From: Ye Bin <yebin10@huawei.com>
commit 1da18e38cb97e9521e93d63034521a9649524f64 upstream.
When bigalloc is enabled, reserved cluster accounting for delayed
allocation is handled in extent_status.c. With a corrupted file
system, it's possible for this accounting to be incorrect,
dsicovered by Syzbot:
EXT4-fs error (device loop0): ext4_validate_block_bitmap:398: comm rep:
bg 0: block 5: invalid block bitmap
EXT4-fs (loop0): Delayed block allocation failed for inode 18 at logical
offset 0 with max blocks 32 with error 28
EXT4-fs (loop0): This should not happen!! Data will be lost
EXT4-fs (loop0): Total free blocks count 0
EXT4-fs (loop0): Free/Dirty block details
EXT4-fs (loop0): free_blocks=0
EXT4-fs (loop0): dirty_blocks=32
EXT4-fs (loop0): Block reservation details
EXT4-fs (loop0): i_reserved_data_blocks=2
EXT4-fs (loop0): Inode 18 (00000000845cd634):
i_reserved_data_blocks (1) not cleared!
Above issue happens as follows:
Assume:
sbi->s_cluster_ratio = 16
Step1:
Insert delay block [0, 31] -> ei->i_reserved_data_blocks=2
Step2:
ext4_writepages
mpage_map_and_submit_extent -> return failed
mpage_release_unused_pages -> to release [0, 30]
ext4_es_remove_extent -> remove lblk=0 end=30
__es_remove_extent -> len1=0 len2=31-30=1
__es_remove_extent:
...
if (len2 > 0) {
...
if (len1 > 0) {
...
} else {
es->es_lblk = end + 1;
es->es_len = len2;
...
}
if (count_reserved)
count_rsvd(inode, lblk, ...);
goto out; -> will return but didn't calculate 'reserved'
...
Step3:
ext4_destroy_inode -> trigger "i_reserved_data_blocks (1) not cleared!"
To solve above issue if 'len2>0' call 'get_rsvd()' before goto out.
Reported-by: syzbot+05a0f0ccab4a25626e38@syzkaller.appspotmail.com
Fixes: 8fcc3a580651 ("ext4: rework reserved cluster accounting when invalidating pages")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Eric Whitney <enwlinux@gmail.com>
Link: https://lore.kernel.org/r/20221208033426.1832460-2-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents_status.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ext4/extents_status.c
+++ b/fs/ext4/extents_status.c
@@ -1372,7 +1372,7 @@ retry:
if (count_reserved)
count_rsvd(inode, lblk, orig_es.es_len - len1 - len2,
&orig_es, &rc);
- goto out;
+ goto out_get_reserved;
}
if (len1 > 0) {
@@ -1414,6 +1414,7 @@ retry:
}
}
+out_get_reserved:
if (count_reserved)
*reserved = get_rsvd(inode, end, es, &rc);
out:
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 677/783] ext4: check and assert if marking an no_delete evicting inode dirty
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (675 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 676/783] ext4: fix reserved cluster accounting in __es_remove_extent() Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 678/783] ext4: fix bug_on in __es_tree_search caused by bad boot loader inode Greg Kroah-Hartman
` (115 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Zhang Yi, Theodore Tso, stable
From: Zhang Yi <yi.zhang@huawei.com>
commit 318cdc822c63b6e2befcfdc2088378ae6fa18def upstream.
In ext4_evict_inode(), if we evicting an inode in the 'no_delete' path,
it cannot be raced by another mark_inode_dirty(). If it happens,
someone else may accidentally dirty it without holding inode refcount
and probably cause use-after-free issues in the writeback procedure.
It's indiscoverable and hard to debug, so add an WARN_ON_ONCE() to
check and detect this issue in advance.
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220629112647.4141034-2-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -336,6 +336,12 @@ stop_handle:
ext4_xattr_inode_array_free(ea_inode_array);
return;
no_delete:
+ /*
+ * Check out some where else accidentally dirty the evicting inode,
+ * which may probably cause inode use-after-free issues later.
+ */
+ WARN_ON_ONCE(!list_empty_careful(&inode->i_io_list));
+
if (!list_empty(&EXT4_I(inode)->i_fc_list))
ext4_fc_mark_ineligible(inode->i_sb, EXT4_FC_REASON_NOMEM);
ext4_clear_inode(inode); /* We must guarantee clearing of inode... */
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 678/783] ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (676 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 677/783] ext4: check and assert if marking an no_delete evicting inode dirty Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 679/783] ext4: init quota for old.inode in ext4_rename Greg Kroah-Hartman
` (114 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jason Yan, Jan Kara,
Theodore Tso, stable
From: Baokun Li <libaokun1@huawei.com>
commit 991ed014de0840c5dc405b679168924afb2952ac upstream.
We got a issue as fllows:
==================================================================
kernel BUG at fs/ext4/extents_status.c:203!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 945 Comm: cat Not tainted 6.0.0-next-20221007-dirty #349
RIP: 0010:ext4_es_end.isra.0+0x34/0x42
RSP: 0018:ffffc9000143b768 EFLAGS: 00010203
RAX: 0000000000000000 RBX: ffff8881769cd0b8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8fc27cf7 RDI: 00000000ffffffff
RBP: ffff8881769cd0bc R08: 0000000000000000 R09: ffffc9000143b5f8
R10: 0000000000000001 R11: 0000000000000001 R12: ffff8881769cd0a0
R13: ffff8881768e5668 R14: 00000000768e52f0 R15: 0000000000000000
FS: 00007f359f7f05c0(0000)GS:ffff88842fd00000(0000)knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f359f5a2000 CR3: 000000017130c000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__es_tree_search.isra.0+0x6d/0xf5
ext4_es_cache_extent+0xfa/0x230
ext4_cache_extents+0xd2/0x110
ext4_find_extent+0x5d5/0x8c0
ext4_ext_map_blocks+0x9c/0x1d30
ext4_map_blocks+0x431/0xa50
ext4_mpage_readpages+0x48e/0xe40
ext4_readahead+0x47/0x50
read_pages+0x82/0x530
page_cache_ra_unbounded+0x199/0x2a0
do_page_cache_ra+0x47/0x70
page_cache_ra_order+0x242/0x400
ondemand_readahead+0x1e8/0x4b0
page_cache_sync_ra+0xf4/0x110
filemap_get_pages+0x131/0xb20
filemap_read+0xda/0x4b0
generic_file_read_iter+0x13a/0x250
ext4_file_read_iter+0x59/0x1d0
vfs_read+0x28f/0x460
ksys_read+0x73/0x160
__x64_sys_read+0x1e/0x30
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
==================================================================
In the above issue, ioctl invokes the swap_inode_boot_loader function to
swap inode<5> and inode<12>. However, inode<5> contain incorrect imode and
disordered extents, and i_nlink is set to 1. The extents check for inode in
the ext4_iget function can be bypassed bacause 5 is EXT4_BOOT_LOADER_INO.
While links_count is set to 1, the extents are not initialized in
swap_inode_boot_loader. After the ioctl command is executed successfully,
the extents are swapped to inode<12>, in this case, run the `cat` command
to view inode<12>. And Bug_ON is triggered due to the incorrect extents.
When the boot loader inode is not initialized, its imode can be one of the
following:
1) the imode is a bad type, which is marked as bad_inode in ext4_iget and
set to S_IFREG.
2) the imode is good type but not S_IFREG.
3) the imode is S_IFREG.
The BUG_ON may be triggered by bypassing the check in cases 1 and 2.
Therefore, when the boot loader inode is bad_inode or its imode is not
S_IFREG, initialize the inode to avoid triggering the BUG.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221026042310.3839669-5-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -171,7 +171,7 @@ static long swap_inode_boot_loader(struc
/* Protect extent tree against block allocations via delalloc */
ext4_double_down_write_data_sem(inode, inode_bl);
- if (inode_bl->i_nlink == 0) {
+ if (is_bad_inode(inode_bl) || !S_ISREG(inode_bl->i_mode)) {
/* this inode has never been used as a BOOT_LOADER */
set_nlink(inode_bl, 1);
i_uid_write(inode_bl, 0);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 679/783] ext4: init quota for old.inode in ext4_rename
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (677 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 678/783] ext4: fix bug_on in __es_tree_search caused by bad boot loader inode Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 680/783] ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline Greg Kroah-Hartman
` (113 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+98346927678ac3059c77, Ye Bin,
Jan Kara, Theodore Tso, stable
From: Ye Bin <yebin10@huawei.com>
commit fae381a3d79bb94aa2eb752170d47458d778b797 upstream.
Syzbot found the following issue:
ext4_parse_param: s_want_extra_isize=128
ext4_inode_info_init: s_want_extra_isize=32
ext4_rename: old.inode=ffff88823869a2c8 old.dir=ffff888238699828 new.inode=ffff88823869d7e8 new.dir=ffff888238699828
__ext4_mark_inode_dirty: inode=ffff888238699828 ea_isize=32 want_ea_size=128
__ext4_mark_inode_dirty: inode=ffff88823869a2c8 ea_isize=32 want_ea_size=128
ext4_xattr_block_set: inode=ffff88823869a2c8
------------[ cut here ]------------
WARNING: CPU: 13 PID: 2234 at fs/ext4/xattr.c:2070 ext4_xattr_block_set.cold+0x22/0x980
Modules linked in:
RIP: 0010:ext4_xattr_block_set.cold+0x22/0x980
RSP: 0018:ffff888227d3f3b0 EFLAGS: 00010202
RAX: 0000000000000001 RBX: ffff88823007a000 RCX: 0000000000000000
RDX: 0000000000000a03 RSI: 0000000000000040 RDI: ffff888230078178
RBP: 0000000000000000 R08: 000000000000002c R09: ffffed1075c7df8e
R10: ffff8883ae3efc6b R11: ffffed1075c7df8d R12: 0000000000000000
R13: ffff88823869a2c8 R14: ffff8881012e0460 R15: dffffc0000000000
FS: 00007f350ac1f740(0000) GS:ffff8883ae200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f350a6ed6a0 CR3: 0000000237456000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? ext4_xattr_set_entry+0x3b7/0x2320
? ext4_xattr_block_set+0x0/0x2020
? ext4_xattr_set_entry+0x0/0x2320
? ext4_xattr_check_entries+0x77/0x310
? ext4_xattr_ibody_set+0x23b/0x340
ext4_xattr_move_to_block+0x594/0x720
ext4_expand_extra_isize_ea+0x59a/0x10f0
__ext4_expand_extra_isize+0x278/0x3f0
__ext4_mark_inode_dirty.cold+0x347/0x410
ext4_rename+0xed3/0x174f
vfs_rename+0x13a7/0x2510
do_renameat2+0x55d/0x920
__x64_sys_rename+0x7d/0xb0
do_syscall_64+0x3b/0xa0
entry_SYSCALL_64_after_hwframe+0x72/0xdc
As 'ext4_rename' will modify 'old.inode' ctime and mark inode dirty,
which may trigger expand 'extra_isize' and allocate block. If inode
didn't init quota will lead to warning. To solve above issue, init
'old.inode' firstly in 'ext4_rename'.
Reported-by: syzbot+98346927678ac3059c77@syzkaller.appspotmail.com
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221107015335.2524319-1-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/namei.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3844,6 +3844,9 @@ static int ext4_rename(struct inode *old
retval = dquot_initialize(old.dir);
if (retval)
return retval;
+ retval = dquot_initialize(old.inode);
+ if (retval)
+ return retval;
retval = dquot_initialize(new.dir);
if (retval)
return retval;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 680/783] ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (678 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 679/783] ext4: init quota for old.inode in ext4_rename Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 681/783] ext4: fix corruption when online resizing a 1K bigalloc fs Greg Kroah-Hartman
` (112 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Whitney, Theodore Tso, stable
From: Eric Whitney <enwlinux@gmail.com>
commit 131294c35ed6f777bd4e79d42af13b5c41bf2775 upstream.
When converting files with inline data to extents, delayed allocations
made on a file system created with both the bigalloc and inline options
can result in invalid extent status cache content, incorrect reserved
cluster counts, kernel memory leaks, and potential kernel panics.
With bigalloc, the code that determines whether a block must be
delayed allocated searches the extent tree to see if that block maps
to a previously allocated cluster. If not, the block is delayed
allocated, and otherwise, it isn't. However, if the inline option is
also used, and if the file containing the block is marked as able to
store data inline, there isn't a valid extent tree associated with
the file. The current code in ext4_clu_mapped() calls
ext4_find_extent() to search the non-existent tree for a previously
allocated cluster anyway, which typically finds nothing, as desired.
However, a side effect of the search can be to cache invalid content
from the non-existent tree (garbage) in the extent status tree,
including bogus entries in the pending reservation tree.
To fix this, avoid searching the extent tree when allocating blocks
for bigalloc + inline files that are being converted from inline to
extent mapped.
Signed-off-by: Eric Whitney <enwlinux@gmail.com>
Link: https://lore.kernel.org/r/20221117152207.2424-1-enwlinux@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -5802,6 +5802,14 @@ int ext4_clu_mapped(struct inode *inode,
struct ext4_extent *extent;
ext4_lblk_t first_lblk, first_lclu, last_lclu;
+ /*
+ * if data can be stored inline, the logical cluster isn't
+ * mapped - no physical clusters have been allocated, and the
+ * file has no extents
+ */
+ if (ext4_test_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA))
+ return 0;
+
/* search for the extent closest to the first block in the cluster */
path = ext4_find_extent(inode, EXT4_C2B(sbi, lclu), NULL, 0);
if (IS_ERR(path)) {
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 681/783] ext4: fix corruption when online resizing a 1K bigalloc fs
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (679 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 680/783] ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 682/783] ext4: fix error code return to user-space in ext4_get_branch() Greg Kroah-Hartman
` (111 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, stable, Theodore Tso
From: Baokun Li <libaokun1@huawei.com>
commit 0aeaa2559d6d53358fca3e3fce73807367adca74 upstream.
When a backup superblock is updated in update_backups(), the primary
superblock's offset in the group (that is, sbi->s_sbh->b_blocknr) is used
as the backup superblock's offset in its group. However, when the block
size is 1K and bigalloc is enabled, the two offsets are not equal. This
causes the backup group descriptors to be overwritten by the superblock
in update_backups(). Moreover, if meta_bg is enabled, the file system will
be corrupted because this feature uses backup group descriptors.
To solve this issue, we use a more accurate ext4_group_first_block_no() as
the offset of the backup superblock in its group.
Fixes: d77147ff443b ("ext4: add support for online resizing with bigalloc")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20221117040341.1380702-4-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/resize.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/ext4/resize.c
+++ b/fs/ext4/resize.c
@@ -1545,8 +1545,8 @@ exit_journal:
int meta_bg = ext4_has_feature_meta_bg(sb);
sector_t old_gdb = 0;
- update_backups(sb, sbi->s_sbh->b_blocknr, (char *)es,
- sizeof(struct ext4_super_block), 0);
+ update_backups(sb, ext4_group_first_block_no(sb, 0),
+ (char *)es, sizeof(struct ext4_super_block), 0);
for (; gdb_num <= gdb_num_end; gdb_num++) {
struct buffer_head *gdb_bh;
@@ -1753,7 +1753,7 @@ errout:
if (test_opt(sb, DEBUG))
printk(KERN_DEBUG "EXT4-fs: extended group to %llu "
"blocks\n", ext4_blocks_count(es));
- update_backups(sb, EXT4_SB(sb)->s_sbh->b_blocknr,
+ update_backups(sb, ext4_group_first_block_no(sb, 0),
(char *)es, sizeof(struct ext4_super_block), 0);
}
return err;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 682/783] ext4: fix error code return to user-space in ext4_get_branch()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (680 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 681/783] ext4: fix corruption when online resizing a 1K bigalloc fs Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 683/783] ext4: avoid BUG_ON when creating xattrs Greg Kroah-Hartman
` (110 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luís Henriques, Theodore Tso, stable
From: Luís Henriques <lhenriques@suse.de>
commit 26d75a16af285a70863ba6a81f85d81e7e65da50 upstream.
If a block is out of range in ext4_get_branch(), -ENOMEM will be returned
to user-space. Obviously, this error code isn't really useful. This
patch fixes it by making sure the right error code (-EFSCORRUPTED) is
propagated to user-space. EUCLEAN is more informative than ENOMEM.
Signed-off-by: Luís Henriques <lhenriques@suse.de>
Link: https://lore.kernel.org/r/20221109181445.17843-1-lhenriques@suse.de
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/indirect.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/fs/ext4/indirect.c
+++ b/fs/ext4/indirect.c
@@ -148,6 +148,7 @@ static Indirect *ext4_get_branch(struct
struct super_block *sb = inode->i_sb;
Indirect *p = chain;
struct buffer_head *bh;
+ unsigned int key;
int ret = -EIO;
*err = 0;
@@ -156,7 +157,13 @@ static Indirect *ext4_get_branch(struct
if (!p->key)
goto no_block;
while (--depth) {
- bh = sb_getblk(sb, le32_to_cpu(p->key));
+ key = le32_to_cpu(p->key);
+ if (key > ext4_blocks_count(EXT4_SB(sb)->s_es)) {
+ /* the block was out of range */
+ ret = -EFSCORRUPTED;
+ goto failure;
+ }
+ bh = sb_getblk(sb, key);
if (unlikely(!bh)) {
ret = -ENOMEM;
goto failure;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 683/783] ext4: avoid BUG_ON when creating xattrs
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (681 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 682/783] ext4: fix error code return to user-space in ext4_get_branch() Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 684/783] ext4: fix inode leak in ext4_xattr_inode_create() on an error path Greg Kroah-Hartman
` (109 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Sandeen, Jan Kara,
Theodore Tso, stable
From: Jan Kara <jack@suse.cz>
commit b40ebaf63851b3a401b0dc9263843538f64f5ce6 upstream.
Commit fb0a387dcdcd ("ext4: limit block allocations for indirect-block
files to < 2^32") added code to try to allocate xattr block with 32-bit
block number for indirect block based files on the grounds that these
files cannot use larger block numbers. It also added BUG_ON when
allocated block could not fit into 32 bits. This is however bogus
reasoning because xattr block is stored in inode->i_file_acl and
inode->i_file_acl_hi and as such even indirect block based files can
happily use full 48 bits for xattr block number. The proper handling
seems to be there basically since 64-bit block number support was added.
So remove the bogus limitation and BUG_ON.
Cc: Eric Sandeen <sandeen@redhat.com>
Fixes: fb0a387dcdcd ("ext4: limit block allocations for indirect-block files to < 2^32")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221121130929.32031-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 8 --------
1 file changed, 8 deletions(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -2049,19 +2049,11 @@ inserted:
goal = ext4_group_first_block_no(sb,
EXT4_I(inode)->i_block_group);
-
- /* non-extent files can't have physical blocks past 2^32 */
- if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)))
- goal = goal & EXT4_MAX_BLOCK_FILE_PHYS;
-
block = ext4_new_meta_blocks(handle, inode, goal, 0,
NULL, &error);
if (error)
goto cleanup;
- if (!(ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)))
- BUG_ON(block > EXT4_MAX_BLOCK_FILE_PHYS);
-
ea_idebug(inode, "creating block %llu",
(unsigned long long)block);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 684/783] ext4: fix inode leak in ext4_xattr_inode_create() on an error path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (682 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 683/783] ext4: avoid BUG_ON when creating xattrs Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 685/783] ext4: initialize quota before expanding inode in setproject ioctl Greg Kroah-Hartman
` (108 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso, stable
From: Ye Bin <yebin10@huawei.com>
commit e4db04f7d3dbbe16680e0ded27ea2a65b10f766a upstream.
There is issue as follows when do setxattr with inject fault:
[localhost]# fsck.ext4 -fn /dev/sda
e2fsck 1.46.6-rc1 (12-Sep-2022)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Unattached zero-length inode 15. Clear? no
Unattached inode 15
Connect to /lost+found? no
Pass 5: Checking group summary information
/dev/sda: ********** WARNING: Filesystem still has errors **********
/dev/sda: 15/655360 files (0.0% non-contiguous), 66755/2621440 blocks
This occurs in 'ext4_xattr_inode_create()'. If 'ext4_mark_inode_dirty()'
fails, dropping i_nlink of the inode is needed. Or will lead to inode leak.
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221208023233.1231330-5-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1425,6 +1425,9 @@ static struct inode *ext4_xattr_inode_cr
if (!err)
err = ext4_inode_attach_jinode(ea_inode);
if (err) {
+ if (ext4_xattr_inode_dec_ref(handle, ea_inode))
+ ext4_warning_inode(ea_inode,
+ "cleanup dec ref error %d", err);
iput(ea_inode);
return ERR_PTR(err);
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 685/783] ext4: initialize quota before expanding inode in setproject ioctl
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (683 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 684/783] ext4: fix inode leak in ext4_xattr_inode_create() on an error path Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 686/783] ext4: avoid unaccounted block allocation when expanding inode Greg Kroah-Hartman
` (107 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, stable, Theodore Tso
From: Jan Kara <jack@suse.cz>
commit 1485f726c6dec1a1f85438f2962feaa3d585526f upstream.
Make sure we initialize quotas before possibly expanding inode space
(and thus maybe needing to allocate external xattr block) in
ext4_ioctl_setproject(). This prevents not accounting the necessary
block allocation.
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20221207115937.26601-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ioctl.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -495,6 +495,10 @@ static int ext4_ioctl_setproject(struct
if (ext4_is_quota_file(inode))
return err;
+ err = dquot_initialize(inode);
+ if (err)
+ return err;
+
err = ext4_get_inode_loc(inode, &iloc);
if (err)
return err;
@@ -510,10 +514,6 @@ static int ext4_ioctl_setproject(struct
brelse(iloc.bh);
}
- err = dquot_initialize(inode);
- if (err)
- return err;
-
handle = ext4_journal_start(inode, EXT4_HT_QUOTA,
EXT4_QUOTA_INIT_BLOCKS(sb) +
EXT4_QUOTA_DEL_BLOCKS(sb) + 3);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 686/783] ext4: avoid unaccounted block allocation when expanding inode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (684 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 685/783] ext4: initialize quota before expanding inode in setproject ioctl Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 687/783] ext4: allocate extended attribute value in vmalloc area Greg Kroah-Hartman
` (106 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengfei Xu, Jan Kara, stable, Theodore Tso
From: Jan Kara <jack@suse.cz>
commit 8994d11395f8165b3deca1971946f549f0822630 upstream.
When expanding inode space in ext4_expand_extra_isize_ea() we may need
to allocate external xattr block. If quota is not initialized for the
inode, the block allocation will not be accounted into quota usage. Make
sure the quota is initialized before we try to expand inode space.
Reported-by: Pengfei Xu <pengfei.xu@intel.com>
Link: https://lore.kernel.org/all/Y5BT+k6xWqthZc1P@xpf.sh.intel.com
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20221207115937.26601-2-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5879,6 +5879,14 @@ static int __ext4_expand_extra_isize(str
return 0;
}
+ /*
+ * We may need to allocate external xattr block so we need quotas
+ * initialized. Here we can be called with various locks held so we
+ * cannot affort to initialize quotas ourselves. So just bail.
+ */
+ if (dquot_initialize_needed(inode))
+ return -EAGAIN;
+
/* try to expand with EAs present */
error = ext4_expand_extra_isize_ea(inode, new_extra_isize,
raw_inode, handle);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 687/783] ext4: allocate extended attribute value in vmalloc area
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (685 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 686/783] ext4: avoid unaccounted block allocation when expanding inode Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 688/783] drm/amdgpu: handle polaris10/11 overlap asics (v2) Greg Kroah-Hartman
` (105 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ye Bin, Jan Kara, Theodore Tso, stable
From: Ye Bin <yebin10@huawei.com>
commit cc12a6f25e07ed05d5825a1664b67a970842b2ca upstream.
Now, extended attribute value maximum length is 64K. The memory
requested here does not need continuous physical addresses, so it is
appropriate to use kvmalloc to request memory. At the same time, it
can also cope with the situation that the extended attribute will
become longer in the future.
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221208023233.1231330-3-yebin@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -2551,7 +2551,7 @@ static int ext4_xattr_move_to_block(hand
is = kzalloc(sizeof(struct ext4_xattr_ibody_find), GFP_NOFS);
bs = kzalloc(sizeof(struct ext4_xattr_block_find), GFP_NOFS);
- buffer = kmalloc(value_size, GFP_NOFS);
+ buffer = kvmalloc(value_size, GFP_NOFS);
b_entry_name = kmalloc(entry->e_name_len + 1, GFP_NOFS);
if (!is || !bs || !buffer || !b_entry_name) {
error = -ENOMEM;
@@ -2603,7 +2603,7 @@ static int ext4_xattr_move_to_block(hand
error = 0;
out:
kfree(b_entry_name);
- kfree(buffer);
+ kvfree(buffer);
if (is)
brelse(is->iloc.bh);
if (bs)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 688/783] drm/amdgpu: handle polaris10/11 overlap asics (v2)
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (686 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 687/783] ext4: allocate extended attribute value in vmalloc area Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 689/783] drm/amdgpu: make display pinning more flexible (v2) Greg Kroah-Hartman
` (104 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luben Tuikov, Alex Deucher
From: Alex Deucher <alexander.deucher@amd.com>
commit 1d4624cd72b912b2680c08d0be48338a1629a858 upstream.
Some special polaris 10 chips overlap with the polaris11
DID range. Handle this properly in the driver.
v2: use local flags for other function calls.
Acked-by: Luben Tuikov <luben.tuikov@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
@@ -1121,6 +1121,15 @@ static int amdgpu_pci_probe(struct pci_d
"See modparam exp_hw_support\n");
return -ENODEV;
}
+ /* differentiate between P10 and P11 asics with the same DID */
+ if (pdev->device == 0x67FF &&
+ (pdev->revision == 0xE3 ||
+ pdev->revision == 0xE7 ||
+ pdev->revision == 0xF3 ||
+ pdev->revision == 0xF7)) {
+ flags &= ~AMD_ASIC_MASK;
+ flags |= CHIP_POLARIS10;
+ }
/* Due to hardware bugs, S/G Display on raven requires a 1:1 IOMMU mapping,
* however, SME requires an indirect IOMMU mapping because the encryption
@@ -1190,12 +1199,12 @@ static int amdgpu_pci_probe(struct pci_d
ddev->pdev = pdev;
pci_set_drvdata(pdev, ddev);
- ret = amdgpu_driver_load_kms(adev, ent->driver_data);
+ ret = amdgpu_driver_load_kms(adev, flags);
if (ret)
goto err_pci;
retry_init:
- ret = drm_dev_register(ddev, ent->driver_data);
+ ret = drm_dev_register(ddev, flags);
if (ret == -EAGAIN && ++retry <= 3) {
DRM_INFO("retry init %d\n", retry);
/* Don't request EX mode too frequently which is attacking */
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 689/783] drm/amdgpu: make display pinning more flexible (v2)
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (687 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 688/783] drm/amdgpu: handle polaris10/11 overlap asics (v2) Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 690/783] ARM: renumber bits related to _TIF_WORK_MASK Greg Kroah-Hartman
` (103 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luben Tuikov, Christian König,
Alex Deucher
From: Alex Deucher <alexander.deucher@amd.com>
commit 81d0bcf9900932633d270d5bc4a54ff599c6ebdb upstream.
Only apply the static threshold for Stoney and Carrizo.
This hardware has certain requirements that don't allow
mixing of GTT and VRAM. Newer asics do not have these
requirements so we should be able to be more flexible
with where buffers end up.
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2270
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2291
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2255
Acked-by: Luben Tuikov <luben.tuikov@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
@@ -1531,7 +1531,8 @@ u64 amdgpu_bo_gpu_offset_no_check(struct
uint32_t amdgpu_bo_get_preferred_pin_domain(struct amdgpu_device *adev,
uint32_t domain)
{
- if (domain == (AMDGPU_GEM_DOMAIN_VRAM | AMDGPU_GEM_DOMAIN_GTT)) {
+ if ((domain == (AMDGPU_GEM_DOMAIN_VRAM | AMDGPU_GEM_DOMAIN_GTT)) &&
+ ((adev->asic_type == CHIP_CARRIZO) || (adev->asic_type == CHIP_STONEY))) {
domain = AMDGPU_GEM_DOMAIN_VRAM;
if (adev->gmc.real_vram_size <= AMDGPU_SG_THRESHOLD)
domain = AMDGPU_GEM_DOMAIN_GTT;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 690/783] ARM: renumber bits related to _TIF_WORK_MASK
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (688 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 689/783] drm/amdgpu: make display pinning more flexible (v2) Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 691/783] perf/x86/intel/uncore: Generalize I/O stacks to PMON mapping procedure Greg Kroah-Hartman
` (102 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Russell King (Oracle), Jens Axboe, Hui Tang
From: Jens Axboe <axboe@kernel.dk>
commit 191f8453fc99a537ea78b727acea739782378b0d upstream.
We want to ensure that the mask related to calling do_work_pending()
is within the first 16 bits. Move bits unrelated to that outside of
that range, to avoid spuriously calling do_work_pending() when we don't
need to.
Cc: stable@vger.kernel.org
Fixes: 32d59773da38 ("arm: add support for TIF_NOTIFY_SIGNAL")
Reported-and-tested-by: Hui Tang <tanghui20@huawei.com>
Suggested-by: Russell King (Oracle) <linux@armlinux.org.uk>
Link: https://lore.kernel.org/lkml/7ecb8f3c-2aeb-a905-0d4a-aa768b9649b5@huawei.com/
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/include/asm/thread_info.h | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- a/arch/arm/include/asm/thread_info.h
+++ b/arch/arm/include/asm/thread_info.h
@@ -133,15 +133,16 @@ extern int vfp_restore_user_hwstate(stru
#define TIF_NEED_RESCHED 1 /* rescheduling necessary */
#define TIF_NOTIFY_RESUME 2 /* callback before returning to user */
#define TIF_UPROBE 3 /* breakpointed or singlestepping */
-#define TIF_SYSCALL_TRACE 4 /* syscall trace active */
-#define TIF_SYSCALL_AUDIT 5 /* syscall auditing active */
-#define TIF_SYSCALL_TRACEPOINT 6 /* syscall tracepoint instrumentation */
-#define TIF_SECCOMP 7 /* seccomp syscall filtering active */
-#define TIF_NOTIFY_SIGNAL 8 /* signal notifications exist */
+#define TIF_NOTIFY_SIGNAL 4 /* signal notifications exist */
#define TIF_USING_IWMMXT 17
#define TIF_MEMDIE 18 /* is terminating due to OOM killer */
-#define TIF_RESTORE_SIGMASK 20
+#define TIF_RESTORE_SIGMASK 19
+#define TIF_SYSCALL_TRACE 20 /* syscall trace active */
+#define TIF_SYSCALL_AUDIT 21 /* syscall auditing active */
+#define TIF_SYSCALL_TRACEPOINT 22 /* syscall tracepoint instrumentation */
+#define TIF_SECCOMP 23 /* seccomp syscall filtering active */
+
#define _TIF_SIGPENDING (1 << TIF_SIGPENDING)
#define _TIF_NEED_RESCHED (1 << TIF_NEED_RESCHED)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 691/783] perf/x86/intel/uncore: Generalize I/O stacks to PMON mapping procedure
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (689 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 690/783] ARM: renumber bits related to _TIF_WORK_MASK Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 692/783] perf/x86/intel/uncore: Clear attr_update properly Greg Kroah-Hartman
` (101 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Antonov,
Peter Zijlstra (Intel),
Kan Liang, Sasha Levin
From: Alexander Antonov <alexander.antonov@linux.intel.com>
[ Upstream commit f471fac77b41a2573c7b677ef790bf18a0e64195 ]
Currently I/O stacks to IIO PMON mapping is available on Skylake servers
only and need to make code more general to easily enable further platforms.
So, introduce get_topology() callback in struct intel_uncore_type which
allows to move common code to separate function and make mapping procedure
more general.
Signed-off-by: Alexander Antonov <alexander.antonov@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Link: https://lkml.kernel.org/r/20210426131614.16205-2-alexander.antonov@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/intel/uncore.h | 1 +
arch/x86/events/intel/uncore_snbep.c | 28 +++++++++++++++++++++-------
2 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/arch/x86/events/intel/uncore.h b/arch/x86/events/intel/uncore.h
index 9efea154349d..4e2953a9eff0 100644
--- a/arch/x86/events/intel/uncore.h
+++ b/arch/x86/events/intel/uncore.h
@@ -84,6 +84,7 @@ struct intel_uncore_type {
/*
* Optional callbacks for managing mapping of Uncore units to PMONs
*/
+ int (*get_topology)(struct intel_uncore_type *type);
int (*set_mapping)(struct intel_uncore_type *type);
void (*cleanup_mapping)(struct intel_uncore_type *type);
};
diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
index 2fd49cd515f5..03e34a440cdf 100644
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -3643,12 +3643,19 @@ static inline u8 skx_iio_stack(struct intel_uncore_pmu *pmu, int die)
}
static umode_t
-skx_iio_mapping_visible(struct kobject *kobj, struct attribute *attr, int die)
+pmu_iio_mapping_visible(struct kobject *kobj, struct attribute *attr,
+ int die, int zero_bus_pmu)
{
struct intel_uncore_pmu *pmu = dev_to_uncore_pmu(kobj_to_dev(kobj));
- /* Root bus 0x00 is valid only for die 0 AND pmu_idx = 0. */
- return (!skx_iio_stack(pmu, die) && pmu->pmu_idx) ? 0 : attr->mode;
+ return (!skx_iio_stack(pmu, die) && pmu->pmu_idx != zero_bus_pmu) ? 0 : attr->mode;
+}
+
+static umode_t
+skx_iio_mapping_visible(struct kobject *kobj, struct attribute *attr, int die)
+{
+ /* Root bus 0x00 is valid only for pmu_idx = 0. */
+ return pmu_iio_mapping_visible(kobj, attr, die, 0);
}
static ssize_t skx_iio_mapping_show(struct device *dev,
@@ -3740,7 +3747,8 @@ static const struct attribute_group *skx_iio_attr_update[] = {
NULL,
};
-static int skx_iio_set_mapping(struct intel_uncore_type *type)
+static int
+pmu_iio_set_mapping(struct intel_uncore_type *type, struct attribute_group *ag)
{
char buf[64];
int ret;
@@ -3748,8 +3756,8 @@ static int skx_iio_set_mapping(struct intel_uncore_type *type)
struct attribute **attrs = NULL;
struct dev_ext_attribute *eas = NULL;
- ret = skx_iio_get_topology(type);
- if (ret)
+ ret = type->get_topology(type);
+ if (ret < 0)
goto clear_attr_update;
ret = -ENOMEM;
@@ -3775,7 +3783,7 @@ static int skx_iio_set_mapping(struct intel_uncore_type *type)
eas[die].var = (void *)die;
attrs[die] = &eas[die].attr.attr;
}
- skx_iio_mapping_group.attrs = attrs;
+ ag->attrs = attrs;
return 0;
err:
@@ -3791,6 +3799,11 @@ static int skx_iio_set_mapping(struct intel_uncore_type *type)
return ret;
}
+static int skx_iio_set_mapping(struct intel_uncore_type *type)
+{
+ return pmu_iio_set_mapping(type, &skx_iio_mapping_group);
+}
+
static void skx_iio_cleanup_mapping(struct intel_uncore_type *type)
{
struct attribute **attr = skx_iio_mapping_group.attrs;
@@ -3821,6 +3834,7 @@ static struct intel_uncore_type skx_uncore_iio = {
.ops = &skx_uncore_iio_ops,
.format_group = &skx_uncore_iio_format_group,
.attr_update = skx_iio_attr_update,
+ .get_topology = skx_iio_get_topology,
.set_mapping = skx_iio_set_mapping,
.cleanup_mapping = skx_iio_cleanup_mapping,
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 692/783] perf/x86/intel/uncore: Clear attr_update properly
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (690 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 691/783] perf/x86/intel/uncore: Generalize I/O stacks to PMON mapping procedure Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 693/783] btrfs: replace strncpy() with strscpy() Greg Kroah-Hartman
` (100 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Antonov,
Peter Zijlstra (Intel),
Kan Liang, Sasha Levin
From: Alexander Antonov <alexander.antonov@linux.intel.com>
[ Upstream commit 6532783310e2b2f50dc13f46c49aa6546cb6e7a3 ]
Current clear_attr_update procedure in pmu_set_mapping() sets attr_update
field in NULL that is not correct because intel_uncore_type pmu types can
contain several groups in attr_update field. For example, SPR platform
already has uncore_alias_group to update and then UPI topology group will
be added in next patches.
Fix current behavior and clear attr_update group related to mapping only.
Fixes: bb42b3d39781 ("perf/x86/intel/uncore: Expose an Uncore unit to IIO PMON mapping")
Signed-off-by: Alexander Antonov <alexander.antonov@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20221117122833.3103580-4-alexander.antonov@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/intel/uncore_snbep.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/arch/x86/events/intel/uncore_snbep.c b/arch/x86/events/intel/uncore_snbep.c
index 03e34a440cdf..ad084a5a1463 100644
--- a/arch/x86/events/intel/uncore_snbep.c
+++ b/arch/x86/events/intel/uncore_snbep.c
@@ -3747,6 +3747,21 @@ static const struct attribute_group *skx_iio_attr_update[] = {
NULL,
};
+static void pmu_clear_mapping_attr(const struct attribute_group **groups,
+ struct attribute_group *ag)
+{
+ int i;
+
+ for (i = 0; groups[i]; i++) {
+ if (groups[i] == ag) {
+ for (i++; groups[i]; i++)
+ groups[i - 1] = groups[i];
+ groups[i - 1] = NULL;
+ break;
+ }
+ }
+}
+
static int
pmu_iio_set_mapping(struct intel_uncore_type *type, struct attribute_group *ag)
{
@@ -3795,7 +3810,7 @@ pmu_iio_set_mapping(struct intel_uncore_type *type, struct attribute_group *ag)
clear_topology:
kfree(type->topology);
clear_attr_update:
- type->attr_update = NULL;
+ pmu_clear_mapping_attr(type->attr_update, ag);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 693/783] btrfs: replace strncpy() with strscpy()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (691 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 692/783] perf/x86/intel/uncore: Clear attr_update properly Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 694/783] x86/mce: Get rid of msr_ops Greg Kroah-Hartman
` (99 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Artem Chernyshev, David Sterba, Sasha Levin
[ Upstream commit 63d5429f68a3d4c4aa27e65a05196c17f86c41d6 ]
Using strncpy() on NUL-terminated strings are deprecated. To avoid
possible forming of non-terminated string strscpy() should be used.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
CC: stable@vger.kernel.org # 4.9+
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ioctl.c | 9 +++------
fs/btrfs/rcu-string.h | 6 +++++-
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index a17076a05c4d..fc335b5e44df 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3401,13 +3401,10 @@ static long btrfs_ioctl_dev_info(struct btrfs_fs_info *fs_info,
di_args->bytes_used = btrfs_device_get_bytes_used(dev);
di_args->total_bytes = btrfs_device_get_total_bytes(dev);
memcpy(di_args->uuid, dev->uuid, sizeof(di_args->uuid));
- if (dev->name) {
- strncpy(di_args->path, rcu_str_deref(dev->name),
- sizeof(di_args->path) - 1);
- di_args->path[sizeof(di_args->path) - 1] = 0;
- } else {
+ if (dev->name)
+ strscpy(di_args->path, rcu_str_deref(dev->name), sizeof(di_args->path));
+ else
di_args->path[0] = '\0';
- }
out:
rcu_read_unlock();
diff --git a/fs/btrfs/rcu-string.h b/fs/btrfs/rcu-string.h
index 5c1a617eb25d..5c2b66d155ef 100644
--- a/fs/btrfs/rcu-string.h
+++ b/fs/btrfs/rcu-string.h
@@ -18,7 +18,11 @@ static inline struct rcu_string *rcu_string_strdup(const char *src, gfp_t mask)
(len * sizeof(char)), mask);
if (!ret)
return ret;
- strncpy(ret->str, src, len);
+ /* Warn if the source got unexpectedly truncated. */
+ if (WARN_ON(strscpy(ret->str, src, len) < 0)) {
+ kfree(ret);
+ return NULL;
+ }
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 694/783] x86/mce: Get rid of msr_ops
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (692 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 693/783] btrfs: replace strncpy() with strscpy() Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 695/783] x86/MCE/AMD: Clear DFR errors found in THR handler Greg Kroah-Hartman
` (98 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Borislav Petkov, Tony Luck, Sasha Levin
From: Borislav Petkov <bp@suse.de>
[ Upstream commit 8121b8f947be0033f567619be204639a50cad298 ]
Avoid having indirect calls and use a normal function which returns the
proper MSR address based on ->smca setting.
No functional changes.
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Link: https://lkml.kernel.org/r/20210922165101.18951-4-bp@alien8.de
Stable-dep-of: bc1b705b0eee ("x86/MCE/AMD: Clear DFR errors found in THR handler")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/mce/amd.c | 10 ++--
arch/x86/kernel/cpu/mce/core.c | 95 ++++++++++--------------------
arch/x86/kernel/cpu/mce/internal.h | 12 ++--
3 files changed, 42 insertions(+), 75 deletions(-)
diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c
index 09f7c652346a..34ebe1aea1c7 100644
--- a/arch/x86/kernel/cpu/mce/amd.c
+++ b/arch/x86/kernel/cpu/mce/amd.c
@@ -513,7 +513,7 @@ static u32 get_block_address(u32 current_addr, u32 low, u32 high,
/* Fall back to method we used for older processors: */
switch (block) {
case 0:
- addr = msr_ops.misc(bank);
+ addr = mca_msr_reg(bank, MCA_MISC);
break;
case 1:
offset = ((low & MASK_BLKPTR_LO) >> 21);
@@ -965,8 +965,8 @@ static void log_error_deferred(unsigned int bank)
{
bool defrd;
- defrd = _log_error_bank(bank, msr_ops.status(bank),
- msr_ops.addr(bank), 0);
+ defrd = _log_error_bank(bank, mca_msr_reg(bank, MCA_STATUS),
+ mca_msr_reg(bank, MCA_ADDR), 0);
if (!mce_flags.smca)
return;
@@ -996,7 +996,7 @@ static void amd_deferred_error_interrupt(void)
static void log_error_thresholding(unsigned int bank, u64 misc)
{
- _log_error_bank(bank, msr_ops.status(bank), msr_ops.addr(bank), misc);
+ _log_error_bank(bank, mca_msr_reg(bank, MCA_STATUS), mca_msr_reg(bank, MCA_ADDR), misc);
}
static void log_and_reset_block(struct threshold_block *block)
@@ -1384,7 +1384,7 @@ static int threshold_create_bank(struct threshold_bank **bp, unsigned int cpu,
}
}
- err = allocate_threshold_blocks(cpu, b, bank, 0, msr_ops.misc(bank));
+ err = allocate_threshold_blocks(cpu, b, bank, 0, mca_msr_reg(bank, MCA_MISC));
if (err)
goto out_kobj;
diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
index 5cf1a024408b..1906387a0faf 100644
--- a/arch/x86/kernel/cpu/mce/core.c
+++ b/arch/x86/kernel/cpu/mce/core.c
@@ -176,53 +176,27 @@ void mce_unregister_decode_chain(struct notifier_block *nb)
}
EXPORT_SYMBOL_GPL(mce_unregister_decode_chain);
-static inline u32 ctl_reg(int bank)
+u32 mca_msr_reg(int bank, enum mca_msr reg)
{
- return MSR_IA32_MCx_CTL(bank);
-}
-
-static inline u32 status_reg(int bank)
-{
- return MSR_IA32_MCx_STATUS(bank);
-}
-
-static inline u32 addr_reg(int bank)
-{
- return MSR_IA32_MCx_ADDR(bank);
-}
-
-static inline u32 misc_reg(int bank)
-{
- return MSR_IA32_MCx_MISC(bank);
-}
-
-static inline u32 smca_ctl_reg(int bank)
-{
- return MSR_AMD64_SMCA_MCx_CTL(bank);
-}
-
-static inline u32 smca_status_reg(int bank)
-{
- return MSR_AMD64_SMCA_MCx_STATUS(bank);
-}
+ if (mce_flags.smca) {
+ switch (reg) {
+ case MCA_CTL: return MSR_AMD64_SMCA_MCx_CTL(bank);
+ case MCA_ADDR: return MSR_AMD64_SMCA_MCx_ADDR(bank);
+ case MCA_MISC: return MSR_AMD64_SMCA_MCx_MISC(bank);
+ case MCA_STATUS: return MSR_AMD64_SMCA_MCx_STATUS(bank);
+ }
+ }
-static inline u32 smca_addr_reg(int bank)
-{
- return MSR_AMD64_SMCA_MCx_ADDR(bank);
-}
+ switch (reg) {
+ case MCA_CTL: return MSR_IA32_MCx_CTL(bank);
+ case MCA_ADDR: return MSR_IA32_MCx_ADDR(bank);
+ case MCA_MISC: return MSR_IA32_MCx_MISC(bank);
+ case MCA_STATUS: return MSR_IA32_MCx_STATUS(bank);
+ }
-static inline u32 smca_misc_reg(int bank)
-{
- return MSR_AMD64_SMCA_MCx_MISC(bank);
+ return 0;
}
-struct mca_msr_regs msr_ops = {
- .ctl = ctl_reg,
- .status = status_reg,
- .addr = addr_reg,
- .misc = misc_reg
-};
-
static void __print_mce(struct mce *m)
{
pr_emerg(HW_ERR "CPU %d: Machine Check%s: %Lx Bank %d: %016Lx\n",
@@ -371,11 +345,11 @@ static int msr_to_offset(u32 msr)
if (msr == mca_cfg.rip_msr)
return offsetof(struct mce, ip);
- if (msr == msr_ops.status(bank))
+ if (msr == mca_msr_reg(bank, MCA_STATUS))
return offsetof(struct mce, status);
- if (msr == msr_ops.addr(bank))
+ if (msr == mca_msr_reg(bank, MCA_ADDR))
return offsetof(struct mce, addr);
- if (msr == msr_ops.misc(bank))
+ if (msr == mca_msr_reg(bank, MCA_MISC))
return offsetof(struct mce, misc);
if (msr == MSR_IA32_MCG_STATUS)
return offsetof(struct mce, mcgstatus);
@@ -694,10 +668,10 @@ static struct notifier_block mce_default_nb = {
static noinstr void mce_read_aux(struct mce *m, int i)
{
if (m->status & MCI_STATUS_MISCV)
- m->misc = mce_rdmsrl(msr_ops.misc(i));
+ m->misc = mce_rdmsrl(mca_msr_reg(i, MCA_MISC));
if (m->status & MCI_STATUS_ADDRV) {
- m->addr = mce_rdmsrl(msr_ops.addr(i));
+ m->addr = mce_rdmsrl(mca_msr_reg(i, MCA_ADDR));
/*
* Mask the reported address by the reported granularity.
@@ -767,7 +741,7 @@ bool machine_check_poll(enum mcp_flags flags, mce_banks_t *b)
m.bank = i;
barrier();
- m.status = mce_rdmsrl(msr_ops.status(i));
+ m.status = mce_rdmsrl(mca_msr_reg(i, MCA_STATUS));
/* If this entry is not valid, ignore it */
if (!(m.status & MCI_STATUS_VAL))
@@ -835,7 +809,7 @@ bool machine_check_poll(enum mcp_flags flags, mce_banks_t *b)
/*
* Clear state for this bank.
*/
- mce_wrmsrl(msr_ops.status(i), 0);
+ mce_wrmsrl(mca_msr_reg(i, MCA_STATUS), 0);
}
/*
@@ -860,7 +834,7 @@ static int mce_no_way_out(struct mce *m, char **msg, unsigned long *validp,
int i;
for (i = 0; i < this_cpu_read(mce_num_banks); i++) {
- m->status = mce_rdmsrl(msr_ops.status(i));
+ m->status = mce_rdmsrl(mca_msr_reg(i, MCA_STATUS));
if (!(m->status & MCI_STATUS_VAL))
continue;
@@ -1149,7 +1123,7 @@ static void mce_clear_state(unsigned long *toclear)
for (i = 0; i < this_cpu_read(mce_num_banks); i++) {
if (test_bit(i, toclear))
- mce_wrmsrl(msr_ops.status(i), 0);
+ mce_wrmsrl(mca_msr_reg(i, MCA_STATUS), 0);
}
}
@@ -1208,7 +1182,7 @@ static void __mc_scan_banks(struct mce *m, struct pt_regs *regs, struct mce *fin
m->addr = 0;
m->bank = i;
- m->status = mce_rdmsrl(msr_ops.status(i));
+ m->status = mce_rdmsrl(mca_msr_reg(i, MCA_STATUS));
if (!(m->status & MCI_STATUS_VAL))
continue;
@@ -1704,8 +1678,8 @@ static void __mcheck_cpu_init_clear_banks(void)
if (!b->init)
continue;
- wrmsrl(msr_ops.ctl(i), b->ctl);
- wrmsrl(msr_ops.status(i), 0);
+ wrmsrl(mca_msr_reg(i, MCA_CTL), b->ctl);
+ wrmsrl(mca_msr_reg(i, MCA_STATUS), 0);
}
}
@@ -1731,7 +1705,7 @@ static void __mcheck_cpu_check_banks(void)
if (!b->init)
continue;
- rdmsrl(msr_ops.ctl(i), msrval);
+ rdmsrl(mca_msr_reg(i, MCA_CTL), msrval);
b->init = !!msrval;
}
}
@@ -1890,13 +1864,6 @@ static void __mcheck_cpu_init_early(struct cpuinfo_x86 *c)
mce_flags.succor = !!cpu_has(c, X86_FEATURE_SUCCOR);
mce_flags.smca = !!cpu_has(c, X86_FEATURE_SMCA);
mce_flags.amd_threshold = 1;
-
- if (mce_flags.smca) {
- msr_ops.ctl = smca_ctl_reg;
- msr_ops.status = smca_status_reg;
- msr_ops.addr = smca_addr_reg;
- msr_ops.misc = smca_misc_reg;
- }
}
}
@@ -2272,7 +2239,7 @@ static void mce_disable_error_reporting(void)
struct mce_bank *b = &mce_banks[i];
if (b->init)
- wrmsrl(msr_ops.ctl(i), 0);
+ wrmsrl(mca_msr_reg(i, MCA_CTL), 0);
}
return;
}
@@ -2624,7 +2591,7 @@ static void mce_reenable_cpu(void)
struct mce_bank *b = &mce_banks[i];
if (b->init)
- wrmsrl(msr_ops.ctl(i), b->ctl);
+ wrmsrl(mca_msr_reg(i, MCA_CTL), b->ctl);
}
}
diff --git a/arch/x86/kernel/cpu/mce/internal.h b/arch/x86/kernel/cpu/mce/internal.h
index 88dcc79cfb07..3a485c0d5791 100644
--- a/arch/x86/kernel/cpu/mce/internal.h
+++ b/arch/x86/kernel/cpu/mce/internal.h
@@ -168,14 +168,14 @@ struct mce_vendor_flags {
extern struct mce_vendor_flags mce_flags;
-struct mca_msr_regs {
- u32 (*ctl) (int bank);
- u32 (*status) (int bank);
- u32 (*addr) (int bank);
- u32 (*misc) (int bank);
+enum mca_msr {
+ MCA_CTL,
+ MCA_STATUS,
+ MCA_ADDR,
+ MCA_MISC,
};
-extern struct mca_msr_regs msr_ops;
+u32 mca_msr_reg(int bank, enum mca_msr reg);
/* Decide whether to add MCE record to MCE event pool or filter it out. */
extern bool filter_mce(struct mce *m);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 695/783] x86/MCE/AMD: Clear DFR errors found in THR handler
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (693 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 694/783] x86/mce: Get rid of msr_ops Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 696/783] media: s5p-mfc: Fix to handle reference queue during finishing Greg Kroah-Hartman
` (97 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yazen Ghannam, Borislav Petkov, Sasha Levin
From: Yazen Ghannam <yazen.ghannam@amd.com>
[ Upstream commit bc1b705b0eee4c645ad8b3bbff3c8a66e9688362 ]
AMD's MCA Thresholding feature counts errors of all severity levels, not
just correctable errors. If a deferred error causes the threshold limit
to be reached (it was the error that caused the overflow), then both a
deferred error interrupt and a thresholding interrupt will be triggered.
