linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 5.10 000/593] 5.10.50-rc1 review
@ 2021-07-12  6:02 Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 001/593] Bluetooth: hci_qca: fix potential GPF Greg Kroah-Hartman
                   ` (597 more replies)
  0 siblings, 598 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.10.50 release.
There are 593 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 14 Jul 2021 06:02:46 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.50-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.10.50-rc1

Quat Le <quat.le@oracle.com>
    scsi: core: Retry I/O for Notify (Enable Spinup) Required error

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: exynos4-is: remove a now unused integer

Johan Hovold <johan@kernel.org>
    mmc: vub3000: fix control-request direction

Bean Huo <beanhuo@micron.com>
    mmc: block: Disable CMDQ on the ioctl path

Pavel Begunkov <asml.silence@gmail.com>
    io_uring: fix blocking inline submission

Long Li <longli@microsoft.com>
    block: return the correct bvec when checking for gaps

Wei Yongjun <weiyongjun1@huawei.com>
    erofs: fix error return code in erofs_read_superblock()

Jarkko Sakkinen <jarkko@kernel.org>
    tpm: Replace WARN_ONCE() with dev_err_once() in tpm_tis_status()

Eric Biggers <ebiggers@google.com>
    fscrypt: fix derivation of SipHash keys on big endian CPUs

Eric Biggers <ebiggers@google.com>
    fscrypt: don't ignore minor_hash when hash is 0

Sibi Sankar <sibis@codeaurora.org>
    mailbox: qcom-ipcc: Fix IPCC mbox channel exhaustion

Varun Prakash <varun@chelsio.com>
    scsi: target: cxgbit: Unmap DMA buffer before calling target_execute_cmd()

Javed Hasan <jhasan@marvell.com>
    scsi: fc: Correct RHBA attributes length

Namjae Jeon <namjae.jeon@samsung.com>
    exfat: handle wrong stream entry size in exfat_readdir()

Guo Ren <guoren@linux.alibaba.com>
    csky: syscache: Fixup duplicate cache flush

Randy Dunlap <rdunlap@infradead.org>
    csky: fix syscache.c fallthrough warning

Arnaldo Carvalho de Melo <acme@redhat.com>
    perf llvm: Return -ENOMEM when asprintf() fails

Dave Hansen <dave.hansen@linux.intel.com>
    selftests/vm/pkeys: refill shadow register after implicit kernel write

Dave Hansen <dave.hansen@linux.intel.com>
    selftests/vm/pkeys: handle negative sys_pkey_alloc() return code

Dave Hansen <dave.hansen@linux.intel.com>
    selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really random

Trent Piepho <tpiepho@gmail.com>
    lib/math/rational.c: fix divide by zero

Miaohe Lin <linmiaohe@huawei.com>
    mm/z3fold: use release_z3fold_page_locked() to release locked z3fold page

Miaohe Lin <linmiaohe@huawei.com>
    mm/z3fold: fix potential memory leak in z3fold_destroy_pool()

Ralph Campbell <rcampbell@nvidia.com>
    include/linux/huge_mm.h: remove extern keyword

Mike Kravetz <mike.kravetz@oracle.com>
    hugetlb: address ref count racing in prep_compound_gigantic_page

Mike Kravetz <mike.kravetz@oracle.com>
    hugetlb: remove prep_compound_huge_page cleanup

Yanfei Xu <yanfei.xu@windriver.com>
    mm/hugetlb: remove redundant check in preparing and destroying gigantic page

Miaohe Lin <linmiaohe@huawei.com>
    mm/hugetlb: use helper huge_page_order and pages_per_huge_page

Miaohe Lin <linmiaohe@huawei.com>
    mm/huge_memory.c: don't discard hugepage if other processes are mapping it

Miaohe Lin <linmiaohe@huawei.com>
    mm/huge_memory.c: add missing read-only THP checking in transparent_hugepage_enabled()

Miaohe Lin <linmiaohe@huawei.com>
    mm/huge_memory.c: remove dedicated macro HPAGE_CACHE_INDEX_MASK

Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
    mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled

Alex Williamson <alex.williamson@redhat.com>
    vfio/pci: Handle concurrent vma faults

Pali Rohár <pali@kernel.org>
    arm64: dts: marvell: armada-37xx: Fix reg for standard variant of UART

Pali Rohár <pali@kernel.org>
    serial: mvebu-uart: correctly calculate minimal possible baudrate

Pali Rohár <pali@kernel.org>
    serial: mvebu-uart: do not allow changing baudrate when uartclk is not available

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    ALSA: firewire-lib: Fix 'amdtp_domain_start()' when no AMDTP_OUT_STREAM stream is found

Vaibhav Jain <vaibhav@linux.ibm.com>
    powerpc/papr_scm: Make 'perf_stats' invisible if perf-stats unavailable

Nicholas Piggin <npiggin@gmail.com>
    powerpc/64s: Fix copy-paste data exposure into newly created tasks

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    powerpc/papr_scm: Properly handle UUID types and API

Nicholas Piggin <npiggin@gmail.com>
    powerpc: Offline CPU in stop_this_cpu()

Vignesh Raghavendra <vigneshr@ti.com>
    serial: 8250: 8250_omap: Fix possible interrupt storm on K3 SoCs

Vignesh Raghavendra <vigneshr@ti.com>
    serial: 8250: 8250_omap: Disable RX interrupt after DMA enable

Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    selftests/ftrace: fix event-no-pid on 1-core machine

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    leds: ktd2692: Fix an error handling path

Zhen Lei <thunder.leizhen@huawei.com>
    leds: as3645a: Fix error return code in as3645a_parse_node()

Shengjiu Wang <shengjiu.wang@nxp.com>
    ASoC: fsl_spdif: Fix unexpected interrupt after suspend

Kai Vehmanen <kai.vehmanen@linux.intel.com>
    ASoC: Intel: sof_sdw: use mach data for ADL RVP DMIC count

Vamshi Krishna Gopal <vamshi.krishna.gopal@intel.com>
    ASoC: Intel: sof_sdw: add quirk support for Brya and BT-offload

Libin Yang <libin.yang@intel.com>
    ASoC: Intel: sof_sdw: add SOF_RT715_DAI_ID_FIX for AlderLake

Chung-Chiang Cheng <shepjeng@gmail.com>
    configfs: fix memleak in configfs_release_bin_file

Codrin Ciubotariu <codrin.ciubotariu@microchip.com>
    ASoC: atmel-i2s: Fix usage of capture and playback at the same time

Nicholas Piggin <npiggin@gmail.com>
    powerpc/powernv: Fix machine check reporting of async store errors

Marek Szyprowski <m.szyprowski@samsung.com>
    extcon: max8997: Add missing modalias string

Stephan Gerhold <stephan@gerhold.net>
    extcon: sm5502: Drop invalid register write in sm5502_reg_data

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe()

Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
    phy: uniphier-pcie: Fix updating phy parameters

Richard Fitzgerald <rf@opensource.cirrus.com>
    soundwire: stream: Fix test for DP prepare complete

Zhen Lei <thunder.leizhen@huawei.com>
    scsi: mpt3sas: Fix error return value in _scsih_expander_add()

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    habanalabs: Fix an error handling path in 'hl_pci_probe()'

Yang Yingliang <yangyingliang@huawei.com>
    mtd: rawnand: marvell: add missing clk_disable_unprepare() on error in marvell_nfc_resume()

Geert Uytterhoeven <geert+renesas@glider.be>
    of: Fix truncation of memory sizes on 32-bit platforms

Richard Fitzgerald <rf@opensource.cirrus.com>
    ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: prox: isl29501: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates

Sergio Paracuellos <sergio.paracuellos@gmail.com>
    staging: mt7621-dts: fix pci address for PCI memory range

Junhao He <hejunhao2@hisilicon.com>
    coresight: core: Fix use of uninitialized pointer

Pavel Skripkin <paskripkin@gmail.com>
    staging: rtl8712: fix memory leak in rtl871x_load_fw_cb

Pavel Skripkin <paskripkin@gmail.com>
    staging: rtl8712: fix error handling in r871xu_drv_init

Dan Carpenter <dan.carpenter@oracle.com>
    staging: gdm724x: check for overflow in gdm_lte_netif_rx()

Dan Carpenter <dan.carpenter@oracle.com>
    staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt()

Shengjiu Wang <shengjiu.wang@nxp.com>
    ASoC: fsl_spdif: Fix error handler with pm_runtime_enable

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: light: vcnl4000: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: magn: rm3100: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: mxs-lradc: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: hx711: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: at91-sama5d2: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Mika Westerberg <mika.westerberg@linux.intel.com>
    thunderbolt: Bond lanes only when dual_link_port != NULL in alloc_dev_default()

Andy Shevchenko <andy.shevchenko@gmail.com>
    eeprom: idt_89hpesx: Restore printing the unsupported fwnode name

Andy Shevchenko <andy.shevchenko@gmail.com>
    eeprom: idt_89hpesx: Put fwnode in matching case during ->probe()

Clément Lassieur <clement@lassieur.org>
    usb: dwc2: Don't reset the core after setting turnaround time

Andrew Gabbasov <andrew_gabbasov@mentor.com>
    usb: gadget: f_fs: Fix setting of device and driver data cross-references

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    ASoC: mediatek: mtk-btcvsd: Fix an error handling path in 'mtk_btcvsd_snd_probe()'

Bard Liao <yung-chuan.liao@linux.intel.com>
    ASoC: rt5682-sdw: set regcache_cache_only false before reading RT5682_DEVICE_ID

Shuming Fan <shumingf@realtek.com>
    ASoC: rt5682: fix getting the wrong device id when the suspend_stress_test

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: rt715-sdw: use first_hw_init flag on resume

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: rt711-sdw: use first_hw_init flag on resume

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: rt700-sdw: use first_hw_init flag on resume

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: rt5682-sdw: use first_hw_init flag on resume

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: rt1308-sdw: use first_hw_init flag on resume

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ASoC: max98373-sdw: use first_hw_init flag on resume

Srinath Mannam <srinath.mannam@broadcom.com>
    iommu/dma: Fix IOVA reserve dma ranges

Kees Cook <keescook@chromium.org>
    selftests: splice: Adjust for handler fallback removal

Randy Dunlap <rdunlap@infradead.org>
    s390: appldata depends on PROC_SYSCTL

Niklas Schnelle <schnelle@linux.ibm.com>
    s390: enable HAVE_IOREMAP_PROT

Heiko Carstens <hca@linux.ibm.com>
    s390/irq: select HAVE_IRQ_EXIT_ON_IRQ_STACK

Alexander Monakov <amonakov@ispras.ru>
    iommu/amd: Fix extended features logging

Zhen Lei <thunder.leizhen@huawei.com>
    visorbus: fix error return code in visorchipset_init()

Joachim Fenkes <FENKES@de.ibm.com>
    fsi/sbefifo: Fix reset timeout

Joachim Fenkes <FENKES@de.ibm.com>
    fsi/sbefifo: Clean up correct FIFO when receiving reset request from SBE

Eddie James <eajames@linux.ibm.com>
    fsi: occ: Don't accept response from un-initialized OCC

Eddie James <eajames@linux.ibm.com>
    fsi: scom: Reset the FSI2PIB engine for any error

Colin Ian King <colin.king@canonical.com>
    fsi: core: Fix return of error values on failures

Andreas Kemnade <andreas@kemnade.info>
    mfd: rn5t618: Fix IRQ trigger by changing it to level mode

Randy Dunlap <rdunlap@infradead.org>
    mfd: mp2629: Select MFD_CORE to fix build error

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Flush block work before unblock

Randy Dunlap <rdunlap@infradead.org>
    scsi: FlashPoint: Rename si_flags field

Andy Shevchenko <andy.shevchenko@gmail.com>
    leds: lp50xx: Put fwnode in error case during ->probe()

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    leds: lm3697: Don't spam logs when probe is deferred

Andy Shevchenko <andy.shevchenko@gmail.com>
    leds: lm3692x: Put fwnode in any case during ->probe()

Andy Shevchenko <andy.shevchenko@gmail.com>
    leds: lm36274: Put fwnode in error case during ->probe()

Andy Shevchenko <andy.shevchenko@gmail.com>
    leds: lm3532: select regmap I2C API

Andy Shevchenko <andy.shevchenko@gmail.com>
    leds: class: The -ENOTSUPP should never be seen by user space

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    tty: nozomi: Fix the error handling path of 'nozomi_card_init()'

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    firmware: stratix10-svc: Fix a resource leak in an error handling path

Yu Kuai <yukuai3@huawei.com>
    char: pcmcia: error out if 'num_bytes_read' is greater than 4 in set_protocol()

Dave Stevenson <dave.stevenson@raspberrypi.com>
    staging: mmal-vchiq: Fix incorrect static vchiq_instance.

Miquel Raynal <miquel.raynal@bootlin.com>
    mtd: rawnand: arasan: Ensure proper configuration for the asserted target

Corentin Labbe <clabbe@baylibre.com>
    mtd: partitions: redboot: seek fis-index-block in the right node

Adrian Hunter <adrian.hunter@intel.com>
    perf scripting python: Fix tuple_set_u64()

Zhen Lei <thunder.leizhen@huawei.com>
    Input: hil_kbd - fix error return code in hil_dev_connect()

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    ASoC: rsnd: tidyup loop on rsnd_adg_clk_query()

Andy Shevchenko <andy.shevchenko@gmail.com>
    backlight: lm3630a_bl: Put fwnode in error case during ->probe()

Yang Yingliang <yangyingliang@huawei.com>
    ASoC: hisilicon: fix missing clk_disable_unprepare() on error in hi6210_i2s_startup()

Yang Yingliang <yangyingliang@huawei.com>
    ASoC: rk3328: fix missing clk_disable_unprepare() on error in rk3328_platform_probe()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: potentiostat: lmp91000: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: cros_ec_sensors: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: chemical: atlas: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: light: tcs3472: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: light: tcs3414: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: light: isl29125: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: magn: bmc150: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: magn: hmc5843: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: prox: as3935: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: prox: pulsed-light: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: prox: srf08: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: humidity: am2315: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: gyro: bmg160: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: vf610: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: adc: ti-ads1015: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: mxc4005: Fix overread of data and alignment issue.

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: kxcjk-1013: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: hid: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: bma220: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Nuno Sa <nuno.sa@analog.com>
    iio: adis16475: do not return ints in irq handlers

Nuno Sa <nuno.sa@analog.com>
    iio: adis16400: do not return ints in irq handlers

Nuno Sa <nuno.sa@analog.com>
    iio: adis_buffer: do not return ints in irq handlers

Arnd Bergmann <arnd@arndb.de>
    mwifiex: re-fix for unaligned accesses

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    tty: nozomi: Fix a resource leak in an error handling function

Dan Carpenter <dan.carpenter@oracle.com>
    serial: 8250_omap: fix a timeout loop condition

Michael Walle <michael@walle.cc>
    serial: fsl_lpuart: remove RTSCTS handling from get_mctrl()

Michael Walle <michael@walle.cc>
    serial: fsl_lpuart: don't modify arbitrary data on lpuart32

Paul E. McKenney <paulmck@kernel.org>
    rcu: Invoke rcu_spawn_core_kthreads() from rcu_spawn_gp_kthread()

Stephen Boyd <swboyd@chromium.org>
    ASoC: rt5682: Disable irq on shutdown

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    staging: fbtft: Don't spam logs when probe is deferred

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    staging: fbtft: Rectify GPIO handling

Wei Li <liwei391@huawei.com>
    MIPS: Fix PKMAP with 32-bit MIPS huge page support

Leon Romanovsky <leon@kernel.org>
    RDMA/core: Always release restrack object

Leon Romanovsky <leon@kernel.org>
    RDMA/mlx5: Don't access NULL-cleared mpi pointer

Menglong Dong <dong.menglong@zte.com.cn>
    net: tipc: fix FB_MTU eat two pages

Pavel Skripkin <paskripkin@gmail.com>
    net: sched: fix warning in tcindex_alloc_perfect_hash

Vadim Fedorenko <vfedorenko@novek.ru>
    net: lwtunnel: handle MTU calculation in forwading

Muchun Song <songmuchun@bytedance.com>
    writeback: fix obtain a reference to a freeing memcg css

Robert Hancock <robert.hancock@calian.com>
    clk: si5341: Update initialization magic

Robert Hancock <robert.hancock@calian.com>
    clk: si5341: Check for input clock presence and PLL lock on startup

Robert Hancock <robert.hancock@calian.com>
    clk: si5341: Avoid divide errors due to bogus register contents

Robert Hancock <robert.hancock@calian.com>
    clk: si5341: Wait for DEVICE_READY on startup

Jonathan Marek <jonathan@marek.ca>
    clk: qcom: clk-alpha-pll: fix CAL_L write in alpha_pll_fabia_prepare

Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
    clk: actions: Fix AHPPREDIV-H-AHB clock chain on Owl S500 SoC

Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
    clk: actions: Fix bisp_factor_table based clocks on Owl S500 SoC

Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
    clk: actions: Fix SD clocks factor table on Owl S500 SoC

Cristian Ciocaltea <cristian.ciocaltea@gmail.com>
    clk: actions: Fix UART clock dividers on Owl S500 SoC

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: Fix Set Extended (Scan Response) Data

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: Fix not sending Set Extended Scan Response

Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid

Petr Oros <poros@redhat.com>
    Revert "be2net: disable bh with spin_lock in be_process_mcc"

Bailey Forrest <bcf@google.com>
    gve: Fix swapped vars when fetching max queues

Håkon Bugge <haakon.bugge@oracle.com>
    RDMA/cma: Fix incorrect Packet Lifetime calculation

Gary Lin <glin@suse.com>
    bpfilter: Specify the log level for the kmsg message

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: sja1105: fix NULL pointer dereference in sja1105_reload_cbs()

Sasha Neftin <sasha.neftin@intel.com>
    e1000e: Check the PCIm state

Eric Dumazet <edumazet@google.com>
    ipv6: fix out-of-bound access in ip6_parse_tlv()

Antoine Tenart <atenart@kernel.org>
    net: atlantic: fix the macsec key length

Antoine Tenart <atenart@kernel.org>
    net: phy: mscc: fix macsec key length

Antoine Tenart <atenart@kernel.org>
    net: macsec: fix the length used to copy the key for offloading

Håkon Bugge <haakon.bugge@oracle.com>
    RDMA/cma: Protect RMW with qp_mutex

Sukadev Bhattiprolu <sukadev@linux.ibm.com>
    ibmvnic: free tx_pool if tso_pool alloc fails

Sukadev Bhattiprolu <sukadev@linux.ibm.com>
    ibmvnic: set ltb->buff to NULL after freeing

Dany Madden <drt@linux.ibm.com>
    Revert "ibmvnic: remove duplicate napi_schedule call in open function"

Jan Sokolowski <jan.sokolowski@intel.com>
    i40e: Fix missing rtnl locking when setting up pf switch

Mateusz Palczewski <mateusz.palczewski@intel.com>
    i40e: Fix autoneg disabling for non-10GBaseT links

Dinghao Liu <dinghao.liu@zju.edu.cn>
    i40e: Fix error handling in i40e_vsi_open

Maciej Żenczykowski <maze@google.com>
    bpf: Do not change gso_size during bpf_skb_change_proto()

Norbert Slusarek <nslusarek@gmx.net>
    can: j1939: j1939_sk_setsockopt(): prevent allocation of j1939 filter for optlen == 0

Eric Dumazet <edumazet@google.com>
    ipv6: exthdrs: do not blindly use init_net

Jian-Hong Pan <jhp@endlessos.org>
    net: bcmgenet: Fix attaching to PYH failed on RPi 4B

Ping-Ke Shih <pkshih@realtek.com>
    mac80211: remove iwlwifi specific workaround NDPs of null_response

Zhen Lei <thunder.leizhen@huawei.com>
    drm/msm/dpu: Fix error return code in dpu_mdss_init()

Zhen Lei <thunder.leizhen@huawei.com>
    drm/msm: Fix error return code in msm_drm_init()

John Fastabend <john.fastabend@gmail.com>
    bpf: Fix null ptr deref with mixed tail calls and subprogs

Eric Dumazet <edumazet@google.com>
    ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl()

Dongliang Mu <mudongliangabcd@gmail.com>
    ieee802154: hwsim: Fix memory leak in hwsim_add_one

Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    tc-testing: fix list handling

Vignesh Raghavendra <vigneshr@ti.com>
    net: ti: am65-cpsw-nuss: Fix crash when changing number of TX queues

Miao Wang <shankerwangmiao@gmail.com>
    net/ipv4: swap flow ports when validating source

Jakub Kicinski <kuba@kernel.org>
    ip6_tunnel: fix GRE6 segmentation

Eric Dumazet <edumazet@google.com>
    vxlan: add missing rcu_read_lock() in neigh_reduce()

Po-Hao Huang <phhuang@realtek.com>
    rtw88: 8822c: fix lc calibration timing

Luca Coelho <luciano.coelho@intel.com>
    iwlwifi: increase PNVM load timeout

Ayush Sawal <ayush.sawal@chelsio.com>
    xfrm: Fix xfrm offload fallback fail case

Eric Dumazet <edumazet@google.com>
    pkt_sched: sch_qfq: fix qfq_change_class() error path

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nf_tables_offload: check FLOW_DISSECTOR_KEY_BASIC in VLAN transfer logic

Jakub Kicinski <kuba@kernel.org>
    tls: prevent oversized sendfile() hangs by ignoring MSG_MORE

Yunsheng Lin <linyunsheng@huawei.com>
    net: sched: add barrier to ensure correct ordering for lockless qdisc

Antoine Tenart <atenart@kernel.org>
    vrf: do not push non-ND strict packets with a source LLA through packet taps again

Pavel Skripkin <paskripkin@gmail.com>
    net: ethernet: ezchip: fix error handling

Pavel Skripkin <paskripkin@gmail.com>
    net: ethernet: ezchip: fix UAF in nps_enet_remove

Pavel Skripkin <paskripkin@gmail.com>
    net: ethernet: aeroflex: fix UAF in greth_of_remove

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7615: fix NULL pointer dereference in tx_prepare_skb()

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: fix possible NULL pointer dereference in mt76_tx

Wang Hai <wanghai38@huawei.com>
    samples/bpf: Fix the error return code of xdp_redirect's main()

Wang Hai <wanghai38@huawei.com>
    samples/bpf: Fix Segmentation fault for xdp_redirect command

Jack Wang <jinpu.wang@cloud.ionos.com>
    RDMA/rtrs-srv: Set minimal max_send_wr and max_recv_wr

Tony Ambardar <tony.ambardar@gmail.com>
    bpf: Fix libelf endian handling in resolv_btfids

Magnus Karlsson <magnus.karlsson@intel.com>
    xsk: Fix broken Tx ring validation

Magnus Karlsson <magnus.karlsson@intel.com>
    xsk: Fix missing validation for skb and unaligned mode

Daniel Xu <dxu@dxuuu.xyz>
    selftests/bpf: Whitelist test_progs.h from .gitignore

Bob Pearson <rpearsonhpe@gmail.com>
    RDMA/rxe: Fix qp reference counting for atomic ops

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nft_osf: check for TCP packet before further processing

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nft_exthdr: check for IPv6 packet before further processing

Leon Romanovsky <leon@kernel.org>
    RDMA/mlx5: Don't add slave port to unaffiliated list

Liu Shixin <liushixin2@huawei.com>
    netlabel: Fix memory leak in netlbl_mgmt_add_common

Seevalamuthu Mariappan <seevalam@codeaurora.org>
    ath11k: send beacon template after vdev_start/restart during csa

Yang Li <yang.lee@linux.alibaba.com>
    ath10k: Fix an error code in ath10k_add_interface()

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    ath11k: Fix an error handling path in ath11k_core_fetch_board_data_api_n()

Hang Zhang <zh.nvgt@gmail.com>
    cw1200: Revert unnecessary patches that fix unreal use-after-free bugs

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    brcmsmac: mac80211_if: Fix a resource leak in an error handling path

Tong Tiangen <tongtiangen@huawei.com>
    brcmfmac: Fix a double-free in brcmf_sdio_bus_reset

Alvin Šipraga <ALSI@bang-olufsen.dk>
    brcmfmac: correctly report average RSSI in station info

Alvin Šipraga <ALSI@bang-olufsen.dk>
    brcmfmac: fix setting of station info chains bitmask

Zhen Lei <thunder.leizhen@huawei.com>
    ssb: Fix error return code in ssb_bus_scan()

Bryan O'Donoghue <bryan.odonoghue@linaro.org>
    wcn36xx: Move hal_buf allocation to devm_kmalloc in probe

Lucas Stach <l.stach@pengutronix.de>
    clk: imx8mq: remove SYS PLL 1/2 clock gates

Dongliang Mu <mudongliangabcd@gmail.com>
    ieee802154: hwsim: Fix possible memory leak in hwsim_subscribe_all_others

Randy Dunlap <rdunlap@infradead.org>
    wireless: carl9170: fix LEDS build errors & warnings

Yang Yingliang <yangyingliang@huawei.com>
    ath10k: add missing error return code in ath10k_pci_probe()

Yang Yingliang <yangyingliang@huawei.com>
    ath10k: go to path err_unsupported when chip id is not supported

Zhihao Cheng <chengzhihao1@huawei.com>
    tools/bpftool: Fix error return code in do_batch()

Colin Ian King <colin.king@canonical.com>
    drm: qxl: ensure surf.data is ininitialized

Luca Ceresoli <luca@lucaceresoli.net>
    clk: vc5: fix output disabling when enabling a FOD

Maxime Ripard <maxime@cerno.tech>
    drm/vc4: hdmi: Fix error path of hpd-gpios

Kees Cook <keescook@chromium.org>
    drm/pl111: Actually fix CONFIG_VEXPRESS_CONFIG depends

Kamal Heib <kamalheib1@gmail.com>
    RDMA/rxe: Fix failure during driver load

Kees Cook <keescook@chromium.org>
    drm/pl111: depend on CONFIG_VEXPRESS_CONFIG

Leon Romanovsky <leon@kernel.org>
    RDMA/core: Sanitize WQ state received from the userspace

Boris Sukholitko <boris.sukholitko@broadcom.com>
    net/sched: act_vlan: Fix modify to allow 0

Xin Long <lucien.xin@gmail.com>
    xfrm: remove the fragment check for ipv6 beet mode

Dmitry Osipenko <digetx@gmail.com>
    clk: tegra30: Use 300MHz for video decoder by default

Zhen Lei <thunder.leizhen@huawei.com>
    ehea: fix error return code in ehea_restart_qps()

Gioh Kim <gi-oh.kim@cloud.ionos.com>
    RDMA/rtrs-clt: Fix memory leak of not-freed sess->stats and stats->pcpu_stats

Md Haris Iqbal <haris.iqbal@cloud.ionos.com>
    RDMA/rtrs-clt: Check if the queue_depth has changed during a reconnection

Jack Wang <jinpu.wang@cloud.ionos.com>
    RDMA/rtrs-srv: Fix memory leak when having multiple sessions

Gioh Kim <gi-oh.kim@cloud.ionos.com>
    RDMA/rtrs-srv: Fix memory leak of unfreed rtrs_srv_stats object

Gioh Kim <gi-oh.kim@cloud.ionos.com>
    RDMA/rtrs: Do not reset hb_missed_max after re-connection

Md Haris Iqbal <haris.iqbal@cloud.ionos.com>
    RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats

Bart Van Assche <bvanassche@acm.org>
    RDMA/srp: Fix a recently introduced memory leak

Jianguo Wu <wujianguo@chinatelecom.cn>
    mptcp: generate subflow hmac after mptcp_finish_join()

Jianguo Wu <wujianguo@chinatelecom.cn>
    mptcp: fix pr_debug in mptcp_token_new_connect

Colin Ian King <colin.king@canonical.com>
    drm/rockchip: cdn-dp: fix sign extension on an int multiply for a u64 result

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    drm/rockchip: lvds: Fix an error handling path

Thomas Hebb <tommyhebb@gmail.com>
    drm/rockchip: dsi: move all lane config except LCDC mux to bind()

Yang Yingliang <yangyingliang@huawei.com>
    drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on error in cdn_dp_grf_write()

Alex Bee <knaerzche@gmail.com>
    drm: rockchip: set alpha_en to 0 if it is not used

Yang Yingliang <yangyingliang@huawei.com>
    net: ftgmac100: add missing error return code in ftgmac100_probe()

Jerome Brunet <jbrunet@baylibre.com>
    clk: meson: g12a: fix gp0 and hifi ranges

Wei Yongjun <weiyongjun1@huawei.com>
    net: qrtr: ns: Fix error return code in qrtr_ns_init()

Thomas Hellstrom <thellstrom@vmware.com>
    drm/vmwgfx: Fix cpu updates of coherent multisample surfaces

Thomas Hellstrom <thellstrom@vmware.com>
    drm/vmwgfx: Mark a surface gpu-dirty after the SVGA3dCmdDXGenMips command

Geert Uytterhoeven <geert+renesas@glider.be>
    pinctrl: renesas: r8a77990: JTAG pins do not have pull-down capabilities

Geert Uytterhoeven <geert+renesas@glider.be>
    pinctrl: renesas: r8a7796: Add missing bias for PRESET# pin

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    net: pch_gbe: Propagate error from devm_gpio_request_one()

Andy Shevchenko <andy.shevchenko@gmail.com>
    net: mvpp2: Put fwnode in error case during ->probe()

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    video: fbdev: imxfb: Fix an error message

Takashi Iwai <tiwai@suse.de>
    drm/ast: Fix missing conversions to managed API

Yingjie Wang <wangyingjie55@126.com>
    drm/amd/dc: Fix a missing check bug in dm_dp_mst_detect()

Douglas Anderson <dianders@chromium.org>
    drm/bridge: Fix the stop condition of drm_bridge_chain_pre_enable()

Robert Foss <robert.foss@linaro.org>
    drm/bridge/sii8620: fix dependency on extcon

Sabrina Dubroca <sd@queasysnail.net>
    xfrm: xfrm_state_mtu should return at least 1280 for ipv6

Liu Shixin <liushixin2@huawei.com>
    mm/page_alloc: fix counting of managed_pages

Lorenzo Stoakes <lstoakes@gmail.com>
    mm: page_alloc: refactor setup_per_zone_lowmem_reserve()

Waiman Long <longman@redhat.com>
    mm: memcg/slab: properly set up gfp flags for objcg pointer array

Miaohe Lin <linmiaohe@huawei.com>
    mm/shmem: fix shmem_swapin() race with swapoff

Miaohe Lin <linmiaohe@huawei.com>
    swap: fix do_swap_page() race with swapoff

Anshuman Khandual <anshuman.khandual@arm.com>
    mm/debug_vm_pgtable: ensure THP availability via has_transparent_hugepage()

Anshuman Khandual <anshuman.khandual@arm.com>
    mm/debug_vm_pgtable/basic: iterate over entire protection_map[]

Anshuman Khandual <anshuman.khandual@arm.com>
    mm/debug_vm_pgtable/basic: add validation for dirtiness after write protect

Jan Kara <jack@suse.cz>
    dax: fix ENOMEM handling in grab_mapping_entry()

Dan Carpenter <dan.carpenter@oracle.com>
    ocfs2: fix snprintf() checking

Ming Lei <ming.lei@redhat.com>
    blk-mq: update hctx->dispatch_busy in case of real scheduler

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    cpufreq: Make cpufreq_online() call driver->offline() on errors

Nathan Chancellor <nathan@kernel.org>
    ACPI: bgrt: Fix CFI violation

Dwaipayan Ray <dwaipayanray1@gmail.com>
    ACPI: Use DEVICE_ATTR_<RW|RO|WO> macros

Zhang Yi <yi.zhang@huawei.com>
    blk-wbt: make sure throttle is enabled properly

Zhang Yi <yi.zhang@huawei.com>
    blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled()

Xiaofei Tan <tanxiaofei@huawei.com>
    ACPI: APEI: fix synchronous external aborts in user-mode

Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
    extcon: extcon-max8997: Fix IRQ freeing at error path

Tony Lindgren <tony@atomide.com>
    clocksource/drivers/timer-ti-dm: Save and restore timer TIOCP_CFG

Christoph Hellwig <hch@lst.de>
    mark pstore-blk as broken

Krzysztof Wilczyński <kw@linux.com>
    ACPI: sysfs: Fix a buffer overrun problem with description_show()

Mario Limonciello <mario.limonciello@amd.com>
    nvme-pci: look for StorageD3Enable on companion ACPI device instead

Ming Lei <ming.lei@redhat.com>
    block: avoid double io accounting for flush request

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    ACPI: PM / fan: Put fan device IDs into separate header file

YueHaibing <yuehaibing@huawei.com>
    PM / devfreq: Add missing error code in devfreq_add_device()

Philipp Zabel <p.zabel@pengutronix.de>
    media: video-mux: Skip dangling endpoints

Ezequiel Garcia <ezequiel@collabora.com>
    media: v4l2-async: Clean v4l2_async_notifier_add_fwnode_remote_subdev

Zhaoyang Huang <zhaoyang.huang@unisoc.com>
    psi: Fix race between psi_trigger_create/destroy

Herbert Xu <herbert@gondor.apana.org.au>
    crypto: nx - Fix RCU warning in nx842_OF_upd_status

Mirko Vogt <mirko-dev|linux@nanl.de>
    spi: spi-sun6i: Fix chipselect/clock bug

Peter Zijlstra <peterz@infradead.org>
    lockdep/selftests: Fix selftests vs PROVE_RAW_LOCK_NESTING

Peter Zijlstra <peterz@infradead.org>
    lockdep: Fix wait-type for empty stack

Qais Yousef <qais.yousef@arm.com>
    sched/uclamp: Fix uclamp_tg_restrict()

Vincent Donnefort <vincent.donnefort@arm.com>
    sched/rt: Fix Deadline utilization tracking during policy change

Vincent Donnefort <vincent.donnefort@arm.com>
    sched/rt: Fix RT utilization tracking during policy change

Joerg Roedel <jroedel@suse.de>
    x86/sev: Split up runtime #VC handler for correct state tracking

Joerg Roedel <jroedel@suse.de>
    x86/sev: Make sure IRQs are disabled while GHCB is active

David Sterba <dsterba@suse.com>
    btrfs: clear log tree recovering status if starting transaction fails

Axel Lin <axel.lin@ingics.com>
    regulator: hi655x: Fix pass wrong pointer to config.driver_data

Alexandru Elisei <alexandru.elisei@arm.com>
    KVM: arm64: Don't zero the cycle count register when PMCR_EL0.P is set

Tuan Phan <tuanphan@os.amperecomputing.com>
    perf/arm-cmn: Fix invalid pointer when access dtc object sharing the same IRQ number

Kai Huang <kai.huang@intel.com>
    KVM: x86/mmu: Fix return value in tdp_mmu_map_handle_target_level()

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Don't clobber nested MMU's A/D status on EPTP switch

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Ensure 64-bit shift when checking VMFUNC bitmap

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Sync all PGDs on nested transition with shadow paging

Guenter Roeck <linux@roeck-us.net>
    hwmon: (max31790) Fix fan speed reporting for fan7..12

Guenter Roeck <linux@roeck-us.net>
    hwmon: (max31722) Remove non-standard ACPI device IDs

Guenter Roeck <linux@roeck-us.net>
    hwmon: (lm70) Revert "hwmon: (lm70) Add support for ACPI"

Stephen Boyd <swboyd@chromium.org>
    hwmon: (lm70) Use device_get_match_data()

Dillon Min <dillon.minfei@gmail.com>
    media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx

Arnd Bergmann <arnd@arndb.de>
    media: subdev: remove VIDIOC_DQEVENT_TIME32 handling

Anshuman Khandual <anshuman.khandual@arm.com>
    arm64/mm: Fix ttbr0 values stored in struct thread_info for software-pan

Mark Rutland <mark.rutland@arm.com>
    arm64: consistently use reserved_pg_dir

Zhen Lei <thunder.leizhen@huawei.com>
    mmc: usdhi6rol0: fix error return code in usdhi6_probe()

Hongbo Li <herberthbli@tencent.com>
    crypto: sm2 - fix a memory leak in sm2

Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
    crypto: sm2 - remove unnecessary reset operations

Hangbin Liu <liuhangbin@gmail.com>
    crypto: x86/curve25519 - fix cpu feature checking logic in mod_exit

Zhang Qilong <zhangqilong3@huawei.com>
    crypto: omap-sham - Fix PM reference leak in omap sham ops

Tong Tiangen <tongtiangen@huawei.com>
    crypto: nitrox - fix unchecked variable in nitrox_register_interrupts

Axel Lin <axel.lin@ingics.com>
    regulator: fan53880: Fix vsel_mask setting for FAN53880_BUCK

Gustavo A. R. Silva <gustavoars@kernel.org>
    media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2()

Randy Dunlap <rdunlap@infradead.org>
    m68k: atari: Fix ATARI_KBD_CORE kconfig unmet dependency warning

Johan Hovold <johan@kernel.org>
    media: gspca/gl860: fix zero-length control requests

Zhen Lei <thunder.leizhen@huawei.com>
    media: tc358743: Fix error return code in tc358743_probe_of()

Dan Carpenter <dan.carpenter@oracle.com>
    media: au0828: fix a NULL vs IS_ERR() check

Lv Yunlong <lyl2019@mail.ustc.edu.cn>
    media: exynos4-is: Fix a use after free in isp_video_release

Ezequiel Garcia <ezequiel@collabora.com>
    media: rkvdec: Fix .buf_prepare

Randy Dunlap <rdunlap@infradead.org>
    locking/lockdep: Reduce LOCKDEP dependency list

Sergey Shtylyov <s.shtylyov@omprussia.ru>
    pata_ep93xx: fix deferred probing

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    media: rc: i2c: Fix an error message

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    crypto: ccp - Fix a resource leak in an error handling path

Suman Anna <s-anna@ti.com>
    crypto: sa2ul - Fix pm_runtime enable in sa_ul_probe()

Suman Anna <s-anna@ti.com>
    crypto: sa2ul - Fix leaks on failure paths with sa_dma_init()

Joe Richey <joerichey@google.com>
    x86/elf: Use _BITUL() macro in UAPI headers

Mimi Zohar <zohar@linux.ibm.com>
    evm: fix writing <securityfs>/evm overflow

Sergey Shtylyov <s.shtylyov@omp.ru>
    pata_octeon_cf: avoid WARN_ON() in ata_host_activate()

Josh Poimboeuf <jpoimboe@redhat.com>
    kbuild: Fix objtool dependency for 'OBJECT_FILES_NON_STANDARD_<obj> := n'

Qais Yousef <qais.yousef@arm.com>
    sched/uclamp: Fix locking around cpu_util_update_eff()

Qais Yousef <qais.yousef@arm.com>
    sched/uclamp: Fix wrong implementation of cpu.uclamp.min

Randy Dunlap <rdunlap@infradead.org>
    media: I2C: change 'RST' to "RSET" to fix multiple build errors

Sergey Shtylyov <s.shtylyov@omprussia.ru>
    pata_rb532_cf: fix deferred probing

Sergey Shtylyov <s.shtylyov@omprussia.ru>
    sata_highbank: fix deferred probing

Zhen Lei <thunder.leizhen@huawei.com>
    crypto: ux500 - Fix error return code in hash_hw_final()

Corentin Labbe <clabbe@baylibre.com>
    crypto: ixp4xx - update IV after requests

Corentin Labbe <clabbe@baylibre.com>
    crypto: ixp4xx - dma_unmap the correct address

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: hantro: do a PM resume earlier

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: s5p_cec: decrement usage count if disabled

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: venus: Rework error fail recover logic

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    spi: Avoid undefined behaviour when counting unused native CSs

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    spi: Allow to have all native CSs in use along with GPIOs

Roman Gushchin <guro@fb.com>
    writeback, cgroup: increment isw_nr_in_flight before grabbing an inode

Arnd Bergmann <arnd@arndb.de>
    ia64: mca_drv: fix incorrect array size calculation

Petr Mladek <pmladek@suse.com>
    kthread_worker: fix return value when kthread_mod_delayed_work() races with kthread_cancel_delayed_work_sync()

Ming Lei <ming.lei@redhat.com>
    block: fix discard request merge

Shawn Guo <shawn.guo@linaro.org>
    mailbox: qcom: Use PLATFORM_DEVID_AUTO to register platform device

Steve French <stfrench@microsoft.com>
    cifs: fix missing spinlock around update to ses->status

Jason Gerecke <killertofu@gmail.com>
    HID: wacom: Correct base usage for capacitive ExpressKey status bits

Richard Fitzgerald <rf@opensource.cirrus.com>
    ACPI: tables: Add custom DSDT file as makefile prerequisite

Javier Martinez Canillas <javierm@redhat.com>
    tpm_tis_spi: add missing SPI device ID entries

Paul E. McKenney <paulmck@kernel.org>
    clocksource: Check per-CPU clock synchronization when marked unstable

Paul E. McKenney <paulmck@kernel.org>
    clocksource: Retry clock read if long delays detected

Zhang Rui <rui.zhang@intel.com>
    ACPI: EC: trust DSDT GPE for certain HP laptop

Ronnie Sahlberg <lsahlber@redhat.com>
    cifs: improve fallocate emulation

Haiyang Zhang <haiyangz@microsoft.com>
    PCI: hv: Add check for hyperv_initialized in init_hv_pci_drv()

Tony Luck <tony.luck@intel.com>
    EDAC/Intel: Do not load EDAC driver when running as a guest

Hannes Reinecke <hare@suse.de>
    nvmet-fc: do not check for invalid target port in nvmet_fc_handle_fcp_rqst()

JK Kim <jongkang.kim2@gmail.com>
    nvme-pci: fix var. type for increasing cq_head

Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
    platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard()

Luke D. Jones <luke@ljones.dev>
    platform/x86: asus-nb-wmi: Revert "add support for ASUS ROG Zephyrus G14 and G15"

Luke D. Jones <luke@ljones.dev>
    platform/x86: asus-nb-wmi: Revert "Drop duplicate DMI quirk structures"

Ming Lei <ming.lei@redhat.com>
    block: fix race between adding/removing rq qos and normal IO

Hui Wang <hui.wang@canonical.com>
    ACPI: resources: Add checks for ACPI IRQ override

Hanjun Guo <guohanjun@huawei.com>
    ACPI: bus: Call kobject_put() in acpi_init() error path

Erik Kaneda <erik.kaneda@intel.com>
    ACPICA: Fix memory leak caused by _CID repair function

Alexander Aring <aahringo@redhat.com>
    fs: dlm: fix memory leak when fenced

Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
    drivers: hv: Fix missing error code in vmbus_connect()

Christian Brauner <christian.brauner@ubuntu.com>
    open: don't silently ignore unknown O-flags in openat2()

Richard Fitzgerald <rf@opensource.cirrus.com>
    random32: Fix implicit truncation warning in prandom_seed_state()

Alexander Aring <aahringo@redhat.com>
    fs: dlm: cancel work sync othercon

Ming Lei <ming.lei@redhat.com>
    blk-mq: clear stale request in tags->rq[] before freeing one request pool

Ming Lei <ming.lei@redhat.com>
    blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter

zhangyi (F) <yi.zhang@huawei.com>
    block_dump: remove block_dump feature in mark_inode_dirty()

Chris Chiu <chris.chiu@canonical.com>
    ACPI: EC: Make more Asus laptops use ECDT _GPE

Hans de Goede <hdegoede@redhat.com>
    platform/x86: touchscreen_dmi: Add info for the Goodix GT912 panel of TM800A550L tablets

Hans de Goede <hdegoede@redhat.com>
    platform/x86: touchscreen_dmi: Add an extra entry for the upside down Goodix touchscreen on Teclast X89 tablets

Hans de Goede <hdegoede@redhat.com>
    Input: goodix - platform/x86: touchscreen_dmi - Move upside down quirks to touchscreen_dmi.c

Richard Fitzgerald <rf@opensource.cirrus.com>
    lib: vsprintf: Fix handling of number field widths in vsscanf

YueHaibing <yuehaibing@huawei.com>
    hv_utils: Fix passing zero to 'PTR_ERR' warning

Mario Limonciello <mario.limonciello@amd.com>
    ACPI: processor idle: Fix up C-state latency if not ordered

Bixuan Cui <cuibixuan@huawei.com>
    EDAC/ti: Add missing MODULE_DEVICE_TABLE

Dmitry Torokhov <dmitry.torokhov@gmail.com>
    HID: do not use down_interruptible() when unbinding devices

Luke D Jones <luke@ljones.dev>
    ACPI: video: use native backlight for GA401/GA502/GA503

Shuah Khan <skhan@linuxfoundation.org>
    media: Fix Media Controller API config checks

Axel Lin <axel.lin@ingics.com>
    regulator: da9052: Ensure enough delay time for .set_voltage_time_sel

Hsin-Hsiung Wang <hsin-hsiung.wang@mediatek.com>
    regulator: mt6358: Fix vdram2 .vsel_mask

Heiko Carstens <hca@linux.ibm.com>
    KVM: s390: get rid of register asm usage

Boqun Feng <boqun.feng@gmail.com>
    lockding/lockdep: Avoid to find wrong lock dep path in check_irq_usage()

Boqun Feng <boqun.feng@gmail.com>
    locking/lockdep: Fix the dep path printing for backwards BFS

Christophe Leroy <christophe.leroy@csgroup.eu>
    btrfs: disable build on platforms having page size 256K

Qu Wenruo <wqu@suse.com>
    btrfs: don't clear page extent mapped if we're not invalidating the full page

David Sterba <dsterba@suse.com>
    btrfs: sysfs: fix format string for some discard stats

Josef Bacik <josef@toxicpanda.com>
    btrfs: abort transaction if we fail to update the delayed inode

Josef Bacik <josef@toxicpanda.com>
    btrfs: fix error handling in __btrfs_update_delayed_inode

Suraj Jitindar Singh <sjitindarsingh@gmail.com>
    KVM: PPC: Book3S HV: Fix TLB management on SMT8 POWER9 and POWER10 processors

Jing Xiangfeng <jingxiangfeng@huawei.com>
    drivers/perf: fix the missed ida_simple_remove() in ddr_perf_probe()

Guenter Roeck <linux@roeck-us.net>
    hwmon: (max31790) Fix pwmX_enable attributes

Guenter Roeck <linux@roeck-us.net>
    hwmon: (max31790) Report correct current pwm duty cycles

Steve Longerbeam <slongerbeam@gmail.com>
    media: imx-csi: Skip first few frames from a BT.656 source

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: siano: fix device register error path

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: dvb_net: avoid speculation from net slot

Ard Biesheuvel <ardb@kernel.org>
    crypto: shash - avoid comparing pointers to exported functions under CFI

zpershuai <zpershuai@gmail.com>
    spi: meson-spicc: fix memory leak in meson_spicc_probe

zpershuai <zpershuai@gmail.com>
    spi: meson-spicc: fix a wrong goto jump for avoiding memory leak.

Zheyu Ma <zheyuma97@gmail.com>
    mmc: via-sdmmc: add a check against NULL pointer dereference

Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    mmc: sdhci-sprd: use sdhci_sprd_writew

Tong Zhang <ztong0001@gmail.com>
    memstick: rtsx_usb_ms: fix UAF

Dongliang Mu <mudongliangabcd@gmail.com>
    media: dvd_usb: memory leak in cinergyt2_fe_attach

Nick Desaulniers <ndesaulniers@google.com>
    Makefile: fix GDB warning with CONFIG_RELR

Kai Ye <yekai13@huawei.com>
    crypto: hisilicon/sec - fixup 3des minimum key size declaration

Evgeny Novikov <novikov@ispras.ru>
    media: st-hva: Fix potential NULL pointer dereferences

Zheyu Ma <zheyuma97@gmail.com>
    media: bt8xx: Fix a missing check bug in bt878_probe

Lv Yunlong <lyl2019@mail.ustc.edu.cn>
    media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release

Andrzej Pietrasiewicz <andrzej.p@collabora.com>
    media: cedrus: Fix .buf_prepare

Andrzej Pietrasiewicz <andrzej.p@collabora.com>
    media: hantro: Fix .buf_prepare

Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
    media: em28xx: Fix possible memory leak of em28xx struct

Tong Zhang <ztong0001@gmail.com>
    media: bt878: do not schedule tasklet when it is not setup

Dillon Min <dillon.minfei@gmail.com>
    media: i2c: ov2659: Use clk_{prepare_enable,disable_unprepare}() to set xvclk on/off

Odin Ugedal <odin@uged.al>
    sched/fair: Fix ascii art by relpacing tabs

Tian Tao <tiantao6@hisilicon.com>
    arm64: perf: Convert snprintf to sysfs_emit

Thara Gopinath <thara.gopinath@linaro.org>
    crypto: qce: skcipher: Fix incorrect sg count for dma transfers

Jack Xu <jack.xu@intel.com>
    crypto: qat - remove unused macro in FW loader

Jack Xu <jack.xu@intel.com>
    crypto: qat - check return code of qat_hal_rd_rel_reg()

Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    media: imx: imx7_mipi_csis: Fix logging of only error event counters

Anirudh Rayabharam <mail@anirudhrb.com>
    media: pvrusb2: fix warning in pvr2_i2c_core_done

Jernej Skrabec <jernej.skrabec@siol.net>
    media: hevc: Fix dependent slice segment flags

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: cobalt: fix race condition in setting HPD

Pavel Skripkin <paskripkin@gmail.com>
    media: cpia2: fix memory leak in cpia2_usb_probe

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: sti: fix obj-$(config) targets

Bixuan Cui <cuibixuan@huawei.com>
    crypto: nx - add missing MODULE_DEVICE_TABLE

Łukasz Stelmach <l.stelmach@samsung.com>
    hwrng: exynos - Fix runtime PM imbalance on error

Valentin Schneider <valentin.schneider@arm.com>
    sched/core: Initialize the idle task with preemption disabled

Zou Wei <zou_wei@huawei.com>
    regulator: uniphier: Add missing MODULE_DEVICE_TABLE

Tian Tao <tiantao6@hisilicon.com>
    spi: omap-100k: Fix the length judgment problem

Jay Fang <f.fangjian@huawei.com>
    spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages()

Jay Fang <f.fangjian@huawei.com>
    spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf'

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: exynos-gsc: fix pm_runtime_get_sync() usage count

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: exynos4-is: fix pm_runtime_get_sync() usage count

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: sti/bdisp: fix pm_runtime_get_sync() usage count

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: sunxi: fix pm_runtime_get_sync() usage count

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: s5p-jpeg: fix pm_runtime_get_sync() usage count

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: mtk-vcodec: fix PM runtime get logic

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: sh_vou: fix pm_runtime_get_sync() usage count

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: am437x: fix pm_runtime_get_sync() usage count

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: s5p: fix pm_runtime_get_sync() usage count

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: mdk-mdp: fix pm_runtime_get_sync() usage count

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: marvel-ccic: fix some issues when getting pm_runtime

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    staging: media: rkvdec: fix pm_runtime_get_sync() usage count

Alexey Gladkov <legion@kernel.org>
    Add a reference to ucounts for each cred

Charles Keepax <ckeepax@opensource.cirrus.com>
    spi: Make of_register_spi_device also set the fwnode

Lukasz Luba <lukasz.luba@arm.com>
    thermal/cpufreq_cooling: Update offline CPUs per-cpu thermal_pressure

Miklos Szeredi <mszeredi@redhat.com>
    fuse: reject internal errno

Miklos Szeredi <mszeredi@redhat.com>
    fuse: check connected before queueing on fpq->io

Miklos Szeredi <mszeredi@redhat.com>
    fuse: ignore PG_workingset after stealing

Greg Kurz <groug@kaod.org>
    fuse: Fix infinite loop in sget_fc()

Greg Kurz <groug@kaod.org>
    fuse: Fix crash if superblock of submount gets killed early

Greg Kurz <groug@kaod.org>
    fuse: Fix crash in fuse_dentry_automount() error path

Roberto Sassu <roberto.sassu@huawei.com>
    evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded

Roberto Sassu <roberto.sassu@huawei.com>
    evm: Execute evm_inode_init_security() only when an HMAC key is loaded

Kristian Klausen <kristian@klausen.dk>
    loop: Fix missing discard support when using LOOP_CONFIGURE

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi()

Yun Zhou <yun.zhou@windriver.com>
    seq_buf: Make trace_seq_putmem_hex() support data longer than 8

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing/histograms: Fix parsing of "sym-offset" modifier

Martin Fuzzey <martin.fuzzey@flowbird.group>
    rsi: fix AP mode with WPA failure due to encrypted EAPOL

Marek Vasut <marex@denx.de>
    rsi: Assign beacon rate settings to the correct rate_info descriptor field

Michael Buesch <m@bues.ch>
    ssb: sdio: Don't overwrite const buffer if block_write fails

Pali Rohár <pali@kernel.org>
    ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()

Ondrej Zary <linux@zary.sk>
    serial_cs: remove wrong GLOBETROTTER.cis entry

Ondrej Zary <linux@zary.sk>
    serial_cs: Add Option International GSM-Ready 56K/ISDN modem

Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    serial: sh-sci: Stop dmaengine transfer in sci_stop_tx()

Pali Rohár <pali@kernel.org>
    serial: mvebu-uart: fix calculation of clock divisor

Stephan Gerhold <stephan@gerhold.net>
    iio: accel: bma180: Fix BMA25x bandwidth register values

Oliver Lang <Oliver.Lang@gossenmetrawatt.com>
    iio: ltr501: ltr501_read_ps(): add missing endianness conversion

Oliver Lang <Oliver.Lang@gossenmetrawatt.com>
    iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR

Marc Kleine-Budde <mkl@pengutronix.de>
    iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too

frank zago <frank@zago.net>
    iio: light: tcs3472: do not free unallocated IRQ

Yang Yingliang <yangyingliang@huawei.com>
    iio: frequency: adf4350: disable reg and clk on error in adf4350_probe()

Martin Fuzzey <martin.fuzzey@flowbird.group>
    rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path

Dinh Nguyen <dinguyen@kernel.org>
    clk: agilex/stratix10: fix bypass representation

Dinh Nguyen <dinguyen@kernel.org>
    clk: agilex/stratix10: remove noc_clk

Dinh Nguyen <dinguyen@kernel.org>
    clk: agilex/stratix10/n5x: fix how the bypass_reg is handled

Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
    f2fs: Prevent swap file in LFS mode

Janosch Frank <frankja@linux.ibm.com>
    s390: mm: Fix secure storage access exception handling

Vineeth Vijayan <vneethv@linux.ibm.com>
    s390/cio: dont call css_wait_for_slow_path() inside a lock

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Use MMU's role to detect CR4.SMEP value in nested NPT walk

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs

Nathan Chancellor <nathan@kernel.org>
    KVM: PPC: Book3S HV: Workaround high stack usage with clang

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Handle split-lock #AC exceptions that happen in L2

Robin Murphy <robin.murphy@arm.com>
    perf/smmuv3: Don't trample existing events with global filter

Jann Horn <jannh@google.com>
    mm/gup: fix try_grab_compound_head() race with split_huge_page()

Baochen Qiang <bqiang@codeaurora.org>
    bus: mhi: Wait for M2 state during system resume

Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    SUNRPC: Should wake up the privileged task firstly.

Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    SUNRPC: Fix the batch tasks count wraparound.

Felix Fietkau <nbd@nbd.name>
    mac80211: remove iwlwifi specific workaround that broke sta NDP tx

Stephane Grosjean <s.grosjean@peak-system.com>
    can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in TX path

Oleksij Rempel <linux@rempel-privat.de>
    can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done

Oliver Hartkopp <socketcan@hartkopp.net>
    can: isotp: isotp_release(): omit unintended hrtimer restart on socket release

Oliver Hartkopp <socketcan@hartkopp.net>
    can: gw: synchronize rcu operations before removing gw job entry

Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    can: bcm: delay release of struct bcm_op after synchronize_rcu()

Stephen Brennan <stephen.s.brennan@oracle.com>
    ext4: use ext4_grp_locked_error in mb_find_extent

Pan Dong <pandong.peter@bytedance.com>
    ext4: fix avefreec in find_group_orlov

Zhang Yi <yi.zhang@huawei.com>
    ext4: remove check for zero nr_to_scan in ext4_es_scan()

Zhang Yi <yi.zhang@huawei.com>
    ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit

Yang Yingliang <yangyingliang@huawei.com>
    ext4: return error code when ext4_fill_flex_info() fails

Jan Kara <jack@suse.cz>
    ext4: fix overflow in ext4_iomap_alloc()

Anirudh Rayabharam <mail@anirudhrb.com>
    ext4: fix kernel infoleak via ext4_extent_header

Zhang Yi <yi.zhang@huawei.com>
    ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle

David Sterba <dsterba@suse.com>
    btrfs: clear defrag status of a root if starting transaction fails

David Sterba <dsterba@suse.com>
    btrfs: compression: don't try to compress if we don't have enough pages

Filipe Manana <fdmanana@suse.com>
    btrfs: send: fix invalid path for unlink operations after parent orphanization

Ludovic Desroches <ludovic.desroches@microchip.com>
    ARM: dts: at91: sama5d4: fix pinctrl muxing

Linus Walleij <linus.walleij@linaro.org>
    ARM: dts: ux500: Fix LED probing

Yang Jihong <yangjihong1@huawei.com>
    arm_pmu: Fix write counter incorrect in ARMv7 big-endian mode

Joerg Roedel <jroedel@suse.de>
    crypto: ccp - Annotate SEV Firmware file names

Kees Cook <keescook@chromium.org>
    crypto: nx - Fix memcpy() over-reading in nonce

Alexander Larkin <avlarkin82@gmail.com>
    Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl

Al Viro <viro@zeniv.linux.org.uk>
    iov_iter_fault_in_readable() should do nothing in xarray case

Al Viro <viro@zeniv.linux.org.uk>
    copy_page_to_iter(): fix ITER_DISCARD case

Kees Cook <keescook@chromium.org>
    selftests/lkdtm: Avoid needing explicit sub-shell

Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
    ntfs: fix validity check for file name attribute

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix error handling in init_statfs

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix underflow in gfs2_page_mkwrite

Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>
    xhci: solve a double free problem while doing s4

Jing Xiangfeng <jingxiangfeng@huawei.com>
    usb: typec: Add the missed altmode_id_remove() in typec_register_altmode()

Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
    usb: dwc3: Fix debugfs creation flow

Hannu Hartikainen <hannu@hrtk.in>
    USB: cdc-acm: blacklist Heimann USB Appset device

Moritz Fischer <mdf@kernel.org>
    usb: renesas-xhci: Fix handling of unknown ROM state

Linyu Yuan <linyyuan@codeaurora.com>
    usb: gadget: eem: fix echo command packet response issue

Pavel Skripkin <paskripkin@gmail.com>
    net: can: ems_usb: fix use-after-free in ems_usb_disconnect()

Johan Hovold <johan@kernel.org>
    Input: usbtouchscreen - fix control-request directions

Pavel Skripkin <paskripkin@gmail.com>
    media: dvb-usb: fix wrong definition

Jeremy Szu <jeremy.szu@canonical.com>
    ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 830 G8 Notebook PC

Takashi Iwai <tiwai@suse.de>
    ALSA: hda/realtek: Apply LED fixup for HP Dragonfly G1, too

Takashi Iwai <tiwai@suse.de>
    ALSA: hda/realtek: Fix bass speaker DAC mapping for Asus UM431D

Elia Devito <eliadevito@gmail.com>
    ALSA: hda/realtek: Improve fixup for HP Spectre x360 15-df0xxx

Jeremy Szu <jeremy.szu@canonical.com>
    ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook x360 830 G8

Takashi Iwai <tiwai@suse.de>
    ALSA: hda/realtek: Add another ALC236 variant support

Andy Chi <andy.chi@canonical.com>
    ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 630 G8

Andy Chi <andy.chi@canonical.com>
    ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 445 G8

Andy Chi <andy.chi@canonical.com>
    ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 450 G8

Takashi Iwai <tiwai@suse.de>
    ALSA: intel8x0: Fix breakage at ac97 clock measurement

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: scarlett2: Fix wrong resume call

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: firewire-motu: fix stream format for MOTU 8pre FireWire

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Fix OOB access at proc output

Daehwan Jung <dh10.jung@samsung.com>
    ALSA: usb-audio: fix rate on Ozone Z90 USB headset

Szymon Janc <szymon.janc@codecoup.pl>
    Bluetooth: Remove spurious error message

Connor Abbott <cwabbott0@gmail.com>
    Bluetooth: btqca: Don't modify firmware contents in-place

Pavel Skripkin <paskripkin@gmail.com>
    Bluetooth: hci_qca: fix potential GPF


-------------

Diffstat:

 Documentation/ABI/testing/evm                      |  26 ++-
 Documentation/ABI/testing/sysfs-bus-papr-pmem      |   8 +-
 Documentation/admin-guide/kernel-parameters.txt    |   6 +
 Documentation/hwmon/max31790.rst                   |   5 +-
 .../userspace-api/media/v4l/ext-ctrls-codec.rst    |   5 +-
 Documentation/vm/arch_pgtable_helpers.rst          |   8 +-
 Makefile                                           |   6 +-
 arch/alpha/kernel/smp.c                            |   1 -
 arch/arc/kernel/smp.c                              |   1 -
 arch/arm/boot/dts/sama5d4.dtsi                     |   2 +-
 arch/arm/boot/dts/ste-href.dtsi                    |   7 +
 arch/arm/kernel/perf_event_v7.c                    |   4 +-
 arch/arm/kernel/smp.c                              |   1 -
 arch/arm64/boot/dts/marvell/armada-37xx.dtsi       |   2 +-
 arch/arm64/include/asm/asm-uaccess.h               |   4 +-
 arch/arm64/include/asm/kernel-pgtable.h            |   6 -
 arch/arm64/include/asm/mmu_context.h               |   8 +-
 arch/arm64/include/asm/pgtable.h                   |   1 +
 arch/arm64/include/asm/preempt.h                   |   2 +-
 arch/arm64/include/asm/uaccess.h                   |   4 +-
 arch/arm64/kernel/entry.S                          |   6 +-
 arch/arm64/kernel/perf_event.c                     |   2 +-
 arch/arm64/kernel/setup.c                          |   2 +-
 arch/arm64/kernel/smp.c                            |   1 -
 arch/arm64/kernel/vmlinux.lds.S                    |   8 +-
 arch/arm64/kvm/pmu-emul.c                          |   1 +
 arch/arm64/mm/proc.S                               |   2 +-
 arch/csky/kernel/smp.c                             |   1 -
 arch/csky/mm/syscache.c                            |  11 +-
 arch/ia64/kernel/mca_drv.c                         |   2 +-
 arch/ia64/kernel/smpboot.c                         |   1 -
 arch/m68k/Kconfig.machine                          |   3 +
 arch/mips/include/asm/highmem.h                    |   2 +-
 arch/mips/kernel/smp.c                             |   1 -
 arch/openrisc/kernel/smp.c                         |   2 -
 arch/parisc/kernel/smp.c                           |   1 -
 arch/powerpc/include/asm/cputhreads.h              |  30 ++++
 arch/powerpc/kernel/mce_power.c                    |  48 +++++-
 arch/powerpc/kernel/process.c                      |  48 ++++--
 arch/powerpc/kernel/smp.c                          |  12 +-
 arch/powerpc/kernel/stacktrace.c                   |  26 ++-
 arch/powerpc/kvm/book3s_hv.c                       |  13 +-
 arch/powerpc/kvm/book3s_hv_builtin.c               |   2 +-
 arch/powerpc/kvm/book3s_hv_nested.c                |   3 +-
 arch/powerpc/kvm/book3s_hv_rm_mmu.c                |   2 +-
 arch/powerpc/platforms/pseries/papr_scm.c          |  62 ++++---
 arch/riscv/kernel/smpboot.c                        |   1 -
 arch/s390/Kconfig                                  |   4 +-
 arch/s390/boot/uv.c                                |   1 +
 arch/s390/include/asm/pgtable.h                    |  19 +++
 arch/s390/include/asm/preempt.h                    |   4 +-
 arch/s390/include/asm/uv.h                         |   8 +-
 arch/s390/kernel/smp.c                             |   1 -
 arch/s390/kernel/uv.c                              |  10 ++
 arch/s390/kvm/kvm-s390.c                           |  18 +-
 arch/s390/mm/fault.c                               |  26 +++
 arch/sh/kernel/smp.c                               |   2 -
 arch/sparc/kernel/smp_32.c                         |   1 -
 arch/sparc/kernel/smp_64.c                         |   3 -
 arch/x86/crypto/curve25519-x86_64.c                |   2 +-
 arch/x86/entry/entry_64.S                          |   4 +-
 arch/x86/include/asm/idtentry.h                    |  29 ++--
 arch/x86/include/asm/kvm_host.h                    |   2 +-
 arch/x86/include/asm/preempt.h                     |   2 +-
 arch/x86/include/uapi/asm/hwcap2.h                 |   6 +-
 arch/x86/kernel/sev-es.c                           | 182 ++++++++++++---------
 arch/x86/kernel/smpboot.c                          |   1 -
 arch/x86/kernel/tsc.c                              |   3 +-
 arch/x86/kvm/hyperv.c                              |   2 +-
 arch/x86/kvm/mmu/mmu.c                             |  10 +-
 arch/x86/kvm/mmu/paging_tmpl.h                     |   3 +-
 arch/x86/kvm/mmu/tdp_mmu.c                         |   2 +-
 arch/x86/kvm/vmx/nested.c                          |  29 ++--
 arch/x86/kvm/vmx/vmcs.h                            |   5 +
 arch/x86/kvm/vmx/vmx.c                             |   4 +-
 arch/x86/kvm/vmx/vmx.h                             |   1 +
 arch/x86/kvm/x86.c                                 |   2 +-
 arch/xtensa/kernel/smp.c                           |   1 -
 block/blk-flush.c                                  |   3 +-
 block/blk-merge.c                                  |   8 +-
 block/blk-mq-tag.c                                 |  49 ++++--
 block/blk-mq-tag.h                                 |   6 +
 block/blk-mq.c                                     |  63 +++++--
 block/blk-mq.h                                     |   1 +
 block/blk-rq-qos.h                                 |  24 +++
 block/blk-wbt.c                                    |  11 +-
 block/blk-wbt.h                                    |   1 +
 crypto/shash.c                                     |  18 +-
 crypto/sm2.c                                       |  99 +++++------
 drivers/acpi/Makefile                              |   5 +
 drivers/acpi/acpi_pad.c                            |  24 +--
 drivers/acpi/acpi_tad.c                            |  14 +-
 drivers/acpi/acpica/nsrepair2.c                    |   7 +
 drivers/acpi/apei/ghes.c                           |  81 +++++++--
 drivers/acpi/bgrt.c                                |  57 ++-----
 drivers/acpi/bus.c                                 |   1 +
 drivers/acpi/device_pm.c                           |   6 +-
 drivers/acpi/device_sysfs.c                        |  46 +++---
 drivers/acpi/dock.c                                |  26 +--
 drivers/acpi/ec.c                                  |  37 ++++-
 drivers/acpi/fan.c                                 |   7 +-
 drivers/acpi/fan.h                                 |  13 ++
 drivers/acpi/power.c                               |   9 +-
 drivers/acpi/processor_idle.c                      |  40 +++++
 drivers/acpi/resource.c                            |   9 +-
 drivers/acpi/video_detect.c                        |  24 +++
 drivers/ata/pata_ep93xx.c                          |   2 +-
 drivers/ata/pata_octeon_cf.c                       |   5 +-
 drivers/ata/pata_rb532_cf.c                        |   6 +-
 drivers/ata/sata_highbank.c                        |   6 +-
 drivers/block/loop.c                               |   1 +
 drivers/bluetooth/btqca.c                          |  27 ++-
 drivers/bluetooth/hci_qca.c                        |   4 +-
 drivers/bus/mhi/core/pm.c                          |   1 +
 drivers/char/hw_random/exynos-trng.c               |   4 +-
 drivers/char/pcmcia/cm4000_cs.c                    |   4 +
 drivers/char/tpm/tpm_tis_core.c                    |  25 ++-
 drivers/char/tpm/tpm_tis_core.h                    |   3 +-
 drivers/char/tpm/tpm_tis_spi_main.c                |   2 +
 drivers/clk/actions/owl-s500.c                     |  75 +++++----
 drivers/clk/clk-si5341.c                           |  77 ++++++++-
 drivers/clk/clk-versaclock5.c                      |  27 ++-
 drivers/clk/imx/clk-imx8mq.c                       |  56 ++-----
 drivers/clk/meson/g12a.c                           |   2 +-
 drivers/clk/qcom/clk-alpha-pll.c                   |   2 +-
 drivers/clk/socfpga/clk-agilex.c                   |  89 ++++++----
 drivers/clk/socfpga/clk-periph-s10.c               |  11 +-
 drivers/clk/socfpga/clk-s10.c                      |  87 +++++++---
 drivers/clk/tegra/clk-tegra30.c                    |   2 +-
 drivers/clocksource/timer-ti-dm.c                  |   6 +
 drivers/cpufreq/cpufreq.c                          |  11 +-
 drivers/crypto/cavium/nitrox/nitrox_isr.c          |   4 +
 drivers/crypto/ccp/sev-dev.c                       |   4 +
 drivers/crypto/ccp/sp-pci.c                        |   6 +-
 drivers/crypto/hisilicon/sec2/sec_crypto.c         |   4 +-
 drivers/crypto/ixp4xx_crypto.c                     |  24 ++-
 drivers/crypto/nx/nx-842-pseries.c                 |   9 +-
 drivers/crypto/nx/nx-aes-ctr.c                     |   2 +-
 drivers/crypto/omap-sham.c                         |   4 +-
 drivers/crypto/qat/qat_common/qat_hal.c            |   6 +-
 drivers/crypto/qat/qat_common/qat_uclo.c           |   1 -
 drivers/crypto/qce/skcipher.c                      |  15 +-
 drivers/crypto/sa2ul.c                             |  22 ++-
 drivers/crypto/ux500/hash/hash_core.c              |   1 +
 drivers/devfreq/devfreq.c                          |   1 +
 drivers/edac/i10nm_base.c                          |   3 +
 drivers/edac/pnd2_edac.c                           |   3 +
 drivers/edac/sb_edac.c                             |   3 +
 drivers/edac/skx_base.c                            |   3 +
 drivers/edac/ti_edac.c                             |   1 +
 drivers/extcon/extcon-max8997.c                    |   3 +-
 drivers/extcon/extcon-sm5502.c                     |   1 -
 drivers/firmware/stratix10-svc.c                   |  22 ++-
 drivers/fsi/fsi-core.c                             |   4 +-
 drivers/fsi/fsi-occ.c                              |   1 +
 drivers/fsi/fsi-sbefifo.c                          |  10 +-
 drivers/fsi/fsi-scom.c                             |  16 +-
 .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c    |   3 +
 drivers/gpu/drm/ast/ast_main.c                     |   4 +-
 drivers/gpu/drm/bridge/Kconfig                     |   2 +-
 drivers/gpu/drm/drm_bridge.c                       |   3 +
 drivers/gpu/drm/msm/disp/dpu1/dpu_mdss.c           |   8 +-
 drivers/gpu/drm/msm/msm_drv.c                      |   1 +
 drivers/gpu/drm/pl111/Kconfig                      |   1 +
 drivers/gpu/drm/qxl/qxl_dumb.c                     |   2 +
 drivers/gpu/drm/rockchip/cdn-dp-core.c             |   1 +
 drivers/gpu/drm/rockchip/cdn-dp-reg.c              |   2 +-
 drivers/gpu/drm/rockchip/dw-mipi-dsi-rockchip.c    |  36 +++-
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c        |   1 +
 drivers/gpu/drm/rockchip/rockchip_lvds.c           |   4 +-
 drivers/gpu/drm/vc4/vc4_hdmi.c                     |   4 +-
 .../drm/vmwgfx/device_include/svga3d_surfacedefs.h |   8 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c            |  20 ++-
 drivers/gpu/drm/vmwgfx/vmwgfx_surface.c            |  13 ++
 drivers/hid/hid-core.c                             |  10 +-
 drivers/hid/wacom_wac.h                            |   2 +-
 drivers/hv/connection.c                            |   4 +-
 drivers/hv/hv_util.c                               |   4 +-
 drivers/hwmon/lm70.c                               |  48 +-----
 drivers/hwmon/max31722.c                           |   9 -
 drivers/hwmon/max31790.c                           |  49 +++---
 drivers/hwtracing/coresight/coresight-core.c       |   2 +-
 drivers/iio/accel/bma180.c                         |  19 ++-
 drivers/iio/accel/bma220_spi.c                     |  10 +-
 drivers/iio/accel/hid-sensor-accel-3d.c            |  13 +-
 drivers/iio/accel/kxcjk-1013.c                     |  24 +--
 drivers/iio/accel/mxc4005.c                        |  10 +-
 drivers/iio/accel/stk8312.c                        |  12 +-
 drivers/iio/accel/stk8ba50.c                       |  17 +-
 drivers/iio/adc/at91-sama5d2_adc.c                 |   3 +-
 drivers/iio/adc/hx711.c                            |   4 +-
 drivers/iio/adc/mxs-lradc-adc.c                    |   3 +-
 drivers/iio/adc/ti-ads1015.c                       |  12 +-
 drivers/iio/adc/ti-ads8688.c                       |   3 +-
 drivers/iio/adc/vf610_adc.c                        |  10 +-
 drivers/iio/chemical/atlas-sensor.c                |   4 +-
 drivers/iio/frequency/adf4350.c                    |   6 +-
 drivers/iio/gyro/bmg160_core.c                     |  10 +-
 drivers/iio/humidity/am2315.c                      |  16 +-
 drivers/iio/imu/adis16400.c                        |   3 -
 drivers/iio/imu/adis16475.c                        |   2 +-
 drivers/iio/imu/adis_buffer.c                      |   3 -
 drivers/iio/light/isl29125.c                       |  10 +-
 drivers/iio/light/ltr501.c                         |  15 +-
 drivers/iio/light/tcs3414.c                        |  10 +-
 drivers/iio/light/tcs3472.c                        |  16 +-
 drivers/iio/light/vcnl4000.c                       |   2 +-
 drivers/iio/light/vcnl4035.c                       |   3 +-
 drivers/iio/magnetometer/bmc150_magn.c             |  11 +-
 drivers/iio/magnetometer/hmc5843.h                 |   8 +-
 drivers/iio/magnetometer/hmc5843_core.c            |   4 +-
 drivers/iio/magnetometer/rm3100-core.c             |   3 +-
 drivers/iio/potentiostat/lmp91000.c                |   4 +-
 drivers/iio/proximity/as3935.c                     |  10 +-
 drivers/iio/proximity/isl29501.c                   |   2 +-
 drivers/iio/proximity/pulsedlight-lidar-lite-v2.c  |  10 +-
 drivers/iio/proximity/srf08.c                      |  14 +-
 drivers/infiniband/core/cma.c                      |  26 ++-
 drivers/infiniband/core/uverbs_cmd.c               |  21 ++-
 drivers/infiniband/hw/mlx4/qp.c                    |   9 +-
 drivers/infiniband/hw/mlx5/main.c                  |   4 +-
 drivers/infiniband/hw/mlx5/qp.c                    |   6 +-
 drivers/infiniband/sw/rxe/rxe_net.c                |  10 +-
 drivers/infiniband/sw/rxe/rxe_qp.c                 |   1 -
 drivers/infiniband/sw/rxe/rxe_resp.c               |   2 -
 drivers/infiniband/ulp/rtrs/rtrs-clt.c             |  28 +++-
 drivers/infiniband/ulp/rtrs/rtrs-srv-sysfs.c       |   1 +
 drivers/infiniband/ulp/rtrs/rtrs-srv.c             |  39 +++--
 drivers/infiniband/ulp/rtrs/rtrs.c                 |   1 -
 drivers/infiniband/ulp/srp/ib_srp.c                |  13 +-
 drivers/input/joydev.c                             |   2 +-
 drivers/input/keyboard/Kconfig                     |   3 -
 drivers/input/keyboard/hil_kbd.c                   |   1 +
 drivers/input/touchscreen/goodix.c                 |  52 ------
 drivers/input/touchscreen/usbtouchscreen.c         |   8 +-
 drivers/iommu/amd/init.c                           |   4 +-
 drivers/iommu/dma-iommu.c                          |   6 +-
 drivers/leds/Kconfig                               |   1 +
 drivers/leds/led-class.c                           |   4 -
 drivers/leds/leds-as3645a.c                        |   1 +
 drivers/leds/leds-ktd2692.c                        |  27 ++-
 drivers/leds/leds-lm36274.c                        |   1 +
 drivers/leds/leds-lm3692x.c                        |   8 +-
 drivers/leds/leds-lm3697.c                         |   8 +-
 drivers/leds/leds-lp50xx.c                         |   2 +-
 drivers/mailbox/qcom-apcs-ipc-mailbox.c            |   2 +-
 drivers/mailbox/qcom-ipcc.c                        |   6 +
 drivers/media/cec/platform/s5p/s5p_cec.c           |   7 +-
 drivers/media/common/siano/smscoreapi.c            |  22 +--
 drivers/media/common/siano/smscoreapi.h            |   4 +-
 drivers/media/common/siano/smsdvb-main.c           |   4 +
 drivers/media/dvb-core/dvb_net.c                   |  25 ++-
 drivers/media/i2c/ir-kbd-i2c.c                     |   4 +-
 drivers/media/i2c/ov2659.c                         |  24 ++-
 drivers/media/i2c/s5c73m3/s5c73m3-core.c           |   6 +-
 drivers/media/i2c/s5c73m3/s5c73m3.h                |   2 +-
 drivers/media/i2c/s5k4ecgx.c                       |  10 +-
 drivers/media/i2c/s5k5baf.c                        |   6 +-
 drivers/media/i2c/s5k6aa.c                         |  10 +-
 drivers/media/i2c/tc358743.c                       |   1 +
 drivers/media/mc/Makefile                          |   2 +-
 drivers/media/pci/bt8xx/bt878.c                    |   6 +-
 drivers/media/pci/cobalt/cobalt-driver.c           |   1 +
 drivers/media/pci/cobalt/cobalt-driver.h           |   7 +-
 drivers/media/pci/intel/ipu3/ipu3-cio2.c           |  17 +-
 drivers/media/platform/am437x/am437x-vpfe.c        |  15 +-
 drivers/media/platform/exynos-gsc/gsc-m2m.c        |   4 +-
 drivers/media/platform/exynos4-is/fimc-capture.c   |   6 +-
 drivers/media/platform/exynos4-is/fimc-is.c        |   4 +-
 drivers/media/platform/exynos4-is/fimc-isp-video.c |  10 +-
 drivers/media/platform/exynos4-is/fimc-isp.c       |   7 +-
 drivers/media/platform/exynos4-is/fimc-lite.c      |   5 +-
 drivers/media/platform/exynos4-is/fimc-m2m.c       |   5 +-
 drivers/media/platform/exynos4-is/media-dev.c      |  10 +-
 drivers/media/platform/exynos4-is/mipi-csis.c      |  10 +-
 drivers/media/platform/marvell-ccic/mcam-core.c    |   9 +-
 drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c       |   6 +-
 .../media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c |   4 +-
 .../media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c  |   8 +-
 .../media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h  |   2 +-
 drivers/media/platform/omap3isp/isp.c              |  79 ++++-----
 drivers/media/platform/qcom/venus/core.c           |  60 +++++--
 drivers/media/platform/s5p-g2d/g2d.c               |   3 +
 drivers/media/platform/s5p-jpeg/jpeg-core.c        |   5 +-
 drivers/media/platform/sh_vou.c                    |   6 +-
 drivers/media/platform/sti/bdisp/Makefile          |   2 +-
 drivers/media/platform/sti/bdisp/bdisp-v4l2.c      |   7 +-
 drivers/media/platform/sti/delta/Makefile          |   2 +-
 drivers/media/platform/sti/hva/Makefile            |   2 +-
 drivers/media/platform/sti/hva/hva-hw.c            |   3 +-
 drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c |   9 +-
 drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.h |   1 -
 .../platform/sunxi/sun8i-rotate/sun8i_rotate.c     |   2 +-
 drivers/media/platform/video-mux.c                 |  18 +-
 drivers/media/usb/au0828/au0828-core.c             |   4 +-
 drivers/media/usb/cpia2/cpia2.h                    |   1 +
 drivers/media/usb/cpia2/cpia2_core.c               |  12 ++
 drivers/media/usb/cpia2/cpia2_usb.c                |  13 +-
 drivers/media/usb/dvb-usb/cinergyT2-core.c         |   2 +
 drivers/media/usb/dvb-usb/cxusb.c                  |   2 +-
 drivers/media/usb/em28xx/em28xx-input.c            |   8 +-
 drivers/media/usb/gspca/gl860/gl860.c              |   4 +-
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c            |   4 +-
 drivers/media/v4l2-core/v4l2-async.c               |  24 +--
 drivers/media/v4l2-core/v4l2-fh.c                  |   1 +
 drivers/media/v4l2-core/v4l2-subdev.c              |  24 ---
 drivers/memstick/host/rtsx_usb_ms.c                |  10 +-
 drivers/mfd/Kconfig                                |   1 +
 drivers/mfd/rn5t618.c                              |   2 +-
 drivers/misc/eeprom/idt_89hpesx.c                  |   8 +-
 drivers/misc/habanalabs/common/habanalabs_drv.c    |   1 +
 drivers/mmc/core/block.c                           |   8 +
 drivers/mmc/host/sdhci-sprd.c                      |   1 +
 drivers/mmc/host/usdhi6rol0.c                      |   1 +
 drivers/mmc/host/via-sdmmc.c                       |   3 +
 drivers/mmc/host/vub300.c                          |   2 +-
 drivers/mtd/nand/raw/arasan-nand-controller.c      |  90 ++++++----
 drivers/mtd/nand/raw/marvell_nand.c                |   4 +-
 drivers/mtd/parsers/redboot.c                      |   7 +-
 drivers/net/can/peak_canfd/peak_canfd.c            |   4 +-
 drivers/net/can/usb/ems_usb.c                      |   3 +-
 drivers/net/dsa/sja1105/sja1105_main.c             |   6 +
 drivers/net/ethernet/aeroflex/greth.c              |   3 +-
 drivers/net/ethernet/aquantia/atlantic/aq_macsec.h |   4 +-
 drivers/net/ethernet/broadcom/genet/bcmgenet.c     |   1 +
 drivers/net/ethernet/emulex/benet/be_cmds.c        |   6 +-
 drivers/net/ethernet/emulex/benet/be_main.c        |   2 +
 drivers/net/ethernet/ezchip/nps_enet.c             |   4 +-
 drivers/net/ethernet/faraday/ftgmac100.c           |   6 +-
 drivers/net/ethernet/google/gve/gve_main.c         |   4 +-
 drivers/net/ethernet/ibm/ehea/ehea_main.c          |   9 +-
 drivers/net/ethernet/ibm/ibmvnic.c                 |  36 ++--
 drivers/net/ethernet/intel/e1000e/netdev.c         |  24 +--
 drivers/net/ethernet/intel/i40e/i40e_ethtool.c     |   3 +-
 drivers/net/ethernet/intel/i40e/i40e_main.c        |  17 +-
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c    |   2 +
 .../net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c   |  10 +-
 drivers/net/ethernet/ti/am65-cpsw-nuss.c           |  18 +-
 drivers/net/ieee802154/mac802154_hwsim.c           |  11 +-
 drivers/net/macsec.c                               |   4 +-
 drivers/net/phy/mscc/mscc_macsec.c                 |   2 +-
 drivers/net/phy/mscc/mscc_macsec.h                 |   2 +-
 drivers/net/vrf.c                                  |  14 +-
 drivers/net/vxlan.c                                |   2 +
 drivers/net/wireless/ath/ath10k/mac.c              |   1 +
 drivers/net/wireless/ath/ath10k/pci.c              |  14 +-
 drivers/net/wireless/ath/ath11k/core.c             |   3 +-
 drivers/net/wireless/ath/ath11k/mac.c              |  10 +-
 drivers/net/wireless/ath/ath9k/main.c              |   5 +
 drivers/net/wireless/ath/carl9170/Kconfig          |   8 +-
 drivers/net/wireless/ath/wcn36xx/main.c            |  21 +--
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         |  37 +++--
 .../wireless/broadcom/brcm80211/brcmfmac/sdio.c    |   1 -
 .../broadcom/brcm80211/brcmsmac/mac80211_if.c      |   8 +-
 drivers/net/wireless/intel/iwlwifi/fw/pnvm.h       |   4 +-
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c        |   3 +
 drivers/net/wireless/marvell/mwifiex/pcie.c        |  10 +-
 .../net/wireless/mediatek/mt76/mt7615/pci_mac.c    |   5 +-
 .../net/wireless/mediatek/mt76/mt7615/usb_sdio.c   |   5 +-
 drivers/net/wireless/mediatek/mt76/tx.c            |   2 +-
 drivers/net/wireless/realtek/rtw88/rtw8822c.c      |  22 +--
 drivers/net/wireless/rsi/rsi_91x_hal.c             |   6 +-
 drivers/net/wireless/rsi/rsi_91x_mac80211.c        |   3 -
 drivers/net/wireless/rsi/rsi_91x_mgmt.c            |   3 +-
 drivers/net/wireless/rsi/rsi_main.h                |   1 -
 drivers/net/wireless/st/cw1200/scan.c              |  17 +-
 drivers/nvme/host/pci.c                            |  26 +--
 drivers/nvme/target/fc.c                           |  10 +-
 drivers/of/fdt.c                                   |   8 +-
 drivers/of/of_reserved_mem.c                       |   8 +-
 drivers/pci/controller/pci-hyperv.c                |   3 +
 drivers/perf/arm-cmn.c                             |   2 +-
 drivers/perf/arm_smmuv3_pmu.c                      |  18 +-
 drivers/perf/fsl_imx8_ddr_perf.c                   |   6 +-
 drivers/phy/socionext/phy-uniphier-pcie.c          |  11 +-
 drivers/phy/ti/phy-dm816x-usb.c                    |  17 +-
 drivers/pinctrl/renesas/pfc-r8a7796.c              |   3 +-
 drivers/pinctrl/renesas/pfc-r8a77990.c             |   8 +-
 drivers/platform/x86/asus-nb-wmi.c                 |  77 ---------
 drivers/platform/x86/toshiba_acpi.c                |   1 +
 drivers/platform/x86/touchscreen_dmi.c             |  85 ++++++++++
 drivers/regulator/da9052-regulator.c               |   3 +-
 drivers/regulator/fan53880.c                       |   2 +-
 drivers/regulator/hi655x-regulator.c               |  16 +-
 drivers/regulator/mt6358-regulator.c               |   2 +-
 drivers/regulator/uniphier-regulator.c             |   1 +
 drivers/rtc/rtc-stm32.c                            |   6 +-
 drivers/s390/cio/chp.c                             |   3 +
 drivers/s390/cio/chsc.c                            |   2 -
 drivers/scsi/FlashPoint.c                          |  32 ++--
 drivers/scsi/mpt3sas/mpt3sas_scsih.c               |   4 +-
 drivers/scsi/scsi_lib.c                            |   1 +
 drivers/scsi/scsi_transport_iscsi.c                |   2 +
 drivers/soundwire/stream.c                         |  13 +-
 drivers/spi/spi-loopback-test.c                    |   2 +-
 drivers/spi/spi-meson-spicc.c                      |   8 +-
 drivers/spi/spi-omap-100k.c                        |   2 +-
 drivers/spi/spi-sun6i.c                            |   6 +-
 drivers/spi/spi-topcliff-pch.c                     |   4 +-
 drivers/spi/spi.c                                  |   8 +-
 drivers/ssb/scan.c                                 |   1 +
 drivers/ssb/sdio.c                                 |   1 -
 drivers/staging/fbtft/fb_agm1264k-fl.c             |  20 +--
 drivers/staging/fbtft/fb_bd663474.c                |   4 -
 drivers/staging/fbtft/fb_ili9163.c                 |   4 -
 drivers/staging/fbtft/fb_ili9320.c                 |   1 -
 drivers/staging/fbtft/fb_ili9325.c                 |   4 -
 drivers/staging/fbtft/fb_ili9340.c                 |   1 -
 drivers/staging/fbtft/fb_s6d1121.c                 |   4 -
 drivers/staging/fbtft/fb_sh1106.c                  |   1 -
 drivers/staging/fbtft/fb_ssd1289.c                 |   4 -
 drivers/staging/fbtft/fb_ssd1325.c                 |   2 -
 drivers/staging/fbtft/fb_ssd1331.c                 |   6 +-
 drivers/staging/fbtft/fb_ssd1351.c                 |   1 -
 drivers/staging/fbtft/fb_upd161704.c               |   4 -
 drivers/staging/fbtft/fb_watterott.c               |   1 -
 drivers/staging/fbtft/fbtft-bus.c                  |   3 +-
 drivers/staging/fbtft/fbtft-core.c                 |  25 ++-
 drivers/staging/fbtft/fbtft-io.c                   |  12 +-
 drivers/staging/gdm724x/gdm_lte.c                  |  20 ++-
 drivers/staging/media/hantro/hantro_drv.c          |  33 ++--
 drivers/staging/media/hantro/hantro_v4l2.c         |   9 +-
 drivers/staging/media/imx/imx-media-csi.c          |  28 ++--
 drivers/staging/media/imx/imx6-mipi-csi2.c         |  19 +--
 drivers/staging/media/imx/imx7-media-csi.c         |  16 +-
 drivers/staging/media/imx/imx7-mipi-csis.c         |  21 +--
 drivers/staging/media/rkisp1/rkisp1-dev.c          |  15 +-
 drivers/staging/media/rkvdec/rkvdec.c              |  12 +-
 drivers/staging/media/sunxi/cedrus/cedrus_h265.c   |   4 +-
 drivers/staging/media/sunxi/cedrus/cedrus_video.c  |   8 +-
 drivers/staging/mt7621-dts/mt7621.dtsi             |   2 +-
 drivers/staging/rtl8712/hal_init.c                 |   3 +
 drivers/staging/rtl8712/os_intfs.c                 |   4 -
 drivers/staging/rtl8712/usb_intf.c                 |  24 +--
 .../staging/vc04_services/vchiq-mmal/mmal-vchiq.c  |   2 +-
 drivers/target/iscsi/cxgbit/cxgbit_ddp.c           |  19 ++-
 drivers/target/iscsi/cxgbit/cxgbit_target.c        |  21 ++-
 drivers/thermal/cpufreq_cooling.c                  |   2 +-
 drivers/thunderbolt/test.c                         |  14 +-
 drivers/tty/nozomi.c                               |   9 +-
 drivers/tty/serial/8250/8250_omap.c                |  62 ++++++-
 drivers/tty/serial/8250/8250_port.c                |  19 ++-
 drivers/tty/serial/8250/serial_cs.c                |   2 +-
 drivers/tty/serial/fsl_lpuart.c                    |  14 +-
 drivers/tty/serial/mvebu-uart.c                    |  18 +-
 drivers/tty/serial/sh-sci.c                        |   8 +
 drivers/usb/class/cdc-acm.c                        |   5 +
 drivers/usb/dwc2/core.c                            |  30 +++-
 drivers/usb/dwc3/core.c                            |   3 +-
 drivers/usb/gadget/function/f_eem.c                |  43 ++++-
 drivers/usb/gadget/function/f_fs.c                 |  65 ++++----
 drivers/usb/host/xhci-mem.c                        |   1 +
 drivers/usb/host/xhci-pci-renesas.c                |  16 +-
 drivers/usb/typec/class.c                          |   4 +-
 drivers/vfio/pci/vfio_pci.c                        |  29 +++-
 drivers/video/backlight/lm3630a_bl.c               |   4 +-
 drivers/video/fbdev/imxfb.c                        |   2 +-
 drivers/visorbus/visorchipset.c                    |   6 +-
 fs/btrfs/Kconfig                                   |   2 +
 fs/btrfs/delayed-inode.c                           |  18 +-
 fs/btrfs/inode.c                                   |  16 +-
 fs/btrfs/send.c                                    |  11 ++
 fs/btrfs/sysfs.c                                   |   4 +-
 fs/btrfs/transaction.c                             |   6 +-
 fs/btrfs/tree-log.c                                |   1 +
 fs/cifs/cifsglob.h                                 |   3 +-
 fs/cifs/connect.c                                  |   5 +-
 fs/cifs/smb2ops.c                                  | 133 +++++++++++++++
 fs/configfs/file.c                                 |  10 +-
 fs/crypto/fname.c                                  |  10 +-
 fs/crypto/keysetup.c                               |  40 ++++-
 fs/dax.c                                           |   3 +-
 fs/dlm/config.c                                    |   9 +
 fs/dlm/lowcomms.c                                  |   2 +-
 fs/erofs/super.c                                   |   1 +
 fs/exec.c                                          |   4 +
 fs/exfat/dir.c                                     |   8 +-
 fs/ext4/extents.c                                  |   3 +
 fs/ext4/extents_status.c                           |   4 +-
 fs/ext4/ialloc.c                                   |  11 +-
 fs/ext4/inode.c                                    |   2 +-
 fs/ext4/mballoc.c                                  |   9 +-
 fs/ext4/super.c                                    |  10 +-
 fs/f2fs/data.c                                     |   6 +
 fs/fs-writeback.c                                  |  39 ++---
 fs/fuse/dev.c                                      |  12 +-
 fs/fuse/dir.c                                      |  25 ++-
 fs/gfs2/file.c                                     |   4 +-
 fs/gfs2/ops_fstype.c                               |   1 +
 fs/io_uring.c                                      |   2 +-
 fs/ntfs/inode.c                                    |   2 +-
 fs/ocfs2/filecheck.c                               |   6 +-
 fs/ocfs2/stackglue.c                               |   8 +-
 fs/open.c                                          |  14 +-
 fs/proc/task_mmu.c                                 |   2 +-
 fs/pstore/Kconfig                                  |   1 +
 include/asm-generic/preempt.h                      |   2 +-
 include/clocksource/timer-ti-dm.h                  |   1 +
 include/crypto/internal/hash.h                     |   8 +-
 include/dt-bindings/clock/imx8mq-clock.h           |  19 ---
 include/linux/bio.h                                |  12 +-
 include/linux/clocksource.h                        |   2 +-
 include/linux/cred.h                               |   2 +
 include/linux/huge_mm.h                            | 165 ++++++++++---------
 include/linux/iio/common/cros_ec_sensors_core.h    |   2 +-
 include/linux/prandom.h                            |   2 +-
 include/linux/swap.h                               |   9 +
 include/linux/tracepoint.h                         |  10 ++
 include/linux/user_namespace.h                     |   4 +
 include/media/hevc-ctrls.h                         |   3 +-
 include/media/media-dev-allocator.h                |   2 +-
 include/media/v4l2-async.h                         |  15 +-
 include/net/bluetooth/hci.h                        |   6 +-
 include/net/bluetooth/hci_core.h                   |   8 +-
 include/net/ip.h                                   |  12 +-
 include/net/ip6_route.h                            |  16 +-
 include/net/macsec.h                               |   2 +-
 include/net/sch_generic.h                          |  12 ++
 include/net/tc_act/tc_vlan.h                       |   1 +
 include/net/xfrm.h                                 |   1 +
 include/net/xsk_buff_pool.h                        |   9 +-
 include/scsi/fc/fc_ms.h                            |   4 +-
 init/main.c                                        |   6 +-
 kernel/bpf/verifier.c                              |   6 +-
 kernel/cred.c                                      |  40 +++++
 kernel/fork.c                                      |   8 +-
 kernel/kthread.c                                   |  19 ++-
 kernel/locking/lockdep.c                           | 122 +++++++++++++-
 kernel/rcu/tree.c                                  |   2 +-
 kernel/sched/core.c                                |  45 ++---
 kernel/sched/deadline.c                            |   2 +
 kernel/sched/fair.c                                |   8 +-
 kernel/sched/psi.c                                 |  12 +-
 kernel/sched/rt.c                                  |  17 +-
 kernel/smpboot.c                                   |   1 -
 kernel/sys.c                                       |  12 ++
 kernel/time/clocksource.c                          | 113 ++++++++++++-
 kernel/trace/bpf_trace.c                           |   3 +-
 kernel/trace/trace_events_hist.c                   |   7 +
 kernel/tracepoint.c                                |  33 +++-
 kernel/ucount.c                                    |  40 ++++-
 kernel/user_namespace.c                            |   3 +
 lib/Kconfig.debug                                  |   1 -
 lib/iov_iter.c                                     |   9 +-
 lib/kstrtox.c                                      |  13 +-
 lib/kstrtox.h                                      |   2 +
 lib/locking-selftest.c                             |   1 +
 lib/math/rational.c                                |  16 +-
 lib/seq_buf.c                                      |   4 +-
 lib/vsprintf.c                                     |  82 ++++++----
 mm/debug_vm_pgtable.c                              | 149 ++++++++++++++---
 mm/gup.c                                           |  58 +++++--
 mm/huge_memory.c                                   |  19 ++-
 mm/hugetlb.c                                       | 104 ++++++++----
 mm/khugepaged.c                                    |   4 +-
 mm/memcontrol.c                                    |   8 +
 mm/memory.c                                        |  11 +-
 mm/page_alloc.c                                    |  34 ++--
 mm/shmem.c                                         |  17 +-
 mm/slab.h                                          |   1 -
 mm/z3fold.c                                        |   3 +-
 net/bluetooth/hci_event.c                          |  27 +--
 net/bluetooth/hci_request.c                        |  63 +++----
 net/bluetooth/mgmt.c                               |   3 +
 net/bpfilter/main.c                                |   2 +-
 net/can/bcm.c                                      |   7 +-
 net/can/gw.c                                       |   3 +
 net/can/isotp.c                                    |   7 +-
 net/can/j1939/main.c                               |   4 +
 net/can/j1939/socket.c                             |   5 +-
 net/core/filter.c                                  |   4 -
 net/ipv4/esp4.c                                    |   2 +-
 net/ipv4/fib_frontend.c                            |   2 +
 net/ipv4/route.c                                   |   3 +-
 net/ipv6/esp6.c                                    |   2 +-
 net/ipv6/exthdrs.c                                 |  31 ++--
 net/ipv6/ip6_tunnel.c                              |   4 +-
 net/mac80211/mlme.c                                |   9 -
 net/mac80211/sta_info.c                            |   5 -
 net/mptcp/subflow.c                                |   6 +-
 net/mptcp/token.c                                  |   6 +-
 net/netfilter/nf_tables_offload.c                  |  17 +-
 net/netfilter/nft_exthdr.c                         |   3 +
 net/netfilter/nft_osf.c                            |   5 +
 net/netfilter/nft_tproxy.c                         |   9 +-
 net/netlabel/netlabel_mgmt.c                       |  19 ++-
 net/qrtr/ns.c                                      |   4 +-
 net/sched/act_vlan.c                               |   7 +-
 net/sched/cls_tcindex.c                            |   2 +-
 net/sched/sch_qfq.c                                |   8 +-
 net/sunrpc/sched.c                                 |  12 +-
 net/tipc/bcast.c                                   |   2 +-
 net/tipc/msg.c                                     |  17 +-
 net/tipc/msg.h                                     |   3 +-
 net/tls/tls_sw.c                                   |   2 +-
 net/xdp/xsk_queue.h                                |  11 +-
 net/xfrm/xfrm_device.c                             |   1 +
 net/xfrm/xfrm_output.c                             |   7 -
 net/xfrm/xfrm_state.c                              |  14 +-
 samples/bpf/xdp_redirect_user.c                    |   4 +-
 scripts/Makefile.build                             |   5 +-
 scripts/tools-support-relr.sh                      |   3 +-
 security/integrity/evm/evm_main.c                  |   5 +-
 security/integrity/evm/evm_secfs.c                 |  13 +-
 sound/firewire/amdtp-stream.c                      |   7 +-
 sound/firewire/motu/motu-protocol-v2.c             |   5 +-
 sound/pci/hda/patch_realtek.c                      |  49 +++++-
 sound/pci/intel8x0.c                               |   2 +-
 sound/soc/atmel/atmel-i2s.c                        |  34 +++-
 sound/soc/codecs/cs42l42.h                         |   2 +-
 sound/soc/codecs/max98373-sdw.c                    |  12 +-
 sound/soc/codecs/max98373.h                        |   2 +-
 sound/soc/codecs/rk3328_codec.c                    |  28 +++-
 sound/soc/codecs/rt1308-sdw.c                      |   2 +-
 sound/soc/codecs/rt5682-i2c.c                      |   1 +
 sound/soc/codecs/rt5682-sdw.c                      |  23 ++-
 sound/soc/codecs/rt700-sdw.c                       |   2 +-
 sound/soc/codecs/rt711-sdw.c                       |   2 +-
 sound/soc/codecs/rt715-sdw.c                       |   2 +-
 sound/soc/fsl/fsl_spdif.c                          |  23 ++-
 sound/soc/hisilicon/hi6210-i2s.c                   |  14 +-
 sound/soc/intel/boards/sof_sdw.c                   |  16 +-
 sound/soc/mediatek/common/mtk-btcvsd.c             |  24 ++-
 sound/soc/sh/rcar/adg.c                            |   4 +-
 sound/usb/format.c                                 |   2 +
 sound/usb/mixer.c                                  |   8 +-
 sound/usb/mixer.h                                  |   1 +
 sound/usb/mixer_scarlett_gen2.c                    |   7 +-
 tools/bpf/bpftool/main.c                           |   4 +-
 tools/bpf/resolve_btfids/main.c                    |   3 +
 tools/perf/util/llvm-utils.c                       |   2 +
 .../util/scripting-engines/trace-event-python.c    | 146 +++++++++--------
 tools/testing/selftests/bpf/.gitignore             |   1 +
 .../selftests/ftrace/test.d/event/event-no-pid.tc  |   7 +
 tools/testing/selftests/lkdtm/run.sh               |  12 +-
 .../testing/selftests/splice/short_splice_read.sh  | 119 +++++++++++---
 .../selftests/tc-testing/plugin-lib/scapyPlugin.py |   2 +-
 tools/testing/selftests/vm/protection_keys.c       |  12 +-
 638 files changed, 5205 insertions(+), 2782 deletions(-)



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 001/593] Bluetooth: hci_qca: fix potential GPF
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 002/593] Bluetooth: btqca: Dont modify firmware contents in-place Greg Kroah-Hartman
                   ` (596 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rocky Liao, Pavel Skripkin,
	Johan Hovold, Marcel Holtmann

From: Pavel Skripkin <paskripkin@gmail.com>

commit 59f90f1351282ea2dbd0c59098fd9bb2634e920e upstream.

In qca_power_shutdown() qcadev local variable is
initialized by hu->serdev.dev private data, but
hu->serdev can be NULL and there is a check for it.

Since, qcadev is not used before

	if (!hu->serdev)
		return;

we can move its initialization after this "if" to
prevent GPF.