The order of the interrupts is not guaranteed. If the threshold
interrupt handler is executed first, then it will clear MCA_STATUS for
the error. It will not check or clear MCA_DESTAT which also holds a copy
of the deferred error. When the deferred error interrupt handler runs it
will not find an error in MCA_STATUS, but it will find the error in
MCA_DESTAT. This will cause two errors to be logged.
Check for deferred errors when handling a threshold interrupt. If a bank
contains a deferred error, then clear the bank's MCA_DESTAT register.
Define a new helper function to do the deferred error check and clearing
of MCA_DESTAT.
[ bp: Simplify, convert comment to passive voice. ]
Fixes: 37d43acfd79f ("x86/mce/AMD: Redo error logging from APIC LVT interrupt handlers")
Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220621155943.33623-1-yazen.ghannam@amd.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/cpu/mce/amd.c | 33 ++++++++++++++++++++-------------
1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/arch/x86/kernel/cpu/mce/amd.c b/arch/x86/kernel/cpu/mce/amd.c
index 34ebe1aea1c7..4f9b7c1cfc36 100644
--- a/arch/x86/kernel/cpu/mce/amd.c
+++ b/arch/x86/kernel/cpu/mce/amd.c
@@ -952,6 +952,24 @@ _log_error_bank(unsigned int bank, u32 msr_stat, u32 msr_addr, u64 misc)
return status & MCI_STATUS_DEFERRED;
}
+static bool _log_error_deferred(unsigned int bank, u32 misc)
+{
+ if (!_log_error_bank(bank, mca_msr_reg(bank, MCA_STATUS),
+ mca_msr_reg(bank, MCA_ADDR), misc))
+ return false;
+
+ /*
+ * Non-SMCA systems don't have MCA_DESTAT/MCA_DEADDR registers.
+ * Return true here to avoid accessing these registers.
+ */
+ if (!mce_flags.smca)
+ return true;
+
+ /* Clear MCA_DESTAT if the deferred error was logged from MCA_STATUS. */
+ wrmsrl(MSR_AMD64_SMCA_MCx_DESTAT(bank), 0);
+ return true;
+}
+
/*
* We have three scenarios for checking for Deferred errors:
*
@@ -963,19 +981,8 @@ _log_error_bank(unsigned int bank, u32 msr_stat, u32 msr_addr, u64 misc)
*/
static void log_error_deferred(unsigned int bank)
{
- bool defrd;
-
- defrd = _log_error_bank(bank, mca_msr_reg(bank, MCA_STATUS),
- mca_msr_reg(bank, MCA_ADDR), 0);
-
- if (!mce_flags.smca)
- return;
-
- /* Clear MCA_DESTAT if we logged the deferred error from MCA_STATUS. */
- if (defrd) {
- wrmsrl(MSR_AMD64_SMCA_MCx_DESTAT(bank), 0);
+ if (_log_error_deferred(bank, 0))
return;
- }
/*
* Only deferred errors are logged in MCA_DE{STAT,ADDR} so just check
@@ -996,7 +1003,7 @@ static void amd_deferred_error_interrupt(void)
static void log_error_thresholding(unsigned int bank, u64 misc)
{
- _log_error_bank(bank, mca_msr_reg(bank, MCA_STATUS), mca_msr_reg(bank, MCA_ADDR), misc);
+ _log_error_deferred(bank, misc);
}
static void log_and_reset_block(struct threshold_block *block)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 696/783] media: s5p-mfc: Fix to handle reference queue during finishing
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (694 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 695/783] x86/MCE/AMD: Clear DFR errors found in THR handler Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 697/783] media: s5p-mfc: Clear workbit to handle error condition Greg Kroah-Hartman
` (96 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-fsd, Smitha T Murthy,
Hans Verkuil, Sasha Levin
From: Smitha T Murthy <smitha.t@samsung.com>
[ Upstream commit d8a46bc4e1e0446459daa77c4ce14218d32dacf9 ]
On receiving last buffer driver puts MFC to MFCINST_FINISHING state which
in turn skips transferring of frame from SRC to REF queue. This causes
driver to stop MFC encoding and last frame is lost.
This patch guarantees safe handling of frames during MFCINST_FINISHING and
correct clearing of workbit to avoid early stopping of encoding.
Fixes: af9357467810 ("[media] MFC: Add MFC 5.1 V4L2 driver")
Cc: stable@vger.kernel.org
Cc: linux-fsd@tesla.com
Signed-off-by: Smitha T Murthy <smitha.t@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/s5p-mfc/s5p_mfc_enc.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c b/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c
index acc2217dd7e9..62a1ad347fa7 100644
--- a/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc_enc.c
@@ -1218,6 +1218,7 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx)
unsigned long mb_y_addr, mb_c_addr;
int slice_type;
unsigned int strm_size;
+ bool src_ready;
slice_type = s5p_mfc_hw_call(dev->mfc_ops, get_enc_slice_type, dev);
strm_size = s5p_mfc_hw_call(dev->mfc_ops, get_enc_strm_size, dev);
@@ -1257,7 +1258,8 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx)
}
}
}
- if ((ctx->src_queue_cnt > 0) && (ctx->state == MFCINST_RUNNING)) {
+ if (ctx->src_queue_cnt > 0 && (ctx->state == MFCINST_RUNNING ||
+ ctx->state == MFCINST_FINISHING)) {
mb_entry = list_entry(ctx->src_queue.next, struct s5p_mfc_buf,
list);
if (mb_entry->flags & MFC_BUF_FLAG_USED) {
@@ -1288,7 +1290,13 @@ static int enc_post_frame_start(struct s5p_mfc_ctx *ctx)
vb2_set_plane_payload(&mb_entry->b->vb2_buf, 0, strm_size);
vb2_buffer_done(&mb_entry->b->vb2_buf, VB2_BUF_STATE_DONE);
}
- if ((ctx->src_queue_cnt == 0) || (ctx->dst_queue_cnt == 0))
+
+ src_ready = true;
+ if (ctx->state == MFCINST_RUNNING && ctx->src_queue_cnt == 0)
+ src_ready = false;
+ if (ctx->state == MFCINST_FINISHING && ctx->ref_queue_cnt == 0)
+ src_ready = false;
+ if (!src_ready || ctx->dst_queue_cnt == 0)
clear_work_bit(ctx);
return 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 697/783] media: s5p-mfc: Clear workbit to handle error condition
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (695 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 696/783] media: s5p-mfc: Fix to handle reference queue during finishing Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 698/783] media: s5p-mfc: Fix in register read and write for H264 Greg Kroah-Hartman
` (95 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-fsd, Smitha T Murthy,
Hans Verkuil, Sasha Levin
From: Smitha T Murthy <smitha.t@samsung.com>
[ Upstream commit d3f3c2fe54e30b0636496d842ffbb5ad3a547f9b ]
During error on CLOSE_INSTANCE command, ctx_work_bits was not getting
cleared. During consequent mfc execution NULL pointer dereferencing of
this context led to kernel panic. This patch fixes this issue by making
sure to clear ctx_work_bits always.
Fixes: 818cd91ab8c6 ("[media] s5p-mfc: Extract open/close MFC instance commands")
Cc: stable@vger.kernel.org
Cc: linux-fsd@tesla.com
Signed-off-by: Smitha T Murthy <smitha.t@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c b/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c
index da138c314963..58822ec5370e 100644
--- a/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c
@@ -468,8 +468,10 @@ void s5p_mfc_close_mfc_inst(struct s5p_mfc_dev *dev, struct s5p_mfc_ctx *ctx)
s5p_mfc_hw_call(dev->mfc_ops, try_run, dev);
/* Wait until instance is returned or timeout occurred */
if (s5p_mfc_wait_for_done_ctx(ctx,
- S5P_MFC_R2H_CMD_CLOSE_INSTANCE_RET, 0))
+ S5P_MFC_R2H_CMD_CLOSE_INSTANCE_RET, 0)){
+ clear_work_bit_irqsave(ctx);
mfc_err("Err returning instance\n");
+ }
/* Free resources */
s5p_mfc_hw_call(dev->mfc_ops, release_codec_buffers, ctx);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 698/783] media: s5p-mfc: Fix in register read and write for H264
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (696 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 697/783] media: s5p-mfc: Clear workbit to handle error condition Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 699/783] perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor Greg Kroah-Hartman
` (94 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-fsd, Smitha T Murthy,
Hans Verkuil, Sasha Levin
From: Smitha T Murthy <smitha.t@samsung.com>
[ Upstream commit 06710cd5d2436135046898d7e4b9408c8bb99446 ]
Few of the H264 encoder registers written were not getting reflected
since the read values were not stored and getting overwritten.
Fixes: 6a9c6f681257 ("[media] s5p-mfc: Add variants to access mfc registers")
Cc: stable@vger.kernel.org
Cc: linux-fsd@tesla.com
Signed-off-by: Smitha T Murthy <smitha.t@samsung.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c b/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c
index a1453053e31a..ef8169f6c428 100644
--- a/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc_opr_v6.c
@@ -1060,7 +1060,7 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx)
}
/* aspect ratio VUI */
- readl(mfc_regs->e_h264_options);
+ reg = readl(mfc_regs->e_h264_options);
reg &= ~(0x1 << 5);
reg |= ((p_h264->vui_sar & 0x1) << 5);
writel(reg, mfc_regs->e_h264_options);
@@ -1083,7 +1083,7 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx)
/* intra picture period for H.264 open GOP */
/* control */
- readl(mfc_regs->e_h264_options);
+ reg = readl(mfc_regs->e_h264_options);
reg &= ~(0x1 << 4);
reg |= ((p_h264->open_gop & 0x1) << 4);
writel(reg, mfc_regs->e_h264_options);
@@ -1097,23 +1097,23 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx)
}
/* 'WEIGHTED_BI_PREDICTION' for B is disable */
- readl(mfc_regs->e_h264_options);
+ reg = readl(mfc_regs->e_h264_options);
reg &= ~(0x3 << 9);
writel(reg, mfc_regs->e_h264_options);
/* 'CONSTRAINED_INTRA_PRED_ENABLE' is disable */
- readl(mfc_regs->e_h264_options);
+ reg = readl(mfc_regs->e_h264_options);
reg &= ~(0x1 << 14);
writel(reg, mfc_regs->e_h264_options);
/* ASO */
- readl(mfc_regs->e_h264_options);
+ reg = readl(mfc_regs->e_h264_options);
reg &= ~(0x1 << 6);
reg |= ((p_h264->aso & 0x1) << 6);
writel(reg, mfc_regs->e_h264_options);
/* hier qp enable */
- readl(mfc_regs->e_h264_options);
+ reg = readl(mfc_regs->e_h264_options);
reg &= ~(0x1 << 8);
reg |= ((p_h264->open_gop & 0x1) << 8);
writel(reg, mfc_regs->e_h264_options);
@@ -1134,7 +1134,7 @@ static int s5p_mfc_set_enc_params_h264(struct s5p_mfc_ctx *ctx)
writel(reg, mfc_regs->e_h264_num_t_layer);
/* frame packing SEI generation */
- readl(mfc_regs->e_h264_options);
+ reg = readl(mfc_regs->e_h264_options);
reg &= ~(0x1 << 25);
reg |= ((p_h264->sei_frame_packing & 0x1) << 25);
writel(reg, mfc_regs->e_h264_options);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 699/783] perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (697 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 698/783] media: s5p-mfc: Fix in register read and write for H264 Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 700/783] perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data Greg Kroah-Hartman
` (93 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Namhyung Kim,
Alexander Shishkin, Ingo Molnar, Jiri Olsa, Mark Rutland,
Peter Zijlstra, Steven Rostedt (VMware),
Arnaldo Carvalho de Melo, Sasha Levin
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Upstream commit f828929ab7f0dc3353e4a617f94f297fa8f3dec3 ]
Use dwarf_attr_integrate() instead of dwarf_attr() for generic attribute
acccessor functions, so that it can find the specified attribute from
abstact origin DIE etc.
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
Link: https://lore.kernel.org/r/166731051988.2100653.13595339994343449770.stgit@devnote3
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Stable-dep-of: a9dfc46c67b5 ("perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/dwarf-aux.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
index 4343356f3cf9..dc02685a1eec 100644
--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -308,7 +308,7 @@ static int die_get_attr_udata(Dwarf_Die *tp_die, unsigned int attr_name,
{
Dwarf_Attribute attr;
- if (dwarf_attr(tp_die, attr_name, &attr) == NULL ||
+ if (dwarf_attr_integrate(tp_die, attr_name, &attr) == NULL ||
dwarf_formudata(&attr, result) != 0)
return -ENOENT;
@@ -321,7 +321,7 @@ static int die_get_attr_sdata(Dwarf_Die *tp_die, unsigned int attr_name,
{
Dwarf_Attribute attr;
- if (dwarf_attr(tp_die, attr_name, &attr) == NULL ||
+ if (dwarf_attr_integrate(tp_die, attr_name, &attr) == NULL ||
dwarf_formsdata(&attr, result) != 0)
return -ENOENT;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 700/783] perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (698 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 699/783] perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 701/783] x86/kprobes: Convert to insn_decode() Greg Kroah-Hartman
` (92 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Namhyung Kim,
Alexander Shishkin, Ingo Molnar, Jiri Olsa, Mark Rutland,
Masami Hiramatsu, Peter Zijlstra, Steven Rostedt (VMware),
Arnaldo Carvalho de Melo, Sasha Levin
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Upstream commit a9dfc46c67b52ad43b8e335e28f4cf8002c67793 ]
DWARF version 5 standard Sec 2.14 says that
Any debugging information entry representing the declaration of an object,
module, subprogram or type may have DW_AT_decl_file, DW_AT_decl_line and
DW_AT_decl_column attributes, each of whose value is an unsigned integer
constant.
So it should be an unsigned integer data. Also, even though the standard
doesn't clearly say the DW_AT_call_file is signed or unsigned, the
elfutils (eu-readelf) interprets it as unsigned integer data and it is
natural to handle it as unsigned integer data as same as DW_AT_decl_file.
This changes the DW_AT_call_file as unsigned integer data too.
Fixes: 3f4460a28fb2f73d ("perf probe: Filter out redundant inline-instances")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org
Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
Link: https://lore.kernel.org/r/166761727445.480106.3738447577082071942.stgit@devnote3
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/dwarf-aux.c | 21 ++++-----------------
1 file changed, 4 insertions(+), 17 deletions(-)
diff --git a/tools/perf/util/dwarf-aux.c b/tools/perf/util/dwarf-aux.c
index dc02685a1eec..f8a10d5148f6 100644
--- a/tools/perf/util/dwarf-aux.c
+++ b/tools/perf/util/dwarf-aux.c
@@ -315,19 +315,6 @@ static int die_get_attr_udata(Dwarf_Die *tp_die, unsigned int attr_name,
return 0;
}
-/* Get attribute and translate it as a sdata */
-static int die_get_attr_sdata(Dwarf_Die *tp_die, unsigned int attr_name,
- Dwarf_Sword *result)
-{
- Dwarf_Attribute attr;
-
- if (dwarf_attr_integrate(tp_die, attr_name, &attr) == NULL ||
- dwarf_formsdata(&attr, result) != 0)
- return -ENOENT;
-
- return 0;
-}
-
/**
* die_is_signed_type - Check whether a type DIE is signed or not
* @tp_die: a DIE of a type
@@ -467,9 +454,9 @@ int die_get_data_member_location(Dwarf_Die *mb_die, Dwarf_Word *offs)
/* Get the call file index number in CU DIE */
static int die_get_call_fileno(Dwarf_Die *in_die)
{
- Dwarf_Sword idx;
+ Dwarf_Word idx;
- if (die_get_attr_sdata(in_die, DW_AT_call_file, &idx) == 0)
+ if (die_get_attr_udata(in_die, DW_AT_call_file, &idx) == 0)
return (int)idx;
else
return -ENOENT;
@@ -478,9 +465,9 @@ static int die_get_call_fileno(Dwarf_Die *in_die)
/* Get the declared file index number in CU DIE */
static int die_get_decl_fileno(Dwarf_Die *pdie)
{
- Dwarf_Sword idx;
+ Dwarf_Word idx;
- if (die_get_attr_sdata(pdie, DW_AT_decl_file, &idx) == 0)
+ if (die_get_attr_udata(pdie, DW_AT_decl_file, &idx) == 0)
return (int)idx;
else
return -ENOENT;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 701/783] x86/kprobes: Convert to insn_decode()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (699 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 700/783] perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 702/783] x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK Greg Kroah-Hartman
` (91 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Borislav Petkov, Masami Hiramatsu,
Sasha Levin
From: Borislav Petkov <bp@suse.de>
[ Upstream commit 77e768ec1391dc0d6cd89822aa60b9a1c1bd8128 ]
Simplify code, improve decoding error checking.
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Link: https://lkml.kernel.org/r/20210304174237.31945-12-bp@alien8.de
Stable-dep-of: 63dc6325ff41 ("x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/kprobes/core.c | 17 +++++++++++------
arch/x86/kernel/kprobes/opt.c | 9 +++++++--
2 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
index 97e1d2a9898f..5de757099186 100644
--- a/arch/x86/kernel/kprobes/core.c
+++ b/arch/x86/kernel/kprobes/core.c
@@ -293,6 +293,8 @@ static int can_probe(unsigned long paddr)
/* Decode instructions */
addr = paddr - offset;
while (addr < paddr) {
+ int ret;
+
/*
* Check if the instruction has been modified by another
* kprobe, in which case we replace the breakpoint by the
@@ -304,8 +306,10 @@ static int can_probe(unsigned long paddr)
__addr = recover_probed_instruction(buf, addr);
if (!__addr)
return 0;
- kernel_insn_init(&insn, (void *)__addr, MAX_INSN_SIZE);
- insn_get_length(&insn);
+
+ ret = insn_decode(&insn, (void *)__addr, MAX_INSN_SIZE, INSN_MODE_KERN);
+ if (ret < 0)
+ return 0;
#ifdef CONFIG_KGDB
/*
@@ -351,8 +355,8 @@ static int is_IF_modifier(kprobe_opcode_t *insn)
int __copy_instruction(u8 *dest, u8 *src, u8 *real, struct insn *insn)
{
kprobe_opcode_t buf[MAX_INSN_SIZE];
- unsigned long recovered_insn =
- recover_probed_instruction(buf, (unsigned long)src);
+ unsigned long recovered_insn = recover_probed_instruction(buf, (unsigned long)src);
+ int ret;
if (!recovered_insn || !insn)
return 0;
@@ -362,8 +366,9 @@ int __copy_instruction(u8 *dest, u8 *src, u8 *real, struct insn *insn)
MAX_INSN_SIZE))
return 0;
- kernel_insn_init(insn, dest, MAX_INSN_SIZE);
- insn_get_length(insn);
+ ret = insn_decode(insn, dest, MAX_INSN_SIZE, INSN_MODE_KERN);
+ if (ret < 0)
+ return 0;
/* We can not probe force emulate prefixed instruction */
if (insn_has_emulate_prefix(insn))
diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
index 08eb23074f92..4299fc865732 100644
--- a/arch/x86/kernel/kprobes/opt.c
+++ b/arch/x86/kernel/kprobes/opt.c
@@ -312,6 +312,8 @@ static int can_optimize(unsigned long paddr)
addr = paddr - offset;
while (addr < paddr - offset + size) { /* Decode until function end */
unsigned long recovered_insn;
+ int ret;
+
if (search_exception_tables(addr))
/*
* Since some fixup code will jumps into this function,
@@ -321,8 +323,11 @@ static int can_optimize(unsigned long paddr)
recovered_insn = recover_probed_instruction(buf, addr);
if (!recovered_insn)
return 0;
- kernel_insn_init(&insn, (void *)recovered_insn, MAX_INSN_SIZE);
- insn_get_length(&insn);
+
+ ret = insn_decode(&insn, (void *)recovered_insn, MAX_INSN_SIZE, INSN_MODE_KERN);
+ if (ret < 0)
+ return 0;
+
/*
* In the case of detecting unknown breakpoint, this could be
* a padding INT3 between functions. Let's check that all the
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 702/783] x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (700 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 701/783] x86/kprobes: Convert to insn_decode() Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 703/783] staging: media: tegra-video: fix device_node use after free Greg Kroah-Hartman
` (90 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra,
Masami Hiramatsu (Google),
Sasha Levin
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
[ Upstream commit 63dc6325ff41ee9e570bde705ac34a39c5dbeb44 ]
Since the CONFIG_RETHUNK and CONFIG_SLS will use INT3 for stopping
speculative execution after function return, kprobe jump optimization
always fails on the functions with such INT3 inside the function body.
(It already checks the INT3 padding between functions, but not inside
the function)
To avoid this issue, as same as kprobes, check whether the INT3 comes
from kgdb or not, and if so, stop decoding and make it fail. The other
INT3 will come from CONFIG_RETHUNK/CONFIG_SLS and those can be
treated as a one-byte instruction.
Fixes: e463a09af2f0 ("x86: Add straight-line-speculation mitigation")
Suggested-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/167146051929.1374301.7419382929328081706.stgit@devnote3
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/kprobes/opt.c | 28 ++++++++--------------------
1 file changed, 8 insertions(+), 20 deletions(-)
diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
index 4299fc865732..3d6201492006 100644
--- a/arch/x86/kernel/kprobes/opt.c
+++ b/arch/x86/kernel/kprobes/opt.c
@@ -15,6 +15,7 @@
#include <linux/extable.h>
#include <linux/kdebug.h>
#include <linux/kallsyms.h>
+#include <linux/kgdb.h>
#include <linux/ftrace.h>
#include <linux/objtool.h>
#include <linux/pgtable.h>
@@ -272,19 +273,6 @@ static int insn_is_indirect_jump(struct insn *insn)
return ret;
}
-static bool is_padding_int3(unsigned long addr, unsigned long eaddr)
-{
- unsigned char ops;
-
- for (; addr < eaddr; addr++) {
- if (get_kernel_nofault(ops, (void *)addr) < 0 ||
- ops != INT3_INSN_OPCODE)
- return false;
- }
-
- return true;
-}
-
/* Decode whole function to ensure any instructions don't jump into target */
static int can_optimize(unsigned long paddr)
{
@@ -327,15 +315,15 @@ static int can_optimize(unsigned long paddr)
ret = insn_decode(&insn, (void *)recovered_insn, MAX_INSN_SIZE, INSN_MODE_KERN);
if (ret < 0)
return 0;
-
+#ifdef CONFIG_KGDB
/*
- * In the case of detecting unknown breakpoint, this could be
- * a padding INT3 between functions. Let's check that all the
- * rest of the bytes are also INT3.
+ * If there is a dynamically installed kgdb sw breakpoint,
+ * this function should not be probed.
*/
- if (insn.opcode.bytes[0] == INT3_INSN_OPCODE)
- return is_padding_int3(addr, paddr - offset + size) ? 1 : 0;
-
+ if (insn.opcode.bytes[0] == INT3_INSN_OPCODE &&
+ kgdb_has_hit_break(addr))
+ return 0;
+#endif
/* Recover address */
insn.kaddr = (void *)addr;
insn.next_byte = (void *)(addr + insn.length);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 703/783] staging: media: tegra-video: fix device_node use after free
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (701 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 702/783] x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK Greg Kroah-Hartman
@ 2023-01-12 13:56 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 704/783] ravb: Fix "failed to switch device to config mode" message during unbind Greg Kroah-Hartman
` (89 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sowjanya Komatineni, Luca Ceresoli,
Hans Verkuil, Sasha Levin
From: Luca Ceresoli <luca.ceresoli@bootlin.com>
[ Upstream commit c4d344163c3a7f90712525f931a6c016bbb35e18 ]
At probe time this code path is followed:
* tegra_csi_init
* tegra_csi_channels_alloc
* for_each_child_of_node(node, channel) -- iterates over channels
* automatically gets 'channel'
* tegra_csi_channel_alloc()
* saves into chan->of_node a pointer to the channel OF node
* automatically gets and puts 'channel'
* now the node saved in chan->of_node has refcount 0, can disappear
* tegra_csi_channels_init
* iterates over channels
* tegra_csi_channel_init -- uses chan->of_node
After that, chan->of_node keeps storing the node until the device is
removed.
of_node_get() the node and of_node_put() it during teardown to avoid any
risk.
Fixes: 1ebaeb09830f ("media: tegra-video: Add support for external sensor capture")
Cc: stable@vger.kernel.org
Cc: Sowjanya Komatineni <skomatineni@nvidia.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/tegra-video/csi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/media/tegra-video/csi.c b/drivers/staging/media/tegra-video/csi.c
index edfdf6db457d..dc5d432a09e8 100644
--- a/drivers/staging/media/tegra-video/csi.c
+++ b/drivers/staging/media/tegra-video/csi.c
@@ -420,7 +420,7 @@ static int tegra_csi_channel_alloc(struct tegra_csi *csi,
chan->csi = csi;
chan->csi_port_num = port_num;
chan->numlanes = lanes;
- chan->of_node = node;
+ chan->of_node = of_node_get(node);
chan->numpads = num_pads;
if (num_pads & 0x2) {
chan->pads[0].flags = MEDIA_PAD_FL_SINK;
@@ -621,6 +621,7 @@ static void tegra_csi_channels_cleanup(struct tegra_csi *csi)
media_entity_cleanup(&subdev->entity);
}
+ of_node_put(chan->of_node);
list_del(&chan->list);
kfree(chan);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 704/783] ravb: Fix "failed to switch device to config mode" message during unbind
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (702 preceding siblings ...)
2023-01-12 13:56 ` [PATCH 5.10 703/783] staging: media: tegra-video: fix device_node use after free Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 705/783] riscv/stacktrace: Fix stack output without ra on the stack top Greg Kroah-Hartman
` (88 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Biju Das, Leon Romanovsky,
Paolo Abeni, Sasha Levin
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit c72a7e42592b2e18d862cf120876070947000d7a ]
This patch fixes the error "ravb 11c20000.ethernet eth0: failed to switch
device to config mode" during unbind.
We are doing register access after pm_runtime_put_sync().
We usually do cleanup in reverse order of init. Currently in
remove(), the "pm_runtime_put_sync" is not in reverse order.
Probe
reset_control_deassert(rstc);
pm_runtime_enable(&pdev->dev);
pm_runtime_get_sync(&pdev->dev);
remove
pm_runtime_put_sync(&pdev->dev);
unregister_netdev(ndev);
..
ravb_mdio_release(priv);
pm_runtime_disable(&pdev->dev);
Consider the call to unregister_netdev()
unregister_netdev->unregister_netdevice_queue->rollback_registered_many
that calls the below functions which access the registers after
pm_runtime_put_sync()
1) ravb_get_stats
2) ravb_close
Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Cc: stable@vger.kernel.org
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/20221214105118.2495313-1-biju.das.jz@bp.renesas.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/renesas/ravb_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
index 9e7b85e178fd..9ec6d63691aa 100644
--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -2253,11 +2253,11 @@ static int ravb_remove(struct platform_device *pdev)
priv->desc_bat_dma);
/* Set reset mode */
ravb_write(ndev, CCC_OPC_RESET, CCC);
- pm_runtime_put_sync(&pdev->dev);
unregister_netdev(ndev);
netif_napi_del(&priv->napi[RAVB_NC]);
netif_napi_del(&priv->napi[RAVB_BE]);
ravb_mdio_release(priv);
+ pm_runtime_put_sync(&pdev->dev);
pm_runtime_disable(&pdev->dev);
free_netdev(ndev);
platform_set_drvdata(pdev, NULL);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 705/783] riscv/stacktrace: Fix stack output without ra on the stack top
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (703 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 704/783] ravb: Fix "failed to switch device to config mode" message during unbind Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 706/783] riscv: stacktrace: Fixup ftrace_graph_ret_addr retp argument Greg Kroah-Hartman
` (87 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chen Huang, Kefeng Wang,
Palmer Dabbelt, Sasha Levin
From: Chen Huang <chenhuang5@huawei.com>
[ Upstream commit f766f77a74f5784d8d4d3c36b1900731f97d08d0 ]
When a function doesn't have a callee, then it will not
push ra into the stack, such as lkdtm_BUG() function,
addi sp,sp,-16
sd s0,8(sp)
addi s0,sp,16
ebreak
The struct stackframe use {fp,ra} to get information from
stack, if walk_stackframe() with pr_regs, we will obtain
wrong value and bad stacktrace,
[<ffffffe00066c56c>] lkdtm_BUG+0x6/0x8
---[ end trace 18da3fbdf08e25d5 ]---
Correct the next fp and pc, after that, full stacktrace
shown as expects,
[<ffffffe00066c56c>] lkdtm_BUG+0x6/0x8
[<ffffffe0008b24a4>] lkdtm_do_action+0x14/0x1c
[<ffffffe00066c372>] direct_entry+0xc0/0x10a
[<ffffffe000439f86>] full_proxy_write+0x42/0x6a
[<ffffffe000309626>] vfs_write+0x7e/0x214
[<ffffffe00030992a>] ksys_write+0x98/0xc0
[<ffffffe000309960>] sys_write+0xe/0x16
[<ffffffe0002014bc>] ret_from_syscall+0x0/0x2
---[ end trace 61917f3d9a9fadcd ]---
Signed-off-by: Chen Huang <chenhuang5@huawei.com>
Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
Stable-dep-of: 5c3022e4a616 ("riscv: stacktrace: Fixup ftrace_graph_ret_addr retp argument")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kernel/stacktrace.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
index 595342910c3f..6cbde6b43fd2 100644
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -57,9 +57,15 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
/* Unwind stack frame */
frame = (struct stackframe *)fp - 1;
sp = fp;
- fp = frame->fp;
- pc = ftrace_graph_ret_addr(current, NULL, frame->ra,
- (unsigned long *)(fp - 8));
+ if (regs && (regs->epc == pc) && (frame->fp & 0x7)) {
+ fp = frame->ra;
+ pc = regs->ra;
+ } else {
+ fp = frame->fp;
+ pc = ftrace_graph_ret_addr(current, NULL, frame->ra,
+ (unsigned long *)(fp - 8));
+ }
+
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 706/783] riscv: stacktrace: Fixup ftrace_graph_ret_addr retp argument
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (704 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 705/783] riscv/stacktrace: Fix stack output without ra on the stack top Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 707/783] ext4: goto right label failed_mount3a Greg Kroah-Hartman
` (86 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guo Ren, Guo Ren, Palmer Dabbelt,
Sasha Levin
From: Guo Ren <guoren@linux.alibaba.com>
[ Upstream commit 5c3022e4a616d800cf5f4c3a981d7992179e44a1 ]
The 'retp' is a pointer to the return address on the stack, so we
must pass the current return address pointer as the 'retp'
argument to ftrace_push_return_trace(). Not parent function's
return address on the stack.
Fixes: b785ec129bd9 ("riscv/ftrace: Add HAVE_FUNCTION_GRAPH_RET_ADDR_PTR support")
Signed-off-by: Guo Ren <guoren@linux.alibaba.com>
Signed-off-by: Guo Ren <guoren@kernel.org>
Link: https://lore.kernel.org/r/20221109064937.3643993-2-guoren@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/kernel/stacktrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
index 6cbde6b43fd2..1e53fbe5eb78 100644
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -63,7 +63,7 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
} else {
fp = frame->fp;
pc = ftrace_graph_ret_addr(current, NULL, frame->ra,
- (unsigned long *)(fp - 8));
+ &frame->ra);
}
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 707/783] ext4: goto right label failed_mount3a
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (705 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 706/783] riscv: stacktrace: Fixup ftrace_graph_ret_addr retp argument Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 708/783] ext4: correct inconsistent error msg in nojournal mode Greg Kroah-Hartman
` (85 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Yan, Jan Kara,
Ritesh Harjani (IBM),
Theodore Tso, Sasha Levin
From: Jason Yan <yanaijie@huawei.com>
[ Upstream commit 43bd6f1b49b61f43de4d4e33661b8dbe8c911f14 ]
Before these two branches neither loaded the journal nor created the
xattr cache. So the right label to goto is 'failed_mount3a'. Although
this did not cause any issues because the error handler validated if the
pointer is null. However this still made me confused when reading
the code. So it's still worth to modify to goto the right label.
Signed-off-by: Jason Yan <yanaijie@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20220916141527.1012715-2-yanaijie@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 89481b5fa8c0 ("ext4: correct inconsistent error msg in nojournal mode")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/super.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index aa7bcc856de9..eb82c1d4883c 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4809,30 +4809,30 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
ext4_has_feature_journal_needs_recovery(sb)) {
ext4_msg(sb, KERN_ERR, "required journal recovery "
"suppressed and not mounted read-only");
- goto failed_mount_wq;
+ goto failed_mount3a;
} else {
/* Nojournal mode, all journal mount options are illegal */
if (test_opt2(sb, EXPLICIT_JOURNAL_CHECKSUM)) {
ext4_msg(sb, KERN_ERR, "can't mount with "
"journal_checksum, fs mounted w/o journal");
- goto failed_mount_wq;
+ goto failed_mount3a;
}
if (test_opt(sb, JOURNAL_ASYNC_COMMIT)) {
ext4_msg(sb, KERN_ERR, "can't mount with "
"journal_async_commit, fs mounted w/o journal");
- goto failed_mount_wq;
+ goto failed_mount3a;
}
if (sbi->s_commit_interval != JBD2_DEFAULT_MAX_COMMIT_AGE*HZ) {
ext4_msg(sb, KERN_ERR, "can't mount with "
"commit=%lu, fs mounted w/o journal",
sbi->s_commit_interval / HZ);
- goto failed_mount_wq;
+ goto failed_mount3a;
}
if (EXT4_MOUNT_DATA_FLAGS &
(sbi->s_mount_opt ^ sbi->s_def_mount_opt)) {
ext4_msg(sb, KERN_ERR, "can't mount with "
"data=, fs mounted w/o journal");
- goto failed_mount_wq;
+ goto failed_mount3a;
}
sbi->s_def_mount_opt &= ~EXT4_MOUNT_JOURNAL_CHECKSUM;
clear_opt(sb, JOURNAL_CHECKSUM);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 708/783] ext4: correct inconsistent error msg in nojournal mode
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (706 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 707/783] ext4: goto right label failed_mount3a Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 709/783] mm/highmem: Lift memcpy_[to|from]_page to core Greg Kroah-Hartman
` (84 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Theodore Tso,
stable, Sasha Levin
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 89481b5fa8c0640e62ba84c6020cee895f7ac643 ]
When we used the journal_async_commit mounting option in nojournal mode,
the kernel told me that "can't mount with journal_checksum", was very
confusing. I find that when we mount with journal_async_commit, both the
JOURNAL_ASYNC_COMMIT and EXPLICIT_JOURNAL_CHECKSUM flags are set. However,
in the error branch, CHECKSUM is checked before ASYNC_COMMIT. As a result,
the above inconsistency occurs, and the ASYNC_COMMIT branch becomes dead
code that cannot be executed. Therefore, we exchange the positions of the
two judgments to make the error msg more accurate.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20221109074343.4184862-1-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/super.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index eb82c1d4883c..43f06a71d612 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4812,14 +4812,15 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
goto failed_mount3a;
} else {
/* Nojournal mode, all journal mount options are illegal */
- if (test_opt2(sb, EXPLICIT_JOURNAL_CHECKSUM)) {
+ if (test_opt(sb, JOURNAL_ASYNC_COMMIT)) {
ext4_msg(sb, KERN_ERR, "can't mount with "
- "journal_checksum, fs mounted w/o journal");
+ "journal_async_commit, fs mounted w/o journal");
goto failed_mount3a;
}
- if (test_opt(sb, JOURNAL_ASYNC_COMMIT)) {
+
+ if (test_opt2(sb, EXPLICIT_JOURNAL_CHECKSUM)) {
ext4_msg(sb, KERN_ERR, "can't mount with "
- "journal_async_commit, fs mounted w/o journal");
+ "journal_checksum, fs mounted w/o journal");
goto failed_mount3a;
}
if (sbi->s_commit_interval != JBD2_DEFAULT_MAX_COMMIT_AGE*HZ) {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 709/783] mm/highmem: Lift memcpy_[to|from]_page to core
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (707 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 708/783] ext4: correct inconsistent error msg in nojournal mode Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 710/783] ext4: use memcpy_to_page() in pagecache_write() Greg Kroah-Hartman
` (83 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Pismenny, Or Gerlitz,
Dave Hansen, Matthew Wilcox, Christoph Hellwig, Dan Williams,
Al Viro, Eric Biggers, Chaitanya Kulkarni, Christoph Hellwig,
Ira Weiny, David Sterba, Sasha Levin
From: Ira Weiny <ira.weiny@intel.com>
[ Upstream commit bb90d4bc7b6a536b2e4db45f4763e467c2008251 ]
Working through a conversion to a call kmap_local_page() instead of
kmap() revealed many places where the pattern kmap/memcpy/kunmap
occurred.
Eric Biggers, Matthew Wilcox, Christoph Hellwig, Dan Williams, and Al
Viro all suggested putting this code into helper functions. Al Viro
further pointed out that these functions already existed in the iov_iter
code.[1]
Various locations for the lifted functions were considered.
Headers like mm.h or string.h seem ok but don't really portray the
functionality well. pagemap.h made some sense but is for page cache
functionality.[2]
Another alternative would be to create a new header for the promoted
memcpy functions, but it masks the fact that these are designed to copy
to/from pages using the kernel direct mappings and complicates matters
with a new header.
Placing these functions in 'highmem.h' is suboptimal especially with the
changes being proposed in the functionality of kmap. From a caller
perspective including/using 'highmem.h' implies that the functions
defined in that header are only required when highmem is in use which is
increasingly not the case with modern processors. However, highmem.h is
where all the current functions like this reside (zero_user(),
clear_highpage(), clear_user_highpage(), copy_user_highpage(), and
copy_highpage()). So it makes the most sense even though it is
distasteful for some.[3]
Lift memcpy_to_page() and memcpy_from_page() to pagemap.h.
[1] https://lore.kernel.org/lkml/20201013200149.GI3576660@ZenIV.linux.org.uk/
https://lore.kernel.org/lkml/20201013112544.GA5249@infradead.org/
[2] https://lore.kernel.org/lkml/20201208122316.GH7338@casper.infradead.org/
[3] https://lore.kernel.org/lkml/20201013200149.GI3576660@ZenIV.linux.org.uk/#t
https://lore.kernel.org/lkml/20201208163814.GN1563847@iweiny-DESK2.sc.intel.com/
Cc: Boris Pismenny <borisp@mellanox.com>
Cc: Or Gerlitz <gerlitz.or@gmail.com>
Cc: Dave Hansen <dave.hansen@intel.com>
Suggested-by: Matthew Wilcox <willy@infradead.org>
Suggested-by: Christoph Hellwig <hch@infradead.org>
Suggested-by: Dan Williams <dan.j.williams@intel.com>
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Suggested-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 956510c0c743 ("fs: ext4: initialize fsdata in pagecache_write()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/highmem.h | 18 ++++++++++++++++++
lib/iov_iter.c | 14 --------------
2 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/include/linux/highmem.h b/include/linux/highmem.h
index 14e6202ce47f..b25df1f8d48d 100644
--- a/include/linux/highmem.h
+++ b/include/linux/highmem.h
@@ -345,4 +345,22 @@ static inline void copy_highpage(struct page *to, struct page *from)
#endif
+static inline void memcpy_from_page(char *to, struct page *page,
+ size_t offset, size_t len)
+{
+ char *from = kmap_atomic(page);
+
+ memcpy(to, from + offset, len);
+ kunmap_atomic(from);
+}
+
+static inline void memcpy_to_page(struct page *page, size_t offset,
+ const char *from, size_t len)
+{
+ char *to = kmap_atomic(page);
+
+ memcpy(to + offset, from, len);
+ kunmap_atomic(to);
+}
+
#endif /* _LINUX_HIGHMEM_H */
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 650554964f18..6e30113303ba 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -467,20 +467,6 @@ void iov_iter_init(struct iov_iter *i, unsigned int direction,
}
EXPORT_SYMBOL(iov_iter_init);
-static void memcpy_from_page(char *to, struct page *page, size_t offset, size_t len)
-{
- char *from = kmap_atomic(page);
- memcpy(to, from + offset, len);
- kunmap_atomic(from);
-}
-
-static void memcpy_to_page(struct page *page, size_t offset, const char *from, size_t len)
-{
- char *to = kmap_atomic(page);
- memcpy(to + offset, from, len);
- kunmap_atomic(to);
-}
-
static void memzero_page(struct page *page, size_t offset, size_t len)
{
char *addr = kmap_atomic(page);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 710/783] ext4: use memcpy_to_page() in pagecache_write()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (708 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 709/783] mm/highmem: Lift memcpy_[to|from]_page to core Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 711/783] fs: ext4: initialize fsdata " Greg Kroah-Hartman
` (82 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chaitanya Kulkarni, Theodore Tso,
Sasha Levin
From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
[ Upstream commit bd256fda92efe97b692dc72e246d35fa724d42d8 ]
Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Link: https://lore.kernel.org/r/20210207190425.38107-7-chaitanya.kulkarni@wdc.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 956510c0c743 ("fs: ext4: initialize fsdata in pagecache_write()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/verity.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/fs/ext4/verity.c b/fs/ext4/verity.c
index 35be8e7ec2a0..130070ec491b 100644
--- a/fs/ext4/verity.c
+++ b/fs/ext4/verity.c
@@ -80,7 +80,6 @@ static int pagecache_write(struct inode *inode, const void *buf, size_t count,
PAGE_SIZE - offset_in_page(pos));
struct page *page;
void *fsdata;
- void *addr;
int res;
res = pagecache_write_begin(NULL, inode->i_mapping, pos, n, 0,
@@ -88,9 +87,7 @@ static int pagecache_write(struct inode *inode, const void *buf, size_t count,
if (res)
return res;
- addr = kmap_atomic(page);
- memcpy(addr + offset_in_page(pos), buf, n);
- kunmap_atomic(addr);
+ memcpy_to_page(page, offset_in_page(pos), buf, n);
res = pagecache_write_end(NULL, inode->i_mapping, pos, n, n,
page, fsdata);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 711/783] fs: ext4: initialize fsdata in pagecache_write()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (709 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 710/783] ext4: use memcpy_to_page() in pagecache_write() Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 712/783] ext4: move functions in super.c Greg Kroah-Hartman
` (81 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers,
syzbot+9767be679ef5016b6082, Alexander Potapenko, Eric Biggers,
Theodore Tso, stable, Sasha Levin
From: Alexander Potapenko <glider@google.com>
[ Upstream commit 956510c0c7439e90b8103aaeaf4da92878c622f0 ]
When aops->write_begin() does not initialize fsdata, KMSAN reports
an error passing the latter to aops->write_end().
Fix this by unconditionally initializing fsdata.
Cc: Eric Biggers <ebiggers@kernel.org>
Fixes: c93d8f885809 ("ext4: add basic fs-verity support")
Reported-by: syzbot+9767be679ef5016b6082@syzkaller.appspotmail.com
Signed-off-by: Alexander Potapenko <glider@google.com>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20221121112134.407362-1-glider@google.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/verity.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/verity.c b/fs/ext4/verity.c
index 130070ec491b..e3019f920222 100644
--- a/fs/ext4/verity.c
+++ b/fs/ext4/verity.c
@@ -79,7 +79,7 @@ static int pagecache_write(struct inode *inode, const void *buf, size_t count,
size_t n = min_t(size_t, count,
PAGE_SIZE - offset_in_page(pos));
struct page *page;
- void *fsdata;
+ void *fsdata = NULL;
int res;
res = pagecache_write_begin(NULL, inode->i_mapping, pos, n, 0,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 712/783] ext4: move functions in super.c
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (710 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 711/783] fs: ext4: initialize fsdata " Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 713/783] ext4: simplify ext4 error translation Greg Kroah-Hartman
` (80 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Andreas Dilger,
Theodore Tso, Sasha Levin
From: Jan Kara <jack@suse.cz>
[ Upstream commit 4067662388f97d0f360e568820d9d5bac6a3c9fa ]
Just move error info related functions in super.c close to
ext4_handle_error(). We'll want to combine save_error_info() with
ext4_handle_error() and this makes change more obvious and saves a
forward declaration as well. No functional change.
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://lore.kernel.org/r/20201127113405.26867-6-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/super.c | 196 ++++++++++++++++++++++++------------------------
1 file changed, 98 insertions(+), 98 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 43f06a71d612..982341939a27 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -417,104 +417,6 @@ static time64_t __ext4_get_tstamp(__le32 *lo, __u8 *hi)
#define ext4_get_tstamp(es, tstamp) \
__ext4_get_tstamp(&(es)->tstamp, &(es)->tstamp ## _hi)
-static void __save_error_info(struct super_block *sb, int error,
- __u32 ino, __u64 block,
- const char *func, unsigned int line)
-{
- struct ext4_super_block *es = EXT4_SB(sb)->s_es;
- int err;
-
- EXT4_SB(sb)->s_mount_state |= EXT4_ERROR_FS;
- if (bdev_read_only(sb->s_bdev))
- return;
- es->s_state |= cpu_to_le16(EXT4_ERROR_FS);
- ext4_update_tstamp(es, s_last_error_time);
- strncpy(es->s_last_error_func, func, sizeof(es->s_last_error_func));
- es->s_last_error_line = cpu_to_le32(line);
- es->s_last_error_ino = cpu_to_le32(ino);
- es->s_last_error_block = cpu_to_le64(block);
- switch (error) {
- case EIO:
- err = EXT4_ERR_EIO;
- break;
- case ENOMEM:
- err = EXT4_ERR_ENOMEM;
- break;
- case EFSBADCRC:
- err = EXT4_ERR_EFSBADCRC;
- break;
- case 0:
- case EFSCORRUPTED:
- err = EXT4_ERR_EFSCORRUPTED;
- break;
- case ENOSPC:
- err = EXT4_ERR_ENOSPC;
- break;
- case ENOKEY:
- err = EXT4_ERR_ENOKEY;
- break;
- case EROFS:
- err = EXT4_ERR_EROFS;
- break;
- case EFBIG:
- err = EXT4_ERR_EFBIG;
- break;
- case EEXIST:
- err = EXT4_ERR_EEXIST;
- break;
- case ERANGE:
- err = EXT4_ERR_ERANGE;
- break;
- case EOVERFLOW:
- err = EXT4_ERR_EOVERFLOW;
- break;
- case EBUSY:
- err = EXT4_ERR_EBUSY;
- break;
- case ENOTDIR:
- err = EXT4_ERR_ENOTDIR;
- break;
- case ENOTEMPTY:
- err = EXT4_ERR_ENOTEMPTY;
- break;
- case ESHUTDOWN:
- err = EXT4_ERR_ESHUTDOWN;
- break;
- case EFAULT:
- err = EXT4_ERR_EFAULT;
- break;
- default:
- err = EXT4_ERR_UNKNOWN;
- }
- es->s_last_error_errcode = err;
- if (!es->s_first_error_time) {
- es->s_first_error_time = es->s_last_error_time;
- es->s_first_error_time_hi = es->s_last_error_time_hi;
- strncpy(es->s_first_error_func, func,
- sizeof(es->s_first_error_func));
- es->s_first_error_line = cpu_to_le32(line);
- es->s_first_error_ino = es->s_last_error_ino;
- es->s_first_error_block = es->s_last_error_block;
- es->s_first_error_errcode = es->s_last_error_errcode;
- }
- /*
- * Start the daily error reporting function if it hasn't been
- * started already
- */
- if (!es->s_error_count)
- mod_timer(&EXT4_SB(sb)->s_err_report, jiffies + 24*60*60*HZ);
- le32_add_cpu(&es->s_error_count, 1);
-}
-
-static void save_error_info(struct super_block *sb, int error,
- __u32 ino, __u64 block,
- const char *func, unsigned int line)
-{
- __save_error_info(sb, error, ino, block, func, line);
- if (!bdev_read_only(sb->s_bdev))
- ext4_commit_super(sb, 1);
-}
-
/*
* The del_gendisk() function uninitializes the disk-specific data
* structures, including the bdi structure, without telling anyone
@@ -643,6 +545,104 @@ static bool system_going_down(void)
|| system_state == SYSTEM_RESTART;
}
+static void __save_error_info(struct super_block *sb, int error,
+ __u32 ino, __u64 block,
+ const char *func, unsigned int line)
+{
+ struct ext4_super_block *es = EXT4_SB(sb)->s_es;
+ int err;
+
+ EXT4_SB(sb)->s_mount_state |= EXT4_ERROR_FS;
+ if (bdev_read_only(sb->s_bdev))
+ return;
+ es->s_state |= cpu_to_le16(EXT4_ERROR_FS);
+ ext4_update_tstamp(es, s_last_error_time);
+ strncpy(es->s_last_error_func, func, sizeof(es->s_last_error_func));
+ es->s_last_error_line = cpu_to_le32(line);
+ es->s_last_error_ino = cpu_to_le32(ino);
+ es->s_last_error_block = cpu_to_le64(block);
+ switch (error) {
+ case EIO:
+ err = EXT4_ERR_EIO;
+ break;
+ case ENOMEM:
+ err = EXT4_ERR_ENOMEM;
+ break;
+ case EFSBADCRC:
+ err = EXT4_ERR_EFSBADCRC;
+ break;
+ case 0:
+ case EFSCORRUPTED:
+ err = EXT4_ERR_EFSCORRUPTED;
+ break;
+ case ENOSPC:
+ err = EXT4_ERR_ENOSPC;
+ break;
+ case ENOKEY:
+ err = EXT4_ERR_ENOKEY;
+ break;
+ case EROFS:
+ err = EXT4_ERR_EROFS;
+ break;
+ case EFBIG:
+ err = EXT4_ERR_EFBIG;
+ break;
+ case EEXIST:
+ err = EXT4_ERR_EEXIST;
+ break;
+ case ERANGE:
+ err = EXT4_ERR_ERANGE;
+ break;
+ case EOVERFLOW:
+ err = EXT4_ERR_EOVERFLOW;
+ break;
+ case EBUSY:
+ err = EXT4_ERR_EBUSY;
+ break;
+ case ENOTDIR:
+ err = EXT4_ERR_ENOTDIR;
+ break;
+ case ENOTEMPTY:
+ err = EXT4_ERR_ENOTEMPTY;
+ break;
+ case ESHUTDOWN:
+ err = EXT4_ERR_ESHUTDOWN;
+ break;
+ case EFAULT:
+ err = EXT4_ERR_EFAULT;
+ break;
+ default:
+ err = EXT4_ERR_UNKNOWN;
+ }
+ es->s_last_error_errcode = err;
+ if (!es->s_first_error_time) {
+ es->s_first_error_time = es->s_last_error_time;
+ es->s_first_error_time_hi = es->s_last_error_time_hi;
+ strncpy(es->s_first_error_func, func,
+ sizeof(es->s_first_error_func));
+ es->s_first_error_line = cpu_to_le32(line);
+ es->s_first_error_ino = es->s_last_error_ino;
+ es->s_first_error_block = es->s_last_error_block;
+ es->s_first_error_errcode = es->s_last_error_errcode;
+ }
+ /*
+ * Start the daily error reporting function if it hasn't been
+ * started already
+ */
+ if (!es->s_error_count)
+ mod_timer(&EXT4_SB(sb)->s_err_report, jiffies + 24*60*60*HZ);
+ le32_add_cpu(&es->s_error_count, 1);
+}
+
+static void save_error_info(struct super_block *sb, int error,
+ __u32 ino, __u64 block,
+ const char *func, unsigned int line)
+{
+ __save_error_info(sb, error, ino, block, func, line);
+ if (!bdev_read_only(sb->s_bdev))
+ ext4_commit_super(sb, 1);
+}
+
/* Deal with the reporting of failure conditions on a filesystem such as
* inconsistencies detected or read IO failures.
*
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 713/783] ext4: simplify ext4 error translation
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (711 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 712/783] ext4: move functions in super.c Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 714/783] ext4: fix various seppling typos Greg Kroah-Hartman
` (79 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Andreas Dilger,
Theodore Tso, Sasha Levin
From: Jan Kara <jack@suse.cz>
[ Upstream commit 02a7780e4d2fcf438ac6773bc469e7ada2af56be ]
We convert errno's to ext4 on-disk format error codes in
save_error_info(). Add a function and a bit of macro magic to make this
simpler.
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://lore.kernel.org/r/20201127113405.26867-7-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/super.c | 95 +++++++++++++++++++++----------------------------
1 file changed, 40 insertions(+), 55 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 982341939a27..ced84ed4e592 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -545,76 +545,61 @@ static bool system_going_down(void)
|| system_state == SYSTEM_RESTART;
}
+struct ext4_err_translation {
+ int code;
+ int errno;
+};
+
+#define EXT4_ERR_TRANSLATE(err) { .code = EXT4_ERR_##err, .errno = err }
+
+static struct ext4_err_translation err_translation[] = {
+ EXT4_ERR_TRANSLATE(EIO),
+ EXT4_ERR_TRANSLATE(ENOMEM),
+ EXT4_ERR_TRANSLATE(EFSBADCRC),
+ EXT4_ERR_TRANSLATE(EFSCORRUPTED),
+ EXT4_ERR_TRANSLATE(ENOSPC),
+ EXT4_ERR_TRANSLATE(ENOKEY),
+ EXT4_ERR_TRANSLATE(EROFS),
+ EXT4_ERR_TRANSLATE(EFBIG),
+ EXT4_ERR_TRANSLATE(EEXIST),
+ EXT4_ERR_TRANSLATE(ERANGE),
+ EXT4_ERR_TRANSLATE(EOVERFLOW),
+ EXT4_ERR_TRANSLATE(EBUSY),
+ EXT4_ERR_TRANSLATE(ENOTDIR),
+ EXT4_ERR_TRANSLATE(ENOTEMPTY),
+ EXT4_ERR_TRANSLATE(ESHUTDOWN),
+ EXT4_ERR_TRANSLATE(EFAULT),
+};
+
+static int ext4_errno_to_code(int errno)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(err_translation); i++)
+ if (err_translation[i].errno == errno)
+ return err_translation[i].code;
+ return EXT4_ERR_UNKNOWN;
+}
+
static void __save_error_info(struct super_block *sb, int error,
__u32 ino, __u64 block,
const char *func, unsigned int line)
{
struct ext4_super_block *es = EXT4_SB(sb)->s_es;
- int err;
EXT4_SB(sb)->s_mount_state |= EXT4_ERROR_FS;
if (bdev_read_only(sb->s_bdev))
return;
+ /* We default to EFSCORRUPTED error... */
+ if (error == 0)
+ error = EFSCORRUPTED;
es->s_state |= cpu_to_le16(EXT4_ERROR_FS);
ext4_update_tstamp(es, s_last_error_time);
strncpy(es->s_last_error_func, func, sizeof(es->s_last_error_func));
es->s_last_error_line = cpu_to_le32(line);
es->s_last_error_ino = cpu_to_le32(ino);
es->s_last_error_block = cpu_to_le64(block);
- switch (error) {
- case EIO:
- err = EXT4_ERR_EIO;
- break;
- case ENOMEM:
- err = EXT4_ERR_ENOMEM;
- break;
- case EFSBADCRC:
- err = EXT4_ERR_EFSBADCRC;
- break;
- case 0:
- case EFSCORRUPTED:
- err = EXT4_ERR_EFSCORRUPTED;
- break;
- case ENOSPC:
- err = EXT4_ERR_ENOSPC;
- break;
- case ENOKEY:
- err = EXT4_ERR_ENOKEY;
- break;
- case EROFS:
- err = EXT4_ERR_EROFS;
- break;
- case EFBIG:
- err = EXT4_ERR_EFBIG;
- break;
- case EEXIST:
- err = EXT4_ERR_EEXIST;
- break;
- case ERANGE:
- err = EXT4_ERR_ERANGE;
- break;
- case EOVERFLOW:
- err = EXT4_ERR_EOVERFLOW;
- break;
- case EBUSY:
- err = EXT4_ERR_EBUSY;
- break;
- case ENOTDIR:
- err = EXT4_ERR_ENOTDIR;
- break;
- case ENOTEMPTY:
- err = EXT4_ERR_ENOTEMPTY;
- break;
- case ESHUTDOWN:
- err = EXT4_ERR_ESHUTDOWN;
- break;
- case EFAULT:
- err = EXT4_ERR_EFAULT;
- break;
- default:
- err = EXT4_ERR_UNKNOWN;
- }
- es->s_last_error_errcode = err;
+ es->s_last_error_errcode = ext4_errno_to_code(error);
if (!es->s_first_error_time) {
es->s_first_error_time = es->s_last_error_time;
es->s_first_error_time_hi = es->s_last_error_time_hi;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 714/783] ext4: fix various seppling typos
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (712 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 713/783] ext4: simplify ext4 error translation Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 715/783] ext4: fix leaking uninitialized memory in fast-commit journal Greg Kroah-Hartman
` (78 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bhaskar Chowdhury, Theodore Tso,
Sasha Levin
From: Bhaskar Chowdhury <unixbhaskar@gmail.com>
[ Upstream commit 3088e5a5153cda27ec26461e5edf2821e15e802c ]
Signed-off-by: Bhaskar Chowdhury <unixbhaskar@gmail.com>
Link: https://lore.kernel.org/r/cover.1616840203.git.unixbhaskar@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/fast_commit.c | 2 +-
fs/ext4/indirect.c | 2 +-
fs/ext4/inline.c | 2 +-
fs/ext4/inode.c | 2 +-
fs/ext4/mballoc.h | 2 +-
fs/ext4/migrate.c | 6 +++---
fs/ext4/namei.c | 2 +-
fs/ext4/xattr.c | 2 +-
8 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
index 41dcf21558c4..3b2d6106a703 100644
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -66,7 +66,7 @@
* Fast Commit Ineligibility
* -------------------------
* Not all operations are supported by fast commits today (e.g extended
- * attributes). Fast commit ineligiblity is marked by calling one of the
+ * attributes). Fast commit ineligibility is marked by calling one of the
* two following functions:
*
* - ext4_fc_mark_ineligible(): This makes next fast commit operation to fall
diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c
index b7d130f4b5e4..237983cd8cdc 100644
--- a/fs/ext4/indirect.c
+++ b/fs/ext4/indirect.c
@@ -712,7 +712,7 @@ static int ext4_ind_trunc_restart_fn(handle_t *handle, struct inode *inode,
/*
* Truncate transactions can be complex and absolutely huge. So we need to
- * be able to restart the transaction at a conventient checkpoint to make
+ * be able to restart the transaction at a convenient checkpoint to make
* sure we don't overflow the journal.
*
* Try to extend this transaction for the purposes of truncation. If
diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
index 88bd1d1cca23..77377befbb1c 100644
--- a/fs/ext4/inline.c
+++ b/fs/ext4/inline.c
@@ -799,7 +799,7 @@ ext4_journalled_write_inline_data(struct inode *inode,
* clear the inode state safely.
* 2. The inode has inline data, then we need to read the data, make it
* update and dirty so that ext4_da_writepages can handle it. We don't
- * need to start the journal since the file's metatdata isn't changed now.
+ * need to start the journal since the file's metadata isn't changed now.
*/
static int ext4_da_convert_inline_data_to_extent(struct address_space *mapping,
struct inode *inode,
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index d7dbe1eb9da0..2d3004b3fc56 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3885,7 +3885,7 @@ static int __ext4_block_zero_page_range(handle_t *handle,
* starting from file offset 'from'. The range to be zero'd must
* be contained with in one block. If the specified range exceeds
* the end of the block it will be shortened to end of the block
- * that cooresponds to 'from'
+ * that corresponds to 'from'
*/
static int ext4_block_zero_page_range(handle_t *handle,
struct address_space *mapping, loff_t from, loff_t length)
diff --git a/fs/ext4/mballoc.h b/fs/ext4/mballoc.h
index e75b4749aa1c..7be6288e48ec 100644
--- a/fs/ext4/mballoc.h
+++ b/fs/ext4/mballoc.h
@@ -59,7 +59,7 @@
* by the stream allocator, which purpose is to pack requests
* as close each to other as possible to produce smooth I/O traffic
* We use locality group prealloc space for stream request.
- * We can tune the same via /proc/fs/ext4/<parition>/stream_req
+ * We can tune the same via /proc/fs/ext4/<partition>/stream_req
*/
#define MB_DEFAULT_STREAM_THRESHOLD 16 /* 64K */
diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c
index 4bfe2252d9a4..b0ea646454ac 100644
--- a/fs/ext4/migrate.c
+++ b/fs/ext4/migrate.c
@@ -32,7 +32,7 @@ static int finish_range(handle_t *handle, struct inode *inode,
newext.ee_block = cpu_to_le32(lb->first_block);
newext.ee_len = cpu_to_le16(lb->last_block - lb->first_block + 1);
ext4_ext_store_pblock(&newext, lb->first_pblock);
- /* Locking only for convinience since we are operating on temp inode */
+ /* Locking only for convenience since we are operating on temp inode */
down_write(&EXT4_I(inode)->i_data_sem);
path = ext4_find_extent(inode, lb->first_block, NULL, 0);
if (IS_ERR(path)) {
@@ -43,8 +43,8 @@ static int finish_range(handle_t *handle, struct inode *inode,
/*
* Calculate the credit needed to inserting this extent
- * Since we are doing this in loop we may accumalate extra
- * credit. But below we try to not accumalate too much
+ * Since we are doing this in loop we may accumulate extra
+ * credit. But below we try to not accumulate too much
* of them by restarting the journal.
*/
needed = ext4_ext_calc_credits_for_single_extent(inode,
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index c17d5f399f9e..ce4962bb62bc 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -995,7 +995,7 @@ static int ext4_htree_next_block(struct inode *dir, __u32 hash,
* If the hash is 1, then continue only if the next page has a
* continuation hash of any value. This is used for readdir
* handling. Otherwise, check to see if the hash matches the
- * desired contiuation hash. If it doesn't, return since
+ * desired continuation hash. If it doesn't, return since
* there's no point to read in the successive index pages.
*/
bhash = dx_get_hash(p->at);
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 795ef72f0d3c..74d045b426dd 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1617,7 +1617,7 @@ static int ext4_xattr_set_entry(struct ext4_xattr_info *i,
* If storing the value in an external inode is an option,
* reserve space for xattr entries/names in the external
* attribute block so that a long value does not occupy the
- * whole space and prevent futher entries being added.
+ * whole space and prevent further entries being added.
*/
if (ext4_has_feature_ea_inode(inode->i_sb) &&
new_size && is_block &&
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 715/783] ext4: fix leaking uninitialized memory in fast-commit journal
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (713 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 714/783] ext4: fix various seppling typos Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 716/783] ext4: use kmemdup() to replace kmalloc + memcpy Greg Kroah-Hartman
` (77 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Biggers, Theodore Tso, Sasha Levin
From: Eric Biggers <ebiggers@google.com>
[ Upstream commit 594bc43b410316d70bb42aeff168837888d96810 ]
When space at the end of fast-commit journal blocks is unused, make sure
to zero it out so that uninitialized memory is not leaked to disk.
Fixes: aa75f4d3daae ("ext4: main fast-commit commit path")
Cc: <stable@vger.kernel.org> # v5.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20221106224841.279231-4-ebiggers@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/fast_commit.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
index 3b2d6106a703..eaa26477bceb 100644
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -628,6 +628,9 @@ static u8 *ext4_fc_reserve_space(struct super_block *sb, int len, u32 *crc)
*crc = ext4_chksum(sbi, *crc, tl, sizeof(*tl));
if (pad_len > 0)
ext4_fc_memzero(sb, tl + 1, pad_len, crc);
+ /* Don't leak uninitialized memory in the unused last byte. */
+ *((u8 *)(tl + 1) + pad_len) = 0;
+
ext4_fc_submit_bh(sb);
ret = jbd2_fc_get_buf(EXT4_SB(sb)->s_journal, &bh);
@@ -684,6 +687,8 @@ static int ext4_fc_write_tail(struct super_block *sb, u32 crc)
dst += sizeof(tail.fc_tid);
tail.fc_crc = cpu_to_le32(crc);
ext4_fc_memcpy(sb, dst, &tail.fc_crc, sizeof(tail.fc_crc), NULL);
+ dst += sizeof(tail.fc_crc);
+ memset(dst, 0, bsize - off); /* Don't leak uninitialized memory. */
ext4_fc_submit_bh(sb);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 716/783] ext4: use kmemdup() to replace kmalloc + memcpy
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (714 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 715/783] ext4: fix leaking uninitialized memory in fast-commit journal Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 717/783] mbcache: dont reclaim used entries Greg Kroah-Hartman
` (76 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuqi Zhang, Ritesh Harjani,
Theodore Tso, Sasha Levin
From: Shuqi Zhang <zhangshuqi3@huawei.com>
[ Upstream commit 4efd9f0d120c55b08852ee5605dbb02a77089a5d ]
Replace kmalloc + memcpy with kmemdup()
Signed-off-by: Shuqi Zhang <zhangshuqi3@huawei.com>
Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20220525030120.803330-1-zhangshuqi3@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a44e84a9b776 ("ext4: fix deadlock due to mbcache entry corruption")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/xattr.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 74d045b426dd..0b682c92bfe9 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1890,11 +1890,10 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode,
unlock_buffer(bs->bh);
ea_bdebug(bs->bh, "cloning");
- s->base = kmalloc(bs->bh->b_size, GFP_NOFS);
+ s->base = kmemdup(BHDR(bs->bh), bs->bh->b_size, GFP_NOFS);
error = -ENOMEM;
if (s->base == NULL)
goto cleanup;
- memcpy(s->base, BHDR(bs->bh), bs->bh->b_size);
s->first = ENTRY(header(s->base)+1);
header(s->base)->h_refcount = cpu_to_le32(1);
s->here = ENTRY(s->base + offset);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 717/783] mbcache: dont reclaim used entries
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (715 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 716/783] ext4: use kmemdup() to replace kmalloc + memcpy Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 718/783] mbcache: add functions to delete entry if unused Greg Kroah-Hartman
` (75 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Theodore Tso, Sasha Levin
From: Jan Kara <jack@suse.cz>
[ Upstream commit 58318914186c157477b978b1739dfe2f1b9dc0fe ]
Do not reclaim entries that are currently used by somebody from a
shrinker. Firstly, these entries are likely useful. Secondly, we will
need to keep such entries to protect pending increment of xattr block
refcount.
CC: stable@vger.kernel.org
Fixes: 82939d7999df ("ext4: convert to mbcache2")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220712105436.32204-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a44e84a9b776 ("ext4: fix deadlock due to mbcache entry corruption")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/mbcache.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/mbcache.c b/fs/mbcache.c
index 97c54d3a2227..cfc28129fb6f 100644
--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -288,7 +288,7 @@ static unsigned long mb_cache_shrink(struct mb_cache *cache,
while (nr_to_scan-- && !list_empty(&cache->c_list)) {
entry = list_first_entry(&cache->c_list,
struct mb_cache_entry, e_list);
- if (entry->e_referenced) {
+ if (entry->e_referenced || atomic_read(&entry->e_refcnt) > 2) {
entry->e_referenced = 0;
list_move_tail(&entry->e_list, &cache->c_list);
continue;
@@ -302,6 +302,14 @@ static unsigned long mb_cache_shrink(struct mb_cache *cache,
spin_unlock(&cache->c_list_lock);
head = mb_cache_entry_head(cache, entry->e_key);
hlist_bl_lock(head);
+ /* Now a reliable check if the entry didn't get used... */
+ if (atomic_read(&entry->e_refcnt) > 2) {
+ hlist_bl_unlock(head);
+ spin_lock(&cache->c_list_lock);
+ list_add_tail(&entry->e_list, &cache->c_list);
+ cache->c_entry_count++;
+ continue;
+ }
if (!hlist_bl_unhashed(&entry->e_hash_list)) {
hlist_bl_del_init(&entry->e_hash_list);
atomic_dec(&entry->e_refcnt);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 718/783] mbcache: add functions to delete entry if unused
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (716 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 717/783] mbcache: dont reclaim used entries Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 719/783] ext4: remove EA inode entry from mbcache on inode eviction Greg Kroah-Hartman
` (74 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Theodore Tso, Sasha Levin
From: Jan Kara <jack@suse.cz>
[ Upstream commit 3dc96bba65f53daa217f0a8f43edad145286a8f5 ]
Add function mb_cache_entry_delete_or_get() to delete mbcache entry if
it is unused and also add a function to wait for entry to become unused
- mb_cache_entry_wait_unused(). We do not share code between the two
deleting function as one of them will go away soon.
CC: stable@vger.kernel.org
Fixes: 82939d7999df ("ext4: convert to mbcache2")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220712105436.32204-2-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a44e84a9b776 ("ext4: fix deadlock due to mbcache entry corruption")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/mbcache.c | 66 +++++++++++++++++++++++++++++++++++++++--
include/linux/mbcache.h | 10 ++++++-
2 files changed, 73 insertions(+), 3 deletions(-)
diff --git a/fs/mbcache.c b/fs/mbcache.c
index cfc28129fb6f..2010bc80a3f2 100644
--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -11,7 +11,7 @@
/*
* Mbcache is a simple key-value store. Keys need not be unique, however
* key-value pairs are expected to be unique (we use this fact in
- * mb_cache_entry_delete()).
+ * mb_cache_entry_delete_or_get()).
*
* Ext2 and ext4 use this cache for deduplication of extended attribute blocks.
* Ext4 also uses it for deduplication of xattr values stored in inodes.
@@ -125,6 +125,19 @@ void __mb_cache_entry_free(struct mb_cache_entry *entry)
}
EXPORT_SYMBOL(__mb_cache_entry_free);
+/*
+ * mb_cache_entry_wait_unused - wait to be the last user of the entry
+ *
+ * @entry - entry to work on
+ *
+ * Wait to be the last user of the entry.
+ */
+void mb_cache_entry_wait_unused(struct mb_cache_entry *entry)
+{
+ wait_var_event(&entry->e_refcnt, atomic_read(&entry->e_refcnt) <= 3);
+}
+EXPORT_SYMBOL(mb_cache_entry_wait_unused);
+
static struct mb_cache_entry *__entry_find(struct mb_cache *cache,
struct mb_cache_entry *entry,
u32 key)
@@ -217,7 +230,7 @@ struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key,
}
EXPORT_SYMBOL(mb_cache_entry_get);
-/* mb_cache_entry_delete - remove a cache entry
+/* mb_cache_entry_delete - try to remove a cache entry
* @cache - cache we work with
* @key - key
* @value - value
@@ -254,6 +267,55 @@ void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value)
}
EXPORT_SYMBOL(mb_cache_entry_delete);
+/* mb_cache_entry_delete_or_get - remove a cache entry if it has no users
+ * @cache - cache we work with
+ * @key - key
+ * @value - value
+ *
+ * Remove entry from cache @cache with key @key and value @value. The removal
+ * happens only if the entry is unused. The function returns NULL in case the
+ * entry was successfully removed or there's no entry in cache. Otherwise the
+ * function grabs reference of the entry that we failed to delete because it
+ * still has users and return it.
+ */
+struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache,
+ u32 key, u64 value)
+{
+ struct hlist_bl_node *node;
+ struct hlist_bl_head *head;
+ struct mb_cache_entry *entry;
+
+ head = mb_cache_entry_head(cache, key);
+ hlist_bl_lock(head);
+ hlist_bl_for_each_entry(entry, node, head, e_hash_list) {
+ if (entry->e_key == key && entry->e_value == value) {
+ if (atomic_read(&entry->e_refcnt) > 2) {
+ atomic_inc(&entry->e_refcnt);
+ hlist_bl_unlock(head);
+ return entry;
+ }
+ /* We keep hash list reference to keep entry alive */
+ hlist_bl_del_init(&entry->e_hash_list);
+ hlist_bl_unlock(head);
+ spin_lock(&cache->c_list_lock);
+ if (!list_empty(&entry->e_list)) {
+ list_del_init(&entry->e_list);
+ if (!WARN_ONCE(cache->c_entry_count == 0,
+ "mbcache: attempt to decrement c_entry_count past zero"))
+ cache->c_entry_count--;
+ atomic_dec(&entry->e_refcnt);
+ }
+ spin_unlock(&cache->c_list_lock);
+ mb_cache_entry_put(cache, entry);
+ return NULL;
+ }
+ }
+ hlist_bl_unlock(head);
+
+ return NULL;
+}
+EXPORT_SYMBOL(mb_cache_entry_delete_or_get);
+
/* mb_cache_entry_touch - cache entry got used
* @cache - cache the entry belongs to
* @entry - entry that got used
diff --git a/include/linux/mbcache.h b/include/linux/mbcache.h
index 20f1e3ff6013..8eca7f25c432 100644
--- a/include/linux/mbcache.h
+++ b/include/linux/mbcache.h
@@ -30,15 +30,23 @@ void mb_cache_destroy(struct mb_cache *cache);
int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key,
u64 value, bool reusable);
void __mb_cache_entry_free(struct mb_cache_entry *entry);
+void mb_cache_entry_wait_unused(struct mb_cache_entry *entry);
static inline int mb_cache_entry_put(struct mb_cache *cache,
struct mb_cache_entry *entry)
{
- if (!atomic_dec_and_test(&entry->e_refcnt))
+ unsigned int cnt = atomic_dec_return(&entry->e_refcnt);
+
+ if (cnt > 0) {
+ if (cnt <= 3)
+ wake_up_var(&entry->e_refcnt);
return 0;
+ }
__mb_cache_entry_free(entry);
return 1;
}
+struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache,
+ u32 key, u64 value);
void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value);
struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key,
u64 value);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 719/783] ext4: remove EA inode entry from mbcache on inode eviction
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (717 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 718/783] mbcache: add functions to delete entry if unused Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 720/783] ext4: unindent codeblock in ext4_xattr_block_set() Greg Kroah-Hartman
` (73 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Theodore Tso, Sasha Levin
From: Jan Kara <jack@suse.cz>
[ Upstream commit 6bc0d63dad7f9f54d381925ee855b402f652fa39 ]
Currently we remove EA inode from mbcache as soon as its xattr refcount
drops to zero. However there can be pending attempts to reuse the inode
and thus refcount handling code has to handle the situation when
refcount increases from zero anyway. So save some work and just keep EA
inode in mbcache until it is getting evicted. At that moment we are sure
following iget() of EA inode will fail anyway (or wait for eviction to
finish and load things from the disk again) and so removing mbcache
entry at that moment is fine and simplifies the code a bit.
CC: stable@vger.kernel.org
Fixes: 82939d7999df ("ext4: convert to mbcache2")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220712105436.32204-3-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a44e84a9b776 ("ext4: fix deadlock due to mbcache entry corruption")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/inode.c | 2 ++
fs/ext4/xattr.c | 24 ++++++++----------------
fs/ext4/xattr.h | 1 +
3 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 2d3004b3fc56..355343cf4609 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -179,6 +179,8 @@ void ext4_evict_inode(struct inode *inode)
trace_ext4_evict_inode(inode);
+ if (EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)
+ ext4_evict_ea_inode(inode);
if (inode->i_nlink) {
/*
* When journalling data dirty buffers are tracked only in the
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 0b682c92bfe9..0555f32f0fd4 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -436,6 +436,14 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino,
return err;
}
+/* Remove entry from mbcache when EA inode is getting evicted */
+void ext4_evict_ea_inode(struct inode *inode)
+{
+ if (EA_INODE_CACHE(inode))
+ mb_cache_entry_delete(EA_INODE_CACHE(inode),
+ ext4_xattr_inode_get_hash(inode), inode->i_ino);
+}
+
static int
ext4_xattr_inode_verify_hashes(struct inode *ea_inode,
struct ext4_xattr_entry *entry, void *buffer,
@@ -972,10 +980,8 @@ int __ext4_xattr_set_credits(struct super_block *sb, struct inode *inode,
static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
int ref_change)
{
- struct mb_cache *ea_inode_cache = EA_INODE_CACHE(ea_inode);
struct ext4_iloc iloc;
s64 ref_count;
- u32 hash;
int ret;
inode_lock(ea_inode);
@@ -998,14 +1004,6 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
set_nlink(ea_inode, 1);
ext4_orphan_del(handle, ea_inode);
-
- if (ea_inode_cache) {
- hash = ext4_xattr_inode_get_hash(ea_inode);
- mb_cache_entry_create(ea_inode_cache,
- GFP_NOFS, hash,
- ea_inode->i_ino,
- true /* reusable */);
- }
}
} else {
WARN_ONCE(ref_count < 0, "EA inode %lu ref_count=%lld",
@@ -1018,12 +1016,6 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
clear_nlink(ea_inode);
ext4_orphan_add(handle, ea_inode);
-
- if (ea_inode_cache) {
- hash = ext4_xattr_inode_get_hash(ea_inode);
- mb_cache_entry_delete(ea_inode_cache, hash,
- ea_inode->i_ino);
- }
}
}
diff --git a/fs/ext4/xattr.h b/fs/ext4/xattr.h
index 87e5863bb493..b357872ab83b 100644
--- a/fs/ext4/xattr.h
+++ b/fs/ext4/xattr.h
@@ -191,6 +191,7 @@ extern void ext4_xattr_inode_array_free(struct ext4_xattr_inode_array *array);
extern int ext4_expand_extra_isize_ea(struct inode *inode, int new_extra_isize,
struct ext4_inode *raw_inode, handle_t *handle);
+extern void ext4_evict_ea_inode(struct inode *inode);
extern const struct xattr_handler *ext4_xattr_handlers[];
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 720/783] ext4: unindent codeblock in ext4_xattr_block_set()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (718 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 719/783] ext4: remove EA inode entry from mbcache on inode eviction Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 721/783] ext4: fix race when reusing xattr blocks Greg Kroah-Hartman
` (72 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Theodore Tso, Sasha Levin
From: Jan Kara <jack@suse.cz>
[ Upstream commit fd48e9acdf26d0cbd80051de07d4a735d05d29b2 ]
Remove unnecessary else (and thus indentation level) from a code block
in ext4_xattr_block_set(). It will also make following code changes
easier. No functional changes.
CC: stable@vger.kernel.org
Fixes: 82939d7999df ("ext4: convert to mbcache2")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220712105436.32204-4-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a44e84a9b776 ("ext4: fix deadlock due to mbcache entry corruption")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/xattr.c | 77 ++++++++++++++++++++++++-------------------------
1 file changed, 38 insertions(+), 39 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 0555f32f0fd4..9d5ccc90eb63 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1846,6 +1846,8 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode,
#define header(x) ((struct ext4_xattr_header *)(x))
if (s->base) {
+ int offset = (char *)s->here - bs->bh->b_data;
+
BUFFER_TRACE(bs->bh, "get_write_access");
error = ext4_journal_get_write_access(handle, bs->bh);
if (error)
@@ -1877,49 +1879,46 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode,
if (error)
goto cleanup;
goto inserted;
- } else {
- int offset = (char *)s->here - bs->bh->b_data;
+ }
+ unlock_buffer(bs->bh);
+ ea_bdebug(bs->bh, "cloning");
+ s->base = kmemdup(BHDR(bs->bh), bs->bh->b_size, GFP_NOFS);
+ error = -ENOMEM;
+ if (s->base == NULL)
+ goto cleanup;
+ s->first = ENTRY(header(s->base)+1);
+ header(s->base)->h_refcount = cpu_to_le32(1);
+ s->here = ENTRY(s->base + offset);
+ s->end = s->base + bs->bh->b_size;
- unlock_buffer(bs->bh);
- ea_bdebug(bs->bh, "cloning");
- s->base = kmemdup(BHDR(bs->bh), bs->bh->b_size, GFP_NOFS);
- error = -ENOMEM;
- if (s->base == NULL)
+ /*
+ * If existing entry points to an xattr inode, we need
+ * to prevent ext4_xattr_set_entry() from decrementing
+ * ref count on it because the reference belongs to the
+ * original block. In this case, make the entry look
+ * like it has an empty value.
+ */
+ if (!s->not_found && s->here->e_value_inum) {
+ ea_ino = le32_to_cpu(s->here->e_value_inum);
+ error = ext4_xattr_inode_iget(inode, ea_ino,
+ le32_to_cpu(s->here->e_hash),
+ &tmp_inode);
+ if (error)
goto cleanup;
- s->first = ENTRY(header(s->base)+1);
- header(s->base)->h_refcount = cpu_to_le32(1);
- s->here = ENTRY(s->base + offset);
- s->end = s->base + bs->bh->b_size;
- /*
- * If existing entry points to an xattr inode, we need
- * to prevent ext4_xattr_set_entry() from decrementing
- * ref count on it because the reference belongs to the
- * original block. In this case, make the entry look
- * like it has an empty value.
- */
- if (!s->not_found && s->here->e_value_inum) {
- ea_ino = le32_to_cpu(s->here->e_value_inum);
- error = ext4_xattr_inode_iget(inode, ea_ino,
- le32_to_cpu(s->here->e_hash),
- &tmp_inode);
- if (error)
- goto cleanup;
-
- if (!ext4_test_inode_state(tmp_inode,
- EXT4_STATE_LUSTRE_EA_INODE)) {
- /*
- * Defer quota free call for previous
- * inode until success is guaranteed.
- */
- old_ea_inode_quota = le32_to_cpu(
- s->here->e_value_size);
- }
- iput(tmp_inode);
-
- s->here->e_value_inum = 0;
- s->here->e_value_size = 0;
+ if (!ext4_test_inode_state(tmp_inode,
+ EXT4_STATE_LUSTRE_EA_INODE)) {
+ /*
+ * Defer quota free call for previous
+ * inode until success is guaranteed.
+ */
+ old_ea_inode_quota = le32_to_cpu(
+ s->here->e_value_size);
}
+ iput(tmp_inode);
+
+ s->here->e_value_inum = 0;
+ s->here->e_value_size = 0;
}
} else {
/* Allocate a buffer where we construct the new block. */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 721/783] ext4: fix race when reusing xattr blocks
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (719 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 720/783] ext4: unindent codeblock in ext4_xattr_block_set() Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 722/783] mbcache: automatically delete entries from cache on freeing Greg Kroah-Hartman
` (71 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Theodore Tso, Sasha Levin,
Ritesh Harjani
From: Jan Kara <jack@suse.cz>
[ Upstream commit 65f8b80053a1b2fd602daa6814e62d6fa90e5e9b ]
When ext4_xattr_block_set() decides to remove xattr block the following
race can happen:
CPU1 CPU2
ext4_xattr_block_set() ext4_xattr_release_block()
new_bh = ext4_xattr_block_cache_find()
lock_buffer(bh);
ref = le32_to_cpu(BHDR(bh)->h_refcount);
if (ref == 1) {
...
mb_cache_entry_delete();
unlock_buffer(bh);
ext4_free_blocks();
...
ext4_forget(..., bh, ...);
jbd2_journal_revoke(..., bh);
ext4_journal_get_write_access(..., new_bh, ...)
do_get_write_access()
jbd2_journal_cancel_revoke(..., new_bh);
Later the code in ext4_xattr_block_set() finds out the block got freed
and cancels reusal of the block but the revoke stays canceled and so in
case of block reuse and journal replay the filesystem can get corrupted.
If the race works out slightly differently, we can also hit assertions
in the jbd2 code.
Fix the problem by making sure that once matching mbcache entry is
found, code dropping the last xattr block reference (or trying to modify
xattr block in place) waits until the mbcache entry reference is
dropped. This way code trying to reuse xattr block is protected from
someone trying to drop the last reference to xattr block.
Reported-and-tested-by: Ritesh Harjani <ritesh.list@gmail.com>
CC: stable@vger.kernel.org
Fixes: 82939d7999df ("ext4: convert to mbcache2")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220712105436.32204-5-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a44e84a9b776 ("ext4: fix deadlock due to mbcache entry corruption")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/xattr.c | 67 +++++++++++++++++++++++++++++++++----------------
1 file changed, 45 insertions(+), 22 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 9d5ccc90eb63..35251afdf770 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -439,9 +439,16 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino,
/* Remove entry from mbcache when EA inode is getting evicted */
void ext4_evict_ea_inode(struct inode *inode)
{
- if (EA_INODE_CACHE(inode))
- mb_cache_entry_delete(EA_INODE_CACHE(inode),
- ext4_xattr_inode_get_hash(inode), inode->i_ino);
+ struct mb_cache_entry *oe;
+
+ if (!EA_INODE_CACHE(inode))
+ return;
+ /* Wait for entry to get unused so that we can remove it */
+ while ((oe = mb_cache_entry_delete_or_get(EA_INODE_CACHE(inode),
+ ext4_xattr_inode_get_hash(inode), inode->i_ino))) {
+ mb_cache_entry_wait_unused(oe);
+ mb_cache_entry_put(EA_INODE_CACHE(inode), oe);
+ }
}
static int
@@ -1223,6 +1230,7 @@ ext4_xattr_release_block(handle_t *handle, struct inode *inode,
if (error)
goto out;
+retry_ref:
lock_buffer(bh);
hash = le32_to_cpu(BHDR(bh)->h_hash);
ref = le32_to_cpu(BHDR(bh)->h_refcount);
@@ -1232,9 +1240,18 @@ ext4_xattr_release_block(handle_t *handle, struct inode *inode,
* This must happen under buffer lock for
* ext4_xattr_block_set() to reliably detect freed block
*/
- if (ea_block_cache)
- mb_cache_entry_delete(ea_block_cache, hash,
- bh->b_blocknr);
+ if (ea_block_cache) {
+ struct mb_cache_entry *oe;
+
+ oe = mb_cache_entry_delete_or_get(ea_block_cache, hash,
+ bh->b_blocknr);
+ if (oe) {
+ unlock_buffer(bh);
+ mb_cache_entry_wait_unused(oe);
+ mb_cache_entry_put(ea_block_cache, oe);
+ goto retry_ref;
+ }
+ }
get_bh(bh);
unlock_buffer(bh);
@@ -1862,9 +1879,20 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode,
* ext4_xattr_block_set() to reliably detect modified
* block
*/
- if (ea_block_cache)
- mb_cache_entry_delete(ea_block_cache, hash,
- bs->bh->b_blocknr);
+ if (ea_block_cache) {
+ struct mb_cache_entry *oe;
+
+ oe = mb_cache_entry_delete_or_get(ea_block_cache,
+ hash, bs->bh->b_blocknr);
+ if (oe) {
+ /*
+ * Xattr block is getting reused. Leave
+ * it alone.
+ */
+ mb_cache_entry_put(ea_block_cache, oe);
+ goto clone_block;
+ }
+ }
ea_bdebug(bs->bh, "modifying in-place");
error = ext4_xattr_set_entry(i, s, handle, inode,
true /* is_block */);
@@ -1880,6 +1908,7 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode,
goto cleanup;
goto inserted;
}
+clone_block:
unlock_buffer(bs->bh);
ea_bdebug(bs->bh, "cloning");
s->base = kmemdup(BHDR(bs->bh), bs->bh->b_size, GFP_NOFS);
@@ -1985,18 +2014,13 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode,
lock_buffer(new_bh);
/*
* We have to be careful about races with
- * freeing, rehashing or adding references to
- * xattr block. Once we hold buffer lock xattr
- * block's state is stable so we can check
- * whether the block got freed / rehashed or
- * not. Since we unhash mbcache entry under
- * buffer lock when freeing / rehashing xattr
- * block, checking whether entry is still
- * hashed is reliable. Same rules hold for
- * e_reusable handling.
+ * adding references to xattr block. Once we
+ * hold buffer lock xattr block's state is
+ * stable so we can check the additional
+ * reference fits.
*/
- if (hlist_bl_unhashed(&ce->e_hash_list) ||
- !ce->e_reusable) {
+ ref = le32_to_cpu(BHDR(new_bh)->h_refcount) + 1;
+ if (ref > EXT4_XATTR_REFCOUNT_MAX) {
/*
* Undo everything and check mbcache
* again.
@@ -2011,9 +2035,8 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode,
new_bh = NULL;
goto inserted;
}
- ref = le32_to_cpu(BHDR(new_bh)->h_refcount) + 1;
BHDR(new_bh)->h_refcount = cpu_to_le32(ref);
- if (ref >= EXT4_XATTR_REFCOUNT_MAX)
+ if (ref == EXT4_XATTR_REFCOUNT_MAX)
ce->e_reusable = 0;
ea_bdebug(new_bh, "reusing; refcount now=%d",
ref);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 722/783] mbcache: automatically delete entries from cache on freeing
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (720 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 721/783] ext4: fix race when reusing xattr blocks Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 723/783] ext4: fix deadlock due to mbcache entry corruption Greg Kroah-Hartman
` (70 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Theodore Tso, Sasha Levin
From: Jan Kara <jack@suse.cz>
[ Upstream commit 307af6c879377c1c63e71cbdd978201f9c7ee8df ]
Use the fact that entries with elevated refcount are not removed from
the hash and just move removal of the entry from the hash to the entry
freeing time. When doing this we also change the generic code to hold
one reference to the cache entry, not two of them, which makes code
somewhat more obvious.
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220712105436.32204-10-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a44e84a9b776 ("ext4: fix deadlock due to mbcache entry corruption")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/mbcache.c | 108 +++++++++++++++-------------------------
include/linux/mbcache.h | 24 ++++++---
2 files changed, 55 insertions(+), 77 deletions(-)
diff --git a/fs/mbcache.c b/fs/mbcache.c
index 2010bc80a3f2..950f1829a7fd 100644
--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -90,7 +90,7 @@ int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key,
return -ENOMEM;
INIT_LIST_HEAD(&entry->e_list);
- /* One ref for hash, one ref returned */
+ /* Initial hash reference */
atomic_set(&entry->e_refcnt, 1);
entry->e_key = key;
entry->e_value = value;
@@ -106,21 +106,28 @@ int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key,
}
}
hlist_bl_add_head(&entry->e_hash_list, head);
- hlist_bl_unlock(head);
-
+ /*
+ * Add entry to LRU list before it can be found by
+ * mb_cache_entry_delete() to avoid races
+ */
spin_lock(&cache->c_list_lock);
list_add_tail(&entry->e_list, &cache->c_list);
- /* Grab ref for LRU list */
- atomic_inc(&entry->e_refcnt);
cache->c_entry_count++;
spin_unlock(&cache->c_list_lock);
+ hlist_bl_unlock(head);
return 0;
}
EXPORT_SYMBOL(mb_cache_entry_create);
-void __mb_cache_entry_free(struct mb_cache_entry *entry)
+void __mb_cache_entry_free(struct mb_cache *cache, struct mb_cache_entry *entry)
{
+ struct hlist_bl_head *head;
+
+ head = mb_cache_entry_head(cache, entry->e_key);
+ hlist_bl_lock(head);
+ hlist_bl_del(&entry->e_hash_list);
+ hlist_bl_unlock(head);
kmem_cache_free(mb_entry_cache, entry);
}
EXPORT_SYMBOL(__mb_cache_entry_free);
@@ -134,7 +141,7 @@ EXPORT_SYMBOL(__mb_cache_entry_free);
*/
void mb_cache_entry_wait_unused(struct mb_cache_entry *entry)
{
- wait_var_event(&entry->e_refcnt, atomic_read(&entry->e_refcnt) <= 3);
+ wait_var_event(&entry->e_refcnt, atomic_read(&entry->e_refcnt) <= 2);
}
EXPORT_SYMBOL(mb_cache_entry_wait_unused);
@@ -155,10 +162,9 @@ static struct mb_cache_entry *__entry_find(struct mb_cache *cache,
while (node) {
entry = hlist_bl_entry(node, struct mb_cache_entry,
e_hash_list);
- if (entry->e_key == key && entry->e_reusable) {
- atomic_inc(&entry->e_refcnt);
+ if (entry->e_key == key && entry->e_reusable &&
+ atomic_inc_not_zero(&entry->e_refcnt))
goto out;
- }
node = node->next;
}
entry = NULL;
@@ -218,10 +224,9 @@ struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key,
head = mb_cache_entry_head(cache, key);
hlist_bl_lock(head);
hlist_bl_for_each_entry(entry, node, head, e_hash_list) {
- if (entry->e_key == key && entry->e_value == value) {
- atomic_inc(&entry->e_refcnt);
+ if (entry->e_key == key && entry->e_value == value &&
+ atomic_inc_not_zero(&entry->e_refcnt))
goto out;
- }
}
entry = NULL;
out:
@@ -281,37 +286,25 @@ EXPORT_SYMBOL(mb_cache_entry_delete);
struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache,
u32 key, u64 value)
{
- struct hlist_bl_node *node;
- struct hlist_bl_head *head;
struct mb_cache_entry *entry;
- head = mb_cache_entry_head(cache, key);
- hlist_bl_lock(head);
- hlist_bl_for_each_entry(entry, node, head, e_hash_list) {
- if (entry->e_key == key && entry->e_value == value) {
- if (atomic_read(&entry->e_refcnt) > 2) {
- atomic_inc(&entry->e_refcnt);
- hlist_bl_unlock(head);
- return entry;
- }
- /* We keep hash list reference to keep entry alive */
- hlist_bl_del_init(&entry->e_hash_list);
- hlist_bl_unlock(head);
- spin_lock(&cache->c_list_lock);
- if (!list_empty(&entry->e_list)) {
- list_del_init(&entry->e_list);
- if (!WARN_ONCE(cache->c_entry_count == 0,
- "mbcache: attempt to decrement c_entry_count past zero"))
- cache->c_entry_count--;
- atomic_dec(&entry->e_refcnt);
- }
- spin_unlock(&cache->c_list_lock);
- mb_cache_entry_put(cache, entry);
- return NULL;
- }
- }
- hlist_bl_unlock(head);
+ entry = mb_cache_entry_get(cache, key, value);
+ if (!entry)
+ return NULL;
+ /*
+ * Drop the ref we got from mb_cache_entry_get() and the initial hash
+ * ref if we are the last user
+ */
+ if (atomic_cmpxchg(&entry->e_refcnt, 2, 0) != 2)
+ return entry;
+
+ spin_lock(&cache->c_list_lock);
+ if (!list_empty(&entry->e_list))
+ list_del_init(&entry->e_list);
+ cache->c_entry_count--;
+ spin_unlock(&cache->c_list_lock);
+ __mb_cache_entry_free(cache, entry);
return NULL;
}
EXPORT_SYMBOL(mb_cache_entry_delete_or_get);
@@ -343,42 +336,24 @@ static unsigned long mb_cache_shrink(struct mb_cache *cache,
unsigned long nr_to_scan)
{
struct mb_cache_entry *entry;
- struct hlist_bl_head *head;
unsigned long shrunk = 0;
spin_lock(&cache->c_list_lock);
while (nr_to_scan-- && !list_empty(&cache->c_list)) {
entry = list_first_entry(&cache->c_list,
struct mb_cache_entry, e_list);
- if (entry->e_referenced || atomic_read(&entry->e_refcnt) > 2) {
+ /* Drop initial hash reference if there is no user */
+ if (entry->e_referenced ||
+ atomic_cmpxchg(&entry->e_refcnt, 1, 0) != 1) {
entry->e_referenced = 0;
list_move_tail(&entry->e_list, &cache->c_list);
continue;
}
list_del_init(&entry->e_list);
cache->c_entry_count--;
- /*
- * We keep LRU list reference so that entry doesn't go away
- * from under us.
- */
spin_unlock(&cache->c_list_lock);
- head = mb_cache_entry_head(cache, entry->e_key);
- hlist_bl_lock(head);
- /* Now a reliable check if the entry didn't get used... */
- if (atomic_read(&entry->e_refcnt) > 2) {
- hlist_bl_unlock(head);
- spin_lock(&cache->c_list_lock);
- list_add_tail(&entry->e_list, &cache->c_list);
- cache->c_entry_count++;
- continue;
- }
- if (!hlist_bl_unhashed(&entry->e_hash_list)) {
- hlist_bl_del_init(&entry->e_hash_list);
- atomic_dec(&entry->e_refcnt);
- }
- hlist_bl_unlock(head);
- if (mb_cache_entry_put(cache, entry))
- shrunk++;
+ __mb_cache_entry_free(cache, entry);
+ shrunk++;
cond_resched();
spin_lock(&cache->c_list_lock);
}
@@ -470,11 +445,6 @@ void mb_cache_destroy(struct mb_cache *cache)
* point.
*/
list_for_each_entry_safe(entry, next, &cache->c_list, e_list) {
- if (!hlist_bl_unhashed(&entry->e_hash_list)) {
- hlist_bl_del_init(&entry->e_hash_list);
- atomic_dec(&entry->e_refcnt);
- } else
- WARN_ON(1);
list_del(&entry->e_list);
WARN_ON(atomic_read(&entry->e_refcnt) != 1);
mb_cache_entry_put(cache, entry);
diff --git a/include/linux/mbcache.h b/include/linux/mbcache.h
index 8eca7f25c432..e9d5ece87794 100644
--- a/include/linux/mbcache.h
+++ b/include/linux/mbcache.h
@@ -13,8 +13,16 @@ struct mb_cache;
struct mb_cache_entry {
/* List of entries in cache - protected by cache->c_list_lock */
struct list_head e_list;
- /* Hash table list - protected by hash chain bitlock */
+ /*
+ * Hash table list - protected by hash chain bitlock. The entry is
+ * guaranteed to be hashed while e_refcnt > 0.
+ */
struct hlist_bl_node e_hash_list;
+ /*
+ * Entry refcount. Once it reaches zero, entry is unhashed and freed.
+ * While refcount > 0, the entry is guaranteed to stay in the hash and
+ * e.g. mb_cache_entry_try_delete() will fail.
+ */
atomic_t e_refcnt;
/* Key in hash - stable during lifetime of the entry */
u32 e_key;
@@ -29,20 +37,20 @@ void mb_cache_destroy(struct mb_cache *cache);
int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key,
u64 value, bool reusable);
-void __mb_cache_entry_free(struct mb_cache_entry *entry);
+void __mb_cache_entry_free(struct mb_cache *cache,
+ struct mb_cache_entry *entry);
void mb_cache_entry_wait_unused(struct mb_cache_entry *entry);
-static inline int mb_cache_entry_put(struct mb_cache *cache,
- struct mb_cache_entry *entry)
+static inline void mb_cache_entry_put(struct mb_cache *cache,
+ struct mb_cache_entry *entry)
{
unsigned int cnt = atomic_dec_return(&entry->e_refcnt);
if (cnt > 0) {
- if (cnt <= 3)
+ if (cnt <= 2)
wake_up_var(&entry->e_refcnt);
- return 0;
+ return;
}
- __mb_cache_entry_free(entry);
- return 1;
+ __mb_cache_entry_free(cache, entry);
}
struct mb_cache_entry *mb_cache_entry_delete_or_get(struct mb_cache *cache,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 723/783] ext4: fix deadlock due to mbcache entry corruption
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (721 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 722/783] mbcache: automatically delete entries from cache on freeing Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 724/783] SUNRPC: ensure the matching upcall is in-flight upon downcall Greg Kroah-Hartman
` (69 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thilo Fromm, Jan Kara,
Andreas Dilger, Theodore Tso, Sasha Levin, Jeremi Piotrowski
From: Jan Kara <jack@suse.cz>
[ Upstream commit a44e84a9b7764c72896f7241a0ec9ac7e7ef38dd ]
When manipulating xattr blocks, we can deadlock infinitely looping
inside ext4_xattr_block_set() where we constantly keep finding xattr
block for reuse in mbcache but we are unable to reuse it because its
reference count is too big. This happens because cache entry for the
xattr block is marked as reusable (e_reusable set) although its
reference count is too big. When this inconsistency happens, this
inconsistent state is kept indefinitely and so ext4_xattr_block_set()
keeps retrying indefinitely.
The inconsistent state is caused by non-atomic update of e_reusable bit.
e_reusable is part of a bitfield and e_reusable update can race with
update of e_referenced bit in the same bitfield resulting in loss of one
of the updates. Fix the problem by using atomic bitops instead.
This bug has been around for many years, but it became *much* easier
to hit after commit 65f8b80053a1 ("ext4: fix race when reusing xattr
blocks").
Cc: stable@vger.kernel.org
Fixes: 6048c64b2609 ("mbcache: add reusable flag to cache entries")
Fixes: 65f8b80053a1 ("ext4: fix race when reusing xattr blocks")
Reported-and-tested-by: Jeremi Piotrowski <jpiotrowski@linux.microsoft.com>
Reported-by: Thilo Fromm <t-lo@linux.microsoft.com>
Link: https://lore.kernel.org/r/c77bf00f-4618-7149-56f1-b8d1664b9d07@linux.microsoft.com/
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://lore.kernel.org/r/20221123193950.16758-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/xattr.c | 4 ++--
fs/mbcache.c | 14 ++++++++------
include/linux/mbcache.h | 9 +++++++--
3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
index 35251afdf770..6bf1c62eff04 100644
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -1275,7 +1275,7 @@ ext4_xattr_release_block(handle_t *handle, struct inode *inode,
ce = mb_cache_entry_get(ea_block_cache, hash,
bh->b_blocknr);
if (ce) {
- ce->e_reusable = 1;
+ set_bit(MBE_REUSABLE_B, &ce->e_flags);
mb_cache_entry_put(ea_block_cache, ce);
}
}
@@ -2037,7 +2037,7 @@ ext4_xattr_block_set(handle_t *handle, struct inode *inode,
}
BHDR(new_bh)->h_refcount = cpu_to_le32(ref);
if (ref == EXT4_XATTR_REFCOUNT_MAX)
- ce->e_reusable = 0;
+ clear_bit(MBE_REUSABLE_B, &ce->e_flags);
ea_bdebug(new_bh, "reusing; refcount now=%d",
ref);
ext4_xattr_block_csum_set(inode, new_bh);
diff --git a/fs/mbcache.c b/fs/mbcache.c
index 950f1829a7fd..7a12ae87c806 100644
--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -94,8 +94,9 @@ int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key,
atomic_set(&entry->e_refcnt, 1);
entry->e_key = key;
entry->e_value = value;
- entry->e_reusable = reusable;
- entry->e_referenced = 0;
+ entry->e_flags = 0;
+ if (reusable)
+ set_bit(MBE_REUSABLE_B, &entry->e_flags);
head = mb_cache_entry_head(cache, key);
hlist_bl_lock(head);
hlist_bl_for_each_entry(dup, dup_node, head, e_hash_list) {
@@ -162,7 +163,8 @@ static struct mb_cache_entry *__entry_find(struct mb_cache *cache,
while (node) {
entry = hlist_bl_entry(node, struct mb_cache_entry,
e_hash_list);
- if (entry->e_key == key && entry->e_reusable &&
+ if (entry->e_key == key &&
+ test_bit(MBE_REUSABLE_B, &entry->e_flags) &&
atomic_inc_not_zero(&entry->e_refcnt))
goto out;
node = node->next;
@@ -318,7 +320,7 @@ EXPORT_SYMBOL(mb_cache_entry_delete_or_get);
void mb_cache_entry_touch(struct mb_cache *cache,
struct mb_cache_entry *entry)
{
- entry->e_referenced = 1;
+ set_bit(MBE_REFERENCED_B, &entry->e_flags);
}
EXPORT_SYMBOL(mb_cache_entry_touch);
@@ -343,9 +345,9 @@ static unsigned long mb_cache_shrink(struct mb_cache *cache,
entry = list_first_entry(&cache->c_list,
struct mb_cache_entry, e_list);
/* Drop initial hash reference if there is no user */
- if (entry->e_referenced ||
+ if (test_bit(MBE_REFERENCED_B, &entry->e_flags) ||
atomic_cmpxchg(&entry->e_refcnt, 1, 0) != 1) {
- entry->e_referenced = 0;
+ clear_bit(MBE_REFERENCED_B, &entry->e_flags);
list_move_tail(&entry->e_list, &cache->c_list);
continue;
}
diff --git a/include/linux/mbcache.h b/include/linux/mbcache.h
index e9d5ece87794..591bc4cefe1d 100644
--- a/include/linux/mbcache.h
+++ b/include/linux/mbcache.h
@@ -10,6 +10,12 @@
struct mb_cache;
+/* Cache entry flags */
+enum {
+ MBE_REFERENCED_B = 0,
+ MBE_REUSABLE_B
+};
+
struct mb_cache_entry {
/* List of entries in cache - protected by cache->c_list_lock */
struct list_head e_list;
@@ -26,8 +32,7 @@ struct mb_cache_entry {
atomic_t e_refcnt;
/* Key in hash - stable during lifetime of the entry */
u32 e_key;
- u32 e_referenced:1;
- u32 e_reusable:1;
+ unsigned long e_flags;
/* User provided value - stable during lifetime of the entry */
u64 e_value;
};
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 724/783] SUNRPC: ensure the matching upcall is in-flight upon downcall
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (722 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 723/783] ext4: fix deadlock due to mbcache entry corruption Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 725/783] bpf: pull before calling skb_postpull_rcsum() Greg Kroah-Hartman
` (68 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, minoura makoto, Hiroshi Shimamoto,
Trond Myklebust, Trond Myklebust, Sasha Levin
From: minoura makoto <minoura@valinux.co.jp>
[ Upstream commit b18cba09e374637a0a3759d856a6bca94c133952 ]
Commit 9130b8dbc6ac ("SUNRPC: allow for upcalls for the same uid
but different gss service") introduced `auth` argument to
__gss_find_upcall(), but in gss_pipe_downcall() it was left as NULL
since it (and auth->service) was not (yet) determined.