Fixes: 5559904ccc08 ("Bluetooth: hci_qca: Add QCA Rome power off support to the qca_power_shutdown()")
Cc: stable@vger.kernel.org # v5.6+
Cc: Rocky Liao <rjliao@codeaurora.org>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/hci_qca.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -1809,8 +1809,6 @@ static void qca_power_shutdown(struct hc
 	unsigned long flags;
 	enum qca_btsoc_type soc_type = qca_soc_type(hu);
 
-	qcadev = serdev_device_get_drvdata(hu->serdev);
-
 	/* From this point we go into power off state. But serial port is
 	 * still open, stop queueing the IBS data and flush all the buffered
 	 * data in skb's.
@@ -1826,6 +1824,8 @@ static void qca_power_shutdown(struct hc
 	if (!hu->serdev)
 		return;
 
+	qcadev = serdev_device_get_drvdata(hu->serdev);
+
 	if (qca_is_wcn399x(soc_type)) {
 		host_set_baudrate(hu, 2400);
 		qca_send_power_pulse(hu, false);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 002/593] Bluetooth: btqca: Dont modify firmware contents in-place
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 001/593] Bluetooth: hci_qca: fix potential GPF Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 003/593] Bluetooth: Remove spurious error message Greg Kroah-Hartman
                   ` (595 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Venkata Lakshmi Narayana Gubba,
	Connor Abbott, Marcel Holtmann

From: Connor Abbott <cwabbott0@gmail.com>

commit b43ca511178ed0ab6fd2405df28cf9e100273020 upstream.

struct firmware::data is marked const, and when the firmware is
compressed with xz (default at least with Fedora) it's mapped read-only
which results in a crash:

BUG: unable to handle page fault for address: ffffae57c0ca5047
PGD 100000067 P4D 100000067 PUD 1001ce067 PMD 10165a067 PTE 8000000112bba161
Oops: 0003 [#1] SMP NOPTI
CPU: 3 PID: 204 Comm: kworker/u17:0 Not tainted 5.12.1-test+ #1
Hardware name: Dell Inc. XPS 13 9310/0F7M4C, BIOS 1.2.5 12/10/2020
Workqueue: hci0 hci_power_on [bluetooth]
RIP: 0010:qca_download_firmware+0x27c/0x4e0 [btqca]
Code: 1b 75 04 80 48 0c 01 0f b7 c6 8d 54 02 0c 41 39 d7 0f 8e 62 fe ff ff 48 63 c2 4c 01 e8 0f b7 38 0f b7 70 02 66 83 ff 11 75 d3 <80> 48 0c 80 41 83 fc 03 7e 6e 88 58 0d eb ce 41 0f b6 45 0e 48 8b
RSP: 0018:ffffae57c08dfc68 EFLAGS: 00010246
RAX: ffffae57c0ca503b RBX: 000000000000000e RCX: 0000000000000000
RDX: 0000000000000037 RSI: 0000000000000006 RDI: 0000000000000011
RBP: ffff978d9949e000 R08: ffff978d84ed7540 R09: ffffae57c0ca5000
R10: 000000000010cd00 R11: 0000000000000001 R12: 0000000000000005
R13: ffffae57c0ca5004 R14: ffff978d98ca8680 R15: 00000000000016a9
FS:  0000000000000000(0000) GS:ffff9794ef6c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffae57c0ca5047 CR3: 0000000113d5a004 CR4: 0000000000770ee0
PKRU: 55555554
Call Trace:
 qca_uart_setup+0x2cb/0x1390 [btqca]
 ? qca_read_soc_version+0x136/0x220 [btqca]
 qca_setup+0x288/0xab0 [hci_uart]
 hci_dev_do_open+0x1f3/0x780 [bluetooth]
 ? try_to_wake_up+0x1c1/0x4f0
 hci_power_on+0x3f/0x200 [bluetooth]
 process_one_work+0x1ec/0x380
 worker_thread+0x53/0x3e0
 ? process_one_work+0x380/0x380
 kthread+0x11b/0x140
 ? kthread_associate_blkcg+0xa0/0xa0
 ret_from_fork+0x1f/0x30
Modules linked in: llc ip_set nf_tables nfnetlink snd_soc_skl_hda_dsp(+) ip6table_filter snd_soc_hdac_hdmi ip6_tables qrtr_mhi iptable_filter snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic s>
 dell_wmi_sysman(+) dell_smbios snd dcdbas mhi vfat videobuf2_vmalloc i2c_i801 videobuf2_memops videobuf2_v4l2 dell_wmi_descriptor fat wmi_bmof soundcore i2c_smbus videobuf2_common libarc4 mei_me mei hid_se>
 i2c_hid_acpi i2c_hid video pinctrl_tigerlake fuse
CR2: ffffae57c0ca5047

This also seems to fix a failure to suspend due to the firmware
download on bootup getting interrupted by the crash:

Bluetooth: hci0: SSR or FW download time out
PM: dpm_run_callback(): acpi_subsys_suspend+0x0/0x60 returns -110
PM: Device serial0-0 failed to suspend: error -110
PM: Some devices failed to suspend, or early wake event detected

Fixes: 83e8196 ("Bluetooth: btqca: Introduce generic QCA ROME support")
Cc: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
Cc: stable@vger.kernel.org
Signed-off-by: Connor Abbott <cwabbott0@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bluetooth/btqca.c |   27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -143,7 +143,7 @@ int qca_send_pre_shutdown_cmd(struct hci
 EXPORT_SYMBOL_GPL(qca_send_pre_shutdown_cmd);
 
 static void qca_tlv_check_data(struct qca_fw_config *config,
-		const struct firmware *fw, enum qca_btsoc_type soc_type)
+		u8 *fw_data, enum qca_btsoc_type soc_type)
 {
 	const u8 *data;
 	u32 type_len;
@@ -154,7 +154,7 @@ static void qca_tlv_check_data(struct qc
 	struct tlv_type_nvm *tlv_nvm;
 	uint8_t nvm_baud_rate = config->user_baud_rate;
 
-	tlv = (struct tlv_type_hdr *)fw->data;
+	tlv = (struct tlv_type_hdr *)fw_data;
 
 	type_len = le32_to_cpu(tlv->type_len);
 	length = (type_len >> 8) & 0x00ffffff;
@@ -350,8 +350,9 @@ static int qca_download_firmware(struct
 				 enum qca_btsoc_type soc_type)
 {
 	const struct firmware *fw;
+	u8 *data;
 	const u8 *segment;
-	int ret, remain, i = 0;
+	int ret, size, remain, i = 0;
 
 	bt_dev_info(hdev, "QCA Downloading %s", config->fwname);
 
@@ -362,10 +363,22 @@ static int qca_download_firmware(struct
 		return ret;
 	}
 
-	qca_tlv_check_data(config, fw, soc_type);
+	size = fw->size;
+	data = vmalloc(fw->size);
+	if (!data) {
+		bt_dev_err(hdev, "QCA Failed to allocate memory for file: %s",
+			   config->fwname);
+		release_firmware(fw);
+		return -ENOMEM;
+	}
+
+	memcpy(data, fw->data, size);
+	release_firmware(fw);
+
+	qca_tlv_check_data(config, data, soc_type);
 
-	segment = fw->data;
-	remain = fw->size;
+	segment = data;
+	remain = size;
 	while (remain > 0) {
 		int segsize = min(MAX_SIZE_PER_TLV_SEGMENT, remain);
 
@@ -395,7 +408,7 @@ static int qca_download_firmware(struct
 		ret = qca_inject_cmd_complete_event(hdev);
 
 out:
-	release_firmware(fw);
+	vfree(data);
 
 	return ret;
 }



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 003/593] Bluetooth: Remove spurious error message
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 001/593] Bluetooth: hci_qca: fix potential GPF Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 002/593] Bluetooth: btqca: Dont modify firmware contents in-place Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 004/593] ALSA: usb-audio: fix rate on Ozone Z90 USB headset Greg Kroah-Hartman
                   ` (594 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Szymon Janc, Marcel Holtmann

From: Szymon Janc <szymon.janc@codecoup.pl>

commit 1c58e933aba23f68c0d3f192f7cc6eed8fabd694 upstream.

Even with rate limited reporting this is very spammy and since
it is remote device that is providing bogus data there is no
need to report this as error.

Since real_len variable was used only to allow conditional error
message it is now also removed.

[72454.143336] bt_err_ratelimited: 10 callbacks suppressed
[72454.143337] Bluetooth: hci0: advertising data len corrected
[72454.296314] Bluetooth: hci0: advertising data len corrected
[72454.892329] Bluetooth: hci0: advertising data len corrected
[72455.051319] Bluetooth: hci0: advertising data len corrected
[72455.357326] Bluetooth: hci0: advertising data len corrected
[72455.663295] Bluetooth: hci0: advertising data len corrected
[72455.787278] Bluetooth: hci0: advertising data len corrected
[72455.942278] Bluetooth: hci0: advertising data len corrected
[72456.094276] Bluetooth: hci0: advertising data len corrected
[72456.249137] Bluetooth: hci0: advertising data len corrected
[72459.416333] bt_err_ratelimited: 13 callbacks suppressed
[72459.416334] Bluetooth: hci0: advertising data len corrected
[72459.721334] Bluetooth: hci0: advertising data len corrected
[72460.011317] Bluetooth: hci0: advertising data len corrected
[72460.327171] Bluetooth: hci0: advertising data len corrected
[72460.638294] Bluetooth: hci0: advertising data len corrected
[72460.946350] Bluetooth: hci0: advertising data len corrected
[72461.225320] Bluetooth: hci0: advertising data len corrected
[72461.690322] Bluetooth: hci0: advertising data len corrected
[72462.118318] Bluetooth: hci0: advertising data len corrected
[72462.427319] Bluetooth: hci0: advertising data len corrected
[72464.546319] bt_err_ratelimited: 7 callbacks suppressed
[72464.546319] Bluetooth: hci0: advertising data len corrected
[72464.857318] Bluetooth: hci0: advertising data len corrected
[72465.163332] Bluetooth: hci0: advertising data len corrected
[72465.278331] Bluetooth: hci0: advertising data len corrected
[72465.432323] Bluetooth: hci0: advertising data len corrected
[72465.891334] Bluetooth: hci0: advertising data len corrected
[72466.045334] Bluetooth: hci0: advertising data len corrected
[72466.197321] Bluetooth: hci0: advertising data len corrected
[72466.340318] Bluetooth: hci0: advertising data len corrected
[72466.498335] Bluetooth: hci0: advertising data len corrected
[72469.803299] bt_err_ratelimited: 10 callbacks suppressed

Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=203753
Cc: stable@vger.kernel.org
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/bluetooth/hci_event.c |   14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5401,7 +5401,7 @@ static void process_adv_report(struct hc
 	struct hci_conn *conn;
 	bool match;
 	u32 flags;
-	u8 *ptr, real_len;
+	u8 *ptr;
 
 	switch (type) {
 	case LE_ADV_IND:
@@ -5432,14 +5432,10 @@ static void process_adv_report(struct hc
 			break;
 	}
 
-	real_len = ptr - data;
-
-	/* Adjust for actual length */
-	if (len != real_len) {
-		bt_dev_err_ratelimited(hdev, "advertising data len corrected %u -> %u",
-				       len, real_len);
-		len = real_len;
-	}
+	/* Adjust for actual length. This handles the case when remote
+	 * device is advertising with incorrect data length.
+	 */
+	len = ptr - data;
 
 	/* If the direct address is present, then this report is from
 	 * a LE Direct Advertising Report event. In that case it is



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 004/593] ALSA: usb-audio: fix rate on Ozone Z90 USB headset
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 003/593] Bluetooth: Remove spurious error message Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 005/593] ALSA: usb-audio: Fix OOB access at proc output Greg Kroah-Hartman
                   ` (593 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daehwan Jung, Takashi Iwai

From: Daehwan Jung <dh10.jung@samsung.com>

commit aecc19ec404bdc745c781058ac97a373731c3089 upstream.

It mislabels its 96 kHz altsetting and that's why it causes some noise

Signed-off-by: Daehwan Jung <dh10.jung@samsung.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1623836097-61918-1-git-send-email-dh10.jung@samsung.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/format.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/usb/format.c
+++ b/sound/usb/format.c
@@ -208,9 +208,11 @@ static int parse_audio_format_rates_v1(s
 				continue;
 			/* C-Media CM6501 mislabels its 96 kHz altsetting */
 			/* Terratec Aureon 7.1 USB C-Media 6206, too */
+			/* Ozone Z90 USB C-Media, too */
 			if (rate == 48000 && nr_rates == 1 &&
 			    (chip->usb_id == USB_ID(0x0d8c, 0x0201) ||
 			     chip->usb_id == USB_ID(0x0d8c, 0x0102) ||
+			     chip->usb_id == USB_ID(0x0d8c, 0x0078) ||
 			     chip->usb_id == USB_ID(0x0ccd, 0x00b1)) &&
 			    fp->altsetting == 5 && fp->maxpacksize == 392)
 				rate = 96000;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 005/593] ALSA: usb-audio: Fix OOB access at proc output
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 004/593] ALSA: usb-audio: fix rate on Ozone Z90 USB headset Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 006/593] ALSA: firewire-motu: fix stream format for MOTU 8pre FireWire Greg Kroah-Hartman
                   ` (592 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 362372ceb6556f338e230f2d90af27b47f82365a upstream.

At extending the available mixer values for 32bit types, we forgot to
add the corresponding entries for the format dump in the proc output.
This may result in OOB access.  Here adds the missing entries.

Fixes: bc18e31c3042 ("ALSA: usb-audio: Fix parameter block size for UAC2 control requests")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210622090647.14021-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/mixer.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -3273,8 +3273,9 @@ static void snd_usb_mixer_dump_cval(stru
 				    struct usb_mixer_elem_list *list)
 {
 	struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list);
-	static const char * const val_types[] = {"BOOLEAN", "INV_BOOLEAN",
-				    "S8", "U8", "S16", "U16"};
+	static const char * const val_types[] = {
+		"BOOLEAN", "INV_BOOLEAN", "S8", "U8", "S16", "U16", "S32", "U32",
+	};
 	snd_iprintf(buffer, "    Info: id=%i, control=%i, cmask=0x%x, "
 			    "channels=%i, type=\"%s\"\n", cval->head.id,
 			    cval->control, cval->cmask, cval->channels,



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 006/593] ALSA: firewire-motu: fix stream format for MOTU 8pre FireWire
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 005/593] ALSA: usb-audio: Fix OOB access at proc output Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 007/593] ALSA: usb-audio: scarlett2: Fix wrong resume call Greg Kroah-Hartman
                   ` (591 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Sakamoto, Takashi Iwai

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

commit fc36ef80ca2c68b2c9df06178048f08280e4334f upstream.

My previous refactoring for ALSA firewire-motu driver brought regression
to handle MOTU 8pre FireWire. The packet format is not operated correctly.

Cc: <stable@vger.kernel.org>
Fixes: dfbaa4dc11eb ("ALSA: firewire-motu: add model-specific table of chunk count")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20210614083133.39753-1-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/firewire/motu/motu-protocol-v2.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/sound/firewire/motu/motu-protocol-v2.c
+++ b/sound/firewire/motu/motu-protocol-v2.c
@@ -353,6 +353,7 @@ const struct snd_motu_spec snd_motu_spec
 	.protocol_version = SND_MOTU_PROTOCOL_V2,
 	.flags = SND_MOTU_SPEC_RX_MIDI_2ND_Q |
 		 SND_MOTU_SPEC_TX_MIDI_2ND_Q,
-	.tx_fixed_pcm_chunks = {10, 6, 0},
-	.rx_fixed_pcm_chunks = {10, 6, 0},
+	// Two dummy chunks always in the end of data block.
+	.tx_fixed_pcm_chunks = {10, 10, 0},
+	.rx_fixed_pcm_chunks = {6, 6, 0},
 };



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 007/593] ALSA: usb-audio: scarlett2: Fix wrong resume call
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 006/593] ALSA: firewire-motu: fix stream format for MOTU 8pre FireWire Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-13 20:46   ` Pavel Machek
  2021-07-12  6:02 ` [PATCH 5.10 008/593] ALSA: intel8x0: Fix breakage at ac97 clock measurement Greg Kroah-Hartman
                   ` (590 subsequent siblings)
  597 siblings, 1 reply; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geoffrey D. Bennett, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 785b6f29a795f109685f286b91e0250c206fbffb upstream.

The current way of the scarlett2 mixer code managing the
usb_mixer_elem_info object is wrong in two ways: it passes its
internal index to the head.id field, and the val_type field is
uninitialized.  This ended up with the wrong execution at the resume
because a bogus unit id is passed wrongly.  Also, in the later code
extensions, we'll have more mixer elements, and passing the index will
overflow the unit id size (of 256).

This patch corrects those issues.  It introduces a new value type,
USB_MIXER_BESPOKEN, which indicates a non-standard mixer element, and
use this type for all scarlett2 mixer elements, as well as
initializing the fixed unit id 0 for avoiding the overflow.

Tested-by: Geoffrey D. Bennett <g@b4.vu>
Signed-off-by: Geoffrey D. Bennett <g@b4.vu>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/49721219f45b7e175e729b0d9d9c142fd8f4342a.1624379707.git.g@b4.vu
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/mixer.c               |    3 +++
 sound/usb/mixer.h               |    1 +
 sound/usb/mixer_scarlett_gen2.c |    7 ++++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -3631,6 +3631,9 @@ static int restore_mixer_value(struct us
 	struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list);
 	int c, err, idx;
 
+	if (cval->val_type == USB_MIXER_BESPOKEN)
+		return 0;
+
 	if (cval->cmask) {
 		idx = 0;
 		for (c = 0; c < MAX_CHANNELS; c++) {
--- a/sound/usb/mixer.h
+++ b/sound/usb/mixer.h
@@ -55,6 +55,7 @@ enum {
 	USB_MIXER_U16,
 	USB_MIXER_S32,
 	USB_MIXER_U32,
+	USB_MIXER_BESPOKEN,	/* non-standard type */
 };
 
 typedef void (*usb_mixer_elem_dump_func_t)(struct snd_info_buffer *buffer,
--- a/sound/usb/mixer_scarlett_gen2.c
+++ b/sound/usb/mixer_scarlett_gen2.c
@@ -949,10 +949,15 @@ static int scarlett2_add_new_ctl(struct
 	if (!elem)
 		return -ENOMEM;
 
+	/* We set USB_MIXER_BESPOKEN type, so that the core USB mixer code
+	 * ignores them for resume and other operations.
+	 * Also, the head.id field is set to 0, as we don't use this field.
+	 */
 	elem->head.mixer = mixer;
 	elem->control = index;
-	elem->head.id = index;
+	elem->head.id = 0;
 	elem->channels = channels;
+	elem->val_type = USB_MIXER_BESPOKEN;
 
 	kctl = snd_ctl_new1(ncontrol, elem);
 	if (!kctl) {



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 008/593] ALSA: intel8x0: Fix breakage at ac97 clock measurement
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 007/593] ALSA: usb-audio: scarlett2: Fix wrong resume call Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 009/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 450 G8 Greg Kroah-Hartman
                   ` (589 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Senozhatsky, Takashi Iwai,
	Max Filippov

From: Takashi Iwai <tiwai@suse.de>

commit 24d1e49415be546470b20429d748e240d0518b7e upstream.

The recent workaround for the wild interrupts in commit c1f0616124c4
("ALSA: intel8x0: Don't update period unless prepared") leaded to a
regression, causing the interrupt storm during ac97 clock measurement
at the driver probe.  We need to handle the interrupt while the clock
measurement as well as the proper PCM streams.

Fixes: c1f0616124c4 ("ALSA: intel8x0: Don't update period unless prepared")
Reported-and-tested-by: Max Filippov <jcmvbkbc@gmail.com>
Tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/CAMo8BfKKMQkcsbOQaeEjq_FsJhdK=fn598dvh7YOcZshUSOH=g@mail.gmail.com
Link: https://lore.kernel.org/r/20210708090738.1569-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/intel8x0.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/intel8x0.c
+++ b/sound/pci/intel8x0.c
@@ -715,7 +715,7 @@ static inline void snd_intel8x0_update(s
 	int status, civ, i, step;
 	int ack = 0;
 
-	if (!ichdev->prepared || ichdev->suspended)
+	if (!(ichdev->prepared || chip->in_measurement) || ichdev->suspended)
 		return;
 
 	spin_lock_irqsave(&chip->reg_lock, flags);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 009/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 450 G8
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 008/593] ALSA: intel8x0: Fix breakage at ac97 clock measurement Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 010/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 445 G8 Greg Kroah-Hartman
                   ` (588 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andy Chi, Takashi Iwai

From: Andy Chi <andy.chi@canonical.com>

commit 2b70b264d34d398c77a5936e317336f00cf5badb upstream.

The HP ProBook 450 G8 using ALC236 codec which using 0x02 to
control mute LED and 0x01 to control micmute LED.
Therefore, add a quirk to make it works.

Signed-off-by: Andy Chi <andy.chi@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210701091417.9696-1-andy.chi@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8322,6 +8322,7 @@ static const struct snd_pci_quirk alc269
 		      ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+	SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87f2, "HP ProBook 640 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87f4, "HP", ALC287_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 010/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 445 G8
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 009/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 450 G8 Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 011/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 630 G8 Greg Kroah-Hartman
                   ` (587 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andy Chi, Takashi Iwai

From: Andy Chi <andy.chi@canonical.com>

commit a3b7f9b8fa2967e1b3c2a402301715124c90306b upstream.

The HP ProBook 445 G8 using ALC236 codec.
COEF index 0x34 bit 5 is used to control the playback mute LED, but the
microphone mute LED is controlled using pin VREF instead of a COEF index.
Therefore, add a quirk to make it works.

Signed-off-by: Andy Chi <andy.chi@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210701091417.9696-2-andy.chi@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8330,6 +8330,8 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+	SND_PCI_QUIRK(0x103c, 0x8862, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+	SND_PCI_QUIRK(0x103c, 0x8863, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
 	SND_PCI_QUIRK(0x103c, 0x886d, "HP ZBook Fury 17.3 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x8870, "HP ZBook Fury 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x8873, "HP ZBook Studio 15.6 Inch G8 Mobile Workstation PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 011/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 630 G8
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 010/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 445 G8 Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 012/593] ALSA: hda/realtek: Add another ALC236 variant support Greg Kroah-Hartman
                   ` (586 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andy Chi, Takashi Iwai

From: Andy Chi <andy.chi@canonical.com>

commit fb3acdb2ba289aa06a5a995b3abef409bfe0a220 upstream.

The HP ProBook 630 G8 using ALC236 codec which using 0x02 to
control mute LED and 0x01 to control micmute LED.
Therefore, add a quirk to make it works.

Signed-off-by: Andy Chi <andy.chi@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210701091417.9696-3-andy.chi@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8323,6 +8323,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+	SND_PCI_QUIRK(0x103c, 0x87f1, "HP ProBook 630 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87f2, "HP ProBook 640 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87f4, "HP", ALC287_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 012/593] ALSA: hda/realtek: Add another ALC236 variant support
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 011/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 630 G8 Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 013/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook x360 830 G8 Greg Kroah-Hartman
                   ` (585 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 1948fc065a89f18d057b8ffaef6d7242ad99edb8 upstream.

The codec chip 10ec:0230 is another variant of ALC236, combined with a
card reader.  Apply the equivalent setup as 10ec:0236.

BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1184869
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210618161720.28694-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -385,6 +385,7 @@ static void alc_fill_eapd_coef(struct hd
 		alc_update_coef_idx(codec, 0x67, 0xf000, 0x3000);
 		fallthrough;
 	case 0x10ec0215:
+	case 0x10ec0230:
 	case 0x10ec0233:
 	case 0x10ec0235:
 	case 0x10ec0236:
@@ -3153,6 +3154,7 @@ static void alc_disable_headset_jack_key
 		alc_update_coef_idx(codec, 0x49, 0x0045, 0x0);
 		alc_update_coef_idx(codec, 0x44, 0x0045 << 8, 0x0);
 		break;
+	case 0x10ec0230:
 	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_write_coef_idx(codec, 0x48, 0x0);
@@ -3180,6 +3182,7 @@ static void alc_enable_headset_jack_key(
 		alc_update_coef_idx(codec, 0x49, 0x007f, 0x0045);
 		alc_update_coef_idx(codec, 0x44, 0x007f << 8, 0x0045 << 8);
 		break;
+	case 0x10ec0230:
 	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_write_coef_idx(codec, 0x48, 0xd011);
@@ -4737,6 +4740,7 @@ static void alc_headset_mode_unplugged(s
 	case 0x10ec0255:
 		alc_process_coef_fw(codec, coef0255);
 		break;
+	case 0x10ec0230:
 	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_process_coef_fw(codec, coef0256);
@@ -4851,6 +4855,7 @@ static void alc_headset_mode_mic_in(stru
 		alc_process_coef_fw(codec, coef0255);
 		snd_hda_set_pin_ctl_cache(codec, mic_pin, PIN_VREF50);
 		break;
+	case 0x10ec0230:
 	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_write_coef_idx(codec, 0x45, 0xc489);
@@ -5000,6 +5005,7 @@ static void alc_headset_mode_default(str
 	case 0x10ec0255:
 		alc_process_coef_fw(codec, coef0255);
 		break;
+	case 0x10ec0230:
 	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_write_coef_idx(codec, 0x1b, 0x0e4b);
@@ -5098,6 +5104,7 @@ static void alc_headset_mode_ctia(struct
 	case 0x10ec0255:
 		alc_process_coef_fw(codec, coef0255);
 		break;
+	case 0x10ec0230:
 	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_process_coef_fw(codec, coef0256);
@@ -5211,6 +5218,7 @@ static void alc_headset_mode_omtp(struct
 	case 0x10ec0255:
 		alc_process_coef_fw(codec, coef0255);
 		break;
+	case 0x10ec0230:
 	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_process_coef_fw(codec, coef0256);
@@ -5311,6 +5319,7 @@ static void alc_determine_headset_type(s
 		val = alc_read_coef_idx(codec, 0x46);
 		is_ctia = (val & 0x0070) == 0x0070;
 		break;
+	case 0x10ec0230:
 	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_write_coef_idx(codec, 0x1b, 0x0e4b);
@@ -5604,6 +5613,7 @@ static void alc255_set_default_jack_type
 	case 0x10ec0255:
 		alc_process_coef_fw(codec, alc255fw);
 		break;
+	case 0x10ec0230:
 	case 0x10ec0236:
 	case 0x10ec0256:
 		alc_process_coef_fw(codec, alc256fw);
@@ -6204,6 +6214,7 @@ static void alc_combo_jack_hp_jd_restart
 		alc_update_coef_idx(codec, 0x4a, 0x8000, 1 << 15); /* Reset HP JD */
 		alc_update_coef_idx(codec, 0x4a, 0x8000, 0 << 15);
 		break;
+	case 0x10ec0230:
 	case 0x10ec0235:
 	case 0x10ec0236:
 	case 0x10ec0255:
@@ -9330,6 +9341,7 @@ static int patch_alc269(struct hda_codec
 		spec->shutup = alc256_shutup;
 		spec->init_hook = alc256_init;
 		break;
+	case 0x10ec0230:
 	case 0x10ec0236:
 	case 0x10ec0256:
 		spec->codec_variant = ALC269_TYPE_ALC256;
@@ -10621,6 +10633,7 @@ static const struct hda_device_id snd_hd
 	HDA_CODEC_ENTRY(0x10ec0221, "ALC221", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0222, "ALC222", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0225, "ALC225", patch_alc269),
+	HDA_CODEC_ENTRY(0x10ec0230, "ALC236", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0231, "ALC231", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0233, "ALC233", patch_alc269),
 	HDA_CODEC_ENTRY(0x10ec0234, "ALC234", patch_alc269),



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 013/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook x360 830 G8
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 012/593] ALSA: hda/realtek: Add another ALC236 variant support Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 014/593] ALSA: hda/realtek: Improve fixup for HP Spectre x360 15-df0xxx Greg Kroah-Hartman
                   ` (584 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeremy Szu, Takashi Iwai

From: Jeremy Szu <jeremy.szu@canonical.com>

commit c3d2c88209e85045a364e80fe12a6cde16745b72 upstream.

The HP EliteBook x360 830 G8 using ALC285 codec which using 0x04 to
control mute LED and 0x01 to control micmute LED.
Therefore, add a quirk to make it works.

Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210617171422.16652-1-jeremy.szu@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8340,6 +8340,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87f7, "HP Spectre x360 14", ALC245_FIXUP_HP_X360_AMP),
 	SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
+	SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x884c, "HP EliteBook 840 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x8862, "HP ProBook 445 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 014/593] ALSA: hda/realtek: Improve fixup for HP Spectre x360 15-df0xxx
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 013/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook x360 830 G8 Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 015/593] ALSA: hda/realtek: Fix bass speaker DAC mapping for Asus UM431D Greg Kroah-Hartman
                   ` (583 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Elia Devito, Takashi Iwai

From: Elia Devito <eliadevito@gmail.com>

commit 434591b2a77def0e78abfa38e5d7c4bca954e68a upstream.

On HP Spectre x360 15-df0xxx, after system boot with plugged headset, the
headset mic are not detected.
Moving pincfg and DAC's config to single fixup function fix this.

[ The actual bug in the original code was that it used a chain to
  ALC286_FIXUP_SPEAKER2_TO_DAC1, and it contains not only the DAC1
  route fix but also another chain to ALC269_FIXUP_THINKPAD_ACPI.
  I thought the latter one is harmless for non-Thinkpad, but it
  doesn't seem so; it contains again yet another chain to
  ALC269_FIXUP_SKI_IGNORE, and this might be bad for some machines,
  including this HP machine.  -- tiwai ]

Signed-off-by: Elia Devito <eliadevito@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210619204105.5682-1-eliadevito@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |   27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6347,6 +6347,24 @@ static void alc_fixup_no_int_mic(struct
 	}
 }
 
+static void alc285_fixup_hp_spectre_x360(struct hda_codec *codec,
+					  const struct hda_fixup *fix, int action)
+{
+	static const hda_nid_t conn[] = { 0x02 };
+	static const struct hda_pintbl pincfgs[] = {
+		{ 0x14, 0x90170110 },  /* rear speaker */
+		{ }
+	};
+
+	switch (action) {
+	case HDA_FIXUP_ACT_PRE_PROBE:
+		snd_hda_apply_pincfgs(codec, pincfgs);
+		/* force front speaker to DAC1 */
+		snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn);
+		break;
+	}
+}
+
 /* for hda_fixup_thinkpad_acpi() */
 #include "thinkpad_helper.c"
 
@@ -8124,13 +8142,8 @@ static const struct hda_fixup alc269_fix
 		.chain_id = ALC269_FIXUP_HP_LINE1_MIC1_LED,
 	},
 	[ALC285_FIXUP_HP_SPECTRE_X360] = {
-		.type = HDA_FIXUP_PINS,
-		.v.pins = (const struct hda_pintbl[]) {
-			{ 0x14, 0x90170110 }, /* enable top speaker */
-			{}
-		},
-		.chained = true,
-		.chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1,
+		.type = HDA_FIXUP_FUNC,
+		.v.func = alc285_fixup_hp_spectre_x360,
 	},
 	[ALC287_FIXUP_IDEAPAD_BASS_SPK_AMP] = {
 		.type = HDA_FIXUP_FUNC,



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 015/593] ALSA: hda/realtek: Fix bass speaker DAC mapping for Asus UM431D
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 014/593] ALSA: hda/realtek: Improve fixup for HP Spectre x360 15-df0xxx Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 016/593] ALSA: hda/realtek: Apply LED fixup for HP Dragonfly G1, too Greg Kroah-Hartman
                   ` (582 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit f8fbcdfb0665de60997d9746809e1704ed782bbc upstream.

Asus Zenbook 14 UM431D has two speaker pins and a headphone pin, and
the auto-parser ends up assigning the bass to the third DAC 0x06.
Although the tone comes out, it's inconvenient because this DAC has no
volume control unlike two other DACs.

For obtaining the volume control for the bass speaker, this patch
enforces the mapping to let both front and bass speaker pins sharing
the same DAC.  It's not ideal but a little bit of improvement.

Since we've already applied the same workaround for another ASUS
machine, we just need to hook the chain to the existing quirk.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212547
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210620065952.18948-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -7831,6 +7831,8 @@ static const struct hda_fixup alc269_fix
 			{ 0x20, AC_VERB_SET_PROC_COEF, 0x4e4b },
 			{ }
 		},
+		.chained = true,
+		.chain_id = ALC289_FIXUP_ASUS_GA401,
 	},
 	[ALC285_FIXUP_HP_GPIO_LED] = {
 		.type = HDA_FIXUP_FUNC,



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 016/593] ALSA: hda/realtek: Apply LED fixup for HP Dragonfly G1, too
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 015/593] ALSA: hda/realtek: Fix bass speaker DAC mapping for Asus UM431D Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 017/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 830 G8 Notebook PC Greg Kroah-Hartman
                   ` (581 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 0ac05b25c3dd8299204ae9d50c1c2f7f05eef08f upstream.

HP Dragonfly G1 (SSID 103c:861f) also requires the same quirk for the
mute and mic-mute LED just as Dragonfly G2 model.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213329
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210623122022.26179-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8331,6 +8331,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x84da, "HP OMEN dc0019-ur", ALC295_FIXUP_HP_OMEN),
 	SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
 	SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
+	SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
 	SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
 	SND_PCI_QUIRK(0x103c, 0x86c7, "HP Envy AiO 32", ALC274_FIXUP_HP_ENVY_GPIO),
 	SND_PCI_QUIRK(0x103c, 0x8716, "HP Elite Dragonfly G2 Notebook PC", ALC285_FIXUP_HP_GPIO_AMP_INIT),



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 017/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 830 G8 Notebook PC
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 016/593] ALSA: hda/realtek: Apply LED fixup for HP Dragonfly G1, too Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 018/593] media: dvb-usb: fix wrong definition Greg Kroah-Hartman
                   ` (580 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jeremy Szu, Takashi Iwai

From: Jeremy Szu <jeremy.szu@canonical.com>

commit dfc2e8ae4066a95c7f9c2bb2dfa26651feaa6b83 upstream.

The HP EliteBook 830 G8 Notebook PC using ALC285 codec which using 0x04 to
control mute LED and 0x01 to control micmute LED.
Therefore, add a quirk to make it works.

Signed-off-by: Jeremy Szu <jeremy.szu@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210625133414.26760-1-jeremy.szu@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8355,6 +8355,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x87f4, "HP", ALC287_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87f5, "HP", ALC287_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x87f7, "HP Spectre x360 14", ALC245_FIXUP_HP_X360_AMP),
+	SND_PCI_QUIRK(0x103c, 0x880d, "HP EliteBook 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x8846, "HP EliteBook 850 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x8847, "HP EliteBook x360 830 G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),
 	SND_PCI_QUIRK(0x103c, 0x884b, "HP EliteBook 840 Aero G8 Notebook PC", ALC285_FIXUP_HP_GPIO_LED),



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 018/593] media: dvb-usb: fix wrong definition
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 017/593] ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 830 G8 Notebook PC Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:02 ` [PATCH 5.10 019/593] Input: usbtouchscreen - fix control-request directions Greg Kroah-Hartman
                   ` (579 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+7336195c02c1bd2f64e1,
	Pavel Skripkin, Sean Young, Mauro Carvalho Chehab

From: Pavel Skripkin <paskripkin@gmail.com>

commit c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 upstream.

syzbot reported WARNING in vmalloc. The problem
was in zero size passed to vmalloc.

The root case was in wrong cxusb_bluebird_lgz201_properties
definition. adapter array has only 1 entry, but num_adapters was
2.

Call Trace:
 __vmalloc_node mm/vmalloc.c:2963 [inline]
 vmalloc+0x67/0x80 mm/vmalloc.c:2996
 dvb_dmx_init+0xe4/0xb90 drivers/media/dvb-core/dvb_demux.c:1251
 dvb_usb_adapter_dvb_init+0x564/0x860 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:184
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 [inline]
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
 dvb_usb_device_init.cold+0xc94/0x146e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
 cxusb_probe+0x159/0x5e0 drivers/media/usb/dvb-usb/cxusb.c:1634

Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for DVB-USB device")
Cc: stable@vger.kernel.org
Reported-by: syzbot+7336195c02c1bd2f64e1@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/dvb-usb/cxusb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/dvb-usb/cxusb.c
+++ b/drivers/media/usb/dvb-usb/cxusb.c
@@ -1947,7 +1947,7 @@ static struct dvb_usb_device_properties
 
 	.size_of_priv     = sizeof(struct cxusb_state),
 
-	.num_adapters = 2,
+	.num_adapters = 1,
 	.adapter = {
 		{
 		.num_frontends = 1,



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 019/593] Input: usbtouchscreen - fix control-request directions
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 018/593] media: dvb-usb: fix wrong definition Greg Kroah-Hartman
@ 2021-07-12  6:02 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 020/593] net: can: ems_usb: fix use-after-free in ems_usb_disconnect() Greg Kroah-Hartman
                   ` (578 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Dmitry Torokhov

From: Johan Hovold <johan@kernel.org>

commit 41e81022a04a0294c55cfa7e366bc14b9634c66e upstream.

The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.

Fix the four control requests which erroneously used usb_rcvctrlpipe().

Fixes: 1d3e20236d7a ("[PATCH] USB: usbtouchscreen: unified USB touchscreen driver")
Fixes: 24ced062a296 ("usbtouchscreen: add support for DMC TSC-10/25 devices")
Fixes: 9e3b25837a20 ("Input: usbtouchscreen - add support for e2i touchscreen controller")
Signed-off-by: Johan Hovold <johan@kernel.org>
Cc: stable@vger.kernel.org      # 2.6.17
Link: https://lore.kernel.org/r/20210524092048.4443-1-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/touchscreen/usbtouchscreen.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/input/touchscreen/usbtouchscreen.c
+++ b/drivers/input/touchscreen/usbtouchscreen.c
@@ -251,7 +251,7 @@ static int e2i_init(struct usbtouch_usb
 	int ret;
 	struct usb_device *udev = interface_to_usbdev(usbtouch->interface);
 
-	ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+	ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
 	                      0x01, 0x02, 0x0000, 0x0081,
 	                      NULL, 0, USB_CTRL_SET_TIMEOUT);
 
@@ -531,7 +531,7 @@ static int mtouch_init(struct usbtouch_u
 	if (ret)
 		return ret;
 
-	ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+	ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
 	                      MTOUCHUSB_RESET,
 	                      USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 	                      1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
@@ -543,7 +543,7 @@ static int mtouch_init(struct usbtouch_u
 	msleep(150);
 
 	for (i = 0; i < 3; i++) {
-		ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+		ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
 				      MTOUCHUSB_ASYNC_REPORT,
 				      USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 				      1, 1, NULL, 0, USB_CTRL_SET_TIMEOUT);
@@ -722,7 +722,7 @@ static int dmc_tsc10_init(struct usbtouc
 	}
 
 	/* start sending data */
-	ret = usb_control_msg(dev, usb_rcvctrlpipe (dev, 0),
+	ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
 	                      TSC10_CMD_DATA1,
 	                      USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 	                      0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 020/593] net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2021-07-12  6:02 ` [PATCH 5.10 019/593] Input: usbtouchscreen - fix control-request directions Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 021/593] usb: gadget: eem: fix echo command packet response issue Greg Kroah-Hartman
                   ` (577 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, Marc Kleine-Budde

From: Pavel Skripkin <paskripkin@gmail.com>

commit ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 upstream.

In ems_usb_disconnect() dev pointer, which is netdev private data, is
used after free_candev() call:
| 	if (dev) {
| 		unregister_netdev(dev->netdev);
| 		free_candev(dev->netdev);
|
| 		unlink_all_urbs(dev);
|
| 		usb_free_urb(dev->intr_urb);
|
| 		kfree(dev->intr_in_buffer);
| 		kfree(dev->tx_msg_buffer);
| 	}

Fix it by simply moving free_candev() at the end of the block.

Fail log:
| BUG: KASAN: use-after-free in ems_usb_disconnect
| Read of size 8 at addr ffff88804e041008 by task kworker/1:2/2895
|
| CPU: 1 PID: 2895 Comm: kworker/1:2 Not tainted 5.13.0-rc5+ #164
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.4
| Workqueue: usb_hub_wq hub_event
| Call Trace:
|     dump_stack (lib/dump_stack.c:122)
|     print_address_description.constprop.0.cold (mm/kasan/report.c:234)
|     kasan_report.cold (mm/kasan/report.c:420 mm/kasan/report.c:436)
|     ems_usb_disconnect (drivers/net/can/usb/ems_usb.c:683 drivers/net/can/usb/ems_usb.c:1058)

Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Link: https://lore.kernel.org/r/20210617185130.5834-1-paskripkin@gmail.com
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/ems_usb.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -1053,7 +1053,6 @@ static void ems_usb_disconnect(struct us
 
 	if (dev) {
 		unregister_netdev(dev->netdev);
-		free_candev(dev->netdev);
 
 		unlink_all_urbs(dev);
 
@@ -1061,6 +1060,8 @@ static void ems_usb_disconnect(struct us
 
 		kfree(dev->intr_in_buffer);
 		kfree(dev->tx_msg_buffer);
+
+		free_candev(dev->netdev);
 	}
 }
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 021/593] usb: gadget: eem: fix echo command packet response issue
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 020/593] net: can: ems_usb: fix use-after-free in ems_usb_disconnect() Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-13 20:49   ` Pavel Machek
  2021-07-12  6:03 ` [PATCH 5.10 022/593] usb: renesas-xhci: Fix handling of unknown ROM state Greg Kroah-Hartman
                   ` (576 subsequent siblings)
  597 siblings, 1 reply; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Linyu Yuan

From: Linyu Yuan <linyyuan@codeaurora.com>

commit 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 upstream.

when receive eem echo command, it will send a response,
but queue this response to the usb request which allocate
from gadget device endpoint zero,
and transmit the request to IN endpoint of eem interface.

on dwc3 gadget, it will trigger following warning in function
__dwc3_gadget_ep_queue(),

	if (WARN(req->dep != dep, "request %pK belongs to '%s'\n",
				&req->request, req->dep->name))
		return -EINVAL;

fix it by allocating a usb request from IN endpoint of eem interface,
and transmit the usb request to same IN endpoint of eem interface.

Signed-off-by: Linyu Yuan <linyyuan@codeaurora.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210616115142.34075-1-linyyuan@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/function/f_eem.c |   43 ++++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/function/f_eem.c
+++ b/drivers/usb/gadget/function/f_eem.c
@@ -30,6 +30,11 @@ struct f_eem {
 	u8				ctrl_id;
 };
 
+struct in_context {
+	struct sk_buff	*skb;
+	struct usb_ep	*ep;
+};
+
 static inline struct f_eem *func_to_eem(struct usb_function *f)
 {
 	return container_of(f, struct f_eem, port.func);
@@ -320,9 +325,12 @@ fail:
 
 static void eem_cmd_complete(struct usb_ep *ep, struct usb_request *req)
 {
-	struct sk_buff *skb = (struct sk_buff *)req->context;
+	struct in_context *ctx = req->context;
 
-	dev_kfree_skb_any(skb);
+	dev_kfree_skb_any(ctx->skb);
+	kfree(req->buf);
+	usb_ep_free_request(ctx->ep, req);
+	kfree(ctx);
 }
 
 /*
@@ -410,7 +418,9 @@ static int eem_unwrap(struct gether *por
 		 * b15:		bmType (0 == data, 1 == command)
 		 */
 		if (header & BIT(15)) {
-			struct usb_request	*req = cdev->req;
+			struct usb_request	*req;
+			struct in_context	*ctx;
+			struct usb_ep		*ep;
 			u16			bmEEMCmd;
 
 			/* EEM command packet format:
@@ -439,11 +449,36 @@ static int eem_unwrap(struct gether *por
 				skb_trim(skb2, len);
 				put_unaligned_le16(BIT(15) | BIT(11) | len,
 							skb_push(skb2, 2));
+
+				ep = port->in_ep;
+				req = usb_ep_alloc_request(ep, GFP_ATOMIC);
+				if (!req) {
+					dev_kfree_skb_any(skb2);
+					goto next;
+				}
+
+				req->buf = kmalloc(skb2->len, GFP_KERNEL);
+				if (!req->buf) {
+					usb_ep_free_request(ep, req);
+					dev_kfree_skb_any(skb2);
+					goto next;
+				}
+
+				ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
+				if (!ctx) {
+					kfree(req->buf);
+					usb_ep_free_request(ep, req);
+					dev_kfree_skb_any(skb2);
+					goto next;
+				}
+				ctx->skb = skb2;
+				ctx->ep = ep;
+
 				skb_copy_bits(skb2, 0, req->buf, skb2->len);
 				req->length = skb2->len;
 				req->complete = eem_cmd_complete;
 				req->zero = 1;
-				req->context = skb2;
+				req->context = ctx;
 				if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC))
 					DBG(cdev, "echo response queue fail\n");
 				break;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 022/593] usb: renesas-xhci: Fix handling of unknown ROM state
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 021/593] usb: gadget: eem: fix echo command packet response issue Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 023/593] USB: cdc-acm: blacklist Heimann USB Appset device Greg Kroah-Hartman
                   ` (575 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mathias Nyman, Vinod Koul, Moritz Fischer

From: Moritz Fischer <mdf@kernel.org>

commit d143825baf15f204dac60acdf95e428182aa3374 upstream.

The ROM load sometimes seems to return an unknown status
(RENESAS_ROM_STATUS_NO_RESULT) instead of success / fail.

If the ROM load indeed failed this leads to failures when trying to
communicate with the controller later on.

Attempt to load firmware using RAM load in those cases.

Fixes: 2478be82de44 ("usb: renesas-xhci: Add ROM loader for uPD720201")
Cc: stable@vger.kernel.org
Cc: Mathias Nyman <mathias.nyman@intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Vinod Koul <vkoul@kernel.org>
Tested-by: Vinod Koul <vkoul@kernel.org>
Reviewed-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Moritz Fischer <mdf@kernel.org>
Link: https://lore.kernel.org/r/20210615153758.253572-1-mdf@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-pci-renesas.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/usb/host/xhci-pci-renesas.c
+++ b/drivers/usb/host/xhci-pci-renesas.c
@@ -207,7 +207,8 @@ static int renesas_check_rom_state(struc
 			return 0;
 
 		case RENESAS_ROM_STATUS_NO_RESULT: /* No result yet */
-			return 0;
+			dev_dbg(&pdev->dev, "Unknown ROM status ...\n");
+			break;
 
 		case RENESAS_ROM_STATUS_ERROR: /* Error State */
 		default: /* All other states are marked as "Reserved states" */
@@ -224,13 +225,12 @@ static int renesas_fw_check_running(stru
 	u8 fw_state;
 	int err;
 
-	/* Check if device has ROM and loaded, if so skip everything */
-	err = renesas_check_rom(pdev);
-	if (err) { /* we have rom */
-		err = renesas_check_rom_state(pdev);
-		if (!err)
-			return err;
-	}
+	/*
+	 * Only if device has ROM and loaded FW we can skip loading and
+	 * return success. Otherwise (even unknown state), attempt to load FW.
+	 */
+	if (renesas_check_rom(pdev) && !renesas_check_rom_state(pdev))
+		return 0;
 
 	/*
 	 * Test if the device is actually needing the firmware. As most



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 023/593] USB: cdc-acm: blacklist Heimann USB Appset device
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 022/593] usb: renesas-xhci: Fix handling of unknown ROM state Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 024/593] usb: dwc3: Fix debugfs creation flow Greg Kroah-Hartman
                   ` (574 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hannu Hartikainen

From: Hannu Hartikainen <hannu@hrtk.in>

commit 4897807753e078655a78de39ed76044d784f3e63 upstream.

The device (32a7:0000 Heimann Sensor GmbH USB appset demo) claims to be
a CDC-ACM device in its descriptors but in fact is not. If it is run
with echo disabled it returns garbled data, probably due to something
that happens in the TTY layer. And when run with echo enabled (the
default), it will mess up the calibration data of the sensor the first
time any data is sent to the device.

In short, I had a bad time after connecting the sensor and trying to get
it to work. I hope blacklisting it in the cdc-acm driver will save
someone else a bit of trouble.

Signed-off-by: Hannu Hartikainen <hannu@hrtk.in>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210622141454.337948-1-hannu@hrtk.in
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/class/cdc-acm.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1948,6 +1948,11 @@ static const struct usb_device_id acm_id
 	.driver_info = IGNORE_DEVICE,
 	},
 
+	/* Exclude Heimann Sensor GmbH USB appset demo */
+	{ USB_DEVICE(0x32a7, 0x0000),
+	.driver_info = IGNORE_DEVICE,
+	},
+
 	/* control interfaces without any protocol set */
 	{ USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
 		USB_CDC_PROTO_NONE) },



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 024/593] usb: dwc3: Fix debugfs creation flow
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 023/593] USB: cdc-acm: blacklist Heimann USB Appset device Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 025/593] usb: typec: Add the missed altmode_id_remove() in typec_register_altmode() Greg Kroah-Hartman
                   ` (573 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jack Pham, Minas Harutyunyan

From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>

commit 84524d1232ecca7cf8678e851b254f05cff4040a upstream.

Creation EP's debugfs called earlier than debugfs folder for dwc3
device created. As result EP's debugfs are created in '/sys/kernel/debug'
instead of '/sys/kernel/debug/usb/dwc3.1.auto'.

Moved dwc3_debugfs_init() function call before calling
dwc3_core_init_mode() to allow create dwc3 debugfs parent before
creating EP's debugfs's.

Fixes: 8d396bb0a5b6 ("usb: dwc3: debugfs: Add and remove endpoint dirs dynamically")
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Jack Pham <jackp@codeaurora.org>
Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
Link: https://lore.kernel.org/r/01fafb5b2d8335e98e6eadbac61fc796bdf3ec1a.1623948457.git.Minas.Harutyunyan@synopsys.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/dwc3/core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -1590,17 +1590,18 @@ static int dwc3_probe(struct platform_de
 	}
 
 	dwc3_check_params(dwc);
+	dwc3_debugfs_init(dwc);
 
 	ret = dwc3_core_init_mode(dwc);
 	if (ret)
 		goto err5;
 
-	dwc3_debugfs_init(dwc);
 	pm_runtime_put(dev);
 
 	return 0;
 
 err5:
+	dwc3_debugfs_exit(dwc);
 	dwc3_event_buffers_cleanup(dwc);
 
 	usb_phy_shutdown(dwc->usb2_phy);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 025/593] usb: typec: Add the missed altmode_id_remove() in typec_register_altmode()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 024/593] usb: dwc3: Fix debugfs creation flow Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 026/593] xhci: solve a double free problem while doing s4 Greg Kroah-Hartman
                   ` (572 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Heikki Krogerus, Jing Xiangfeng

From: Jing Xiangfeng <jingxiangfeng@huawei.com>

commit 03026197bb657d784220b040c6173267a0375741 upstream.

typec_register_altmode() misses to call altmode_id_remove() in an error
path. Add the missed function call to fix it.

Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
Cc: stable <stable@vger.kernel.org>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
Link: https://lore.kernel.org/r/20210617073226.47599-1-jingxiangfeng@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/typec/class.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/typec/class.c
+++ b/drivers/usb/typec/class.c
@@ -446,8 +446,10 @@ typec_register_altmode(struct device *pa
 	int ret;
 
 	alt = kzalloc(sizeof(*alt), GFP_KERNEL);
-	if (!alt)
+	if (!alt) {
+		altmode_id_remove(parent, id);
 		return ERR_PTR(-ENOMEM);
+	}
 
 	alt->adev.svid = desc->svid;
 	alt->adev.mode = desc->mode;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 026/593] xhci: solve a double free problem while doing s4
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 025/593] usb: typec: Add the missed altmode_id_remove() in typec_register_altmode() Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 027/593] gfs2: Fix underflow in gfs2_page_mkwrite Greg Kroah-Hartman
                   ` (571 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiantao Zhang, Tao Xue, Mathias Nyman

From: Zhangjiantao (Kirin, nanjing) <water.zhangjiantao@huawei.com>

commit b31d9d6d7abbf6483b871b6370bc31c930d53f54 upstream.

when system is doing s4, the process of xhci_resume may be as below:
1、xhci_mem_cleanup
2、xhci_init->xhci_mem_init->xhci_mem_cleanup(when memory is not enough).
xhci_mem_cleanup will be executed twice when system is out of memory.
xhci->port_caps is freed in xhci_mem_cleanup,but it isn't set to NULL.
It will be freed twice when xhci_mem_cleanup is called the second time.

We got following bug when system resumes from s4:

kernel BUG at mm/slub.c:309!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
CPU: 0 PID: 5929 Tainted: G S   W   5.4.96-arm64-desktop #1
pc : __slab_free+0x5c/0x424
lr : kfree+0x30c/0x32c

Call trace:
 __slab_free+0x5c/0x424
 kfree+0x30c/0x32c
 xhci_mem_cleanup+0x394/0x3cc
 xhci_mem_init+0x9ac/0x1070
 xhci_init+0x8c/0x1d0
 xhci_resume+0x1cc/0x5fc
 xhci_plat_resume+0x64/0x70
 platform_pm_thaw+0x28/0x60
 dpm_run_callback+0x54/0x24c
 device_resume+0xd0/0x200
 async_resume+0x24/0x60
 async_run_entry_fn+0x44/0x110
 process_one_work+0x1f0/0x490
 worker_thread+0x5c/0x450
 kthread+0x158/0x160
 ret_from_fork+0x10/0x24

Original patch that caused this issue was backported to 4.4 stable,
so this should be backported to 4.4 stabe as well.

Fixes: cf0ee7c60c89 ("xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Jiantao Zhang <water.zhangjiantao@huawei.com>
Signed-off-by: Tao Xue <xuetao09@huawei.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20210617150354.1512157-5-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci-mem.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1938,6 +1938,7 @@ no_bw:
 	xhci->hw_ports = NULL;
 	xhci->rh_bw = NULL;
 	xhci->ext_caps = NULL;
+	xhci->port_caps = NULL;
 
 	xhci->page_size = 0;
 	xhci->page_shift = 0;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 027/593] gfs2: Fix underflow in gfs2_page_mkwrite
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 026/593] xhci: solve a double free problem while doing s4 Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 028/593] gfs2: Fix error handling in init_statfs Greg Kroah-Hartman
                   ` (570 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bob Peterson, Andreas Gruenbacher

From: Andreas Gruenbacher <agruenba@redhat.com>

commit d3c51c55cb9274dd43c156f1f26b5eb4d5f2d58c upstream.

On filesystems with a block size smaller than PAGE_SIZE and non-empty
files smaller then PAGE_SIZE, gfs2_page_mkwrite could end up allocating
excess blocks beyond the end of the file, similar to fallocate.  This
doesn't make sense; fix it.

Reported-by: Bob Peterson <rpeterso@redhat.com>
Fixes: 184b4e60853d ("gfs2: Fix end-of-file handling in gfs2_page_mkwrite")
Cc: stable@vger.kernel.org # v5.5+
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/gfs2/file.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/gfs2/file.c
+++ b/fs/gfs2/file.c
@@ -474,8 +474,8 @@ static vm_fault_t gfs2_page_mkwrite(stru
 	file_update_time(vmf->vma->vm_file);
 
 	/* page is wholly or partially inside EOF */
-	if (offset > size - PAGE_SIZE)
-		length = offset_in_page(size);
+	if (size - offset < PAGE_SIZE)
+		length = size - offset;
 	else
 		length = PAGE_SIZE;
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 028/593] gfs2: Fix error handling in init_statfs
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 027/593] gfs2: Fix underflow in gfs2_page_mkwrite Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 029/593] ntfs: fix validity check for file name attribute Greg Kroah-Hartman
                   ` (569 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jing Xiangfeng, Andreas Gruenbacher

From: Andreas Gruenbacher <agruenba@redhat.com>

commit 5d49d3508b3c67201bd3e1bf7f4ef049111b7051 upstream.

On an error path, init_statfs calls iput(pn) after pn has already been put.
Fix that by setting pn to NULL after the initial iput.

Fixes: 97fd734ba17e ("gfs2: lookup local statfs inodes prior to journal recovery")
Cc: stable@vger.kernel.org # v5.10+
Reported-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/gfs2/ops_fstype.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -670,6 +670,7 @@ static int init_statfs(struct gfs2_sbd *
 	}
 
 	iput(pn);
+	pn = NULL;
 	ip = GFS2_I(sdp->sd_sc_inode);
 	error = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, 0,
 				   &sdp->sd_sc_gh);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 029/593] ntfs: fix validity check for file name attribute
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 028/593] gfs2: Fix error handling in init_statfs Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 030/593] selftests/lkdtm: Avoid needing explicit sub-shell Greg Kroah-Hartman
                   ` (568 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Desmond Cheong Zhi Xi,
	syzbot+213ac8bb98f7f4420840, Anton Altaparmakov, Shuah Khan,
	Andrew Morton, Linus Torvalds

From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>

commit d98e4d95411bbde2220a7afa38dcc9c14d71acbe upstream.