When multiple upcalls with the same uid and different service are
ongoing, it could happen that __gss_find_upcall(), which returns the
first match found in the pipe->in_downcall list, could not find the
correct gss_msg corresponding to the downcall we are looking for.
Moreover, it might return a msg which is not sent to rpc.gssd yet.
We could see mount.nfs process hung in D state with multiple mount.nfs
are executed in parallel. The call trace below is of CentOS 7.9
kernel-3.10.0-1160.24.1.el7.x86_64 but we observed the same hang w/
elrepo kernel-ml-6.0.7-1.el7.
PID: 71258 TASK: ffff91ebd4be0000 CPU: 36 COMMAND: "mount.nfs"
#0 [ffff9203ca3234f8] __schedule at ffffffffa3b8899f
#1 [ffff9203ca323580] schedule at ffffffffa3b88eb9
#2 [ffff9203ca323590] gss_cred_init at ffffffffc0355818 [auth_rpcgss]
#3 [ffff9203ca323658] rpcauth_lookup_credcache at ffffffffc0421ebc
[sunrpc]
#4 [ffff9203ca3236d8] gss_lookup_cred at ffffffffc0353633 [auth_rpcgss]
#5 [ffff9203ca3236e8] rpcauth_lookupcred at ffffffffc0421581 [sunrpc]
#6 [ffff9203ca323740] rpcauth_refreshcred at ffffffffc04223d3 [sunrpc]
#7 [ffff9203ca3237a0] call_refresh at ffffffffc04103dc [sunrpc]
#8 [ffff9203ca3237b8] __rpc_execute at ffffffffc041e1c9 [sunrpc]
#9 [ffff9203ca323820] rpc_execute at ffffffffc0420a48 [sunrpc]
The scenario is like this. Let's say there are two upcalls for
services A and B, A -> B in pipe->in_downcall, B -> A in pipe->pipe.
When rpc.gssd reads pipe to get the upcall msg corresponding to
service B from pipe->pipe and then writes the response, in
gss_pipe_downcall the msg corresponding to service A will be picked
because only uid is used to find the msg and it is before the one for
B in pipe->in_downcall. And the process waiting for the msg
corresponding to service A will be woken up.
Actual scheduing of that process might be after rpc.gssd processes the
next msg. In rpc_pipe_generic_upcall it clears msg->errno (for A).
The process is scheduled to see gss_msg->ctx == NULL and
gss_msg->msg.errno == 0, therefore it cannot break the loop in
gss_create_upcall and is never woken up after that.
This patch adds a simple check to ensure that a msg which is not
sent to rpc.gssd yet is not chosen as the matching upcall upon
receiving a downcall.
Signed-off-by: minoura makoto <minoura@valinux.co.jp>
Signed-off-by: Hiroshi Shimamoto <h-shimamoto@nec.com>
Tested-by: Hiroshi Shimamoto <h-shimamoto@nec.com>
Cc: Trond Myklebust <trondmy@hammerspace.com>
Fixes: 9130b8dbc6ac ("SUNRPC: allow for upcalls for same uid but different gss service")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/sunrpc/rpc_pipe_fs.h | 5 +++++
net/sunrpc/auth_gss/auth_gss.c | 19 +++++++++++++++++--
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/include/linux/sunrpc/rpc_pipe_fs.h b/include/linux/sunrpc/rpc_pipe_fs.h
index cd188a527d16..3b35b6f6533a 100644
--- a/include/linux/sunrpc/rpc_pipe_fs.h
+++ b/include/linux/sunrpc/rpc_pipe_fs.h
@@ -92,6 +92,11 @@ extern ssize_t rpc_pipe_generic_upcall(struct file *, struct rpc_pipe_msg *,
char __user *, size_t);
extern int rpc_queue_upcall(struct rpc_pipe *, struct rpc_pipe_msg *);
+/* returns true if the msg is in-flight, i.e., already eaten by the peer */
+static inline bool rpc_msg_is_inflight(const struct rpc_pipe_msg *msg) {
+ return (msg->copied != 0 && list_empty(&msg->list));
+}
+
struct rpc_clnt;
extern struct dentry *rpc_create_client_dir(struct dentry *, const char *, struct rpc_clnt *);
extern int rpc_remove_client_dir(struct rpc_clnt *);
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 5f42aa5fc612..2ff66a6a7e54 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -301,7 +301,7 @@ __gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth
list_for_each_entry(pos, &pipe->in_downcall, list) {
if (!uid_eq(pos->uid, uid))
continue;
- if (auth && pos->auth->service != auth->service)
+ if (pos->auth->service != auth->service)
continue;
refcount_inc(&pos->count);
return pos;
@@ -685,6 +685,21 @@ gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred)
return err;
}
+static struct gss_upcall_msg *
+gss_find_downcall(struct rpc_pipe *pipe, kuid_t uid)
+{
+ struct gss_upcall_msg *pos;
+ list_for_each_entry(pos, &pipe->in_downcall, list) {
+ if (!uid_eq(pos->uid, uid))
+ continue;
+ if (!rpc_msg_is_inflight(&pos->msg))
+ continue;
+ refcount_inc(&pos->count);
+ return pos;
+ }
+ return NULL;
+}
+
#define MSG_BUF_MAXSIZE 1024
static ssize_t
@@ -731,7 +746,7 @@ gss_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
err = -ENOENT;
/* Find a matching upcall */
spin_lock(&pipe->lock);
- gss_msg = __gss_find_upcall(pipe, uid, NULL);
+ gss_msg = gss_find_downcall(pipe, uid);
if (gss_msg == NULL) {
spin_unlock(&pipe->lock);
goto err_put_ctx;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 725/783] bpf: pull before calling skb_postpull_rcsum()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (723 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 724/783] SUNRPC: ensure the matching upcall is in-flight upon downcall Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 726/783] drm/panfrost: Fix GEM handle creation ref-counting Greg Kroah-Hartman
` (67 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anand Parthasarathy, Jakub Kicinski,
Stanislav Fomichev, Martin KaFai Lau, Sasha Levin
From: Jakub Kicinski <kuba@kernel.org>
[ Upstream commit 54c3f1a81421f85e60ae2eaae7be3727a09916ee ]
Anand hit a BUG() when pulling off headers on egress to a SW tunnel.
We get to skb_checksum_help() with an invalid checksum offset
(commit d7ea0d9df2a6 ("net: remove two BUG() from skb_checksum_help()")
converted those BUGs to WARN_ONs()).
He points out oddness in how skb_postpull_rcsum() gets used.
Indeed looks like we should pull before "postpull", otherwise
the CHECKSUM_PARTIAL fixup from skb_postpull_rcsum() will not
be able to do its job:
if (skb->ip_summed == CHECKSUM_PARTIAL &&
skb_checksum_start_offset(skb) < 0)
skb->ip_summed = CHECKSUM_NONE;
Reported-by: Anand Parthasarathy <anpartha@meta.com>
Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Stanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/r/20221220004701.402165-1-kuba@kernel.org
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index e3cdbd4996e0..a5df0cf46bbf 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3201,15 +3201,18 @@ static int bpf_skb_generic_push(struct sk_buff *skb, u32 off, u32 len)
static int bpf_skb_generic_pop(struct sk_buff *skb, u32 off, u32 len)
{
+ void *old_data;
+
/* skb_ensure_writable() is not needed here, as we're
* already working on an uncloned skb.
*/
if (unlikely(!pskb_may_pull(skb, off + len)))
return -ENOMEM;
- skb_postpull_rcsum(skb, skb->data + off, len);
- memmove(skb->data + len, skb->data, off);
+ old_data = skb->data;
__skb_pull(skb, len);
+ skb_postpull_rcsum(skb, old_data + off, len);
+ memmove(skb->data, old_data, off);
return 0;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 726/783] drm/panfrost: Fix GEM handle creation ref-counting
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (724 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 725/783] bpf: pull before calling skb_postpull_rcsum() Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 727/783] vmxnet3: correctly report csum_level for encapsulated packet Greg Kroah-Hartman
` (66 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Clark, Steven Price, Rob Clark,
Sasha Levin
From: Steven Price <steven.price@arm.com>
[ Upstream commit 4217c6ac817451d5116687f3cc6286220dc43d49 ]
panfrost_gem_create_with_handle() previously returned a BO but with the
only reference being from the handle, which user space could in theory
guess and release, causing a use-after-free. Additionally if the call to
panfrost_gem_mapping_get() in panfrost_ioctl_create_bo() failed then
a(nother) reference on the BO was dropped.
The _create_with_handle() is a problematic pattern, so ditch it and
instead create the handle in panfrost_ioctl_create_bo(). If the call to
panfrost_gem_mapping_get() fails then this means that user space has
indeed gone behind our back and freed the handle. In which case just
return an error code.
Reported-by: Rob Clark <robdclark@chromium.org>
Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
Signed-off-by: Steven Price <steven.price@arm.com>
Reviewed-by: Rob Clark <robdclark@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221219140130.410578-1-steven.price@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panfrost/panfrost_drv.c | 27 ++++++++++++++++---------
drivers/gpu/drm/panfrost/panfrost_gem.c | 16 +--------------
drivers/gpu/drm/panfrost/panfrost_gem.h | 5 +----
3 files changed, 20 insertions(+), 28 deletions(-)
diff --git a/drivers/gpu/drm/panfrost/panfrost_drv.c b/drivers/gpu/drm/panfrost/panfrost_drv.c
index 1dfc457bbefc..4af25c0b6570 100644
--- a/drivers/gpu/drm/panfrost/panfrost_drv.c
+++ b/drivers/gpu/drm/panfrost/panfrost_drv.c
@@ -81,6 +81,7 @@ static int panfrost_ioctl_create_bo(struct drm_device *dev, void *data,
struct panfrost_gem_object *bo;
struct drm_panfrost_create_bo *args = data;
struct panfrost_gem_mapping *mapping;
+ int ret;
if (!args->size || args->pad ||
(args->flags & ~(PANFROST_BO_NOEXEC | PANFROST_BO_HEAP)))
@@ -91,21 +92,29 @@ static int panfrost_ioctl_create_bo(struct drm_device *dev, void *data,
!(args->flags & PANFROST_BO_NOEXEC))
return -EINVAL;
- bo = panfrost_gem_create_with_handle(file, dev, args->size, args->flags,
- &args->handle);
+ bo = panfrost_gem_create(dev, args->size, args->flags);
if (IS_ERR(bo))
return PTR_ERR(bo);
+ ret = drm_gem_handle_create(file, &bo->base.base, &args->handle);
+ if (ret)
+ goto out;
+
mapping = panfrost_gem_mapping_get(bo, priv);
- if (!mapping) {
- drm_gem_object_put(&bo->base.base);
- return -EINVAL;
+ if (mapping) {
+ args->offset = mapping->mmnode.start << PAGE_SHIFT;
+ panfrost_gem_mapping_put(mapping);
+ } else {
+ /* This can only happen if the handle from
+ * drm_gem_handle_create() has already been guessed and freed
+ * by user space
+ */
+ ret = -EINVAL;
}
- args->offset = mapping->mmnode.start << PAGE_SHIFT;
- panfrost_gem_mapping_put(mapping);
-
- return 0;
+out:
+ drm_gem_object_put(&bo->base.base);
+ return ret;
}
/**
diff --git a/drivers/gpu/drm/panfrost/panfrost_gem.c b/drivers/gpu/drm/panfrost/panfrost_gem.c
index 1d917cea5ceb..c843fbfdb878 100644
--- a/drivers/gpu/drm/panfrost/panfrost_gem.c
+++ b/drivers/gpu/drm/panfrost/panfrost_gem.c
@@ -232,12 +232,8 @@ struct drm_gem_object *panfrost_gem_create_object(struct drm_device *dev, size_t
}
struct panfrost_gem_object *
-panfrost_gem_create_with_handle(struct drm_file *file_priv,
- struct drm_device *dev, size_t size,
- u32 flags,
- uint32_t *handle)
+panfrost_gem_create(struct drm_device *dev, size_t size, u32 flags)
{
- int ret;
struct drm_gem_shmem_object *shmem;
struct panfrost_gem_object *bo;
@@ -253,16 +249,6 @@ panfrost_gem_create_with_handle(struct drm_file *file_priv,
bo->noexec = !!(flags & PANFROST_BO_NOEXEC);
bo->is_heap = !!(flags & PANFROST_BO_HEAP);
- /*
- * Allocate an id of idr table where the obj is registered
- * and handle has the id what user can see.
- */
- ret = drm_gem_handle_create(file_priv, &shmem->base, handle);
- /* drop reference from allocate - handle holds it now. */
- drm_gem_object_put(&shmem->base);
- if (ret)
- return ERR_PTR(ret);
-
return bo;
}
diff --git a/drivers/gpu/drm/panfrost/panfrost_gem.h b/drivers/gpu/drm/panfrost/panfrost_gem.h
index 8088d5fd8480..ad2877eeeccd 100644
--- a/drivers/gpu/drm/panfrost/panfrost_gem.h
+++ b/drivers/gpu/drm/panfrost/panfrost_gem.h
@@ -69,10 +69,7 @@ panfrost_gem_prime_import_sg_table(struct drm_device *dev,
struct sg_table *sgt);
struct panfrost_gem_object *
-panfrost_gem_create_with_handle(struct drm_file *file_priv,
- struct drm_device *dev, size_t size,
- u32 flags,
- uint32_t *handle);
+panfrost_gem_create(struct drm_device *dev, size_t size, u32 flags);
int panfrost_gem_open(struct drm_gem_object *obj, struct drm_file *file_priv);
void panfrost_gem_close(struct drm_gem_object *obj,
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 727/783] vmxnet3: correctly report csum_level for encapsulated packet
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (725 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 726/783] drm/panfrost: Fix GEM handle creation ref-counting Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 728/783] veth: Fix race with AF_XDP exposing old or uninitialized descriptors Greg Kroah-Hartman
` (65 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ronak Doshi, Peng Li,
Jakub Kicinski, Sasha Levin
From: Ronak Doshi <doshir@vmware.com>
[ Upstream commit 3d8f2c4269d08f8793e946279dbdf5e972cc4911 ]
Commit dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload
support") added support for encapsulation offload. However, the
pathc did not report correctly the csum_level for encapsulated packet.
This patch fixes this issue by reporting correct csum level for the
encapsulated packet.
Fixes: dacce2be3312 ("vmxnet3: add geneve and vxlan tunnel offload support")
Signed-off-by: Ronak Doshi <doshir@vmware.com>
Acked-by: Peng Li <lpeng@vmware.com>
Link: https://lore.kernel.org/r/20221220202556.24421-1-doshir@vmware.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/vmxnet3/vmxnet3_drv.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/vmxnet3/vmxnet3_drv.c b/drivers/net/vmxnet3/vmxnet3_drv.c
index 43a4bcdd92c1..3b889fed9882 100644
--- a/drivers/net/vmxnet3/vmxnet3_drv.c
+++ b/drivers/net/vmxnet3/vmxnet3_drv.c
@@ -1236,6 +1236,10 @@ vmxnet3_rx_csum(struct vmxnet3_adapter *adapter,
(le32_to_cpu(gdesc->dword[3]) &
VMXNET3_RCD_CSUM_OK) == VMXNET3_RCD_CSUM_OK) {
skb->ip_summed = CHECKSUM_UNNECESSARY;
+ if ((le32_to_cpu(gdesc->dword[0]) &
+ (1UL << VMXNET3_RCD_HDR_INNER_SHIFT))) {
+ skb->csum_level = 1;
+ }
WARN_ON_ONCE(!(gdesc->rcd.tcp || gdesc->rcd.udp) &&
!(le32_to_cpu(gdesc->dword[0]) &
(1UL << VMXNET3_RCD_HDR_INNER_SHIFT)));
@@ -1245,6 +1249,10 @@ vmxnet3_rx_csum(struct vmxnet3_adapter *adapter,
} else if (gdesc->rcd.v6 && (le32_to_cpu(gdesc->dword[3]) &
(1 << VMXNET3_RCD_TUC_SHIFT))) {
skb->ip_summed = CHECKSUM_UNNECESSARY;
+ if ((le32_to_cpu(gdesc->dword[0]) &
+ (1UL << VMXNET3_RCD_HDR_INNER_SHIFT))) {
+ skb->csum_level = 1;
+ }
WARN_ON_ONCE(!(gdesc->rcd.tcp || gdesc->rcd.udp) &&
!(le32_to_cpu(gdesc->dword[0]) &
(1UL << VMXNET3_RCD_HDR_INNER_SHIFT)));
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 728/783] veth: Fix race with AF_XDP exposing old or uninitialized descriptors
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (726 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 727/783] vmxnet3: correctly report csum_level for encapsulated packet Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 729/783] nfsd: shut down the NFSv4 state objects before the filecache Greg Kroah-Hartman
` (64 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Magnus Karlsson, Shawn Bohrer,
Paolo Abeni, Sasha Levin
From: Shawn Bohrer <sbohrer@cloudflare.com>
[ Upstream commit fa349e396e4886d742fd6501c599ec627ef1353b ]
When AF_XDP is used on on a veth interface the RX ring is updated in two
steps. veth_xdp_rcv() removes packet descriptors from the FILL ring
fills them and places them in the RX ring updating the cached_prod
pointer. Later xdp_do_flush() syncs the RX ring prod pointer with the
cached_prod pointer allowing user-space to see the recently filled in
descriptors. The rings are intended to be SPSC, however the existing
order in veth_poll allows the xdp_do_flush() to run concurrently with
another CPU creating a race condition that allows user-space to see old
or uninitialized descriptors in the RX ring. This bug has been observed
in production systems.
To summarize, we are expecting this ordering:
CPU 0 __xsk_rcv_zc()
CPU 0 __xsk_map_flush()
CPU 2 __xsk_rcv_zc()
CPU 2 __xsk_map_flush()
But we are seeing this order:
CPU 0 __xsk_rcv_zc()
CPU 2 __xsk_rcv_zc()
CPU 0 __xsk_map_flush()
CPU 2 __xsk_map_flush()
This occurs because we rely on NAPI to ensure that only one napi_poll
handler is running at a time for the given veth receive queue.
napi_schedule_prep() will prevent multiple instances from getting
scheduled. However calling napi_complete_done() signals that this
napi_poll is complete and allows subsequent calls to
napi_schedule_prep() and __napi_schedule() to succeed in scheduling a
concurrent napi_poll before the xdp_do_flush() has been called. For the
veth driver a concurrent call to napi_schedule_prep() and
__napi_schedule() can occur on a different CPU because the veth xmit
path can additionally schedule a napi_poll creating the race.
The fix as suggested by Magnus Karlsson, is to simply move the
xdp_do_flush() call before napi_complete_done(). This syncs the
producer ring pointers before another instance of napi_poll can be
scheduled on another CPU. It will also slightly improve performance by
moving the flush closer to when the descriptors were placed in the
RX ring.
Fixes: d1396004dd86 ("veth: Add XDP TX and REDIRECT")
Suggested-by: Magnus Karlsson <magnus.karlsson@gmail.com>
Signed-off-by: Shawn Bohrer <sbohrer@cloudflare.com>
Link: https://lore.kernel.org/r/20221220185903.1105011-1-sbohrer@cloudflare.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/veth.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 5be8ed910553..5aa23a036ed3 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -849,6 +849,9 @@ static int veth_poll(struct napi_struct *napi, int budget)
xdp_set_return_frame_no_direct();
done = veth_xdp_rcv(rq, budget, &bq, &stats);
+ if (stats.xdp_redirect > 0)
+ xdp_do_flush();
+
if (done < budget && napi_complete_done(napi, done)) {
/* Write rx_notify_masked before reading ptr_ring */
smp_store_mb(rq->rx_notify_masked, false);
@@ -862,8 +865,6 @@ static int veth_poll(struct napi_struct *napi, int budget)
if (stats.xdp_tx > 0)
veth_xdp_flush(rq, &bq);
- if (stats.xdp_redirect > 0)
- xdp_do_flush();
xdp_clear_return_frame_no_direct();
return done;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 729/783] nfsd: shut down the NFSv4 state objects before the filecache
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (727 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 728/783] veth: Fix race with AF_XDP exposing old or uninitialized descriptors Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 730/783] net: hns3: add interrupts re-initialization while doing VF FLR Greg Kroah-Hartman
` (63 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeff Layton, Chuck Lever,
Sasha Levin, Wang Yugui
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit 789e1e10f214c00ca18fc6610824c5b9876ba5f2 ]
Currently, we shut down the filecache before trying to clean up the
stateids that depend on it. This leads to the kernel trying to free an
nfsd_file twice, and a refcount overput on the nf_mark.
Change the shutdown procedure to tear down all of the stateids prior
to shutting down the filecache.
Reported-and-tested-by: Wang Yugui <wangyugui@e16-tech.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Fixes: 5e113224c17e ("nfsd: nfsd_file cache entries should be per net namespace")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfssvc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
index 9323e30a7eaf..c7fffe1453bd 100644
--- a/fs/nfsd/nfssvc.c
+++ b/fs/nfsd/nfssvc.c
@@ -426,8 +426,8 @@ static void nfsd_shutdown_net(struct net *net)
{
struct nfsd_net *nn = net_generic(net, nfsd_net_id);
- nfsd_file_cache_shutdown_net(net);
nfs4_state_shutdown_net(net);
+ nfsd_file_cache_shutdown_net(net);
if (nn->lockd_up) {
lockd_down(net);
nn->lockd_up = false;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 730/783] net: hns3: add interrupts re-initialization while doing VF FLR
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (728 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 729/783] nfsd: shut down the NFSv4 state objects before the filecache Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 731/783] net: sched: fix memory leak in tcindex_set_parms Greg Kroah-Hartman
` (62 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jie Wang, Hao Lan, Jakub Kicinski,
Sasha Levin
From: Jie Wang <wangjie125@huawei.com>
[ Upstream commit 09e6b30eeb254f1818a008cace3547159e908dfd ]
Currently keep alive message between PF and VF may be lost and the VF is
unalive in PF. So the VF will not do reset during PF FLR reset process.
This would make the allocated interrupt resources of VF invalid and VF
would't receive or respond to PF any more.
So this patch adds VF interrupts re-initialization during VF FLR for VF
recovery in above cases.
Fixes: 862d969a3a4d ("net: hns3: do VF's pci re-initialization while PF doing FLR")
Signed-off-by: Jie Wang <wangjie125@huawei.com>
Signed-off-by: Hao Lan <lanhao@huawei.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
index d6580e942724..f7f3e4bbc477 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
@@ -3089,7 +3089,8 @@ static int hclgevf_pci_reset(struct hclgevf_dev *hdev)
struct pci_dev *pdev = hdev->pdev;
int ret = 0;
- if (hdev->reset_type == HNAE3_VF_FULL_RESET &&
+ if ((hdev->reset_type == HNAE3_VF_FULL_RESET ||
+ hdev->reset_type == HNAE3_FLR_RESET) &&
test_bit(HCLGEVF_STATE_IRQ_INITED, &hdev->state)) {
hclgevf_misc_irq_uninit(hdev);
hclgevf_uninit_msi(hdev);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 731/783] net: sched: fix memory leak in tcindex_set_parms
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (729 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 730/783] net: hns3: add interrupts re-initialization while doing VF FLR Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 732/783] qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure Greg Kroah-Hartman
` (61 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+232ebdbd36706c965ebf,
Cong Wang, Jakub Kicinski, Paolo Abeni, Dmitry Vyukov,
Hawkins Jiawei, David S. Miller, Sasha Levin
From: Hawkins Jiawei <yin31149@gmail.com>
[ Upstream commit 399ab7fe0fa0d846881685fd4e57e9a8ef7559f7 ]
Syzkaller reports a memory leak as follows:
====================================
BUG: memory leak
unreferenced object 0xffff88810c287f00 (size 256):
comm "syz-executor105", pid 3600, jiffies 4294943292 (age 12.990s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff814cf9f0>] kmalloc_trace+0x20/0x90 mm/slab_common.c:1046
[<ffffffff839c9e07>] kmalloc include/linux/slab.h:576 [inline]
[<ffffffff839c9e07>] kmalloc_array include/linux/slab.h:627 [inline]
[<ffffffff839c9e07>] kcalloc include/linux/slab.h:659 [inline]
[<ffffffff839c9e07>] tcf_exts_init include/net/pkt_cls.h:250 [inline]
[<ffffffff839c9e07>] tcindex_set_parms+0xa7/0xbe0 net/sched/cls_tcindex.c:342
[<ffffffff839caa1f>] tcindex_change+0xdf/0x120 net/sched/cls_tcindex.c:553
[<ffffffff8394db62>] tc_new_tfilter+0x4f2/0x1100 net/sched/cls_api.c:2147
[<ffffffff8389e91c>] rtnetlink_rcv_msg+0x4dc/0x5d0 net/core/rtnetlink.c:6082
[<ffffffff839eba67>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2540
[<ffffffff839eab87>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
[<ffffffff839eab87>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345
[<ffffffff839eb046>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921
[<ffffffff8383e796>] sock_sendmsg_nosec net/socket.c:714 [inline]
[<ffffffff8383e796>] sock_sendmsg+0x56/0x80 net/socket.c:734
[<ffffffff8383eb08>] ____sys_sendmsg+0x178/0x410 net/socket.c:2482
[<ffffffff83843678>] ___sys_sendmsg+0xa8/0x110 net/socket.c:2536
[<ffffffff838439c5>] __sys_sendmmsg+0x105/0x330 net/socket.c:2622
[<ffffffff83843c14>] __do_sys_sendmmsg net/socket.c:2651 [inline]
[<ffffffff83843c14>] __se_sys_sendmmsg net/socket.c:2648 [inline]
[<ffffffff83843c14>] __x64_sys_sendmmsg+0x24/0x30 net/socket.c:2648
[<ffffffff84605fd5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84605fd5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<ffffffff84800087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
====================================
Kernel uses tcindex_change() to change an existing
filter properties.
Yet the problem is that, during the process of changing,
if `old_r` is retrieved from `p->perfect`, then
kernel uses tcindex_alloc_perfect_hash() to newly
allocate filter results, uses tcindex_filter_result_init()
to clear the old filter result, without destroying
its tcf_exts structure, which triggers the above memory leak.
To be more specific, there are only two source for the `old_r`,
according to the tcindex_lookup(). `old_r` is retrieved from
`p->perfect`, or `old_r` is retrieved from `p->h`.
* If `old_r` is retrieved from `p->perfect`, kernel uses
tcindex_alloc_perfect_hash() to newly allocate the
filter results. Then `r` is assigned with `cp->perfect + handle`,
which is newly allocated. So condition `old_r && old_r != r` is
true in this situation, and kernel uses tcindex_filter_result_init()
to clear the old filter result, without destroying
its tcf_exts structure
* If `old_r` is retrieved from `p->h`, then `p->perfect` is NULL
according to the tcindex_lookup(). Considering that `cp->h`
is directly copied from `p->h` and `p->perfect` is NULL,
`r` is assigned with `tcindex_lookup(cp, handle)`, whose value
should be the same as `old_r`, so condition `old_r && old_r != r`
is false in this situation, kernel ignores using
tcindex_filter_result_init() to clear the old filter result.
So only when `old_r` is retrieved from `p->perfect` does kernel use
tcindex_filter_result_init() to clear the old filter result, which
triggers the above memory leak.
Considering that there already exists a tc_filter_wq workqueue
to destroy the old tcindex_data by tcindex_partial_destroy_work()
at the end of tcindex_set_parms(), this patch solves
this memory leak bug by removing this old filter result
clearing part and delegating it to the tc_filter_wq workqueue.
Note that this patch doesn't introduce any other issues. If
`old_r` is retrieved from `p->perfect`, this patch just
delegates old filter result clearing part to the
tc_filter_wq workqueue; If `old_r` is retrieved from `p->h`,
kernel doesn't reach the old filter result clearing part, so
removing this part has no effect.
[Thanks to the suggestion from Jakub Kicinski, Cong Wang, Paolo Abeni
and Dmitry Vyukov]
Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()")
Link: https://lore.kernel.org/all/0000000000001de5c505ebc9ec59@google.com/
Reported-by: syzbot+232ebdbd36706c965ebf@syzkaller.appspotmail.com
Tested-by: syzbot+232ebdbd36706c965ebf@syzkaller.appspotmail.com
Cc: Cong Wang <cong.wang@bytedance.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/cls_tcindex.c | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index e9a8a2c86bbd..86250221d08d 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -332,7 +332,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
struct tcindex_filter_result *r, struct nlattr **tb,
struct nlattr *est, bool ovr, struct netlink_ext_ack *extack)
{
- struct tcindex_filter_result new_filter_result, *old_r = r;
+ struct tcindex_filter_result new_filter_result;
struct tcindex_data *cp = NULL, *oldp;
struct tcindex_filter *f = NULL; /* make gcc behave */
struct tcf_result cr = {};
@@ -401,7 +401,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
err = tcindex_filter_result_init(&new_filter_result, cp, net);
if (err < 0)
goto errout_alloc;
- if (old_r)
+ if (r)
cr = r->res;
err = -EBUSY;
@@ -478,14 +478,6 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
tcf_bind_filter(tp, &cr, base);
}
- if (old_r && old_r != r) {
- err = tcindex_filter_result_init(old_r, cp, net);
- if (err < 0) {
- kfree(f);
- goto errout_alloc;
- }
- }
-
oldp = p;
r->res = cr;
tcf_exts_change(&r->exts, &e);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 732/783] qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (730 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 731/783] net: sched: fix memory leak in tcindex_set_parms Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 733/783] nfc: Fix potential resource leaks Greg Kroah-Hartman
` (60 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Swiatkowski, Daniil Tatianin,
David S. Miller, Sasha Levin
From: Daniil Tatianin <d-tatianin@yandex-team.ru>
[ Upstream commit 13a7c8964afcd8ca43c0b6001ebb0127baa95362 ]
adapter->dcb would get silently freed inside qlcnic_dcb_enable() in
case qlcnic_dcb_attach() would return an error, which always happens
under OOM conditions. This would lead to use-after-free because both
of the existing callers invoke qlcnic_dcb_get_info() on the obtained
pointer, which is potentially freed at that point.
Propagate errors from qlcnic_dcb_enable(), and instead free the dcb
pointer at callsite using qlcnic_dcb_free(). This also removes the now
unused qlcnic_clear_dcb_ops() helper, which was a simple wrapper around
kfree() also causing memory leaks for partially initialized dcb.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
Fixes: 3c44bba1d270 ("qlcnic: Disable DCB operations from SR-IOV VFs")
Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 8 +++++++-
drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h | 10 ++--------
drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 8 +++++++-
3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
index d2c190732d3e..beeeec8516b8 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
@@ -2505,7 +2505,13 @@ int qlcnic_83xx_init(struct qlcnic_adapter *adapter, int pci_using_dac)
goto disable_mbx_intr;
qlcnic_83xx_clear_function_resources(adapter);
- qlcnic_dcb_enable(adapter->dcb);
+
+ err = qlcnic_dcb_enable(adapter->dcb);
+ if (err) {
+ qlcnic_dcb_free(adapter->dcb);
+ goto disable_mbx_intr;
+ }
+
qlcnic_83xx_initialize_nic(adapter, 1);
qlcnic_dcb_get_info(adapter->dcb);
diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h
index 7519773eaca6..22afa2be85fd 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.h
@@ -41,11 +41,6 @@ struct qlcnic_dcb {
unsigned long state;
};
-static inline void qlcnic_clear_dcb_ops(struct qlcnic_dcb *dcb)
-{
- kfree(dcb);
-}
-
static inline int qlcnic_dcb_get_hw_capability(struct qlcnic_dcb *dcb)
{
if (dcb && dcb->ops->get_hw_capability)
@@ -112,9 +107,8 @@ static inline void qlcnic_dcb_init_dcbnl_ops(struct qlcnic_dcb *dcb)
dcb->ops->init_dcbnl_ops(dcb);
}
-static inline void qlcnic_dcb_enable(struct qlcnic_dcb *dcb)
+static inline int qlcnic_dcb_enable(struct qlcnic_dcb *dcb)
{
- if (dcb && qlcnic_dcb_attach(dcb))
- qlcnic_clear_dcb_ops(dcb);
+ return dcb ? qlcnic_dcb_attach(dcb) : 0;
}
#endif
diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
index 27c07b2412f4..44b745293fd0 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c
@@ -2622,7 +2622,13 @@ qlcnic_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
"Device does not support MSI interrupts\n");
if (qlcnic_82xx_check(adapter)) {
- qlcnic_dcb_enable(adapter->dcb);
+ err = qlcnic_dcb_enable(adapter->dcb);
+ if (err) {
+ qlcnic_dcb_free(adapter->dcb);
+ dev_err(&pdev->dev, "Failed to enable DCB\n");
+ goto err_out_free_hw;
+ }
+
qlcnic_dcb_get_info(adapter->dcb);
err = qlcnic_setup_intr(adapter);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 733/783] nfc: Fix potential resource leaks
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (731 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 732/783] qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 734/783] vhost/vsock: Fix error handling in vhost_vsock_init() Greg Kroah-Hartman
` (59 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, David S. Miller, Sasha Levin
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit df49908f3c52d211aea5e2a14a93bbe67a2cb3af ]
nfc_get_device() take reference for the device, add missing
nfc_put_device() to release it when not need anymore.
Also fix the style warnning by use error EOPNOTSUPP instead of
ENOTSUPP.
Fixes: 5ce3f32b5264 ("NFC: netlink: SE API implementation")
Fixes: 29e76924cf08 ("nfc: netlink: Add capability to reply to vendor_cmd with data")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/nfc/netlink.c | 52 ++++++++++++++++++++++++++++++++++-------------
1 file changed, 38 insertions(+), 14 deletions(-)
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index b8939ebaa6d3..610caea4feec 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -1497,6 +1497,7 @@ static int nfc_genl_se_io(struct sk_buff *skb, struct genl_info *info)
u32 dev_idx, se_idx;
u8 *apdu;
size_t apdu_len;
+ int rc;
if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
!info->attrs[NFC_ATTR_SE_INDEX] ||
@@ -1510,25 +1511,37 @@ static int nfc_genl_se_io(struct sk_buff *skb, struct genl_info *info)
if (!dev)
return -ENODEV;
- if (!dev->ops || !dev->ops->se_io)
- return -ENOTSUPP;
+ if (!dev->ops || !dev->ops->se_io) {
+ rc = -EOPNOTSUPP;
+ goto put_dev;
+ }
apdu_len = nla_len(info->attrs[NFC_ATTR_SE_APDU]);
- if (apdu_len == 0)
- return -EINVAL;
+ if (apdu_len == 0) {
+ rc = -EINVAL;
+ goto put_dev;
+ }
apdu = nla_data(info->attrs[NFC_ATTR_SE_APDU]);
- if (!apdu)
- return -EINVAL;
+ if (!apdu) {
+ rc = -EINVAL;
+ goto put_dev;
+ }
ctx = kzalloc(sizeof(struct se_io_ctx), GFP_KERNEL);
- if (!ctx)
- return -ENOMEM;
+ if (!ctx) {
+ rc = -ENOMEM;
+ goto put_dev;
+ }
ctx->dev_idx = dev_idx;
ctx->se_idx = se_idx;
- return nfc_se_io(dev, se_idx, apdu, apdu_len, se_io_cb, ctx);
+ rc = nfc_se_io(dev, se_idx, apdu, apdu_len, se_io_cb, ctx);
+
+put_dev:
+ nfc_put_device(dev);
+ return rc;
}
static int nfc_genl_vendor_cmd(struct sk_buff *skb,
@@ -1551,14 +1564,21 @@ static int nfc_genl_vendor_cmd(struct sk_buff *skb,
subcmd = nla_get_u32(info->attrs[NFC_ATTR_VENDOR_SUBCMD]);
dev = nfc_get_device(dev_idx);
- if (!dev || !dev->vendor_cmds || !dev->n_vendor_cmds)
+ if (!dev)
return -ENODEV;
+ if (!dev->vendor_cmds || !dev->n_vendor_cmds) {
+ err = -ENODEV;
+ goto put_dev;
+ }
+
if (info->attrs[NFC_ATTR_VENDOR_DATA]) {
data = nla_data(info->attrs[NFC_ATTR_VENDOR_DATA]);
data_len = nla_len(info->attrs[NFC_ATTR_VENDOR_DATA]);
- if (data_len == 0)
- return -EINVAL;
+ if (data_len == 0) {
+ err = -EINVAL;
+ goto put_dev;
+ }
} else {
data = NULL;
data_len = 0;
@@ -1573,10 +1593,14 @@ static int nfc_genl_vendor_cmd(struct sk_buff *skb,
dev->cur_cmd_info = info;
err = cmd->doit(dev, data, data_len);
dev->cur_cmd_info = NULL;
- return err;
+ goto put_dev;
}
- return -EOPNOTSUPP;
+ err = -EOPNOTSUPP;
+
+put_dev:
+ nfc_put_device(dev);
+ return err;
}
/* message building helper */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 734/783] vhost/vsock: Fix error handling in vhost_vsock_init()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (732 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 733/783] nfc: Fix potential resource leaks Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 735/783] vringh: fix range used in iotlb_translate() Greg Kroah-Hartman
` (58 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuan Can, Michael S. Tsirkin,
Stefano Garzarella, Jason Wang, Sasha Levin
From: Yuan Can <yuancan@huawei.com>
[ Upstream commit 7a4efe182ca61fb3e5307e69b261c57cbf434cd4 ]
A problem about modprobe vhost_vsock failed is triggered with the
following log given:
modprobe: ERROR: could not insert 'vhost_vsock': Device or resource busy
The reason is that vhost_vsock_init() returns misc_register() directly
without checking its return value, if misc_register() failed, it returns
without calling vsock_core_unregister() on vhost_transport, resulting the
vhost_vsock can never be installed later.
A simple call graph is shown as below:
vhost_vsock_init()
vsock_core_register() # register vhost_transport
misc_register()
device_create_with_groups()
device_create_groups_vargs()
dev = kzalloc(...) # OOM happened
# return without unregister vhost_transport
Fix by calling vsock_core_unregister() when misc_register() returns error.
Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Message-Id: <20221108101705.45981-1-yuancan@huawei.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/vsock.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
index b0153617fe0e..7bce5f982e58 100644
--- a/drivers/vhost/vsock.c
+++ b/drivers/vhost/vsock.c
@@ -854,7 +854,14 @@ static int __init vhost_vsock_init(void)
VSOCK_TRANSPORT_F_H2G);
if (ret < 0)
return ret;
- return misc_register(&vhost_vsock_misc);
+
+ ret = misc_register(&vhost_vsock_misc);
+ if (ret) {
+ vsock_core_unregister(&vhost_transport.transport);
+ return ret;
+ }
+
+ return 0;
};
static void __exit vhost_vsock_exit(void)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 735/783] vringh: fix range used in iotlb_translate()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (733 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 734/783] vhost/vsock: Fix error handling in vhost_vsock_init() Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 736/783] vhost: fix range used in translate_desc() Greg Kroah-Hartman
` (57 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Wang, Stefano Garzarella,
Michael S. Tsirkin, Sasha Levin
From: Stefano Garzarella <sgarzare@redhat.com>
[ Upstream commit f85efa9b0f5381874f727bd98f56787840313f0b ]
vhost_iotlb_itree_first() requires `start` and `last` parameters
to search for a mapping that overlaps the range.
In iotlb_translate() we cyclically call vhost_iotlb_itree_first(),
incrementing `addr` by the amount already translated, so rightly
we move the `start` parameter passed to vhost_iotlb_itree_first(),
but we should hold the `last` parameter constant.
Let's fix it by saving the `last` parameter value before incrementing
`addr` in the loop.
Fixes: 9ad9c49cfe97 ("vringh: IOTLB support")
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20221109102503.18816-2-sgarzare@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/vringh.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
index 5a0340c85dc6..48f4ec2ba40a 100644
--- a/drivers/vhost/vringh.c
+++ b/drivers/vhost/vringh.c
@@ -1077,7 +1077,7 @@ static int iotlb_translate(const struct vringh *vrh,
struct vhost_iotlb_map *map;
struct vhost_iotlb *iotlb = vrh->iotlb;
int ret = 0;
- u64 s = 0;
+ u64 s = 0, last = addr + len - 1;
while (len > s) {
u64 size, pa, pfn;
@@ -1087,8 +1087,7 @@ static int iotlb_translate(const struct vringh *vrh,
break;
}
- map = vhost_iotlb_itree_first(iotlb, addr,
- addr + len - 1);
+ map = vhost_iotlb_itree_first(iotlb, addr, last);
if (!map || map->start > addr) {
ret = -EINVAL;
break;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 736/783] vhost: fix range used in translate_desc()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (734 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 735/783] vringh: fix range used in iotlb_translate() Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 737/783] net/mlx5: Add forgotten cleanup calls into mlx5_init_once() error path Greg Kroah-Hartman
` (56 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Wang, Stefano Garzarella,
Michael S. Tsirkin, Sasha Levin
From: Stefano Garzarella <sgarzare@redhat.com>
[ Upstream commit 98047313cdb46828093894d0ac8b1183b8b317f9 ]
vhost_iotlb_itree_first() requires `start` and `last` parameters
to search for a mapping that overlaps the range.
In translate_desc() we cyclically call vhost_iotlb_itree_first(),
incrementing `addr` by the amount already translated, so rightly
we move the `start` parameter passed to vhost_iotlb_itree_first(),
but we should hold the `last` parameter constant.
Let's fix it by saving the `last` parameter value before incrementing
`addr` in the loop.
Fixes: a9709d6874d5 ("vhost: convert pre sorted vhost memory array to interval tree")
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20221109102503.18816-3-sgarzare@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vhost/vhost.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
index f41463ab4031..da00a5c57db6 100644
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -2041,7 +2041,7 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len,
struct vhost_dev *dev = vq->dev;
struct vhost_iotlb *umem = dev->iotlb ? dev->iotlb : dev->umem;
struct iovec *_iov;
- u64 s = 0;
+ u64 s = 0, last = addr + len - 1;
int ret = 0;
while ((u64)len > s) {
@@ -2051,7 +2051,7 @@ static int translate_desc(struct vhost_virtqueue *vq, u64 addr, u32 len,
break;
}
- map = vhost_iotlb_itree_first(umem, addr, addr + len - 1);
+ map = vhost_iotlb_itree_first(umem, addr, last);
if (map == NULL || map->start > addr) {
if (umem != dev->iotlb) {
ret = -EFAULT;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 737/783] net/mlx5: Add forgotten cleanup calls into mlx5_init_once() error path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (735 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 736/783] vhost: fix range used in translate_desc() Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 738/783] net/mlx5: Avoid recovery in probe flows Greg Kroah-Hartman
` (55 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Saeed Mahameed, Sasha Levin
From: Jiri Pirko <jiri@nvidia.com>
[ Upstream commit 2a35b2c2e6a252eda2134aae6a756861d9299531 ]
There are two cleanup calls missing in mlx5_init_once() error path.
Add them making the error path flow to be the same as
mlx5_cleanup_once().
Fixes: 52ec462eca9b ("net/mlx5: Add reserved-gids support")
Fixes: 7c39afb394c7 ("net/mlx5: PTP code migration to driver core section")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/main.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
index 8246b6285d5a..29bc1df28aeb 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -906,6 +906,8 @@ static int mlx5_init_once(struct mlx5_core_dev *dev)
err_tables_cleanup:
mlx5_geneve_destroy(dev->geneve);
mlx5_vxlan_destroy(dev->vxlan);
+ mlx5_cleanup_clock(dev);
+ mlx5_cleanup_reserved_gids(dev);
mlx5_cq_debugfs_cleanup(dev);
mlx5_fw_reset_cleanup(dev);
err_events_cleanup:
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 738/783] net/mlx5: Avoid recovery in probe flows
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (736 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 737/783] net/mlx5: Add forgotten cleanup calls into mlx5_init_once() error path Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 739/783] net/mlx5e: IPoIB, Dont allow CQE compression to be turned on by default Greg Kroah-Hartman
` (54 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Moshe Shemesh,
Saeed Mahameed, Sasha Levin
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit 9078e843efec530f279a155f262793c58b0746bd ]
Currently, recovery is done without considering whether the device is
still in probe flow.
This may lead to recovery before device have finished probed
successfully. e.g.: while mlx5_init_one() is running. Recovery flow is
using functionality that is loaded only by mlx5_init_one(), and there
is no point in running recovery without mlx5_init_one() finished
successfully.
Fix it by waiting for probe flow to finish and checking whether the
device is probed before trying to perform recovery.
Fixes: 51d138c2610a ("net/mlx5: Fix health error state handling")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/health.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/health.c b/drivers/net/ethernet/mellanox/mlx5/core/health.c
index 0c32c485eb58..b21054514736 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c
@@ -618,6 +618,12 @@ static void mlx5_fw_fatal_reporter_err_work(struct work_struct *work)
priv = container_of(health, struct mlx5_priv, health);
dev = container_of(priv, struct mlx5_core_dev, priv);
+ mutex_lock(&dev->intf_state_mutex);
+ if (test_bit(MLX5_DROP_NEW_HEALTH_WORK, &health->flags)) {
+ mlx5_core_err(dev, "health works are not permitted at this stage\n");
+ return;
+ }
+ mutex_unlock(&dev->intf_state_mutex);
enter_error_state(dev, false);
if (IS_ERR_OR_NULL(health->fw_fatal_reporter)) {
if (mlx5_health_try_recover(dev))
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 739/783] net/mlx5e: IPoIB, Dont allow CQE compression to be turned on by default
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (737 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 738/783] net/mlx5: Avoid recovery in probe flows Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 740/783] net/mlx5e: Fix hw mtu initializing at XDP SQ allocation Greg Kroah-Hartman
` (53 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Gal Pressman,
Saeed Mahameed, Sasha Levin
From: Dragos Tatulea <dtatulea@nvidia.com>
[ Upstream commit b12d581e83e3ae1080c32ab83f123005bd89a840 ]
mlx5e_build_nic_params will turn CQE compression on if the hardware
capability is enabled and the slow_pci_heuristic condition is detected.
As IPoIB doesn't support CQE compression, make sure to disable the
feature in the IPoIB profile init.
Please note that the feature is not exposed to the user for IPoIB
interfaces, so it can't be subsequently turned on.
Fixes: b797a684b0dd ("net/mlx5e: Enable CQE compression when PCI is slower than link")
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Gal Pressman <gal@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
index 5c6a376aa62e..0e7fd200b426 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c
@@ -69,6 +69,10 @@ static void mlx5i_build_nic_params(struct mlx5_core_dev *mdev,
params->lro_en = false;
params->hard_mtu = MLX5_IB_GRH_BYTES + MLX5_IPOIB_HARD_LEN;
params->tunneled_offload_en = false;
+
+ /* CQE compression is not supported for IPoIB */
+ params->rx_cqe_compress_def = false;
+ MLX5E_SET_PFLAG(params, MLX5E_PFLAG_RX_CQE_COMPRESS, params->rx_cqe_compress_def);
}
/* Called directly after IPoIB netdevice was created to initialize SW structs */
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 740/783] net/mlx5e: Fix hw mtu initializing at XDP SQ allocation
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (738 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 739/783] net/mlx5e: IPoIB, Dont allow CQE compression to be turned on by default Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 741/783] net: amd-xgbe: add missed tasklet_kill Greg Kroah-Hartman
` (52 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adham Faris, Tariq Toukan,
Saeed Mahameed, Sasha Levin
From: Adham Faris <afaris@nvidia.com>
[ Upstream commit 1e267ab88dc44c48f556218f7b7f14c76f7aa066 ]
Current xdp xmit functions logic (mlx5e_xmit_xdp_frame_mpwqe or
mlx5e_xmit_xdp_frame), validates xdp packet length by comparing it to
hw mtu (configured at xdp sq allocation) before xmiting it. This check
does not account for ethernet fcs length (calculated and filled by the
nic). Hence, when we try sending packets with length > (hw-mtu -
ethernet-fcs-size), the device port drops it and tx_errors_phy is
incremented. Desired behavior is to catch these packets and drop them
by the driver.
Fix this behavior in XDP SQ allocation function (mlx5e_alloc_xdpsq) by
subtracting ethernet FCS header size (4 Bytes) from current hw mtu
value, since ethernet FCS is calculated and written to ethernet frames
by the nic.
Fixes: d8bec2b29a82 ("net/mlx5e: Support bpf_xdp_adjust_head()")
Signed-off-by: Adham Faris <afaris@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
index cfc3bfcb04a2..5673a4113253 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
@@ -992,7 +992,7 @@ static int mlx5e_alloc_xdpsq(struct mlx5e_channel *c,
sq->channel = c;
sq->uar_map = mdev->mlx5e_res.bfreg.map;
sq->min_inline_mode = params->tx_min_inline_mode;
- sq->hw_mtu = MLX5E_SW2HW_MTU(params, params->sw_mtu);
+ sq->hw_mtu = MLX5E_SW2HW_MTU(params, params->sw_mtu) - ETH_FCS_LEN;
sq->xsk_pool = xsk_pool;
sq->stats = sq->xsk_pool ?
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 741/783] net: amd-xgbe: add missed tasklet_kill
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (739 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 740/783] net/mlx5e: Fix hw mtu initializing at XDP SQ allocation Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 742/783] net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe Greg Kroah-Hartman
` (51 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiguang Xiao, David S. Miller, Sasha Levin
From: Jiguang Xiao <jiguang.xiao@windriver.com>
[ Upstream commit d530ece70f16f912e1d1bfeea694246ab78b0a4b ]
The driver does not call tasklet_kill in several places.
Add the calls to fix it.
Fixes: 85b85c853401 ("amd-xgbe: Re-issue interrupt if interrupt status not cleared")
Signed-off-by: Jiguang Xiao <jiguang.xiao@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 3 +++
drivers/net/ethernet/amd/xgbe/xgbe-i2c.c | 4 +++-
drivers/net/ethernet/amd/xgbe/xgbe-mdio.c | 4 +++-
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
index a816b30bca04..a5d6faf7b89e 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
@@ -1064,6 +1064,9 @@ static void xgbe_free_irqs(struct xgbe_prv_data *pdata)
devm_free_irq(pdata->dev, pdata->dev_irq, pdata);
+ tasklet_kill(&pdata->tasklet_dev);
+ tasklet_kill(&pdata->tasklet_ecc);
+
if (pdata->vdata->ecc_support && (pdata->dev_irq != pdata->ecc_irq))
devm_free_irq(pdata->dev, pdata->ecc_irq, pdata);
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-i2c.c b/drivers/net/ethernet/amd/xgbe/xgbe-i2c.c
index 22d4fc547a0a..a9ccc4258ee5 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-i2c.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-i2c.c
@@ -447,8 +447,10 @@ static void xgbe_i2c_stop(struct xgbe_prv_data *pdata)
xgbe_i2c_disable(pdata);
xgbe_i2c_clear_all_interrupts(pdata);
- if (pdata->dev_irq != pdata->i2c_irq)
+ if (pdata->dev_irq != pdata->i2c_irq) {
devm_free_irq(pdata->dev, pdata->i2c_irq, pdata);
+ tasklet_kill(&pdata->tasklet_i2c);
+ }
}
static int xgbe_i2c_start(struct xgbe_prv_data *pdata)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
index 4e97b4869522..0c5c1b155683 100644
--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
+++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
@@ -1390,8 +1390,10 @@ static void xgbe_phy_stop(struct xgbe_prv_data *pdata)
/* Disable auto-negotiation */
xgbe_an_disable_all(pdata);
- if (pdata->dev_irq != pdata->an_irq)
+ if (pdata->dev_irq != pdata->an_irq) {
devm_free_irq(pdata->dev, pdata->an_irq, pdata);
+ tasklet_kill(&pdata->tasklet_an);
+ }
pdata->phy_if.phy_impl.stop(pdata);
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 742/783] net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (740 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 741/783] net: amd-xgbe: add missed tasklet_kill Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 743/783] RDMA/mlx5: Fix validation of max_rd_atomic caps for DC Greg Kroah-Hartman
` (50 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, David S. Miller, Sasha Levin
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit d039535850ee47079d59527e96be18d8e0daa84b ]
of_phy_find_device() return device node with refcount incremented.
Call put_device() to relese it when not needed anymore.
Fixes: ab4e6ee578e8 ("net: phy: xgmiitorgmii: Check phy_driver ready before accessing")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/phy/xilinx_gmii2rgmii.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/phy/xilinx_gmii2rgmii.c b/drivers/net/phy/xilinx_gmii2rgmii.c
index 151c2a3f0b3a..7a78dfdfa5bd 100644
--- a/drivers/net/phy/xilinx_gmii2rgmii.c
+++ b/drivers/net/phy/xilinx_gmii2rgmii.c
@@ -82,6 +82,7 @@ static int xgmiitorgmii_probe(struct mdio_device *mdiodev)
if (!priv->phy_dev->drv) {
dev_info(dev, "Attached phy not ready\n");
+ put_device(&priv->phy_dev->mdio.dev);
return -EPROBE_DEFER;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 743/783] RDMA/mlx5: Fix validation of max_rd_atomic caps for DC
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (741 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 742/783] net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 744/783] drm/meson: Reduce the FIFO lines held when AFBC is not used Greg Kroah-Hartman
` (49 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maor Gottlieb, Leon Romanovsky, Sasha Levin
From: Maor Gottlieb <maorg@nvidia.com>
[ Upstream commit 8de8482fe5732fbef4f5af82bc0c0362c804cd1f ]
Currently, when modifying DC, we validate max_rd_atomic user attribute
against the RC cap, validate against DC. RC and DC QP types have different
device limitations.
This can cause userspace created DC QPs to malfunction.
Fixes: c32a4f296e1d ("IB/mlx5: Add support for DC Initiator QP")
Link: https://lore.kernel.org/r/0c5aee72cea188c3bb770f4207cce7abc9b6fc74.1672231736.git.leonro@nvidia.com
Signed-off-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/mlx5/qp.c | 49 +++++++++++++++++++++++----------
1 file changed, 35 insertions(+), 14 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index 7a2bec0ac005..0caff276f2c1 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -4258,6 +4258,40 @@ static bool mlx5_ib_modify_qp_allowed(struct mlx5_ib_dev *dev,
return false;
}
+static int validate_rd_atomic(struct mlx5_ib_dev *dev, struct ib_qp_attr *attr,
+ int attr_mask, enum ib_qp_type qp_type)
+{
+ int log_max_ra_res;
+ int log_max_ra_req;
+
+ if (qp_type == MLX5_IB_QPT_DCI) {
+ log_max_ra_res = 1 << MLX5_CAP_GEN(dev->mdev,
+ log_max_ra_res_dc);
+ log_max_ra_req = 1 << MLX5_CAP_GEN(dev->mdev,
+ log_max_ra_req_dc);
+ } else {
+ log_max_ra_res = 1 << MLX5_CAP_GEN(dev->mdev,
+ log_max_ra_res_qp);
+ log_max_ra_req = 1 << MLX5_CAP_GEN(dev->mdev,
+ log_max_ra_req_qp);
+ }
+
+ if (attr_mask & IB_QP_MAX_QP_RD_ATOMIC &&
+ attr->max_rd_atomic > log_max_ra_res) {
+ mlx5_ib_dbg(dev, "invalid max_rd_atomic value %d\n",
+ attr->max_rd_atomic);
+ return false;
+ }
+
+ if (attr_mask & IB_QP_MAX_DEST_RD_ATOMIC &&
+ attr->max_dest_rd_atomic > log_max_ra_req) {
+ mlx5_ib_dbg(dev, "invalid max_dest_rd_atomic value %d\n",
+ attr->max_dest_rd_atomic);
+ return false;
+ }
+ return true;
+}
+
int mlx5_ib_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
int attr_mask, struct ib_udata *udata)
{
@@ -4352,21 +4386,8 @@ int mlx5_ib_modify_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr,
}
}
- if (attr_mask & IB_QP_MAX_QP_RD_ATOMIC &&
- attr->max_rd_atomic >
- (1 << MLX5_CAP_GEN(dev->mdev, log_max_ra_res_qp))) {
- mlx5_ib_dbg(dev, "invalid max_rd_atomic value %d\n",
- attr->max_rd_atomic);
- goto out;
- }
-
- if (attr_mask & IB_QP_MAX_DEST_RD_ATOMIC &&
- attr->max_dest_rd_atomic >
- (1 << MLX5_CAP_GEN(dev->mdev, log_max_ra_req_qp))) {
- mlx5_ib_dbg(dev, "invalid max_dest_rd_atomic value %d\n",
- attr->max_dest_rd_atomic);
+ if (!validate_rd_atomic(dev, attr, attr_mask, qp_type))
goto out;
- }
if (cur_state == new_state && cur_state == IB_QPS_RESET) {
err = 0;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 744/783] drm/meson: Reduce the FIFO lines held when AFBC is not used
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (742 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 743/783] RDMA/mlx5: Fix validation of max_rd_atomic caps for DC Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 745/783] filelock: new helper: vfs_inode_has_locks Greg Kroah-Hartman
` (48 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Carlo Caione, Martin Blumenstingl,
Neil Armstrong, Sasha Levin
From: Carlo Caione <ccaione@baylibre.com>
[ Upstream commit 3b754ed6d1cd90017e66e5cc16f3923e4a952ffc ]
Having a bigger number of FIFO lines held after vsync is only useful to
SoCs using AFBC to give time to the AFBC decoder to be reset, configured
and enabled again.
For SoCs not using AFBC this, on the contrary, is causing on some
displays issues and a few pixels vertical offset in the displayed image.
Conditionally increase the number of lines held after vsync only for
SoCs using AFBC, leaving the default value for all the others.
Fixes: 24e0d4058eff ("drm/meson: hold 32 lines after vsync to give time for AFBC start")
Signed-off-by: Carlo Caione <ccaione@baylibre.com>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Acked-by: Neil Armstrong <neil.armstrong@linaro.org>
[narmstrong: added fixes tag]
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20221216-afbc_s905x-v1-0-033bebf780d9@baylibre.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/meson/meson_viu.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/meson/meson_viu.c b/drivers/gpu/drm/meson/meson_viu.c
index d4b907889a21..cd399b0b7181 100644
--- a/drivers/gpu/drm/meson/meson_viu.c
+++ b/drivers/gpu/drm/meson/meson_viu.c
@@ -436,15 +436,14 @@ void meson_viu_init(struct meson_drm *priv)
/* Initialize OSD1 fifo control register */
reg = VIU_OSD_DDR_PRIORITY_URGENT |
- VIU_OSD_HOLD_FIFO_LINES(31) |
VIU_OSD_FIFO_DEPTH_VAL(32) | /* fifo_depth_val: 32*8=256 */
VIU_OSD_WORDS_PER_BURST(4) | /* 4 words in 1 burst */
VIU_OSD_FIFO_LIMITS(2); /* fifo_lim: 2*16=32 */
if (meson_vpu_is_compatible(priv, VPU_COMPATIBLE_G12A))
- reg |= VIU_OSD_BURST_LENGTH_32;
+ reg |= (VIU_OSD_BURST_LENGTH_32 | VIU_OSD_HOLD_FIFO_LINES(31));
else
- reg |= VIU_OSD_BURST_LENGTH_64;
+ reg |= (VIU_OSD_BURST_LENGTH_64 | VIU_OSD_HOLD_FIFO_LINES(4));
writel_relaxed(reg, priv->io_base + _REG(VIU_OSD1_FIFO_CTRL_STAT));
writel_relaxed(reg, priv->io_base + _REG(VIU_OSD2_FIFO_CTRL_STAT));
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 745/783] filelock: new helper: vfs_inode_has_locks
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (743 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 744/783] drm/meson: Reduce the FIFO lines held when AFBC is not used Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 746/783] ceph: switch to vfs_inode_has_locks() to fix file lock bug Greg Kroah-Hartman
` (47 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiubo Li, Christoph Hellwig,
Jeff Layton, Sasha Levin
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit ab1ddef98a715eddb65309ffa83267e4e84a571e ]
Ceph has a need to know whether a particular inode has any locks set on
it. It's currently tracking that by a num_locks field in its
filp->private_data, but that's problematic as it tries to decrement this
field when releasing locks and that can race with the file being torn
down.
Add a new vfs_inode_has_locks helper that just returns whether any locks
are currently held on the inode.
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Stable-dep-of: 461ab10ef7e6 ("ceph: switch to vfs_inode_has_locks() to fix file lock bug")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/locks.c | 23 +++++++++++++++++++++++
include/linux/fs.h | 6 ++++++
2 files changed, 29 insertions(+)
diff --git a/fs/locks.c b/fs/locks.c
index 32c948fe2944..12d72c3d8756 100644
--- a/fs/locks.c
+++ b/fs/locks.c
@@ -2813,6 +2813,29 @@ int vfs_cancel_lock(struct file *filp, struct file_lock *fl)
}
EXPORT_SYMBOL_GPL(vfs_cancel_lock);
+/**
+ * vfs_inode_has_locks - are any file locks held on @inode?
+ * @inode: inode to check for locks
+ *
+ * Return true if there are any FL_POSIX or FL_FLOCK locks currently
+ * set on @inode.
+ */
+bool vfs_inode_has_locks(struct inode *inode)
+{
+ struct file_lock_context *ctx;
+ bool ret;
+
+ ctx = smp_load_acquire(&inode->i_flctx);
+ if (!ctx)
+ return false;
+
+ spin_lock(&ctx->flc_lock);
+ ret = !list_empty(&ctx->flc_posix) || !list_empty(&ctx->flc_flock);
+ spin_unlock(&ctx->flc_lock);
+ return ret;
+}
+EXPORT_SYMBOL_GPL(vfs_inode_has_locks);
+
#ifdef CONFIG_PROC_FS
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 9a477e537361..74e19bccbf73 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1145,6 +1145,7 @@ extern int locks_delete_block(struct file_lock *);
extern int vfs_test_lock(struct file *, struct file_lock *);
extern int vfs_lock_file(struct file *, unsigned int, struct file_lock *, struct file_lock *);
extern int vfs_cancel_lock(struct file *filp, struct file_lock *fl);
+bool vfs_inode_has_locks(struct inode *inode);
extern int locks_lock_inode_wait(struct inode *inode, struct file_lock *fl);
extern int __break_lease(struct inode *inode, unsigned int flags, unsigned int type);
extern void lease_get_mtime(struct inode *, struct timespec64 *time);
@@ -1257,6 +1258,11 @@ static inline int vfs_cancel_lock(struct file *filp, struct file_lock *fl)
return 0;
}
+static inline bool vfs_inode_has_locks(struct inode *inode)
+{
+ return false;
+}
+
static inline int locks_lock_inode_wait(struct inode *inode, struct file_lock *fl)
{
return -ENOLCK;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 746/783] ceph: switch to vfs_inode_has_locks() to fix file lock bug
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (744 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 745/783] filelock: new helper: vfs_inode_has_locks Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 747/783] gpio: sifive: Fix refcount leak in sifive_gpio_probe Greg Kroah-Hartman
` (46 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiubo Li, Jeff Layton, Ilya Dryomov,
Sasha Levin
From: Xiubo Li <xiubli@redhat.com>
[ Upstream commit 461ab10ef7e6ea9b41a0571a7fc6a72af9549a3c ]
For the POSIX locks they are using the same owner, which is the
thread id. And multiple POSIX locks could be merged into single one,
so when checking whether the 'file' has locks may fail.
For a file where some openers use locking and others don't is a
really odd usage pattern though. Locks are like stoplights -- they
only work if everyone pays attention to them.
Just switch ceph_get_caps() to check whether any locks are set on
the inode. If there are POSIX/OFD/FLOCK locks on the file at the
time, we should set CHECK_FILELOCK, regardless of what fd was used
to set the lock.
Fixes: ff5d913dfc71 ("ceph: return -EIO if read/write against filp that lost file locks")
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ceph/caps.c | 2 +-
fs/ceph/locks.c | 4 ----
fs/ceph/super.h | 1 -
3 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 51562d36fa83..210496dc2fd4 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -2957,7 +2957,7 @@ int ceph_get_caps(struct file *filp, int need, int want,
while (true) {
flags &= CEPH_FILE_MODE_MASK;
- if (atomic_read(&fi->num_locks))
+ if (vfs_inode_has_locks(inode))
flags |= CHECK_FILELOCK;
_got = 0;
ret = try_get_cap_refs(inode, need, want, endoff,
diff --git a/fs/ceph/locks.c b/fs/ceph/locks.c
index 048a435a29be..674d6ea89f71 100644
--- a/fs/ceph/locks.c
+++ b/fs/ceph/locks.c
@@ -32,18 +32,14 @@ void __init ceph_flock_init(void)
static void ceph_fl_copy_lock(struct file_lock *dst, struct file_lock *src)
{
- struct ceph_file_info *fi = dst->fl_file->private_data;
struct inode *inode = file_inode(dst->fl_file);
atomic_inc(&ceph_inode(inode)->i_filelock_ref);
- atomic_inc(&fi->num_locks);
}
static void ceph_fl_release_lock(struct file_lock *fl)
{
- struct ceph_file_info *fi = fl->fl_file->private_data;
struct inode *inode = file_inode(fl->fl_file);
struct ceph_inode_info *ci = ceph_inode(inode);
- atomic_dec(&fi->num_locks);
if (atomic_dec_and_test(&ci->i_filelock_ref)) {
/* clear error when all locks are released */
spin_lock(&ci->i_ceph_lock);
diff --git a/fs/ceph/super.h b/fs/ceph/super.h
index 4db305fd2a02..8716cb618cbb 100644
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -772,7 +772,6 @@ struct ceph_file_info {
struct list_head rw_contexts;
u32 filp_gen;
- atomic_t num_locks;
};
struct ceph_dir_file_info {
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 747/783] gpio: sifive: Fix refcount leak in sifive_gpio_probe
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (745 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 746/783] ceph: switch to vfs_inode_has_locks() to fix file lock bug Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 748/783] net: sched: atm: dont intepret cls results when asked to drop Greg Kroah-Hartman
` (45 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miaoqian Lin, Bartosz Golaszewski,
Sasha Levin
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 694175cd8a1643cde3acb45c9294bca44a8e08e9 ]
of_irq_find_parent() returns a node pointer with refcount incremented,
We should use of_node_put() on it when not needed anymore.
Add missing of_node_put() to avoid refcount leak.
Fixes: 96868dce644d ("gpio/sifive: Add GPIO driver for SiFive SoCs")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-sifive.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpio/gpio-sifive.c b/drivers/gpio/gpio-sifive.c
index 4f28fa73450c..a42ffb9f3057 100644
--- a/drivers/gpio/gpio-sifive.c
+++ b/drivers/gpio/gpio-sifive.c
@@ -195,6 +195,7 @@ static int sifive_gpio_probe(struct platform_device *pdev)
return -ENODEV;
}
parent = irq_find_host(irq_parent);
+ of_node_put(irq_parent);
if (!parent) {
dev_err(dev, "no IRQ parent domain\n");
return -ENODEV;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 748/783] net: sched: atm: dont intepret cls results when asked to drop
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (746 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 747/783] gpio: sifive: Fix refcount leak in sifive_gpio_probe Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 749/783] net: sched: cbq: " Greg Kroah-Hartman
` (44 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, David S. Miller,
Sasha Levin
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit a2965c7be0522eaa18808684b7b82b248515511b ]
If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume
res.class contains a valid pointer
Fixes: b0188d4dbe5f ("[NET_SCHED]: sch_atm: Lindent")
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_atm.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
index 794c7377cd7e..95967ce1f370 100644
--- a/net/sched/sch_atm.c
+++ b/net/sched/sch_atm.c
@@ -396,10 +396,13 @@ static int atm_tc_enqueue(struct sk_buff *skb, struct Qdisc *sch,
result = tcf_classify(skb, fl, &res, true);
if (result < 0)
continue;
+ if (result == TC_ACT_SHOT)
+ goto done;
+
flow = (struct atm_flow_data *)res.class;
if (!flow)
flow = lookup_flow(sch, res.classid);
- goto done;
+ goto drop;
}
}
flow = NULL;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 749/783] net: sched: cbq: dont intepret cls results when asked to drop
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (747 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 748/783] net: sched: atm: dont intepret cls results when asked to drop Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 750/783] netfilter: ipset: fix hash:net,port,net hang with /0 subnet Greg Kroah-Hartman
` (43 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kyle Zeng, Jamal Hadi Salim,
David S. Miller, Sasha Levin
From: Jamal Hadi Salim <jhs@mojatatu.com>
[ Upstream commit caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12 ]
If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume that
res.class contains a valid pointer
Sample splat reported by Kyle Zeng
[ 5.405624] 0: reclassify loop, rule prio 0, protocol 800
[ 5.406326] ==================================================================
[ 5.407240] BUG: KASAN: slab-out-of-bounds in cbq_enqueue+0x54b/0xea0
[ 5.407987] Read of size 1 at addr ffff88800e3122aa by task poc/299
[ 5.408731]
[ 5.408897] CPU: 0 PID: 299 Comm: poc Not tainted 5.10.155+ #15
[ 5.409516] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
[ 5.410439] Call Trace:
[ 5.410764] dump_stack+0x87/0xcd
[ 5.411153] print_address_description+0x7a/0x6b0
[ 5.411687] ? vprintk_func+0xb9/0xc0
[ 5.411905] ? printk+0x76/0x96
[ 5.412110] ? cbq_enqueue+0x54b/0xea0
[ 5.412323] kasan_report+0x17d/0x220
[ 5.412591] ? cbq_enqueue+0x54b/0xea0
[ 5.412803] __asan_report_load1_noabort+0x10/0x20
[ 5.413119] cbq_enqueue+0x54b/0xea0
[ 5.413400] ? __kasan_check_write+0x10/0x20
[ 5.413679] __dev_queue_xmit+0x9c0/0x1db0
[ 5.413922] dev_queue_xmit+0xc/0x10
[ 5.414136] ip_finish_output2+0x8bc/0xcd0
[ 5.414436] __ip_finish_output+0x472/0x7a0
[ 5.414692] ip_finish_output+0x5c/0x190
[ 5.414940] ip_output+0x2d8/0x3c0
[ 5.415150] ? ip_mc_finish_output+0x320/0x320
[ 5.415429] __ip_queue_xmit+0x753/0x1760
[ 5.415664] ip_queue_xmit+0x47/0x60
[ 5.415874] __tcp_transmit_skb+0x1ef9/0x34c0
[ 5.416129] tcp_connect+0x1f5e/0x4cb0
[ 5.416347] tcp_v4_connect+0xc8d/0x18c0
[ 5.416577] __inet_stream_connect+0x1ae/0xb40
[ 5.416836] ? local_bh_enable+0x11/0x20
[ 5.417066] ? lock_sock_nested+0x175/0x1d0
[ 5.417309] inet_stream_connect+0x5d/0x90
[ 5.417548] ? __inet_stream_connect+0xb40/0xb40
[ 5.417817] __sys_connect+0x260/0x2b0
[ 5.418037] __x64_sys_connect+0x76/0x80
[ 5.418267] do_syscall_64+0x31/0x50
[ 5.418477] entry_SYSCALL_64_after_hwframe+0x61/0xc6
[ 5.418770] RIP: 0033:0x473bb7
[ 5.418952] Code: 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00
00 00 90 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2a 00 00
00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 18 89 54 24 0c 48 89 34
24 89
[ 5.420046] RSP: 002b:00007fffd20eb0f8 EFLAGS: 00000246 ORIG_RAX:
000000000000002a
[ 5.420472] RAX: ffffffffffffffda RBX: 00007fffd20eb578 RCX: 0000000000473bb7
[ 5.420872] RDX: 0000000000000010 RSI: 00007fffd20eb110 RDI: 0000000000000007
[ 5.421271] RBP: 00007fffd20eb150 R08: 0000000000000001 R09: 0000000000000004
[ 5.421671] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 5.422071] R13: 00007fffd20eb568 R14: 00000000004fc740 R15: 0000000000000002
[ 5.422471]
[ 5.422562] Allocated by task 299:
[ 5.422782] __kasan_kmalloc+0x12d/0x160
[ 5.423007] kasan_kmalloc+0x5/0x10
[ 5.423208] kmem_cache_alloc_trace+0x201/0x2e0
[ 5.423492] tcf_proto_create+0x65/0x290
[ 5.423721] tc_new_tfilter+0x137e/0x1830
[ 5.423957] rtnetlink_rcv_msg+0x730/0x9f0
[ 5.424197] netlink_rcv_skb+0x166/0x300
[ 5.424428] rtnetlink_rcv+0x11/0x20
[ 5.424639] netlink_unicast+0x673/0x860
[ 5.424870] netlink_sendmsg+0x6af/0x9f0
[ 5.425100] __sys_sendto+0x58d/0x5a0
[ 5.425315] __x64_sys_sendto+0xda/0xf0
[ 5.425539] do_syscall_64+0x31/0x50
[ 5.425764] entry_SYSCALL_64_after_hwframe+0x61/0xc6
[ 5.426065]
[ 5.426157] The buggy address belongs to the object at ffff88800e312200
[ 5.426157] which belongs to the cache kmalloc-128 of size 128
[ 5.426955] The buggy address is located 42 bytes to the right of
[ 5.426955] 128-byte region [ffff88800e312200, ffff88800e312280)
[ 5.427688] The buggy address belongs to the page:
[ 5.427992] page:000000009875fabc refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0xe312
[ 5.428562] flags: 0x100000000000200(slab)
[ 5.428812] raw: 0100000000000200 dead000000000100 dead000000000122
ffff888007843680
[ 5.429325] raw: 0000000000000000 0000000000100010 00000001ffffffff
ffff88800e312401
[ 5.429875] page dumped because: kasan: bad access detected
[ 5.430214] page->mem_cgroup:ffff88800e312401
[ 5.430471]
[ 5.430564] Memory state around the buggy address:
[ 5.430846] ffff88800e312180: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[ 5.431267] ffff88800e312200: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 fc
[ 5.431705] >ffff88800e312280: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[ 5.432123] ^
[ 5.432391] ffff88800e312300: 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 fc
[ 5.432810] ffff88800e312380: fc fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc
[ 5.433229] ==================================================================
[ 5.433648] Disabling lock debugging due to kernel taint
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_cbq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index 9a3dff02b7a2..3da5eb313c24 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -231,6 +231,8 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
result = tcf_classify(skb, fl, &res, true);
if (!fl || result < 0)
goto fallback;
+ if (result == TC_ACT_SHOT)
+ return NULL;
cl = (void *)res.class;
if (!cl) {
@@ -251,8 +253,6 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
case TC_ACT_TRAP:
*qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN;
fallthrough;
- case TC_ACT_SHOT:
- return NULL;
case TC_ACT_RECLASSIFY:
return cbq_reclassify(skb, cl);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 750/783] netfilter: ipset: fix hash:net,port,net hang with /0 subnet
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (748 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 749/783] net: sched: cbq: " Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 751/783] netfilter: ipset: Rework long task execution when adding/deleting entries Greg Kroah-Hartman
` (42 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches,
Марк
Коренберг,
Jozsef Kadlecsik, Pablo Neira Ayuso, Sasha Levin
From: Jozsef Kadlecsik <kadlec@netfilter.org>
[ Upstream commit a31d47be64b9b74f8cfedffe03e0a8a1f9e51f23 ]
The hash:net,port,net set type supports /0 subnets. However, the patch
commit 5f7b51bf09baca8e titled "netfilter: ipset: Limit the maximal range
of consecutive elements to add/delete" did not take into account it and
resulted in an endless loop. The bug is actually older but the patch
5f7b51bf09baca8e brings it out earlier.
Handle /0 subnets properly in hash:net,port,net set types.
Fixes: 5f7b51bf09ba ("netfilter: ipset: Limit the maximal range of consecutive elements to add/delete")
Reported-by: Марк Коренберг <socketpair@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/ipset/ip_set_hash_netportnet.c | 40 ++++++++++----------
1 file changed, 21 insertions(+), 19 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index 6446f4fccc72..144346faffc1 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -172,17 +172,26 @@ hash_netportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
}
+static u32
+hash_netportnet4_range_to_cidr(u32 from, u32 to, u8 *cidr)
+{
+ if (from == 0 && to == UINT_MAX) {
+ *cidr = 0;
+ return to;
+ }
+ return ip_set_range_to_cidr(from, to, cidr);
+}
+
static int
hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
- const struct hash_netportnet4 *h = set->data;
+ struct hash_netportnet4 *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netportnet4_elem e = { };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
u32 ip = 0, ip_to = 0, p = 0, port, port_to;
- u32 ip2_from = 0, ip2_to = 0, ip2, ipn;
- u64 n = 0, m = 0;
+ u32 ip2_from = 0, ip2_to = 0, ip2, i = 0;
bool with_ports = false;
int ret;
@@ -284,19 +293,6 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
} else {
ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]);
}
- ipn = ip;
- do {
- ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr[0]);
- n++;
- } while (ipn++ < ip_to);
- ipn = ip2_from;
- do {
- ipn = ip_set_range_to_cidr(ipn, ip2_to, &e.cidr[1]);
- m++;
- } while (ipn++ < ip2_to);
-
- if (n*m*(port_to - port + 1) > IPSET_MAX_RANGE)
- return -ERANGE;
if (retried) {
ip = ntohl(h->next.ip[0]);
@@ -309,13 +305,19 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
do {
e.ip[0] = htonl(ip);
- ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
+ ip = hash_netportnet4_range_to_cidr(ip, ip_to, &e.cidr[0]);
for (; p <= port_to; p++) {
e.port = htons(p);
do {
+ i++;
e.ip[1] = htonl(ip2);
- ip2 = ip_set_range_to_cidr(ip2, ip2_to,
- &e.cidr[1]);
+ if (i > IPSET_MAX_RANGE) {
+ hash_netportnet4_data_next(&h->next,
+ &e);
+ return -ERANGE;
+ }
+ ip2 = hash_netportnet4_range_to_cidr(ip2,
+ ip2_to, &e.cidr[1]);
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
return ret;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 751/783] netfilter: ipset: Rework long task execution when adding/deleting entries
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (749 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 750/783] netfilter: ipset: fix hash:net,port,net hang with /0 subnet Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 752/783] perf tools: Fix resources leak in perf_data__open_dir() Greg Kroah-Hartman
` (41 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9204e7399656300bf271,
Jozsef Kadlecsik, Pablo Neira Ayuso, Sasha Levin
From: Jozsef Kadlecsik <kadlec@netfilter.org>
[ Upstream commit 5e29dc36bd5e2166b834ceb19990d9e68a734d7d ]
When adding/deleting large number of elements in one step in ipset, it can
take a reasonable amount of time and can result in soft lockup errors. The
patch 5f7b51bf09ba ("netfilter: ipset: Limit the maximal range of
consecutive elements to add/delete") tried to fix it by limiting the max
elements to process at all. However it was not enough, it is still possible
that we get hung tasks. Lowering the limit is not reasonable, so the
approach in this patch is as follows: rely on the method used at resizing
sets and save the state when we reach a smaller internal batch limit,
unlock/lock and proceed from the saved state. Thus we can avoid long
continuous tasks and at the same time removed the limit to add/delete large
number of elements in one step.
The nfnl mutex is held during the whole operation which prevents one to
issue other ipset commands in parallel.
Fixes: 5f7b51bf09ba ("netfilter: ipset: Limit the maximal range of consecutive elements to add/delete")
Reported-by: syzbot+9204e7399656300bf271@syzkaller.appspotmail.com
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netfilter/ipset/ip_set.h | 2 +-
net/netfilter/ipset/ip_set_core.c | 7 ++++---
net/netfilter/ipset/ip_set_hash_ip.c | 14 ++++++-------
net/netfilter/ipset/ip_set_hash_ipmark.c | 13 ++++++------
net/netfilter/ipset/ip_set_hash_ipport.c | 13 ++++++------
net/netfilter/ipset/ip_set_hash_ipportip.c | 13 ++++++------
net/netfilter/ipset/ip_set_hash_ipportnet.c | 13 +++++++-----
net/netfilter/ipset/ip_set_hash_net.c | 17 +++++++--------
net/netfilter/ipset/ip_set_hash_netiface.c | 15 ++++++--------
net/netfilter/ipset/ip_set_hash_netnet.c | 23 +++++++--------------
net/netfilter/ipset/ip_set_hash_netport.c | 19 +++++++----------
11 files changed, 68 insertions(+), 81 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 53c9a17ecb3e..62f7e7e257c1 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -199,7 +199,7 @@ struct ip_set_region {
};
/* Max range where every element is added/deleted in one step */
-#define IPSET_MAX_RANGE (1<<20)
+#define IPSET_MAX_RANGE (1<<14)
/* The core set type structure */
struct ip_set_type {
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index c17a7dda0163..1bf6ab83644b 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1708,9 +1708,10 @@ call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
ret = set->variant->uadt(set, tb, adt, &lineno, flags, retried);
ip_set_unlock(set);
retried = true;
- } while (ret == -EAGAIN &&
- set->variant->resize &&
- (ret = set->variant->resize(set, retried)) == 0);
+ } while (ret == -ERANGE ||
+ (ret == -EAGAIN &&
+ set->variant->resize &&
+ (ret = set->variant->resize(set, retried)) == 0));
if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
return 0;
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index d7a81b2250e7..8720dc3bb689 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -97,11 +97,11 @@ static int
hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
- const struct hash_ip4 *h = set->data;
+ struct hash_ip4 *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ip4_elem e = { 0 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip = 0, ip_to = 0, hosts;
+ u32 ip = 0, ip_to = 0, hosts, i = 0;
int ret = 0;
if (tb[IPSET_ATTR_LINENO])
@@ -146,14 +146,14 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
- /* 64bit division is not allowed on 32bit */
- if (((u64)ip_to - ip + 1) >> (32 - h->netmask) > IPSET_MAX_RANGE)
- return -ERANGE;
-
if (retried)
ip = ntohl(h->next.ip);
- for (; ip <= ip_to;) {
+ for (; ip <= ip_to; i++) {
e.ip = htonl(ip);
+ if (i > IPSET_MAX_RANGE) {
+ hash_ip4_data_next(&h->next, &e);
+ return -ERANGE;
+ }
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index eefce34a34f0..cbb05cb188f2 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -96,11 +96,11 @@ static int
hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
- const struct hash_ipmark4 *h = set->data;
+ struct hash_ipmark4 *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipmark4_elem e = { };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip, ip_to = 0;
+ u32 ip, ip_to = 0, i = 0;
int ret;
if (tb[IPSET_ATTR_LINENO])
@@ -147,13 +147,14 @@ hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb[],
ip_set_mask_from_to(ip, ip_to, cidr);
}
- if (((u64)ip_to - ip + 1) > IPSET_MAX_RANGE)
- return -ERANGE;
-
if (retried)
ip = ntohl(h->next.ip);
- for (; ip <= ip_to; ip++) {
+ for (; ip <= ip_to; ip++, i++) {
e.ip = htonl(ip);
+ if (i > IPSET_MAX_RANGE) {
+ hash_ipmark4_data_next(&h->next, &e);
+ return -ERANGE;
+ }
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index 4a54e9e8ae59..c560f7873eca 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -104,11 +104,11 @@ static int
hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
- const struct hash_ipport4 *h = set->data;
+ struct hash_ipport4 *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipport4_elem e = { .ip = 0 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip, ip_to = 0, p = 0, port, port_to;
+ u32 ip, ip_to = 0, p = 0, port, port_to, i = 0;
bool with_ports = false;
int ret;
@@ -172,17 +172,18 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
swap(port, port_to);
}
- if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE)
- return -ERANGE;
-
if (retried)
ip = ntohl(h->next.ip);
for (; ip <= ip_to; ip++) {
p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
: port;
- for (; p <= port_to; p++) {
+ for (; p <= port_to; p++, i++) {
e.ip = htonl(ip);
e.port = htons(p);
+ if (i > IPSET_MAX_RANGE) {
+ hash_ipport4_data_next(&h->next, &e);
+ return -ERANGE;
+ }
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 09737de5ecc3..b7eb8d1e77d9 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -107,11 +107,11 @@ static int
hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
- const struct hash_ipportip4 *h = set->data;
+ struct hash_ipportip4 *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportip4_elem e = { .ip = 0 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip, ip_to = 0, p = 0, port, port_to;
+ u32 ip, ip_to = 0, p = 0, port, port_to, i = 0;
bool with_ports = false;
int ret;
@@ -179,17 +179,18 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
swap(port, port_to);
}
- if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE)
- return -ERANGE;
-
if (retried)
ip = ntohl(h->next.ip);
for (; ip <= ip_to; ip++) {
p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
: port;
- for (; p <= port_to; p++) {
+ for (; p <= port_to; p++, i++) {
e.ip = htonl(ip);
e.port = htons(p);
+ if (i > IPSET_MAX_RANGE) {
+ hash_ipportip4_data_next(&h->next, &e);
+ return -ERANGE;
+ }
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 02685371a682..16c5641ced53 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -159,12 +159,12 @@ static int
hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
- const struct hash_ipportnet4 *h = set->data;
+ struct hash_ipportnet4 *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_ipportnet4_elem e = { .cidr = HOST_MASK - 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
u32 ip = 0, ip_to = 0, p = 0, port, port_to;
- u32 ip2_from = 0, ip2_to = 0, ip2;
+ u32 ip2_from = 0, ip2_to = 0, ip2, i = 0;
bool with_ports = false;
u8 cidr;
int ret;
@@ -252,9 +252,6 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
swap(port, port_to);
}
- if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE)
- return -ERANGE;
-
ip2_to = ip2_from;
if (tb[IPSET_ATTR_IP2_TO]) {
ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2_TO], &ip2_to);
@@ -281,9 +278,15 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
for (; p <= port_to; p++) {
e.port = htons(p);
do {
+ i++;
e.ip2 = htonl(ip2);
ip2 = ip_set_range_to_cidr(ip2, ip2_to, &cidr);
e.cidr = cidr - 1;
+ if (i > IPSET_MAX_RANGE) {
+ hash_ipportnet4_data_next(&h->next,
+ &e);
+ return -ERANGE;
+ }
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 9d1beaacb973..5ab5873d1d16 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -135,11 +135,11 @@ static int
hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
- const struct hash_net4 *h = set->data;
+ struct hash_net4 *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_net4_elem e = { .cidr = HOST_MASK };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip = 0, ip_to = 0, ipn, n = 0;
+ u32 ip = 0, ip_to = 0, i = 0;
int ret;
if (tb[IPSET_ATTR_LINENO])
@@ -187,19 +187,16 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ip + UINT_MAX == ip_to)
return -IPSET_ERR_HASH_RANGE;
}
- ipn = ip;
- do {
- ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr);
- n++;
- } while (ipn++ < ip_to);
-
- if (n > IPSET_MAX_RANGE)
- return -ERANGE;
if (retried)
ip = ntohl(h->next.ip);
do {
+ i++;
e.ip = htonl(ip);
+ if (i > IPSET_MAX_RANGE) {
+ hash_net4_data_next(&h->next, &e);
+ return -ERANGE;
+ }
ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index c3ada9c63fa3..7ef240380a45 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -201,7 +201,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip = 0, ip_to = 0, ipn, n = 0;
+ u32 ip = 0, ip_to = 0, i = 0;
int ret;
if (tb[IPSET_ATTR_LINENO])
@@ -255,19 +255,16 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
} else {
ip_set_mask_from_to(ip, ip_to, e.cidr);
}
- ipn = ip;
- do {
- ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr);
- n++;
- } while (ipn++ < ip_to);
-
- if (n > IPSET_MAX_RANGE)
- return -ERANGE;
if (retried)
ip = ntohl(h->next.ip);
do {
+ i++;
e.ip = htonl(ip);
+ if (i > IPSET_MAX_RANGE) {
+ hash_netiface4_data_next(&h->next, &e);
+ return -ERANGE;
+ }
ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
ret = adtfn(set, &e, &ext, &ext, flags);
diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c
index b1411bc91a40..15f4b0292f0d 100644
--- a/net/netfilter/ipset/ip_set_hash_netnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netnet.c
@@ -162,13 +162,12 @@ static int
hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
- const struct hash_netnet4 *h = set->data;
+ struct hash_netnet4 *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netnet4_elem e = { };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
u32 ip = 0, ip_to = 0;
- u32 ip2 = 0, ip2_from = 0, ip2_to = 0, ipn;
- u64 n = 0, m = 0;
+ u32 ip2 = 0, ip2_from = 0, ip2_to = 0, i = 0;
int ret;
if (tb[IPSET_ATTR_LINENO])
@@ -244,19 +243,6 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
} else {
ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]);
}
- ipn = ip;
- do {
- ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr[0]);
- n++;
- } while (ipn++ < ip_to);
- ipn = ip2_from;
- do {
- ipn = ip_set_range_to_cidr(ipn, ip2_to, &e.cidr[1]);
- m++;
- } while (ipn++ < ip2_to);
-
- if (n*m > IPSET_MAX_RANGE)
- return -ERANGE;
if (retried) {
ip = ntohl(h->next.ip[0]);
@@ -269,7 +255,12 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
e.ip[0] = htonl(ip);
ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
do {
+ i++;
e.ip[1] = htonl(ip2);
+ if (i > IPSET_MAX_RANGE) {
+ hash_netnet4_data_next(&h->next, &e);
+ return -ERANGE;
+ }
ip2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr[1]);
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index d26d13528fe8..e73ba50afe96 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -153,12 +153,11 @@ static int
hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
{
- const struct hash_netport4 *h = set->data;
+ struct hash_netport4 *h = set->data;
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netport4_elem e = { .cidr = HOST_MASK - 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 port, port_to, p = 0, ip = 0, ip_to = 0, ipn;
- u64 n = 0;
+ u32 port, port_to, p = 0, ip = 0, ip_to = 0, i = 0;
bool with_ports = false;
u8 cidr;
int ret;
@@ -235,14 +234,6 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
} else {
ip_set_mask_from_to(ip, ip_to, e.cidr + 1);
}
- ipn = ip;
- do {
- ipn = ip_set_range_to_cidr(ipn, ip_to, &cidr);
- n++;
- } while (ipn++ < ip_to);
-
- if (n*(port_to - port + 1) > IPSET_MAX_RANGE)
- return -ERANGE;
if (retried) {
ip = ntohl(h->next.ip);
@@ -254,8 +245,12 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
e.ip = htonl(ip);
ip = ip_set_range_to_cidr(ip, ip_to, &cidr);
e.cidr = cidr - 1;
- for (; p <= port_to; p++) {
+ for (; p <= port_to; p++, i++) {
e.port = htons(p);
+ if (i > IPSET_MAX_RANGE) {
+ hash_netport4_data_next(&h->next, &e);
+ return -ERANGE;
+ }
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
return ret;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 752/783] perf tools: Fix resources leak in perf_data__open_dir()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (750 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 751/783] netfilter: ipset: Rework long task execution when adding/deleting entries Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 753/783] drivers/net/bonding/bond_3ad: return when theres no aggregator Greg Kroah-Hartman
` (40 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Miaoqian Lin,
Alexander Shishkin, Alexey Bayduraev, Ingo Molnar, Jiri Olsa,
Mark Rutland, Namhyung Kim, Peter Zijlstra,
Arnaldo Carvalho de Melo, Sasha Levin
From: Miaoqian Lin <linmq006@gmail.com>
[ Upstream commit 0a6564ebd953c4590663c9a3c99a3ea9920ade6f ]
In perf_data__open_dir(), opendir() opens the directory stream. Add
missing closedir() to release it after use.
Fixes: eb6176709b235b96 ("perf data: Add perf_data__open_dir_data function")
Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alexey Bayduraev <alexey.v.bayduraev@linux.intel.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20221229090903.1402395-1-linmq006@gmail.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/data.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/perf/util/data.c b/tools/perf/util/data.c
index 48754083791d..29d32ba046b5 100644
--- a/tools/perf/util/data.c
+++ b/tools/perf/util/data.c
@@ -127,6 +127,7 @@ int perf_data__open_dir(struct perf_data *data)
file->size = st.st_size;
}
+ closedir(dir);
if (!files)
return -EINVAL;
@@ -135,6 +136,7 @@ int perf_data__open_dir(struct perf_data *data)
return 0;
out_err:
+ closedir(dir);
close_dir(files, nr);
return ret;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 753/783] drivers/net/bonding/bond_3ad: return when theres no aggregator
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (751 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 752/783] perf tools: Fix resources leak in perf_data__open_dir() Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 754/783] usb: rndis_host: Secure rndis_query check against int overflow Greg Kroah-Hartman
` (39 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniil Tatianin, Jiri Pirko,
David S. Miller, Sasha Levin
From: Daniil Tatianin <d-tatianin@yandex-team.ru>
[ Upstream commit 9c807965483f42df1d053b7436eedd6cf28ece6f ]
Otherwise we would dereference a NULL aggregator pointer when calling
__set_agg_ports_ready on the line below.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_3ad.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/bonding/bond_3ad.c b/drivers/net/bonding/bond_3ad.c
index acb6ff0be5ff..320e5461853f 100644
--- a/drivers/net/bonding/bond_3ad.c
+++ b/drivers/net/bonding/bond_3ad.c
@@ -1520,6 +1520,7 @@ static void ad_port_selection_logic(struct port *port, bool *update_slave_arr)
slave_err(bond->dev, port->slave->dev,
"Port %d did not find a suitable aggregator\n",
port->actor_port_number);
+ return;
}
}
/* if all aggregator's ports are READY_N == TRUE, set ready=TRUE
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 754/783] usb: rndis_host: Secure rndis_query check against int overflow
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (752 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 753/783] drivers/net/bonding/bond_3ad: return when theres no aggregator Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 755/783] drm/i915: unpin on error in intel_vgpu_shadow_mm_pin() Greg Kroah-Hartman
` (38 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Szymon Heidrich, David S. Miller,
Sasha Levin
From: Szymon Heidrich <szymon.heidrich@gmail.com>
[ Upstream commit c7dd13805f8b8fc1ce3b6d40f6aff47e66b72ad2 ]
Variables off and len typed as uint32 in rndis_query function
are controlled by incoming RNDIS response message thus their
value may be manipulated. Setting off to a unexpectetly large
value will cause the sum with len and 8 to overflow and pass
the implemented validation step. Consequently the response
pointer will be referring to a location past the expected
buffer boundaries allowing information leakage e.g. via
RNDIS_OID_802_3_PERMANENT_ADDRESS OID.
Fixes: ddda08624013 ("USB: rndis_host, various cleanups")
Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/usb/rndis_host.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/rndis_host.c b/drivers/net/usb/rndis_host.c
index 1505fe3f87ed..1ff723e15d52 100644
--- a/drivers/net/usb/rndis_host.c
+++ b/drivers/net/usb/rndis_host.c
@@ -255,7 +255,8 @@ static int rndis_query(struct usbnet *dev, struct usb_interface *intf,
off = le32_to_cpu(u.get_c->offset);
len = le32_to_cpu(u.get_c->len);
- if (unlikely((8 + off + len) > CONTROL_BUFFER_SIZE))
+ if (unlikely((off > CONTROL_BUFFER_SIZE - 8) ||
+ (len > CONTROL_BUFFER_SIZE - 8 - off)))
goto response_error;
if (*reply_len != -1 && len != *reply_len)
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 755/783] drm/i915: unpin on error in intel_vgpu_shadow_mm_pin()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (753 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 754/783] usb: rndis_host: Secure rndis_query check against int overflow Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 756/783] caif: fix memory leak in cfctrl_linkup_request() Greg Kroah-Hartman
` (37 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Zhenyu Wang, Sasha Levin
From: Dan Carpenter <error27@gmail.com>
[ Upstream commit 3792fc508c095abd84b10ceae12bd773e61fdc36 ]
Call intel_vgpu_unpin_mm() on this error path.
Fixes: 418741480809 ("drm/i915/gvt: Adding ppgtt to GVT GEM context after shadow pdps settled.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/Y3OQ5tgZIVxyQ/WV@kili
Reviewed-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/gvt/scheduler.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/i915/gvt/scheduler.c b/drivers/gpu/drm/i915/gvt/scheduler.c
index aed2ef6466a2..2bb6203298bc 100644
--- a/drivers/gpu/drm/i915/gvt/scheduler.c
+++ b/drivers/gpu/drm/i915/gvt/scheduler.c
@@ -647,6 +647,7 @@ intel_vgpu_shadow_mm_pin(struct intel_vgpu_workload *workload)
if (workload->shadow_mm->type != INTEL_GVT_MM_PPGTT ||
!workload->shadow_mm->ppgtt_mm.shadowed) {
+ intel_vgpu_unpin_mm(workload->shadow_mm);
gvt_vgpu_err("workload shadow ppgtt isn't ready\n");
return -EINVAL;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 756/783] caif: fix memory leak in cfctrl_linkup_request()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (754 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 755/783] drm/i915: unpin on error in intel_vgpu_shadow_mm_pin() Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 757/783] udf: Fix extension of the last extent in the file Greg Kroah-Hartman
` (36 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhengchao Shao, Jiri Pirko,
Paolo Abeni, Sasha Levin
From: Zhengchao Shao <shaozhengchao@huawei.com>
[ Upstream commit fe69230f05897b3de758427b574fc98025dfc907 ]
When linktype is unknown or kzalloc failed in cfctrl_linkup_request(),
pkt is not released. Add release process to error path.
Fixes: b482cd2053e3 ("net-caif: add CAIF core protocol stack")
Fixes: 8d545c8f958f ("caif: Disconnect without waiting for response")
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://lore.kernel.org/r/20230104065146.1153009-1-shaozhengchao@huawei.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/caif/cfctrl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index 2809cbd6b7f7..d8cb4b2a076b 100644
--- a/net/caif/cfctrl.c
+++ b/net/caif/cfctrl.c
@@ -269,11 +269,15 @@ int cfctrl_linkup_request(struct cflayer *layer,
default:
pr_warn("Request setup of bad link type = %d\n",
param->linktype);
+ cfpkt_destroy(pkt);
return -EINVAL;
}
req = kzalloc(sizeof(*req), GFP_KERNEL);
- if (!req)
+ if (!req) {
+ cfpkt_destroy(pkt);
return -ENOMEM;
+ }
+
req->client_layer = user_layer;
req->cmd = CFCTRL_CMD_LINK_SETUP;
req->param = *param;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 757/783] udf: Fix extension of the last extent in the file
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (755 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 756/783] caif: fix memory leak in cfctrl_linkup_request() Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 758/783] ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet Greg Kroah-Hartman
` (35 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Kara, Sasha Levin
From: Jan Kara <jack@suse.cz>
[ Upstream commit 83c7423d1eb6806d13c521d1002cc1a012111719 ]
When extending the last extent in the file within the last block, we
wrongly computed the length of the last extent. This is mostly a
cosmetical problem since the extent does not contain any data and the
length will be fixed up by following operations but still.
Fixes: 1f3868f06855 ("udf: Fix extending file within last block")
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index e94a18bb7f99..2132bfab67f3 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -599,7 +599,7 @@ static void udf_do_extend_final_block(struct inode *inode,
*/
if (new_elen <= (last_ext->extLength & UDF_EXTENT_LENGTH_MASK))
return;
- added_bytes = (last_ext->extLength & UDF_EXTENT_LENGTH_MASK) - new_elen;
+ added_bytes = new_elen - (last_ext->extLength & UDF_EXTENT_LENGTH_MASK);
last_ext->extLength += added_bytes;
UDF_I(inode)->i_lenExtents += added_bytes;
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 758/783] ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (756 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 757/783] udf: Fix extension of the last extent in the file Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 759/783] nvme: fix multipath crash caused by flush request when blktrace is enabled Greg Kroah-Hartman
` (34 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Pierre-Louis Bossart,
Mark Brown, Sasha Levin
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit a1dec9d70b6ad97087b60b81d2492134a84208c6 ]
The Advantech MICA-071 tablet deviates from the defaults for
a non CR Bay Trail based tablet in several ways:
1. It uses an analog MIC on IN3 rather then using DMIC1
2. It only has 1 speaker
3. It needs the OVCD current threshold to be set to 1500uA instead of
the default 2000uA to reliable differentiate between headphones vs
headsets
Add a quirk with these settings for this tablet.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20221213123246.11226-1-hdegoede@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/boards/bytcr_rt5640.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
index 3020a993f6ef..8a99cb6dfcd6 100644
--- a/sound/soc/intel/boards/bytcr_rt5640.c
+++ b/sound/soc/intel/boards/bytcr_rt5640.c
@@ -430,6 +430,21 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
BYT_RT5640_SSP0_AIF1 |
BYT_RT5640_MCLK_EN),
},
+ {
+ /* Advantech MICA-071 */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Advantech"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "MICA-071"),
+ },
+ /* OVCD Th = 1500uA to reliable detect head-phones vs -set */
+ .driver_data = (void *)(BYT_RT5640_IN3_MAP |
+ BYT_RT5640_JD_SRC_JD2_IN4N |
+ BYT_RT5640_OVCD_TH_1500UA |
+ BYT_RT5640_OVCD_SF_0P75 |
+ BYT_RT5640_MONO_SPEAKER |
+ BYT_RT5640_DIFF_MIC |
+ BYT_RT5640_MCLK_EN),
+ },
{
.matches = {
DMI_EXACT_MATCH(DMI_SYS_VENDOR, "ARCHOS"),
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 759/783] nvme: fix multipath crash caused by flush request when blktrace is enabled
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (757 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 758/783] ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 760/783] x86/bugs: Flush IBP in ib_prctl_set() Greg Kroah-Hartman
` (33 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yanjun Zhang, Christoph Hellwig,
Sasha Levin
From: Yanjun Zhang <zhangyanjun@cestc.cn>
[ Upstream commit 3659fb5ac29a5e6102bebe494ac789fd47fb78f4 ]
The flush request initialized by blk_kick_flush has NULL bio,
and it may be dealt with nvme_end_req during io completion.