When checking the file name attribute, we want to ensure that it fits
within the bounds of ATTR_RECORD.  To do this, we should check that (attr
record + file name offset + file name length) < (attr record + attr record
length).

However, the original check did not include the file name offset in the
calculation.  This means that corrupted on-disk metadata might not caught
by the incorrect file name check, and lead to an invalid memory access.

An example can be seen in the crash report of a memory corruption error
found by Syzbot:
https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246

Adding the file name offset to the validity check fixes this error and
passes the Syzbot reproducer test.

Link: https://lkml.kernel.org/r/20210614050540.289494-1-desmondcheongzx@gmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reported-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Tested-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Acked-by: Anton Altaparmakov <anton@tuxera.com>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ntfs/inode.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -477,7 +477,7 @@ err_corrupt_attr:
 		}
 		file_name_attr = (FILE_NAME_ATTR*)((u8*)attr +
 				le16_to_cpu(attr->data.resident.value_offset));
-		p2 = (u8*)attr + le32_to_cpu(attr->data.resident.value_length);
+		p2 = (u8 *)file_name_attr + le32_to_cpu(attr->data.resident.value_length);
 		if (p2 < (u8*)attr || p2 > p)
 			goto err_corrupt_attr;
 		/* This attribute is ok, but is it in the $Extend directory? */



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 030/593] selftests/lkdtm: Avoid needing explicit sub-shell
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 029/593] ntfs: fix validity check for file name attribute Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 031/593] copy_page_to_iter(): fix ITER_DISCARD case Greg Kroah-Hartman
                   ` (567 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guillaume Tucker, David Laight, Kees Cook

From: Kees Cook <keescook@chromium.org>

commit 04831e892b41618914b2123ae3b4fa77252e8656 upstream.

Some environments do not set $SHELL when running tests. There's no
need to use $SHELL here anyway, since "cat" can be used to receive any
delivered signals from the kernel. Additionally avoid using bash-isms
in the command, and record stderr for posterity.

Fixes: 46d1a0f03d66 ("selftests/lkdtm: Add tests for LKDTM targets")
Cc: stable@vger.kernel.org
Suggested-by: Guillaume Tucker <guillaume.tucker@collabora.com>
Suggested-by: David Laight <David.Laight@ACULAB.COM>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210623203936.3151093-2-keescook@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/testing/selftests/lkdtm/run.sh |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/tools/testing/selftests/lkdtm/run.sh
+++ b/tools/testing/selftests/lkdtm/run.sh
@@ -76,10 +76,14 @@ fi
 # Save existing dmesg so we can detect new content below
 dmesg > "$DMESG"
 
-# Most shells yell about signals and we're expecting the "cat" process
-# to usually be killed by the kernel. So we have to run it in a sub-shell
-# and silence errors.
-($SHELL -c 'cat <(echo '"$test"') >'"$TRIGGER" 2>/dev/null) || true
+# Since the kernel is likely killing the process writing to the trigger
+# file, it must not be the script's shell itself. i.e. we cannot do:
+#     echo "$test" >"$TRIGGER"
+# Instead, use "cat" to take the signal. Since the shell will yell about
+# the signal that killed the subprocess, we must ignore the failure and
+# continue. However we don't silence stderr since there might be other
+# useful details reported there in the case of other unexpected conditions.
+echo "$test" | cat >"$TRIGGER" || true
 
 # Record and dump the results
 dmesg | comm --nocheck-order -13 "$DMESG" - > "$LOG" || true



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 031/593] copy_page_to_iter(): fix ITER_DISCARD case
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 030/593] selftests/lkdtm: Avoid needing explicit sub-shell Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 032/593] [xarray] iov_iter_fault_in_readable() should do nothing in xarray case Greg Kroah-Hartman
                   ` (566 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

From: Al Viro <viro@zeniv.linux.org.uk>

commit a506abc7b644d71966a75337d5a534f531b3cdc4 upstream.

we need to advance the iterator...

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/iov_iter.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -922,9 +922,12 @@ size_t copy_page_to_iter(struct page *pa
 		size_t wanted = copy_to_iter(kaddr + offset, bytes, i);
 		kunmap_atomic(kaddr);
 		return wanted;
-	} else if (unlikely(iov_iter_is_discard(i)))
+	} else if (unlikely(iov_iter_is_discard(i))) {
+		if (unlikely(i->count < bytes))
+			bytes = i->count;
+		i->count -= bytes;
 		return bytes;
-	else if (likely(!iov_iter_is_pipe(i)))
+	} else if (likely(!iov_iter_is_pipe(i)))
 		return copy_page_to_iter_iovec(page, offset, bytes, i);
 	else
 		return copy_page_to_iter_pipe(page, offset, bytes, i);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 032/593] [xarray] iov_iter_fault_in_readable() should do nothing in xarray case
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 031/593] copy_page_to_iter(): fix ITER_DISCARD case Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 033/593] Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl Greg Kroah-Hartman
                   ` (565 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

From: Al Viro <viro@zeniv.linux.org.uk>

commit 0e8f0d67401589a141950856902c7d0ec8d9c985 upstream.

... and actually should just check it's given an iovec-backed iterator
in the first place.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/iov_iter.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -434,7 +434,7 @@ int iov_iter_fault_in_readable(struct io
 	int err;
 	struct iovec v;
 
-	if (!(i->type & (ITER_BVEC|ITER_KVEC))) {
+	if (iter_is_iovec(i)) {
 		iterate_iovec(i, bytes, v, iov, skip, ({
 			err = fault_in_pages_readable(v.iov_base, v.iov_len);
 			if (unlikely(err))



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 033/593] Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 032/593] [xarray] iov_iter_fault_in_readable() should do nothing in xarray case Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 034/593] crypto: nx - Fix memcpy() over-reading in nonce Greg Kroah-Hartman
                   ` (564 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Murray McAllister, Linus Torvalds,
	Alexander Larkin, Dmitry Torokhov

From: Alexander Larkin <avlarkin82@gmail.com>

commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.

Even though we validate user-provided inputs we then traverse past
validated data when applying the new map. The issue was originally
discovered by Murray McAllister with this simple POC (if the following
is executed by an unprivileged user it will instantly panic the system):

int main(void) {
	int fd, ret;
	unsigned int buffer[10000];

	fd = open("/dev/input/js0", O_RDONLY);
	if (fd == -1)
		printf("Error opening file\n");

	ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
	printf("%d\n", ret);
}

The solution is to traverse internal buffer which is guaranteed to only
contain valid date when constructing the map.

Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
Reported-by: Murray McAllister <murray.mcallister@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Alexander Larkin <avlarkin82@gmail.com>
Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/joydev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/joydev.c
+++ b/drivers/input/joydev.c
@@ -500,7 +500,7 @@ static int joydev_handle_JSIOCSBTNMAP(st
 	memcpy(joydev->keypam, keypam, len);
 
 	for (i = 0; i < joydev->nkey; i++)
-		joydev->keymap[keypam[i] - BTN_MISC] = i;
+		joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;
 
  out:
 	kfree(keypam);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 034/593] crypto: nx - Fix memcpy() over-reading in nonce
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 033/593] Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 035/593] crypto: ccp - Annotate SEV Firmware file names Greg Kroah-Hartman
                   ` (563 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kees Cook, Herbert Xu

From: Kees Cook <keescook@chromium.org>

commit 74c66120fda6596ad57f41e1607b3a5d51ca143d upstream.

Fix typo in memcpy() where size should be CTR_RFC3686_NONCE_SIZE.

Fixes: 030f4e968741 ("crypto: nx - Fix reentrancy bugs")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/nx/nx-aes-ctr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/nx/nx-aes-ctr.c
+++ b/drivers/crypto/nx/nx-aes-ctr.c
@@ -118,7 +118,7 @@ static int ctr3686_aes_nx_crypt(struct s
 	struct nx_crypto_ctx *nx_ctx = crypto_skcipher_ctx(tfm);
 	u8 iv[16];
 
-	memcpy(iv, nx_ctx->priv.ctr.nonce, CTR_RFC3686_IV_SIZE);
+	memcpy(iv, nx_ctx->priv.ctr.nonce, CTR_RFC3686_NONCE_SIZE);
 	memcpy(iv + CTR_RFC3686_NONCE_SIZE, req->iv, CTR_RFC3686_IV_SIZE);
 	iv[12] = iv[13] = iv[14] = 0;
 	iv[15] = 1;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 035/593] crypto: ccp - Annotate SEV Firmware file names
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 034/593] crypto: nx - Fix memcpy() over-reading in nonce Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 036/593] arm_pmu: Fix write counter incorrect in ARMv7 big-endian mode Greg Kroah-Hartman
                   ` (562 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tom Lendacky, Joerg Roedel, Herbert Xu

From: Joerg Roedel <jroedel@suse.de>

commit c8671c7dc7d51125ab9f651697866bf4a9132277 upstream.

Annotate the firmware files CCP might need using MODULE_FIRMWARE().
This will get them included into an initrd when CCP is also included
there. Otherwise the CCP module will not find its firmware when loaded
before the root-fs is mounted.
This can cause problems when the pre-loaded SEV firmware is too old to
support current SEV and SEV-ES virtualization features.

Fixes: e93720606efd ("crypto: ccp - Allow SEV firmware to be chosen based on Family and Model")
Cc: stable@vger.kernel.org # v4.20+
Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/ccp/sev-dev.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/crypto/ccp/sev-dev.c
+++ b/drivers/crypto/ccp/sev-dev.c
@@ -42,6 +42,10 @@ static int psp_probe_timeout = 5;
 module_param(psp_probe_timeout, int, 0644);
 MODULE_PARM_DESC(psp_probe_timeout, " default timeout value, in seconds, during PSP device probe");
 
+MODULE_FIRMWARE("amd/amd_sev_fam17h_model0xh.sbin"); /* 1st gen EPYC */
+MODULE_FIRMWARE("amd/amd_sev_fam17h_model3xh.sbin"); /* 2nd gen EPYC */
+MODULE_FIRMWARE("amd/amd_sev_fam19h_model0xh.sbin"); /* 3rd gen EPYC */
+
 static bool psp_dead;
 static int psp_timeout;
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 036/593] arm_pmu: Fix write counter incorrect in ARMv7 big-endian mode
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 035/593] crypto: ccp - Annotate SEV Firmware file names Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 037/593] ARM: dts: ux500: Fix LED probing Greg Kroah-Hartman
                   ` (561 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Jihong, Mark Rutland, Will Deacon

From: Yang Jihong <yangjihong1@huawei.com>

commit fdbef8c4e68ad423416aa6cc93d1616d6f8ac5b3 upstream.

Commit 3a95200d3f89 ("arm_pmu: Change API to support 64bit counter values")
changes the input "value" type from 32-bit to 64-bit, which introduces the
following problem: ARMv7 PMU counters is 32-bit width, in big-endian mode,
write counter uses high 32-bit, which writes an incorrect value.

Before:

 Performance counter stats for 'ls':

              2.22 msec task-clock                #    0.675 CPUs utilized
                 0      context-switches          #    0.000 K/sec
                 0      cpu-migrations            #    0.000 K/sec
                49      page-faults               #    0.022 M/sec
        2150476593      cycles                    #  966.663 GHz
        2148588788      instructions              #    1.00  insn per cycle
        2147745484      branches                  # 965435.074 M/sec
        2147508540      branch-misses             #   99.99% of all branches

None of the above hw event counters are correct.

Solution:

"value" forcibly converted to 32-bit type before being written to PMU register.

After:

 Performance counter stats for 'ls':

              2.09 msec task-clock                #    0.681 CPUs utilized
                 0      context-switches          #    0.000 K/sec
                 0      cpu-migrations            #    0.000 K/sec
                46      page-faults               #    0.022 M/sec
           2807301      cycles                    #    1.344 GHz
           1060159      instructions              #    0.38  insn per cycle
            250496      branches                  #  119.914 M/sec
             23192      branch-misses             #    9.26% of all branches

Fixes: 3a95200d3f89 ("arm_pmu: Change API to support 64bit counter values")
Cc: <stable@vger.kernel.org>
Signed-off-by: Yang Jihong <yangjihong1@huawei.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Link: https://lore.kernel.org/r/20210430012659.232110-1-yangjihong1@huawei.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/kernel/perf_event_v7.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/kernel/perf_event_v7.c
+++ b/arch/arm/kernel/perf_event_v7.c
@@ -773,10 +773,10 @@ static inline void armv7pmu_write_counte
 		pr_err("CPU%u writing wrong counter %d\n",
 			smp_processor_id(), idx);
 	} else if (idx == ARMV7_IDX_CYCLE_COUNTER) {
-		asm volatile("mcr p15, 0, %0, c9, c13, 0" : : "r" (value));
+		asm volatile("mcr p15, 0, %0, c9, c13, 0" : : "r" ((u32)value));
 	} else {
 		armv7_pmnc_select_counter(idx);
-		asm volatile("mcr p15, 0, %0, c9, c13, 2" : : "r" (value));
+		asm volatile("mcr p15, 0, %0, c9, c13, 2" : : "r" ((u32)value));
 	}
 }
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 037/593] ARM: dts: ux500: Fix LED probing
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 036/593] arm_pmu: Fix write counter incorrect in ARMv7 big-endian mode Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 038/593] ARM: dts: at91: sama5d4: fix pinctrl muxing Greg Kroah-Hartman
                   ` (560 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Murphy, Linus Walleij, Olof Johansson

From: Linus Walleij <linus.walleij@linaro.org>

commit 7749510c459c10c431d746a4749e7c9cf2899156 upstream.

The Ux500 HREF LEDs have not been probing properly for a
while as this was introduce:

     ret = of_property_read_u32(np, "color", &led_color);
     if (ret)
             return ret;

Since the device tree did not define the new invented color
attribute, probe was failing.

Define color attributes for the LEDs so they work again.

Link: https://lore.kernel.org/r/20210613123356.880933-1-linus.walleij@linaro.org
Fixes: 92a81562e695 ("leds: lp55xx: Add multicolor framework support to lp55xx")
Cc: stable@vger.kernel.org
Cc: Dan Murphy <dmurphy@ti.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/arch/arm/boot/dts/ste-href.dtsi b/arch/arm/boot/dts/ste-href.dtsi
index 83b179692dff..13d216192904 100644
--- a/arch/arm/boot/dts/ste-href.dtsi
+++ b/arch/arm/boot/dts/ste-href.dtsi
@@ -4,6 +4,7 @@
  */
 
 #include <dt-bindings/interrupt-controller/irq.h>
+#include <dt-bindings/leds/common.h>
 #include "ste-href-family-pinctrl.dtsi"
 
 / {
@@ -64,17 +65,20 @@ chan@0 {
 					reg = <0>;
 					led-cur = /bits/ 8 <0x2f>;
 					max-cur = /bits/ 8 <0x5f>;
+					color = <LED_COLOR_ID_BLUE>;
 					linux,default-trigger = "heartbeat";
 				};
 				chan@1 {
 					reg = <1>;
 					led-cur = /bits/ 8 <0x2f>;
 					max-cur = /bits/ 8 <0x5f>;
+					color = <LED_COLOR_ID_BLUE>;
 				};
 				chan@2 {
 					reg = <2>;
 					led-cur = /bits/ 8 <0x2f>;
 					max-cur = /bits/ 8 <0x5f>;
+					color = <LED_COLOR_ID_BLUE>;
 				};
 			};
 			lp5521@34 {
@@ -88,16 +92,19 @@ chan@0 {
 					reg = <0>;
 					led-cur = /bits/ 8 <0x2f>;
 					max-cur = /bits/ 8 <0x5f>;
+					color = <LED_COLOR_ID_BLUE>;
 				};
 				chan@1 {
 					reg = <1>;
 					led-cur = /bits/ 8 <0x2f>;
 					max-cur = /bits/ 8 <0x5f>;
+					color = <LED_COLOR_ID_BLUE>;
 				};
 				chan@2 {
 					reg = <2>;
 					led-cur = /bits/ 8 <0x2f>;
 					max-cur = /bits/ 8 <0x5f>;
+					color = <LED_COLOR_ID_BLUE>;
 				};
 			};
 			bh1780@29 {



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 038/593] ARM: dts: at91: sama5d4: fix pinctrl muxing
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 037/593] ARM: dts: ux500: Fix LED probing Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 039/593] btrfs: send: fix invalid path for unlink operations after parent orphanization Greg Kroah-Hartman
                   ` (559 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ludovic Desroches, Claudiu Beznea,
	Nicolas Ferre

From: Ludovic Desroches <ludovic.desroches@microchip.com>

commit 253adffb0e98eaf6da2e7cf73ae68695e21f2f3c upstream.

Fix pinctrl muxing, PD28, PD29 and PD31 can be muxed to peripheral A. It
allows to use SCK0, SCK1 and SPI0_NPCS2 signals.

Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Fixes: 679f8d92bb01 ("ARM: at91/dt: sama5d4: add pioD pin mux mask and enable pioD")
Cc: stable@vger.kernel.org # v4.4+
Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20191025084210.14726-1-ludovic.desroches@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/sama5d4.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/sama5d4.dtsi
+++ b/arch/arm/boot/dts/sama5d4.dtsi
@@ -809,7 +809,7 @@
 					0xffffffff 0x3ffcfe7c 0x1c010101	/* pioA */
 					0x7fffffff 0xfffccc3a 0x3f00cc3a	/* pioB */
 					0xffffffff 0x3ff83fff 0xff00ffff	/* pioC */
-					0x0003ff00 0x8002a800 0x00000000	/* pioD */
+					0xb003ff00 0x8002a800 0x00000000	/* pioD */
 					0xffffffff 0x7fffffff 0x76fff1bf	/* pioE */
 					>;
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 039/593] btrfs: send: fix invalid path for unlink operations after parent orphanization
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 038/593] ARM: dts: at91: sama5d4: fix pinctrl muxing Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 040/593] btrfs: compression: dont try to compress if we dont have enough pages Greg Kroah-Hartman
                   ` (558 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit d8ac76cdd1755b21e8c008c28d0b7251c0b14986 upstream.

During an incremental send operation, when processing the new references
for the current inode, we might send an unlink operation for another inode
that has a conflicting path and has more than one hard link. However this
path was computed and cached before we processed previous new references
for the current inode. We may have orphanized a directory of that path
while processing a previous new reference, in which case the path will
be invalid and cause the receiver process to fail.

The following reproducer triggers the problem and explains how/why it
happens in its comments:

  $ cat test-send-unlink.sh
  #!/bin/bash

  DEV=/dev/sdi
  MNT=/mnt/sdi

  mkfs.btrfs -f $DEV >/dev/null
  mount $DEV $MNT

  # Create our test files and directory. Inode 259 (file3) has two hard
  # links.
  touch $MNT/file1
  touch $MNT/file2
  touch $MNT/file3

  mkdir $MNT/A
  ln $MNT/file3 $MNT/A/hard_link

  # Filesystem looks like:
  #
  # .                                     (ino 256)
  # |----- file1                          (ino 257)
  # |----- file2                          (ino 258)
  # |----- file3                          (ino 259)
  # |----- A/                             (ino 260)
  #        |---- hard_link                (ino 259)
  #

  # Now create the base snapshot, which is going to be the parent snapshot
  # for a later incremental send.
  btrfs subvolume snapshot -r $MNT $MNT/snap1
  btrfs send -f /tmp/snap1.send $MNT/snap1

  # Move inode 257 into directory inode 260. This results in computing the
  # path for inode 260 as "/A" and caching it.
  mv $MNT/file1 $MNT/A/file1

  # Move inode 258 (file2) into directory inode 260, with a name of
  # "hard_link", moving first inode 259 away since it currently has that
  # location and name.
  mv $MNT/A/hard_link $MNT/tmp
  mv $MNT/file2 $MNT/A/hard_link

  # Now rename inode 260 to something else (B for example) and then create
  # a hard link for inode 258 that has the old name and location of inode
  # 260 ("/A").
  mv $MNT/A $MNT/B
  ln $MNT/B/hard_link $MNT/A

  # Filesystem now looks like:
  #
  # .                                     (ino 256)
  # |----- tmp                            (ino 259)
  # |----- file3                          (ino 259)
  # |----- B/                             (ino 260)
  # |      |---- file1                    (ino 257)
  # |      |---- hard_link                (ino 258)
  # |
  # |----- A                              (ino 258)

  # Create another snapshot of our subvolume and use it for an incremental
  # send.
  btrfs subvolume snapshot -r $MNT $MNT/snap2
  btrfs send -f /tmp/snap2.send -p $MNT/snap1 $MNT/snap2

  # Now unmount the filesystem, create a new one, mount it and try to
  # apply both send streams to recreate both snapshots.
  umount $DEV

  mkfs.btrfs -f $DEV >/dev/null

  mount $DEV $MNT

  # First add the first snapshot to the new filesystem by applying the
  # first send stream.
  btrfs receive -f /tmp/snap1.send $MNT

  # The incremental receive operation below used to fail with the
  # following error:
  #
  #    ERROR: unlink A/hard_link failed: No such file or directory
  #
  # This is because when send is processing inode 257, it generates the
  # path for inode 260 as "/A", since that inode is its parent in the send
  # snapshot, and caches that path.
  #
  # Later when processing inode 258, it first processes its new reference
  # that has the path of "/A", which results in orphanizing inode 260
  # because there is a a path collision. This results in issuing a rename
  # operation from "/A" to "/o260-6-0".
  #
  # Finally when processing the new reference "B/hard_link" for inode 258,
  # it notices that it collides with inode 259 (not yet processed, because
  # it has a higher inode number), since that inode has the name
  # "hard_link" under the directory inode 260. It also checks that inode
  # 259 has two hardlinks, so it decides to issue a unlink operation for
  # the name "hard_link" for inode 259. However the path passed to the
  # unlink operation is "/A/hard_link", which is incorrect since currently
  # "/A" does not exists, due to the orphanization of inode 260 mentioned
  # before. The path is incorrect because it was computed and cached
  # before the orphanization. This results in the receiver to fail with
  # the above error.
  btrfs receive -f /tmp/snap2.send $MNT

  umount $MNT

When running the test, it fails like this:

  $ ./test-send-unlink.sh
  Create a readonly snapshot of '/mnt/sdi' in '/mnt/sdi/snap1'
  At subvol /mnt/sdi/snap1
  Create a readonly snapshot of '/mnt/sdi' in '/mnt/sdi/snap2'
  At subvol /mnt/sdi/snap2
  At subvol snap1
  At snapshot snap2
  ERROR: unlink A/hard_link failed: No such file or directory

Fix this by recomputing a path before issuing an unlink operation when
processing the new references for the current inode if we previously
have orphanized a directory.

A test case for fstests will follow soon.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/send.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -4080,6 +4080,17 @@ static int process_recorded_refs(struct
 				if (ret < 0)
 					goto out;
 			} else {
+				/*
+				 * If we previously orphanized a directory that
+				 * collided with a new reference that we already
+				 * processed, recompute the current path because
+				 * that directory may be part of the path.
+				 */
+				if (orphanized_dir) {
+					ret = refresh_ref_path(sctx, cur);
+					if (ret < 0)
+						goto out;
+				}
 				ret = send_unlink(sctx, cur->full_path);
 				if (ret < 0)
 					goto out;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 040/593] btrfs: compression: dont try to compress if we dont have enough pages
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 039/593] btrfs: send: fix invalid path for unlink operations after parent orphanization Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 041/593] btrfs: clear defrag status of a root if starting transaction fails Greg Kroah-Hartman
                   ` (557 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Sterba

From: David Sterba <dsterba@suse.com>

commit f2165627319ffd33a6217275e5690b1ab5c45763 upstream.

The early check if we should attempt compression does not take into
account the number of input pages. It can happen that there's only one
page, eg. a tail page after some ranges of the BTRFS_MAX_UNCOMPRESSED
have been processed, or an isolated page that won't be converted to an
inline extent.

The single page would be compressed but a later check would drop it
again because the result size must be at least one block shorter than
the input. That can never work with just one page.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/inode.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -547,7 +547,7 @@ again:
 	 * inode has not been flagged as nocompress.  This flag can
 	 * change at any time if we discover bad compression ratios.
 	 */
-	if (inode_need_compress(BTRFS_I(inode), start, end)) {
+	if (nr_pages > 1 && inode_need_compress(BTRFS_I(inode), start, end)) {
 		WARN_ON(pages);
 		pages = kcalloc(nr_pages, sizeof(struct page *), GFP_NOFS);
 		if (!pages) {



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 041/593] btrfs: clear defrag status of a root if starting transaction fails
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 040/593] btrfs: compression: dont try to compress if we dont have enough pages Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 042/593] ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle Greg Kroah-Hartman
                   ` (556 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qu Wenruo, Anand Jain, David Sterba

From: David Sterba <dsterba@suse.com>

commit 6819703f5a365c95488b07066a8744841bf14231 upstream.

The defrag loop processes leaves in batches and starting transaction for
each. The whole defragmentation on a given root is protected by a bit
but in case the transaction fails, the bit is not cleared

In case the transaction fails the bit would prevent starting
defragmentation again, so make sure it's cleared.

CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/transaction.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -1382,8 +1382,10 @@ int btrfs_defrag_root(struct btrfs_root
 
 	while (1) {
 		trans = btrfs_start_transaction(root, 0);
-		if (IS_ERR(trans))
-			return PTR_ERR(trans);
+		if (IS_ERR(trans)) {
+			ret = PTR_ERR(trans);
+			break;
+		}
 
 		ret = btrfs_defrag_leaves(trans, root);
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 042/593] ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 041/593] btrfs: clear defrag status of a root if starting transaction fails Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 043/593] ext4: fix kernel infoleak via ext4_extent_header Greg Kroah-Hartman
                   ` (555 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Zhang Yi, Jan Kara, Theodore Tso

From: Zhang Yi <yi.zhang@huawei.com>

commit b9a037b7f3c401d3c63e0423e56aef606b1ffaaf upstream.

In ext4_orphan_cleanup(), if ext4_truncate() failed to get a transaction
handle, it didn't remove the inode from the in-core orphan list, which
may probably trigger below error dump in ext4_destroy_inode() during the
final iput() and could lead to memory corruption on the later orphan
list changes.

 EXT4-fs (sda): Inode 6291467 (00000000b8247c67): orphan list check failed!
 00000000b8247c67: 0001f30a 00000004 00000000 00000023  ............#...
 00000000e24cde71: 00000006 014082a3 00000000 00000000  ......@.........
 0000000072c6a5ee: 00000000 00000000 00000000 00000000  ................
 ...

This patch fix this by cleanup in-core orphan list manually if
ext4_truncate() return error.

Cc: stable@kernel.org
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20210507071904.160808-1-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/super.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3099,8 +3099,15 @@ static void ext4_orphan_cleanup(struct s
 			inode_lock(inode);
 			truncate_inode_pages(inode->i_mapping, inode->i_size);
 			ret = ext4_truncate(inode);
-			if (ret)
+			if (ret) {
+				/*
+				 * We need to clean up the in-core orphan list
+				 * manually if ext4_truncate() failed to get a
+				 * transaction handle.
+				 */
+				ext4_orphan_del(NULL, inode);
 				ext4_std_error(inode->i_sb, ret);
+			}
 			inode_unlock(inode);
 			nr_truncates++;
 		} else {



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 043/593] ext4: fix kernel infoleak via ext4_extent_header
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 042/593] ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 044/593] ext4: fix overflow in ext4_iomap_alloc() Greg Kroah-Hartman
                   ` (554 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, syzbot+2dcfeaf8cb49b05e8f1a,
	Anirudh Rayabharam, Theodore Tso

From: Anirudh Rayabharam <mail@anirudhrb.com>

commit ce3aba43599f0b50adbebff133df8d08a3d5fffe upstream.

Initialize eh_generation of struct ext4_extent_header to prevent leaking
info to userspace. Fixes KMSAN kernel-infoleak bug reported by syzbot at:
http://syzkaller.appspot.com/bug?id=78e9ad0e6952a3ca16e8234724b2fa92d041b9b8

Cc: stable@kernel.org
Reported-by: syzbot+2dcfeaf8cb49b05e8f1a@syzkaller.appspotmail.com
Fixes: a86c61812637 ("[PATCH] ext3: add extent map support")
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Link: https://lore.kernel.org/r/20210506185655.7118-1-mail@anirudhrb.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/extents.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -825,6 +825,7 @@ void ext4_ext_tree_init(handle_t *handle
 	eh->eh_entries = 0;
 	eh->eh_magic = EXT4_EXT_MAGIC;
 	eh->eh_max = cpu_to_le16(ext4_ext_space_root(inode, 0));
+	eh->eh_generation = 0;
 	ext4_mark_inode_dirty(handle, inode);
 }
 
@@ -1090,6 +1091,7 @@ static int ext4_ext_split(handle_t *hand
 	neh->eh_max = cpu_to_le16(ext4_ext_space_block(inode, 0));
 	neh->eh_magic = EXT4_EXT_MAGIC;
 	neh->eh_depth = 0;
+	neh->eh_generation = 0;
 
 	/* move remainder of path[depth] to the new leaf */
 	if (unlikely(path[depth].p_hdr->eh_entries !=
@@ -1167,6 +1169,7 @@ static int ext4_ext_split(handle_t *hand
 		neh->eh_magic = EXT4_EXT_MAGIC;
 		neh->eh_max = cpu_to_le16(ext4_ext_space_block_idx(inode, 0));
 		neh->eh_depth = cpu_to_le16(depth - i);
+		neh->eh_generation = 0;
 		fidx = EXT_FIRST_INDEX(neh);
 		fidx->ei_block = border;
 		ext4_idx_store_pblock(fidx, oldblock);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 044/593] ext4: fix overflow in ext4_iomap_alloc()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 043/593] ext4: fix kernel infoleak via ext4_extent_header Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 045/593] ext4: return error code when ext4_fill_flex_info() fails Greg Kroah-Hartman
                   ` (553 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Jan Kara, Theodore Tso

From: Jan Kara <jack@suse.cz>

commit d0b040f5f2557b2f507c01e88ad8cff424fdc6a9 upstream.

A code in iomap alloc may overflow block number when converting it to
byte offset. Luckily this is mostly harmless as we will just use more
expensive method of writing using unwritten extents even though we are
writing beyond i_size.

Cc: stable@kernel.org
Fixes: 378f32bab371 ("ext4: introduce direct I/O write using iomap infrastructure")
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20210412102333.2676-4-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/inode.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3419,7 +3419,7 @@ retry:
 	 * i_disksize out to i_size. This could be beyond where direct I/O is
 	 * happening and thus expose allocated blocks to direct I/O reads.
 	 */
-	else if ((map->m_lblk * (1 << blkbits)) >= i_size_read(inode))
+	else if (((loff_t)map->m_lblk << blkbits) >= i_size_read(inode))
 		m_flags = EXT4_GET_BLOCKS_CREATE;
 	else if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS))
 		m_flags = EXT4_GET_BLOCKS_IO_CREATE_EXT;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 045/593] ext4: return error code when ext4_fill_flex_info() fails
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 044/593] ext4: fix overflow in ext4_iomap_alloc() Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 046/593] ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit Greg Kroah-Hartman
                   ` (552 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang, Theodore Tso

From: Yang Yingliang <yangyingliang@huawei.com>

commit 8f6840c4fd1e7bd715e403074fb161c1a04cda73 upstream.

After commit c89128a00838 ("ext4: handle errors on
ext4_commit_super"), 'ret' may be set to 0 before calling
ext4_fill_flex_info(), if ext4_fill_flex_info() fails ext4_mount()
doesn't return error code, it makes 'root' is null which causes crash
in legacy_get_tree().

Fixes: c89128a00838 ("ext4: handle errors on ext4_commit_super")
Reported-by: Hulk Robot <hulkci@huawei.com>
Cc: <stable@vger.kernel.org> # v4.18+
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20210510111051.55650-1-yangyingliang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/super.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5046,6 +5046,7 @@ no_journal:
 			ext4_msg(sb, KERN_ERR,
 			       "unable to initialize "
 			       "flex_bg meta info!");
+			ret = -ENOMEM;
 			goto failed_mount6;
 		}
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 046/593] ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 045/593] ext4: return error code when ext4_fill_flex_info() fails Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 047/593] ext4: remove check for zero nr_to_scan in ext4_es_scan() Greg Kroah-Hartman
                   ` (551 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhang Yi, Jan Kara, Theodore Tso

From: Zhang Yi <yi.zhang@huawei.com>

commit 4fb7c70a889ead2e91e184895ac6e5354b759135 upstream.

The cache_cnt parameter of tracepoint ext4_es_shrink_exit means the
remaining cache count after shrink, but now it is the cache count before
shrink, fix it by read sbi->s_extent_cache_cnt again.

Fixes: 1ab6c4997e04 ("fs: convert fs shrinkers to new scan/count API")
Cc: stable@vger.kernel.org # 3.12+
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20210522103045.690103-3-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/extents_status.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/extents_status.c
+++ b/fs/ext4/extents_status.c
@@ -1579,6 +1579,7 @@ static unsigned long ext4_es_scan(struct
 
 	nr_shrunk = __es_shrink(sbi, nr_to_scan, NULL);
 
+	ret = percpu_counter_read_positive(&sbi->s_es_stats.es_stats_shk_cnt);
 	trace_ext4_es_shrink_scan_exit(sbi->s_sb, nr_shrunk, ret);
 	return nr_shrunk;
 }



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 047/593] ext4: remove check for zero nr_to_scan in ext4_es_scan()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 046/593] ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 048/593] ext4: fix avefreec in find_group_orlov Greg Kroah-Hartman
                   ` (550 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhang Yi, Jan Kara, Theodore Tso

From: Zhang Yi <yi.zhang@huawei.com>

commit e5e7010e5444d923e4091cafff61d05f2d19cada upstream.

After converting fs shrinkers to new scan/count API, we are no longer
pass zero nr_to_scan parameter to detect the number of objects to free,
just remove this check.

Fixes: 1ab6c4997e04 ("fs: convert fs shrinkers to new scan/count API")
Cc: stable@vger.kernel.org # 3.12+
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20210522103045.690103-2-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/extents_status.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/fs/ext4/extents_status.c
+++ b/fs/ext4/extents_status.c
@@ -1574,9 +1574,6 @@ static unsigned long ext4_es_scan(struct
 	ret = percpu_counter_read_positive(&sbi->s_es_stats.es_stats_shk_cnt);
 	trace_ext4_es_shrink_scan_enter(sbi->s_sb, nr_to_scan, ret);
 
-	if (!nr_to_scan)
-		return ret;
-
 	nr_shrunk = __es_shrink(sbi, nr_to_scan, NULL);
 
 	ret = percpu_counter_read_positive(&sbi->s_es_stats.es_stats_shk_cnt);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 048/593] ext4: fix avefreec in find_group_orlov
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 047/593] ext4: remove check for zero nr_to_scan in ext4_es_scan() Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 049/593] ext4: use ext4_grp_locked_error in mb_find_extent Greg Kroah-Hartman
                   ` (549 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Pan Dong, Theodore Tso

From: Pan Dong <pandong.peter@bytedance.com>

commit c89849cc0259f3d33624cc3bd127685c3c0fa25d upstream.

The avefreec should be average free clusters instead
of average free blocks, otherwize Orlov's allocator
will not work properly when bigalloc enabled.

Cc: stable@kernel.org
Signed-off-by: Pan Dong <pandong.peter@bytedance.com>
Link: https://lore.kernel.org/r/20210525073656.31594-1-pandong.peter@bytedance.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/ialloc.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -402,7 +402,7 @@ static void get_orlov_stats(struct super
  *
  * We always try to spread first-level directories.
  *
- * If there are blockgroups with both free inodes and free blocks counts
+ * If there are blockgroups with both free inodes and free clusters counts
  * not worse than average we return one with smallest directory count.
  * Otherwise we simply return a random group.
  *
@@ -411,7 +411,7 @@ static void get_orlov_stats(struct super
  * It's OK to put directory into a group unless
  * it has too many directories already (max_dirs) or
  * it has too few free inodes left (min_inodes) or
- * it has too few free blocks left (min_blocks) or
+ * it has too few free clusters left (min_clusters) or
  * Parent's group is preferred, if it doesn't satisfy these
  * conditions we search cyclically through the rest. If none
  * of the groups look good we just look for a group with more
@@ -427,7 +427,7 @@ static int find_group_orlov(struct super
 	ext4_group_t real_ngroups = ext4_get_groups_count(sb);
 	int inodes_per_group = EXT4_INODES_PER_GROUP(sb);
 	unsigned int freei, avefreei, grp_free;
-	ext4_fsblk_t freeb, avefreec;
+	ext4_fsblk_t freec, avefreec;
 	unsigned int ndirs;
 	int max_dirs, min_inodes;
 	ext4_grpblk_t min_clusters;
@@ -446,9 +446,8 @@ static int find_group_orlov(struct super
 
 	freei = percpu_counter_read_positive(&sbi->s_freeinodes_counter);
 	avefreei = freei / ngroups;
-	freeb = EXT4_C2B(sbi,
-		percpu_counter_read_positive(&sbi->s_freeclusters_counter));
-	avefreec = freeb;
+	freec = percpu_counter_read_positive(&sbi->s_freeclusters_counter);
+	avefreec = freec;
 	do_div(avefreec, ngroups);
 	ndirs = percpu_counter_read_positive(&sbi->s_dirs_counter);
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 049/593] ext4: use ext4_grp_locked_error in mb_find_extent
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 048/593] ext4: fix avefreec in find_group_orlov Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 050/593] can: bcm: delay release of struct bcm_op after synchronize_rcu() Greg Kroah-Hartman
                   ` (548 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Brennan, Lukas Czerner,
	Junxiao Bi, Theodore Tso

From: Stephen Brennan <stephen.s.brennan@oracle.com>

commit cd84bbbac12a173a381a64c6ec8b76a5277b87b5 upstream.

Commit 5d1b1b3f492f ("ext4: fix BUG when calling ext4_error with locked
block group") introduces ext4_grp_locked_error to handle unlocking a
group in error cases. Otherwise, there is a possibility of a sleep while
atomic. However, since 43c73221b3b1 ("ext4: replace BUG_ON with WARN_ON
in mb_find_extent()"), mb_find_extent() has contained a ext4_error()
call while a group spinlock is held. Replace this with
ext4_grp_locked_error.

Fixes: 43c73221b3b1 ("ext4: replace BUG_ON with WARN_ON in mb_find_extent()")
Cc: <stable@vger.kernel.org> # 4.14+
Signed-off-by: Stephen Brennan <stephen.s.brennan@oracle.com>
Reviewed-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Junxiao Bi <junxiao.bi@oracle.com>
Link: https://lore.kernel.org/r/20210623232114.34457-1-stephen.s.brennan@oracle.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/mballoc.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1597,10 +1597,11 @@ static int mb_find_extent(struct ext4_bu
 	if (ex->fe_start + ex->fe_len > EXT4_CLUSTERS_PER_GROUP(e4b->bd_sb)) {
 		/* Should never happen! (but apparently sometimes does?!?) */
 		WARN_ON(1);
-		ext4_error(e4b->bd_sb, "corruption or bug in mb_find_extent "
-			   "block=%d, order=%d needed=%d ex=%u/%d/%d@%u",
-			   block, order, needed, ex->fe_group, ex->fe_start,
-			   ex->fe_len, ex->fe_logical);
+		ext4_grp_locked_error(e4b->bd_sb, e4b->bd_group, 0, 0,
+			"corruption or bug in mb_find_extent "
+			"block=%d, order=%d needed=%d ex=%u/%d/%d@%u",
+			block, order, needed, ex->fe_group, ex->fe_start,
+			ex->fe_len, ex->fe_logical);
 		ex->fe_len = 0;
 		ex->fe_start = 0;
 		ex->fe_group = 0;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 050/593] can: bcm: delay release of struct bcm_op after synchronize_rcu()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 049/593] ext4: use ext4_grp_locked_error in mb_find_extent Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 051/593] can: gw: synchronize rcu operations before removing gw job entry Greg Kroah-Hartman
                   ` (547 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+0f7e7e5e2f4f40fa89c0,
	Norbert Slusarek, Thadeu Lima de Souza Cascardo, Oliver Hartkopp,
	Marc Kleine-Budde

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

commit d5f9023fa61ee8b94f37a93f08e94b136cf1e463 upstream.

can_rx_register() callbacks may be called concurrently to the call to
can_rx_unregister(). The callbacks and callback data, though, are
protected by RCU and the struct sock reference count.

So the callback data is really attached to the life of sk, meaning
that it should be released on sk_destruct. However, bcm_remove_op()
calls tasklet_kill(), and RCU callbacks may be called under RCU
softirq, so that cannot be used on kernels before the introduction of
HRTIMER_MODE_SOFT.

However, bcm_rx_handler() is called under RCU protection, so after
calling can_rx_unregister(), we may call synchronize_rcu() in order to
wait for any RCU read-side critical sections to finish. That is,
bcm_rx_handler() won't be called anymore for those ops. So, we only
free them, after we do that synchronize_rcu().

Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com
Cc: linux-stable <stable@vger.kernel.org>
Reported-by: syzbot+0f7e7e5e2f4f40fa89c0@syzkaller.appspotmail.com
Reported-by: Norbert Slusarek <nslusarek@gmx.net>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/can/bcm.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -785,6 +785,7 @@ static int bcm_delete_rx_op(struct list_
 						  bcm_rx_handler, op);
 
 			list_del(&op->list);
+			synchronize_rcu();
 			bcm_remove_op(op);
 			return 1; /* done */
 		}
@@ -1533,9 +1534,13 @@ static int bcm_release(struct socket *so
 					  REGMASK(op->can_id),
 					  bcm_rx_handler, op);
 
-		bcm_remove_op(op);
 	}
 
+	synchronize_rcu();
+
+	list_for_each_entry_safe(op, next, &bo->rx_ops, list)
+		bcm_remove_op(op);
+
 #if IS_ENABLED(CONFIG_PROC_FS)
 	/* remove procfs entry */
 	if (net->can.bcmproc_dir && bo->bcm_proc_read)



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 051/593] can: gw: synchronize rcu operations before removing gw job entry
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 050/593] can: bcm: delay release of struct bcm_op after synchronize_rcu() Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 052/593] can: isotp: isotp_release(): omit unintended hrtimer restart on socket release Greg Kroah-Hartman
                   ` (546 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Hartkopp, Marc Kleine-Budde

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit fb8696ab14adadb2e3f6c17c18ed26b3ecd96691 upstream.

can_can_gw_rcv() is called under RCU protection, so after calling
can_rx_unregister(), we have to call synchronize_rcu in order to wait
for any RCU read-side critical sections to finish before removing the
kmem_cache entry with the referenced gw job entry.

Link: https://lore.kernel.org/r/20210618173645.2238-1-socketcan@hartkopp.net
Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing")
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/can/gw.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -534,6 +534,7 @@ static int cgw_notifier(struct notifier_
 			if (gwj->src.dev == dev || gwj->dst.dev == dev) {
 				hlist_del(&gwj->list);
 				cgw_unregister_filter(net, gwj);
+				synchronize_rcu();
 				kmem_cache_free(cgw_cache, gwj);
 			}
 		}
@@ -1092,6 +1093,7 @@ static void cgw_remove_all_jobs(struct n
 	hlist_for_each_entry_safe(gwj, nx, &net->can.cgw_list, list) {
 		hlist_del(&gwj->list);
 		cgw_unregister_filter(net, gwj);
+		synchronize_rcu();
 		kmem_cache_free(cgw_cache, gwj);
 	}
 }
@@ -1160,6 +1162,7 @@ static int cgw_remove_job(struct sk_buff
 
 		hlist_del(&gwj->list);
 		cgw_unregister_filter(net, gwj);
+		synchronize_rcu();
 		kmem_cache_free(cgw_cache, gwj);
 		err = 0;
 		break;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 052/593] can: isotp: isotp_release(): omit unintended hrtimer restart on socket release
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 051/593] can: gw: synchronize rcu operations before removing gw job entry Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 053/593] can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done Greg Kroah-Hartman
                   ` (545 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Hartkopp, Marc Kleine-Budde

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit 14a4696bc3118ba49da28f79280e1d55603aa737 upstream.

When closing the isotp socket, the potentially running hrtimers are
canceled before removing the subscription for CAN identifiers via
can_rx_unregister().

This may lead to an unintended (re)start of a hrtimer in
isotp_rcv_cf() and isotp_rcv_fc() in the case that a CAN frame is
received by isotp_rcv() while the subscription removal is processed.

However, isotp_rcv() is called under RCU protection, so after calling
can_rx_unregister, we may call synchronize_rcu in order to wait for
any RCU read-side critical sections to finish. This prevents the
reception of CAN frames after hrtimer_cancel() and therefore the
unintended (re)start of the hrtimers.

Link: https://lore.kernel.org/r/20210618173713.2296-1-socketcan@hartkopp.net
Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/can/isotp.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1023,9 +1023,6 @@ static int isotp_release(struct socket *
 
 	lock_sock(sk);
 
-	hrtimer_cancel(&so->txtimer);
-	hrtimer_cancel(&so->rxtimer);
-
 	/* remove current filters & unregister */
 	if (so->bound) {
 		if (so->ifindex) {
@@ -1037,10 +1034,14 @@ static int isotp_release(struct socket *
 						  SINGLE_MASK(so->rxid),
 						  isotp_rcv, sk);
 				dev_put(dev);
+				synchronize_rcu();
 			}
 		}
 	}
 
+	hrtimer_cancel(&so->txtimer);
+	hrtimer_cancel(&so->rxtimer);
+
 	so->ifindex = 0;
 	so->bound = 0;
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 053/593] can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 052/593] can: isotp: isotp_release(): omit unintended hrtimer restart on socket release Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 054/593] can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in TX path Greg Kroah-Hartman
                   ` (544 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thadeu Lima de Souza Cascardo,
	syzbot+bdf710cfc41c186fdff3, Oleksij Rempel, Marc Kleine-Budde

From: Oleksij Rempel <o.rempel@pengutronix.de>

commit 22c696fed25c63c7f67508309820358b94a96b6d upstream.

Set SOCK_RCU_FREE to let RCU to call sk_destruct() on completion.
Without this patch, we will run in to j1939_can_recv() after priv was
freed by j1939_sk_release()->j1939_sk_sock_destruct()

Fixes: 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback")
Link: https://lore.kernel.org/r/20210617130623.12705-1-o.rempel@pengutronix.de
Cc: linux-stable <stable@vger.kernel.org>
Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Reported-by: syzbot+bdf710cfc41c186fdff3@syzkaller.appspotmail.com
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/can/j1939/main.c   |    4 ++++
 net/can/j1939/socket.c |    3 +++
 2 files changed, 7 insertions(+)

--- a/net/can/j1939/main.c
+++ b/net/can/j1939/main.c
@@ -193,6 +193,10 @@ static void j1939_can_rx_unregister(stru
 	can_rx_unregister(dev_net(ndev), ndev, J1939_CAN_ID, J1939_CAN_MASK,
 			  j1939_can_recv, priv);
 
+	/* The last reference of priv is dropped by the RCU deferred
+	 * j1939_sk_sock_destruct() of the last socket, so we can
+	 * safely drop this reference here.
+	 */
 	j1939_priv_put(priv);
 }
 
--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -398,6 +398,9 @@ static int j1939_sk_init(struct sock *sk
 	atomic_set(&jsk->skb_pending, 0);
 	spin_lock_init(&jsk->sk_session_queue_lock);
 	INIT_LIST_HEAD(&jsk->sk_session_queue);
+
+	/* j1939_sk_sock_destruct() depends on SOCK_RCU_FREE flag */
+	sock_set_flag(sk, SOCK_RCU_FREE);
 	sk->sk_destruct = j1939_sk_sock_destruct;
 	sk->sk_protocol = CAN_J1939;
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 054/593] can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in TX path
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 053/593] can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 055/593] mac80211: remove iwlwifi specific workaround that broke sta NDP tx Greg Kroah-Hartman
                   ` (543 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephane Grosjean, Marc Kleine-Budde

From: Stephane Grosjean <s.grosjean@peak-system.com>

commit b17233d385d0b6b43ecf81d43008cb1bbb008166 upstream.

Rather than just indicating that transmission can start, this patch
requires the explicit flushing of the network TX queue when the driver
is informed by the device that it can transmit, next to its
configuration.

In this way, if frames have already been written by the application,
they will actually be transmitted.

Fixes: ffd137f7043c ("can: peak/pcie_fd: remove useless code when interface starts")
Link: https://lore.kernel.org/r/20210623142600.149904-1-s.grosjean@peak-system.com
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/peak_canfd/peak_canfd.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/can/peak_canfd/peak_canfd.c
+++ b/drivers/net/can/peak_canfd/peak_canfd.c
@@ -351,8 +351,8 @@ static int pucan_handle_status(struct pe
 				return err;
 		}
 
-		/* start network queue (echo_skb array is empty) */
-		netif_start_queue(ndev);
+		/* wake network queue up (echo_skb array is empty) */
+		netif_wake_queue(ndev);
 
 		return 0;
 	}



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 055/593] mac80211: remove iwlwifi specific workaround that broke sta NDP tx
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 054/593] can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in TX path Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 056/593] SUNRPC: Fix the batch tasks count wraparound Greg Kroah-Hartman
                   ` (542 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Johannes Berg

From: Felix Fietkau <nbd@nbd.name>

commit e41eb3e408de27982a5f8f50b2dd8002bed96908 upstream.

Sending nulldata packets is important for sw AP link probing and detecting
4-address mode links. The checks that dropped these packets were apparently
added to work around an iwlwifi firmware bug with multi-TID aggregation.

Fixes: 41cbb0f5a295 ("mac80211: add support for HE")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20210619101517.90806-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c |    3 +++
 net/mac80211/mlme.c                         |    9 ---------
 2 files changed, 3 insertions(+), 9 deletions(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -1085,6 +1085,9 @@ static int iwl_mvm_tx_mpdu(struct iwl_mv
 	if (WARN_ON_ONCE(mvmsta->sta_id == IWL_MVM_INVALID_STA))
 		return -1;
 
+	if (unlikely(ieee80211_is_any_nullfunc(fc)) && sta->he_cap.has_he)
+		return -1;
+
 	if (unlikely(ieee80211_is_probe_resp(fc)))
 		iwl_mvm_probe_resp_set_noa(mvm, skb);
 
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1094,11 +1094,6 @@ void ieee80211_send_nullfunc(struct ieee
 	struct ieee80211_hdr_3addr *nullfunc;
 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
 
-	/* Don't send NDPs when STA is connected HE */
-	if (sdata->vif.type == NL80211_IFTYPE_STATION &&
-	    !(ifmgd->flags & IEEE80211_STA_DISABLE_HE))
-		return;
-
 	skb = ieee80211_nullfunc_get(&local->hw, &sdata->vif,
 		!ieee80211_hw_check(&local->hw, DOESNT_SUPPORT_QOS_NDP));
 	if (!skb)
@@ -1130,10 +1125,6 @@ static void ieee80211_send_4addr_nullfun
 	if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_STATION))
 		return;
 
-	/* Don't send NDPs when connected HE */
-	if (!(sdata->u.mgd.flags & IEEE80211_STA_DISABLE_HE))
-		return;
-
 	skb = dev_alloc_skb(local->hw.extra_tx_headroom + 30);
 	if (!skb)
 		return;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 056/593] SUNRPC: Fix the batch tasks count wraparound.
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 055/593] mac80211: remove iwlwifi specific workaround that broke sta NDP tx Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 057/593] SUNRPC: Should wake up the privileged task firstly Greg Kroah-Hartman
                   ` (541 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhang Xiaoxu, Trond Myklebust

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

commit fcb170a9d825d7db4a3fb870b0300f5a40a8d096 upstream.

The 'queue->nr' will wraparound from 0 to 255 when only current
priority queue has tasks. This maybe lead a deadlock same as commit
dfe1fe75e00e ("NFSv4: Fix deadlock between nfs4_evict_inode()
and nfs4_opendata_get_inode()"):

Privileged delegreturn task is queued to privileged list because all
the slots are assigned. When non-privileged task complete and release
the slot, a non-privileged maybe picked out. It maybe allocate slot
failed when the session on draining.

If the 'queue->nr' has wraparound to 255, and no enough slot to
service it, then the privileged delegreturn will lost to wake up.

So we should avoid the wraparound on 'queue->nr'.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 5fcdfacc01f3 ("NFSv4: Return delegations synchronously in evict_inode")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/sched.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -595,7 +595,8 @@ static struct rpc_task *__rpc_find_next_
 	 * Service a batch of tasks from a single owner.
 	 */
 	q = &queue->tasks[queue->priority];
-	if (!list_empty(q) && --queue->nr) {
+	if (!list_empty(q) && queue->nr) {
+		queue->nr--;
 		task = list_first_entry(q, struct rpc_task, u.tk_wait.list);
 		goto out;
 	}



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 057/593] SUNRPC: Should wake up the privileged task firstly.
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 056/593] SUNRPC: Fix the batch tasks count wraparound Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 058/593] bus: mhi: Wait for M2 state during system resume Greg Kroah-Hartman
                   ` (540 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhang Xiaoxu, Trond Myklebust

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

commit 5483b904bf336948826594610af4c9bbb0d9e3aa upstream.

When find a task from wait queue to wake up, a non-privileged task may
be found out, rather than the privileged. This maybe lead a deadlock
same as commit dfe1fe75e00e ("NFSv4: Fix deadlock between nfs4_evict_inode()
and nfs4_opendata_get_inode()"):

Privileged delegreturn task is queued to privileged list because all
the slots are assigned. If there has no enough slot to wake up the
non-privileged batch tasks(session less than 8 slot), then the privileged
delegreturn task maybe lost waked up because the found out task can't
get slot since the session is on draining.

So we should treate the privileged task as the emergency task, and
execute it as for as we can.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 5fcdfacc01f3 ("NFSv4: Return delegations synchronously in evict_inode")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/sched.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -592,6 +592,15 @@ static struct rpc_task *__rpc_find_next_
 	struct rpc_task *task;
 
 	/*
+	 * Service the privileged queue.
+	 */
+	q = &queue->tasks[RPC_NR_PRIORITY - 1];
+	if (queue->maxpriority > RPC_PRIORITY_PRIVILEGED && !list_empty(q)) {
+		task = list_first_entry(q, struct rpc_task, u.tk_wait.list);
+		goto out;
+	}
+
+	/*
 	 * Service a batch of tasks from a single owner.
 	 */
 	q = &queue->tasks[queue->priority];



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 058/593] bus: mhi: Wait for M2 state during system resume
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 057/593] SUNRPC: Should wake up the privileged task firstly Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 059/593] mm/gup: fix try_grab_compound_head() race with split_huge_page() Greg Kroah-Hartman
                   ` (539 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Baochen Qiang, Hemant Kumar,
	Manivannan Sadhasivam

From: Baochen Qiang <bqiang@codeaurora.org>

commit 02b49cd1174527e611768fc2ce0f75a74dfec7ae upstream.

During system resume, MHI host triggers M3->M0 transition and then waits
for target device to enter M0 state. Once done, the device queues a state
change event into ctrl event ring and notifies MHI host by raising an
interrupt, where a tasklet is scheduled to process this event. In most
cases, the tasklet is served timely and wait operation succeeds.

However, there are cases where CPU is busy and cannot serve this tasklet
for some time. Once delay goes long enough, the device moves itself to M1
state and also interrupts MHI host after inserting a new state change
event to ctrl ring. Later when CPU finally has time to process the ring,
there will be two events:

1. For M3->M0 event, which is the first event to be processed queued first.
   The tasklet handler serves the event, updates device state to M0 and
   wakes up the task.

2. For M0->M1 event, which is processed later, the tasklet handler
   triggers M1->M2 transition and updates device state to M2 directly,
   then wakes up the MHI host (if it is still sleeping on this wait queue).

Note that although MHI host has been woken up while processing the first
event, it may still has no chance to run before the second event is
processed. In other words, MHI host has to keep waiting till timeout
causing the M0 state to be missed.

kernel log here:
...
Apr 15 01:45:14 test-NUC8i7HVK kernel: [ 4247.911251] mhi 0000:06:00.0: Entered with PM state: M3, MHI state: M3
Apr 15 01:45:14 test-NUC8i7HVK kernel: [ 4247.917762] mhi 0000:06:00.0: State change event to state: M0
Apr 15 01:45:14 test-NUC8i7HVK kernel: [ 4247.917767] mhi 0000:06:00.0: State change event to state: M1
Apr 15 01:45:14 test-NUC8i7HVK kernel: [ 4338.788231] mhi 0000:06:00.0: Did not enter M0 state, MHI state: M2, PM state: M2
...

Fix this issue by simply adding M2 as a valid state for resume.

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1

Cc: stable@vger.kernel.org
Fixes: 0c6b20a1d720 ("bus: mhi: core: Add support for MHI suspend and resume")
Signed-off-by: Baochen Qiang <bqiang@codeaurora.org>
Reviewed-by: Hemant Kumar <hemantk@codeaurora.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20210524040312.14409-1-bqiang@codeaurora.org
[mani: slightly massaged the commit message]
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20210621161616.77524-4-manivannan.sadhasivam@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/bus/mhi/core/pm.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/bus/mhi/core/pm.c
+++ b/drivers/bus/mhi/core/pm.c
@@ -809,6 +809,7 @@ int mhi_pm_resume(struct mhi_controller
 
 	ret = wait_event_timeout(mhi_cntrl->state_event,
 				 mhi_cntrl->dev_state == MHI_STATE_M0 ||
+				 mhi_cntrl->dev_state == MHI_STATE_M2 ||
 				 MHI_PM_IN_ERROR_STATE(mhi_cntrl->pm_state),
 				 msecs_to_jiffies(mhi_cntrl->timeout_ms));
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 059/593] mm/gup: fix try_grab_compound_head() race with split_huge_page()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 058/593] bus: mhi: Wait for M2 state during system resume Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 060/593] perf/smmuv3: Dont trample existing events with global filter Greg Kroah-Hartman
                   ` (538 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jann Horn, John Hubbard,
	Matthew Wilcox, Kirill A. Shutemov, Jan Kara, Andrew Morton,
	Linus Torvalds

From: Jann Horn <jannh@google.com>

commit c24d37322548a6ec3caec67100d28b9c1f89f60a upstream.

try_grab_compound_head() is used to grab a reference to a page from
get_user_pages_fast(), which is only protected against concurrent freeing
of page tables (via local_irq_save()), but not against concurrent TLB
flushes, freeing of data pages, or splitting of compound pages.

Because no reference is held to the page when try_grab_compound_head() is
called, the page may have been freed and reallocated by the time its
refcount has been elevated; therefore, once we're holding a stable
reference to the page, the caller re-checks whether the PTE still points
to the same page (with the same access rights).

The problem is that try_grab_compound_head() has to grab a reference on
the head page; but between the time we look up what the head page is and
the time we actually grab a reference on the head page, the compound page
may have been split up (either explicitly through split_huge_page() or by
freeing the compound page to the buddy allocator and then allocating its
individual order-0 pages).  If that happens, get_user_pages_fast() may end
up returning the right page but lifting the refcount on a now-unrelated
page, leading to use-after-free of pages.

To fix it: Re-check whether the pages still belong together after lifting
the refcount on the head page.  Move anything else that checks
compound_head(page) below the refcount increment.

This can't actually happen on bare-metal x86 (because there, disabling
IRQs locks out remote TLB flushes), but it can happen on virtualized x86
(e.g.  under KVM) and probably also on arm64.  The race window is pretty
narrow, and constantly allocating and shattering hugepages isn't exactly
fast; for now I've only managed to reproduce this in an x86 KVM guest with
an artificially widened timing window (by adding a loop that repeatedly
calls `inl(0x3f8 + 5)` in `try_get_compound_head()` to force VM exits, so
that PV TLB flushes are used instead of IPIs).

As requested on the list, also replace the existing VM_BUG_ON_PAGE() with
a warning and bailout.  Since the existing code only performed the BUG_ON
check on DEBUG_VM kernels, ensure that the new code also only performs the
check under that configuration - I don't want to mix two logically
separate changes together too much.  The macro VM_WARN_ON_ONCE_PAGE()
doesn't return a value on !DEBUG_VM, so wrap the whole check in an #ifdef
block.  An alternative would be to change the VM_WARN_ON_ONCE_PAGE()
definition for !DEBUG_VM such that it always returns false, but since that
would differ from the behavior of the normal WARN macros, it might be too
confusing for readers.

Link: https://lkml.kernel.org/r/20210615012014.1100672-1-jannh@google.com
Fixes: 7aef4172c795 ("mm: handle PTE-mapped tail pages in gerneric fast gup implementaiton")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: John Hubbard <jhubbard@nvidia.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Jan Kara <jack@suse.cz>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/gup.c |   58 +++++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 43 insertions(+), 15 deletions(-)

--- a/mm/gup.c
+++ b/mm/gup.c
@@ -44,6 +44,23 @@ static void hpage_pincount_sub(struct pa
 	atomic_sub(refs, compound_pincount_ptr(page));
 }
 
+/* Equivalent to calling put_page() @refs times. */
+static void put_page_refs(struct page *page, int refs)
+{
+#ifdef CONFIG_DEBUG_VM
+	if (VM_WARN_ON_ONCE_PAGE(page_ref_count(page) < refs, page))
+		return;
+#endif
+
+	/*
+	 * Calling put_page() for each ref is unnecessarily slow. Only the last
+	 * ref needs a put_page().
+	 */
+	if (refs > 1)
+		page_ref_sub(page, refs - 1);
+	put_page(page);
+}
+
 /*
  * Return the compound head page with ref appropriately incremented,
  * or NULL if that failed.
@@ -56,6 +73,21 @@ static inline struct page *try_get_compo
 		return NULL;
 	if (unlikely(!page_cache_add_speculative(head, refs)))
 		return NULL;
+
+	/*
+	 * At this point we have a stable reference to the head page; but it
+	 * could be that between the compound_head() lookup and the refcount
+	 * increment, the compound page was split, in which case we'd end up
+	 * holding a reference on a page that has nothing to do with the page
+	 * we were given anymore.
+	 * So now that the head page is stable, recheck that the pages still
+	 * belong together.
+	 */
+	if (unlikely(compound_head(page) != head)) {
+		put_page_refs(head, refs);
+		return NULL;
+	}
+
 	return head;
 }
 
@@ -96,6 +128,14 @@ static __maybe_unused struct page *try_g
 			return NULL;
 
 		/*
+		 * CAUTION: Don't use compound_head() on the page before this
+		 * point, the result won't be stable.
+		 */
+		page = try_get_compound_head(page, refs);
+		if (!page)
+			return NULL;
+
+		/*
 		 * When pinning a compound page of order > 1 (which is what
 		 * hpage_pincount_available() checks for), use an exact count to
 		 * track it, via hpage_pincount_add/_sub().
@@ -103,15 +143,10 @@ static __maybe_unused struct page *try_g
 		 * However, be sure to *also* increment the normal page refcount
 		 * field at least once, so that the page really is pinned.
 		 */
-		if (!hpage_pincount_available(page))
-			refs *= GUP_PIN_COUNTING_BIAS;
-
-		page = try_get_compound_head(page, refs);
-		if (!page)
-			return NULL;
-
 		if (hpage_pincount_available(page))
 			hpage_pincount_add(page, refs);
+		else
+			page_ref_add(page, refs * (GUP_PIN_COUNTING_BIAS - 1));
 
 		mod_node_page_state(page_pgdat(page), NR_FOLL_PIN_ACQUIRED,
 				    orig_refs);
@@ -135,14 +170,7 @@ static void put_compound_head(struct pag
 			refs *= GUP_PIN_COUNTING_BIAS;
 	}
 
-	VM_BUG_ON_PAGE(page_ref_count(page) < refs, page);
-	/*
-	 * Calling put_page() for each ref is unnecessarily slow. Only the last
-	 * ref needs a put_page().
-	 */
-	if (refs > 1)
-		page_ref_sub(page, refs - 1);
-	put_page(page);
+	put_page_refs(page, refs);
 }
 
 /**



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 060/593] perf/smmuv3: Dont trample existing events with global filter
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 059/593] mm/gup: fix try_grab_compound_head() race with split_huge_page() Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 061/593] KVM: nVMX: Handle split-lock #AC exceptions that happen in L2 Greg Kroah-Hartman
                   ` (537 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Robin Murphy, Will Deacon

From: Robin Murphy <robin.murphy@arm.com>

commit 4c1daba15c209b99d192f147fea3dade30f72ed2 upstream.

With global filtering, we only allow an event to be scheduled if its
filter settings exactly match those of any existing events, therefore
it is pointless to reapply the filter in that case. Much worse, though,
is that in doing that we trample the event type of counter 0 if it's
already active, and never touch the appropriate PMEVTYPERn so the new
event is likely not counting the right thing either. Don't do that.

CC: stable@vger.kernel.org
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Link: https://lore.kernel.org/r/32c80c0e46237f49ad8da0c9f8864e13c4a803aa.1623153312.git.robin.murphy@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/perf/arm_smmuv3_pmu.c |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/drivers/perf/arm_smmuv3_pmu.c
+++ b/drivers/perf/arm_smmuv3_pmu.c
@@ -275,7 +275,7 @@ static int smmu_pmu_apply_event_filter(s
 				       struct perf_event *event, int idx)
 {
 	u32 span, sid;
-	unsigned int num_ctrs = smmu_pmu->num_counters;
+	unsigned int cur_idx, num_ctrs = smmu_pmu->num_counters;
 	bool filter_en = !!get_filter_enable(event);
 
 	span = filter_en ? get_filter_span(event) :
@@ -283,17 +283,19 @@ static int smmu_pmu_apply_event_filter(s
 	sid = filter_en ? get_filter_stream_id(event) :
 			   SMMU_PMCG_DEFAULT_FILTER_SID;
 
-	/* Support individual filter settings */
-	if (!smmu_pmu->global_filter) {
+	cur_idx = find_first_bit(smmu_pmu->used_counters, num_ctrs);
+	/*
+	 * Per-counter filtering, or scheduling the first globally-filtered
+	 * event into an empty PMU so idx == 0 and it works out equivalent.
+	 */
+	if (!smmu_pmu->global_filter || cur_idx == num_ctrs) {
 		smmu_pmu_set_event_filter(event, idx, span, sid);
 		return 0;
 	}
 
-	/* Requested settings same as current global settings*/
-	idx = find_first_bit(smmu_pmu->used_counters, num_ctrs);
-	if (idx == num_ctrs ||
-	    smmu_pmu_check_global_filter(smmu_pmu->events[idx], event)) {
-		smmu_pmu_set_event_filter(event, 0, span, sid);
+	/* Otherwise, must match whatever's currently scheduled */
+	if (smmu_pmu_check_global_filter(smmu_pmu->events[cur_idx], event)) {
+		smmu_pmu_set_evtyper(smmu_pmu, idx, get_event(event));
 		return 0;
 	}
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 061/593] KVM: nVMX: Handle split-lock #AC exceptions that happen in L2
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 060/593] perf/smmuv3: Dont trample existing events with global filter Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 062/593] KVM: PPC: Book3S HV: Workaround high stack usage with clang Greg Kroah-Hartman
                   ` (536 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiaoyao Li, Sean Christopherson,
	Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit b33bb78a1fada6445c265c585ee0dd0fc6279102 upstream.

Mark #ACs that won't be reinjected to the guest as wanted by L0 so that
KVM handles split-lock #AC from L2 instead of forwarding the exception to
L1.  Split-lock #AC isn't yet virtualized, i.e. L1 will treat it like a
regular #AC and do the wrong thing, e.g. reinject it into L2.

Fixes: e6f8b6c12f03 ("KVM: VMX: Extend VMXs #AC interceptor to handle split lock #AC in guest")
Cc: Xiaoyao Li <xiaoyao.li@intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20210622172244.3561540-1-seanjc@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/vmx/nested.c |    3 +++
 arch/x86/kvm/vmx/vmcs.h   |    5 +++++
 arch/x86/kvm/vmx/vmx.c    |    4 ++--
 arch/x86/kvm/vmx/vmx.h    |    1 +
 4 files changed, 11 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -5787,6 +5787,9 @@ static bool nested_vmx_l0_wants_exit(str
 		else if (is_breakpoint(intr_info) &&
 			 vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
 			return true;
+		else if (is_alignment_check(intr_info) &&
+			 !vmx_guest_inject_ac(vcpu))
+			return true;
 		return false;
 	case EXIT_REASON_EXTERNAL_INTERRUPT:
 		return true;
--- a/arch/x86/kvm/vmx/vmcs.h
+++ b/arch/x86/kvm/vmx/vmcs.h
@@ -117,6 +117,11 @@ static inline bool is_gp_fault(u32 intr_
 	return is_exception_n(intr_info, GP_VECTOR);
 }
 
+static inline bool is_alignment_check(u32 intr_info)
+{
+	return is_exception_n(intr_info, AC_VECTOR);
+}
+
 static inline bool is_machine_check(u32 intr_info)
 {
 	return is_exception_n(intr_info, MC_VECTOR);
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -4755,7 +4755,7 @@ static int handle_machine_check(struct k
  *  - Guest has #AC detection enabled in CR0
  *  - Guest EFLAGS has AC bit set
  */
-static inline bool guest_inject_ac(struct kvm_vcpu *vcpu)
+bool vmx_guest_inject_ac(struct kvm_vcpu *vcpu)
 {
 	if (!boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT))
 		return true;
@@ -4864,7 +4864,7 @@ static int handle_exception_nmi(struct k
 		kvm_run->debug.arch.exception = ex_no;
 		break;
 	case AC_VECTOR:
-		if (guest_inject_ac(vcpu)) {
+		if (vmx_guest_inject_ac(vcpu)) {
 			kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
 			return 1;
 		}
--- a/arch/x86/kvm/vmx/vmx.h
+++ b/arch/x86/kvm/vmx/vmx.h
@@ -352,6 +352,7 @@ void vmx_set_segment(struct kvm_vcpu *vc
 u64 construct_eptp(struct kvm_vcpu *vcpu, unsigned long root_hpa,
 		   int root_level);
 
+bool vmx_guest_inject_ac(struct kvm_vcpu *vcpu);
 void update_exception_bitmap(struct kvm_vcpu *vcpu);
 void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu);
 bool vmx_nmi_blocked(struct kvm_vcpu *vcpu);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 062/593] KVM: PPC: Book3S HV: Workaround high stack usage with clang
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 061/593] KVM: nVMX: Handle split-lock #AC exceptions that happen in L2 Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 063/593] KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs Greg Kroah-Hartman
                   ` (535 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Nathan Chancellor,
	Michael Ellerman

From: Nathan Chancellor <nathan@kernel.org>

commit 51696f39cbee5bb684e7959c0c98b5f54548aa34 upstream.

LLVM does not emit optimal byteswap assembly, which results in high
stack usage in kvmhv_enter_nested_guest() due to the inlining of
byteswap_pt_regs(). With LLVM 12.0.0:

arch/powerpc/kvm/book3s_hv_nested.c:289:6: error: stack frame size of
2512 bytes in function 'kvmhv_enter_nested_guest' [-Werror,-Wframe-larger-than=]
long kvmhv_enter_nested_guest(struct kvm_vcpu *vcpu)
     ^
1 error generated.

While this gets fixed in LLVM, mark byteswap_pt_regs() as
noinline_for_stack so that it does not get inlined and break the build
due to -Werror by default in arch/powerpc/. Not inlining saves
approximately 800 bytes with LLVM 12.0.0:

arch/powerpc/kvm/book3s_hv_nested.c:290:6: warning: stack frame size of
1728 bytes in function 'kvmhv_enter_nested_guest' [-Wframe-larger-than=]
long kvmhv_enter_nested_guest(struct kvm_vcpu *vcpu)
     ^
1 warning generated.

Cc: stable@vger.kernel.org # v4.20+
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://github.com/ClangBuiltLinux/linux/issues/1292
Link: https://bugs.llvm.org/show_bug.cgi?id=49610
Link: https://lore.kernel.org/r/202104031853.vDT0Qjqj-lkp@intel.com/
Link: https://gist.github.com/ba710e3703bf45043a31e2806c843ffd
Link: https://lore.kernel.org/r/20210621182440.990242-1-nathan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kvm/book3s_hv_nested.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kvm/book3s_hv_nested.c
+++ b/arch/powerpc/kvm/book3s_hv_nested.c
@@ -51,7 +51,8 @@ void kvmhv_save_hv_regs(struct kvm_vcpu
 	hr->ppr = vcpu->arch.ppr;
 }
 
-static void byteswap_pt_regs(struct pt_regs *regs)
+/* Use noinline_for_stack due to https://bugs.llvm.org/show_bug.cgi?id=49610 */
+static noinline_for_stack void byteswap_pt_regs(struct pt_regs *regs)
 {
 	unsigned long *addr = (unsigned long *) regs;
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 063/593] KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 062/593] KVM: PPC: Book3S HV: Workaround high stack usage with clang Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 064/593] KVM: x86/mmu: Use MMUs role to detect CR4.SMEP value in nested NPT walk Greg Kroah-Hartman
                   ` (534 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 112022bdb5bc372e00e6e43cb88ee38ea67b97bd upstream.

Mark NX as being used for all non-nested shadow MMUs, as KVM will set the
NX bit for huge SPTEs if the iTLB mutli-hit mitigation is enabled.
Checking the mitigation itself is not sufficient as it can be toggled on
at any time and KVM doesn't reset MMU contexts when that happens.  KVM
could reset the contexts, but that would require purging all SPTEs in all
MMUs, for no real benefit.  And, KVM already forces EFER.NX=1 when TDP is
disabled (for WP=0, SMEP=1, NX=0), so technically NX is never reserved
for shadow MMUs.

Fixes: b8e8c8303ff2 ("kvm: mmu: ITLB_MULTIHIT mitigation")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20210622175739.3610207-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/mmu/mmu.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -4133,7 +4133,15 @@ static void reset_rsvds_bits_mask_ept(st
 void
 reset_shadow_zero_bits_mask(struct kvm_vcpu *vcpu, struct kvm_mmu *context)
 {
-	bool uses_nx = context->nx ||
+	/*
+	 * KVM uses NX when TDP is disabled to handle a variety of scenarios,
+	 * notably for huge SPTEs if iTLB multi-hit mitigation is enabled and
+	 * to generate correct permissions for CR0.WP=0/CR4.SMEP=1/EFER.NX=0.
+	 * The iTLB multi-hit workaround can be toggled at any time, so assume
+	 * NX can be used by any non-nested shadow MMU to avoid having to reset
+	 * MMU contexts.  Note, KVM forces EFER.NX=1 when TDP is disabled.
+	 */
+	bool uses_nx = context->nx || !tdp_enabled ||
 		context->mmu_role.base.smep_andnot_wp;
 	struct rsvd_bits_validate *shadow_zero_check;
 	int i;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 064/593] KVM: x86/mmu: Use MMUs role to detect CR4.SMEP value in nested NPT walk
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 063/593] KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 065/593] s390/cio: dont call css_wait_for_slow_path() inside a lock Greg Kroah-Hartman
                   ` (533 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit ef318b9edf66a082f23d00d79b70c17b4c055a26 upstream.

Use the MMU's role to get its effective SMEP value when injecting a fault
into the guest.  When walking L1's (nested) NPT while L2 is active, vCPU
state will reflect L2, whereas NPT uses the host's (L1 in this case) CR0,
CR4, EFER, etc...  If L1 and L2 have different settings for SMEP and
L1 does not have EFER.NX=1, this can result in an incorrect PFEC.FETCH
when injecting #NPF.

Fixes: e57d4a356ad3 ("KVM: Add instruction fetch checking when walking guest page table")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20210622175739.3610207-5-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/mmu/paging_tmpl.h |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/arch/x86/kvm/mmu/paging_tmpl.h
+++ b/arch/x86/kvm/mmu/paging_tmpl.h
@@ -471,8 +471,7 @@ retry_walk:
 
 error:
 	errcode |= write_fault | user_fault;
-	if (fetch_fault && (mmu->nx ||
-			    kvm_read_cr4_bits(vcpu, X86_CR4_SMEP)))
+	if (fetch_fault && (mmu->nx || mmu->mmu_role.ext.cr4_smep))
 		errcode |= PFERR_FETCH_MASK;
 
 	walker->fault.vector = PF_VECTOR;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 065/593] s390/cio: dont call css_wait_for_slow_path() inside a lock
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 064/593] KVM: x86/mmu: Use MMUs role to detect CR4.SMEP value in nested NPT walk Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 066/593] s390: mm: Fix secure storage access exception handling Greg Kroah-Hartman
                   ` (532 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Oberparleiter, Vineeth Vijayan,
	Vasily Gorbik

From: Vineeth Vijayan <vneethv@linux.ibm.com>

commit c749d8c018daf5fba6dfac7b6c5c78b27efd7d65 upstream.

Currently css_wait_for_slow_path() gets called inside the chp->lock.
The path-verification-loop of slowpath inside this lock could lead to
deadlock as reported by the lockdep validator.

The ccw_device_get_chp_desc() during the instance of a device-set-online
would try to acquire the same 'chp->lock' to read the chp->desc.
The instance of this function can get called from multiple scenario,
like probing or setting-device online manually. This could, in some
corner-cases lead to the deadlock.

lockdep validator reported this as,

        CPU0                    CPU1
        ----                    ----
   lock(&chp->lock);
                                lock(kn->active#43);
                                lock(&chp->lock);
   lock((wq_completion)cio);

The chp->lock was introduced to serialize the access of struct
channel_path. This lock is not needed for the css_wait_for_slow_path()
function, so invoke the slow-path function outside this lock.

Fixes: b730f3a93395 ("[S390] cio: add lock to struct channel_path")
Cc: <stable@vger.kernel.org>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/cio/chp.c  |    3 +++
 drivers/s390/cio/chsc.c |    2 --
 2 files changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/s390/cio/chp.c
+++ b/drivers/s390/cio/chp.c
@@ -255,6 +255,9 @@ static ssize_t chp_status_write(struct d
 	if (!num_args)
 		return count;
 
+	/* Wait until previous actions have settled. */
+	css_wait_for_slow_path();
+
 	if (!strncasecmp(cmd, "on", 2) || !strcmp(cmd, "1")) {
 		mutex_lock(&cp->lock);
 		error = s390_vary_chpid(cp->chpid, 1);
--- a/drivers/s390/cio/chsc.c
+++ b/drivers/s390/cio/chsc.c
@@ -757,8 +757,6 @@ int chsc_chp_vary(struct chp_id chpid, i
 {
 	struct channel_path *chp = chpid_to_chp(chpid);
 
-	/* Wait until previous actions have settled. */
-	css_wait_for_slow_path();
 	/*
 	 * Redo PathVerification on the devices the chpid connects to
 	 */



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 066/593] s390: mm: Fix secure storage access exception handling
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 065/593] s390/cio: dont call css_wait_for_slow_path() inside a lock Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 067/593] f2fs: Prevent swap file in LFS mode Greg Kroah-Hartman
                   ` (531 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Janosch Frank, Christian Borntraeger,
	Vasily Gorbik

From: Janosch Frank <frankja@linux.ibm.com>

commit 85b18d7b5e7ffefb2f076186511d39c4990aa005 upstream.

Turns out that the bit 61 in the TEID is not always 1 and if that's
the case the address space ID and the address are
unpredictable. Without an address and its address space ID we can't
export memory and hence we can only send a SIGSEGV to the process or
panic the kernel depending on who caused the exception.

Unfortunately bit 61 is only reliable if we have the "misc" UV feature
bit.

Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Fixes: 084ea4d611a3d ("s390/mm: add (non)secure page access exceptions handlers")
Cc: stable@vger.kernel.org
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/boot/uv.c        |    1 +
 arch/s390/include/asm/uv.h |    8 +++++++-
 arch/s390/kernel/uv.c      |   10 ++++++++++
 arch/s390/mm/fault.c       |   26 ++++++++++++++++++++++++++
 4 files changed, 44 insertions(+), 1 deletion(-)

--- a/arch/s390/boot/uv.c
+++ b/arch/s390/boot/uv.c
@@ -36,6 +36,7 @@ void uv_query_info(void)
 		uv_info.max_sec_stor_addr = ALIGN(uvcb.max_guest_stor_addr, PAGE_SIZE);
 		uv_info.max_num_sec_conf = uvcb.max_num_sec_conf;
 		uv_info.max_guest_cpu_id = uvcb.max_guest_cpu_id;
+		uv_info.uv_feature_indications = uvcb.uv_feature_indications;
 	}
 
 #ifdef CONFIG_PROTECTED_VIRTUALIZATION_GUEST
--- a/arch/s390/include/asm/uv.h
+++ b/arch/s390/include/asm/uv.h
@@ -73,6 +73,10 @@ enum uv_cmds_inst {
 	BIT_UVC_CMD_UNPIN_PAGE_SHARED = 22,
 };
 
+enum uv_feat_ind {
+	BIT_UV_FEAT_MISC = 0,
+};
+
 struct uv_cb_header {
 	u16 len;
 	u16 cmd;	/* Command Code */
@@ -97,7 +101,8 @@ struct uv_cb_qui {
 	u64 max_guest_stor_addr;
 	u8  reserved88[158 - 136];
 	u16 max_guest_cpu_id;
-	u8  reserveda0[200 - 160];
+	u64 uv_feature_indications;
+	u8  reserveda0[200 - 168];
 } __packed __aligned(8);
 
 /* Initialize Ultravisor */
@@ -274,6 +279,7 @@ struct uv_info {
 	unsigned long max_sec_stor_addr;
 	unsigned int max_num_sec_conf;
 	unsigned short max_guest_cpu_id;
+	unsigned long uv_feature_indications;
 };
 
 extern struct uv_info uv_info;
--- a/arch/s390/kernel/uv.c
+++ b/arch/s390/kernel/uv.c
@@ -364,6 +364,15 @@ static ssize_t uv_query_facilities(struc
 static struct kobj_attribute uv_query_facilities_attr =
 	__ATTR(facilities, 0444, uv_query_facilities, NULL);
 
+static ssize_t uv_query_feature_indications(struct kobject *kobj,
+					    struct kobj_attribute *attr, char *buf)
+{
+	return sysfs_emit(buf, "%lx\n", uv_info.uv_feature_indications);
+}
+
+static struct kobj_attribute uv_query_feature_indications_attr =
+	__ATTR(feature_indications, 0444, uv_query_feature_indications, NULL);
+
 static ssize_t uv_query_max_guest_cpus(struct kobject *kobj,
 				       struct kobj_attribute *attr, char *page)
 {
@@ -396,6 +405,7 @@ static struct kobj_attribute uv_query_ma
 
 static struct attribute *uv_query_attrs[] = {
 	&uv_query_facilities_attr.attr,
+	&uv_query_feature_indications_attr.attr,
 	&uv_query_max_guest_cpus_attr.attr,
 	&uv_query_max_guest_vms_attr.attr,
 	&uv_query_max_guest_addr_attr.attr,
--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
@@ -805,6 +805,32 @@ void do_secure_storage_access(struct pt_
 	struct page *page;
 	int rc;
 
+	/*
+	 * bit 61 tells us if the address is valid, if it's not we
+	 * have a major problem and should stop the kernel or send a
+	 * SIGSEGV to the process. Unfortunately bit 61 is not
+	 * reliable without the misc UV feature so we need to check
+	 * for that as well.
+	 */
+	if (test_bit_inv(BIT_UV_FEAT_MISC, &uv_info.uv_feature_indications) &&
+	    !test_bit_inv(61, &regs->int_parm_long)) {
+		/*
+		 * When this happens, userspace did something that it
+		 * was not supposed to do, e.g. branching into secure
+		 * memory. Trigger a segmentation fault.
+		 */
+		if (user_mode(regs)) {
+			send_sig(SIGSEGV, current, 0);
+			return;
+		}
+
+		/*
+		 * The kernel should never run into this case and we
+		 * have no way out of this situation.
+		 */
+		panic("Unexpected PGM 0x3d with TEID bit 61=0");
+	}
+
 	switch (get_fault_type(regs)) {
 	case USER_FAULT:
 		mm = current->mm;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 067/593] f2fs: Prevent swap file in LFS mode
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 066/593] s390: mm: Fix secure storage access exception handling Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 068/593] clk: agilex/stratix10/n5x: fix how the bypass_reg is handled Greg Kroah-Hartman
                   ` (530 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shinichiro Kawasaki, Chao Yu, Jaegeuk Kim

From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>

commit d927ccfccb009ede24448d69c08b12e7c8a6979b upstream.

The kernel writes to swap files on f2fs directly without the assistance
of the filesystem. This direct write by kernel can be non-sequential
even when the f2fs is in LFS mode. Such non-sequential write conflicts
with the LFS semantics. Especially when f2fs is set up on zoned block
devices, the non-sequential write causes unaligned write command errors.

To avoid the non-sequential writes to swap files, prevent swap file
activation when the filesystem is in LFS mode.

Fixes: 4969c06a0d83 ("f2fs: support swap file w/ DIO")
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Cc: stable@vger.kernel.org # v5.10+
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/f2fs/data.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -4112,6 +4112,12 @@ static int f2fs_swap_activate(struct swa
 	if (f2fs_readonly(F2FS_I_SB(inode)->sb))
 		return -EROFS;
 
+	if (f2fs_lfs_mode(F2FS_I_SB(inode))) {
+		f2fs_err(F2FS_I_SB(inode),
+			"Swapfile not supported in LFS mode");
+		return -EINVAL;
+	}
+
 	ret = f2fs_convert_inline_inode(inode);
 	if (ret)
 		return ret;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 068/593] clk: agilex/stratix10/n5x: fix how the bypass_reg is handled
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 067/593] f2fs: Prevent swap file in LFS mode Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 069/593] clk: agilex/stratix10: remove noc_clk Greg Kroah-Hartman
                   ` (529 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dinh Nguyen, Stephen Boyd

From: Dinh Nguyen <dinguyen@kernel.org>

commit dfd1427c3769ba51297777dbb296f1802d72dbf6 upstream.

If the bypass_reg is set, then we can return the bypass parent, however,
if there is not a bypass_reg, we need to figure what the correct parent
mux is.

The previous code never handled the parent mux if there was a
bypass_reg.

Fixes: 80c6b7a0894f ("clk: socfpga: agilex: add clock driver for the Agilex platform")
Cc: stable@vger.kernel.org
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Link: https://lore.kernel.org/r/20210611025201.118799-4-dinguyen@kernel.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/socfpga/clk-periph-s10.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/clk/socfpga/clk-periph-s10.c
+++ b/drivers/clk/socfpga/clk-periph-s10.c
@@ -49,16 +49,21 @@ static u8 clk_periclk_get_parent(struct
 {
 	struct socfpga_periph_clk *socfpgaclk = to_periph_clk(hwclk);
 	u32 clk_src, mask;
-	u8 parent;
+	u8 parent = 0;
 
+	/* handle the bypass first */
 	if (socfpgaclk->bypass_reg) {
 		mask = (0x1 << socfpgaclk->bypass_shift);
 		parent = ((readl(socfpgaclk->bypass_reg) & mask) >>
 			   socfpgaclk->bypass_shift);
-	} else {
+		if (parent)
+			return parent;
+	}
+
+	if (socfpgaclk->hw.reg) {
 		clk_src = readl(socfpgaclk->hw.reg);
 		parent = (clk_src >> CLK_MGR_FREE_SHIFT) &
-			CLK_MGR_FREE_MASK;
+			  CLK_MGR_FREE_MASK;
 	}
 	return parent;
 }



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 069/593] clk: agilex/stratix10: remove noc_clk
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 068/593] clk: agilex/stratix10/n5x: fix how the bypass_reg is handled Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 070/593] clk: agilex/stratix10: fix bypass representation Greg Kroah-Hartman
                   ` (528 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dinh Nguyen, Stephen Boyd

From: Dinh Nguyen <dinguyen@kernel.org>

commit efbe21df3e889c0f4bf682c2b7e2465d60b0127c upstream.

Early documentation had a noc_clk, but in reality, it's just the
noc_free_clk. Remove the noc_clk clock and just use the noc_free_clk.

Fixes: 80c6b7a0894f ("clk: socfpga: agilex: add clock driver for the Agilex platform")
Cc: stable@vger.kernel.org
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Link: https://lore.kernel.org/r/20210611025201.118799-1-dinguyen@kernel.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/socfpga/clk-agilex.c |   32 +++++++++++++++-----------------
 drivers/clk/socfpga/clk-s10.c    |   32 +++++++++++++++-----------------
 2 files changed, 30 insertions(+), 34 deletions(-)

--- a/drivers/clk/socfpga/clk-agilex.c
+++ b/drivers/clk/socfpga/clk-agilex.c
@@ -211,11 +211,9 @@ static const struct stratix10_perip_cnt_
 	{ AGILEX_MPU_FREE_CLK, "mpu_free_clk", NULL, mpu_free_mux, ARRAY_SIZE(mpu_free_mux),
 	   0, 0x3C, 0, 0, 0},
 	{ AGILEX_NOC_FREE_CLK, "noc_free_clk", NULL, noc_free_mux, ARRAY_SIZE(noc_free_mux),
-	  0, 0x40, 0, 0, 1},
-	{ AGILEX_L4_SYS_FREE_CLK, "l4_sys_free_clk", "noc_free_clk", NULL, 1, 0,
-	  0, 4, 0, 0},
-	{ AGILEX_NOC_CLK, "noc_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux),
-	  0, 0, 0, 0x30, 1},
+	  0, 0x40, 0, 0, 0},
+	{ AGILEX_L4_SYS_FREE_CLK, "l4_sys_free_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0,
+	  0, 4, 0x30, 1},
 	{ AGILEX_EMAC_A_FREE_CLK, "emaca_free_clk", NULL, emaca_free_mux, ARRAY_SIZE(emaca_free_mux),
 	  0, 0xD4, 0, 0x88, 0},
 	{ AGILEX_EMAC_B_FREE_CLK, "emacb_free_clk", NULL, emacb_free_mux, ARRAY_SIZE(emacb_free_mux),
@@ -241,24 +239,24 @@ static const struct stratix10_gate_clock
 	  0, 0, 0, 0, 0, 0, 4},
 	{ AGILEX_MPU_CCU_CLK, "mpu_ccu_clk", "mpu_clk", NULL, 1, 0, 0x24,
 	  0, 0, 0, 0, 0, 0, 2},
-	{ AGILEX_L4_MAIN_CLK, "l4_main_clk", "noc_clk", NULL, 1, 0, 0x24,
-	  1, 0x44, 0, 2, 0, 0, 0},
-	{ AGILEX_L4_MP_CLK, "l4_mp_clk", "noc_clk", NULL, 1, 0, 0x24,
-	  2, 0x44, 8, 2, 0, 0, 0},
+	{ AGILEX_L4_MAIN_CLK, "l4_main_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x24,
+	  1, 0x44, 0, 2, 0x30, 1, 0},
+	{ AGILEX_L4_MP_CLK, "l4_mp_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x24,
+	  2, 0x44, 8, 2, 0x30, 1, 0},
 	/*
 	 * The l4_sp_clk feeds a 100 MHz clock to various peripherals, one of them
 	 * being the SP timers, thus cannot get gated.
 	 */
-	{ AGILEX_L4_SP_CLK, "l4_sp_clk", "noc_clk", NULL, 1, CLK_IS_CRITICAL, 0x24,
-	  3, 0x44, 16, 2, 0, 0, 0},
-	{ AGILEX_CS_AT_CLK, "cs_at_clk", "noc_clk", NULL, 1, 0, 0x24,
-	  4, 0x44, 24, 2, 0, 0, 0},
-	{ AGILEX_CS_TRACE_CLK, "cs_trace_clk", "noc_clk", NULL, 1, 0, 0x24,
-	  4, 0x44, 26, 2, 0, 0, 0},
+	{ AGILEX_L4_SP_CLK, "l4_sp_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), CLK_IS_CRITICAL, 0x24,
+	  3, 0x44, 16, 2, 0x30, 1, 0},
+	{ AGILEX_CS_AT_CLK, "cs_at_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x24,
+	  4, 0x44, 24, 2, 0x30, 1, 0},
+	{ AGILEX_CS_TRACE_CLK, "cs_trace_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x24,
+	  4, 0x44, 26, 2, 0x30, 1, 0},
 	{ AGILEX_CS_PDBG_CLK, "cs_pdbg_clk", "cs_at_clk", NULL, 1, 0, 0x24,
 	  4, 0x44, 28, 1, 0, 0, 0},
-	{ AGILEX_CS_TIMER_CLK, "cs_timer_clk", "noc_clk", NULL, 1, 0, 0x24,
-	  5, 0, 0, 0, 0, 0, 0},
+	{ AGILEX_CS_TIMER_CLK, "cs_timer_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x24,
+	  5, 0, 0, 0, 0x30, 1, 0},
 	{ AGILEX_S2F_USER0_CLK, "s2f_user0_clk", NULL, s2f_usr0_mux, ARRAY_SIZE(s2f_usr0_mux), 0, 0x24,
 	  6, 0, 0, 0, 0, 0, 0},
 	{ AGILEX_EMAC0_CLK, "emac0_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0x7C,
--- a/drivers/clk/socfpga/clk-s10.c
+++ b/drivers/clk/socfpga/clk-s10.c
@@ -167,7 +167,7 @@ static const struct stratix10_perip_cnt_
 	{ STRATIX10_MPU_FREE_CLK, "mpu_free_clk", NULL, mpu_free_mux, ARRAY_SIZE(mpu_free_mux),
 	   0, 0x48, 0, 0, 0},
 	{ STRATIX10_NOC_FREE_CLK, "noc_free_clk", NULL, noc_free_mux, ARRAY_SIZE(noc_free_mux),
-	  0, 0x4C, 0, 0, 0},
+	  0, 0x4C, 0, 0x3C, 1},
 	{ STRATIX10_MAIN_EMACA_CLK, "main_emaca_clk", "main_noc_base_clk", NULL, 1, 0,
 	  0x50, 0, 0, 0},
 	{ STRATIX10_MAIN_EMACB_CLK, "main_emacb_clk", "main_noc_base_clk", NULL, 1, 0,
@@ -200,10 +200,8 @@ static const struct stratix10_perip_cnt_
 	  0, 0xD4, 0, 0, 0},
 	{ STRATIX10_PERI_PSI_REF_CLK, "peri_psi_ref_clk", "peri_noc_base_clk", NULL, 1, 0,
 	  0xD8, 0, 0, 0},
-	{ STRATIX10_L4_SYS_FREE_CLK, "l4_sys_free_clk", "noc_free_clk", NULL, 1, 0,
-	  0, 4, 0, 0},
-	{ STRATIX10_NOC_CLK, "noc_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux),
-	  0, 0, 0, 0x3C, 1},
+	{ STRATIX10_L4_SYS_FREE_CLK, "l4_sys_free_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0,
+	  0, 4, 0x3C, 1},
 	{ STRATIX10_EMAC_A_FREE_CLK, "emaca_free_clk", NULL, emaca_free_mux, ARRAY_SIZE(emaca_free_mux),
 	  0, 0, 2, 0xB0, 0},
 	{ STRATIX10_EMAC_B_FREE_CLK, "emacb_free_clk", NULL, emacb_free_mux, ARRAY_SIZE(emacb_free_mux),
@@ -227,20 +225,20 @@ static const struct stratix10_gate_clock
 	  0, 0, 0, 0, 0, 0, 4},
 	{ STRATIX10_MPU_L2RAM_CLK, "mpu_l2ram_clk", "mpu_clk", NULL, 1, 0, 0x30,
 	  0, 0, 0, 0, 0, 0, 2},
-	{ STRATIX10_L4_MAIN_CLK, "l4_main_clk", "noc_clk", NULL, 1, 0, 0x30,
-	  1, 0x70, 0, 2, 0, 0, 0},
-	{ STRATIX10_L4_MP_CLK, "l4_mp_clk", "noc_clk", NULL, 1, 0, 0x30,
-	  2, 0x70, 8, 2, 0, 0, 0},
-	{ STRATIX10_L4_SP_CLK, "l4_sp_clk", "noc_clk", NULL, 1, CLK_IS_CRITICAL, 0x30,
-	  3, 0x70, 16, 2, 0, 0, 0},
-	{ STRATIX10_CS_AT_CLK, "cs_at_clk", "noc_clk", NULL, 1, 0, 0x30,
-	  4, 0x70, 24, 2, 0, 0, 0},
-	{ STRATIX10_CS_TRACE_CLK, "cs_trace_clk", "noc_clk", NULL, 1, 0, 0x30,
-	  4, 0x70, 26, 2, 0, 0, 0},
+	{ STRATIX10_L4_MAIN_CLK, "l4_main_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x30,
+	  1, 0x70, 0, 2, 0x3C, 1, 0},
+	{ STRATIX10_L4_MP_CLK, "l4_mp_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x30,
+	  2, 0x70, 8, 2, 0x3C, 1, 0},
+	{ STRATIX10_L4_SP_CLK, "l4_sp_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), CLK_IS_CRITICAL, 0x30,
+	  3, 0x70, 16, 2, 0x3C, 1, 0},
+	{ STRATIX10_CS_AT_CLK, "cs_at_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x30,
+	  4, 0x70, 24, 2, 0x3C, 1, 0},
+	{ STRATIX10_CS_TRACE_CLK, "cs_trace_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x30,
+	  4, 0x70, 26, 2, 0x3C, 1, 0},
 	{ STRATIX10_CS_PDBG_CLK, "cs_pdbg_clk", "cs_at_clk", NULL, 1, 0, 0x30,
 	  4, 0x70, 28, 1, 0, 0, 0},
-	{ STRATIX10_CS_TIMER_CLK, "cs_timer_clk", "noc_clk", NULL, 1, 0, 0x30,
-	  5, 0, 0, 0, 0, 0, 0},
+	{ STRATIX10_CS_TIMER_CLK, "cs_timer_clk", NULL, noc_mux, ARRAY_SIZE(noc_mux), 0, 0x30,
+	  5, 0, 0, 0, 0x3C, 1, 0},
 	{ STRATIX10_S2F_USER0_CLK, "s2f_user0_clk", NULL, s2f_usr0_mux, ARRAY_SIZE(s2f_usr0_mux), 0, 0x30,
 	  6, 0, 0, 0, 0, 0, 0},
 	{ STRATIX10_EMAC0_CLK, "emac0_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0xA4,



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 070/593] clk: agilex/stratix10: fix bypass representation
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 069/593] clk: agilex/stratix10: remove noc_clk Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 071/593] rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path Greg Kroah-Hartman
                   ` (527 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dinh Nguyen, Stephen Boyd

From: Dinh Nguyen <dinguyen@kernel.org>

commit 6855ee839699bdabb4b16cf942557fd763bcb1fa upstream.

Each of these clocks(s2f_usr0/1, sdmmc_clk, gpio_db, emac_ptp,
emac0/1/2) have a bypass setting that can use the boot_clk. The
previous representation was not correct.

Fix the representation.

Fixes: 80c6b7a0894f ("clk: socfpga: agilex: add clock driver for the Agilex platform")
Cc: stable@vger.kernel.org
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Link: https://lore.kernel.org/r/20210611025201.118799-2-dinguyen@kernel.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/socfpga/clk-agilex.c |   57 +++++++++++++++++++++++++++++++--------
 drivers/clk/socfpga/clk-s10.c    |   55 ++++++++++++++++++++++++++++++-------
 2 files changed, 91 insertions(+), 21 deletions(-)

--- a/drivers/clk/socfpga/clk-agilex.c
+++ b/drivers/clk/socfpga/clk-agilex.c
@@ -186,6 +186,41 @@ static const struct clk_parent_data noc_
 	  .name = "boot_clk", },
 };
 
+static const struct clk_parent_data sdmmc_mux[] = {
+	{ .fw_name = "sdmmc_free_clk",
+	  .name = "sdmmc_free_clk", },
+	{ .fw_name = "boot_clk",
+	  .name = "boot_clk", },
+};
+
+static const struct clk_parent_data s2f_user1_mux[] = {
+	{ .fw_name = "s2f_user1_free_clk",
+	  .name = "s2f_user1_free_clk", },
+	{ .fw_name = "boot_clk",
+	  .name = "boot_clk", },
+};
+
+static const struct clk_parent_data psi_mux[] = {
+	{ .fw_name = "psi_ref_free_clk",
+	  .name = "psi_ref_free_clk", },
+	{ .fw_name = "boot_clk",
+	  .name = "boot_clk", },
+};
+
+static const struct clk_parent_data gpio_db_mux[] = {
+	{ .fw_name = "gpio_db_free_clk",
+	  .name = "gpio_db_free_clk", },
+	{ .fw_name = "boot_clk",
+	  .name = "boot_clk", },
+};
+
+static const struct clk_parent_data emac_ptp_mux[] = {
+	{ .fw_name = "emac_ptp_free_clk",
+	  .name = "emac_ptp_free_clk", },
+	{ .fw_name = "boot_clk",
+	  .name = "boot_clk", },
+};
+
 /* clocks in AO (always on) controller */
 static const struct stratix10_pll_clock agilex_pll_clks[] = {
 	{ AGILEX_BOOT_CLK, "boot_clk", boot_mux, ARRAY_SIZE(boot_mux), 0,
@@ -223,7 +258,7 @@ static const struct stratix10_perip_cnt_
 	{ AGILEX_GPIO_DB_FREE_CLK, "gpio_db_free_clk", NULL, gpio_db_free_mux,
 	  ARRAY_SIZE(gpio_db_free_mux), 0, 0xE0, 0, 0x88, 3},
 	{ AGILEX_SDMMC_FREE_CLK, "sdmmc_free_clk", NULL, sdmmc_free_mux,
-	  ARRAY_SIZE(sdmmc_free_mux), 0, 0xE4, 0, 0x88, 4},
+	  ARRAY_SIZE(sdmmc_free_mux), 0, 0xE4, 0, 0, 0},
 	{ AGILEX_S2F_USER0_FREE_CLK, "s2f_user0_free_clk", NULL, s2f_usr0_free_mux,
 	  ARRAY_SIZE(s2f_usr0_free_mux), 0, 0xE8, 0, 0, 0},
 	{ AGILEX_S2F_USER1_FREE_CLK, "s2f_user1_free_clk", NULL, s2f_usr1_free_mux,
@@ -265,16 +300,16 @@ static const struct stratix10_gate_clock
 	  1, 0, 0, 0, 0x94, 27, 0},
 	{ AGILEX_EMAC2_CLK, "emac2_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0x7C,
 	  2, 0, 0, 0, 0x94, 28, 0},
-	{ AGILEX_EMAC_PTP_CLK, "emac_ptp_clk", "emac_ptp_free_clk", NULL, 1, 0, 0x7C,
-	  3, 0, 0, 0, 0, 0, 0},
-	{ AGILEX_GPIO_DB_CLK, "gpio_db_clk", "gpio_db_free_clk", NULL, 1, 0, 0x7C,
-	  4, 0x98, 0, 16, 0, 0, 0},
-	{ AGILEX_SDMMC_CLK, "sdmmc_clk", "sdmmc_free_clk", NULL, 1, 0, 0x7C,
-	  5, 0, 0, 0, 0, 0, 4},
-	{ AGILEX_S2F_USER1_CLK, "s2f_user1_clk", "s2f_user1_free_clk", NULL, 1, 0, 0x7C,
-	  6, 0, 0, 0, 0, 0, 0},
-	{ AGILEX_PSI_REF_CLK, "psi_ref_clk", "psi_ref_free_clk", NULL, 1, 0, 0x7C,
-	  7, 0, 0, 0, 0, 0, 0},
+	{ AGILEX_EMAC_PTP_CLK, "emac_ptp_clk", NULL, emac_ptp_mux, ARRAY_SIZE(emac_ptp_mux), 0, 0x7C,
+	  3, 0, 0, 0, 0x88, 2, 0},
+	{ AGILEX_GPIO_DB_CLK, "gpio_db_clk", NULL, gpio_db_mux, ARRAY_SIZE(gpio_db_mux), 0, 0x7C,
+	  4, 0x98, 0, 16, 0x88, 3, 0},
+	{ AGILEX_SDMMC_CLK, "sdmmc_clk", NULL, sdmmc_mux, ARRAY_SIZE(sdmmc_mux), 0, 0x7C,
+	  5, 0, 0, 0, 0x88, 4, 4},
+	{ AGILEX_S2F_USER1_CLK, "s2f_user1_clk", NULL, s2f_user1_mux, ARRAY_SIZE(s2f_user1_mux), 0, 0x7C,
+	  6, 0, 0, 0, 0x88, 5, 0},
+	{ AGILEX_PSI_REF_CLK, "psi_ref_clk", NULL, psi_mux, ARRAY_SIZE(psi_mux), 0, 0x7C,
+	  7, 0, 0, 0, 0x88, 6, 0},
 	{ AGILEX_USB_CLK, "usb_clk", "l4_mp_clk", NULL, 1, 0, 0x7C,
 	  8, 0, 0, 0, 0, 0, 0},
 	{ AGILEX_SPI_M_CLK, "spi_m_clk", "l4_mp_clk", NULL, 1, 0, 0x7C,
--- a/drivers/clk/socfpga/clk-s10.c
+++ b/drivers/clk/socfpga/clk-s10.c
@@ -144,6 +144,41 @@ static const struct clk_parent_data mpu_
 	  .name = "f2s-free-clk", },
 };
 
+static const struct clk_parent_data sdmmc_mux[] = {
+	{ .fw_name = "sdmmc_free_clk",
+	  .name = "sdmmc_free_clk", },
+	{ .fw_name = "boot_clk",
+	  .name = "boot_clk", },
+};
+
+static const struct clk_parent_data s2f_user1_mux[] = {
+	{ .fw_name = "s2f_user1_free_clk",
+	  .name = "s2f_user1_free_clk", },
+	{ .fw_name = "boot_clk",
+	  .name = "boot_clk", },
+};
+
+static const struct clk_parent_data psi_mux[] = {
+	{ .fw_name = "psi_ref_free_clk",
+	  .name = "psi_ref_free_clk", },
+	{ .fw_name = "boot_clk",
+	  .name = "boot_clk", },
+};
+
+static const struct clk_parent_data gpio_db_mux[] = {
+	{ .fw_name = "gpio_db_free_clk",
+	  .name = "gpio_db_free_clk", },
+	{ .fw_name = "boot_clk",
+	  .name = "boot_clk", },
+};
+
+static const struct clk_parent_data emac_ptp_mux[] = {
+	{ .fw_name = "emac_ptp_free_clk",
+	  .name = "emac_ptp_free_clk", },
+	{ .fw_name = "boot_clk",
+	  .name = "boot_clk", },
+};
+
 /* clocks in AO (always on) controller */
 static const struct stratix10_pll_clock s10_pll_clks[] = {
 	{ STRATIX10_BOOT_CLK, "boot_clk", boot_mux, ARRAY_SIZE(boot_mux), 0,
@@ -247,16 +282,16 @@ static const struct stratix10_gate_clock
 	  1, 0, 0, 0, 0xDC, 27, 0},
 	{ STRATIX10_EMAC2_CLK, "emac2_clk", NULL, emac_mux, ARRAY_SIZE(emac_mux), 0, 0xA4,
 	  2, 0, 0, 0, 0xDC, 28, 0},
-	{ STRATIX10_EMAC_PTP_CLK, "emac_ptp_clk", "emac_ptp_free_clk", NULL, 1, 0, 0xA4,
-	  3, 0, 0, 0, 0, 0, 0},
-	{ STRATIX10_GPIO_DB_CLK, "gpio_db_clk", "gpio_db_free_clk", NULL, 1, 0, 0xA4,
-	  4, 0xE0, 0, 16, 0, 0, 0},
-	{ STRATIX10_SDMMC_CLK, "sdmmc_clk", "sdmmc_free_clk", NULL, 1, 0, 0xA4,
-	  5, 0, 0, 0, 0, 0, 4},
-	{ STRATIX10_S2F_USER1_CLK, "s2f_user1_clk", "s2f_user1_free_clk", NULL, 1, 0, 0xA4,
-	  6, 0, 0, 0, 0, 0, 0},
-	{ STRATIX10_PSI_REF_CLK, "psi_ref_clk", "psi_ref_free_clk", NULL, 1, 0, 0xA4,
-	  7, 0, 0, 0, 0, 0, 0},
+	{ STRATIX10_EMAC_PTP_CLK, "emac_ptp_clk", NULL, emac_ptp_mux, ARRAY_SIZE(emac_ptp_mux), 0, 0xA4,
+	  3, 0, 0, 0, 0xB0, 2, 0},
+	{ STRATIX10_GPIO_DB_CLK, "gpio_db_clk", NULL, gpio_db_mux, ARRAY_SIZE(gpio_db_mux), 0, 0xA4,
+	  4, 0xE0, 0, 16, 0xB0, 3, 0},
+	{ STRATIX10_SDMMC_CLK, "sdmmc_clk", NULL, sdmmc_mux, ARRAY_SIZE(sdmmc_mux), 0, 0xA4,
+	  5, 0, 0, 0, 0xB0, 4, 4},
+	{ STRATIX10_S2F_USER1_CLK, "s2f_user1_clk", NULL, s2f_user1_mux, ARRAY_SIZE(s2f_user1_mux), 0, 0xA4,
+	  6, 0, 0, 0, 0xB0, 5, 0},
+	{ STRATIX10_PSI_REF_CLK, "psi_ref_clk", NULL, psi_mux, ARRAY_SIZE(psi_mux), 0, 0xA4,
+	  7, 0, 0, 0, 0xB0, 6, 0},
 	{ STRATIX10_USB_CLK, "usb_clk", "l4_mp_clk", NULL, 1, 0, 0xA4,
 	  8, 0, 0, 0, 0, 0, 0},
 	{ STRATIX10_SPI_M_CLK, "spi_m_clk", "l4_mp_clk", NULL, 1, 0, 0xA4,



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 071/593] rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 070/593] clk: agilex/stratix10: fix bypass representation Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 072/593] iio: frequency: adf4350: disable reg and clk on error in adf4350_probe() Greg Kroah-Hartman
                   ` (526 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Fuzzey, Nobuhiro Iwamatsu,
	Alexandre Belloni

From: Martin Fuzzey <martin.fuzzey@flowbird.group>

commit 950ac33dbe6ff656a623d862022f0762ec061ba7 upstream.