When blktrace is enabled, nvme_trace_bio_complete with multipath
activated trying to access NULL pointer bio from flush request
results in the following crash:
[ 2517.831677] BUG: kernel NULL pointer dereference, address: 000000000000001a
[ 2517.835213] #PF: supervisor read access in kernel mode
[ 2517.838724] #PF: error_code(0x0000) - not-present page
[ 2517.842222] PGD 7b2d51067 P4D 0
[ 2517.845684] Oops: 0000 [#1] SMP NOPTI
[ 2517.849125] CPU: 2 PID: 732 Comm: kworker/2:1H Kdump: loaded Tainted: G S 5.15.67-0.cl9.x86_64 #1
[ 2517.852723] Hardware name: XFUSION 2288H V6/BC13MBSBC, BIOS 1.13 07/27/2022
[ 2517.856358] Workqueue: nvme_tcp_wq nvme_tcp_io_work [nvme_tcp]
[ 2517.859993] RIP: 0010:blk_add_trace_bio_complete+0x6/0x30
[ 2517.863628] Code: 1f 44 00 00 48 8b 46 08 31 c9 ba 04 00 10 00 48 8b 80 50 03 00 00 48 8b 78 50 e9 e5 fe ff ff 0f 1f 44 00 00 41 54 49 89 f4 55 <0f> b6 7a 1a 48 89 d5 e8 3e 1c 2b 00 48 89 ee 4c 89 e7 5d 89 c1 ba
[ 2517.871269] RSP: 0018:ff7f6a008d9dbcd0 EFLAGS: 00010286
[ 2517.875081] RAX: ff3d5b4be00b1d50 RBX: 0000000002040002 RCX: ff3d5b0a270f2000
[ 2517.878966] RDX: 0000000000000000 RSI: ff3d5b0b021fb9f8 RDI: 0000000000000000
[ 2517.882849] RBP: ff3d5b0b96a6fa00 R08: 0000000000000001 R09: 0000000000000000
[ 2517.886718] R10: 000000000000000c R11: 000000000000000c R12: ff3d5b0b021fb9f8
[ 2517.890575] R13: 0000000002000000 R14: ff3d5b0b021fb1b0 R15: 0000000000000018
[ 2517.894434] FS: 0000000000000000(0000) GS:ff3d5b42bfc80000(0000) knlGS:0000000000000000
[ 2517.898299] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2517.902157] CR2: 000000000000001a CR3: 00000004f023e005 CR4: 0000000000771ee0
[ 2517.906053] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2517.909930] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2517.913761] PKRU: 55555554
[ 2517.917558] Call Trace:
[ 2517.921294] <TASK>
[ 2517.924982] nvme_complete_rq+0x1c3/0x1e0 [nvme_core]
[ 2517.928715] nvme_tcp_recv_pdu+0x4d7/0x540 [nvme_tcp]
[ 2517.932442] nvme_tcp_recv_skb+0x4f/0x240 [nvme_tcp]
[ 2517.936137] ? nvme_tcp_recv_pdu+0x540/0x540 [nvme_tcp]
[ 2517.939830] tcp_read_sock+0x9c/0x260
[ 2517.943486] nvme_tcp_try_recv+0x65/0xa0 [nvme_tcp]
[ 2517.947173] nvme_tcp_io_work+0x64/0x90 [nvme_tcp]
[ 2517.950834] process_one_work+0x1e8/0x390
[ 2517.954473] worker_thread+0x53/0x3c0
[ 2517.958069] ? process_one_work+0x390/0x390
[ 2517.961655] kthread+0x10c/0x130
[ 2517.965211] ? set_kthread_struct+0x40/0x40
[ 2517.968760] ret_from_fork+0x1f/0x30
[ 2517.972285] </TASK>
To avoid this situation, add a NULL check for req->bio before
calling trace_block_bio_complete.
Signed-off-by: Yanjun Zhang <zhangyanjun@cestc.cn>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/nvme.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
index 86336496c65c..c3e4d9b6f9c0 100644
--- a/drivers/nvme/host/nvme.h
+++ b/drivers/nvme/host/nvme.h
@@ -749,7 +749,7 @@ static inline void nvme_trace_bio_complete(struct request *req,
{
struct nvme_ns *ns = req->q->queuedata;
- if (req->cmd_flags & REQ_NVME_MPATH)
+ if ((req->cmd_flags & REQ_NVME_MPATH) && req->bio)
trace_block_bio_complete(ns->head->disk->queue, req->bio);
}
--
2.35.1
^ permalink raw reply related [flat|nested] 799+ messages in thread
* [PATCH 5.10 760/783] x86/bugs: Flush IBP in ib_prctl_set()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (758 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 759/783] nvme: fix multipath crash caused by flush request when blktrace is enabled Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 761/783] nfsd: fix handling of readdir in v4root vs. mount upcall timeout Greg Kroah-Hartman
` (32 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Branco,
Borislav Petkov (AMD),
Ingo Molnar
From: Rodrigo Branco <bsdaemon@google.com>
commit a664ec9158eeddd75121d39c9a0758016097fa96 upstream.
We missed the window between the TIF flag update and the next reschedule.
Signed-off-by: Rodrigo Branco <bsdaemon@google.com>
Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/bugs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -1896,6 +1896,8 @@ static int ib_prctl_set(struct task_stru
if (ctrl == PR_SPEC_FORCE_DISABLE)
task_set_spec_ib_force_disable(task);
task_update_spec_tif(task);
+ if (task == current)
+ indirect_branch_prediction_barrier();
break;
default:
return -ERANGE;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 761/783] nfsd: fix handling of readdir in v4root vs. mount upcall timeout
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (759 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 760/783] x86/bugs: Flush IBP in ib_prctl_set() Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 762/783] fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB Greg Kroah-Hartman
` (31 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Steve Dickson, JianHong Yin,
Jeff Layton, Chuck Lever
From: Jeff Layton <jlayton@kernel.org>
commit cad853374d85fe678d721512cecfabd7636e51f3 upstream.
If v4 READDIR operation hits a mountpoint and gets back an error,
then it will include that entry in the reply and set RDATTR_ERROR for it
to the error.
That's fine for "normal" exported filesystems, but on the v4root, we
need to be more careful to only expose the existence of dentries that
lead to exports.
If the mountd upcall times out while checking to see whether a
mountpoint on the v4root is exported, then we have no recourse other
than to fail the whole operation.
Cc: Steve Dickson <steved@redhat.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216777
Reported-by: JianHong Yin <yin-jianhong@163.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4xdr.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -3405,6 +3405,17 @@ nfsd4_encode_dirent(void *ccdv, const ch
case nfserr_noent:
xdr_truncate_encode(xdr, start_offset);
goto skip_entry;
+ case nfserr_jukebox:
+ /*
+ * The pseudoroot should only display dentries that lead to
+ * exports. If we get EJUKEBOX here, then we can't tell whether
+ * this entry should be included. Just fail the whole READDIR
+ * with NFS4ERR_DELAY in that case, and hope that the situation
+ * will resolve itself by the client's next attempt.
+ */
+ if (cd->rd_fhp->fh_export->ex_flags & NFSEXP_V4ROOT)
+ goto fail;
+ fallthrough;
default:
/*
* If the client requested the RDATTR_ERROR attribute,
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 762/783] fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (760 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 761/783] nfsd: fix handling of readdir in v4root vs. mount upcall timeout Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 763/783] riscv: uaccess: fix type of 0 variable on error in get_user() Greg Kroah-Hartman
` (30 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, it+linux-fbdev, Z. Liu, Rich Felker,
Paul Menzel, Helge Deller
From: Paul Menzel <pmenzel@molgen.mpg.de>
commit f685dd7a8025f2554f73748cfdb8143a21fb92c7 upstream.
Commit 62d89a7d49af ("video: fbdev: matroxfb: set maxvram of vbG200eW to
the same as vbG200 to avoid black screen") accidently decreases the
maximum memory size for the Matrox G200eW (102b:0532) from 8 MB to 1 MB
by missing one zero. This caused the driver initialization to fail with
the messages below, as the minimum required VRAM size is 2 MB:
[ 9.436420] matroxfb: Matrox MGA-G200eW (PCI) detected
[ 9.444502] matroxfb: cannot determine memory size
[ 9.449316] matroxfb: probe of 0000:0a:03.0 failed with error -1
So, add the missing 0 to make it the intended 16 MB. Successfully tested on
the Dell PowerEdge R910/0KYD3D, BIOS 2.10.0 08/29/2013, that the warning is
gone.
While at it, add a leading 0 to the maxdisplayable entry, so it’s aligned
properly. The value could probably also be increased from 8 MB to 16 MB, as
the G200 uses the same values, but I have not checked any datasheet.
Note, matroxfb is obsolete and superseded by the maintained DRM driver
mga200, which is used by default on most systems where both drivers are
available. Therefore, on most systems it was only a cosmetic issue.
Fixes: 62d89a7d49af ("video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen")
Link: https://lore.kernel.org/linux-fbdev/972999d3-b75d-5680-fcef-6e6905c52ac5@suse.de/T/#mb6953a9995ebd18acc8552f99d6db39787aec775
Cc: it+linux-fbdev@molgen.mpg.de
Cc: Z. Liu <liuzx@knownsec.com>
Cc: Rich Felker <dalias@libc.org>
Cc: stable@vger.kernel.org
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/matrox/matroxfb_base.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/video/fbdev/matrox/matroxfb_base.c
+++ b/drivers/video/fbdev/matrox/matroxfb_base.c
@@ -1377,8 +1377,8 @@ static struct video_board vbG200 = {
.lowlevel = &matrox_G100
};
static struct video_board vbG200eW = {
- .maxvram = 0x100000,
- .maxdisplayable = 0x800000,
+ .maxvram = 0x1000000,
+ .maxdisplayable = 0x0800000,
.accelID = FB_ACCEL_MATROX_MGAG200,
.lowlevel = &matrox_G100
};
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 763/783] riscv: uaccess: fix type of 0 variable on error in get_user()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (761 preceding siblings ...)
2023-01-12 13:57 ` [PATCH 5.10 762/783] fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB Greg Kroah-Hartman
@ 2023-01-12 13:57 ` Greg Kroah-Hartman
2023-01-12 13:58 ` Greg Kroah-Hartman
` (29 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:57 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ben Dooks, Palmer Dabbelt
From: Ben Dooks <ben-linux@fluff.org>
commit b9b916aee6715cd7f3318af6dc360c4729417b94 upstream.
If the get_user(x, ptr) has x as a pointer, then the setting
of (x) = 0 is going to produce the following sparse warning,
so fix this by forcing the type of 'x' when access_ok() fails.
fs/aio.c:2073:21: warning: Using plain integer as NULL pointer
Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Reviewed-by: Palmer Dabbelt <palmer@rivosinc.com>
Link: https://lore.kernel.org/r/20221229170545.718264-1-ben-linux@fluff.org
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/include/asm/uaccess.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/riscv/include/asm/uaccess.h
+++ b/arch/riscv/include/asm/uaccess.h
@@ -216,7 +216,7 @@ do { \
might_fault(); \
access_ok(__p, sizeof(*__p)) ? \
__get_user((x), __p) : \
- ((x) = 0, -EFAULT); \
+ ((x) = (__force __typeof__(x))0, -EFAULT); \
})
#define __put_user_asm(insn, x, ptr, err) \
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 764/783] drm/i915/gvt: fix gvt debugfs destroy
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 002/783] arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins Greg Kroah-Hartman
` (791 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang, Zhi, He, Yu, Zhenyu Wang, Wang, He
From: Zhenyu Wang <zhenyuw@linux.intel.com>
commit c4b850d1f448a901fbf4f7f36dec38c84009b489 upstream.
When gvt debug fs is destroyed, need to have a sane check if drm
minor's debugfs root is still available or not, otherwise in case like
device remove through unbinding, drm minor's debugfs directory has
already been removed, then intel_gvt_debugfs_clean() would act upon
dangling pointer like below oops.
i915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2
i915 0000:00:02.0: MDEV: Registered
Console: switching to colour dummy device 80x25
i915 0000:00:02.0: MDEV: Unregistering
BUG: kernel NULL pointer dereference, address: 00000000000000a0
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15
Hardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020
RIP: 0010:down_write+0x1f/0x90
Code: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01
RSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000
RDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8
RBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0
R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000
R13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0
FS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0
Call Trace:
<TASK>
simple_recursive_removal+0x9f/0x2a0
? start_creating.part.0+0x120/0x120
? _raw_spin_lock+0x13/0x40
debugfs_remove+0x40/0x60
intel_gvt_debugfs_clean+0x15/0x30 [kvmgt]
intel_gvt_clean_device+0x49/0xe0 [kvmgt]
intel_gvt_driver_remove+0x2f/0xb0
i915_driver_remove+0xa4/0xf0
i915_pci_remove+0x1a/0x30
pci_device_remove+0x33/0xa0
device_release_driver_internal+0x1b2/0x230
unbind_store+0xe0/0x110
kernfs_fop_write_iter+0x11b/0x1f0
vfs_write+0x203/0x3d0
ksys_write+0x63/0xe0
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6947cb5190
Code: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
RSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190
RDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001
RBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001
R13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0
</TASK>
Modules linked in: kvmgt
CR2: 00000000000000a0
---[ end trace 0000000000000000 ]---
Cc: Wang, Zhi <zhi.a.wang@intel.com>
Cc: He, Yu <yu.he@intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Zhi Wang <zhi.a.wang@intel.com>
Fixes: bc7b0be316ae ("drm/i915/gvt: Add basic debugfs infrastructure")
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20221219140357.769557-1-zhenyuw@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gvt/debugfs.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/i915/gvt/debugfs.c
+++ b/drivers/gpu/drm/i915/gvt/debugfs.c
@@ -199,6 +199,10 @@ void intel_gvt_debugfs_init(struct intel
*/
void intel_gvt_debugfs_clean(struct intel_gvt *gvt)
{
- debugfs_remove_recursive(gvt->debugfs_root);
- gvt->debugfs_root = NULL;
+ struct drm_minor *minor = gvt->gt->i915->drm.primary;
+
+ if (minor->debugfs_root) {
+ debugfs_remove_recursive(gvt->debugfs_root);
+ gvt->debugfs_root = NULL;
+ }
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 764/783] drm/i915/gvt: fix gvt debugfs destroy
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
0 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang, Zhi, He, Yu, Zhenyu Wang, Wang, He
From: Zhenyu Wang <zhenyuw@linux.intel.com>
commit c4b850d1f448a901fbf4f7f36dec38c84009b489 upstream.
When gvt debug fs is destroyed, need to have a sane check if drm
minor's debugfs root is still available or not, otherwise in case like
device remove through unbinding, drm minor's debugfs directory has
already been removed, then intel_gvt_debugfs_clean() would act upon
dangling pointer like below oops.
i915 0000:00:02.0: Direct firmware load for i915/gvt/vid_0x8086_did_0x1926_rid_0x0a.golden_hw_state failed with error -2
i915 0000:00:02.0: MDEV: Registered
Console: switching to colour dummy device 80x25
i915 0000:00:02.0: MDEV: Unregistering
BUG: kernel NULL pointer dereference, address: 00000000000000a0
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP PTI
CPU: 2 PID: 2486 Comm: gfx-unbind.sh Tainted: G I 6.1.0-rc8+ #15
Hardware name: Dell Inc. XPS 13 9350/0JXC1H, BIOS 1.13.0 02/10/2020
RIP: 0010:down_write+0x1f/0x90
Code: 1d ff ff 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 53 48 89 fb e8 62 c0 ff ff bf 01 00 00 00 e8 28 5e 31 ff 31 c0 ba 01 00 00 00 <f0> 48 0f b1 13 75 33 65 48 8b 04 25 c0 bd 01 00 48 89 43 08 bf 01
RSP: 0018:ffff9eb3036ffcc8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000000000a0 RCX: ffffff8100000000
RDX: 0000000000000001 RSI: 0000000000000064 RDI: ffffffffa48787a8
RBP: ffff9eb3036ffd30 R08: ffffeb1fc45a0608 R09: ffffeb1fc45a05c0
R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000
R13: ffff91acc33fa328 R14: ffff91acc033f080 R15: ffff91acced533e0
FS: 00007f6947bba740(0000) GS:ffff91ae36d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000a0 CR3: 00000001133a2002 CR4: 00000000003706e0
Call Trace:
<TASK>
simple_recursive_removal+0x9f/0x2a0
? start_creating.part.0+0x120/0x120
? _raw_spin_lock+0x13/0x40
debugfs_remove+0x40/0x60
intel_gvt_debugfs_clean+0x15/0x30 [kvmgt]
intel_gvt_clean_device+0x49/0xe0 [kvmgt]
intel_gvt_driver_remove+0x2f/0xb0
i915_driver_remove+0xa4/0xf0
i915_pci_remove+0x1a/0x30
pci_device_remove+0x33/0xa0
device_release_driver_internal+0x1b2/0x230
unbind_store+0xe0/0x110
kernfs_fop_write_iter+0x11b/0x1f0
vfs_write+0x203/0x3d0
ksys_write+0x63/0xe0
do_syscall_64+0x37/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f6947cb5190
Code: 40 00 48 8b 15 71 9c 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 51 24 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
RSP: 002b:00007ffcbac45a28 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f6947cb5190
RDX: 000000000000000d RSI: 0000555e35c866a0 RDI: 0000000000000001
RBP: 0000555e35c866a0 R08: 0000000000000002 R09: 0000555e358cb97c
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001
R13: 000000000000000d R14: 0000000000000000 R15: 0000555e358cb8e0
</TASK>
Modules linked in: kvmgt
CR2: 00000000000000a0
---[ end trace 0000000000000000 ]---
Cc: Wang, Zhi <zhi.a.wang@intel.com>
Cc: He, Yu <yu.he@intel.com>
Cc: stable@vger.kernel.org
Reviewed-by: Zhi Wang <zhi.a.wang@intel.com>
Fixes: bc7b0be316ae ("drm/i915/gvt: Add basic debugfs infrastructure")
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20221219140357.769557-1-zhenyuw@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gvt/debugfs.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/i915/gvt/debugfs.c
+++ b/drivers/gpu/drm/i915/gvt/debugfs.c
@@ -199,6 +199,10 @@ void intel_gvt_debugfs_init(struct intel
*/
void intel_gvt_debugfs_clean(struct intel_gvt *gvt)
{
- debugfs_remove_recursive(gvt->debugfs_root);
- gvt->debugfs_root = NULL;
+ struct drm_minor *minor = gvt->gt->i915->drm.primary;
+
+ if (minor->debugfs_root) {
+ debugfs_remove_recursive(gvt->debugfs_root);
+ gvt->debugfs_root = NULL;
+ }
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 765/783] drm/i915/gvt: fix vgpu debugfs clean in remove
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (763 preceding siblings ...)
2023-01-12 13:58 ` Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 766/783] ext4: dont allow journal inode to have encrypt flag Greg Kroah-Hartman
` (27 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wang Zhi, He Yu, Alex Williamson,
Zhenyu Wang
From: Zhenyu Wang <zhenyuw@linux.intel.com>
commit 704f3384f322b40ba24d958473edfb1c9750c8fd upstream.
Check carefully on root debugfs available when destroying vgpu,
e.g in remove case drm minor's debugfs root might already be destroyed,
which led to kernel oops like below.
Console: switching to colour dummy device 80x25
i915 0000:00:02.0: MDEV: Unregistering
intel_vgpu_mdev b1338b2d-a709-4c23-b766-cc436c36cdf0: Removing from iommu group 14
BUG: kernel NULL pointer dereference, address: 0000000000000150
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 3 PID: 1046 Comm: driverctl Not tainted 6.1.0-rc2+ #6
Hardware name: HP HP ProDesk 600 G3 MT/829D, BIOS P02 Ver. 02.44 09/13/2022
RIP: 0010:__lock_acquire+0x5e2/0x1f90
Code: 87 ad 09 00 00 39 05 e1 1e cc 02 0f 82 f1 09 00 00 ba 01 00 00 00 48 83 c4 48 89 d0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 45 31 ff <48> 81 3f 60 9e c2 b6 45 0f 45 f8 83 fe 01 0f 87 55 fa ff ff 89 f0
RSP: 0018:ffff9f770274f948 EFLAGS: 00010046
RAX: 0000000000000003 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000150
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8895d1173300 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000150 R14: 0000000000000000 R15: 0000000000000000
FS: 00007fc9b2ba0740(0000) GS:ffff889cdfcc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000150 CR3: 000000010fd93005 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
lock_acquire+0xbf/0x2b0
? simple_recursive_removal+0xa5/0x2b0
? lock_release+0x13d/0x2d0
down_write+0x2a/0xd0
? simple_recursive_removal+0xa5/0x2b0
simple_recursive_removal+0xa5/0x2b0
? start_creating.part.0+0x110/0x110
? _raw_spin_unlock+0x29/0x40
debugfs_remove+0x40/0x60
intel_gvt_debugfs_remove_vgpu+0x15/0x30 [kvmgt]
intel_gvt_destroy_vgpu+0x60/0x100 [kvmgt]
intel_vgpu_release_dev+0xe/0x20 [kvmgt]
device_release+0x30/0x80
kobject_put+0x79/0x1b0
device_release_driver_internal+0x1b8/0x230
bus_remove_device+0xec/0x160
device_del+0x189/0x400
? up_write+0x9c/0x1b0
? mdev_device_remove_common+0x60/0x60 [mdev]
mdev_device_remove_common+0x22/0x60 [mdev]
mdev_device_remove_cb+0x17/0x20 [mdev]
device_for_each_child+0x56/0x80
mdev_unregister_parent+0x5a/0x81 [mdev]
intel_gvt_clean_device+0x2d/0xe0 [kvmgt]
intel_gvt_driver_remove+0x2e/0xb0 [i915]
i915_driver_remove+0xac/0x100 [i915]
i915_pci_remove+0x1a/0x30 [i915]
pci_device_remove+0x31/0xa0
device_release_driver_internal+0x1b8/0x230
unbind_store+0xd8/0x100
kernfs_fop_write_iter+0x156/0x210
vfs_write+0x236/0x4a0
ksys_write+0x61/0xd0
do_syscall_64+0x55/0x80
? find_held_lock+0x2b/0x80
? lock_release+0x13d/0x2d0
? up_read+0x17/0x20
? lock_is_held_type+0xe3/0x140
? asm_exc_page_fault+0x22/0x30
? lockdep_hardirqs_on+0x7d/0x100
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7fc9b2c9e0c4
Code: 15 71 7d 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 80 3d 3d 05 0e 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 48 83 ec 28 48 89 54 24 18 48
RSP: 002b:00007ffec29c81c8 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007fc9b2c9e0c4
RDX: 000000000000000d RSI: 0000559f8b5f48a0 RDI: 0000000000000001
RBP: 0000559f8b5f48a0 R08: 0000559f8b5f3540 R09: 00007fc9b2d76d30
R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000000d
R13: 00007fc9b2d77780 R14: 000000000000000d R15: 00007fc9b2d72a00
</TASK>
Modules linked in: sunrpc intel_rapl_msr intel_rapl_common intel_pmc_core_pltdrv intel_pmc_core intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ee1004 igbvf rapl vfat fat intel_cstate intel_uncore pktcdvd i2c_i801 pcspkr wmi_bmof i2c_smbus acpi_pad vfio_pci vfio_pci_core vfio_virqfd zram fuse dm_multipath kvmgt mdev vfio_iommu_type1 vfio kvm irqbypass i915 nvme e1000e igb nvme_core crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic serio_raw ghash_clmulni_intel sha512_ssse3 dca drm_buddy intel_gtt video wmi drm_display_helper ttm
CR2: 0000000000000150
---[ end trace 0000000000000000 ]---
Cc: Wang Zhi <zhi.a.wang@intel.com>
Cc: He Yu <yu.he@intel.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Zhi Wang <zhi.a.wang@intel.com>
Tested-by: Yu He <yu.he@intel.com>
Fixes: bc7b0be316ae ("drm/i915/gvt: Add basic debugfs infrastructure")
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20221219140357.769557-2-zhenyuw@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gvt/debugfs.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/i915/gvt/debugfs.c
+++ b/drivers/gpu/drm/i915/gvt/debugfs.c
@@ -175,8 +175,13 @@ void intel_gvt_debugfs_add_vgpu(struct i
*/
void intel_gvt_debugfs_remove_vgpu(struct intel_vgpu *vgpu)
{
- debugfs_remove_recursive(vgpu->debugfs);
- vgpu->debugfs = NULL;
+ struct intel_gvt *gvt = vgpu->gvt;
+ struct drm_minor *minor = gvt->gt->i915->drm.primary;
+
+ if (minor->debugfs_root && gvt->debugfs_root) {
+ debugfs_remove_recursive(vgpu->debugfs);
+ vgpu->debugfs = NULL;
+ }
}
/**
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 766/783] ext4: dont allow journal inode to have encrypt flag
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (764 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 765/783] drm/i915/gvt: fix vgpu debugfs clean in remove Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 767/783] selftests: set the BUILD variable to absolute path Greg Kroah-Hartman
` (26 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ba9dac45bc76c490b7c3,
Eric Biggers, Theodore Tso, stable
From: Eric Biggers <ebiggers@google.com>
commit 105c78e12468413e426625831faa7db4284e1fec upstream.
Mounting a filesystem whose journal inode has the encrypt flag causes a
NULL dereference in fscrypt_limit_io_blocks() when the 'inlinecrypt'
mount option is used.
The problem is that when jbd2_journal_init_inode() calls bmap(), it
eventually finds its way into ext4_iomap_begin(), which calls
fscrypt_limit_io_blocks(). fscrypt_limit_io_blocks() requires that if
the inode is encrypted, then its encryption key must already be set up.
That's not the case here, since the journal inode is never "opened" like
a normal file would be. Hence the crash.
A reproducer is:
mkfs.ext4 -F /dev/vdb
debugfs -w /dev/vdb -R "set_inode_field <8> flags 0x80808"
mount /dev/vdb /mnt -o inlinecrypt
To fix this, make ext4 consider journal inodes with the encrypt flag to
be invalid. (Note, maybe other flags should be rejected on the journal
inode too. For now, this is just the minimal fix for the above issue.)
I've marked this as fixing the commit that introduced the call to
fscrypt_limit_io_blocks(), since that's what made an actual crash start
being possible. But this fix could be applied to any version of ext4
that supports the encrypt feature.
Reported-by: syzbot+ba9dac45bc76c490b7c3@syzkaller.appspotmail.com
Fixes: 38ea50daa7a4 ("ext4: support direct I/O with fscrypt using blk-crypto")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20221102053312.189962-1-ebiggers@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5262,7 +5262,7 @@ static struct inode *ext4_get_journal_in
jbd_debug(2, "Journal inode found at %p: %lld bytes\n",
journal_inode, journal_inode->i_size);
- if (!S_ISREG(journal_inode->i_mode)) {
+ if (!S_ISREG(journal_inode->i_mode) || IS_ENCRYPTED(journal_inode)) {
ext4_msg(sb, KERN_ERR, "invalid journal inode");
iput(journal_inode);
return NULL;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 767/783] selftests: set the BUILD variable to absolute path
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (765 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 766/783] ext4: dont allow journal inode to have encrypt flag Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 768/783] hfs/hfsplus: use WARN_ON for sanity check Greg Kroah-Hartman
` (25 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Muhammad Usama Anjum, Shuah Khan,
Tyler Hicks (Microsoft)
From: Muhammad Usama Anjum <usama.anjum@collabora.com>
commit 5ad51ab618de5d05f4e692ebabeb6fe6289aaa57 upstream.
The build of kselftests fails if relative path is specified through
KBUILD_OUTPUT or O=<path> method. BUILD variable is used to determine
the path of the output objects. When make is run from other directories
with relative paths, the exact path of the build objects is ambiguous
and build fails.
make[1]: Entering directory '/home/usama/repos/kernel/linux_mainline2/tools/testing/selftests/alsa'
gcc mixer-test.c -L/usr/lib/x86_64-linux-gnu -lasound -o build/kselftest/alsa/mixer-test
/usr/bin/ld: cannot open output file build/kselftest/alsa/mixer-test
Set the BUILD variable to the absolute path of the output directory.
Make the logic readable and easy to follow. Use spaces instead of tabs
for indentation as if with tab indentation is considered recipe in make.
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Tyler Hicks (Microsoft) <code@tyhicks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/Makefile | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
--- a/tools/testing/selftests/Makefile
+++ b/tools/testing/selftests/Makefile
@@ -103,19 +103,27 @@ ifdef building_out_of_srctree
override LDFLAGS =
endif
-ifneq ($(O),)
- BUILD := $(O)/kselftest
+top_srcdir ?= ../../..
+
+ifeq ("$(origin O)", "command line")
+ KBUILD_OUTPUT := $(O)
+endif
+
+ifneq ($(KBUILD_OUTPUT),)
+ # Make's built-in functions such as $(abspath ...), $(realpath ...) cannot
+ # expand a shell special character '~'. We use a somewhat tedious way here.
+ abs_objtree := $(shell cd $(top_srcdir) && mkdir -p $(KBUILD_OUTPUT) && cd $(KBUILD_OUTPUT) && pwd)
+ $(if $(abs_objtree),, \
+ $(error failed to create output directory "$(KBUILD_OUTPUT)"))
+ # $(realpath ...) resolves symlinks
+ abs_objtree := $(realpath $(abs_objtree))
+ BUILD := $(abs_objtree)/kselftest
else
- ifneq ($(KBUILD_OUTPUT),)
- BUILD := $(KBUILD_OUTPUT)/kselftest
- else
- BUILD := $(shell pwd)
- DEFAULT_INSTALL_HDR_PATH := 1
- endif
+ BUILD := $(CURDIR)
+ DEFAULT_INSTALL_HDR_PATH := 1
endif
# Prepare for headers install
-top_srcdir ?= ../../..
include $(top_srcdir)/scripts/subarch.include
ARCH ?= $(SUBARCH)
export KSFT_KHDR_INSTALL_DONE := 1
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 768/783] hfs/hfsplus: use WARN_ON for sanity check
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (766 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 767/783] selftests: set the BUILD variable to absolute path Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 769/783] hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling Greg Kroah-Hartman
` (24 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Christian Brauner,
Alexander Viro, Jan Kara, Andrew Morton, Linus Torvalds
From: Arnd Bergmann <arnd@arndb.de>
commit 55d1cbbbb29e6656c662ee8f73ba1fc4777532eb upstream.
gcc warns about a couple of instances in which a sanity check exists but
the author wasn't sure how to react to it failing, which makes it look
like a possible bug:
fs/hfsplus/inode.c: In function 'hfsplus_cat_read_inode':
fs/hfsplus/inode.c:503:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
503 | /* panic? */;
| ^
fs/hfsplus/inode.c:524:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
524 | /* panic? */;
| ^
fs/hfsplus/inode.c: In function 'hfsplus_cat_write_inode':
fs/hfsplus/inode.c:582:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
582 | /* panic? */;
| ^
fs/hfsplus/inode.c:608:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
608 | /* panic? */;
| ^
fs/hfs/inode.c: In function 'hfs_write_inode':
fs/hfs/inode.c:464:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
464 | /* panic? */;
| ^
fs/hfs/inode.c:485:37: error: suggest braces around empty body in an 'if' statement [-Werror=empty-body]
485 | /* panic? */;
| ^
panic() is probably not the correct choice here, but a WARN_ON
seems appropriate and avoids the compile-time warning.
Link: https://lkml.kernel.org/r/20210927102149.1809384-1-arnd@kernel.org
Link: https://lore.kernel.org/all/20210322223249.2632268-1-arnd@kernel.org/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hfs/inode.c | 6 ++----
fs/hfsplus/inode.c | 12 ++++--------
2 files changed, 6 insertions(+), 12 deletions(-)
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -462,8 +462,7 @@ int hfs_write_inode(struct inode *inode,
goto out;
if (S_ISDIR(main_inode->i_mode)) {
- if (fd.entrylength < sizeof(struct hfs_cat_dir))
- /* panic? */;
+ WARN_ON(fd.entrylength < sizeof(struct hfs_cat_dir));
hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
sizeof(struct hfs_cat_dir));
if (rec.type != HFS_CDR_DIR ||
@@ -483,8 +482,7 @@ int hfs_write_inode(struct inode *inode,
hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
sizeof(struct hfs_cat_file));
} else {
- if (fd.entrylength < sizeof(struct hfs_cat_file))
- /* panic? */;
+ WARN_ON(fd.entrylength < sizeof(struct hfs_cat_file));
hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
sizeof(struct hfs_cat_file));
if (rec.type != HFS_CDR_FIL ||
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -497,8 +497,7 @@ int hfsplus_cat_read_inode(struct inode
if (type == HFSPLUS_FOLDER) {
struct hfsplus_cat_folder *folder = &entry.folder;
- if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
- /* panic? */;
+ WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_folder));
hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
sizeof(struct hfsplus_cat_folder));
hfsplus_get_perms(inode, &folder->permissions, 1);
@@ -518,8 +517,7 @@ int hfsplus_cat_read_inode(struct inode
} else if (type == HFSPLUS_FILE) {
struct hfsplus_cat_file *file = &entry.file;
- if (fd->entrylength < sizeof(struct hfsplus_cat_file))
- /* panic? */;
+ WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_file));
hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
sizeof(struct hfsplus_cat_file));
@@ -576,8 +574,7 @@ int hfsplus_cat_write_inode(struct inode
if (S_ISDIR(main_inode->i_mode)) {
struct hfsplus_cat_folder *folder = &entry.folder;
- if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
- /* panic? */;
+ WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_folder));
hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
sizeof(struct hfsplus_cat_folder));
/* simple node checks? */
@@ -602,8 +599,7 @@ int hfsplus_cat_write_inode(struct inode
} else {
struct hfsplus_cat_file *file = &entry.file;
- if (fd.entrylength < sizeof(struct hfsplus_cat_file))
- /* panic? */;
+ WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_file));
hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
sizeof(struct hfsplus_cat_file));
hfsplus_inode_write_fork(inode, &file->data_fork);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 769/783] hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (767 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 768/783] hfs/hfsplus: use WARN_ON for sanity check Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 770/783] mbcache: Avoid nesting of cache->c_list_lock under bit locks Greg Kroah-Hartman
` (23 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+7bb7cd3595533513a9e7,
Michael Schmitz, Arnd Bergmann, Matthew Wilcox,
Viacheslav Dubeyko, Linus Torvalds
From: Linus Torvalds <torvalds@linux-foundation.org>
commit cb7a95af78d29442b8294683eca4897544b8ef46 upstream.
Commit 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check") fixed
a build warning by turning a comment into a WARN_ON(), but it turns out
that syzbot then complains because it can trigger said warning with a
corrupted hfs image.
The warning actually does warn about a bad situation, but we are much
better off just handling it as the error it is. So rather than warn
about us doing bad things, stop doing the bad things and return -EIO.
While at it, also fix a memory leak that was introduced by an earlier
fix for a similar syzbot warning situation, and add a check for one case
that historically wasn't handled at all (ie neither comment nor
subsequent WARN_ON).
Reported-by: syzbot+7bb7cd3595533513a9e7@syzkaller.appspotmail.com
Fixes: 55d1cbbbb29e ("hfs/hfsplus: use WARN_ON for sanity check")
Fixes: 8d824e69d9f3 ("hfs: fix OOB Read in __hfs_brec_find")
Link: https://lore.kernel.org/lkml/000000000000dbce4e05f170f289@google.com/
Tested-by: Michael Schmitz <schmitzmic@gmail.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Viacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/hfs/inode.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/fs/hfs/inode.c
+++ b/fs/hfs/inode.c
@@ -454,15 +454,16 @@ int hfs_write_inode(struct inode *inode,
/* panic? */
return -EIO;
+ res = -EIO;
if (HFS_I(main_inode)->cat_key.CName.len > HFS_NAMELEN)
- return -EIO;
+ goto out;
fd.search_key->cat = HFS_I(main_inode)->cat_key;
if (hfs_brec_find(&fd))
- /* panic? */
goto out;
if (S_ISDIR(main_inode->i_mode)) {
- WARN_ON(fd.entrylength < sizeof(struct hfs_cat_dir));
+ if (fd.entrylength < sizeof(struct hfs_cat_dir))
+ goto out;
hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
sizeof(struct hfs_cat_dir));
if (rec.type != HFS_CDR_DIR ||
@@ -475,6 +476,8 @@ int hfs_write_inode(struct inode *inode,
hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
sizeof(struct hfs_cat_dir));
} else if (HFS_IS_RSRC(inode)) {
+ if (fd.entrylength < sizeof(struct hfs_cat_file))
+ goto out;
hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
sizeof(struct hfs_cat_file));
hfs_inode_write_fork(inode, rec.file.RExtRec,
@@ -482,7 +485,8 @@ int hfs_write_inode(struct inode *inode,
hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
sizeof(struct hfs_cat_file));
} else {
- WARN_ON(fd.entrylength < sizeof(struct hfs_cat_file));
+ if (fd.entrylength < sizeof(struct hfs_cat_file))
+ goto out;
hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
sizeof(struct hfs_cat_file));
if (rec.type != HFS_CDR_FIL ||
@@ -499,9 +503,10 @@ int hfs_write_inode(struct inode *inode,
hfs_bnode_write(fd.bnode, &rec, fd.entryoffset,
sizeof(struct hfs_cat_file));
}
+ res = 0;
out:
hfs_find_exit(&fd);
- return 0;
+ return res;
}
static struct dentry *hfs_file_lookup(struct inode *dir, struct dentry *dentry,
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 770/783] mbcache: Avoid nesting of cache->c_list_lock under bit locks
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (768 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 769/783] hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 771/783] efi: random: combine bootloader provided RNG seed with RNG protocol output Greg Kroah-Hartman
` (22 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Mike Galbraith, Jan Kara,
Theodore Tso
From: Jan Kara <jack@suse.cz>
commit 5fc4cbd9fde5d4630494fd6ffc884148fb618087 upstream.
Commit 307af6c87937 ("mbcache: automatically delete entries from cache
on freeing") started nesting cache->c_list_lock under the bit locks
protecting hash buckets of the mbcache hash table in
mb_cache_entry_create(). This causes problems for real-time kernels
because there spinlocks are sleeping locks while bitlocks stay atomic.
Luckily the nesting is easy to avoid by holding entry reference until
the entry is added to the LRU list. This makes sure we cannot race with
entry deletion.
Cc: stable@kernel.org
Fixes: 307af6c87937 ("mbcache: automatically delete entries from cache on freeing")
Reported-by: Mike Galbraith <efault@gmx.de>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220908091032.10513-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/mbcache.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -90,8 +90,14 @@ int mb_cache_entry_create(struct mb_cach
return -ENOMEM;
INIT_LIST_HEAD(&entry->e_list);
- /* Initial hash reference */
- atomic_set(&entry->e_refcnt, 1);
+ /*
+ * We create entry with two references. One reference is kept by the
+ * hash table, the other reference is used to protect us from
+ * mb_cache_entry_delete_or_get() until the entry is fully setup. This
+ * avoids nesting of cache->c_list_lock into hash table bit locks which
+ * is problematic for RT.
+ */
+ atomic_set(&entry->e_refcnt, 2);
entry->e_key = key;
entry->e_value = value;
entry->e_flags = 0;
@@ -107,15 +113,12 @@ int mb_cache_entry_create(struct mb_cach
}
}
hlist_bl_add_head(&entry->e_hash_list, head);
- /*
- * Add entry to LRU list before it can be found by
- * mb_cache_entry_delete() to avoid races
- */
+ hlist_bl_unlock(head);
spin_lock(&cache->c_list_lock);
list_add_tail(&entry->e_list, &cache->c_list);
cache->c_entry_count++;
spin_unlock(&cache->c_list_lock);
- hlist_bl_unlock(head);
+ mb_cache_entry_put(cache, entry);
return 0;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 771/783] efi: random: combine bootloader provided RNG seed with RNG protocol output
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (769 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 770/783] mbcache: Avoid nesting of cache->c_list_lock under bit locks Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 772/783] io_uring: Fix unsigned res comparison with zero in io_fixup_rw_res() Greg Kroah-Hartman
` (21 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jason A. Donenfeld, Ard Biesheuvel
From: Ard Biesheuvel <ardb@kernel.org>
commit 196dff2712ca5a2e651977bb2fe6b05474111a83 upstream.
Instead of blindly creating the EFI random seed configuration table if
the RNG protocol is implemented and works, check whether such a EFI
configuration table was provided by an earlier boot stage and if so,
concatenate the existing and the new seeds, leaving it up to the core
code to mix it in and credit it the way it sees fit.
This can be used for, e.g., systemd-boot, to pass an additional seed to
Linux in a way that can be consumed by the kernel very early. In that
case, the following definitions should be used to pass the seed to the
EFI stub:
struct linux_efi_random_seed {
u32 size; // of the 'seed' array in bytes
u8 seed[];
};
The memory for the struct must be allocated as EFI_ACPI_RECLAIM_MEMORY
pool memory, and the address of the struct in memory should be installed
as a EFI configuration table using the following GUID:
LINUX_EFI_RANDOM_SEED_TABLE_GUID 1ce1e5bc-7ceb-42f2-81e5-8aadf180f57b
Note that doing so is safe even on kernels that were built without this
patch applied, but the seed will simply be overwritten with a seed
derived from the EFI RNG protocol, if available. The recommended seed
size is 32 bytes, and seeds larger than 512 bytes are considered
corrupted and ignored entirely.
In order to preserve forward secrecy, seeds from previous bootloaders
are memzero'd out, and in order to preserve memory, those older seeds
are also freed from memory. Freeing from memory without first memzeroing
is not safe to do, as it's possible that nothing else will ever
overwrite those pages used by EFI.
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com>
[ardb: incorporate Jason's followup changes to extend the maximum seed
size on the consumer end, memzero() it and drop a needless printk]
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/efi.c | 4 +--
drivers/firmware/efi/libstub/efistub.h | 2 +
drivers/firmware/efi/libstub/random.c | 42 ++++++++++++++++++++++++++++-----
include/linux/efi.h | 2 -
4 files changed, 40 insertions(+), 10 deletions(-)
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -590,7 +590,7 @@ int __init efi_config_parse_tables(const
seed = early_memremap(efi_rng_seed, sizeof(*seed));
if (seed != NULL) {
- size = min(seed->size, EFI_RANDOM_SEED_SIZE);
+ size = min_t(u32, seed->size, SZ_1K); // sanity check
early_memunmap(seed, sizeof(*seed));
} else {
pr_err("Could not map UEFI random seed!\n");
@@ -599,8 +599,8 @@ int __init efi_config_parse_tables(const
seed = early_memremap(efi_rng_seed,
sizeof(*seed) + size);
if (seed != NULL) {
- pr_notice("seeding entropy pool\n");
add_bootloader_randomness(seed->bits, size);
+ memzero_explicit(seed->bits, size);
early_memunmap(seed, sizeof(*seed) + size);
} else {
pr_err("Could not map UEFI random seed!\n");
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -767,6 +767,8 @@ efi_status_t efi_get_random_bytes(unsign
efi_status_t efi_random_alloc(unsigned long size, unsigned long align,
unsigned long *addr, unsigned long random_seed);
+efi_status_t efi_random_get_seed(void);
+
efi_status_t check_platform_features(void);
void *get_efi_config_table(efi_guid_t guid);
--- a/drivers/firmware/efi/libstub/random.c
+++ b/drivers/firmware/efi/libstub/random.c
@@ -67,8 +67,9 @@ efi_status_t efi_random_get_seed(void)
efi_guid_t rng_proto = EFI_RNG_PROTOCOL_GUID;
efi_guid_t rng_algo_raw = EFI_RNG_ALGORITHM_RAW;
efi_guid_t rng_table_guid = LINUX_EFI_RANDOM_SEED_TABLE_GUID;
+ struct linux_efi_random_seed *prev_seed, *seed = NULL;
+ int prev_seed_size = 0, seed_size = EFI_RANDOM_SEED_SIZE;
efi_rng_protocol_t *rng = NULL;
- struct linux_efi_random_seed *seed = NULL;
efi_status_t status;
status = efi_bs_call(locate_protocol, &rng_proto, NULL, (void **)&rng);
@@ -76,18 +77,33 @@ efi_status_t efi_random_get_seed(void)
return status;
/*
+ * Check whether a seed was provided by a prior boot stage. In that
+ * case, instead of overwriting it, let's create a new buffer that can
+ * hold both, and concatenate the existing and the new seeds.
+ * Note that we should read the seed size with caution, in case the
+ * table got corrupted in memory somehow.
+ */
+ prev_seed = get_efi_config_table(LINUX_EFI_RANDOM_SEED_TABLE_GUID);
+ if (prev_seed && prev_seed->size <= 512U) {
+ prev_seed_size = prev_seed->size;
+ seed_size += prev_seed_size;
+ }
+
+ /*
* Use EFI_ACPI_RECLAIM_MEMORY here so that it is guaranteed that the
* allocation will survive a kexec reboot (although we refresh the seed
* beforehand)
*/
status = efi_bs_call(allocate_pool, EFI_ACPI_RECLAIM_MEMORY,
- sizeof(*seed) + EFI_RANDOM_SEED_SIZE,
+ struct_size(seed, bits, seed_size),
(void **)&seed);
- if (status != EFI_SUCCESS)
- return status;
+ if (status != EFI_SUCCESS) {
+ efi_warn("Failed to allocate memory for RNG seed.\n");
+ goto err_warn;
+ }
status = efi_call_proto(rng, get_rng, &rng_algo_raw,
- EFI_RANDOM_SEED_SIZE, seed->bits);
+ EFI_RANDOM_SEED_SIZE, seed->bits);
if (status == EFI_UNSUPPORTED)
/*
@@ -100,14 +116,28 @@ efi_status_t efi_random_get_seed(void)
if (status != EFI_SUCCESS)
goto err_freepool;
- seed->size = EFI_RANDOM_SEED_SIZE;
+ seed->size = seed_size;
+ if (prev_seed_size)
+ memcpy(seed->bits + EFI_RANDOM_SEED_SIZE, prev_seed->bits,
+ prev_seed_size);
+
status = efi_bs_call(install_configuration_table, &rng_table_guid, seed);
if (status != EFI_SUCCESS)
goto err_freepool;
+ if (prev_seed_size) {
+ /* wipe and free the old seed if we managed to install the new one */
+ memzero_explicit(prev_seed->bits, prev_seed_size);
+ efi_bs_call(free_pool, prev_seed);
+ }
return EFI_SUCCESS;
err_freepool:
+ memzero_explicit(seed, struct_size(seed, bits, seed_size));
efi_bs_call(free_pool, seed);
+ efi_warn("Failed to obtain seed from EFI_RNG_PROTOCOL\n");
+err_warn:
+ if (prev_seed)
+ efi_warn("Retaining bootloader-supplied seed only");
return status;
}
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1108,8 +1108,6 @@ void efi_check_for_embedded_firmwares(vo
static inline void efi_check_for_embedded_firmwares(void) { }
#endif
-efi_status_t efi_random_get_seed(void);
-
void efi_retrieve_tpm2_eventlog(void);
/*
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 772/783] io_uring: Fix unsigned res comparison with zero in io_fixup_rw_res()
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (770 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 771/783] efi: random: combine bootloader provided RNG seed with RNG protocol output Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 773/783] parisc: Align parisc MADV_XXX constants with all other architectures Greg Kroah-Hartman
` (20 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Harshit Mogalapalli
From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Smatch warning: io_fixup_rw_res() warn:
unsigned 'res' is never less than zero.
Change type of 'res' from unsigned to long.
Fixes: d6b7efc722a2 ("io_uring/rw: fix error'ed retry return values")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2702,7 +2702,7 @@ static bool __io_complete_rw_common(stru
return false;
}
-static inline int io_fixup_rw_res(struct io_kiocb *req, unsigned res)
+static inline int io_fixup_rw_res(struct io_kiocb *req, long res)
{
struct io_async_rw *io = req->async_data;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 773/783] parisc: Align parisc MADV_XXX constants with all other architectures
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (771 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 772/783] io_uring: Fix unsigned res comparison with zero in io_fixup_rw_res() Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 774/783] ext4: disable fast-commit of encrypted dir operations Greg Kroah-Hartman
` (19 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
From: Helge Deller <deller@gmx.de>
commit 71bdea6f798b425bc0003780b13e3fdecb16a010 upstream.
Adjust some MADV_XXX constants to be in sync what their values are on
all other platforms. There is currently no reason to have an own
numbering on parisc, but it requires workarounds in many userspace
sources (e.g. glibc, qemu, ...) - which are often forgotten and thus
introduce bugs and different behaviour on parisc.
A wrapper avoids an ABI breakage for existing userspace applications by
translating any old values to the new ones, so this change allows us to
move over all programs to the new ABI over time.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
---
arch/parisc/include/uapi/asm/mman.h | 23 +++++++++++------------
arch/parisc/kernel/sys_parisc.c | 27 +++++++++++++++++++++++++++
arch/parisc/kernel/syscalls/syscall.tbl | 2 +-
tools/arch/parisc/include/uapi/asm/mman.h | 12 ++++++------
tools/perf/bench/bench.h | 12 ------------
5 files changed, 45 insertions(+), 31 deletions(-)
--- a/arch/parisc/include/uapi/asm/mman.h
+++ b/arch/parisc/include/uapi/asm/mman.h
@@ -49,28 +49,27 @@
#define MADV_DONTFORK 10 /* don't inherit across fork */
#define MADV_DOFORK 11 /* do inherit across fork */
-#define MADV_COLD 20 /* deactivate these pages */
-#define MADV_PAGEOUT 21 /* reclaim these pages */
-
-#define MADV_MERGEABLE 65 /* KSM may merge identical pages */
-#define MADV_UNMERGEABLE 66 /* KSM may not merge identical pages */
+#define MADV_MERGEABLE 12 /* KSM may merge identical pages */
+#define MADV_UNMERGEABLE 13 /* KSM may not merge identical pages */
-#define MADV_HUGEPAGE 67 /* Worth backing with hugepages */
-#define MADV_NOHUGEPAGE 68 /* Not worth backing with hugepages */
+#define MADV_HUGEPAGE 14 /* Worth backing with hugepages */
+#define MADV_NOHUGEPAGE 15 /* Not worth backing with hugepages */
-#define MADV_DONTDUMP 69 /* Explicity exclude from the core dump,
+#define MADV_DONTDUMP 16 /* Explicity exclude from the core dump,
overrides the coredump filter bits */
-#define MADV_DODUMP 70 /* Clear the MADV_NODUMP flag */
+#define MADV_DODUMP 17 /* Clear the MADV_NODUMP flag */
-#define MADV_WIPEONFORK 71 /* Zero memory on fork, child only */
-#define MADV_KEEPONFORK 72 /* Undo MADV_WIPEONFORK */
+#define MADV_WIPEONFORK 18 /* Zero memory on fork, child only */
+#define MADV_KEEPONFORK 19 /* Undo MADV_WIPEONFORK */
+
+#define MADV_COLD 20 /* deactivate these pages */
+#define MADV_PAGEOUT 21 /* reclaim these pages */
#define MADV_HWPOISON 100 /* poison a page for testing */
#define MADV_SOFT_OFFLINE 101 /* soft offline page for testing */
/* compatibility flags */
#define MAP_FILE 0
-#define MAP_VARIABLE 0
#define PKEY_DISABLE_ACCESS 0x1
#define PKEY_DISABLE_WRITE 0x2
--- a/arch/parisc/kernel/sys_parisc.c
+++ b/arch/parisc/kernel/sys_parisc.c
@@ -444,3 +444,30 @@ asmlinkage long parisc_inotify_init1(int
flags = FIX_O_NONBLOCK(flags);
return sys_inotify_init1(flags);
}
+
+/*
+ * madvise() wrapper
+ *
+ * Up to kernel v6.1 parisc has different values than all other
+ * platforms for the MADV_xxx flags listed below.