The STM32MP1 RTC may have 2 clocks, the pclk and the rtc_ck.

If clk_prepare_enable() fails for the second clock (rtc_ck) we must only
call clk_disable_unprepare() for the first clock (pclk) but currently we
call it on both leading to a WARN:

[   15.629568] WARNING: CPU: 0 PID: 146 at drivers/clk/clk.c:958 clk_core_disable+0xb0/0xc8
[   15.637620] ck_rtc already disabled
[   15.663322] CPU: 0 PID: 146 Comm: systemd-udevd Not tainted 5.4.77-pknbsp-svn5759-atag-v5.4.77-204-gea4235203137-dirty #2413
[   15.674510] Hardware name: STM32 (Device Tree Support)
[   15.679658] [<c0111148>] (unwind_backtrace) from [<c010c0b8>] (show_stack+0x10/0x14)
[   15.687371] [<c010c0b8>] (show_stack) from [<c0ab3d28>] (dump_stack+0xc0/0xe0)
[   15.694574] [<c0ab3d28>] (dump_stack) from [<c012360c>] (__warn+0xc8/0xf0)
[   15.701428] [<c012360c>] (__warn) from [<c0123694>] (warn_slowpath_fmt+0x60/0x94)
[   15.708894] [<c0123694>] (warn_slowpath_fmt) from [<c053b518>] (clk_core_disable+0xb0/0xc8)
[   15.717230] [<c053b518>] (clk_core_disable) from [<c053c190>] (clk_core_disable_lock+0x18/0x24)
[   15.725924] [<c053c190>] (clk_core_disable_lock) from [<bf0adc44>] (stm32_rtc_probe+0x124/0x5e4 [rtc_stm32])
[   15.735739] [<bf0adc44>] (stm32_rtc_probe [rtc_stm32]) from [<c05f7d4c>] (platform_drv_probe+0x48/0x98)
[   15.745095] [<c05f7d4c>] (platform_drv_probe) from [<c05f5cec>] (really_probe+0x1f0/0x458)
[   15.753338] [<c05f5cec>] (really_probe) from [<c05f61c4>] (driver_probe_device+0x70/0x1c4)
[   15.761584] [<c05f61c4>] (driver_probe_device) from [<c05f6580>] (device_driver_attach+0x58/0x60)
[   15.770439] [<c05f6580>] (device_driver_attach) from [<c05f6654>] (__driver_attach+0xcc/0x170)
[   15.779032] [<c05f6654>] (__driver_attach) from [<c05f40d8>] (bus_for_each_dev+0x58/0x7c)
[   15.787191] [<c05f40d8>] (bus_for_each_dev) from [<c05f4ffc>] (bus_add_driver+0xdc/0x1f8)
[   15.795352] [<c05f4ffc>] (bus_add_driver) from [<c05f6ed8>] (driver_register+0x7c/0x110)
[   15.803425] [<c05f6ed8>] (driver_register) from [<c01027bc>] (do_one_initcall+0x70/0x1b8)
[   15.811588] [<c01027bc>] (do_one_initcall) from [<c01a1094>] (do_init_module+0x58/0x1f8)
[   15.819660] [<c01a1094>] (do_init_module) from [<c01a0074>] (load_module+0x1e58/0x23c8)
[   15.827646] [<c01a0074>] (load_module) from [<c01a0860>] (sys_finit_module+0xa0/0xd4)
[   15.835459] [<c01a0860>] (sys_finit_module) from [<c01011e0>] (__sys_trace_return+0x0/0x20)

Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
Fixes: 4e64350f42e2 ("rtc: add STM32 RTC driver")
Cc: stable@vger.kernel.org
Reviewed-by: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/1623087421-19722-1-git-send-email-martin.fuzzey@flowbird.group
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/rtc/rtc-stm32.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/rtc/rtc-stm32.c
+++ b/drivers/rtc/rtc-stm32.c
@@ -754,7 +754,7 @@ static int stm32_rtc_probe(struct platfo
 
 	ret = clk_prepare_enable(rtc->rtc_ck);
 	if (ret)
-		goto err;
+		goto err_no_rtc_ck;
 
 	if (rtc->data->need_dbp)
 		regmap_update_bits(rtc->dbp, rtc->dbp_reg,
@@ -830,10 +830,12 @@ static int stm32_rtc_probe(struct platfo
 	}
 
 	return 0;
+
 err:
+	clk_disable_unprepare(rtc->rtc_ck);
+err_no_rtc_ck:
 	if (rtc->data->has_pclk)
 		clk_disable_unprepare(rtc->pclk);
-	clk_disable_unprepare(rtc->rtc_ck);
 
 	if (rtc->data->need_dbp)
 		regmap_update_bits(rtc->dbp, rtc->dbp_reg, rtc->dbp_mask, 0);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 072/593] iio: frequency: adf4350: disable reg and clk on error in adf4350_probe()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 071/593] rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 073/593] iio: light: tcs3472: do not free unallocated IRQ Greg Kroah-Hartman
                   ` (525 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang,
	Linus Walleij, Stable, Jonathan Cameron

From: Yang Yingliang <yangyingliang@huawei.com>

commit c8cc4cf60b000fb9f4b29bed131fb6cf1fe42d67 upstream.

Disable reg and clk when devm_gpiod_get_optional() fails in adf4350_probe().

Fixes:4a89d2f47ccd ("iio: adf4350: Convert to use GPIO descriptor")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20210601142605.3613605-1-yangyingliang@huawei.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/frequency/adf4350.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/iio/frequency/adf4350.c
+++ b/drivers/iio/frequency/adf4350.c
@@ -563,8 +563,10 @@ static int adf4350_probe(struct spi_devi
 
 	st->lock_detect_gpiod = devm_gpiod_get_optional(&spi->dev, NULL,
 							GPIOD_IN);
-	if (IS_ERR(st->lock_detect_gpiod))
-		return PTR_ERR(st->lock_detect_gpiod);
+	if (IS_ERR(st->lock_detect_gpiod)) {
+		ret = PTR_ERR(st->lock_detect_gpiod);
+		goto error_disable_reg;
+	}
 
 	if (pdata->power_up_frequency) {
 		ret = adf4350_set_freq(st, pdata->power_up_frequency);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 073/593] iio: light: tcs3472: do not free unallocated IRQ
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 072/593] iio: frequency: adf4350: disable reg and clk on error in adf4350_probe() Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-13 21:31   ` Pavel Machek
  2021-07-12  6:03 ` [PATCH 5.10 074/593] iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too Greg Kroah-Hartman
                   ` (524 subsequent siblings)
  597 siblings, 1 reply; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, frank zago, Stable, Jonathan Cameron

From: frank zago <frank@zago.net>

commit 7cd04c863f9e1655d607705455e7714f24451984 upstream.

Allocating an IRQ is conditional to the IRQ existence, but freeing it
was not. If no IRQ was allocate, the driver would still try to free
IRQ 0. Add the missing checks.

This fixes the following trace when the driver is removed:

[  100.667788] Trying to free already-free IRQ 0
[  100.667793] WARNING: CPU: 0 PID: 2315 at kernel/irq/manage.c:1826 free_irq+0x1fd/0x370
...
[  100.667914] Call Trace:
[  100.667920]  tcs3472_remove+0x3a/0x90 [tcs3472]
[  100.667927]  i2c_device_remove+0x2b/0xa0

Signed-off-by: frank zago <frank@zago.net>
Link: https://lore.kernel.org/r/20210427022017.19314-2-frank@zago.net
Fixes: 9d2f715d592e ("iio: light: tcs3472: support out-of-threshold events")
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/light/tcs3472.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/iio/light/tcs3472.c
+++ b/drivers/iio/light/tcs3472.c
@@ -531,7 +531,8 @@ static int tcs3472_probe(struct i2c_clie
 	return 0;
 
 free_irq:
-	free_irq(client->irq, indio_dev);
+	if (client->irq)
+		free_irq(client->irq, indio_dev);
 buffer_cleanup:
 	iio_triggered_buffer_cleanup(indio_dev);
 	return ret;
@@ -559,7 +560,8 @@ static int tcs3472_remove(struct i2c_cli
 	struct iio_dev *indio_dev = i2c_get_clientdata(client);
 
 	iio_device_unregister(indio_dev);
-	free_irq(client->irq, indio_dev);
+	if (client->irq)
+		free_irq(client->irq, indio_dev);
 	iio_triggered_buffer_cleanup(indio_dev);
 	tcs3472_powerdown(iio_priv(indio_dev));
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 074/593] iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 073/593] iio: light: tcs3472: do not free unallocated IRQ Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 075/593] iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR Greg Kroah-Hartman
                   ` (523 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Lang, Andy Shevchenko,
	Marc Kleine-Budde, Stable, Jonathan Cameron, Nikita Travkin

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit 2ac0b029a04b673ce83b5089368f467c5dca720c upstream.

The regmap is configured for 8 bit registers, uses a RB-Tree cache and
marks several registers as volatile (i.e. do not cache).

The ALS and PS data registers in the chip are 16 bit wide and spans
two regmap registers. In the current driver only the base register is
marked as volatile, resulting in the upper register only read once.

Further the data sheet notes:

| When the I2C read operation starts, all four ALS data registers are
| locked until the I2C read operation of register 0x8B is completed.

Which results in the registers never update after the 2nd read.

This patch fixes the problem by marking the upper 8 bits of the ALS
and PS registers as volatile, too.

Fixes: 2f2c96338afc ("iio: ltr501: Add regmap support.")
Reported-by: Oliver Lang <Oliver.Lang@gossenmetrawatt.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Tested-by: Nikita Travkin <nikita@trvn.ru> # ltr559
Link: https://lore.kernel.org/r/20210610134619.2101372-2-mkl@pengutronix.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/light/ltr501.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -32,9 +32,12 @@
 #define LTR501_PART_ID 0x86
 #define LTR501_MANUFAC_ID 0x87
 #define LTR501_ALS_DATA1 0x88 /* 16-bit, little endian */
+#define LTR501_ALS_DATA1_UPPER 0x89 /* upper 8 bits of LTR501_ALS_DATA1 */
 #define LTR501_ALS_DATA0 0x8a /* 16-bit, little endian */
+#define LTR501_ALS_DATA0_UPPER 0x8b /* upper 8 bits of LTR501_ALS_DATA0 */
 #define LTR501_ALS_PS_STATUS 0x8c
 #define LTR501_PS_DATA 0x8d /* 16-bit, little endian */
+#define LTR501_PS_DATA_UPPER 0x8e /* upper 8 bits of LTR501_PS_DATA */
 #define LTR501_INTR 0x8f /* output mode, polarity, mode */
 #define LTR501_PS_THRESH_UP 0x90 /* 11 bit, ps upper threshold */
 #define LTR501_PS_THRESH_LOW 0x92 /* 11 bit, ps lower threshold */
@@ -1354,9 +1357,12 @@ static bool ltr501_is_volatile_reg(struc
 {
 	switch (reg) {
 	case LTR501_ALS_DATA1:
+	case LTR501_ALS_DATA1_UPPER:
 	case LTR501_ALS_DATA0:
+	case LTR501_ALS_DATA0_UPPER:
 	case LTR501_ALS_PS_STATUS:
 	case LTR501_PS_DATA:
+	case LTR501_PS_DATA_UPPER:
 		return true;
 	default:
 		return false;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 075/593] iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 074/593] iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 076/593] iio: ltr501: ltr501_read_ps(): add missing endianness conversion Greg Kroah-Hartman
                   ` (522 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Lang, Andy Shevchenko,
	Marc Kleine-Budde, Stable, Jonathan Cameron, Nikita Travkin

From: Oliver Lang <Oliver.Lang@gossenmetrawatt.com>

commit 421a26f3d7a7c3ca43f3a9dc0f3cb0f562d5bd95 upstream.

The ltr559 chip uses only the lowest bit of the ALS_CONTR register to
configure between active and stand-by mode. In the original driver
BIT(1) is used, which does a software reset instead.

This patch fixes the problem by using BIT(0) as als_mode_active for
the ltr559 chip.

Fixes: 8592a7eefa54 ("iio: ltr501: Add support for ltr559 chip")
Signed-off-by: Oliver Lang <Oliver.Lang@gossenmetrawatt.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Tested-by: Nikita Travkin <nikita@trvn.ru> # ltr559
Link: https://lore.kernel.org/r/20210610134619.2101372-3-mkl@pengutronix.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/light/ltr501.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -1208,7 +1208,7 @@ static struct ltr501_chip_info ltr501_ch
 		.als_gain_tbl_size = ARRAY_SIZE(ltr559_als_gain_tbl),
 		.ps_gain = ltr559_ps_gain_tbl,
 		.ps_gain_tbl_size = ARRAY_SIZE(ltr559_ps_gain_tbl),
-		.als_mode_active = BIT(1),
+		.als_mode_active = BIT(0),
 		.als_gain_mask = BIT(2) | BIT(3) | BIT(4),
 		.als_gain_shift = 2,
 		.info = &ltr501_info,



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 076/593] iio: ltr501: ltr501_read_ps(): add missing endianness conversion
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 075/593] iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 077/593] iio: accel: bma180: Fix BMA25x bandwidth register values Greg Kroah-Hartman
                   ` (521 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Lang, Andy Shevchenko,
	Marc Kleine-Budde, Stable, Jonathan Cameron, Nikita Travkin

From: Oliver Lang <Oliver.Lang@gossenmetrawatt.com>

commit 71b33f6f93ef9462c84560e2236ed22209d26a58 upstream.

The PS ADC Channel data is spread over 2 registers in little-endian
form. This patch adds the missing endianness conversion.

Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
Signed-off-by: Oliver Lang <Oliver.Lang@gossenmetrawatt.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Tested-by: Nikita Travkin <nikita@trvn.ru> # ltr559
Link: https://lore.kernel.org/r/20210610134619.2101372-4-mkl@pengutronix.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/light/ltr501.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -409,18 +409,19 @@ static int ltr501_read_als(const struct
 
 static int ltr501_read_ps(const struct ltr501_data *data)
 {
-	int ret, status;
+	__le16 status;
+	int ret;
 
 	ret = ltr501_drdy(data, LTR501_STATUS_PS_RDY);
 	if (ret < 0)
 		return ret;
 
 	ret = regmap_bulk_read(data->regmap, LTR501_PS_DATA,
-			       &status, 2);
+			       &status, sizeof(status));
 	if (ret < 0)
 		return ret;
 
-	return status;
+	return le16_to_cpu(status);
 }
 
 static int ltr501_read_intr_prst(const struct ltr501_data *data,



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 077/593] iio: accel: bma180: Fix BMA25x bandwidth register values
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 076/593] iio: ltr501: ltr501_read_ps(): add missing endianness conversion Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 078/593] serial: mvebu-uart: fix calculation of clock divisor Greg Kroah-Hartman
                   ` (520 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Meerwald, Stephan Gerhold,
	Linus Walleij, Stable, Jonathan Cameron

From: Stephan Gerhold <stephan@gerhold.net>

commit 8090d67421ddab0ae932abab5a60200598bf0bbb upstream.

According to the BMA253 datasheet [1] and BMA250 datasheet [2] the
bandwidth value for BMA25x should be set as 01xxx:

  "Settings 00xxx result in a bandwidth of 7.81 Hz; [...]
   It is recommended [...] to use the range from ´01000b´ to ´01111b´
   only in order to be compatible with future products."

However, at the moment the drivers sets bandwidth values from 0 to 6,
which is not recommended and always results into 7.81 Hz bandwidth
according to the datasheet.

Fix this by introducing a bw_offset = 8 = 01000b for BMA25x,
so the additional bit is always set for BMA25x.

[1]: https://www.bosch-sensortec.com/media/boschsensortec/downloads/datasheets/bst-bma253-ds000.pdf
[2]: https://datasheet.octopart.com/BMA250-Bosch-datasheet-15540103.pdf

Cc: Peter Meerwald <pmeerw@pmeerw.net>
Fixes: 2017cff24cc0 ("iio:bma180: Add BMA250 chip support")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20210526094408.34298-2-stephan@gerhold.net
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/accel/bma180.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/iio/accel/bma180.c
+++ b/drivers/iio/accel/bma180.c
@@ -55,7 +55,7 @@ struct bma180_part_info {
 
 	u8 int_reset_reg, int_reset_mask;
 	u8 sleep_reg, sleep_mask;
-	u8 bw_reg, bw_mask;
+	u8 bw_reg, bw_mask, bw_offset;
 	u8 scale_reg, scale_mask;
 	u8 power_reg, power_mask, lowpower_val;
 	u8 int_enable_reg, int_enable_mask;
@@ -127,6 +127,7 @@ struct bma180_part_info {
 
 #define BMA250_RANGE_MASK	GENMASK(3, 0) /* Range of accel values */
 #define BMA250_BW_MASK		GENMASK(4, 0) /* Accel bandwidth */
+#define BMA250_BW_OFFSET	8
 #define BMA250_SUSPEND_MASK	BIT(7) /* chip will sleep */
 #define BMA250_LOWPOWER_MASK	BIT(6)
 #define BMA250_DATA_INTEN_MASK	BIT(4)
@@ -143,6 +144,7 @@ struct bma180_part_info {
 
 #define BMA254_RANGE_MASK	GENMASK(3, 0) /* Range of accel values */
 #define BMA254_BW_MASK		GENMASK(4, 0) /* Accel bandwidth */
+#define BMA254_BW_OFFSET	8
 #define BMA254_SUSPEND_MASK	BIT(7) /* chip will sleep */
 #define BMA254_LOWPOWER_MASK	BIT(6)
 #define BMA254_DATA_INTEN_MASK	BIT(4)
@@ -283,7 +285,8 @@ static int bma180_set_bw(struct bma180_d
 	for (i = 0; i < data->part_info->num_bw; ++i) {
 		if (data->part_info->bw_table[i] == val) {
 			ret = bma180_set_bits(data, data->part_info->bw_reg,
-				data->part_info->bw_mask, i);
+				data->part_info->bw_mask,
+				i + data->part_info->bw_offset);
 			if (ret) {
 				dev_err(&data->client->dev,
 					"failed to set bandwidth\n");
@@ -876,6 +879,7 @@ static const struct bma180_part_info bma
 		.sleep_mask = BMA250_SUSPEND_MASK,
 		.bw_reg = BMA250_BW_REG,
 		.bw_mask = BMA250_BW_MASK,
+		.bw_offset = BMA250_BW_OFFSET,
 		.scale_reg = BMA250_RANGE_REG,
 		.scale_mask = BMA250_RANGE_MASK,
 		.power_reg = BMA250_POWER_REG,
@@ -905,6 +909,7 @@ static const struct bma180_part_info bma
 		.sleep_mask = BMA254_SUSPEND_MASK,
 		.bw_reg = BMA254_BW_REG,
 		.bw_mask = BMA254_BW_MASK,
+		.bw_offset = BMA254_BW_OFFSET,
 		.scale_reg = BMA254_RANGE_REG,
 		.scale_mask = BMA254_RANGE_MASK,
 		.power_reg = BMA254_POWER_REG,



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 078/593] serial: mvebu-uart: fix calculation of clock divisor
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 077/593] iio: accel: bma180: Fix BMA25x bandwidth register values Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:03 ` [PATCH 5.10 079/593] serial: sh-sci: Stop dmaengine transfer in sci_stop_tx() Greg Kroah-Hartman
                   ` (519 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pali Rohár

From: Pali Rohár <pali@kernel.org>

commit 9078204ca5c33ba20443a8623a41a68a9995a70d upstream.

The clock divisor should be rounded to the closest value.

Signed-off-by: Pali Rohár <pali@kernel.org>
Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate")
Cc: stable@vger.kernel.org # 0e4cf69ede87 ("serial: mvebu-uart: clarify the baud rate derivation")
Link: https://lore.kernel.org/r/20210624224909.6350-2-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/mvebu-uart.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/mvebu-uart.c
+++ b/drivers/tty/serial/mvebu-uart.c
@@ -463,7 +463,7 @@ static int mvebu_uart_baud_rate_set(stru
 	 * makes use of D to configure the desired baudrate.
 	 */
 	m_divisor = OSAMP_DEFAULT_DIVISOR;
-	d_divisor = DIV_ROUND_UP(port->uartclk, baud * m_divisor);
+	d_divisor = DIV_ROUND_CLOSEST(port->uartclk, baud * m_divisor);
 
 	brdv = readl(port->membase + UART_BRDV);
 	brdv &= ~BRDV_BAUD_MASK;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 079/593] serial: sh-sci: Stop dmaengine transfer in sci_stop_tx()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 078/593] serial: mvebu-uart: fix calculation of clock divisor Greg Kroah-Hartman
@ 2021-07-12  6:03 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 080/593] serial_cs: Add Option International GSM-Ready 56K/ISDN modem Greg Kroah-Hartman
                   ` (518 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yoshihiro Shimoda

From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>

commit 08a84410a04f05c7c1b8e833f552416d8eb9f6fe upstream.

Stop dmaengine transfer in sci_stop_tx(). Otherwise, the following
message is possible output when system enters suspend and while
transferring data, because clearing TIE bit in SCSCR is not able to
stop any dmaengine transfer.

    sh-sci e6550000.serial: ttySC1: Unable to drain transmitter

Note that this driver has already used some #ifdef in the .c file
so that this patch also uses #ifdef to fix the issue. Otherwise,
build errors happens if the CONFIG_SERIAL_SH_SCI_DMA is disabled.

Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.")
Cc: <stable@vger.kernel.org> # v4.9+
Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Link: https://lore.kernel.org/r/20210610110806.277932-1-yoshihiro.shimoda.uh@renesas.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/sh-sci.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -610,6 +610,14 @@ static void sci_stop_tx(struct uart_port
 	ctrl &= ~SCSCR_TIE;
 
 	serial_port_out(port, SCSCR, ctrl);
+
+#ifdef CONFIG_SERIAL_SH_SCI_DMA
+	if (to_sci_port(port)->chan_tx &&
+	    !dma_submit_error(to_sci_port(port)->cookie_tx)) {
+		dmaengine_terminate_async(to_sci_port(port)->chan_tx);
+		to_sci_port(port)->cookie_tx = -EINVAL;
+	}
+#endif
 }
 
 static void sci_start_rx(struct uart_port *port)



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 080/593] serial_cs: Add Option International GSM-Ready 56K/ISDN modem
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2021-07-12  6:03 ` [PATCH 5.10 079/593] serial: sh-sci: Stop dmaengine transfer in sci_stop_tx() Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 081/593] serial_cs: remove wrong GLOBETROTTER.cis entry Greg Kroah-Hartman
                   ` (517 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ondrej Zary

From: Ondrej Zary <linux@zary.sk>

commit d495dd743d5ecd47288156e25c4d9163294a0992 upstream.

Add support for Option International GSM-Ready 56K/ISDN PCMCIA modem
card.

Signed-off-by: Ondrej Zary <linux@zary.sk>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210611201940.23898-2-linux@zary.sk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/serial_cs.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/tty/serial/8250/serial_cs.c
+++ b/drivers/tty/serial/8250/serial_cs.c
@@ -780,6 +780,7 @@ static const struct pcmcia_device_id ser
 	PCMCIA_DEVICE_PROD_ID12("Multi-Tech", "MT2834LT", 0x5f73be51, 0x4cd7c09e),
 	PCMCIA_DEVICE_PROD_ID12("OEM      ", "C288MX     ", 0xb572d360, 0xd2385b7a),
 	PCMCIA_DEVICE_PROD_ID12("Option International", "V34bis GSM/PSTN Data/Fax Modem", 0x9d7cd6f5, 0x5cb8bf41),
+	PCMCIA_DEVICE_PROD_ID12("Option International", "GSM-Ready 56K/ISDN", 0x9d7cd6f5, 0xb23844aa),
 	PCMCIA_DEVICE_PROD_ID12("PCMCIA   ", "C336MX     ", 0x99bcafe9, 0xaa25bcab),
 	PCMCIA_DEVICE_PROD_ID12("Quatech Inc", "PCMCIA Dual RS-232 Serial Port Card", 0xc4420b35, 0x92abc92f),
 	PCMCIA_DEVICE_PROD_ID12("Quatech Inc", "Dual RS-232 Serial Port PC Card", 0xc4420b35, 0x031a380d),



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 081/593] serial_cs: remove wrong GLOBETROTTER.cis entry
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 080/593] serial_cs: Add Option International GSM-Ready 56K/ISDN modem Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 082/593] ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() Greg Kroah-Hartman
                   ` (516 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ondrej Zary

From: Ondrej Zary <linux@zary.sk>

commit 11b1d881a90fc184cc7d06e9804eb288c24a2a0d upstream.

The GLOBETROTTER.cis entry in serial_cs matches more devices than
intended and breaks them. Remove it.

Example: # pccardctl info
PRODID_1="Option International
"
PRODID_2="GSM-Ready 56K/ISDN
"
PRODID_3="021
"
PRODID_4="A
"
MANFID=0013,0000
FUNCID=0

result:
pcmcia 0.0: Direct firmware load for cis/GLOBETROTTER.cis failed with error -2

The GLOBETROTTER.cis is nowhere to be found. There's GLOBETROTTER.cis.ihex at
https://netdev.vger.kernel.narkive.com/h4inqdxM/patch-axnet-cs-fix-phy-id-detection-for-bogus-asix-chip#post41
It's from completely diffetent card:
vers_1 4.1, "Option International", "GSM/GPRS GlobeTrotter", "001", "A"

Signed-off-by: Ondrej Zary <linux@zary.sk>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210611201940.23898-1-linux@zary.sk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/serial_cs.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/tty/serial/8250/serial_cs.c
+++ b/drivers/tty/serial/8250/serial_cs.c
@@ -808,7 +808,6 @@ static const struct pcmcia_device_id ser
 	PCMCIA_DEVICE_CIS_PROD_ID12("ADVANTECH", "COMpad-32/85B-4", 0x96913a85, 0xcec8f102, "cis/COMpad4.cis"),
 	PCMCIA_DEVICE_CIS_PROD_ID123("ADVANTECH", "COMpad-32/85", "1.0", 0x96913a85, 0x8fbe92ae, 0x0877b627, "cis/COMpad2.cis"),
 	PCMCIA_DEVICE_CIS_PROD_ID2("RS-COM 2P", 0xad20b156, "cis/RS-COM-2P.cis"),
-	PCMCIA_DEVICE_CIS_MANF_CARD(0x0013, 0x0000, "cis/GLOBETROTTER.cis"),
 	PCMCIA_DEVICE_PROD_ID12("ELAN DIGITAL SYSTEMS LTD, c1997.", "SERIAL CARD: SL100  1.00.", 0x19ca78af, 0xf964f42b),
 	PCMCIA_DEVICE_PROD_ID12("ELAN DIGITAL SYSTEMS LTD, c1997.", "SERIAL CARD: SL100", 0x19ca78af, 0x71d98e83),
 	PCMCIA_DEVICE_PROD_ID12("ELAN DIGITAL SYSTEMS LTD, c1997.", "SERIAL CARD: SL232  1.00.", 0x19ca78af, 0x69fb7490),



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 082/593] ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 081/593] serial_cs: remove wrong GLOBETROTTER.cis entry Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 083/593] ssb: sdio: Dont overwrite const buffer if block_write fails Greg Kroah-Hartman
                   ` (515 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pali Rohár, Kalle Valo

From: Pali Rohár <pali@kernel.org>

commit fb312ac5ccb007e843f982b38d4d6886ba4b32f2 upstream.

I got this crash more times during debugging of PCIe controller and crash
happens somehow at the time when PCIe kernel code started link retraining (as
part of ASPM code) when at the same time PCIe link went down and ath9k probably
executed hw reset procedure.

Currently I'm not able to reproduce this issue as it looks like to be
some race condition between link training, ASPM, link down and reset
path. And as always, race conditions which depends on more input
parameters are hard to reproduce as it depends on precise timings.

But it is clear that pointers are zero in this case and should be
properly filled as same code pattern is used in ath9k_stop() function.
Anyway I was able to reproduce this crash by manually triggering ath
reset worker prior putting card up. I created simple patch to export
reset functionality via debugfs and use it to "simulate" of triggering
reset.    s proved that NULL-pointer dereference issue is there.

Function ath9k_hw_reset() is dereferencing chan structure pointer, so it
needs to be non-NULL pointer.

Function ath9k_stop() already contains code which sets ah->curchan to valid
non-NULL pointer prior calling ath9k_hw_reset() function.

Add same code pattern also into ath_reset_internal() function to prevent
kernel NULL pointer dereference in ath9k_hw_reset() function.

This change fixes kernel NULL pointer dereference in ath9k_hw_reset() which
is caused by calling ath9k_hw_reset() from ath_reset_internal() with NULL
chan structure.

    [   45.334305] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
    [   45.344417] Mem abort info:
    [   45.347301]   ESR = 0x96000005
    [   45.350448]   EC = 0x25: DABT (current EL), IL = 32 bits
    [   45.356166]   SET = 0, FnV = 0
    [   45.359350]   EA = 0, S1PTW = 0
    [   45.362596] Data abort info:
    [   45.365756]   ISV = 0, ISS = 0x00000005
    [   45.369735]   CM = 0, WnR = 0
    [   45.372814] user pgtable: 4k pages, 39-bit VAs, pgdp=000000000685d000
    [   45.379663] [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
    [   45.388856] Internal error: Oops: 96000005 [#1] SMP
    [   45.393897] Modules linked in: ath9k ath9k_common ath9k_hw
    [   45.399574] CPU: 1 PID: 309 Comm: kworker/u4:2 Not tainted 5.12.0-rc2-dirty #785
    [   45.414746] Workqueue: phy0 ath_reset_work [ath9k]
    [   45.419713] pstate: 40000005 (nZcv daif -PAN -UAO -TCO BTYPE=--)
    [   45.425910] pc : ath9k_hw_reset+0xc4/0x1c48 [ath9k_hw]
    [   45.431234] lr : ath9k_hw_reset+0xc0/0x1c48 [ath9k_hw]
    [   45.436548] sp : ffffffc0118dbca0
    [   45.439961] x29: ffffffc0118dbca0 x28: 0000000000000000
    [   45.445442] x27: ffffff800dee4080 x26: 0000000000000000
    [   45.450923] x25: ffffff800df9b9d8 x24: 0000000000000000
    [   45.456404] x23: ffffffc0115f6000 x22: ffffffc008d0d408
    [   45.461885] x21: ffffff800dee5080 x20: ffffff800df9b9d8
    [   45.467366] x19: 0000000000000000 x18: 0000000000000000
    [   45.472846] x17: 0000000000000000 x16: 0000000000000000
    [   45.478326] x15: 0000000000000010 x14: ffffffffffffffff
    [   45.483807] x13: ffffffc0918db94f x12: ffffffc011498720
    [   45.489289] x11: 0000000000000003 x10: ffffffc0114806e0
    [   45.494770] x9 : ffffffc01014b2ec x8 : 0000000000017fe8
    [   45.500251] x7 : c0000000ffffefff x6 : 0000000000000001
    [   45.505733] x5 : 0000000000000000 x4 : 0000000000000000
    [   45.511213] x3 : 0000000000000000 x2 : ffffff801fece870
    [   45.516693] x1 : ffffffc00eded000 x0 : 000000000000003f
    [   45.522174] Call trace:
    [   45.524695]  ath9k_hw_reset+0xc4/0x1c48 [ath9k_hw]
    [   45.529653]  ath_reset_internal+0x1a8/0x2b8 [ath9k]
    [   45.534696]  ath_reset_work+0x2c/0x40 [ath9k]
    [   45.539198]  process_one_work+0x210/0x480
    [   45.543339]  worker_thread+0x5c/0x510
    [   45.547115]  kthread+0x12c/0x130
    [   45.550445]  ret_from_fork+0x10/0x1c
    [   45.554138] Code: 910922c2 9117e021 95ff0398 b4000294 (b9400a61)
    [   45.560430] ---[ end trace 566410ba90b50e8b ]---
    [   45.565193] Kernel panic - not syncing: Oops: Fatal exception in interrupt
    [   45.572282] SMP: stopping secondary CPUs
    [   45.576331] Kernel Offset: disabled
    [   45.579924] CPU features: 0x00040002,0000200c
    [   45.584416] Memory Limit: none
    [   45.587564] Rebooting in 3 seconds..

Signed-off-by: Pali Rohár <pali@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210402122653.24014-1-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ath9k/main.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -307,6 +307,11 @@ static int ath_reset_internal(struct ath
 		hchan = ah->curchan;
 	}
 
+	if (!hchan) {
+		fastcc = false;
+		hchan = ath9k_cmn_get_channel(sc->hw, ah, &sc->cur_chan->chandef);
+	}
+
 	if (!ath_prepare_reset(sc))
 		fastcc = false;
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 083/593] ssb: sdio: Dont overwrite const buffer if block_write fails
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 082/593] ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 084/593] rsi: Assign beacon rate settings to the correct rate_info descriptor field Greg Kroah-Hartman
                   ` (514 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Büsch, Kalle Valo

From: Michael Buesch <m@bues.ch>

commit 47ec636f7a25aa2549e198c48ecb6b1c25d05456 upstream.

It doesn't make sense to clobber the const driver-side buffer, if a
write-to-device attempt failed. All other SSB variants (PCI, PCMCIA and SoC)
also don't corrupt the buffer on any failure in block_write.
Therefore, remove this memset from the SDIO variant.

Signed-off-by: Michael Büsch <m@bues.ch>
Cc: stable@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210515210252.318be2ba@wiggum
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/ssb/sdio.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/ssb/sdio.c
+++ b/drivers/ssb/sdio.c
@@ -411,7 +411,6 @@ static void ssb_sdio_block_write(struct
 	sdio_claim_host(bus->host_sdio);
 	if (unlikely(ssb_sdio_switch_core(bus, dev))) {
 		error = -EIO;
-		memset((void *)buffer, 0xff, count);
 		goto err_out;
 	}
 	offset |= bus->sdio_sbaddr & 0xffff;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 084/593] rsi: Assign beacon rate settings to the correct rate_info descriptor field
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 083/593] ssb: sdio: Dont overwrite const buffer if block_write fails Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 085/593] rsi: fix AP mode with WPA failure due to encrypted EAPOL Greg Kroah-Hartman
                   ` (513 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, Amitkumar Karwar,
	Angus Ainslie, David S. Miller, Jakub Kicinski, Kalle Valo,
	Karun Eagalapati, Martin Kepplinger, Prameela Rani Garnepudi,
	Sebastian Krzyszkowiak, Siva Rebbagondla, netdev

From: Marek Vasut <marex@denx.de>

commit b1c3a24897bd528f2f4fda9fea7da08a84ae25b6 upstream.

The RSI_RATE_x bits must be assigned to struct rsi_data_desc rate_info
field. The rest of the driver does it correctly, except this one place,
so fix it. This is also aligned with the RSI downstream vendor driver.
Without this patch, an AP operating at 5 GHz does not transmit any
beacons at all, this patch fixes that.

Fixes: d26a9559403c ("rsi: add beacon changes for AP mode")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Amitkumar Karwar <amit.karwar@redpinesignals.com>
Cc: Angus Ainslie <angus@akkea.ca>
Cc: David S. Miller <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: Karun Eagalapati <karun256@gmail.com>
Cc: Martin Kepplinger <martink@posteo.de>
Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
Cc: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
Cc: Siva Rebbagondla <siva8118@gmail.com>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210507213105.140138-1-marex@denx.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/rsi/rsi_91x_hal.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
+++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
@@ -470,9 +470,9 @@ int rsi_prepare_beacon(struct rsi_common
 	}
 
 	if (common->band == NL80211_BAND_2GHZ)
-		bcn_frm->bbp_info |= cpu_to_le16(RSI_RATE_1);
+		bcn_frm->rate_info |= cpu_to_le16(RSI_RATE_1);
 	else
-		bcn_frm->bbp_info |= cpu_to_le16(RSI_RATE_6);
+		bcn_frm->rate_info |= cpu_to_le16(RSI_RATE_6);
 
 	if (mac_bcn->data[tim_offset + 2] == 0)
 		bcn_frm->frame_info |= cpu_to_le16(RSI_DATA_DESC_DTIM_BEACON);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 085/593] rsi: fix AP mode with WPA failure due to encrypted EAPOL
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 084/593] rsi: Assign beacon rate settings to the correct rate_info descriptor field Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 086/593] tracing/histograms: Fix parsing of "sym-offset" modifier Greg Kroah-Hartman
                   ` (512 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin Fuzzey, Kalle Valo

From: Martin Fuzzey <martin.fuzzey@flowbird.group>

commit 314538041b5632ffaf64798faaeabaf2793fe029 upstream.

In AP mode WPA2-PSK connections were not established.

The reason was that the AP was sending the first message
of the 4 way handshake encrypted, even though no pairwise
key had (correctly) yet been set.

Encryption was enabled if the "security_enable" driver flag
was set and encryption was not explicitly disabled by
IEEE80211_TX_INTFL_DONT_ENCRYPT.

However security_enable was set when *any* key, including
the AP GTK key, had been set which was causing unwanted
encryption even if no key was avaialble for the unicast
packet to be sent.

Fix this by adding a check that we have a key and drop
the old security_enable driver flag which is insufficient
and redundant.

The Redpine downstream out of tree driver does it this way too.

Regarding the Fixes tag the actual code being modified was
introduced earlier, with the original driver submission, in
dad0d04fa7ba ("rsi: Add RS9113 wireless driver"), however
at that time AP mode was not yet supported so there was
no bug at that point.

So I have tagged the introduction of AP support instead
which was part of the patch set "rsi: support for AP mode" [1]

It is not clear whether AP WPA has ever worked, I can see nothing
on the kernel side that broke it afterwards yet the AP support
patch series says "Tests are performed to confirm aggregation,
connections in WEP and WPA/WPA2 security."

One possibility is that the initial tests were done with a modified
userspace (hostapd).

[1] https://www.spinics.net/lists/linux-wireless/msg165302.html

Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
Fixes: 38ef62353acb ("rsi: security enhancements for AP mode")
CC: stable@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1622564459-24430-1-git-send-email-martin.fuzzey@flowbird.group
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/rsi/rsi_91x_hal.c      |    2 +-
 drivers/net/wireless/rsi/rsi_91x_mac80211.c |    3 ---
 drivers/net/wireless/rsi/rsi_91x_mgmt.c     |    3 +--
 drivers/net/wireless/rsi/rsi_main.h         |    1 -
 4 files changed, 2 insertions(+), 7 deletions(-)

--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
+++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
@@ -203,7 +203,7 @@ int rsi_prepare_data_desc(struct rsi_com
 		wh->frame_control |= cpu_to_le16(RSI_SET_PS_ENABLE);
 
 	if ((!(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)) &&
-	    (common->secinfo.security_enable)) {
+	    info->control.hw_key) {
 		if (rsi_is_cipher_wep(common))
 			ieee80211_size += 4;
 		else
--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
@@ -1028,7 +1028,6 @@ static int rsi_mac80211_set_key(struct i
 	mutex_lock(&common->mutex);
 	switch (cmd) {
 	case SET_KEY:
-		secinfo->security_enable = true;
 		status = rsi_hal_key_config(hw, vif, key, sta);
 		if (status) {
 			mutex_unlock(&common->mutex);
@@ -1047,8 +1046,6 @@ static int rsi_mac80211_set_key(struct i
 		break;
 
 	case DISABLE_KEY:
-		if (vif->type == NL80211_IFTYPE_STATION)
-			secinfo->security_enable = false;
 		rsi_dbg(ERR_ZONE, "%s: RSI del key\n", __func__);
 		memset(key, 0, sizeof(struct ieee80211_key_conf));
 		status = rsi_hal_key_config(hw, vif, key, sta);
--- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c
+++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c
@@ -1803,8 +1803,7 @@ int rsi_send_wowlan_request(struct rsi_c
 			RSI_WIFI_MGMT_Q);
 	cmd_frame->desc.desc_dword0.frame_type = WOWLAN_CONFIG_PARAMS;
 	cmd_frame->host_sleep_status = sleep_status;
-	if (common->secinfo.security_enable &&
-	    common->secinfo.gtk_cipher)
+	if (common->secinfo.gtk_cipher)
 		flags |= RSI_WOW_GTK_REKEY;
 	if (sleep_status)
 		cmd_frame->wow_flags = flags;
--- a/drivers/net/wireless/rsi/rsi_main.h
+++ b/drivers/net/wireless/rsi/rsi_main.h
@@ -151,7 +151,6 @@ enum edca_queue {
 };
 
 struct security_info {
-	bool security_enable;
 	u32 ptk_cipher;
 	u32 gtk_cipher;
 };



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 086/593] tracing/histograms: Fix parsing of "sym-offset" modifier
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 085/593] rsi: fix AP mode with WPA failure due to encrypted EAPOL Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 087/593] tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing Greg Kroah-Hartman
                   ` (511 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Andrew Morton,
	Masami Hiramatsu, Namhyung Kim, Daniel Bristot de Oliveira,
	Tom Zanussi, Steven Rostedt (VMware)

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit 26c563731056c3ee66f91106c3078a8c36bb7a9e upstream.

With the addition of simple mathematical operations (plus and minus), the
parsing of the "sym-offset" modifier broke, as it took the '-' part of the
"sym-offset" as a minus, and tried to break it up into a mathematical
operation of "field.sym - offset", in which case it failed to parse
(unless the event had a field called "offset").

Both .sym and .sym-offset modifiers should not be entered into
mathematical calculations anyway. If ".sym-offset" is found in the
modifier, then simply make it not an operation that can be calculated on.

Link: https://lkml.kernel.org/r/20210707110821.188ae255@oasis.local.home

Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Daniel Bristot de Oliveira <bristot@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 100719dcef447 ("tracing: Add simple expression support to hist triggers")
Reviewed-by: Tom Zanussi <zanussi@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace_events_hist.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -1539,6 +1539,13 @@ static int contains_operator(char *str)
 
 	switch (*op) {
 	case '-':
+		/*
+		 * Unfortunately, the modifier ".sym-offset"
+		 * can confuse things.
+		 */
+		if (op - str >= 4 && !strncmp(op - 4, ".sym-offset", 11))
+			return FIELD_OP_NONE;
+
 		if (*str == '-')
 			field_op = FIELD_OP_UNARY_MINUS;
 		else



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 087/593] tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 086/593] tracing/histograms: Fix parsing of "sym-offset" modifier Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 088/593] seq_buf: Make trace_seq_putmem_hex() support data longer than 8 Greg Kroah-Hartman
                   ` (510 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot, Tetsuo Handa,
	Steven Rostedt (VMware)

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit 9913d5745bd720c4266805c8d29952a3702e4eca upstream.

All internal use cases for tracepoint_probe_register() is set to not ever
be called with the same function and data. If it is, it is considered a
bug, as that means the accounting of handling tracepoints is corrupted.
If the function and data for a tracepoint is already registered when
tracepoint_probe_register() is called, it will call WARN_ON_ONCE() and
return with EEXISTS.

The BPF system call can end up calling tracepoint_probe_register() with
the same data, which now means that this can trigger the warning because
of a user space process. As WARN_ON_ONCE() should not be called because
user space called a system call with bad data, there needs to be a way to
register a tracepoint without triggering a warning.

Enter tracepoint_probe_register_may_exist(), which can be called, but will
not cause a WARN_ON() if the probe already exists. It will still error out
with EEXIST, which will then be sent to the user space that performed the
BPF system call.

This keeps the previous testing for issues with other users of the
tracepoint code, while letting BPF call it with duplicated data and not
warn about it.

Link: https://lore.kernel.org/lkml/20210626135845.4080-1-penguin-kernel@I-love.SAKURA.ne.jp/
Link: https://syzkaller.appspot.com/bug?id=41f4318cf01762389f4d1c1c459da4f542fe5153

Cc: stable@vger.kernel.org
Fixes: c4f6699dfcb85 ("bpf: introduce BPF_RAW_TRACEPOINT")
Reported-by: syzbot <syzbot+721aa903751db87aa244@syzkaller.appspotmail.com>
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot+721aa903751db87aa244@syzkaller.appspotmail.com
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/tracepoint.h |   10 ++++++++++
 kernel/trace/bpf_trace.c   |    3 ++-
 kernel/tracepoint.c        |   33 ++++++++++++++++++++++++++++++---
 3 files changed, 42 insertions(+), 4 deletions(-)

--- a/include/linux/tracepoint.h
+++ b/include/linux/tracepoint.h
@@ -41,7 +41,17 @@ extern int
 tracepoint_probe_register_prio(struct tracepoint *tp, void *probe, void *data,
 			       int prio);
 extern int
+tracepoint_probe_register_prio_may_exist(struct tracepoint *tp, void *probe, void *data,
+					 int prio);
+extern int
 tracepoint_probe_unregister(struct tracepoint *tp, void *probe, void *data);
+static inline int
+tracepoint_probe_register_may_exist(struct tracepoint *tp, void *probe,
+				    void *data)
+{
+	return tracepoint_probe_register_prio_may_exist(tp, probe, data,
+							TRACEPOINT_DEFAULT_PRIO);
+}
 extern void
 for_each_kernel_tracepoint(void (*fct)(struct tracepoint *tp, void *priv),
 		void *priv);
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -2106,7 +2106,8 @@ static int __bpf_probe_register(struct b
 	if (prog->aux->max_tp_access > btp->writable_size)
 		return -EINVAL;
 
-	return tracepoint_probe_register(tp, (void *)btp->bpf_func, prog);
+	return tracepoint_probe_register_may_exist(tp, (void *)btp->bpf_func,
+						   prog);
 }
 
 int bpf_probe_register(struct bpf_raw_event_map *btp, struct bpf_prog *prog)
--- a/kernel/tracepoint.c
+++ b/kernel/tracepoint.c
@@ -294,7 +294,8 @@ static void tracepoint_update_call(struc
  * Add the probe function to a tracepoint.
  */
 static int tracepoint_add_func(struct tracepoint *tp,
-			       struct tracepoint_func *func, int prio)
+			       struct tracepoint_func *func, int prio,
+			       bool warn)
 {
 	struct tracepoint_func *old, *tp_funcs;
 	int ret;
@@ -309,7 +310,7 @@ static int tracepoint_add_func(struct tr
 			lockdep_is_held(&tracepoints_mutex));
 	old = func_add(&tp_funcs, func, prio);
 	if (IS_ERR(old)) {
-		WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
+		WARN_ON_ONCE(warn && PTR_ERR(old) != -ENOMEM);
 		return PTR_ERR(old);
 	}
 
@@ -365,6 +366,32 @@ static int tracepoint_remove_func(struct
 }
 
 /**
+ * tracepoint_probe_register_prio_may_exist -  Connect a probe to a tracepoint with priority
+ * @tp: tracepoint
+ * @probe: probe handler
+ * @data: tracepoint data
+ * @prio: priority of this function over other registered functions
+ *
+ * Same as tracepoint_probe_register_prio() except that it will not warn
+ * if the tracepoint is already registered.
+ */
+int tracepoint_probe_register_prio_may_exist(struct tracepoint *tp, void *probe,
+					     void *data, int prio)
+{
+	struct tracepoint_func tp_func;
+	int ret;
+
+	mutex_lock(&tracepoints_mutex);
+	tp_func.func = probe;
+	tp_func.data = data;
+	tp_func.prio = prio;
+	ret = tracepoint_add_func(tp, &tp_func, prio, false);
+	mutex_unlock(&tracepoints_mutex);
+	return ret;
+}
+EXPORT_SYMBOL_GPL(tracepoint_probe_register_prio_may_exist);
+
+/**
  * tracepoint_probe_register_prio -  Connect a probe to a tracepoint with priority
  * @tp: tracepoint
  * @probe: probe handler
@@ -387,7 +414,7 @@ int tracepoint_probe_register_prio(struc
 	tp_func.func = probe;
 	tp_func.data = data;
 	tp_func.prio = prio;
-	ret = tracepoint_add_func(tp, &tp_func, prio);
+	ret = tracepoint_add_func(tp, &tp_func, prio, true);
 	mutex_unlock(&tracepoints_mutex);
 	return ret;
 }



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 088/593] seq_buf: Make trace_seq_putmem_hex() support data longer than 8
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 087/593] tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 089/593] powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi() Greg Kroah-Hartman
                   ` (509 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yun Zhou, Steven Rostedt (VMware)

From: Yun Zhou <yun.zhou@windriver.com>

commit 6a2cbc58d6c9d90cd74288cc497c2b45815bc064 upstream.

Since the raw memory 'data' does not go forward, it will dump repeated
data if the data length is more than 8. If we want to dump longer data
blocks, we need to repeatedly call macro SEQ_PUT_HEX_FIELD. I think it
is a bit redundant, and multiple function calls also affect the performance.

Link: https://lore.kernel.org/lkml/20210625122453.5e2fe304@oasis.local.home/
Link: https://lkml.kernel.org/r/20210626032156.47889-2-yun.zhou@windriver.com

Cc: stable@vger.kernel.org
Fixes: 6d2289f3faa7 ("tracing: Make trace_seq_putmem_hex() more robust")
Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/seq_buf.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/lib/seq_buf.c
+++ b/lib/seq_buf.c
@@ -243,12 +243,14 @@ int seq_buf_putmem_hex(struct seq_buf *s
 			break;
 
 		/* j increments twice per loop */
-		len -= j / 2;
 		hex[j++] = ' ';
 
 		seq_buf_putmem(s, hex, j);
 		if (seq_buf_has_overflowed(s))
 			return -1;
+
+		len -= start_len;
+		data += start_len;
 	}
 	return 0;
 }



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 089/593] powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 088/593] seq_buf: Make trace_seq_putmem_hex() support data longer than 8 Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 090/593] loop: Fix missing discard support when using LOOP_CONFIGURE Greg Kroah-Hartman
                   ` (508 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nathan Lynch, Michael Ellerman

From: Michael Ellerman <mpe@ellerman.id.au>

commit 7c6986ade69e3c81bac831645bc72109cd798a80 upstream.

In raise_backtrace_ipi() we iterate through the cpumask of CPUs, sending
each an IPI asking them to do a backtrace, but we don't wait for the
backtrace to happen.

We then iterate through the CPU mask again, and if any CPU hasn't done
the backtrace and cleared itself from the mask, we print a trace on its
behalf, noting that the trace may be "stale".

This works well enough when a CPU is not responding, because in that
case it doesn't receive the IPI and the sending CPU is left to print the
trace. But when all CPUs are responding we are left with a race between
the sending and receiving CPUs, if the sending CPU wins the race then it
will erroneously print a trace.

This leads to spurious "stale" traces from the sending CPU, which can
then be interleaved messily with the receiving CPU, note the CPU
numbers, eg:

  [ 1658.929157][    C7] rcu: Stack dump where RCU GP kthread last ran:
  [ 1658.929223][    C7] Sending NMI from CPU 7 to CPUs 1:
  [ 1658.929303][    C1] NMI backtrace for cpu 1
  [ 1658.929303][    C7] CPU 1 didn't respond to backtrace IPI, inspecting paca.
  [ 1658.929362][    C1] CPU: 1 PID: 325 Comm: kworker/1:1H Tainted: G        W   E     5.13.0-rc2+ #46
  [ 1658.929405][    C7] irq_soft_mask: 0x01 in_mce: 0 in_nmi: 0 current: 325 (kworker/1:1H)
  [ 1658.929465][    C1] Workqueue: events_highpri test_work_fn [test_lockup]
  [ 1658.929549][    C7] Back trace of paca->saved_r1 (0xc0000000057fb400) (possibly stale):
  [ 1658.929592][    C1] NIP:  c00000000002cf50 LR: c008000000820178 CTR: c00000000002cfa0

To fix it, change the logic so that the sending CPU waits 5s for the
receiving CPU to print its trace. If the receiving CPU prints its trace
successfully then the sending CPU just continues, avoiding any spurious
"stale" trace.

This has the added benefit of allowing all CPUs to print their traces in
order and avoids any interleaving of their output.

Fixes: 5cc05910f26e ("powerpc/64s: Wire up arch_trigger_cpumask_backtrace()")
Cc: stable@vger.kernel.org # v4.18+
Reported-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210625140408.3351173-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/kernel/stacktrace.c |   26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

--- a/arch/powerpc/kernel/stacktrace.c
+++ b/arch/powerpc/kernel/stacktrace.c
@@ -230,17 +230,31 @@ static void handle_backtrace_ipi(struct
 
 static void raise_backtrace_ipi(cpumask_t *mask)
 {
+	struct paca_struct *p;
 	unsigned int cpu;
+	u64 delay_us;
 
 	for_each_cpu(cpu, mask) {
-		if (cpu == smp_processor_id())
+		if (cpu == smp_processor_id()) {
 			handle_backtrace_ipi(NULL);
-		else
-			smp_send_safe_nmi_ipi(cpu, handle_backtrace_ipi, 5 * USEC_PER_SEC);
-	}
+			continue;
+		}
 
-	for_each_cpu(cpu, mask) {
-		struct paca_struct *p = paca_ptrs[cpu];
+		delay_us = 5 * USEC_PER_SEC;
+
+		if (smp_send_safe_nmi_ipi(cpu, handle_backtrace_ipi, delay_us)) {
+			// Now wait up to 5s for the other CPU to do its backtrace
+			while (cpumask_test_cpu(cpu, mask) && delay_us) {
+				udelay(1);
+				delay_us--;
+			}
+
+			// Other CPU cleared itself from the mask
+			if (delay_us)
+				continue;
+		}
+
+		p = paca_ptrs[cpu];
 
 		cpumask_clear_cpu(cpu, mask);
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 090/593] loop: Fix missing discard support when using LOOP_CONFIGURE
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 089/593] powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi() Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 091/593] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Greg Kroah-Hartman
                   ` (507 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kristian Klausen, Jens Axboe

From: Kristian Klausen <kristian@klausen.dk>

commit 2b9ac22b12a266eb4fec246a07b504dd4983b16b upstream.

Without calling loop_config_discard() the discard flag and parameters
aren't set/updated for the loop device and worst-case they could
indicate discard support when it isn't the case (ex: if the
LOOP_SET_STATUS ioctl was used with a different file prior to
LOOP_CONFIGURE).

Cc: <stable@vger.kernel.org> # 5.8.x-
Fixes: 3448914e8cc5 ("loop: Add LOOP_CONFIGURE ioctl")
Signed-off-by: Kristian Klausen <kristian@klausen.dk>
Link: https://lore.kernel.org/r/20210618115157.31452-1-kristian@klausen.dk
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/block/loop.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1161,6 +1161,7 @@ static int loop_configure(struct loop_de
 	blk_queue_physical_block_size(lo->lo_queue, bsize);
 	blk_queue_io_min(lo->lo_queue, bsize);
 
+	loop_config_discard(lo);
 	loop_update_rotational(lo);
 	loop_update_dio(lo);
 	loop_sysfs_init(lo);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 091/593] evm: Execute evm_inode_init_security() only when an HMAC key is loaded
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 090/593] loop: Fix missing discard support when using LOOP_CONFIGURE Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 092/593] evm: Refuse EVM_ALLOW_METADATA_WRITES only if " Greg Kroah-Hartman
                   ` (506 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Roberto Sassu, Mimi Zohar

From: Roberto Sassu <roberto.sassu@huawei.com>

commit 9eea2904292c2d8fa98df141d3bf7c41ec9dc1b5 upstream.

evm_inode_init_security() requires an HMAC key to calculate the HMAC on
initial xattrs provided by LSMs. However, it checks generically whether a
key has been loaded, including also public keys, which is not correct as
public keys are not suitable to calculate the HMAC.

Originally, support for signature verification was introduced to verify a
possibly immutable initial ram disk, when no new files are created, and to
switch to HMAC for the root filesystem. By that time, an HMAC key should
have been loaded and usable to calculate HMACs for new files.

More recently support for requiring an HMAC key was removed from the
kernel, so that signature verification can be used alone. Since this is a
legitimate use case, evm_inode_init_security() should not return an error
when no HMAC key has been loaded.

This patch fixes this problem by replacing the evm_key_loaded() check with
a check of the EVM_INIT_HMAC flag in evm_initialized.

Fixes: 26ddabfe96b ("evm: enable EVM when X509 certificate is loaded")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Cc: stable@vger.kernel.org # 4.5.x
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 security/integrity/evm/evm_main.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/security/integrity/evm/evm_main.c
+++ b/security/integrity/evm/evm_main.c
@@ -521,7 +521,7 @@ void evm_inode_post_setattr(struct dentr
 }
 
 /*
- * evm_inode_init_security - initializes security.evm
+ * evm_inode_init_security - initializes security.evm HMAC value
  */
 int evm_inode_init_security(struct inode *inode,
 				 const struct xattr *lsm_xattr,
@@ -530,7 +530,8 @@ int evm_inode_init_security(struct inode
 	struct evm_xattr *xattr_data;
 	int rc;
 
-	if (!evm_key_loaded() || !evm_protected_xattr(lsm_xattr->name))
+	if (!(evm_initialized & EVM_INIT_HMAC) ||
+	    !evm_protected_xattr(lsm_xattr->name))
 		return 0;
 
 	xattr_data = kzalloc(sizeof(*xattr_data), GFP_NOFS);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 092/593] evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 091/593] evm: Execute evm_inode_init_security() only when an HMAC key is loaded Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 093/593] fuse: Fix crash in fuse_dentry_automount() error path Greg Kroah-Hartman
                   ` (505 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Roberto Sassu, Mimi Zohar

From: Roberto Sassu <roberto.sassu@huawei.com>

commit 9acc89d31f0c94c8e573ed61f3e4340bbd526d0c upstream.

EVM_ALLOW_METADATA_WRITES is an EVM initialization flag that can be set to
temporarily disable metadata verification until all xattrs/attrs necessary
to verify an EVM portable signature are copied to the file. This flag is
cleared when EVM is initialized with an HMAC key, to avoid that the HMAC is
calculated on unverified xattrs/attrs.

Currently EVM unnecessarily denies setting this flag if EVM is initialized
with a public key, which is not a concern as it cannot be used to trust
xattrs/attrs updates. This patch removes this limitation.

Fixes: ae1ba1676b88e ("EVM: Allow userland to permit modification of EVM-protected metadata")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Cc: stable@vger.kernel.org # 4.16.x
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/ABI/testing/evm      |   26 ++++++++++++++++++++++++--
 security/integrity/evm/evm_secfs.c |    8 ++++----
 2 files changed, 28 insertions(+), 6 deletions(-)

--- a/Documentation/ABI/testing/evm
+++ b/Documentation/ABI/testing/evm
@@ -49,8 +49,30 @@ Description:
 		modification of EVM-protected metadata and
 		disable all further modification of policy
 
-		Note that once a key has been loaded, it will no longer be
-		possible to enable metadata modification.
+		Echoing a value is additive, the new value is added to the
+		existing initialization flags.
+
+		For example, after::
+
+		  echo 2 ><securityfs>/evm
+
+		another echo can be performed::
+
+		  echo 1 ><securityfs>/evm
+
+		and the resulting value will be 3.
+
+		Note that once an HMAC key has been loaded, it will no longer
+		be possible to enable metadata modification. Signaling that an
+		HMAC key has been loaded will clear the corresponding flag.
+		For example, if the current value is 6 (2 and 4 set)::
+
+		  echo 1 ><securityfs>/evm
+
+		will set the new value to 3 (4 cleared).
+
+		Loading an HMAC key is the only way to disable metadata
+		modification.
 
 		Until key loading has been signaled EVM can not create
 		or validate the 'security.evm' xattr, but returns
--- a/security/integrity/evm/evm_secfs.c
+++ b/security/integrity/evm/evm_secfs.c
@@ -80,12 +80,12 @@ static ssize_t evm_write_key(struct file
 	if (!i || (i & ~EVM_INIT_MASK) != 0)
 		return -EINVAL;
 
-	/* Don't allow a request to freshly enable metadata writes if
-	 * keys are loaded.
+	/*
+	 * Don't allow a request to enable metadata writes if
+	 * an HMAC key is loaded.
 	 */
 	if ((i & EVM_ALLOW_METADATA_WRITES) &&
-	    ((evm_initialized & EVM_KEY_MASK) != 0) &&
-	    !(evm_initialized & EVM_ALLOW_METADATA_WRITES))
+	    (evm_initialized & EVM_INIT_HMAC) != 0)
 		return -EPERM;
 
 	if (i & EVM_INIT_HMAC) {



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 093/593] fuse: Fix crash in fuse_dentry_automount() error path
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 092/593] evm: Refuse EVM_ALLOW_METADATA_WRITES only if " Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 094/593] fuse: Fix crash if superblock of submount gets killed early Greg Kroah-Hartman
                   ` (504 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Greg Kurz, Max Reitz, Miklos Szeredi

From: Greg Kurz <groug@kaod.org>

commit d92d88f0568e97c437eeb79d9c9609bd8277406f upstream.

If fuse_fill_super_submount() returns an error, the error path
triggers a crash:

[   26.206673] BUG: kernel NULL pointer dereference, address: 0000000000000000
[...]
[   26.226362] RIP: 0010:__list_del_entry_valid+0x25/0x90
[...]
[   26.247938] Call Trace:
[   26.248300]  fuse_mount_remove+0x2c/0x70 [fuse]
[   26.248892]  virtio_kill_sb+0x22/0x160 [virtiofs]
[   26.249487]  deactivate_locked_super+0x36/0xa0
[   26.250077]  fuse_dentry_automount+0x178/0x1a0 [fuse]

The crash happens because fuse_mount_remove() assumes that the FUSE
mount was already added to list under the FUSE connection, but this
only done after fuse_fill_super_submount() has returned success.

This means that until fuse_fill_super_submount() has returned success,
the FUSE mount isn't actually owned by the superblock. We should thus
reclaim ownership by clearing sb->s_fs_info, which will skip the call
to fuse_mount_remove(), and perform rollback, like virtio_fs_get_tree()
already does for the root sb.

Fixes: bf109c64040f ("fuse: implement crossmounts")
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dir.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -340,8 +340,12 @@ static struct vfsmount *fuse_dentry_auto
 
 	/* Initialize superblock, making @mp_fi its root */
 	err = fuse_fill_super_submount(sb, mp_fi);
-	if (err)
+	if (err) {
+		fuse_conn_put(fc);
+		kfree(fm);
+		sb->s_fs_info = NULL;
 		goto out_put_sb;
+	}
 
 	sb->s_flags |= SB_ACTIVE;
 	fsc->root = dget(sb->s_root);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 094/593] fuse: Fix crash if superblock of submount gets killed early
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 093/593] fuse: Fix crash in fuse_dentry_automount() error path Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 095/593] fuse: Fix infinite loop in sget_fc() Greg Kroah-Hartman
                   ` (503 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Greg Kurz, Max Reitz, Miklos Szeredi

From: Greg Kurz <groug@kaod.org>

commit e3a43f2a95393000778f8f302d48795add2fc4a8 upstream.

As soon as fuse_dentry_automount() does up_write(&sb->s_umount), the
superblock can theoretically be killed. If this happens before the
submount was added to the &fc->mounts list, fuse_mount_remove() later
crashes in list_del_init() because it assumes the submount to be
already there.

Add the submount before dropping sb->s_umount to fix the inconsistency.
It is okay to nest fc->killsb under sb->s_umount, we already do this
on the ->kill_sb() path.

Signed-off-by: Greg Kurz <groug@kaod.org>
Fixes: bf109c64040f ("fuse: implement crossmounts")
Cc: stable@vger.kernel.org # v5.10+
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dir.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -347,15 +347,15 @@ static struct vfsmount *fuse_dentry_auto
 		goto out_put_sb;
 	}
 
+	down_write(&fc->killsb);
+	list_add_tail(&fm->fc_entry, &fc->mounts);
+	up_write(&fc->killsb);
+
 	sb->s_flags |= SB_ACTIVE;
 	fsc->root = dget(sb->s_root);
 	/* We are done configuring the superblock, so unlock it */
 	up_write(&sb->s_umount);
 
-	down_write(&fc->killsb);
-	list_add_tail(&fm->fc_entry, &fc->mounts);
-	up_write(&fc->killsb);
-
 	/* Create the submount */
 	mnt = vfs_create_mount(fsc);
 	if (IS_ERR(mnt)) {



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 095/593] fuse: Fix infinite loop in sget_fc()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 094/593] fuse: Fix crash if superblock of submount gets killed early Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 096/593] fuse: ignore PG_workingset after stealing Greg Kroah-Hartman
                   ` (502 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Greg Kurz, Max Reitz, Miklos Szeredi

From: Greg Kurz <groug@kaod.org>

commit e4a9ccdd1c03b3dc58214874399d24331ea0a3ab upstream.

We don't set the SB_BORN flag on submounts. This is wrong as these
superblocks are then considered as partially constructed or dying
in the rest of the code and can break some assumptions.

One such case is when you have a virtiofs filesystem with submounts
and you try to mount it again : virtio_fs_get_tree() tries to obtain
a superblock with sget_fc(). The logic in sget_fc() is to loop until
it has either found an existing matching superblock with SB_BORN set
or to create a brand new one. It is assumed that a superblock without
SB_BORN is transient and the loop is restarted. Forgetting to set
SB_BORN on submounts hence causes sget_fc() to retry forever.

Setting SB_BORN requires special care, i.e. a write barrier for
super_cache_count() which can check SB_BORN without taking any lock.
We should call vfs_get_tree() to deal with that but this requires
to have a proper ->get_tree() implementation for submounts, which
is a bigger piece of work. Go for a simple bug fix in the meatime.

Fixes: bf109c64040f ("fuse: implement crossmounts")
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dir.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -353,6 +353,17 @@ static struct vfsmount *fuse_dentry_auto
 
 	sb->s_flags |= SB_ACTIVE;
 	fsc->root = dget(sb->s_root);
+
+	/*
+	 * FIXME: setting SB_BORN requires a write barrier for
+	 *        super_cache_count(). We should actually come
+	 *        up with a proper ->get_tree() implementation
+	 *        for submounts and call vfs_get_tree() to take
+	 *        care of the write barrier.
+	 */
+	smp_wmb();
+	sb->s_flags |= SB_BORN;
+
 	/* We are done configuring the superblock, so unlock it */
 	up_write(&sb->s_umount);
 



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 096/593] fuse: ignore PG_workingset after stealing
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 095/593] fuse: Fix infinite loop in sget_fc() Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 097/593] fuse: check connected before queueing on fpq->io Greg Kroah-Hartman
                   ` (501 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thomas Lindroth, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit b89ecd60d38ec042d63bdb376c722a16f92bcb88 upstream.

Fix the "fuse: trying to steal weird page" warning.

Description from Johannes Weiner:

  "Think of it as similar to PG_active. It's just another usage/heat
   indicator of file and anon pages on the reclaim LRU that, unlike
   PG_active, persists across deactivation and even reclaim (we store it in
   the page cache / swapper cache tree until the page refaults).

   So if fuse accepts pages that can legally have PG_active set,
   PG_workingset is fine too."

Reported-by: Thomas Lindroth <thomas.lindroth@gmail.com>
Fixes: 1899ad18c607 ("mm: workingset: tell cache transitions from workingset thrashing")
Cc: <stable@vger.kernel.org> # v4.20
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -783,6 +783,7 @@ static int fuse_check_page(struct page *
 	       1 << PG_uptodate |
 	       1 << PG_lru |
 	       1 << PG_active |
+	       1 << PG_workingset |
 	       1 << PG_reclaim |
 	       1 << PG_waiters))) {
 		dump_page(page, "fuse: trying to steal weird page");



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 097/593] fuse: check connected before queueing on fpq->io
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 096/593] fuse: ignore PG_workingset after stealing Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 098/593] fuse: reject internal errno Greg Kroah-Hartman
                   ` (500 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pradeep P V K, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 80ef08670d4c28a06a3de954bd350368780bcfef upstream.

A request could end up on the fpq->io list after fuse_abort_conn() has
reset fpq->connected and aborted requests on that list:

Thread-1			  Thread-2
========			  ========
->fuse_simple_request()           ->shutdown
  ->__fuse_request_send()
    ->queue_request()		->fuse_abort_conn()
->fuse_dev_do_read()                ->acquire(fpq->lock)
  ->wait_for(fpq->lock) 	  ->set err to all req's in fpq->io
				  ->release(fpq->lock)
  ->acquire(fpq->lock)
  ->add req to fpq->io

After the userspace copy is done the request will be ended, but
req->out.h.error will remain uninitialized.  Also the copy might block
despite being already aborted.

Fix both issues by not allowing the request to be queued on the fpq->io
list after fuse_abort_conn() has processed this list.

Reported-by: Pradeep P V K <pragalla@codeaurora.org>
Fixes: fd22d62ed0c3 ("fuse: no fc->lock for iqueue parts")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1276,6 +1276,15 @@ static ssize_t fuse_dev_do_read(struct f
 		goto restart;
 	}
 	spin_lock(&fpq->lock);
+	/*
+	 *  Must not put request on fpq->io queue after having been shut down by
+	 *  fuse_abort_conn()
+	 */
+	if (!fpq->connected) {
+		req->out.h.error = err = -ECONNABORTED;
+		goto out_end;
+
+	}
 	list_add(&req->list, &fpq->io);
 	spin_unlock(&fpq->lock);
 	cs->req = req;



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 098/593] fuse: reject internal errno
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 097/593] fuse: check connected before queueing on fpq->io Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 099/593] thermal/cpufreq_cooling: Update offline CPUs per-cpu thermal_pressure Greg Kroah-Hartman
                   ` (499 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anatoly Trosinenko, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 49221cf86d18bb66fe95d3338cb33bd4b9880ca5 upstream.

Don't allow userspace to report errors that could be kernel-internal.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Fixes: 334f485df85a ("[PATCH] FUSE - device functions")
Cc: <stable@vger.kernel.org> # v2.6.14
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1871,7 +1871,7 @@ static ssize_t fuse_dev_do_write(struct
 	}
 
 	err = -EINVAL;
-	if (oh.error <= -1000 || oh.error > 0)
+	if (oh.error <= -512 || oh.error > 0)
 		goto copy_finish;
 
 	spin_lock(&fpq->lock);



^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 099/593] thermal/cpufreq_cooling: Update offline CPUs per-cpu thermal_pressure
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 098/593] fuse: reject internal errno Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 100/593] spi: Make of_register_spi_device also set the fwnode Greg Kroah-Hartman
                   ` (498 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lukasz Luba, Peter Zijlstra (Intel),
	Viresh Kumar, Sasha Levin

From: Lukasz Luba <lukasz.luba@arm.com>

[ Upstream commit 2ad8ccc17d1e4270cf65a3f2a07a7534aa23e3fb ]

The thermal pressure signal gives information to the scheduler about
reduced CPU capacity due to thermal. It is based on a value stored in
a per-cpu 'thermal_pressure' variable. The online CPUs will get the
new value there, while the offline won't. Unfortunately, when the CPU
is back online, the value read from per-cpu variable might be wrong
(stale data).  This might affect the scheduler decisions, since it
sees the CPU capacity differently than what is actually available.

Fix it by making sure that all online+offline CPUs would get the
proper value in their per-cpu variable when thermal framework sets
capping.

Fixes: f12e4f66ab6a3 ("thermal/cpu-cooling: Update thermal pressure in case of a maximum frequency capping")
Signed-off-by: Lukasz Luba <lukasz.luba@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://lore.kernel.org/r/20210614191030.22241-1-lukasz.luba@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/thermal/cpufreq_cooling.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/thermal/cpufreq_cooling.c b/drivers/thermal/cpufreq_cooling.c
index 3f6a69ccc173..6e1d6a31ee4f 100644
--- a/drivers/thermal/cpufreq_cooling.c
+++ b/drivers/thermal/cpufreq_cooling.c
@@ -443,7 +443,7 @@ static int cpufreq_set_cur_state(struct thermal_cooling_device *cdev,
 	ret = freq_qos_update_request(&cpufreq_cdev->qos_req, frequency);
 	if (ret >= 0) {
 		cpufreq_cdev->cpufreq_state = state;
-		cpus = cpufreq_cdev->policy->cpus;
+		cpus = cpufreq_cdev->policy->related_cpus;
 		max_capacity = arch_scale_cpu_capacity(cpumask_first(cpus));
 		capacity = frequency * max_capacity;
 		capacity /= cpufreq_cdev->policy->cpuinfo.max_freq;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 100/593] spi: Make of_register_spi_device also set the fwnode
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 099/593] thermal/cpufreq_cooling: Update offline CPUs per-cpu thermal_pressure Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 101/593] Add a reference to ucounts for each cred Greg Kroah-Hartman
                   ` (497 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Charles Keepax, Mark Brown, Sasha Levin

From: Charles Keepax <ckeepax@opensource.cirrus.com>

[ Upstream commit 0e793ba77c18382f08e440260fe72bc6fce2a3cb ]

Currently, the SPI core doesn't set the struct device fwnode pointer
when it creates a new SPI device. This means when the device is
registered the fwnode is NULL and the check in device_add which sets
the fwnode->dev pointer is skipped. This wasn't previously an issue,
however these two patches:

commit 4731210c09f5 ("gpiolib: Bind gpio_device to a driver to enable
fw_devlink=on by default")
commit ced2af419528 ("gpiolib: Don't probe gpio_device if it's not the
primary device")

Added some code to the GPIO core which relies on using that
fwnode->dev pointer to determine if a driver is bound to the fwnode
and if not bind a stub GPIO driver. This means the GPIO providers
behind SPI will get both the expected driver and this stub driver
causing the stub driver to fail if it attempts to request any pin
configuration. For example on my system:

madera-pinctrl madera-pinctrl: pin gpio5 already requested by madera-pinctrl; cannot claim for gpiochip3
madera-pinctrl madera-pinctrl: pin-4 (gpiochip3) status -22
madera-pinctrl madera-pinctrl: could not request pin 4 (gpio5) from group aif1  on device madera-pinctrl
gpio_stub_drv gpiochip3: Error applying setting, reverse things back
gpio_stub_drv: probe of gpiochip3 failed with error -22

The firmware node on the device created by the GPIO framework is set
through the of_node pointer hence things generally actually work,
however that fwnode->dev is never set, as the check was skipped at
device_add time. This fix appears to match how the I2C subsystem
handles the same situation.

Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20210421101402.8468-1-ckeepax@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 0cf67de741e7..bd8b1f79dce2 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -2050,6 +2050,7 @@ of_register_spi_device(struct spi_controller *ctlr, struct device_node *nc)
 	/* Store a pointer to the node in the device structure */
 	of_node_get(nc);
 	spi->dev.of_node = nc;
+	spi->dev.fwnode = of_fwnode_handle(nc);
 
 	/* Register the new device */
 	rc = spi_add_device(spi);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 101/593] Add a reference to ucounts for each cred
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 100/593] spi: Make of_register_spi_device also set the fwnode Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 102/593] staging: media: rkvdec: fix pm_runtime_get_sync() usage count Greg Kroah-Hartman
                   ` (496 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Alexey Gladkov,
	Eric W. Biederman, Sasha Levin

From: Alexey Gladkov <legion@kernel.org>

[ Upstream commit 905ae01c4ae2ae3df05bb141801b1db4b7d83c61 ]

For RLIMIT_NPROC and some other rlimits the user_struct that holds the
global limit is kept alive for the lifetime of a process by keeping it
in struct cred. Adding a pointer to ucounts in the struct cred will
allow to track RLIMIT_NPROC not only for user in the system, but for
user in the user_namespace.

Updating ucounts may require memory allocation which may fail. So, we
cannot change cred.ucounts in the commit_creds() because this function
cannot fail and it should always return 0. For this reason, we modify
cred.ucounts before calling the commit_creds().

Changelog

v6:
* Fix null-ptr-deref in is_ucounts_overlimit() detected by trinity. This
  error was caused by the fact that cred_alloc_blank() left the ucounts
  pointer empty.

Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Alexey Gladkov <legion@kernel.org>
Link: https://lkml.kernel.org/r/b37aaef28d8b9b0d757e07ba6dd27281bbe39259.1619094428.git.legion@kernel.org
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/exec.c                      |  4 ++++
 include/linux/cred.h           |  2 ++
 include/linux/user_namespace.h |  4 ++++
 kernel/cred.c                  | 40 ++++++++++++++++++++++++++++++++++
 kernel/fork.c                  |  6 +++++
 kernel/sys.c                   | 12 ++++++++++
 kernel/ucount.c                | 40 +++++++++++++++++++++++++++++++---
 kernel/user_namespace.c        |  3 +++
 8 files changed, 108 insertions(+), 3 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index ca89e0e3ef10..c7a4ef8df305 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1347,6 +1347,10 @@ int begin_new_exec(struct linux_binprm * bprm)
 	WRITE_ONCE(me->self_exec_id, me->self_exec_id + 1);
 	flush_signal_handlers(me, 0);
 
+	retval = set_cred_ucounts(bprm->cred);
+	if (retval < 0)
+		goto out_unlock;
+
 	/*
 	 * install the new credentials for this executable
 	 */
diff --git a/include/linux/cred.h b/include/linux/cred.h
index 18639c069263..ad160e5fe5c6 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -144,6 +144,7 @@ struct cred {
 #endif
 	struct user_struct *user;	/* real user ID subscription */
 	struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
+	struct ucounts *ucounts;
 	struct group_info *group_info;	/* supplementary groups for euid/fsgid */
 	/* RCU deletion */
 	union {
@@ -170,6 +171,7 @@ extern int set_security_override_from_ctx(struct cred *, const char *);
 extern int set_create_files_as(struct cred *, struct inode *);
 extern int cred_fscmp(const struct cred *, const struct cred *);
 extern void __init cred_init(void);
+extern int set_cred_ucounts(struct cred *);
 
 /*
  * check for validity of credentials
diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
index 7616c7bf4b24..e1bd560da1cd 100644
--- a/include/linux/user_namespace.h
+++ b/include/linux/user_namespace.h
@@ -101,11 +101,15 @@ struct ucounts {
 };
 
 extern struct user_namespace init_user_ns;
+extern struct ucounts init_ucounts;
 
 bool setup_userns_sysctls(struct user_namespace *ns);
 void retire_userns_sysctls(struct user_namespace *ns);
 struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid, enum ucount_type type);
 void dec_ucount(struct ucounts *ucounts, enum ucount_type type);
+struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid);
+struct ucounts *get_ucounts(struct ucounts *ucounts);
+void put_ucounts(struct ucounts *ucounts);
 
 #ifdef CONFIG_USER_NS
 
diff --git a/kernel/cred.c b/kernel/cred.c
index 421b1149c651..58a8a9e24347 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -60,6 +60,7 @@ struct cred init_cred = {
 	.user			= INIT_USER,
 	.user_ns		= &init_user_ns,
 	.group_info		= &init_groups,
+	.ucounts		= &init_ucounts,
 };
 
 static inline void set_cred_subscribers(struct cred *cred, int n)
@@ -119,6 +120,8 @@ static void put_cred_rcu(struct rcu_head *rcu)
 	if (cred->group_info)
 		put_group_info(cred->group_info);
 	free_uid(cred->user);
+	if (cred->ucounts)
+		put_ucounts(cred->ucounts);
 	put_user_ns(cred->user_ns);
 	kmem_cache_free(cred_jar, cred);
 }
@@ -222,6 +225,7 @@ struct cred *cred_alloc_blank(void)
 #ifdef CONFIG_DEBUG_CREDENTIALS
 	new->magic = CRED_MAGIC;
 #endif
+	new->ucounts = get_ucounts(&init_ucounts);
 
 	if (security_cred_alloc_blank(new, GFP_KERNEL_ACCOUNT) < 0)
 		goto error;
@@ -284,6 +288,11 @@ struct cred *prepare_creds(void)
 
 	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
 		goto error;
+
+	new->ucounts = get_ucounts(new->ucounts);
+	if (!new->ucounts)
+		goto error;
+
 	validate_creds(new);
 	return new;
 
@@ -363,6 +372,8 @@ int copy_creds(struct task_struct *p, unsigned long clone_flags)
 		ret = create_user_ns(new);
 		if (ret < 0)
 			goto error_put;
+		if (set_cred_ucounts(new) < 0)
+			goto error_put;
 	}
 
 #ifdef CONFIG_KEYS
@@ -653,6 +664,31 @@ int cred_fscmp(const struct cred *a, const struct cred *b)
 }
 EXPORT_SYMBOL(cred_fscmp);
 
+int set_cred_ucounts(struct cred *new)
+{
+	struct task_struct *task = current;
+	const struct cred *old = task->real_cred;
+	struct ucounts *old_ucounts = new->ucounts;
+
+	if (new->user == old->user && new->user_ns == old->user_ns)
+		return 0;
+
+	/*
+	 * This optimization is needed because alloc_ucounts() uses locks
+	 * for table lookups.
+	 */
+	if (old_ucounts && old_ucounts->ns == new->user_ns && uid_eq(old_ucounts->uid, new->euid))
+		return 0;
+
+	if (!(new->ucounts = alloc_ucounts(new->user_ns, new->euid)))
+		return -EAGAIN;
+
+	if (old_ucounts)
+		put_ucounts(old_ucounts);
+
+	return 0;
+}
+
 /*
  * initialise the credentials stuff
  */
@@ -719,6 +755,10 @@ struct cred *prepare_kernel_cred(struct task_struct *daemon)
 	if (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)
 		goto error;
 
+	new->ucounts = get_ucounts(new->ucounts);
+	if (!new->ucounts)
+		goto error;
+
 	put_cred(old);
 	validate_creds(new);
 	return new;
diff --git a/kernel/fork.c b/kernel/fork.c
index 7c044d377926..281addb694df 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2960,6 +2960,12 @@ int ksys_unshare(unsigned long unshare_flags)
 	if (err)
 		goto bad_unshare_cleanup_cred;
 
+	if (new_cred) {
+		err = set_cred_ucounts(new_cred);
+		if (err)
+			goto bad_unshare_cleanup_cred;
+	}
+
 	if (new_fs || new_fd || do_sysvsem || new_cred || new_nsproxy) {
 		if (do_sysvsem) {
 			/*
diff --git a/kernel/sys.c b/kernel/sys.c
index a730c03ee607..0670e824e019 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -552,6 +552,10 @@ long __sys_setreuid(uid_t ruid, uid_t euid)
 	if (retval < 0)
 		goto error;
 
+	retval = set_cred_ucounts(new);
+	if (retval < 0)
+		goto error;
+
 	return commit_creds(new);
 
 error:
@@ -610,6 +614,10 @@ long __sys_setuid(uid_t uid)
 	if (retval < 0)
 		goto error;
 
+	retval = set_cred_ucounts(new);
+	if (retval < 0)
+		goto error;
+
 	return commit_creds(new);
 
 error:
@@ -685,6 +693,10 @@ long __sys_setresuid(uid_t ruid, uid_t euid, uid_t suid)
 	if (retval < 0)
 		goto error;
 
+	retval = set_cred_ucounts(new);
+	if (retval < 0)
+		goto error;
+
 	return commit_creds(new);
 
 error:
diff --git a/kernel/ucount.c b/kernel/ucount.c
index 11b1596e2542..9894795043c4 100644
--- a/kernel/ucount.c
+++ b/kernel/ucount.c
@@ -8,6 +8,12 @@
 #include <linux/kmemleak.h>
 #include <linux/user_namespace.h>
 
+struct ucounts init_ucounts = {
+	.ns    = &init_user_ns,
+	.uid   = GLOBAL_ROOT_UID,
+	.count = 1,
+};
+
 #define UCOUNTS_HASHTABLE_BITS 10
 static struct hlist_head ucounts_hashtable[(1 << UCOUNTS_HASHTABLE_BITS)];
 static DEFINE_SPINLOCK(ucounts_lock);
@@ -125,7 +131,15 @@ static struct ucounts *find_ucounts(struct user_namespace *ns, kuid_t uid, struc
 	return NULL;
 }
 
-static struct ucounts *get_ucounts(struct user_namespace *ns, kuid_t uid)
+static void hlist_add_ucounts(struct ucounts *ucounts)
+{
+	struct hlist_head *hashent = ucounts_hashentry(ucounts->ns, ucounts->uid);
+	spin_lock_irq(&ucounts_lock);
+	hlist_add_head(&ucounts->node, hashent);
+	spin_unlock_irq(&ucounts_lock);
+}
+
+struct ucounts *alloc_ucounts(struct user_namespace *ns, kuid_t uid)
 {
 	struct hlist_head *hashent = ucounts_hashentry(ns, uid);
 	struct ucounts *ucounts, *new;
@@ -160,7 +174,26 @@ static struct ucounts *get_ucounts(struct user_namespace *ns, kuid_t uid)
 	return ucounts;
 }
 
-static void put_ucounts(struct ucounts *ucounts)
+struct ucounts *get_ucounts(struct ucounts *ucounts)
+{
+	unsigned long flags;
+
+	if (!ucounts)
+		return NULL;
+
+	spin_lock_irqsave(&ucounts_lock, flags);
+	if (ucounts->count == INT_MAX) {
+		WARN_ONCE(1, "ucounts: counter has reached its maximum value");
+		ucounts = NULL;
+	} else {
+		ucounts->count += 1;
+	}
+	spin_unlock_irqrestore(&ucounts_lock, flags);
+
+	return ucounts;
+}
+
+void put_ucounts(struct ucounts *ucounts)
 {
 	unsigned long flags;
 
@@ -194,7 +227,7 @@ struct ucounts *inc_ucount(struct user_namespace *ns, kuid_t uid,
 {
 	struct ucounts *ucounts, *iter, *bad;
 	struct user_namespace *tns;
-	ucounts = get_ucounts(ns, uid);
+	ucounts = alloc_ucounts(ns, uid);
 	for (iter = ucounts; iter; iter = tns->ucounts) {
 		int max;
 		tns = iter->ns;
@@ -237,6 +270,7 @@ static __init int user_namespace_sysctl_init(void)
 	BUG_ON(!user_header);
 	BUG_ON(!setup_userns_sysctls(&init_user_ns));
 #endif
+	hlist_add_ucounts(&init_ucounts);
 	return 0;
 }
 subsys_initcall(user_namespace_sysctl_init);
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index ce396ea4de60..8206a13c81eb 100644
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -1340,6 +1340,9 @@ static int userns_install(struct nsset *nsset, struct ns_common *ns)
 	put_user_ns(cred->user_ns);
 	set_cred_user_ns(cred, get_user_ns(user_ns));
 
+	if (set_cred_ucounts(cred) < 0)
+		return -EINVAL;
+
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 102/593] staging: media: rkvdec: fix pm_runtime_get_sync() usage count
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 101/593] Add a reference to ucounts for each cred Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 103/593] media: marvel-ccic: fix some issues when getting pm_runtime Greg Kroah-Hartman
                   ` (495 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ezequiel Garcia, Jonathan Cameron,
	Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit e90812c47b958407b54d05780dc483fdc1b57a93 ]

The pm_runtime_get_sync() internally increments the
dev->power.usage_count without decrementing it, even on errors.
Replace it by the new pm_runtime_resume_and_get(), introduced by:
commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
in order to properly decrement the usage counter, avoiding
a potential PM usage counter leak.

Reviewed-by: Ezequiel Garcia <ezequiel@collabora.com>
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/media/rkvdec/rkvdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/media/rkvdec/rkvdec.c b/drivers/staging/media/rkvdec/rkvdec.c
index 1263991de76f..b630e161d4ce 100644
--- a/drivers/staging/media/rkvdec/rkvdec.c
+++ b/drivers/staging/media/rkvdec/rkvdec.c
@@ -691,7 +691,7 @@ static void rkvdec_device_run(void *priv)
 	if (WARN_ON(!desc))
 		return;
 
-	ret = pm_runtime_get_sync(rkvdec->dev);
+	ret = pm_runtime_resume_and_get(rkvdec->dev);
 	if (ret < 0) {
 		rkvdec_job_finish_no_pm(ctx, VB2_BUF_STATE_ERROR);
 		return;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 103/593] media: marvel-ccic: fix some issues when getting pm_runtime
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 102/593] staging: media: rkvdec: fix pm_runtime_get_sync() usage count Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 104/593] media: mdk-mdp: fix pm_runtime_get_sync() usage count Greg Kroah-Hartman
                   ` (494 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron,
	Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit e7c617cab7a522fba5b20f9033ee98565b6f3546 ]

Calling pm_runtime_get_sync() is bad, since even when it
returns an error, pm_runtime_put*() should be called.
So, use instead pm_runtime_resume_and_get().

While here, ensure that the error condition will be checked
during clock enable an media open() calls.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/marvell-ccic/mcam-core.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c
index 34266fba824f..e56c5e56e824 100644
--- a/drivers/media/platform/marvell-ccic/mcam-core.c
+++ b/drivers/media/platform/marvell-ccic/mcam-core.c
@@ -918,6 +918,7 @@ static int mclk_enable(struct clk_hw *hw)
 	struct mcam_camera *cam = container_of(hw, struct mcam_camera, mclk_hw);
 	int mclk_src;
 	int mclk_div;
+	int ret;
 
 	/*
 	 * Clock the sensor appropriately.  Controller clock should
@@ -931,7 +932,9 @@ static int mclk_enable(struct clk_hw *hw)
 		mclk_div = 2;
 	}
 
-	pm_runtime_get_sync(cam->dev);
+	ret = pm_runtime_resume_and_get(cam->dev);
+	if (ret < 0)
+		return ret;
 	clk_enable(cam->clk[0]);
 	mcam_reg_write(cam, REG_CLKCTRL, (mclk_src << 29) | mclk_div);
 	mcam_ctlr_power_up(cam);
@@ -1611,7 +1614,9 @@ static int mcam_v4l_open(struct file *filp)
 		ret = sensor_call(cam, core, s_power, 1);
 		if (ret)
 			goto out;
-		pm_runtime_get_sync(cam->dev);
+		ret = pm_runtime_resume_and_get(cam->dev);
+		if (ret < 0)
+			goto out;
 		__mcam_cam_reset(cam);
 		mcam_set_config_needed(cam, 1);
 	}
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 104/593] media: mdk-mdp: fix pm_runtime_get_sync() usage count
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 103/593] media: marvel-ccic: fix some issues when getting pm_runtime Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 105/593] media: s5p: " Greg Kroah-Hartman
                   ` (493 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron,
	Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit d07bb9702cf5f5ccf3fb661e6cab54bbc33cd23f ]

The pm_runtime_get_sync() internally increments the
dev->power.usage_count without decrementing it, even on errors.
Replace it by the new pm_runtime_resume_and_get(), introduced by:
commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
in order to properly decrement the usage counter, avoiding
a potential PM usage counter leak.

While here, fix the return contition of mtk_mdp_m2m_start_streaming(),
as it doesn't make any sense to return 0 if the PM runtime failed
to resume.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c b/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c
index 724c7333b6e5..45fc741c5541 100644
--- a/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c
+++ b/drivers/media/platform/mtk-mdp/mtk_mdp_m2m.c
@@ -394,12 +394,12 @@ static int mtk_mdp_m2m_start_streaming(struct vb2_queue *q, unsigned int count)
 	struct mtk_mdp_ctx *ctx = q->drv_priv;
 	int ret;
 
-	ret = pm_runtime_get_sync(&ctx->mdp_dev->pdev->dev);
+	ret = pm_runtime_resume_and_get(&ctx->mdp_dev->pdev->dev);
 	if (ret < 0)
-		mtk_mdp_dbg(1, "[%d] pm_runtime_get_sync failed:%d",
+		mtk_mdp_dbg(1, "[%d] pm_runtime_resume_and_get failed:%d",
 			    ctx->id, ret);
 
-	return 0;
+	return ret;
 }
 
 static void *mtk_mdp_m2m_buf_remove(struct mtk_mdp_ctx *ctx,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 105/593] media: s5p: fix pm_runtime_get_sync() usage count
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 104/593] media: mdk-mdp: fix pm_runtime_get_sync() usage count Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 106/593] media: am437x: " Greg Kroah-Hartman
                   ` (492 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron, Sylwester Nawrocki,
	Marek Szyprowski, Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit fdc34e82c0f968ac4c157bd3d8c299ebc24c9c63 ]

The pm_runtime_get_sync() internally increments the
dev->power.usage_count without decrementing it, even on errors.
Replace it by the new pm_runtime_resume_and_get(), introduced by:
commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
in order to properly decrement the usage counter, avoiding
a potential PM usage counter leak.

While here, check if the PM runtime error was caught at
s5p_cec_adap_enable().

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/cec/platform/s5p/s5p_cec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/cec/platform/s5p/s5p_cec.c b/drivers/media/cec/platform/s5p/s5p_cec.c
index 2a3e7ffefe0a..2250c1cbc64e 100644
--- a/drivers/media/cec/platform/s5p/s5p_cec.c
+++ b/drivers/media/cec/platform/s5p/s5p_cec.c
@@ -35,10 +35,13 @@ MODULE_PARM_DESC(debug, "debug level (0-2)");
 
 static int s5p_cec_adap_enable(struct cec_adapter *adap, bool enable)
 {
+	int ret;
 	struct s5p_cec_dev *cec = cec_get_drvdata(adap);
 
 	if (enable) {
-		pm_runtime_get_sync(cec->dev);
+		ret = pm_runtime_resume_and_get(cec->dev);
+		if (ret < 0)
+			return ret;
 
 		s5p_cec_reset(cec);
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 106/593] media: am437x: fix pm_runtime_get_sync() usage count
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 105/593] media: s5p: " Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 107/593] media: sh_vou: " Greg Kroah-Hartman
                   ` (491 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron,
	Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit c41e02493334985cca1a22efd5ca962ce3abb061 ]

The pm_runtime_get_sync() internally increments the
dev->power.usage_count without decrementing it, even on errors.
Replace it by the new pm_runtime_resume_and_get(), introduced by:
commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
in order to properly decrement the usage counter, avoiding
a potential PM usage counter leak.

While here, ensure that the driver will check if PM runtime
resumed at vpfe_initialize_device().

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/am437x/am437x-vpfe.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/drivers/media/platform/am437x/am437x-vpfe.c b/drivers/media/platform/am437x/am437x-vpfe.c
index 0fb9f9ba1219..31cee69adbe1 100644
--- a/drivers/media/platform/am437x/am437x-vpfe.c
+++ b/drivers/media/platform/am437x/am437x-vpfe.c
@@ -1021,7 +1021,9 @@ static int vpfe_initialize_device(struct vpfe_device *vpfe)
 	if (ret)
 		return ret;
 
-	pm_runtime_get_sync(vpfe->pdev);
+	ret = pm_runtime_resume_and_get(vpfe->pdev);
+	if (ret < 0)
+		return ret;
 
 	vpfe_config_enable(&vpfe->ccdc, 1);
 
@@ -2443,7 +2445,11 @@ static int vpfe_probe(struct platform_device *pdev)
 	pm_runtime_enable(&pdev->dev);
 
 	/* for now just enable it here instead of waiting for the open */
-	pm_runtime_get_sync(&pdev->dev);
+	ret = pm_runtime_resume_and_get(&pdev->dev);
+	if (ret < 0) {
+		vpfe_err(vpfe, "Unable to resume device.\n");
+		goto probe_out_v4l2_unregister;
+	}
 
 	vpfe_ccdc_config_defaults(ccdc);
 
@@ -2530,6 +2536,11 @@ static int vpfe_suspend(struct device *dev)
 
 	/* only do full suspend if streaming has started */
 	if (vb2_start_streaming_called(&vpfe->buffer_queue)) {
+		/*
+		 * ignore RPM resume errors here, as it is already too late.
+		 * A check like that should happen earlier, either at
+		 * open() or just before start streaming.
+		 */
 		pm_runtime_get_sync(dev);
 		vpfe_config_enable(ccdc, 1);
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 107/593] media: sh_vou: fix pm_runtime_get_sync() usage count
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 106/593] media: am437x: " Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 108/593] media: mtk-vcodec: fix PM runtime get logic Greg Kroah-Hartman
                   ` (490 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron,
	Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit 6e8b1526db164c9d4b9dacfb9bc48e365d7c4860 ]

The pm_runtime_get_sync() internally increments the
dev->power.usage_count without decrementing it, even on errors.
Replace it by the new pm_runtime_resume_and_get(), introduced by:
commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
in order to properly decrement the usage counter, avoiding
a potential PM usage counter leak.

While here, check if the PM runtime error was caught at open time.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/sh_vou.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/sh_vou.c b/drivers/media/platform/sh_vou.c
index b22dc1d72527..7d30e0c9447e 100644
--- a/drivers/media/platform/sh_vou.c
+++ b/drivers/media/platform/sh_vou.c
@@ -1133,7 +1133,11 @@ static int sh_vou_open(struct file *file)
 	if (v4l2_fh_is_singular_file(file) &&
 	    vou_dev->status == SH_VOU_INITIALISING) {
 		/* First open */
-		pm_runtime_get_sync(vou_dev->v4l2_dev.dev);
+		err = pm_runtime_resume_and_get(vou_dev->v4l2_dev.dev);
+		if (err < 0) {
+			v4l2_fh_release(file);
+			goto done_open;
+		}
 		err = sh_vou_hw_init(vou_dev);
 		if (err < 0) {
 			pm_runtime_put(vou_dev->v4l2_dev.dev);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 108/593] media: mtk-vcodec: fix PM runtime get logic
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 107/593] media: sh_vou: " Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 109/593] media: s5p-jpeg: fix pm_runtime_get_sync() usage count Greg Kroah-Hartman
                   ` (489 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron,
	Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit 908711f542c17fe61e5d653da1beb8e5ab5c7b50 ]

Currently, the driver just assumes that PM runtime logic
succeded resuming the device.

That may not be the case, as pm_runtime_get_sync()
can fail (but keeping the usage count incremented).

Replace the code to use pm_runtime_resume_and_get(),
and letting it return the error code.

This way, if mtk_vcodec_dec_pw_on() fails, the logic
under fops_vcodec_open() will do the right thing and
return an error, instead of just assuming that the
device is ready to be used.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c | 4 +++-
 drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c  | 8 +++++---
 drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h  | 2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c
index 145686d2c219..f59ef8c8c9db 100644
--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c
+++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_drv.c
@@ -126,7 +126,9 @@ static int fops_vcodec_open(struct file *file)
 	mtk_vcodec_dec_set_default_params(ctx);
 
 	if (v4l2_fh_is_singular(&ctx->fh)) {
-		mtk_vcodec_dec_pw_on(&dev->pm);
+		ret = mtk_vcodec_dec_pw_on(&dev->pm);
+		if (ret < 0)
+			goto err_load_fw;
 		/*
 		 * Does nothing if firmware was already loaded.
 		 */
diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c
index ddee7046ce42..6038db96f71c 100644
--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c
+++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.c
@@ -88,13 +88,15 @@ void mtk_vcodec_release_dec_pm(struct mtk_vcodec_dev *dev)
 	put_device(dev->pm.larbvdec);
 }
 
-void mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm)
+int mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm)
 {
 	int ret;
 
-	ret = pm_runtime_get_sync(pm->dev);
+	ret = pm_runtime_resume_and_get(pm->dev);
 	if (ret)
-		mtk_v4l2_err("pm_runtime_get_sync fail %d", ret);
+		mtk_v4l2_err("pm_runtime_resume_and_get fail %d", ret);
+
+	return ret;
 }
 
 void mtk_vcodec_dec_pw_off(struct mtk_vcodec_pm *pm)
diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h
index 872d8bf8cfaf..280aeaefdb65 100644
--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h
+++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_dec_pm.h
@@ -12,7 +12,7 @@
 int mtk_vcodec_init_dec_pm(struct mtk_vcodec_dev *dev);
 void mtk_vcodec_release_dec_pm(struct mtk_vcodec_dev *dev);
 
-void mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm);
+int mtk_vcodec_dec_pw_on(struct mtk_vcodec_pm *pm);
 void mtk_vcodec_dec_pw_off(struct mtk_vcodec_pm *pm);
 void mtk_vcodec_dec_clock_on(struct mtk_vcodec_pm *pm);
 void mtk_vcodec_dec_clock_off(struct mtk_vcodec_pm *pm);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 109/593] media: s5p-jpeg: fix pm_runtime_get_sync() usage count
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 108/593] media: mtk-vcodec: fix PM runtime get logic Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 110/593] media: sunxi: " Greg Kroah-Hartman
                   ` (488 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron, Sylwester Nawrocki,
	Andrzej Pietrasiewicz, Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit 10343de268d10cf07b092b8b525e12ad558ead77 ]

The pm_runtime_get_sync() internally increments the
dev->power.usage_count without decrementing it, even on errors.
Replace it by the new pm_runtime_resume_and_get(), introduced by:
commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
in order to properly decrement the usage counter, avoiding
a potential PM usage counter leak.

As a plus, pm_runtime_resume_and_get() doesn't return
positive numbers, so the return code validation can
be removed.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Acked-by: Andrzej Pietrasiewicz <andrzejtp2010@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/s5p-jpeg/jpeg-core.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/media/platform/s5p-jpeg/jpeg-core.c b/drivers/media/platform/s5p-jpeg/jpeg-core.c
index 9b22dd8e34f4..d515eb08c3ee 100644
--- a/drivers/media/platform/s5p-jpeg/jpeg-core.c
+++ b/drivers/media/platform/s5p-jpeg/jpeg-core.c
@@ -2566,11 +2566,8 @@ static void s5p_jpeg_buf_queue(struct vb2_buffer *vb)
 static int s5p_jpeg_start_streaming(struct vb2_queue *q, unsigned int count)
 {
 	struct s5p_jpeg_ctx *ctx = vb2_get_drv_priv(q);
-	int ret;
-
-	ret = pm_runtime_get_sync(ctx->jpeg->dev);
 
-	return ret > 0 ? 0 : ret;
+	return pm_runtime_resume_and_get(ctx->jpeg->dev);
 }
 
 static void s5p_jpeg_stop_streaming(struct vb2_queue *q)
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 110/593] media: sunxi: fix pm_runtime_get_sync() usage count
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 109/593] media: s5p-jpeg: fix pm_runtime_get_sync() usage count Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 111/593] media: sti/bdisp: " Greg Kroah-Hartman
                   ` (487 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron,
	Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit 9c298f82d8392f799a0595f50076afa1d91e9092 ]

The pm_runtime_get_sync() internally increments the
dev->power.usage_count without decrementing it, even on errors.
Replace it by the new pm_runtime_resume_and_get(), introduced by:
commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
in order to properly decrement the usage counter, avoiding
a potential PM usage counter leak.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/sunxi/sun8i-rotate/sun8i_rotate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/platform/sunxi/sun8i-rotate/sun8i_rotate.c b/drivers/media/platform/sunxi/sun8i-rotate/sun8i_rotate.c
index 3f81dd17755c..fbcca59a0517 100644
--- a/drivers/media/platform/sunxi/sun8i-rotate/sun8i_rotate.c
+++ b/drivers/media/platform/sunxi/sun8i-rotate/sun8i_rotate.c
@@ -494,7 +494,7 @@ static int rotate_start_streaming(struct vb2_queue *vq, unsigned int count)
 		struct device *dev = ctx->dev->dev;
 		int ret;
 
-		ret = pm_runtime_get_sync(dev);
+		ret = pm_runtime_resume_and_get(dev);
 		if (ret < 0) {
 			dev_err(dev, "Failed to enable module\n");
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 111/593] media: sti/bdisp: fix pm_runtime_get_sync() usage count
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 110/593] media: sunxi: " Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 112/593] media: exynos4-is: " Greg Kroah-Hartman
                   ` (486 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron,
	Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit c44eac5b72e23c31eefc0e10a71d9650036b8341 ]

The pm_runtime_get_sync() internally increments the
dev->power.usage_count without decrementing it, even on errors.