+ * To keep binary compatibility with existing userspace programs
+ * translate the former values to the new values.
+ *
+ * XXX: Remove this wrapper in year 2025 (or later)
+ */
+
+asmlinkage notrace long parisc_madvise(unsigned long start, size_t len_in, int behavior)
+{
+ switch (behavior) {
+ case 65: behavior = MADV_MERGEABLE; break;
+ case 66: behavior = MADV_UNMERGEABLE; break;
+ case 67: behavior = MADV_HUGEPAGE; break;
+ case 68: behavior = MADV_NOHUGEPAGE; break;
+ case 69: behavior = MADV_DONTDUMP; break;
+ case 70: behavior = MADV_DODUMP; break;
+ case 71: behavior = MADV_WIPEONFORK; break;
+ case 72: behavior = MADV_KEEPONFORK; break;
+ }
+
+ return sys_madvise(start, len_in, behavior);
+}
--- a/arch/parisc/kernel/syscalls/syscall.tbl
+++ b/arch/parisc/kernel/syscalls/syscall.tbl
@@ -131,7 +131,7 @@
116 common sysinfo sys_sysinfo compat_sys_sysinfo
117 common shutdown sys_shutdown
118 common fsync sys_fsync
-119 common madvise sys_madvise
+119 common madvise parisc_madvise
120 common clone sys_clone_wrapper
121 common setdomainname sys_setdomainname
122 common sendfile sys_sendfile compat_sys_sendfile
--- a/tools/arch/parisc/include/uapi/asm/mman.h
+++ b/tools/arch/parisc/include/uapi/asm/mman.h
@@ -1,20 +1,20 @@
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
#ifndef TOOLS_ARCH_PARISC_UAPI_ASM_MMAN_FIX_H
#define TOOLS_ARCH_PARISC_UAPI_ASM_MMAN_FIX_H
-#define MADV_DODUMP 70
+#define MADV_DODUMP 17
#define MADV_DOFORK 11
-#define MADV_DONTDUMP 69
+#define MADV_DONTDUMP 16
#define MADV_DONTFORK 10
#define MADV_DONTNEED 4
#define MADV_FREE 8
-#define MADV_HUGEPAGE 67
-#define MADV_MERGEABLE 65
-#define MADV_NOHUGEPAGE 68
+#define MADV_HUGEPAGE 14
+#define MADV_MERGEABLE 12
+#define MADV_NOHUGEPAGE 15
#define MADV_NORMAL 0
#define MADV_RANDOM 1
#define MADV_REMOVE 9
#define MADV_SEQUENTIAL 2
-#define MADV_UNMERGEABLE 66
+#define MADV_UNMERGEABLE 13
#define MADV_WILLNEED 3
#define MAP_ANONYMOUS 0x10
#define MAP_DENYWRITE 0x0800
--- a/tools/perf/bench/bench.h
+++ b/tools/perf/bench/bench.h
@@ -10,25 +10,13 @@ extern struct timeval bench__start, benc
* The madvise transparent hugepage constants were added in glibc
* 2.13. For compatibility with older versions of glibc, define these
* tokens if they are not already defined.
- *
- * PA-RISC uses different madvise values from other architectures and
- * needs to be special-cased.
*/
-#ifdef __hppa__
-# ifndef MADV_HUGEPAGE
-# define MADV_HUGEPAGE 67
-# endif
-# ifndef MADV_NOHUGEPAGE
-# define MADV_NOHUGEPAGE 68
-# endif
-#else
# ifndef MADV_HUGEPAGE
# define MADV_HUGEPAGE 14
# endif
# ifndef MADV_NOHUGEPAGE
# define MADV_NOHUGEPAGE 15
# endif
-#endif
int bench_numa(int argc, const char **argv);
int bench_sched_messaging(int argc, const char **argv);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 774/783] ext4: disable fast-commit of encrypted dir operations
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (772 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 773/783] parisc: Align parisc MADV_XXX constants with all other architectures Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 775/783] ext4: dont set up encryption key during jbd2 transaction Greg Kroah-Hartman
` (18 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Eric Biggers, Theodore Tso
From: Eric Biggers <ebiggers@google.com>
commit 0fbcb5251fc81b58969b272c4fb7374a7b922e3e upstream.
fast-commit of create, link, and unlink operations in encrypted
directories is completely broken because the unencrypted filenames are
being written to the fast-commit journal instead of the encrypted
filenames. These operations can't be replayed, as encryption keys
aren't present at journal replay time. It is also an information leak.
Until if/when we can get this working properly, make encrypted directory
operations ineligible for fast-commit.
Note that fast-commit operations on encrypted regular files continue to
be allowed, as they seem to work.
Fixes: aa75f4d3daae ("ext4: main fast-commit commit path")
Cc: <stable@vger.kernel.org> # v5.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20221106224841.279231-2-ebiggers@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fast_commit.c | 40 ++++++++++++++++++++++++----------------
fs/ext4/fast_commit.h | 1 +
include/trace/events/ext4.h | 7 +++++--
3 files changed, 30 insertions(+), 18 deletions(-)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -371,25 +371,33 @@ static int __track_dentry_update(struct
struct __track_dentry_update_args *dentry_update =
(struct __track_dentry_update_args *)arg;
struct dentry *dentry = dentry_update->dentry;
- struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb);
+ struct inode *dir = dentry->d_parent->d_inode;
+ struct super_block *sb = inode->i_sb;
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
mutex_unlock(&ei->i_fc_lock);
+
+ if (IS_ENCRYPTED(dir)) {
+ ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_ENCRYPTED_FILENAME);
+ mutex_lock(&ei->i_fc_lock);
+ return -EOPNOTSUPP;
+ }
+
node = kmem_cache_alloc(ext4_fc_dentry_cachep, GFP_NOFS);
if (!node) {
- ext4_fc_mark_ineligible(inode->i_sb, EXT4_FC_REASON_NOMEM);
+ ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_NOMEM);
mutex_lock(&ei->i_fc_lock);
return -ENOMEM;
}
node->fcd_op = dentry_update->op;
- node->fcd_parent = dentry->d_parent->d_inode->i_ino;
+ node->fcd_parent = dir->i_ino;
node->fcd_ino = inode->i_ino;
if (dentry->d_name.len > DNAME_INLINE_LEN) {
node->fcd_name.name = kmalloc(dentry->d_name.len, GFP_NOFS);
if (!node->fcd_name.name) {
kmem_cache_free(ext4_fc_dentry_cachep, node);
- ext4_fc_mark_ineligible(inode->i_sb,
- EXT4_FC_REASON_NOMEM);
+ ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_NOMEM);
mutex_lock(&ei->i_fc_lock);
return -ENOMEM;
}
@@ -2142,17 +2150,17 @@ void ext4_fc_init(struct super_block *sb
journal->j_fc_cleanup_callback = ext4_fc_cleanup;
}
-static const char *fc_ineligible_reasons[] = {
- "Extended attributes changed",
- "Cross rename",
- "Journal flag changed",
- "Insufficient memory",
- "Swap boot",
- "Resize",
- "Dir renamed",
- "Falloc range op",
- "Data journalling",
- "FC Commit Failed"
+static const char * const fc_ineligible_reasons[] = {
+ [EXT4_FC_REASON_XATTR] = "Extended attributes changed",
+ [EXT4_FC_REASON_CROSS_RENAME] = "Cross rename",
+ [EXT4_FC_REASON_JOURNAL_FLAG_CHANGE] = "Journal flag changed",
+ [EXT4_FC_REASON_NOMEM] = "Insufficient memory",
+ [EXT4_FC_REASON_SWAP_BOOT] = "Swap boot",
+ [EXT4_FC_REASON_RESIZE] = "Resize",
+ [EXT4_FC_REASON_RENAME_DIR] = "Dir renamed",
+ [EXT4_FC_REASON_FALLOC_RANGE] = "Falloc range op",
+ [EXT4_FC_REASON_INODE_JOURNAL_DATA] = "Data journalling",
+ [EXT4_FC_REASON_ENCRYPTED_FILENAME] = "Encrypted filename",
};
int ext4_fc_info_show(struct seq_file *seq, void *v)
--- a/fs/ext4/fast_commit.h
+++ b/fs/ext4/fast_commit.h
@@ -104,6 +104,7 @@ enum {
EXT4_FC_REASON_FALLOC_RANGE,
EXT4_FC_REASON_INODE_JOURNAL_DATA,
EXT4_FC_COMMIT_FAILED,
+ EXT4_FC_REASON_ENCRYPTED_FILENAME,
EXT4_FC_REASON_MAX
};
--- a/include/trace/events/ext4.h
+++ b/include/trace/events/ext4.h
@@ -104,6 +104,7 @@ TRACE_DEFINE_ENUM(EXT4_FC_REASON_RESIZE)
TRACE_DEFINE_ENUM(EXT4_FC_REASON_RENAME_DIR);
TRACE_DEFINE_ENUM(EXT4_FC_REASON_FALLOC_RANGE);
TRACE_DEFINE_ENUM(EXT4_FC_REASON_INODE_JOURNAL_DATA);
+TRACE_DEFINE_ENUM(EXT4_FC_REASON_ENCRYPTED_FILENAME);
TRACE_DEFINE_ENUM(EXT4_FC_REASON_MAX);
#define show_fc_reason(reason) \
@@ -116,7 +117,8 @@ TRACE_DEFINE_ENUM(EXT4_FC_REASON_MAX);
{ EXT4_FC_REASON_RESIZE, "RESIZE"}, \
{ EXT4_FC_REASON_RENAME_DIR, "RENAME_DIR"}, \
{ EXT4_FC_REASON_FALLOC_RANGE, "FALLOC_RANGE"}, \
- { EXT4_FC_REASON_INODE_JOURNAL_DATA, "INODE_JOURNAL_DATA"})
+ { EXT4_FC_REASON_INODE_JOURNAL_DATA, "INODE_JOURNAL_DATA"}, \
+ { EXT4_FC_REASON_ENCRYPTED_FILENAME, "ENCRYPTED_FILENAME"})
TRACE_EVENT(ext4_other_inode_update_time,
TP_PROTO(struct inode *inode, ino_t orig_ino),
@@ -2940,7 +2942,7 @@ TRACE_EVENT(ext4_fc_stats,
),
TP_printk("dev %d,%d fc ineligible reasons:\n"
- "%s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u "
+ "%s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u, %s:%u"
"num_commits:%lu, ineligible: %lu, numblks: %lu",
MAJOR(__entry->dev), MINOR(__entry->dev),
FC_REASON_NAME_STAT(EXT4_FC_REASON_XATTR),
@@ -2952,6 +2954,7 @@ TRACE_EVENT(ext4_fc_stats,
FC_REASON_NAME_STAT(EXT4_FC_REASON_RENAME_DIR),
FC_REASON_NAME_STAT(EXT4_FC_REASON_FALLOC_RANGE),
FC_REASON_NAME_STAT(EXT4_FC_REASON_INODE_JOURNAL_DATA),
+ FC_REASON_NAME_STAT(EXT4_FC_REASON_ENCRYPTED_FILENAME),
__entry->fc_commits, __entry->fc_ineligible_commits,
__entry->fc_numblks)
);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 775/783] ext4: dont set up encryption key during jbd2 transaction
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (773 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 774/783] ext4: disable fast-commit of encrypted dir operations Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 776/783] fsl_lpuart: Dont enable interrupts too early Greg Kroah-Hartman
` (17 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+1a748d0007eeac3ab079,
Eric Biggers, Theodore Tso
From: Eric Biggers <ebiggers@google.com>
commit 4c0d5778385cb3618ff26a561ce41de2b7d9de70 upstream.
Commit a80f7fcf1867 ("ext4: fixup ext4_fc_track_* functions' signature")
extended the scope of the transaction in ext4_unlink() too far, making
it include the call to ext4_find_entry(). However, ext4_find_entry()
can deadlock when called from within a transaction because it may need
to set up the directory's encryption key.
Fix this by restoring the transaction to its original scope.
Reported-by: syzbot+1a748d0007eeac3ab079@syzkaller.appspotmail.com
Fixes: a80f7fcf1867 ("ext4: fixup ext4_fc_track_* functions' signature")
Cc: <stable@vger.kernel.org> # v5.10+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20221106224841.279231-3-ebiggers@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/ext4.h | 4 ++--
fs/ext4/fast_commit.c | 2 +-
fs/ext4/namei.c | 44 ++++++++++++++++++++++++--------------------
3 files changed, 27 insertions(+), 23 deletions(-)
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -3486,8 +3486,8 @@ extern int ext4_handle_dirty_dirblock(ha
extern int ext4_ci_compare(const struct inode *parent,
const struct qstr *fname,
const struct qstr *entry, bool quick);
-extern int __ext4_unlink(handle_t *handle, struct inode *dir, const struct qstr *d_name,
- struct inode *inode);
+extern int __ext4_unlink(struct inode *dir, const struct qstr *d_name,
+ struct inode *inode, struct dentry *dentry);
extern int __ext4_link(struct inode *dir, struct inode *inode,
struct dentry *dentry);
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1300,7 +1300,7 @@ static int ext4_fc_replay_unlink(struct
return 0;
}
- ret = __ext4_unlink(NULL, old_parent, &entry, inode);
+ ret = __ext4_unlink(old_parent, &entry, inode, NULL);
/* -ENOENT ok coz it might not exist anymore. */
if (ret == -ENOENT)
ret = 0;
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -3244,14 +3244,20 @@ end_rmdir:
return retval;
}
-int __ext4_unlink(handle_t *handle, struct inode *dir, const struct qstr *d_name,
- struct inode *inode)
+int __ext4_unlink(struct inode *dir, const struct qstr *d_name,
+ struct inode *inode,
+ struct dentry *dentry /* NULL during fast_commit recovery */)
{
int retval = -ENOENT;
struct buffer_head *bh;
struct ext4_dir_entry_2 *de;
+ handle_t *handle;
int skip_remove_dentry = 0;
+ /*
+ * Keep this outside the transaction; it may have to set up the
+ * directory's encryption key, which isn't GFP_NOFS-safe.
+ */
bh = ext4_find_entry(dir, d_name, &de, NULL);
if (IS_ERR(bh))
return PTR_ERR(bh);
@@ -3268,7 +3274,14 @@ int __ext4_unlink(handle_t *handle, stru
if (EXT4_SB(inode->i_sb)->s_mount_state & EXT4_FC_REPLAY)
skip_remove_dentry = 1;
else
- goto out;
+ goto out_bh;
+ }
+
+ handle = ext4_journal_start(dir, EXT4_HT_DIR,
+ EXT4_DATA_TRANS_BLOCKS(dir->i_sb));
+ if (IS_ERR(handle)) {
+ retval = PTR_ERR(handle);
+ goto out_bh;
}
if (IS_DIRSYNC(dir))
@@ -3277,12 +3290,12 @@ int __ext4_unlink(handle_t *handle, stru
if (!skip_remove_dentry) {
retval = ext4_delete_entry(handle, dir, de, bh);
if (retval)
- goto out;
+ goto out_handle;
dir->i_ctime = dir->i_mtime = current_time(dir);
ext4_update_dx_flag(dir);
retval = ext4_mark_inode_dirty(handle, dir);
if (retval)
- goto out;
+ goto out_handle;
} else {
retval = 0;
}
@@ -3295,15 +3308,17 @@ int __ext4_unlink(handle_t *handle, stru
ext4_orphan_add(handle, inode);
inode->i_ctime = current_time(inode);
retval = ext4_mark_inode_dirty(handle, inode);
-
-out:
+ if (dentry && !retval)
+ ext4_fc_track_unlink(handle, dentry);
+out_handle:
+ ext4_journal_stop(handle);
+out_bh:
brelse(bh);
return retval;
}
static int ext4_unlink(struct inode *dir, struct dentry *dentry)
{
- handle_t *handle;
int retval;
if (unlikely(ext4_forced_shutdown(EXT4_SB(dir->i_sb))))
@@ -3321,16 +3336,7 @@ static int ext4_unlink(struct inode *dir
if (retval)
goto out_trace;
- handle = ext4_journal_start(dir, EXT4_HT_DIR,
- EXT4_DATA_TRANS_BLOCKS(dir->i_sb));
- if (IS_ERR(handle)) {
- retval = PTR_ERR(handle);
- goto out_trace;
- }
-
- retval = __ext4_unlink(handle, dir, &dentry->d_name, d_inode(dentry));
- if (!retval)
- ext4_fc_track_unlink(handle, dentry);
+ retval = __ext4_unlink(dir, &dentry->d_name, d_inode(dentry), dentry);
#ifdef CONFIG_UNICODE
/* VFS negative dentries are incompatible with Encoding and
* Case-insensitiveness. Eventually we'll want avoid
@@ -3341,8 +3347,6 @@ static int ext4_unlink(struct inode *dir
if (IS_CASEFOLDED(dir))
d_invalidate(dentry);
#endif
- if (handle)
- ext4_journal_stop(handle);
out_trace:
trace_ext4_unlink_exit(dentry, retval);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 776/783] fsl_lpuart: Dont enable interrupts too early
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (774 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 775/783] ext4: dont set up encryption key during jbd2 transaction Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 777/783] serial: fixup backport of "serial: Deassert Transmit Enable on probe in driver-specific way" Greg Kroah-Hartman
` (16 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Indan Zupancic, Dominique Martinet
From: Indan Zupancic <Indan.Zupancic@mep-info.com>
commit 401fb66a355eb0f22096cf26864324f8e63c7d78 upstream.
If an irq is pending when devm_request_irq() is called, the irq
handler will cause a NULL pointer access because initialisation
is not done yet.
Fixes: 9d7ee0e28da59 ("tty: serial: lpuart: avoid report NULL interrupt")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Indan Zupancic <Indan.Zupancic@mep-info.com>
Link: https://lore.kernel.org/r/20220505114750.45423-1-Indan.Zupancic@mep-info.com
[5.10 did not have lpuart_global_reset or anything after
uart_add_one_port(), so add the remove call in cleanup manually]
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/fsl_lpuart.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -2586,6 +2586,7 @@ static int lpuart_probe(struct platform_
struct device_node *np = pdev->dev.of_node;
struct lpuart_port *sport;
struct resource *res;
+ irq_handler_t handler;
int ret;
sport = devm_kzalloc(&pdev->dev, sizeof(*sport), GFP_KERNEL);
@@ -2658,17 +2659,12 @@ static int lpuart_probe(struct platform_
if (lpuart_is_32(sport)) {
lpuart_reg.cons = LPUART32_CONSOLE;
- ret = devm_request_irq(&pdev->dev, sport->port.irq, lpuart32_int, 0,
- DRIVER_NAME, sport);
+ handler = lpuart32_int;
} else {
lpuart_reg.cons = LPUART_CONSOLE;
- ret = devm_request_irq(&pdev->dev, sport->port.irq, lpuart_int, 0,
- DRIVER_NAME, sport);
+ handler = lpuart_int;
}
- if (ret)
- goto failed_irq_request;
-
ret = uart_get_rs485_mode(&sport->port);
if (ret)
goto failed_get_rs485;
@@ -2684,11 +2680,17 @@ static int lpuart_probe(struct platform_
if (ret)
goto failed_attach_port;
+ ret = devm_request_irq(&pdev->dev, sport->port.irq, handler, 0,
+ DRIVER_NAME, sport);
+ if (ret)
+ goto failed_irq_request;
+
return 0;
+failed_irq_request:
+ uart_remove_one_port(&lpuart_reg, &sport->port);
failed_get_rs485:
failed_attach_port:
-failed_irq_request:
lpuart_disable_clks(sport);
return ret;
}
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 777/783] serial: fixup backport of "serial: Deassert Transmit Enable on probe in driver-specific way"
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (775 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 776/783] fsl_lpuart: Dont enable interrupts too early Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 778/783] mptcp: mark ops structures as ro_after_init Greg Kroah-Hartman
` (15 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rasmus Villemoes, Dominique Martinet
From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
When 7c7f9bc986e6 ("serial: Deassert Transmit Enable on probe in
driver-specific way") got backported to 5.10.y, there known as
26a2b9c468de, some hunks were accidentally left out.
In serial_core.c, it is possible that the omission in
uart_suspend_port() is harmless, but the backport did have the
corresponding hunk in uart_resume_port(), it runs counter to the
original commit's intention of
Skip any invocation of ->set_mctrl() if RS485 is enabled.
and it's certainly better to be aligned with upstream.
Link: https://lkml.kernel.org/r/20221222114414.1886632-1-linux@rasmusvillemoes.dk
Fixes: 26a2b9c468de ("serial: Deassert Transmit Enable on probe in driver-specific way")
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
[the fsl_lpuart part of the 5.15 patch is not required on 5.10,
because the code before 26a2b9c468de was incorrectly not calling
uart_remove_one_port on failed_get_rs485]
Signed-off-by: Dominique Martinet <dominique.martinet@atmark-techno.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/serial_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -2254,7 +2254,8 @@ int uart_suspend_port(struct uart_driver
spin_lock_irq(&uport->lock);
ops->stop_tx(uport);
- ops->set_mctrl(uport, 0);
+ if (!(uport->rs485.flags & SER_RS485_ENABLED))
+ ops->set_mctrl(uport, 0);
ops->stop_rx(uport);
spin_unlock_irq(&uport->lock);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 778/783] mptcp: mark ops structures as ro_after_init
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (776 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 777/783] serial: fixup backport of "serial: Deassert Transmit Enable on probe in driver-specific way" Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 779/783] mptcp: remove MPTCP ifdef in TCP SYN cookies Greg Kroah-Hartman
` (14 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Florian Westphal, Mat Martineau,
Jakub Kicinski
From: Mat Martineau <mathew.j.martineau@linux.intel.com>
From: Florian Westphal <fw@strlen.de>
commit 51fa7f8ebf0e25c7a9039fa3988a623d5f3855aa upstream.
These structures are initialised from the init hooks, so we can't make
them 'const'. But no writes occur afterwards, so we can use ro_after_init.
Also, remove bogus EXPORT_SYMBOL, the only access comes from ip
stack, not from kernel modules.
Cc: stable@vger.kernel.org # 5.10
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -360,8 +360,7 @@ do_reset:
}
struct request_sock_ops mptcp_subflow_request_sock_ops;
-EXPORT_SYMBOL_GPL(mptcp_subflow_request_sock_ops);
-static struct tcp_request_sock_ops subflow_request_sock_ipv4_ops;
+static struct tcp_request_sock_ops subflow_request_sock_ipv4_ops __ro_after_init;
static int subflow_v4_conn_request(struct sock *sk, struct sk_buff *skb)
{
@@ -382,9 +381,9 @@ drop:
}
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
-static struct tcp_request_sock_ops subflow_request_sock_ipv6_ops;
-static struct inet_connection_sock_af_ops subflow_v6_specific;
-static struct inet_connection_sock_af_ops subflow_v6m_specific;
+static struct tcp_request_sock_ops subflow_request_sock_ipv6_ops __ro_after_init;
+static struct inet_connection_sock_af_ops subflow_v6_specific __ro_after_init;
+static struct inet_connection_sock_af_ops subflow_v6m_specific __ro_after_init;
static int subflow_v6_conn_request(struct sock *sk, struct sk_buff *skb)
{
@@ -636,7 +635,7 @@ dispose_child:
return child;
}
-static struct inet_connection_sock_af_ops subflow_specific;
+static struct inet_connection_sock_af_ops subflow_specific __ro_after_init;
enum mapping_status {
MAPPING_OK,
@@ -1017,7 +1016,7 @@ static void subflow_write_space(struct s
}
}
-static struct inet_connection_sock_af_ops *
+static const struct inet_connection_sock_af_ops *
subflow_default_af_ops(struct sock *sk)
{
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
@@ -1032,7 +1031,7 @@ void mptcpv6_handle_mapped(struct sock *
{
struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
struct inet_connection_sock *icsk = inet_csk(sk);
- struct inet_connection_sock_af_ops *target;
+ const struct inet_connection_sock_af_ops *target;
target = mapped ? &subflow_v6m_specific : subflow_default_af_ops(sk);
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 779/783] mptcp: remove MPTCP ifdef in TCP SYN cookies
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (777 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 778/783] mptcp: mark ops structures as ro_after_init Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 780/783] mptcp: dedicated request sock for subflow in v6 Greg Kroah-Hartman
` (13 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Mat Martineau,
Matthieu Baerts, Jakub Kicinski
From: Mat Martineau <mathew.j.martineau@linux.intel.com>
From: Matthieu Baerts <matthieu.baerts@tessares.net>
commit 3fff88186f047627bb128d65155f42517f8e448f upstream.
To ease the maintenance, it is often recommended to avoid having #ifdef
preprocessor conditions.
Here the section related to CONFIG_MPTCP was quite short but the next
commit needs to add more code around. It is then cleaner to move
specific MPTCP code to functions located in net/mptcp directory.
Now that mptcp_subflow_request_sock_ops structure can be static, it can
also be marked as "read only after init".
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Cc: stable@vger.kernel.org # 5.10
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/mptcp.h | 12 ++++++++++--
net/ipv4/syncookies.c | 7 +++----
net/mptcp/subflow.c | 12 +++++++++++-
3 files changed, 24 insertions(+), 7 deletions(-)
--- a/include/net/mptcp.h
+++ b/include/net/mptcp.h
@@ -58,8 +58,6 @@ struct mptcp_out_options {
};
#ifdef CONFIG_MPTCP
-extern struct request_sock_ops mptcp_subflow_request_sock_ops;
-
void mptcp_init(void);
static inline bool sk_is_mptcp(const struct sock *sk)
@@ -133,6 +131,9 @@ void mptcp_seq_show(struct seq_file *seq
int mptcp_subflow_init_cookie_req(struct request_sock *req,
const struct sock *sk_listener,
struct sk_buff *skb);
+struct request_sock *mptcp_subflow_reqsk_alloc(const struct request_sock_ops *ops,
+ struct sock *sk_listener,
+ bool attach_listener);
#else
static inline void mptcp_init(void)
@@ -208,6 +209,13 @@ static inline int mptcp_subflow_init_coo
{
return 0; /* TCP fallback */
}
+
+static inline struct request_sock *mptcp_subflow_reqsk_alloc(const struct request_sock_ops *ops,
+ struct sock *sk_listener,
+ bool attach_listener)
+{
+ return NULL;
+}
#endif /* CONFIG_MPTCP */
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -290,12 +290,11 @@ struct request_sock *cookie_tcp_reqsk_al
struct tcp_request_sock *treq;
struct request_sock *req;
-#ifdef CONFIG_MPTCP
if (sk_is_mptcp(sk))
- ops = &mptcp_subflow_request_sock_ops;
-#endif
+ req = mptcp_subflow_reqsk_alloc(ops, sk, false);
+ else
+ req = inet_reqsk_alloc(ops, sk, false);
- req = inet_reqsk_alloc(ops, sk, false);
if (!req)
return NULL;
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -359,7 +359,7 @@ do_reset:
mptcp_subflow_reset(sk);
}
-struct request_sock_ops mptcp_subflow_request_sock_ops;
+static struct request_sock_ops mptcp_subflow_request_sock_ops __ro_after_init;
static struct tcp_request_sock_ops subflow_request_sock_ipv4_ops __ro_after_init;
static int subflow_v4_conn_request(struct sock *sk, struct sk_buff *skb)
@@ -411,6 +411,16 @@ drop:
}
#endif
+struct request_sock *mptcp_subflow_reqsk_alloc(const struct request_sock_ops *ops,
+ struct sock *sk_listener,
+ bool attach_listener)
+{
+ ops = &mptcp_subflow_request_sock_ops;
+
+ return inet_reqsk_alloc(ops, sk_listener, attach_listener);
+}
+EXPORT_SYMBOL(mptcp_subflow_reqsk_alloc);
+
/* validate hmac received in third ACK */
static bool subflow_hmac_valid(const struct request_sock *req,
const struct mptcp_options_received *mp_opt)
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 780/783] mptcp: dedicated request sock for subflow in v6
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (778 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 779/783] mptcp: remove MPTCP ifdef in TCP SYN cookies Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 781/783] mptcp: use proper req destructor for IPv6 Greg Kroah-Hartman
` (12 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau, Matthieu Baerts,
Jakub Kicinski
From: Mat Martineau <mathew.j.martineau@linux.intel.com>
From: Matthieu Baerts <matthieu.baerts@tessares.net>
commit 34b21d1ddc8ace77a8fa35c1b1e06377209e0dae upstream.
tcp_request_sock_ops structure is specific to IPv4. It should then not
be used with MPTCP subflows on top of IPv6.
For example, it contains the 'family' field, initialised to AF_INET.
This 'family' field is used by TCP FastOpen code to generate the cookie
but also by TCP Metrics, SELinux and SYN Cookies. Using the wrong family
will not lead to crashes but displaying/using/checking wrong things.
Note that 'send_reset' callback from request_sock_ops structure is used
in some error paths. It is then also important to use the correct one
for IPv4 or IPv6.
The slab name can also be different in IPv4 and IPv6, it will be used
when printing some log messages. The slab pointer will anyway be the
same because the object size is the same for both v4 and v6. A
BUILD_BUG_ON() has also been added to make sure this size is the same.
Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Cc: stable@vger.kernel.org # 5.10
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 34 ++++++++++++++++++++++++++--------
1 file changed, 26 insertions(+), 8 deletions(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -359,7 +359,7 @@ do_reset:
mptcp_subflow_reset(sk);
}
-static struct request_sock_ops mptcp_subflow_request_sock_ops __ro_after_init;
+static struct request_sock_ops mptcp_subflow_v4_request_sock_ops __ro_after_init;
static struct tcp_request_sock_ops subflow_request_sock_ipv4_ops __ro_after_init;
static int subflow_v4_conn_request(struct sock *sk, struct sk_buff *skb)
@@ -372,7 +372,7 @@ static int subflow_v4_conn_request(struc
if (skb_rtable(skb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
goto drop;
- return tcp_conn_request(&mptcp_subflow_request_sock_ops,
+ return tcp_conn_request(&mptcp_subflow_v4_request_sock_ops,
&subflow_request_sock_ipv4_ops,
sk, skb);
drop:
@@ -381,6 +381,7 @@ drop:
}
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
+static struct request_sock_ops mptcp_subflow_v6_request_sock_ops __ro_after_init;
static struct tcp_request_sock_ops subflow_request_sock_ipv6_ops __ro_after_init;
static struct inet_connection_sock_af_ops subflow_v6_specific __ro_after_init;
static struct inet_connection_sock_af_ops subflow_v6m_specific __ro_after_init;
@@ -402,7 +403,7 @@ static int subflow_v6_conn_request(struc
return 0;
}
- return tcp_conn_request(&mptcp_subflow_request_sock_ops,
+ return tcp_conn_request(&mptcp_subflow_v6_request_sock_ops,
&subflow_request_sock_ipv6_ops, sk, skb);
drop:
@@ -415,7 +416,12 @@ struct request_sock *mptcp_subflow_reqsk
struct sock *sk_listener,
bool attach_listener)
{
- ops = &mptcp_subflow_request_sock_ops;
+ if (ops->family == AF_INET)
+ ops = &mptcp_subflow_v4_request_sock_ops;
+#if IS_ENABLED(CONFIG_MPTCP_IPV6)
+ else if (ops->family == AF_INET6)
+ ops = &mptcp_subflow_v6_request_sock_ops;
+#endif
return inet_reqsk_alloc(ops, sk_listener, attach_listener);
}
@@ -1386,7 +1392,6 @@ static struct tcp_ulp_ops subflow_ulp_op
static int subflow_ops_init(struct request_sock_ops *subflow_ops)
{
subflow_ops->obj_size = sizeof(struct mptcp_subflow_request_sock);
- subflow_ops->slab_name = "request_sock_subflow";
subflow_ops->slab = kmem_cache_create(subflow_ops->slab_name,
subflow_ops->obj_size, 0,
@@ -1403,9 +1408,10 @@ static int subflow_ops_init(struct reque
void __init mptcp_subflow_init(void)
{
- mptcp_subflow_request_sock_ops = tcp_request_sock_ops;
- if (subflow_ops_init(&mptcp_subflow_request_sock_ops) != 0)
- panic("MPTCP: failed to init subflow request sock ops\n");
+ mptcp_subflow_v4_request_sock_ops = tcp_request_sock_ops;
+ mptcp_subflow_v4_request_sock_ops.slab_name = "request_sock_subflow_v4";
+ if (subflow_ops_init(&mptcp_subflow_v4_request_sock_ops) != 0)
+ panic("MPTCP: failed to init subflow v4 request sock ops\n");
subflow_request_sock_ipv4_ops = tcp_request_sock_ipv4_ops;
subflow_request_sock_ipv4_ops.init_req = subflow_v4_init_req;
@@ -1416,6 +1422,18 @@ void __init mptcp_subflow_init(void)
subflow_specific.sk_rx_dst_set = subflow_finish_connect;
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
+ /* In struct mptcp_subflow_request_sock, we assume the TCP request sock
+ * structures for v4 and v6 have the same size. It should not changed in
+ * the future but better to make sure to be warned if it is no longer
+ * the case.
+ */
+ BUILD_BUG_ON(sizeof(struct tcp_request_sock) != sizeof(struct tcp6_request_sock));
+
+ mptcp_subflow_v6_request_sock_ops = tcp6_request_sock_ops;
+ mptcp_subflow_v6_request_sock_ops.slab_name = "request_sock_subflow_v6";
+ if (subflow_ops_init(&mptcp_subflow_v6_request_sock_ops) != 0)
+ panic("MPTCP: failed to init subflow v6 request sock ops\n");
+
subflow_request_sock_ipv6_ops = tcp_request_sock_ipv6_ops;
subflow_request_sock_ipv6_ops.init_req = subflow_v6_init_req;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 781/783] mptcp: use proper req destructor for IPv6
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (779 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 780/783] mptcp: dedicated request sock for subflow in v6 Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 782/783] net: sched: disallow noqueue for qdisc classes Greg Kroah-Hartman
` (11 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau, Matthieu Baerts,
Jakub Kicinski
From: Mat Martineau <mathew.j.martineau@linux.intel.com>
From: Matthieu Baerts <matthieu.baerts@tessares.net>
commit d3295fee3c756ece33ac0d935e172e68c0a4161b upstream.
Before, only the destructor from TCP request sock in IPv4 was called
even if the subflow was IPv6.
It is important to use the right destructor to avoid memory leaks with
some advanced IPv6 features, e.g. when the request socks contain
specific IPv6 options.
Fixes: 79c0949e9a09 ("mptcp: Add key generation and token tree")
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Cc: stable@vger.kernel.org # 5.10
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/subflow.c | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -40,7 +40,6 @@ static void subflow_req_destructor(struc
sock_put((struct sock *)subflow_req->msk);
mptcp_token_destroy_request(req);
- tcp_request_sock_ops.destructor(req);
}
static void subflow_generate_hmac(u64 key1, u64 key2, u32 nonce1, u32 nonce2,
@@ -380,6 +379,12 @@ drop:
return 0;
}
+static void subflow_v4_req_destructor(struct request_sock *req)
+{
+ subflow_req_destructor(req);
+ tcp_request_sock_ops.destructor(req);
+}
+
#if IS_ENABLED(CONFIG_MPTCP_IPV6)
static struct request_sock_ops mptcp_subflow_v6_request_sock_ops __ro_after_init;
static struct tcp_request_sock_ops subflow_request_sock_ipv6_ops __ro_after_init;
@@ -410,6 +415,12 @@ drop:
tcp_listendrop(sk);
return 0; /* don't send reset */
}
+
+static void subflow_v6_req_destructor(struct request_sock *req)
+{
+ subflow_req_destructor(req);
+ tcp6_request_sock_ops.destructor(req);
+}
#endif
struct request_sock *mptcp_subflow_reqsk_alloc(const struct request_sock_ops *ops,
@@ -1401,8 +1412,6 @@ static int subflow_ops_init(struct reque
if (!subflow_ops->slab)
return -ENOMEM;
- subflow_ops->destructor = subflow_req_destructor;
-
return 0;
}
@@ -1410,6 +1419,8 @@ void __init mptcp_subflow_init(void)
{
mptcp_subflow_v4_request_sock_ops = tcp_request_sock_ops;
mptcp_subflow_v4_request_sock_ops.slab_name = "request_sock_subflow_v4";
+ mptcp_subflow_v4_request_sock_ops.destructor = subflow_v4_req_destructor;
+
if (subflow_ops_init(&mptcp_subflow_v4_request_sock_ops) != 0)
panic("MPTCP: failed to init subflow v4 request sock ops\n");
@@ -1431,6 +1442,8 @@ void __init mptcp_subflow_init(void)
mptcp_subflow_v6_request_sock_ops = tcp6_request_sock_ops;
mptcp_subflow_v6_request_sock_ops.slab_name = "request_sock_subflow_v6";
+ mptcp_subflow_v6_request_sock_ops.destructor = subflow_v6_req_destructor;
+
if (subflow_ops_init(&mptcp_subflow_v6_request_sock_ops) != 0)
panic("MPTCP: failed to init subflow v6 request sock ops\n");
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 782/783] net: sched: disallow noqueue for qdisc classes
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (780 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 781/783] mptcp: use proper req destructor for IPv6 Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 783/783] net/ulp: prevent ULP without clone op from entering the LISTEN status Greg Kroah-Hartman
` (10 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Frederick Lawler, Jakub Sitnicki,
Jakub Kicinski
From: Frederick Lawler <fred@cloudflare.com>
commit 96398560f26aa07e8f2969d73c8197e6a6d10407 upstream.
While experimenting with applying noqueue to a classful queue discipline,
we discovered a NULL pointer dereference in the __dev_queue_xmit()
path that generates a kernel OOPS:
# dev=enp0s5
# tc qdisc replace dev $dev root handle 1: htb default 1
# tc class add dev $dev parent 1: classid 1:1 htb rate 10mbit
# tc qdisc add dev $dev parent 1:1 handle 10: noqueue
# ping -I $dev -w 1 -c 1 1.1.1.1
[ 2.172856] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 2.173217] #PF: supervisor instruction fetch in kernel mode
...
[ 2.178451] Call Trace:
[ 2.178577] <TASK>
[ 2.178686] htb_enqueue+0x1c8/0x370
[ 2.178880] dev_qdisc_enqueue+0x15/0x90
[ 2.179093] __dev_queue_xmit+0x798/0xd00
[ 2.179305] ? _raw_write_lock_bh+0xe/0x30
[ 2.179522] ? __local_bh_enable_ip+0x32/0x70
[ 2.179759] ? ___neigh_create+0x610/0x840
[ 2.179968] ? eth_header+0x21/0xc0
[ 2.180144] ip_finish_output2+0x15e/0x4f0
[ 2.180348] ? dst_output+0x30/0x30
[ 2.180525] ip_push_pending_frames+0x9d/0xb0
[ 2.180739] raw_sendmsg+0x601/0xcb0
[ 2.180916] ? _raw_spin_trylock+0xe/0x50
[ 2.181112] ? _raw_spin_unlock_irqrestore+0x16/0x30
[ 2.181354] ? get_page_from_freelist+0xcd6/0xdf0
[ 2.181594] ? sock_sendmsg+0x56/0x60
[ 2.181781] sock_sendmsg+0x56/0x60
[ 2.181958] __sys_sendto+0xf7/0x160
[ 2.182139] ? handle_mm_fault+0x6e/0x1d0
[ 2.182366] ? do_user_addr_fault+0x1e1/0x660
[ 2.182627] __x64_sys_sendto+0x1b/0x30
[ 2.182881] do_syscall_64+0x38/0x90
[ 2.183085] entry_SYSCALL_64_after_hwframe+0x63/0xcd
...
[ 2.187402] </TASK>
Previously in commit d66d6c3152e8 ("net: sched: register noqueue
qdisc"), NULL was set for the noqueue discipline on noqueue init
so that __dev_queue_xmit() falls through for the noqueue case. This
also sets a bypass of the enqueue NULL check in the
register_qdisc() function for the struct noqueue_disc_ops.
Classful queue disciplines make it past the NULL check in
__dev_queue_xmit() because the discipline is set to htb (in this case),
and then in the call to __dev_xmit_skb(), it calls into htb_enqueue()
which grabs a leaf node for a class and then calls qdisc_enqueue() by
passing in a queue discipline which assumes ->enqueue() is not set to NULL.
Fix this by not allowing classes to be assigned to the noqueue
discipline. Linux TC Notes states that classes cannot be set to
the noqueue discipline. [1] Let's enforce that here.
Links:
1. https://linux-tc-notes.sourceforge.net/tc/doc/sch_noqueue.txt
Fixes: d66d6c3152e8 ("net: sched: register noqueue qdisc")
Cc: stable@vger.kernel.org
Signed-off-by: Frederick Lawler <fred@cloudflare.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/r/20230109163906.706000-1-fred@cloudflare.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_api.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1114,6 +1114,11 @@ skip:
return -ENOENT;
}
+ if (new && new->ops == &noqueue_qdisc_ops) {
+ NL_SET_ERR_MSG(extack, "Cannot assign noqueue to a class");
+ return -EINVAL;
+ }
+
err = cops->graft(parent, cl, new, &old, extack);
if (err)
return err;
^ permalink raw reply [flat|nested] 799+ messages in thread
* [PATCH 5.10 783/783] net/ulp: prevent ULP without clone op from entering the LISTEN status
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (781 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 782/783] net: sched: disallow noqueue for qdisc classes Greg Kroah-Hartman
@ 2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 20:29 ` [PATCH 5.10 000/783] 5.10.163-rc1 review Florian Fainelli
` (9 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-12 13:58 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, slipper, Paolo Abeni, Jakub Kicinski
From: Paolo Abeni <pabeni@redhat.com>
commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream.
When an ULP-enabled socket enters the LISTEN status, the listener ULP data
pointer is copied inside the child/accepted sockets by sk_clone_lock().
The relevant ULP can take care of de-duplicating the context pointer via
the clone() operation, but only MPTCP and SMC implement such op.
Other ULPs may end-up with a double-free at socket disposal time.
We can't simply clear the ULP data at clone time, as TLS replaces the
socket ops with custom ones assuming a valid TLS ULP context is
available.
Instead completely prevent clone-less ULP sockets from entering the
LISTEN status.
Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
Reported-by: slipper <slipper.alive@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/r/4b80c3d1dbe3d0ab072f80450c202d9bc88b4b03.1672740602.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/inet_connection_sock.c | 16 +++++++++++++++-
net/ipv4/tcp_ulp.c | 4 ++++
2 files changed, 19 insertions(+), 1 deletion(-)
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -916,11 +916,25 @@ void inet_csk_prepare_forced_close(struc
}
EXPORT_SYMBOL(inet_csk_prepare_forced_close);
+static int inet_ulp_can_listen(const struct sock *sk)
+{
+ const struct inet_connection_sock *icsk = inet_csk(sk);
+
+ if (icsk->icsk_ulp_ops && !icsk->icsk_ulp_ops->clone)
+ return -EINVAL;
+
+ return 0;
+}
+
int inet_csk_listen_start(struct sock *sk, int backlog)
{
struct inet_connection_sock *icsk = inet_csk(sk);
struct inet_sock *inet = inet_sk(sk);
- int err = -EADDRINUSE;
+ int err;
+
+ err = inet_ulp_can_listen(sk);
+ if (unlikely(err))
+ return err;
reqsk_queue_alloc(&icsk->icsk_accept_queue);
--- a/net/ipv4/tcp_ulp.c
+++ b/net/ipv4/tcp_ulp.c
@@ -136,6 +136,10 @@ static int __tcp_set_ulp(struct sock *sk
if (icsk->icsk_ulp_ops)
goto out_err;
+ err = -EINVAL;
+ if (!ulp_ops->clone && sk->sk_state == TCP_LISTEN)
+ goto out_err;
+
err = ulp_ops->init(sk);
if (err)
goto out_err;
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (782 preceding siblings ...)
2023-01-12 13:58 ` [PATCH 5.10 783/783] net/ulp: prevent ULP without clone op from entering the LISTEN status Greg Kroah-Hartman
@ 2023-01-12 20:29 ` Florian Fainelli
2023-01-12 20:51 ` Pavel Machek
` (8 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Florian Fainelli @ 2023-01-12 20:29 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow
On 1/12/23 05:45, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.163 release.
> There are 783 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.163-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <f.fainelli@gmail.com>
--
Florian
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (783 preceding siblings ...)
2023-01-12 20:29 ` [PATCH 5.10 000/783] 5.10.163-rc1 review Florian Fainelli
@ 2023-01-12 20:51 ` Pavel Machek
2023-01-13 1:12 ` Shuah Khan
` (7 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Pavel Machek @ 2023-01-12 20:51 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow
[-- Attachment #1: Type: text/plain, Size: 666 bytes --]
Hi!
> This is the start of the stable review cycle for the 5.10.163 release.
> There are 783 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
CIP testing did not find any problems here:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-5.10.y
Tested-by: Pavel Machek (CIP) <pavel@denx.de>
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (784 preceding siblings ...)
2023-01-12 20:51 ` Pavel Machek
@ 2023-01-13 1:12 ` Shuah Khan
2023-01-13 5:50 ` Guenter Roeck
` (6 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Shuah Khan @ 2023-01-13 1:12 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, Shuah Khan
On 1/12/23 06:45, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.163 release.
> There are 783 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.163-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (785 preceding siblings ...)
2023-01-13 1:12 ` Shuah Khan
@ 2023-01-13 5:50 ` Guenter Roeck
2023-01-13 10:31 ` zhouzhixiu
` (5 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Guenter Roeck @ 2023-01-13 5:50 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow
On Thu, Jan 12, 2023 at 02:45:16PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.163 release.
> There are 783 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 162 pass: 162 fail: 0
Qemu test results:
total: 475 pass: 475 fail: 0
Tested-by: Guenter Roeck <linux@roeck-us.net>
Guenter
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (786 preceding siblings ...)
2023-01-13 5:50 ` Guenter Roeck
@ 2023-01-13 10:31 ` zhouzhixiu
2023-01-13 12:33 ` Sudip Mukherjee
` (4 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: zhouzhixiu @ 2023-01-13 10:31 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow
On 2023/1/12 21:45, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.163 release.
> There are 783 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.163-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
> -------------
Tested on arm64 and x86 for 5.10.163-rc1,
Kernel
repo:https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Branch: linux-5.10.y
Version: 5.10.163-rc1
Commit: d33d55703c7895c3dd8793cbad6046db91df21db
Compiler: gcc version 7.3.0 (GCC)
arm64:
--------------------------------------------------------------------
Testcase Result Summary:
total: 9023
passed: 9023
failed: 0
timeout: 0
--------------------------------------------------------------------
x86:
--------------------------------------------------------------------
Testcase Result Summary:
total: 9023
passed: 9023
failed: 0
timeout: 0
--------------------------------------------------------------------
Tested-by: Hulk Robot <hulkrobot@huawei.com>
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (787 preceding siblings ...)
2023-01-13 10:31 ` zhouzhixiu
@ 2023-01-13 12:33 ` Sudip Mukherjee
2023-01-13 13:18 ` Jon Hunter
` (3 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Sudip Mukherjee @ 2023-01-13 12:33 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli, srw, rwarsow
Hi Greg,
On Thu, Jan 12, 2023 at 02:45:16PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.163 release.
> There are 783 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
> Anything received after that time might be too late.
Build test (gcc version 11.3.1 20221127):
mips: 63 configs -> no failure
arm: 104 configs -> no failure
arm64: 3 configs -> no failure
x86_64: 4 configs -> no failure
alpha allmodconfig -> no failure
powerpc allmodconfig -> no failure
riscv allmodconfig -> no failure
s390 allmodconfig -> no failure
xtensa allmodconfig -> no failure
Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]
arm64: Booted on rpi4b (4GB model). No regression. [2]
[1]. https://openqa.qa.codethink.co.uk/tests/2628
[2]. https://openqa.qa.codethink.co.uk/tests/2633
Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
--
Regards
Sudip
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (788 preceding siblings ...)
2023-01-13 12:33 ` Sudip Mukherjee
@ 2023-01-13 13:18 ` Jon Hunter
2023-01-13 17:45 ` Naresh Kamboju
` (2 subsequent siblings)
792 siblings, 0 replies; 799+ messages in thread
From: Jon Hunter @ 2023-01-13 13:18 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, linux-tegra
On Thu, 12 Jan 2023 14:45:16 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.163 release.
> There are 783 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.163-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v5.10:
11 builds: 11 pass, 0 fail
28 boots: 28 pass, 0 fail
75 tests: 75 pass, 0 fail
Linux version: 5.10.163-rc1-gd33d55703c78
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra194-p3509-0000+p3668-0000,
tegra20-ventana, tegra210-p2371-2180,
tegra210-p3450-0000, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (789 preceding siblings ...)
2023-01-13 13:18 ` Jon Hunter
@ 2023-01-13 17:45 ` Naresh Kamboju
2023-01-13 18:05 ` Allen Pais
2023-01-13 23:26 ` Ron Economos
792 siblings, 0 replies; 799+ messages in thread
From: Naresh Kamboju @ 2023-01-13 17:45 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow
On Thu, 12 Jan 2023 at 19:28, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.10.163 release.
> There are 783 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.163-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 5.10.163-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-5.10.y
* git commit: d33d55703c7895c3dd8793cbad6046db91df21db
* git describe: v5.10.162-784-gd33d55703c78
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.10.y/build/v5.10.162-784-gd33d55703c78
## Test Regressions (compared to v5.10.162)
## Metric Regressions (compared to v5.10.162)
## Test Fixes (compared to v5.10.162)
## Metric Fixes (compared to v5.10.162)
## Test result summary
total: 157841, pass: 132606, fail: 3922, skip: 20968, xfail: 345
## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 151 total, 150 passed, 1 failed
* arm64: 49 total, 46 passed, 3 failed
* i386: 39 total, 37 passed, 2 failed
* mips: 31 total, 29 passed, 2 failed
* parisc: 8 total, 8 passed, 0 failed
* powerpc: 32 total, 25 passed, 7 failed
* riscv: 16 total, 14 passed, 2 failed
* s390: 16 total, 16 passed, 0 failed
* sh: 14 total, 12 passed, 2 failed
* sparc: 8 total, 8 passed, 0 failed
* x86_64: 42 total, 40 passed, 2 failed
## Test suites summary
* boot
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers-dma-buf
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-filesystems-binderfs
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-net-forwarding
* kselftest-net-mptcp
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-cap_bounds
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-filecaps
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-fsx
* ltp-hugetlb
* ltp-io
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-open-posix-tests
* ltp-pty
* ltp-sched
* ltp-securebits
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* network-basic-tests
* packetdrill
* perf
* rcutorture
* v4l2-compliance
* vdso
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (790 preceding siblings ...)
2023-01-13 17:45 ` Naresh Kamboju
@ 2023-01-13 18:05 ` Allen Pais
2023-01-13 23:26 ` Ron Economos
792 siblings, 0 replies; 799+ messages in thread
From: Allen Pais @ 2023-01-13 18:05 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow
> This is the start of the stable review cycle for the 5.10.163 release.
> There are 783 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.163-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my x86_64 and ARM64 test systems. No errors or
regressions.
Tested-by: Allen Pais <apais@linux.microsoft.com>
Thanks.
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
` (791 preceding siblings ...)
2023-01-13 18:05 ` Allen Pais
@ 2023-01-13 23:26 ` Ron Economos
2023-01-13 23:34 ` Ron Economos
792 siblings, 1 reply; 799+ messages in thread
From: Ron Economos @ 2023-01-13 23:26 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow
On 1/12/23 5:45 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.163 release.
> There are 783 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.163-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 799+ messages in thread
* Re: [PATCH 5.10 000/783] 5.10.163-rc1 review
2023-01-13 23:26 ` Ron Economos
@ 2023-01-13 23:34 ` Ron Economos
0 siblings, 0 replies; 799+ messages in thread
From: Ron Economos @ 2023-01-13 23:34 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow
On 1/13/23 3:26 PM, Ron Economos wrote:
> On 1/12/23 5:45 AM, Greg Kroah-Hartman wrote:
>> This is the start of the stable review cycle for the 5.10.163 release.
>> There are 783 patches in this series, all will be posted as a response
>> to this one. If anyone has any issues with these being applied, please
>> let me know.
>>
>> Responses should be made by Sat, 14 Jan 2023 13:53:18 +0000.
>> Anything received after that time might be too late.
>>
>> The whole patch series can be found in one patch at:
>> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.163-rc1.gz
>>
>> or in the git tree and branch at:
>> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
>> linux-5.10.y
>> and the diffstat can be found below.
>>
>> thanks,
>>
>> greg k-h
>
> Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
>
> Tested-by: Ron Economos <re@w6rz.net>
>
Oops, replied to the wrong e-mail. Please ignore.
^ permalink raw reply [flat|nested] 799+ messages in thread
end of thread, other threads:[~2023-01-13 23:47 UTC | newest]
Thread overview: 799+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-12 13:45 [PATCH 5.10 000/783] 5.10.163-rc1 review Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 001/783] usb: musb: remove extra check in musb_gadget_vbus_draw Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 002/783] arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 003/783] arm64: dts: qcom: msm8996: fix GPU OPP table Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 004/783] ARM: dts: qcom: apq8064: fix coresight compatible Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 005/783] arm64: dts: qcom: sdm630: fix UART1 pin bias Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 006/783] arm64: dts: qcom: sdm845-cheza: fix AP suspend " Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 007/783] arm64: dts: qcom: msm8916: Drop MSS fallback compatible Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 008/783] objtool, kcsan: Add volatile read/write instrumentation to whitelist Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 009/783] ARM: dts: stm32: Drop stm32mp15xc.dtsi from Avenger96 Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 010/783] ARM: dts: stm32: Fix AV96 WLAN regulator gpio property Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 011/783] drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 012/783] soc: qcom: llcc: make irq truly optional Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 013/783] soc: qcom: apr: make code more reuseable Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 014/783] soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 015/783] arm: dts: spear600: Fix clcd interrupt Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 016/783] soc: ti: knav_qmss_queue: Use pm_runtime_resume_and_get instead of pm_runtime_get_sync Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 017/783] soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 018/783] soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 019/783] perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init() Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 020/783] perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init() Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 021/783] arm64: dts: ti: k3-am65-main: Drop dma-coherent in crypto node Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 022/783] arm64: dts: ti: k3-j721e-main: " Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 023/783] arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 024/783] arm64: dts: mt2712e: Fix unit address for pinctrl node Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 025/783] arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 026/783] arm64: dts: mt2712-evb: Fix usb vbus " Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 027/783] arm64: dts: mediatek: pumpkin-common: Fix devicetree warnings Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 028/783] arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 029/783] ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 030/783] ARM: dts: armada-370: " Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 031/783] ARM: dts: armada-xp: " Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 032/783] ARM: dts: armada-375: " Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 033/783] ARM: dts: armada-38x: " Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 034/783] ARM: dts: armada-39x: " Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 035/783] ARM: dts: turris-omnia: Add ethernet aliases Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 036/783] ARM: dts: turris-omnia: Add switch port 6 node Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 037/783] arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 038/783] pstore/ram: Fix error return code in ramoops_probe() Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 039/783] ARM: mmp: fix timer_read delay Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 040/783] pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 041/783] tpm/tpm_ftpm_tee: Fix error handling in ftpm_mod_init() Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 042/783] tpm/tpm_crb: Fix error message in __crb_relinquish_locality() Greg Kroah-Hartman
2023-01-12 13:45 ` [PATCH 5.10 043/783] sched/fair: Cleanup task_util and capacity type Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 044/783] sched/uclamp: Fix relationship between uclamp and migration margin Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 045/783] cpuidle: dt: Return the correct numbers of parsed idle states Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 046/783] alpha: fix syscall entry in !AUDUT_SYSCALL case Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 047/783] PM: hibernate: Fix mistake in kerneldoc comment Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 048/783] fs: dont audit the capability check in simple_xattr_list() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 049/783] cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 050/783] selftests/ftrace: event_triggers: wait longer for test_event_enable Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 051/783] perf: Fix possible memleak in pmu_dev_alloc() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 052/783] lib/debugobjects: fix stat count and optimize debug_objects_mem_init Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 053/783] platform/x86: huawei-wmi: fix return value calculation Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 054/783] timerqueue: Use rb_entry_safe() in timerqueue_getnext() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 055/783] proc: fixup uptime selftest Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 056/783] lib/fonts: fix undefined behavior in bit shift for get_default_font Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 057/783] ocfs2: fix memory leak in ocfs2_stack_glue_init() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 058/783] MIPS: vpe-mt: fix possible memory leak while module exiting Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 059/783] MIPS: vpe-cmp: " Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 060/783] selftests/efivarfs: Add checking of the test return value Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 061/783] PNP: fix name memory leak in pnp_alloc_dev() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 062/783] perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 063/783] perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 064/783] perf/x86/intel/uncore: Fix reference count leak in __uncore_imc_init_box() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 065/783] platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 066/783] irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 067/783] EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 068/783] nfsd: dont call nfsd_file_put from client states seqfile display Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 069/783] genirq/irqdesc: Dont try to remove non-existing sysfs files Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 070/783] cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 071/783] libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 072/783] lib/notifier-error-inject: fix error when writing -errno to debugfs file Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 073/783] docs: fault-injection: fix non-working usage of negative values Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 074/783] debugfs: fix error when writing negative value to atomic_t debugfs file Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 075/783] ocfs2: ocfs2_mount_volume does cleanup job before return error Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 076/783] ocfs2: rewrite error handling of ocfs2_fill_super Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 077/783] ocfs2: fix memory leak in ocfs2_mount_volume() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 078/783] rapidio: fix possible name leaks when rio_add_device() fails Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 079/783] rapidio: rio: fix possible name leak in rio_register_mport() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 080/783] clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 081/783] clocksource/drivers/sh_cmt: Access registers according to spec Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 082/783] futex: Move to kernel/futex/ Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 083/783] futex: Resend potentially swallowed owner death notification Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 084/783] cpu/hotplug: Make target_store() a nop when target == state Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 085/783] clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 086/783] ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 087/783] uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 088/783] x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 089/783] x86/xen: Fix memory leak in xen_init_lock_cpu() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 090/783] xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 091/783] PM: runtime: Improve path in rpm_idle() when no callback Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 092/783] PM: runtime: Do not call __rpm_callback() from rpm_idle() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 093/783] platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 094/783] platform/x86: intel_scu_ipc: fix possible name leak in __intel_scu_ipc_register() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 095/783] MIPS: BCM63xx: Add check for NULL for clk in clk_enable Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 096/783] MIPS: OCTEON: warn only once if deprecated link status is being used Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 097/783] fs: sysv: Fix sysv_nblocks() returns wrong value Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 098/783] rapidio: fix possible UAF when kfifo_alloc() fails Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 099/783] eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 100/783] relay: fix type mismatch when allocating memory in relay_create_buf() Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 101/783] hfs: Fix OOB Write in hfs_asc2mac Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 102/783] rapidio: devices: fix missing put_device in mport_cdev_open Greg Kroah-Hartman
2023-01-12 13:46 ` [PATCH 5.10 103/783] wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 104/783] wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 105/783] wifi: rtl8xxxu: Fix reading the vendor of combo chips Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 106/783] drm/bridge: adv7533: remove dynamic lane switching from adv7533 bridge Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 107/783] libbpf: Fix use-after-free in btf_dump_name_dups Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 108/783] libbpf: Fix null-pointer dereference in find_prog_by_sec_insn() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 109/783] pata_ipx4xx_cf: Fix unsigned comparison with less than zero Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 110/783] media: coda: jpeg: Add check for kmalloc Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 111/783] media: i2c: ad5820: Fix error path Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 112/783] venus: pm_helpers: Fix error check in vcodec_domains_get() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 113/783] media: exynos4-is: Use v4l2_async_notifier_add_fwnode_remote_subdev Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 114/783] media: exynos4-is: dont rely on the v4l2_async_subdev internals Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 115/783] can: kvaser_usb: do not increase tx statistics when sending error message frames Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 116/783] can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 117/783] can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 118/783] can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 119/783] can: kvaser_usb_leaf: Set Warning state even without bus errors Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 120/783] can: kvaser_usb_leaf: Fix improved state not being reported Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 121/783] can: kvaser_usb_leaf: Fix wrong CAN state after stopping Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 122/783] can: kvaser_usb_leaf: Fix bogus restart events Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 123/783] can: kvaser_usb: Add struct kvaser_usb_busparams Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 124/783] can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 125/783] drm/rockchip: lvds: fix PM usage counter unbalance in poweron Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 126/783] clk: renesas: r9a06g032: Repair grave increment error Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 127/783] spi: Update reference to struct spi_controller Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 128/783] drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 129/783] ima: Fix fall-through warnings for Clang Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 130/783] ima: Handle -ESTALE returned by ima_filter_rule_match() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 131/783] drm/msm/hdmi: switch to drm_bridge_connector Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 132/783] drm/msm/hdmi: drop unused GPIO support Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 133/783] bpf: Fix slot type check in check_stack_write_var_off Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 134/783] media: vivid: fix compose size exceed boundary Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 135/783] media: platform: exynos4-is: fix return value check in fimc_md_probe() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 136/783] bpf: propagate precision in ALU/ALU64 operations Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 137/783] bpf: Check the other end of slot_type for STACK_SPILL Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 138/783] bpf: propagate precision across all frames, not just the last one Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 139/783] clk: qcom: gcc-sm8250: Use retention mode for USB GDSCs Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 140/783] mtd: Fix device name leak when register device failed in add_mtd_device() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 141/783] Input: joystick - fix Kconfig warning for JOYSTICK_ADC Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 142/783] wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 143/783] media: camss: Clean up received buffers on failed start of streaming Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 144/783] net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 145/783] rxrpc: Fix ack.bufferSize to be 0 when generating an ack Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 146/783] drm/radeon: Add the missed acpi_put_table() to fix memory leak Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 147/783] drm/mediatek: Modify dpi power on/off sequence Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 148/783] ASoC: pxa: fix null-pointer dereference in filter() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 149/783] regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 150/783] amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 151/783] drm/fourcc: Add packed 10bit YUV 4:2:0 format Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 152/783] drm/fourcc: Fix vsub/hsub for Q410 and Q401 Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 153/783] integrity: Fix memory leakage in keyring allocation error path Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 154/783] ima: Fix misuse of dereference of pointer in template_desc_init_fields() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 155/783] wifi: ath10k: Fix return value in ath10k_pci_init() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 156/783] mtd: lpddr2_nvm: Fix possible null-ptr-deref Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 157/783] Input: elants_i2c - properly handle the reset GPIO when power is off Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 158/783] media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 159/783] media: solo6x10: fix possible memory leak in solo_sysfs_init() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 160/783] media: platform: exynos4-is: Fix error handling in fimc_md_init() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 161/783] media: videobuf-dma-contig: use dma_mmap_coherent Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 162/783] inet: add READ_ONCE(sk->sk_bound_dev_if) in inet_csk_bind_conflict() Greg Kroah-Hartman
2023-01-12 13:47 ` [PATCH 5.10 163/783] bpf: Move skb->len == 0 checks into __bpf_redirect Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 164/783] HID: hid-sensor-custom: set fixed size for custom attributes Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 165/783] ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 166/783] ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 167/783] regulator: core: use kfree_const() to free space conditionally Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 168/783] clk: rockchip: Fix memory leak in rockchip_clk_register_pll() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 169/783] drm/amdgpu: fix pci device refcount leak Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 170/783] bonding: fix link recovery in mode 2 when updelay is nonzero Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 171/783] mtd: maps: pxa2xx-flash: fix memory leak in probe Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 172/783] drbd: fix an invalid memory access caused by incorrect use of list iterator Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 173/783] ASoC: qcom: Add checks for devm_kcalloc Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 174/783] media: vimc: Fix wrong function called when vimc_init() fails Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 175/783] media: imon: fix a race condition in send_packet() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 176/783] clk: imx: replace osc_hdmi with dummy Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 177/783] pinctrl: pinconf-generic: add missing of_node_put() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 178/783] media: dvb-core: Fix ignored return value in dvb_register_frontend() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 179/783] media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 180/783] media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 181/783] drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 182/783] ASoC: dt-bindings: wcd9335: fix reset line polarity in example Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 183/783] ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 184/783] NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 185/783] NFSv4.2: Fix a memory stomp in decode_attr_security_label Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 186/783] NFSv4.2: Fix initialisation of struct nfs4_label Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 187/783] NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 188/783] NFS: Fix an Oops in nfs_d_automount() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 189/783] ALSA: asihpi: fix missing pci_disable_device() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 190/783] wifi: iwlwifi: mvm: fix double free on tx path Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 191/783] ASoC: mediatek: mt8173: Fix debugfs registration for components Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 192/783] ASoC: mediatek: mt8173: Enable IRQ when pdata is ready Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 193/783] drm/amd/pm/smu11: BACO is supported when its in BACO state Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 194/783] drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 195/783] drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 196/783] ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 197/783] netfilter: conntrack: set icmpv6 redirects as RELATED Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 198/783] bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 199/783] bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 200/783] bonding: uninitialized variable in bond_miimon_inspect() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 201/783] spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 202/783] wifi: mac80211: fix memory leak in ieee80211_if_add() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 203/783] wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 204/783] wifi: mt76: fix coverity overrun-call in mt76_get_txpower() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 205/783] regulator: core: fix module refcount leak in set_supply() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 206/783] clk: qcom: clk-krait: fix wrong div2 functions Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 207/783] hsr: Add a rcu-read lock to hsr_forward_skb() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 208/783] net: hsr: generate supervision frame without HSR/PRP tag Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 209/783] hsr: Disable netpoll Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 210/783] hsr: Synchronize sending frames to have always incremented outgoing seq nr Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 211/783] hsr: Synchronize sequence number updates Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 212/783] configfs: fix possible memory leak in configfs_create_dir() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 213/783] regulator: core: fix resource leak in regulator_register() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 214/783] hwmon: (jc42) Convert register access and caching to regmap/regcache Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 215/783] hwmon: (jc42) Restore the min/max/critical temperatures on resume Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 216/783] bpf, sockmap: fix race in sock_map_free() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 217/783] ALSA: pcm: Set missing stop_operating flag at undoing trigger start Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 218/783] media: saa7164: fix missing pci_disable_device() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 219/783] ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 220/783] xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 221/783] SUNRPC: Fix missing release socket in rpc_sockname() Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 222/783] NFSv4.x: Fail client initialisation if state manager thread cant run Greg Kroah-Hartman
2023-01-12 13:48 ` [PATCH 5.10 223/783] mmc: alcor: fix return value check of mmc_add_host() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 224/783] mmc: moxart: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 225/783] mmc: mxcmmc: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 226/783] mmc: pxamci: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 227/783] mmc: rtsx_usb_sdmmc: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 228/783] mmc: toshsd: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 229/783] mmc: vub300: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 230/783] mmc: wmt-sdmmc: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 231/783] mmc: atmel-mci: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 232/783] mmc: omap_hsmmc: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 233/783] mmc: meson-gx: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 234/783] mmc: via-sdmmc: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 235/783] mmc: wbsd: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 236/783] mmc: mmci: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 237/783] media: c8sectpfe: Add of_node_put() when breaking out of loop Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 238/783] media: coda: Add check for dcoda_iram_alloc Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 239/783] media: coda: Add check for kmalloc Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 240/783] clk: samsung: Fix memory leak in _samsung_clk_register_pll() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 241/783] spi: spi-gpio: Dont set MOSI as an input if not 3WIRE mode Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 242/783] wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 243/783] wifi: rtl8xxxu: Fix the channel width reporting Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 244/783] wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 245/783] blktrace: Fix output non-blktrace event when blk_classic option enabled Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 246/783] clk: socfpga: clk-pll: Remove unused variable rc Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 247/783] clk: socfpga: use clk_hw_register for a5/c5 Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 248/783] clk: socfpga: Fix memory leak in socfpga_gate_init() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 249/783] net: vmw_vsock: vmci: Check memcpy_from_msg() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 250/783] net: defxx: Fix missing err handling in dfx_init() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 251/783] net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 252/783] drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 253/783] of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 254/783] ethernet: s2io: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 255/783] net: farsync: Fix kmemleak when rmmods farsync Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 256/783] net/tunnel: wait until all sk_user_data reader finish before releasing the sock Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 257/783] net: apple: mace: dont call dev_kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 258/783] net: apple: bmac: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 259/783] net: emaclite: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 260/783] net: ethernet: dnet: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 261/783] hamradio: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 262/783] net: amd: lance: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 263/783] net: amd-xgbe: Fix logic around active and passive cables Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 264/783] net: amd-xgbe: Check only the minimum speed for active/passive cables Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 265/783] can: tcan4x5x: Remove invalid write in clear_interrupts Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 266/783] net: lan9303: Fix read error execution path Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 267/783] ntb_netdev: Use dev_kfree_skb_any() in interrupt context Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 268/783] sctp: sysctl: make extra pointers netns aware Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 269/783] Bluetooth: btusb: dont call kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 270/783] Bluetooth: hci_qca: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 271/783] Bluetooth: hci_ll: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 272/783] Bluetooth: hci_h5: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 273/783] Bluetooth: hci_bcsp: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 274/783] Bluetooth: hci_core: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 275/783] Bluetooth: RFCOMM: " Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 276/783] stmmac: fix potential division by 0 Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 277/783] apparmor: fix a memleak in multi_transaction_new() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 278/783] apparmor: fix lockdep warning when removing a namespace Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 279/783] apparmor: Fix abi check to include v8 abi Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 280/783] crypto: sun8i-ss - use dma_addr instead u32 Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 281/783] crypto: nitrox - avoid double free on error path in nitrox_sriov_init() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 282/783] scsi: core: Fix a race between scsi_done() and scsi_timeout() Greg Kroah-Hartman
2023-01-12 13:49 ` [PATCH 5.10 283/783] apparmor: Use pointer to struct aa_label for lbs_cred Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 284/783] PCI: dwc: Fix n_fts[] array overrun Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 285/783] RDMA/core: Fix order of nldev_exit call Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 286/783] PCI: pci-epf-test: Register notifier if only core_init_notifier is enabled Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 287/783] f2fs: Fix the race condition of resize flag between resizefs Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 288/783] crypto: rockchip - do not do custom power management Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 289/783] crypto: rockchip - do not store mode globally Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 290/783] crypto: rockchip - add fallback for cipher Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 291/783] crypto: rockchip - add fallback for ahash Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 292/783] crypto: rockchip - better handle cipher key Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 293/783] crypto: rockchip - remove non-aligned handling Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 294/783] crypto: rockchip - delete unneeded variable initialization Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 295/783] crypto: rockchip - rework by using crypto_engine Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 296/783] apparmor: Fix memleak in alloc_ns() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 297/783] f2fs: fix normal discard process Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 298/783] RDMA/siw: Fix immediate work request flush to completion queue Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 299/783] RDMA/nldev: Return "-EAGAIN" if the cm_id isnt from expected port Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 300/783] RDMA/siw: Set defined status for work completion with undefined status Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 301/783] scsi: scsi_debug: Fix a warning in resp_write_scat() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 302/783] crypto: ccree - Remove debugfs when platform_driver_register failed Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 303/783] crypto: cryptd - Use request context instead of stack for sub-request Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 304/783] crypto: hisilicon/qm - add missing pci_dev_put() in q_num_set() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 305/783] RDMA/hns: Repacing dseg_len by macros in fill_ext_sge_inl_data() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 306/783] RDMA/hns: Fix ext_sge num error when post send Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 307/783] PCI: Check for alloc failure in pci_request_irq() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 308/783] RDMA/hfi: Decrease PCI device reference count in error path Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 309/783] crypto: ccree - Make cc_debugfs_global_fini() available for module init function Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 310/783] RDMA/hns: fix memory leak in hns_roce_alloc_mr() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 311/783] RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 312/783] scsi: hpsa: Fix possible memory leak in hpsa_init_one() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 313/783] crypto: tcrypt - Fix multibuffer skcipher speed test mem leak Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 314/783] padata: Always leave BHs disabled when running ->parallel() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 315/783] padata: Fix list iterator in padata_do_serial() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 316/783] scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 317/783] scsi: hpsa: Fix error handling in hpsa_add_sas_host() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 318/783] scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 319/783] scsi: scsi_debug: Fix a warning in resp_verify() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 320/783] scsi: scsi_debug: Fix a warning in resp_report_zones() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 321/783] scsi: fcoe: Fix possible name leak when device_register() fails Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 322/783] scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 323/783] scsi: ipr: Fix WARNING in ipr_init() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 324/783] scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 325/783] scsi: snic: Fix possible UAF in snic_tgt_create() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 326/783] RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 327/783] f2fs: avoid victim selection from previous victim section Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 328/783] RDMA/nldev: Fix failure to send large messages Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 329/783] crypto: amlogic - Remove kcalloc without check Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 330/783] crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 331/783] riscv/mm: add arch hook arch_clear_hugepage_flags Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 332/783] RDMA/hfi1: Fix error return code in parse_platform_config() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 333/783] RDMA/srp: Fix error return code in srp_parse_options() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 334/783] orangefs: Fix sysfs not cleanup when dev init failed Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 335/783] RDMA/hns: Fix PBL page MTR find Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 336/783] RDMA/hns: Fix page size cap from firmware Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 337/783] crypto: img-hash - Fix variable dereferenced before check hdev->req Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 338/783] hwrng: amd - Fix PCI device refcount leak Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 339/783] hwrng: geode " Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 340/783] IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 341/783] drivers: dio: fix possible memory leak in dio_init() Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 342/783] serial: tegra: Read DMA status before terminating Greg Kroah-Hartman
2023-01-12 13:50 ` [PATCH 5.10 343/783] class: fix possible memory leak in __class_register() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 344/783] vfio: platform: Do not pass return buffer to ACPI _RST method Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 345/783] uio: uio_dmem_genirq: Fix missing unlock in irq configuration Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 346/783] uio: uio_dmem_genirq: Fix deadlock between irq config and handling Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 347/783] usb: fotg210-udc: Fix ages old endianness issues Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 348/783] staging: vme_user: Fix possible UAF in tsi148_dma_list_add Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 349/783] usb: typec: Check for ops->exit instead of ops->enter in altmode_exit Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 350/783] usb: typec: tcpci: fix of node refcount leak in tcpci_register_port() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 351/783] usb: typec: tipd: Fix spurious fwnode_handle_put in error path Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 352/783] serial: amba-pl011: avoid SBSA UART accessing DMACR register Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 353/783] serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 354/783] serial: pch: Fix PCI device refcount leak in pch_request_dma() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 355/783] tty: serial: clean up stop-tx part in altera_uart_tx_chars() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 356/783] tty: serial: altera_uart_{r,t}x_chars() need only uart_port Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 357/783] serial: altera_uart: fix locking in polling mode Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 358/783] serial: sunsab: Fix error handling in sunsab_init() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 359/783] test_firmware: fix memory leak in test_firmware_init() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 360/783] misc: ocxl: fix possible name leak in ocxl_file_register_afu() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 361/783] ocxl: fix pci device refcount leak when calling get_function_0() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 362/783] misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 363/783] misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 364/783] firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 365/783] cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 366/783] cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 367/783] iio: temperature: ltc2983: make bulk write buffer DMA-safe Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 368/783] genirq: Add IRQF_NO_AUTOEN for request_irq/nmi() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 369/783] iio:imu:adis: Use IRQF_NO_AUTOEN instead of irq request then disable Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 370/783] iio: adis: handle devices that cannot unmask the drdy pin Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 371/783] iio: adis: stylistic changes Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 372/783] iio:imu:adis: Move exports into IIO_ADISLIB namespace Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 373/783] iio: adis: add __adis_enable_irq() implementation Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 374/783] counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 375/783] usb: roles: fix of node refcount leak in usb_role_switch_is_parent() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 376/783] usb: gadget: f_hid: optional SETUP/SET_REPORT mode Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 377/783] usb: gadget: f_hid: fix f_hidg lifetime vs cdev Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 378/783] usb: gadget: f_hid: fix refcount leak on error path Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 379/783] drivers: mcb: fix resource leak in mcb_probe() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 380/783] mcb: mcb-parse: fix error handing in chameleon_parse_gdd() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 381/783] chardev: fix error handling in cdev_device_add() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 382/783] i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 383/783] staging: rtl8192u: Fix use after free in ieee80211_rx() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 384/783] staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 385/783] vme: Fix error not catched in fake_init() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 386/783] gpiolib: Get rid of redundant else Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 387/783] gpiolib: cdev: fix NULL-pointer dereferences Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 388/783] i2c: mux: reg: check return value after calling platform_get_resource() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 389/783] i2c: ismt: Fix an out-of-bounds bug in ismt_access() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 390/783] usb: storage: Add check for kcalloc Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 391/783] tracing/hist: Fix issue of losting command info in error_log Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 392/783] samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 393/783] thermal/drivers/imx8mm_thermal: Validate temperature range Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 394/783] fbdev: ssd1307fb: Drop optional dependency Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 395/783] fbdev: pm2fb: fix missing pci_disable_device() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 396/783] fbdev: via: Fix error in via_core_init() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 397/783] fbdev: vermilion: decrease reference count in error path Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 398/783] fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 399/783] HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 400/783] HSI: omap_ssi_core: fix possible memory leak in ssi_probe() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 401/783] power: supply: fix residue sysfs file in error handle route of __power_supply_register() Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 402/783] perf trace: Return error if a system call doesnt exist Greg Kroah-Hartman
2023-01-12 13:51 ` [PATCH 5.10 403/783] perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 404/783] perf trace: Handle failure when trace point folder is missed Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 405/783] perf symbol: correction while adjusting symbol Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 406/783] HSI: omap_ssi_core: Fix error handling in ssi_init() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 407/783] power: supply: fix null pointer dereferencing in power_supply_get_battery_info Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 408/783] RDMA/siw: Fix pointer cast warning Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 409/783] iommu/sun50i: Fix reset release Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 410/783] iommu/sun50i: Consider all fault sources for reset Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 411/783] iommu/sun50i: Fix R/W permission check Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 412/783] iommu/sun50i: Fix flush size Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 413/783] phy: usb: s2 WoL wakeup_count not incremented for USB->Eth devices Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 414/783] include/uapi/linux/swab: Fix potentially missing __always_inline Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 415/783] pwm: tegra: Improve required rate calculation Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 416/783] dmaengine: idxd: Fix crc_val field for completion record Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 417/783] rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0 Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 418/783] rtc: cmos: Fix event handler registration ordering issue Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 419/783] rtc: cmos: Fix wake alarm breakage Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 420/783] rtc: cmos: fix build on non-ACPI platforms Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 421/783] rtc: cmos: Call cmos_wake_setup() from cmos_do_probe() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 422/783] rtc: cmos: Call rtc_wake_setup() " Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 423/783] rtc: cmos: Eliminate forward declarations of some functions Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 424/783] rtc: cmos: Rename ACPI-related functions Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 425/783] rtc: cmos: Disable ACPI RTC event on removal Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 426/783] rtc: snvs: Allow a time difference on clock register read Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 427/783] rtc: pcf85063: Fix reading alarm Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 428/783] iommu/amd: Fix pci device refcount leak in ppr_notifier() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 429/783] iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 430/783] macintosh: fix possible memory leak in macio_add_one_device() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 431/783] macintosh/macio-adb: check the return value of ioremap() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 432/783] powerpc/52xx: Fix a resource leak in an error handling path Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 433/783] cxl: Fix refcount leak in cxl_calc_capp_routing Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 434/783] powerpc/xmon: Enable breakpoints on 8xx Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 435/783] powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 436/783] powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 437/783] kbuild: remove unneeded mkdir for external modules_install Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 438/783] kbuild: unify modules(_install) for in-tree and external modules Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 439/783] kbuild: refactor single builds of *.ko Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 440/783] powerpc/perf: callchain validate kernel stack pointer bounds Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 441/783] powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 442/783] powerpc/hv-gpci: Fix hv_gpci event list Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 443/783] selftests/powerpc: Fix resource leaks Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 444/783] iommu/sun50i: Remove IOMMU_DOMAIN_IDENTITY Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 445/783] pwm: sifive: Call pwm_sifive_update_clock() while mutex is held Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 446/783] remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 447/783] remoteproc: qcom_q6v5_pas: disable wakeup on probe fail or remove Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 448/783] remoteproc: qcom_q6v5_pas: detach power domains on remove Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 449/783] remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in adsp_alloc_memory_region() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 450/783] powerpc/eeh: Drop redundant spinlock initialization Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 451/783] powerpc/pseries/eeh: use correct API for error log size Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 452/783] netfilter: flowtable: really fix NAT IPv6 offload Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 453/783] rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 454/783] rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 455/783] rtc: pcf85063: fix pcf85063_clkout_control Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 456/783] NFSD: Remove spurious cb_setup_err tracepoint Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 457/783] nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 458/783] net: macsec: fix net device access prior to holding a lock Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 459/783] mISDN: hfcsusb: dont call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 460/783] mISDN: hfcpci: " Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 461/783] mISDN: hfcmulti: " Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 462/783] nfc: pn533: Clear nfc_target before being used Greg Kroah-Hartman
2023-01-12 13:52 ` [PATCH 5.10 463/783] r6040: Fix kmemleak in probe and remove Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 464/783] net: switch to storing KCOV handle directly in sk_buff Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 465/783] net: add inline function skb_csum_is_sctp Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 466/783] net: igc: use skb_csum_is_sctp instead of protocol check Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 467/783] net: add a helper to avoid issues with HW TX timestamping and SO_TXTIME Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 468/783] igc: Enhance Qbv scheduling by using first flag bit Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 469/783] igc: Use strict cycles for Qbv scheduling Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 470/783] igc: Add checking for basetime less than zero Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 471/783] igc: recalculate Qbv end_time by considering cycle time Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 472/783] igc: Lift TAPRIO schedule restriction Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 473/783] igc: Set Qbv start_time and end_time to end_time if not being configured in GCL Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 474/783] rtc: mxc_v2: Add missing clk_disable_unprepare() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 475/783] selftests: devlink: fix the fd redirect in dummy_reporter_test Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 476/783] openvswitch: Fix flow lookup to use unmasked key Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 477/783] skbuff: Account for tail adjustment during pull operations Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 478/783] mailbox: zynq-ipi: fix error handling while device_register() fails Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 479/783] net_sched: reject TCF_EM_SIMPLE case for complex ematch module Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 480/783] rxrpc: Fix missing unlock in rxrpc_do_sendmsg() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 481/783] myri10ge: Fix an error handling path in myri10ge_probe() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 482/783] net: stream: purge sk_error_queue in sk_stream_kill_queues() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 483/783] rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 484/783] arm64: make is_ttbrX_addr() noinstr-safe Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 485/783] video: hyperv_fb: Avoid taking busy spinlock on panic path Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 486/783] x86/hyperv: Remove unregister syscore call from Hyper-V cleanup Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 487/783] binfmt_misc: fix shift-out-of-bounds in check_special_flags Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 488/783] fs: jfs: fix shift-out-of-bounds in dbAllocAG Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 489/783] udf: Avoid double brelse() in udf_rename() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 490/783] fs: jfs: fix shift-out-of-bounds in dbDiscardAG Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 491/783] ACPICA: Fix error code path in acpi_ds_call_control_method() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 492/783] nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 493/783] nilfs2: fix shift-out-of-bounds due to too large exponent of block size Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 494/783] acct: fix potential integer overflow in encode_comp_t() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 495/783] hfs: fix OOB Read in __hfs_brec_find Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 496/783] drm/etnaviv: add missing quirks for GC300 Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 497/783] brcmfmac: return error when getting invalid max_flowrings from dongle Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 498/783] wifi: ath9k: verify the expected usb_endpoints are present Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 499/783] wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 500/783] ASoC: codecs: rt298: Add quirk for KBL-R RVP platform Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 501/783] ipmi: fix memleak when unload ipmi driver Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 502/783] drm/amd/display: prevent memory leak Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 503/783] qed (gcc13): use u16 for fid to be big enough Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 504/783] bpf: make sure skb->len != 0 when redirecting to a tunneling device Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 505/783] net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 506/783] hamradio: baycom_epp: Fix return type of baycom_send_packet() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 507/783] wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 508/783] igb: Do not free q_vector unless new one was allocated Greg Kroah-Hartman
2023-01-12 13:53 ` [Intel-wired-lan] " Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 509/783] drm/amdgpu: Fix type of second parameter in trans_msg() callback Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 510/783] drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 511/783] s390/ctcm: Fix return type of ctc{mp,}m_tx() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 512/783] s390/netiucv: Fix return type of netiucv_tx() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 513/783] s390/lcs: Fix return type of lcs_start_xmit() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 514/783] drm/msm: Use drm_mode_copy() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 515/783] drm/rockchip: " Greg Kroah-Hartman
2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 516/783] drm/sti: " Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 517/783] drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 518/783] md/raid1: stop mdx_raid1 thread when raid1 array run failed Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 519/783] drm/amd/display: fix array index out of bound error in bios parser Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 520/783] net: add atomic_long_t to net_device_stats fields Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 521/783] mrp: introduce active flags to prevent UAF when applicant uninit Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 522/783] ppp: associate skb with a device at tx Greg Kroah-Hartman
2023-01-12 13:53 ` [PATCH 5.10 523/783] bpf: Prevent decl_tag from being referenced in func_proto arg Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 524/783] ethtool: avoiding integer overflow in ethtool_phys_id() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 525/783] media: dvb-frontends: fix leak of memory fw Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 526/783] media: dvbdev: adopts refcnt to avoid UAF Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 527/783] media: dvb-usb: fix memory leak in dvb_usb_adapter_init() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 528/783] blk-mq: fix possible memleak when register hctx failed Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 529/783] libbpf: Avoid enum forward-declarations in public API in C++ mode Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 530/783] regulator: core: fix use_count leakage when handling boot-on Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 531/783] mmc: f-sdh30: Add quirks for broken timeout clock capability Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 532/783] mmc: renesas_sdhi: better reset from HS400 mode Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 533/783] media: si470x: Fix use-after-free in si470x_int_in_callback() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 534/783] clk: st: Fix memory leak in st_of_quadfs_setup() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 535/783] hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 536/783] drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 537/783] drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 538/783] orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 539/783] orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 540/783] hwmon: (jc42) Fix missing unlock on error in jc42_write() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 541/783] ALSA/ASoC: hda: move/rename snd_hdac_ext_stop_streams to hdac_stream.c Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 542/783] ALSA: hda: add snd_hdac_stop_streams() helper Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 543/783] ASoC: Intel: Skylake: Fix driver hang during shutdown Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 544/783] ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 545/783] ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 546/783] ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 547/783] ASoC: wm8994: Fix potential deadlock Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 548/783] ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 549/783] ASoC: rt5670: Remove unbalanced pm_runtime_put() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 550/783] LoadPin: Ignore the "contents" argument of the LSM hooks Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 551/783] pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 552/783] perf debug: Set debug_peo_args and redirect_to_stderr variable to correct values in perf_quiet_option() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 553/783] afs: Fix lost servers_outstanding count Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 554/783] pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 555/783] ima: Simplify ima_lsm_copy_rule Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 556/783] ALSA: usb-audio: add the quirk for KT0206 device Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 557/783] ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 558/783] ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 559/783] usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 560/783] usb: dwc3: core: defer probe on ulpi_read_id timeout Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 561/783] HID: wacom: Ensure bootloader PID is usable in hidraw mode Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 562/783] HID: mcp2221: dont connect hidraw Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 563/783] reiserfs: Add missing calls to reiserfs_security_free() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 564/783] iio: adc: ad_sigma_delta: do not use internal iio_dev lock Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 565/783] iio: adc128s052: add proper .data members in adc128_of_match table Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 566/783] regulator: core: fix deadlock on regulator enable Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 567/783] gcov: add support for checksum field Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 568/783] ovl: fix use inode directly in rcu-walk mode Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 569/783] media: dvbdev: fix build warning due to comments Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 570/783] media: dvbdev: fix refcnt bug Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 571/783] pwm: tegra: Fix 32 bit build Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 572/783] usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 573/783] cifs: fix oops during encryption Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 574/783] nvme-pci: fix doorbell buffer value endianness Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 575/783] nvme-pci: fix mempool alloc size Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 576/783] nvme-pci: fix page size checks Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 577/783] ata: ahci: Fix PCS quirk application for suspend Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 578/783] nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 579/783] nvmet: dont defer passthrough commands with trivial effects to the workqueue Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 580/783] objtool: Fix SEGFAULT Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 581/783] powerpc/rtas: avoid device tree lookups in rtas_os_term() Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 582/783] powerpc/rtas: avoid scheduling " Greg Kroah-Hartman
2023-01-12 13:54 ` [PATCH 5.10 583/783] HID: multitouch: fix Asus ExpertBook P2 P2451FA trackpoint Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 584/783] HID: plantronics: Additional PIDs for double volume key presses quirk Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 585/783] pstore/zone: Use GFP_ATOMIC to allocate zone buffer Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 586/783] hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 587/783] binfmt: Fix error return code in load_elf_fdpic_binary() Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 588/783] ovl: Use ovl mounters fsuid and fsgid in ovl_link() Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 589/783] ALSA: line6: correct midi status byte when receiving data from podxt Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 590/783] ALSA: line6: fix stack overflow in line6_midi_transmit Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 591/783] pnode: terminate at peers of source Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 592/783] md: fix a crash in mempool_free Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 593/783] mm, compaction: fix fast_isolate_around() to stay within boundaries Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 594/783] f2fs: should put a page when checking the summary info Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 595/783] mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 596/783] tpm: acpi: Call acpi_put_table() to fix memory leak Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 597/783] tpm: tpm_crb: Add the missed " Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 598/783] tpm: tpm_tis: " Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 599/783] SUNRPC: Dont leak netobj memory when gss_read_proxy_verf() fails Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 600/783] kcsan: Instrument memcpy/memset/memmove with newer Clang Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 601/783] ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 602/783] ASoC/SoundWire: dai: expand stream concept beyond SoundWire Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 603/783] net/mlx5e: Fix nullptr in mlx5e_tc_add_fdb_flow() Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 604/783] wifi: rtlwifi: remove always-true condition pointed out by GCC 12 Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 605/783] wifi: rtlwifi: 8192de: correct checking of IQK reload Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 606/783] torture: Exclude "NOHZ tick-stop error" from fatal errors Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 607/783] rcu: Prevent lockdep-RCU splats on lock acquisition/release Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 608/783] net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 609/783] net/af_packet: make sure to pull mac header Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 610/783] media: stv0288: use explicitly signed char Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 611/783] soc: qcom: Select REMAP_MMIO for LLCC driver Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 612/783] kest.pl: Fix grub2 menu handling for rebooting Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 613/783] ktest.pl minconfig: Unset configs instead of just removing them Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 614/783] jbd2: use the correct print format Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 615/783] arm64: dts: qcom: sdm845-db845c: correct SPI2 pins drive strength Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 616/783] mmc: sdhci-sprd: Disable CLK_AUTO when the clock is less than 400K Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 617/783] btrfs: fix resolving backrefs for inline extent followed by prealloc Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 618/783] ARM: ux500: do not directly dereference __iomem Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 619/783] arm64: dts: qcom: sdm850-lenovo-yoga-c630: correct I2C12 pins drive strength Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 620/783] selftests: Use optional USERCFLAGS and USERLDFLAGS Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 621/783] PM/devfreq: governor: Add a private governor_data for governor Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 622/783] cpufreq: Init completion before kobject_init_and_add() Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 623/783] ALSA: patch_realtek: Fix Dell Inspiron Plus 16 Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 624/783] ALSA: hda/realtek: Apply dual codec fixup for Dell Latitude laptops Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 625/783] dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 626/783] dm thin: Fix ABBA deadlock between shrink_slab and dm_pool_abort_metadata Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 627/783] dm thin: Use last transactions pmd->root when commit failed Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 628/783] dm thin: resume even if in FAIL mode Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 629/783] dm thin: Fix UAF in run_timer_softirq() Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 630/783] dm integrity: Fix UAF in dm_integrity_dtr() Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 631/783] dm clone: Fix UAF in clone_dtr() Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 632/783] dm cache: Fix UAF in destroy() Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 633/783] dm cache: set needs_check flag after aborting metadata Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 634/783] tracing/hist: Fix out-of-bound write on action_data.var_ref_idx Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 635/783] perf/core: Call LSM hook after copying perf_event_attr Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 636/783] KVM: nVMX: Inject #GP, not #UD, if "generic" VMXON CR0/CR4 check fails Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 637/783] x86/microcode/intel: Do not retry microcode reloading on the APs Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 638/783] ftrace/x86: Add back ftrace_expected for ftrace bug reports Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 639/783] x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 640/783] tracing/hist: Fix wrong return value in parse_action_params() Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 641/783] tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 642/783] staging: media: tegra-video: fix chan->mipi value on error Greg Kroah-Hartman
2023-01-12 13:55 ` [PATCH 5.10 643/783] ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 644/783] media: dvb-core: Fix double free in dvb_register_device() Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 645/783] media: dvb-core: Fix UAF due to refcount races at releasing Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 646/783] cifs: fix confusing debug message Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 647/783] cifs: fix missing display of three mount options Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 648/783] rtc: ds1347: fix value written to century register Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 649/783] md/bitmap: Fix bitmap chunk size overflow issues Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 650/783] efi: Add iMac Pro 2017 to uefi skip cert quirk Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 651/783] wifi: wilc1000: sdio: fix module autoloading Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 652/783] ASoC: jz4740-i2s: Handle independent FIFO flush bits Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 653/783] ipmi: fix long wait in unload when IPMI disconnect Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 654/783] mtd: spi-nor: Check for zero erase size in spi_nor_find_best_erase_type() Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 655/783] ima: Fix a potential NULL pointer access in ima_restore_measurement_list Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 656/783] ipmi: fix use after free in _ipmi_destroy_user() Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 657/783] PCI: Fix pci_device_is_present() for VFs by checking PF Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 658/783] PCI/sysfs: Fix double free in error path Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 659/783] crypto: n2 - add missing hash statesize Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 660/783] driver core: Fix bus_type.match() error handling in __driver_attach() Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 661/783] iommu/amd: Fix ivrs_acpihid cmdline parsing code Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 662/783] remoteproc: core: Do pm_relax when in RPROC_OFFLINE state Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 663/783] parisc: led: Fix potential null-ptr-deref in start_task() Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 664/783] device_cgroup: Roll back to original exceptions after copy failure Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 665/783] drm/connector: send hotplug uevent on connector cleanup Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 666/783] drm/vmwgfx: Validate the box size for the snooped cursor Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 667/783] drm/i915/dsi: fix VBT send packet port selection for dual link DSI Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 668/783] drm/ingenic: Fix missing platform_driver_unregister() call in ingenic_drm_init() Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 669/783] ext4: silence the warning when evicting inode with dioread_nolock Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 670/783] ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 671/783] ext4: fix use-after-free in ext4_orphan_cleanup Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 672/783] ext4: fix undefined behavior in bit shift for ext4_check_flag_values Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 673/783] ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 674/783] ext4: add helper to check quota inums Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 675/783] ext4: fix bug_on in __es_tree_search caused by bad quota inode Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 676/783] ext4: fix reserved cluster accounting in __es_remove_extent() Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 677/783] ext4: check and assert if marking an no_delete evicting inode dirty Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 678/783] ext4: fix bug_on in __es_tree_search caused by bad boot loader inode Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 679/783] ext4: init quota for old.inode in ext4_rename Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 680/783] ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 681/783] ext4: fix corruption when online resizing a 1K bigalloc fs Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 682/783] ext4: fix error code return to user-space in ext4_get_branch() Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 683/783] ext4: avoid BUG_ON when creating xattrs Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 684/783] ext4: fix inode leak in ext4_xattr_inode_create() on an error path Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 685/783] ext4: initialize quota before expanding inode in setproject ioctl Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 686/783] ext4: avoid unaccounted block allocation when expanding inode Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 687/783] ext4: allocate extended attribute value in vmalloc area Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 688/783] drm/amdgpu: handle polaris10/11 overlap asics (v2) Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 689/783] drm/amdgpu: make display pinning more flexible (v2) Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 690/783] ARM: renumber bits related to _TIF_WORK_MASK Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 691/783] perf/x86/intel/uncore: Generalize I/O stacks to PMON mapping procedure Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 692/783] perf/x86/intel/uncore: Clear attr_update properly Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 693/783] btrfs: replace strncpy() with strscpy() Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 694/783] x86/mce: Get rid of msr_ops Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 695/783] x86/MCE/AMD: Clear DFR errors found in THR handler Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 696/783] media: s5p-mfc: Fix to handle reference queue during finishing Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 697/783] media: s5p-mfc: Clear workbit to handle error condition Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 698/783] media: s5p-mfc: Fix in register read and write for H264 Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 699/783] perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 700/783] perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 701/783] x86/kprobes: Convert to insn_decode() Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 702/783] x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK Greg Kroah-Hartman
2023-01-12 13:56 ` [PATCH 5.10 703/783] staging: media: tegra-video: fix device_node use after free Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 704/783] ravb: Fix "failed to switch device to config mode" message during unbind Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 705/783] riscv/stacktrace: Fix stack output without ra on the stack top Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 706/783] riscv: stacktrace: Fixup ftrace_graph_ret_addr retp argument Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 707/783] ext4: goto right label failed_mount3a Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 708/783] ext4: correct inconsistent error msg in nojournal mode Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 709/783] mm/highmem: Lift memcpy_[to|from]_page to core Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 710/783] ext4: use memcpy_to_page() in pagecache_write() Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 711/783] fs: ext4: initialize fsdata " Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 712/783] ext4: move functions in super.c Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 713/783] ext4: simplify ext4 error translation Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 714/783] ext4: fix various seppling typos Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 715/783] ext4: fix leaking uninitialized memory in fast-commit journal Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 716/783] ext4: use kmemdup() to replace kmalloc + memcpy Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 717/783] mbcache: dont reclaim used entries Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 718/783] mbcache: add functions to delete entry if unused Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 719/783] ext4: remove EA inode entry from mbcache on inode eviction Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 720/783] ext4: unindent codeblock in ext4_xattr_block_set() Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 721/783] ext4: fix race when reusing xattr blocks Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 722/783] mbcache: automatically delete entries from cache on freeing Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 723/783] ext4: fix deadlock due to mbcache entry corruption Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 724/783] SUNRPC: ensure the matching upcall is in-flight upon downcall Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 725/783] bpf: pull before calling skb_postpull_rcsum() Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 726/783] drm/panfrost: Fix GEM handle creation ref-counting Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 727/783] vmxnet3: correctly report csum_level for encapsulated packet Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 728/783] veth: Fix race with AF_XDP exposing old or uninitialized descriptors Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 729/783] nfsd: shut down the NFSv4 state objects before the filecache Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 730/783] net: hns3: add interrupts re-initialization while doing VF FLR Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 731/783] net: sched: fix memory leak in tcindex_set_parms Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 732/783] qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 733/783] nfc: Fix potential resource leaks Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 734/783] vhost/vsock: Fix error handling in vhost_vsock_init() Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 735/783] vringh: fix range used in iotlb_translate() Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 736/783] vhost: fix range used in translate_desc() Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 737/783] net/mlx5: Add forgotten cleanup calls into mlx5_init_once() error path Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 738/783] net/mlx5: Avoid recovery in probe flows Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 739/783] net/mlx5e: IPoIB, Dont allow CQE compression to be turned on by default Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 740/783] net/mlx5e: Fix hw mtu initializing at XDP SQ allocation Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 741/783] net: amd-xgbe: add missed tasklet_kill Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 742/783] net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 743/783] RDMA/mlx5: Fix validation of max_rd_atomic caps for DC Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 744/783] drm/meson: Reduce the FIFO lines held when AFBC is not used Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 745/783] filelock: new helper: vfs_inode_has_locks Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 746/783] ceph: switch to vfs_inode_has_locks() to fix file lock bug Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 747/783] gpio: sifive: Fix refcount leak in sifive_gpio_probe Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 748/783] net: sched: atm: dont intepret cls results when asked to drop Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 749/783] net: sched: cbq: " Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 750/783] netfilter: ipset: fix hash:net,port,net hang with /0 subnet Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 751/783] netfilter: ipset: Rework long task execution when adding/deleting entries Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 752/783] perf tools: Fix resources leak in perf_data__open_dir() Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 753/783] drivers/net/bonding/bond_3ad: return when theres no aggregator Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 754/783] usb: rndis_host: Secure rndis_query check against int overflow Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 755/783] drm/i915: unpin on error in intel_vgpu_shadow_mm_pin() Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 756/783] caif: fix memory leak in cfctrl_linkup_request() Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 757/783] udf: Fix extension of the last extent in the file Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 758/783] ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 759/783] nvme: fix multipath crash caused by flush request when blktrace is enabled Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 760/783] x86/bugs: Flush IBP in ib_prctl_set() Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 761/783] nfsd: fix handling of readdir in v4root vs. mount upcall timeout Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 762/783] fbdev: matroxfb: G200eW: Increase max memory from 1 MB to 16 MB Greg Kroah-Hartman
2023-01-12 13:57 ` [PATCH 5.10 763/783] riscv: uaccess: fix type of 0 variable on error in get_user() Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 764/783] drm/i915/gvt: fix gvt debugfs destroy Greg Kroah-Hartman
2023-01-12 13:58 ` Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 765/783] drm/i915/gvt: fix vgpu debugfs clean in remove Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 766/783] ext4: dont allow journal inode to have encrypt flag Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 767/783] selftests: set the BUILD variable to absolute path Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 768/783] hfs/hfsplus: use WARN_ON for sanity check Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 769/783] hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 770/783] mbcache: Avoid nesting of cache->c_list_lock under bit locks Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 771/783] efi: random: combine bootloader provided RNG seed with RNG protocol output Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 772/783] io_uring: Fix unsigned res comparison with zero in io_fixup_rw_res() Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 773/783] parisc: Align parisc MADV_XXX constants with all other architectures Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 774/783] ext4: disable fast-commit of encrypted dir operations Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 775/783] ext4: dont set up encryption key during jbd2 transaction Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 776/783] fsl_lpuart: Dont enable interrupts too early Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 777/783] serial: fixup backport of "serial: Deassert Transmit Enable on probe in driver-specific way" Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 778/783] mptcp: mark ops structures as ro_after_init Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 779/783] mptcp: remove MPTCP ifdef in TCP SYN cookies Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 780/783] mptcp: dedicated request sock for subflow in v6 Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 781/783] mptcp: use proper req destructor for IPv6 Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 782/783] net: sched: disallow noqueue for qdisc classes Greg Kroah-Hartman
2023-01-12 13:58 ` [PATCH 5.10 783/783] net/ulp: prevent ULP without clone op from entering the LISTEN status Greg Kroah-Hartman
2023-01-12 20:29 ` [PATCH 5.10 000/783] 5.10.163-rc1 review Florian Fainelli
2023-01-12 20:51 ` Pavel Machek
2023-01-13 1:12 ` Shuah Khan
2023-01-13 5:50 ` Guenter Roeck
2023-01-13 10:31 ` zhouzhixiu
2023-01-13 12:33 ` Sudip Mukherjee
2023-01-13 13:18 ` Jon Hunter
2023-01-13 17:45 ` Naresh Kamboju
2023-01-13 18:05 ` Allen Pais
2023-01-13 23:26 ` Ron Economos
2023-01-13 23:34 ` Ron Economos
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.