The bdisp_start_streaming() doesn't take it into account, which
would unbalance PM usage counter at bdisp_stop_streaming().

The logic at bdisp_probe() is correct, but the best is to use
the same call along the driver.

So, replace it by the new pm_runtime_resume_and_get(), introduced by:
commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
in order to properly decrement the usage counter, avoiding
a potential PM usage counter leak.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
index 060ca85f64d5..85288da9d2ae 100644
--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
+++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c
@@ -499,7 +499,7 @@ static int bdisp_start_streaming(struct vb2_queue *q, unsigned int count)
 {
 	struct bdisp_ctx *ctx = q->drv_priv;
 	struct vb2_v4l2_buffer *buf;
-	int ret = pm_runtime_get_sync(ctx->bdisp_dev->dev);
+	int ret = pm_runtime_resume_and_get(ctx->bdisp_dev->dev);
 
 	if (ret < 0) {
 		dev_err(ctx->bdisp_dev->dev, "failed to set runtime PM\n");
@@ -1364,10 +1364,10 @@ static int bdisp_probe(struct platform_device *pdev)
 
 	/* Power management */
 	pm_runtime_enable(dev);
-	ret = pm_runtime_get_sync(dev);
+	ret = pm_runtime_resume_and_get(dev);
 	if (ret < 0) {
 		dev_err(dev, "failed to set PM\n");
-		goto err_pm;
+		goto err_remove;
 	}
 
 	/* Filters */
@@ -1395,6 +1395,7 @@ err_filter:
 	bdisp_hw_free_filters(bdisp->dev);
 err_pm:
 	pm_runtime_put(dev);
+err_remove:
 	bdisp_debugfs_remove(bdisp);
 	v4l2_device_unregister(&bdisp->v4l2_dev);
 err_clk:
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 112/593] media: exynos4-is: fix pm_runtime_get_sync() usage count
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 111/593] media: sti/bdisp: " Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 113/593] media: exynos-gsc: " Greg Kroah-Hartman
                   ` (485 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sylwester Nawrocki,
	Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit 59f96244af9403ddf4810ec5c0fbe8920857634e ]

The pm_runtime_get_sync() internally increments the
dev->power.usage_count without decrementing it, even on errors.

On some places, this is ok, but on others the usage count
ended being unbalanced on failures.

Replace it by the new pm_runtime_resume_and_get(), introduced by:
commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
in order to properly decrement the usage counter, avoiding
a potential PM usage counter leak.

As a bonus, such function always return zero on success. So,
some code can be simplified.

Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/exynos4-is/fimc-capture.c   |  6 ++----
 drivers/media/platform/exynos4-is/fimc-is.c        |  4 ++--
 drivers/media/platform/exynos4-is/fimc-isp-video.c |  3 +--
 drivers/media/platform/exynos4-is/fimc-isp.c       |  7 +++----
 drivers/media/platform/exynos4-is/fimc-lite.c      |  5 +++--
 drivers/media/platform/exynos4-is/fimc-m2m.c       |  5 +----
 drivers/media/platform/exynos4-is/media-dev.c      |  9 +++------
 drivers/media/platform/exynos4-is/mipi-csis.c      | 10 ++++------
 8 files changed, 19 insertions(+), 30 deletions(-)

diff --git a/drivers/media/platform/exynos4-is/fimc-capture.c b/drivers/media/platform/exynos4-is/fimc-capture.c
index 6000a4e789ad..808b490c1910 100644
--- a/drivers/media/platform/exynos4-is/fimc-capture.c
+++ b/drivers/media/platform/exynos4-is/fimc-capture.c
@@ -478,11 +478,9 @@ static int fimc_capture_open(struct file *file)
 		goto unlock;
 
 	set_bit(ST_CAPT_BUSY, &fimc->state);
-	ret = pm_runtime_get_sync(&fimc->pdev->dev);
-	if (ret < 0) {
-		pm_runtime_put_sync(&fimc->pdev->dev);
+	ret = pm_runtime_resume_and_get(&fimc->pdev->dev);
+	if (ret < 0)
 		goto unlock;
-	}
 
 	ret = v4l2_fh_open(file);
 	if (ret) {
diff --git a/drivers/media/platform/exynos4-is/fimc-is.c b/drivers/media/platform/exynos4-is/fimc-is.c
index 32ab01e89196..d26fa5967d82 100644
--- a/drivers/media/platform/exynos4-is/fimc-is.c
+++ b/drivers/media/platform/exynos4-is/fimc-is.c
@@ -828,9 +828,9 @@ static int fimc_is_probe(struct platform_device *pdev)
 			goto err_irq;
 	}
 
-	ret = pm_runtime_get_sync(dev);
+	ret = pm_runtime_resume_and_get(dev);
 	if (ret < 0)
-		goto err_pm;
+		goto err_irq;
 
 	vb2_dma_contig_set_max_seg_size(dev, DMA_BIT_MASK(32));
 
diff --git a/drivers/media/platform/exynos4-is/fimc-isp-video.c b/drivers/media/platform/exynos4-is/fimc-isp-video.c
index 612b9872afc8..8d9dc597deaa 100644
--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c
+++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c
@@ -275,7 +275,7 @@ static int isp_video_open(struct file *file)
 	if (ret < 0)
 		goto unlock;
 
-	ret = pm_runtime_get_sync(&isp->pdev->dev);
+	ret = pm_runtime_resume_and_get(&isp->pdev->dev);
 	if (ret < 0)
 		goto rel_fh;
 
@@ -293,7 +293,6 @@ static int isp_video_open(struct file *file)
 	if (!ret)
 		goto unlock;
 rel_fh:
-	pm_runtime_put_noidle(&isp->pdev->dev);
 	v4l2_fh_release(file);
 unlock:
 	mutex_unlock(&isp->video_lock);
diff --git a/drivers/media/platform/exynos4-is/fimc-isp.c b/drivers/media/platform/exynos4-is/fimc-isp.c
index a77c49b18511..74b49d30901e 100644
--- a/drivers/media/platform/exynos4-is/fimc-isp.c
+++ b/drivers/media/platform/exynos4-is/fimc-isp.c
@@ -304,11 +304,10 @@ static int fimc_isp_subdev_s_power(struct v4l2_subdev *sd, int on)
 	pr_debug("on: %d\n", on);
 
 	if (on) {
-		ret = pm_runtime_get_sync(&is->pdev->dev);
-		if (ret < 0) {
-			pm_runtime_put(&is->pdev->dev);
+		ret = pm_runtime_resume_and_get(&is->pdev->dev);
+		if (ret < 0)
 			return ret;
-		}
+
 		set_bit(IS_ST_PWR_ON, &is->state);
 
 		ret = fimc_is_start_firmware(is);
diff --git a/drivers/media/platform/exynos4-is/fimc-lite.c b/drivers/media/platform/exynos4-is/fimc-lite.c
index fdd0d369b192..d279f282d592 100644
--- a/drivers/media/platform/exynos4-is/fimc-lite.c
+++ b/drivers/media/platform/exynos4-is/fimc-lite.c
@@ -469,9 +469,9 @@ static int fimc_lite_open(struct file *file)
 	}
 
 	set_bit(ST_FLITE_IN_USE, &fimc->state);
-	ret = pm_runtime_get_sync(&fimc->pdev->dev);
+	ret = pm_runtime_resume_and_get(&fimc->pdev->dev);
 	if (ret < 0)
-		goto err_pm;
+		goto err_in_use;
 
 	ret = v4l2_fh_open(file);
 	if (ret < 0)
@@ -499,6 +499,7 @@ static int fimc_lite_open(struct file *file)
 	v4l2_fh_release(file);
 err_pm:
 	pm_runtime_put_sync(&fimc->pdev->dev);
+err_in_use:
 	clear_bit(ST_FLITE_IN_USE, &fimc->state);
 unlock:
 	mutex_unlock(&fimc->lock);
diff --git a/drivers/media/platform/exynos4-is/fimc-m2m.c b/drivers/media/platform/exynos4-is/fimc-m2m.c
index 4acb179556c4..24b1badd2080 100644
--- a/drivers/media/platform/exynos4-is/fimc-m2m.c
+++ b/drivers/media/platform/exynos4-is/fimc-m2m.c
@@ -73,17 +73,14 @@ static void fimc_m2m_shutdown(struct fimc_ctx *ctx)
 static int start_streaming(struct vb2_queue *q, unsigned int count)
 {
 	struct fimc_ctx *ctx = q->drv_priv;
-	int ret;
 
-	ret = pm_runtime_get_sync(&ctx->fimc_dev->pdev->dev);
-	return ret > 0 ? 0 : ret;
+	return pm_runtime_resume_and_get(&ctx->fimc_dev->pdev->dev);
 }
 
 static void stop_streaming(struct vb2_queue *q)
 {
 	struct fimc_ctx *ctx = q->drv_priv;
 
-
 	fimc_m2m_shutdown(ctx);
 	fimc_m2m_job_finish(ctx, VB2_BUF_STATE_ERROR);
 	pm_runtime_put(&ctx->fimc_dev->pdev->dev);
diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c
index e636c33e847b..1272f4703b81 100644
--- a/drivers/media/platform/exynos4-is/media-dev.c
+++ b/drivers/media/platform/exynos4-is/media-dev.c
@@ -508,11 +508,9 @@ static int fimc_md_register_sensor_entities(struct fimc_md *fmd)
 	if (!fmd->pmf)
 		return -ENXIO;
 
-	ret = pm_runtime_get_sync(fmd->pmf);
-	if (ret < 0) {
-		pm_runtime_put(fmd->pmf);
+	ret = pm_runtime_resume_and_get(fmd->pmf);
+	if (ret < 0)
 		return ret;
-	}
 
 	fmd->num_sensors = 0;
 
@@ -1287,8 +1285,7 @@ static int cam_clk_prepare(struct clk_hw *hw)
 	if (camclk->fmd->pmf == NULL)
 		return -ENODEV;
 
-	ret = pm_runtime_get_sync(camclk->fmd->pmf);
-	return ret < 0 ? ret : 0;
+	return pm_runtime_resume_and_get(camclk->fmd->pmf);
 }
 
 static void cam_clk_unprepare(struct clk_hw *hw)
diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c
index 1aac167abb17..ebf39c856894 100644
--- a/drivers/media/platform/exynos4-is/mipi-csis.c
+++ b/drivers/media/platform/exynos4-is/mipi-csis.c
@@ -494,7 +494,7 @@ static int s5pcsis_s_power(struct v4l2_subdev *sd, int on)
 	struct device *dev = &state->pdev->dev;
 
 	if (on)
-		return pm_runtime_get_sync(dev);
+		return pm_runtime_resume_and_get(dev);
 
 	return pm_runtime_put_sync(dev);
 }
@@ -509,11 +509,9 @@ static int s5pcsis_s_stream(struct v4l2_subdev *sd, int enable)
 
 	if (enable) {
 		s5pcsis_clear_counters(state);
-		ret = pm_runtime_get_sync(&state->pdev->dev);
-		if (ret && ret != 1) {
-			pm_runtime_put_noidle(&state->pdev->dev);
+		ret = pm_runtime_resume_and_get(&state->pdev->dev);
+		if (ret < 0)
 			return ret;
-		}
 	}
 
 	mutex_lock(&state->lock);
@@ -535,7 +533,7 @@ unlock:
 	if (!enable)
 		pm_runtime_put(&state->pdev->dev);
 
-	return ret == 1 ? 0 : ret;
+	return ret;
 }
 
 static int s5pcsis_enum_mbus_code(struct v4l2_subdev *sd,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 113/593] media: exynos-gsc: fix pm_runtime_get_sync() usage count
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 112/593] media: exynos4-is: " Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 114/593] spi: spi-loopback-test: Fix tx_buf might be rx_buf Greg Kroah-Hartman
                   ` (484 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron, Sylwester Nawrocki,
	Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit 59087b66ea6730c130c57d23bd9fd139b78c1ba5 ]

The pm_runtime_get_sync() internally increments the
dev->power.usage_count without decrementing it, even on errors.
Replace it by the new pm_runtime_resume_and_get(), introduced by:
commit dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")
in order to properly decrement the usage counter, avoiding
a potential PM usage counter leak.

As a bonus, as pm_runtime_get_sync() always return 0 on
success, the logic can be simplified.

Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/exynos-gsc/gsc-m2m.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/media/platform/exynos-gsc/gsc-m2m.c b/drivers/media/platform/exynos-gsc/gsc-m2m.c
index 27a3c92c73bc..f1cf847d1cc2 100644
--- a/drivers/media/platform/exynos-gsc/gsc-m2m.c
+++ b/drivers/media/platform/exynos-gsc/gsc-m2m.c
@@ -56,10 +56,8 @@ static void __gsc_m2m_job_abort(struct gsc_ctx *ctx)
 static int gsc_m2m_start_streaming(struct vb2_queue *q, unsigned int count)
 {
 	struct gsc_ctx *ctx = q->drv_priv;
-	int ret;
 
-	ret = pm_runtime_get_sync(&ctx->gsc_dev->pdev->dev);
-	return ret > 0 ? 0 : ret;
+	return pm_runtime_resume_and_get(&ctx->gsc_dev->pdev->dev);
 }
 
 static void __gsc_m2m_cleanup_queue(struct gsc_ctx *ctx)
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 114/593] spi: spi-loopback-test: Fix tx_buf might be rx_buf
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 113/593] media: exynos-gsc: " Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 115/593] spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages() Greg Kroah-Hartman
                   ` (483 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jay Fang, Mark Brown, Sasha Levin

From: Jay Fang <f.fangjian@huawei.com>

[ Upstream commit 9e37a3ab0627011fb63875e9a93094b6fc8ddf48 ]

In function 'spi_test_run_iter': Value 'tx_buf' might be 'rx_buf'.

Signed-off-by: Jay Fang <f.fangjian@huawei.com>
Link: https://lore.kernel.org/r/1620629903-15493-5-git-send-email-f.fangjian@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-loopback-test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c
index df981e55c24c..89b91cdfb2a5 100644
--- a/drivers/spi/spi-loopback-test.c
+++ b/drivers/spi/spi-loopback-test.c
@@ -874,7 +874,7 @@ static int spi_test_run_iter(struct spi_device *spi,
 		test.transfers[i].len = len;
 		if (test.transfers[i].tx_buf)
 			test.transfers[i].tx_buf += tx_off;
-		if (test.transfers[i].tx_buf)
+		if (test.transfers[i].rx_buf)
 			test.transfers[i].rx_buf += rx_off;
 	}
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 115/593] spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 114/593] spi: spi-loopback-test: Fix tx_buf might be rx_buf Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 116/593] spi: omap-100k: Fix the length judgment problem Greg Kroah-Hartman
                   ` (482 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jay Fang, Mark Brown, Sasha Levin

From: Jay Fang <f.fangjian@huawei.com>

[ Upstream commit 026a1dc1af52742c5897e64a3431445371a71871 ]

pch_spi_set_tx() frees data->pkt_tx_buff on failure of kzalloc() for
data->pkt_rx_buff, but its caller, pch_spi_process_messages(), will
free data->pkt_tx_buff again. Set data->pkt_tx_buff to NULL after
kfree() to avoid double free.

Signed-off-by: Jay Fang <f.fangjian@huawei.com>
Link: https://lore.kernel.org/r/1620284888-65215-1-git-send-email-f.fangjian@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-topcliff-pch.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c
index b459e369079f..7fb020a1d66a 100644
--- a/drivers/spi/spi-topcliff-pch.c
+++ b/drivers/spi/spi-topcliff-pch.c
@@ -580,8 +580,10 @@ static void pch_spi_set_tx(struct pch_spi_data *data, int *bpw)
 	data->pkt_tx_buff = kzalloc(size, GFP_KERNEL);
 	if (data->pkt_tx_buff != NULL) {
 		data->pkt_rx_buff = kzalloc(size, GFP_KERNEL);
-		if (!data->pkt_rx_buff)
+		if (!data->pkt_rx_buff) {
 			kfree(data->pkt_tx_buff);
+			data->pkt_tx_buff = NULL;
+		}
 	}
 
 	if (!data->pkt_rx_buff) {
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 116/593] spi: omap-100k: Fix the length judgment problem
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 115/593] spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages() Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 117/593] regulator: uniphier: Add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (481 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tian Tao, Mark Brown, Sasha Levin

From: Tian Tao <tiantao6@hisilicon.com>

[ Upstream commit e7a1a3abea373e41ba7dfe0fbc93cb79b6a3a529 ]

word_len should be checked in the omap1_spi100k_setup_transfer
function to see if it exceeds 32.

Signed-off-by: Tian Tao <tiantao6@hisilicon.com>
Link: https://lore.kernel.org/r/1619695248-39045-1-git-send-email-tiantao6@hisilicon.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-omap-100k.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
index ccd817ee4917..0d0cd061d356 100644
--- a/drivers/spi/spi-omap-100k.c
+++ b/drivers/spi/spi-omap-100k.c
@@ -241,7 +241,7 @@ static int omap1_spi100k_setup_transfer(struct spi_device *spi,
 	else
 		word_len = spi->bits_per_word;
 
-	if (spi->bits_per_word > 32)
+	if (word_len > 32)
 		return -EINVAL;
 	cs->word_len = word_len;
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 117/593] regulator: uniphier: Add missing MODULE_DEVICE_TABLE
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 116/593] spi: omap-100k: Fix the length judgment problem Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 118/593] sched/core: Initialize the idle task with preemption disabled Greg Kroah-Hartman
                   ` (480 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei, Mark Brown, Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit d019f38a1af3c6015cde6a47951a3ec43beeed80 ]

This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Link: https://lore.kernel.org/r/1620705198-104566-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/regulator/uniphier-regulator.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/regulator/uniphier-regulator.c b/drivers/regulator/uniphier-regulator.c
index 2e02e26b516c..e75b0973e325 100644
--- a/drivers/regulator/uniphier-regulator.c
+++ b/drivers/regulator/uniphier-regulator.c
@@ -201,6 +201,7 @@ static const struct of_device_id uniphier_regulator_match[] = {
 	},
 	{ /* Sentinel */ },
 };
+MODULE_DEVICE_TABLE(of, uniphier_regulator_match);
 
 static struct platform_driver uniphier_regulator_driver = {
 	.probe = uniphier_regulator_probe,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 118/593] sched/core: Initialize the idle task with preemption disabled
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 117/593] regulator: uniphier: Add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 119/593] hwrng: exynos - Fix runtime PM imbalance on error Greg Kroah-Hartman
                   ` (479 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Valentin Schneider, Ingo Molnar,
	Peter Zijlstra, Sasha Levin

From: Valentin Schneider <valentin.schneider@arm.com>

[ Upstream commit f1a0a376ca0c4ef1fc3d24e3e502acbb5b795674 ]

As pointed out by commit

  de9b8f5dcbd9 ("sched: Fix crash trying to dequeue/enqueue the idle thread")

init_idle() can and will be invoked more than once on the same idle
task. At boot time, it is invoked for the boot CPU thread by
sched_init(). Then smp_init() creates the threads for all the secondary
CPUs and invokes init_idle() on them.

As the hotplug machinery brings the secondaries to life, it will issue
calls to idle_thread_get(), which itself invokes init_idle() yet again.
In this case it's invoked twice more per secondary: at _cpu_up(), and at
bringup_cpu().

Given smp_init() already initializes the idle tasks for all *possible*
CPUs, no further initialization should be required. Now, removing
init_idle() from idle_thread_get() exposes some interesting expectations
with regards to the idle task's preempt_count: the secondary startup always
issues a preempt_disable(), requiring some reset of the preempt count to 0
between hot-unplug and hotplug, which is currently served by
idle_thread_get() -> idle_init().

Given the idle task is supposed to have preemption disabled once and never
see it re-enabled, it seems that what we actually want is to initialize its
preempt_count to PREEMPT_DISABLED and leave it there. Do that, and remove
init_idle() from idle_thread_get().

Secondary startups were patched via coccinelle:

  @begone@
  @@

  -preempt_disable();
  ...
  cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);

Signed-off-by: Valentin Schneider <valentin.schneider@arm.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20210512094636.2958515-1-valentin.schneider@arm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/alpha/kernel/smp.c          | 1 -
 arch/arc/kernel/smp.c            | 1 -
 arch/arm/kernel/smp.c            | 1 -
 arch/arm64/include/asm/preempt.h | 2 +-
 arch/arm64/kernel/smp.c          | 1 -
 arch/csky/kernel/smp.c           | 1 -
 arch/ia64/kernel/smpboot.c       | 1 -
 arch/mips/kernel/smp.c           | 1 -
 arch/openrisc/kernel/smp.c       | 2 --
 arch/parisc/kernel/smp.c         | 1 -
 arch/powerpc/kernel/smp.c        | 1 -
 arch/riscv/kernel/smpboot.c      | 1 -
 arch/s390/include/asm/preempt.h  | 4 ++--
 arch/s390/kernel/smp.c           | 1 -
 arch/sh/kernel/smp.c             | 2 --
 arch/sparc/kernel/smp_32.c       | 1 -
 arch/sparc/kernel/smp_64.c       | 3 ---
 arch/x86/include/asm/preempt.h   | 2 +-
 arch/x86/kernel/smpboot.c        | 1 -
 arch/xtensa/kernel/smp.c         | 1 -
 include/asm-generic/preempt.h    | 2 +-
 init/main.c                      | 6 +-----
 kernel/fork.c                    | 2 +-
 kernel/sched/core.c              | 2 +-
 kernel/smpboot.c                 | 1 -
 25 files changed, 8 insertions(+), 34 deletions(-)

diff --git a/arch/alpha/kernel/smp.c b/arch/alpha/kernel/smp.c
index f4dd9f3f3001..4b2575f936d4 100644
--- a/arch/alpha/kernel/smp.c
+++ b/arch/alpha/kernel/smp.c
@@ -166,7 +166,6 @@ smp_callin(void)
 	DBGS(("smp_callin: commencing CPU %d current %p active_mm %p\n",
 	      cpuid, current, current->active_mm));
 
-	preempt_disable();
 	cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
 }
 
diff --git a/arch/arc/kernel/smp.c b/arch/arc/kernel/smp.c
index 52906d314537..db0e104d6835 100644
--- a/arch/arc/kernel/smp.c
+++ b/arch/arc/kernel/smp.c
@@ -189,7 +189,6 @@ void start_kernel_secondary(void)
 	pr_info("## CPU%u LIVE ##: Executing Code...\n", cpu);
 
 	local_irq_enable();
-	preempt_disable();
 	cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
 }
 
diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
index 48099c6e1e4a..8aa7fa949c23 100644
--- a/arch/arm/kernel/smp.c
+++ b/arch/arm/kernel/smp.c
@@ -432,7 +432,6 @@ asmlinkage void secondary_start_kernel(void)
 #endif
 	pr_debug("CPU%u: Booted secondary processor\n", cpu);
 
-	preempt_disable();
 	trace_hardirqs_off();
 
 	/*
diff --git a/arch/arm64/include/asm/preempt.h b/arch/arm64/include/asm/preempt.h
index 80e946b2abee..e83f0982b99c 100644
--- a/arch/arm64/include/asm/preempt.h
+++ b/arch/arm64/include/asm/preempt.h
@@ -23,7 +23,7 @@ static inline void preempt_count_set(u64 pc)
 } while (0)
 
 #define init_idle_preempt_count(p, cpu) do { \
-	task_thread_info(p)->preempt_count = PREEMPT_ENABLED; \
+	task_thread_info(p)->preempt_count = PREEMPT_DISABLED; \
 } while (0)
 
 static inline void set_preempt_need_resched(void)
diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c
index 18e9727d3f64..feee5a3cd128 100644
--- a/arch/arm64/kernel/smp.c
+++ b/arch/arm64/kernel/smp.c
@@ -223,7 +223,6 @@ asmlinkage notrace void secondary_start_kernel(void)
 		init_gic_priority_masking();
 
 	rcu_cpu_starting(cpu);
-	preempt_disable();
 	trace_hardirqs_off();
 
 	/*
diff --git a/arch/csky/kernel/smp.c b/arch/csky/kernel/smp.c
index 041d0de6a1b6..1a8d7eaf1ff7 100644
--- a/arch/csky/kernel/smp.c
+++ b/arch/csky/kernel/smp.c
@@ -282,7 +282,6 @@ void csky_start_secondary(void)
 	pr_info("CPU%u Online: %s...\n", cpu, __func__);
 
 	local_irq_enable();
-	preempt_disable();
 	cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
 }
 
diff --git a/arch/ia64/kernel/smpboot.c b/arch/ia64/kernel/smpboot.c
index 093040f7e626..0cad990385c0 100644
--- a/arch/ia64/kernel/smpboot.c
+++ b/arch/ia64/kernel/smpboot.c
@@ -440,7 +440,6 @@ start_secondary (void *unused)
 #endif
 	efi_map_pal_code();
 	cpu_init();
-	preempt_disable();
 	smp_callin();
 
 	cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
diff --git a/arch/mips/kernel/smp.c b/arch/mips/kernel/smp.c
index 48d84d5fcc36..ff25926c5458 100644
--- a/arch/mips/kernel/smp.c
+++ b/arch/mips/kernel/smp.c
@@ -348,7 +348,6 @@ asmlinkage void start_secondary(void)
 	 */
 
 	calibrate_delay();
-	preempt_disable();
 	cpu = smp_processor_id();
 	cpu_data[cpu].udelay_val = loops_per_jiffy;
 
diff --git a/arch/openrisc/kernel/smp.c b/arch/openrisc/kernel/smp.c
index 29c82ef2e207..e4dad76066ae 100644
--- a/arch/openrisc/kernel/smp.c
+++ b/arch/openrisc/kernel/smp.c
@@ -134,8 +134,6 @@ asmlinkage __init void secondary_start_kernel(void)
 	set_cpu_online(cpu, true);
 
 	local_irq_enable();
-
-	preempt_disable();
 	/*
 	 * OK, it's off to the idle thread for us
 	 */
diff --git a/arch/parisc/kernel/smp.c b/arch/parisc/kernel/smp.c
index 10227f667c8a..1405b603b91b 100644
--- a/arch/parisc/kernel/smp.c
+++ b/arch/parisc/kernel/smp.c
@@ -302,7 +302,6 @@ void __init smp_callin(unsigned long pdce_proc)
 #endif
 
 	smp_cpu_init(slave_id);
-	preempt_disable();
 
 	flush_cache_all_local(); /* start with known state */
 	flush_tlb_all_local(NULL);
diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c
index db7ac77bea3a..0760230be56f 100644
--- a/arch/powerpc/kernel/smp.c
+++ b/arch/powerpc/kernel/smp.c
@@ -1426,7 +1426,6 @@ void start_secondary(void *unused)
 	smp_store_cpu_info(cpu);
 	set_dec(tb_ticks_per_jiffy);
 	rcu_cpu_starting(cpu);
-	preempt_disable();
 	cpu_callin_map[cpu] = 1;
 
 	if (smp_ops->setup_cpu)
diff --git a/arch/riscv/kernel/smpboot.c b/arch/riscv/kernel/smpboot.c
index 96167d55ed98..0b04e0eae3ab 100644
--- a/arch/riscv/kernel/smpboot.c
+++ b/arch/riscv/kernel/smpboot.c
@@ -166,7 +166,6 @@ asmlinkage __visible void smp_callin(void)
 	 * Disable preemption before enabling interrupts, so we don't try to
 	 * schedule a CPU that hasn't actually started yet.
 	 */
-	preempt_disable();
 	local_irq_enable();
 	cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
 }
diff --git a/arch/s390/include/asm/preempt.h b/arch/s390/include/asm/preempt.h
index 6ede29907fbf..e38480eb58fa 100644
--- a/arch/s390/include/asm/preempt.h
+++ b/arch/s390/include/asm/preempt.h
@@ -32,7 +32,7 @@ static inline void preempt_count_set(int pc)
 #define init_task_preempt_count(p)	do { } while (0)
 
 #define init_idle_preempt_count(p, cpu)	do { \
-	S390_lowcore.preempt_count = PREEMPT_ENABLED; \
+	S390_lowcore.preempt_count = PREEMPT_DISABLED; \
 } while (0)
 
 static inline void set_preempt_need_resched(void)
@@ -91,7 +91,7 @@ static inline void preempt_count_set(int pc)
 #define init_task_preempt_count(p)	do { } while (0)
 
 #define init_idle_preempt_count(p, cpu)	do { \
-	S390_lowcore.preempt_count = PREEMPT_ENABLED; \
+	S390_lowcore.preempt_count = PREEMPT_DISABLED; \
 } while (0)
 
 static inline void set_preempt_need_resched(void)
diff --git a/arch/s390/kernel/smp.c b/arch/s390/kernel/smp.c
index 791bc373418b..7db5460553b7 100644
--- a/arch/s390/kernel/smp.c
+++ b/arch/s390/kernel/smp.c
@@ -863,7 +863,6 @@ static void smp_init_secondary(void)
 	set_cpu_flag(CIF_ASCE_SECONDARY);
 	cpu_init();
 	rcu_cpu_starting(cpu);
-	preempt_disable();
 	init_cpu_timer();
 	vtime_init();
 	pfault_init();
diff --git a/arch/sh/kernel/smp.c b/arch/sh/kernel/smp.c
index 372acdc9033e..65924d9ec245 100644
--- a/arch/sh/kernel/smp.c
+++ b/arch/sh/kernel/smp.c
@@ -186,8 +186,6 @@ asmlinkage void start_secondary(void)
 
 	per_cpu_trap_init();
 
-	preempt_disable();
-
 	notify_cpu_starting(cpu);
 
 	local_irq_enable();
diff --git a/arch/sparc/kernel/smp_32.c b/arch/sparc/kernel/smp_32.c
index 50c127ab46d5..22b148e5a5f8 100644
--- a/arch/sparc/kernel/smp_32.c
+++ b/arch/sparc/kernel/smp_32.c
@@ -348,7 +348,6 @@ static void sparc_start_secondary(void *arg)
 	 */
 	arch_cpu_pre_starting(arg);
 
-	preempt_disable();
 	cpu = smp_processor_id();
 
 	notify_cpu_starting(cpu);
diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c
index e38d8bf454e8..ae5faa1d989d 100644
--- a/arch/sparc/kernel/smp_64.c
+++ b/arch/sparc/kernel/smp_64.c
@@ -138,9 +138,6 @@ void smp_callin(void)
 
 	set_cpu_online(cpuid, true);
 
-	/* idle thread is expected to have preempt disabled */
-	preempt_disable();
-
 	local_irq_enable();
 
 	cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
diff --git a/arch/x86/include/asm/preempt.h b/arch/x86/include/asm/preempt.h
index 69485ca13665..a334dd0d7c42 100644
--- a/arch/x86/include/asm/preempt.h
+++ b/arch/x86/include/asm/preempt.h
@@ -43,7 +43,7 @@ static __always_inline void preempt_count_set(int pc)
 #define init_task_preempt_count(p) do { } while (0)
 
 #define init_idle_preempt_count(p, cpu) do { \
-	per_cpu(__preempt_count, (cpu)) = PREEMPT_ENABLED; \
+	per_cpu(__preempt_count, (cpu)) = PREEMPT_DISABLED; \
 } while (0)
 
 /*
diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
index 582387fc939f..8baff500914e 100644
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
@@ -230,7 +230,6 @@ static void notrace start_secondary(void *unused)
 	cpu_init_exception_handling();
 	cpu_init();
 	x86_cpuinit.early_percpu_clock_init();
-	preempt_disable();
 	smp_callin();
 
 	enable_start_cpu0 = 0;
diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
index cd85a7a2722b..1254da07ead1 100644
--- a/arch/xtensa/kernel/smp.c
+++ b/arch/xtensa/kernel/smp.c
@@ -145,7 +145,6 @@ void secondary_start_kernel(void)
 	cpumask_set_cpu(cpu, mm_cpumask(mm));
 	enter_lazy_tlb(mm, current);
 
-	preempt_disable();
 	trace_hardirqs_off();
 
 	calibrate_delay();
diff --git a/include/asm-generic/preempt.h b/include/asm-generic/preempt.h
index d683f5e6d791..b4d43a4af5f7 100644
--- a/include/asm-generic/preempt.h
+++ b/include/asm-generic/preempt.h
@@ -29,7 +29,7 @@ static __always_inline void preempt_count_set(int pc)
 } while (0)
 
 #define init_idle_preempt_count(p, cpu) do { \
-	task_thread_info(p)->preempt_count = PREEMPT_ENABLED; \
+	task_thread_info(p)->preempt_count = PREEMPT_DISABLED; \
 } while (0)
 
 static __always_inline void set_preempt_need_resched(void)
diff --git a/init/main.c b/init/main.c
index b4449544390c..dd26a42e80a8 100644
--- a/init/main.c
+++ b/init/main.c
@@ -914,11 +914,7 @@ asmlinkage __visible void __init __no_sanitize_address start_kernel(void)
 	 * time - but meanwhile we still have a functioning scheduler.
 	 */
 	sched_init();
-	/*
-	 * Disable preemption - early bootup scheduling is extremely
-	 * fragile until we cpu_idle() for the first time.
-	 */
-	preempt_disable();
+
 	if (WARN(!irqs_disabled(),
 		 "Interrupts were enabled *very* early, fixing it\n"))
 		local_irq_disable();
diff --git a/kernel/fork.c b/kernel/fork.c
index 281addb694df..096945ef49ad 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2392,7 +2392,7 @@ static inline void init_idle_pids(struct task_struct *idle)
 	}
 }
 
-struct task_struct *fork_idle(int cpu)
+struct task_struct * __init fork_idle(int cpu)
 {
 	struct task_struct *task;
 	struct kernel_clone_args args = {
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 57b236251884..bd3fa14fda1f 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -6512,7 +6512,7 @@ void show_state_filter(unsigned long state_filter)
  * NOTE: this function does not set the idle thread's NEED_RESCHED
  * flag, to make booting more robust.
  */
-void init_idle(struct task_struct *idle, int cpu)
+void __init init_idle(struct task_struct *idle, int cpu)
 {
 	struct rq *rq = cpu_rq(cpu);
 	unsigned long flags;
diff --git a/kernel/smpboot.c b/kernel/smpboot.c
index f25208e8df83..e4163042c4d6 100644
--- a/kernel/smpboot.c
+++ b/kernel/smpboot.c
@@ -33,7 +33,6 @@ struct task_struct *idle_thread_get(unsigned int cpu)
 
 	if (!tsk)
 		return ERR_PTR(-ENOMEM);
-	init_idle(tsk, cpu);
 	return tsk;
 }
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 119/593] hwrng: exynos - Fix runtime PM imbalance on error
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 118/593] sched/core: Initialize the idle task with preemption disabled Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 120/593] crypto: nx - add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (478 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Łukasz Stelmach,
	Krzysztof Kozlowski, Herbert Xu, Sasha Levin

From: Łukasz Stelmach <l.stelmach@samsung.com>

[ Upstream commit 0cdbabf8bb7a6147f5adf37dbc251e92a1bbc2c7 ]

pm_runtime_resume_and_get() wraps around pm_runtime_get_sync() and
decrements the runtime PM usage counter in case the latter function
fails and keeps the counter balanced.

Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/hw_random/exynos-trng.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/hw_random/exynos-trng.c b/drivers/char/hw_random/exynos-trng.c
index 8e1fe3f8dd2d..c8db62bc5ff7 100644
--- a/drivers/char/hw_random/exynos-trng.c
+++ b/drivers/char/hw_random/exynos-trng.c
@@ -132,7 +132,7 @@ static int exynos_trng_probe(struct platform_device *pdev)
 		return PTR_ERR(trng->mem);
 
 	pm_runtime_enable(&pdev->dev);
-	ret = pm_runtime_get_sync(&pdev->dev);
+	ret = pm_runtime_resume_and_get(&pdev->dev);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "Could not get runtime PM.\n");
 		goto err_pm_get;
@@ -165,7 +165,7 @@ err_register:
 	clk_disable_unprepare(trng->clk);
 
 err_clock:
-	pm_runtime_put_sync(&pdev->dev);
+	pm_runtime_put_noidle(&pdev->dev);
 
 err_pm_get:
 	pm_runtime_disable(&pdev->dev);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 120/593] crypto: nx - add missing MODULE_DEVICE_TABLE
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 119/593] hwrng: exynos - Fix runtime PM imbalance on error Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 121/593] media: sti: fix obj-$(config) targets Greg Kroah-Hartman
                   ` (477 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Bixuan Cui, Herbert Xu,
	Sasha Levin

From: Bixuan Cui <cuibixuan@huawei.com>

[ Upstream commit 06676aa1f455c74e3ad1624cea3acb9ed2ef71ae ]

This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/nx/nx-842-pseries.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c
index 2de5e3672e42..258c5e38a551 100644
--- a/drivers/crypto/nx/nx-842-pseries.c
+++ b/drivers/crypto/nx/nx-842-pseries.c
@@ -1071,6 +1071,7 @@ static const struct vio_device_id nx842_vio_driver_ids[] = {
 	{"ibm,compression-v1", "ibm,compression"},
 	{"", ""},
 };
+MODULE_DEVICE_TABLE(vio, nx842_vio_driver_ids);
 
 static struct vio_driver nx842_vio_driver = {
 	.name = KBUILD_MODNAME,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 121/593] media: sti: fix obj-$(config) targets
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 120/593] crypto: nx - add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 122/593] media: cpia2: fix memory leak in cpia2_usb_probe Greg Kroah-Hartman
                   ` (476 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit 56c1f0876293888f686e31278d183d4af2cac3c3 ]

The right thing to do is to add a new object to the building
system when a certain config option is selected, and *not*
override them.

So, fix obj-$(config) logic at sti makefiles, using "+=",
instead of ":=".

Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/sti/bdisp/Makefile | 2 +-
 drivers/media/platform/sti/delta/Makefile | 2 +-
 drivers/media/platform/sti/hva/Makefile   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/media/platform/sti/bdisp/Makefile b/drivers/media/platform/sti/bdisp/Makefile
index caf7ccd193ea..39ade0a34723 100644
--- a/drivers/media/platform/sti/bdisp/Makefile
+++ b/drivers/media/platform/sti/bdisp/Makefile
@@ -1,4 +1,4 @@
 # SPDX-License-Identifier: GPL-2.0-only
-obj-$(CONFIG_VIDEO_STI_BDISP) := bdisp.o
+obj-$(CONFIG_VIDEO_STI_BDISP) += bdisp.o
 
 bdisp-objs := bdisp-v4l2.o bdisp-hw.o bdisp-debug.o
diff --git a/drivers/media/platform/sti/delta/Makefile b/drivers/media/platform/sti/delta/Makefile
index 92b37e216f00..32412fa4c632 100644
--- a/drivers/media/platform/sti/delta/Makefile
+++ b/drivers/media/platform/sti/delta/Makefile
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: GPL-2.0-only
-obj-$(CONFIG_VIDEO_STI_DELTA_DRIVER) := st-delta.o
+obj-$(CONFIG_VIDEO_STI_DELTA_DRIVER) += st-delta.o
 st-delta-y := delta-v4l2.o delta-mem.o delta-ipc.o delta-debug.o
 
 # MJPEG support
diff --git a/drivers/media/platform/sti/hva/Makefile b/drivers/media/platform/sti/hva/Makefile
index 74b41ec52f97..b5a5478bdd01 100644
--- a/drivers/media/platform/sti/hva/Makefile
+++ b/drivers/media/platform/sti/hva/Makefile
@@ -1,4 +1,4 @@
 # SPDX-License-Identifier: GPL-2.0-only
-obj-$(CONFIG_VIDEO_STI_HVA) := st-hva.o
+obj-$(CONFIG_VIDEO_STI_HVA) += st-hva.o
 st-hva-y := hva-v4l2.o hva-hw.o hva-mem.o hva-h264.o
 st-hva-$(CONFIG_VIDEO_STI_HVA_DEBUGFS) += hva-debugfs.o
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 122/593] media: cpia2: fix memory leak in cpia2_usb_probe
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 121/593] media: sti: fix obj-$(config) targets Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 123/593] media: cobalt: fix race condition in setting HPD Greg Kroah-Hartman
                   ` (475 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+d1e69c888f0d3866ead4,
	Pavel Skripkin, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit be8656e62e9e791837b606a027802b504a945c97 ]

syzbot reported leak in cpia2 usb driver. The problem was
in invalid error handling.

v4l2_device_register() is called in cpia2_init_camera_struct(), but
all error cases after cpia2_init_camera_struct() did not call the
v4l2_device_unregister()

Reported-by: syzbot+d1e69c888f0d3866ead4@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/cpia2/cpia2.h      |  1 +
 drivers/media/usb/cpia2/cpia2_core.c | 12 ++++++++++++
 drivers/media/usb/cpia2/cpia2_usb.c  | 13 +++++++------
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/drivers/media/usb/cpia2/cpia2.h b/drivers/media/usb/cpia2/cpia2.h
index 50835f5f7512..57b7f1ea68da 100644
--- a/drivers/media/usb/cpia2/cpia2.h
+++ b/drivers/media/usb/cpia2/cpia2.h
@@ -429,6 +429,7 @@ int cpia2_send_command(struct camera_data *cam, struct cpia2_command *cmd);
 int cpia2_do_command(struct camera_data *cam,
 		     unsigned int command,
 		     unsigned char direction, unsigned char param);
+void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf);
 struct camera_data *cpia2_init_camera_struct(struct usb_interface *intf);
 int cpia2_init_camera(struct camera_data *cam);
 int cpia2_allocate_buffers(struct camera_data *cam);
diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c
index e747548ab286..b5a2d06fb356 100644
--- a/drivers/media/usb/cpia2/cpia2_core.c
+++ b/drivers/media/usb/cpia2/cpia2_core.c
@@ -2163,6 +2163,18 @@ static void reset_camera_struct(struct camera_data *cam)
 	cam->height = cam->params.roi.height;
 }
 
+/******************************************************************************
+ *
+ *  cpia2_init_camera_struct
+ *
+ *  Deinitialize camera struct
+ *****************************************************************************/
+void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf)
+{
+	v4l2_device_unregister(&cam->v4l2_dev);
+	kfree(cam);
+}
+
 /******************************************************************************
  *
  *  cpia2_init_camera_struct
diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c
index 3ab80a7b4498..76aac06f9fb8 100644
--- a/drivers/media/usb/cpia2/cpia2_usb.c
+++ b/drivers/media/usb/cpia2/cpia2_usb.c
@@ -844,15 +844,13 @@ static int cpia2_usb_probe(struct usb_interface *intf,
 	ret = set_alternate(cam, USBIF_CMDONLY);
 	if (ret < 0) {
 		ERR("%s: usb_set_interface error (ret = %d)\n", __func__, ret);
-		kfree(cam);
-		return ret;
+		goto alt_err;
 	}
 
 
 	if((ret = cpia2_init_camera(cam)) < 0) {
 		ERR("%s: failed to initialize cpia2 camera (ret = %d)\n", __func__, ret);
-		kfree(cam);
-		return ret;
+		goto alt_err;
 	}
 	LOG("  CPiA Version: %d.%02d (%d.%d)\n",
 	       cam->params.version.firmware_revision_hi,
@@ -872,11 +870,14 @@ static int cpia2_usb_probe(struct usb_interface *intf,
 	ret = cpia2_register_camera(cam);
 	if (ret < 0) {
 		ERR("%s: Failed to register cpia2 camera (ret = %d)\n", __func__, ret);
-		kfree(cam);
-		return ret;
+		goto alt_err;
 	}
 
 	return 0;
+
+alt_err:
+	cpia2_deinit_camera_struct(cam, intf);
+	return ret;
 }
 
 /******************************************************************************
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 123/593] media: cobalt: fix race condition in setting HPD
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 122/593] media: cpia2: fix memory leak in cpia2_usb_probe Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 124/593] media: hevc: Fix dependent slice segment flags Greg Kroah-Hartman
                   ` (474 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Mauro Carvalho Chehab,
	Sasha Levin

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

[ Upstream commit 3d37ef41bed0854805ab9af22c422267510e1344 ]

The cobalt_s_bit_sysctrl reads the old register value over PCI,
then changes a bit and sets writes the new value to the register.

This is used among other things for setting the HPD output pin.

But if the HPD is changed for multiple inputs at the same time,
then this causes a race condition where a stale value is read.

Serialize this function with a mutex.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/cobalt/cobalt-driver.c | 1 +
 drivers/media/pci/cobalt/cobalt-driver.h | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/cobalt/cobalt-driver.c b/drivers/media/pci/cobalt/cobalt-driver.c
index 0695078ef812..1bd8bbe57a30 100644
--- a/drivers/media/pci/cobalt/cobalt-driver.c
+++ b/drivers/media/pci/cobalt/cobalt-driver.c
@@ -667,6 +667,7 @@ static int cobalt_probe(struct pci_dev *pci_dev,
 		return -ENOMEM;
 	cobalt->pci_dev = pci_dev;
 	cobalt->instance = i;
+	mutex_init(&cobalt->pci_lock);
 
 	retval = v4l2_device_register(&pci_dev->dev, &cobalt->v4l2_dev);
 	if (retval) {
diff --git a/drivers/media/pci/cobalt/cobalt-driver.h b/drivers/media/pci/cobalt/cobalt-driver.h
index bca68572b324..12c33e035904 100644
--- a/drivers/media/pci/cobalt/cobalt-driver.h
+++ b/drivers/media/pci/cobalt/cobalt-driver.h
@@ -251,6 +251,8 @@ struct cobalt {
 	int instance;
 	struct pci_dev *pci_dev;
 	struct v4l2_device v4l2_dev;
+	/* serialize PCI access in cobalt_s_bit_sysctrl() */
+	struct mutex pci_lock;
 
 	void __iomem *bar0, *bar1;
 
@@ -320,10 +322,13 @@ static inline u32 cobalt_g_sysctrl(struct cobalt *cobalt)
 static inline void cobalt_s_bit_sysctrl(struct cobalt *cobalt,
 					int bit, int val)
 {
-	u32 ctrl = cobalt_read_bar1(cobalt, COBALT_SYS_CTRL_BASE);
+	u32 ctrl;
 
+	mutex_lock(&cobalt->pci_lock);
+	ctrl = cobalt_read_bar1(cobalt, COBALT_SYS_CTRL_BASE);
 	cobalt_write_bar1(cobalt, COBALT_SYS_CTRL_BASE,
 			(ctrl & ~(1UL << bit)) | (val << bit));
+	mutex_unlock(&cobalt->pci_lock);
 }
 
 static inline u32 cobalt_g_sysstat(struct cobalt *cobalt)
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 124/593] media: hevc: Fix dependent slice segment flags
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 123/593] media: cobalt: fix race condition in setting HPD Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 125/593] media: pvrusb2: fix warning in pvr2_i2c_core_done Greg Kroah-Hartman
                   ` (473 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jernej Skrabec, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Jernej Skrabec <jernej.skrabec@siol.net>

[ Upstream commit 67a7e53d5b21f3a84efc03a4e62db7caf97841ef ]

Dependent slice segment flag for PPS control is misnamed. It should have
"enabled" at the end. It only tells if this flag is present in slice
header or not and not the actual value.

Fix this by renaming the PPS flag and introduce another flag for slice
control which tells actual value.

Signed-off-by: Jernej Skrabec <jernej.skrabec@siol.net>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/userspace-api/media/v4l/ext-ctrls-codec.rst | 5 ++++-
 drivers/staging/media/sunxi/cedrus/cedrus_h265.c          | 4 ++--
 include/media/hevc-ctrls.h                                | 3 ++-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/Documentation/userspace-api/media/v4l/ext-ctrls-codec.rst b/Documentation/userspace-api/media/v4l/ext-ctrls-codec.rst
index ce728c757eaf..b864869b42bc 100644
--- a/Documentation/userspace-api/media/v4l/ext-ctrls-codec.rst
+++ b/Documentation/userspace-api/media/v4l/ext-ctrls-codec.rst
@@ -4030,7 +4030,7 @@ enum v4l2_mpeg_video_hevc_size_of_length_field -
     :stub-columns: 0
     :widths:       1 1 2
 
-    * - ``V4L2_HEVC_PPS_FLAG_DEPENDENT_SLICE_SEGMENT``
+    * - ``V4L2_HEVC_PPS_FLAG_DEPENDENT_SLICE_SEGMENT_ENABLED``
       - 0x00000001
       -
     * - ``V4L2_HEVC_PPS_FLAG_OUTPUT_FLAG_PRESENT``
@@ -4238,6 +4238,9 @@ enum v4l2_mpeg_video_hevc_size_of_length_field -
     * - ``V4L2_HEVC_SLICE_PARAMS_FLAG_SLICE_LOOP_FILTER_ACROSS_SLICES_ENABLED``
       - 0x00000100
       -
+    * - ``V4L2_HEVC_SLICE_PARAMS_FLAG_DEPENDENT_SLICE_SEGMENT``
+      - 0x00000200
+      -
 
 .. c:type:: v4l2_hevc_dpb_entry
 
diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_h265.c b/drivers/staging/media/sunxi/cedrus/cedrus_h265.c
index ce497d0197df..10744fab7cea 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus_h265.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus_h265.c
@@ -477,8 +477,8 @@ static void cedrus_h265_setup(struct cedrus_ctx *ctx,
 				slice_params->flags);
 
 	reg |= VE_DEC_H265_FLAG(VE_DEC_H265_DEC_SLICE_HDR_INFO0_FLAG_DEPENDENT_SLICE_SEGMENT,
-				V4L2_HEVC_PPS_FLAG_DEPENDENT_SLICE_SEGMENT,
-				pps->flags);
+				V4L2_HEVC_SLICE_PARAMS_FLAG_DEPENDENT_SLICE_SEGMENT,
+				slice_params->flags);
 
 	/* FIXME: For multi-slice support. */
 	reg |= VE_DEC_H265_DEC_SLICE_HDR_INFO0_FLAG_FIRST_SLICE_SEGMENT_IN_PIC;
diff --git a/include/media/hevc-ctrls.h b/include/media/hevc-ctrls.h
index 1009cf0891cc..a3b650ab00f6 100644
--- a/include/media/hevc-ctrls.h
+++ b/include/media/hevc-ctrls.h
@@ -81,7 +81,7 @@ struct v4l2_ctrl_hevc_sps {
 	__u64	flags;
 };
 
-#define V4L2_HEVC_PPS_FLAG_DEPENDENT_SLICE_SEGMENT		(1ULL << 0)
+#define V4L2_HEVC_PPS_FLAG_DEPENDENT_SLICE_SEGMENT_ENABLED	(1ULL << 0)
 #define V4L2_HEVC_PPS_FLAG_OUTPUT_FLAG_PRESENT			(1ULL << 1)
 #define V4L2_HEVC_PPS_FLAG_SIGN_DATA_HIDING_ENABLED		(1ULL << 2)
 #define V4L2_HEVC_PPS_FLAG_CABAC_INIT_PRESENT			(1ULL << 3)
@@ -160,6 +160,7 @@ struct v4l2_hevc_pred_weight_table {
 #define V4L2_HEVC_SLICE_PARAMS_FLAG_USE_INTEGER_MV		(1ULL << 6)
 #define V4L2_HEVC_SLICE_PARAMS_FLAG_SLICE_DEBLOCKING_FILTER_DISABLED (1ULL << 7)
 #define V4L2_HEVC_SLICE_PARAMS_FLAG_SLICE_LOOP_FILTER_ACROSS_SLICES_ENABLED (1ULL << 8)
+#define V4L2_HEVC_SLICE_PARAMS_FLAG_DEPENDENT_SLICE_SEGMENT	(1ULL << 9)
 
 struct v4l2_ctrl_hevc_slice_params {
 	__u32	bit_size;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 125/593] media: pvrusb2: fix warning in pvr2_i2c_core_done
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 124/593] media: hevc: Fix dependent slice segment flags Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 126/593] media: imx: imx7_mipi_csis: Fix logging of only error event counters Greg Kroah-Hartman
                   ` (472 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e74a998ca8f1df9cc332,
	Anirudh Rayabharam, Hans Verkuil, Mauro Carvalho Chehab,
	Sasha Levin

From: Anirudh Rayabharam <mail@anirudhrb.com>

[ Upstream commit f8194e5e63fdcb349e8da9eef9e574d5b1d687cb ]

syzbot has reported the following warning in pvr2_i2c_done:

	sysfs group 'power' not found for kobject '1-0043'

When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is
not unregistered along with the USB and v4l2 teardown. As part of the USB
device disconnect, the sysfs files of the subdevices are also deleted.
So, by the time pvr_i2c_core_done is called by pvr_context_destroy, the
sysfs files have been deleted.

To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make
the device deregistration code shared by calling pvr_hdw_disconnect from
pvr2_hdw_destroy.

Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
Tested-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
index f4a727918e35..d38dee1792e4 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -2676,9 +2676,8 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw)
 		pvr2_stream_destroy(hdw->vid_stream);
 		hdw->vid_stream = NULL;
 	}
-	pvr2_i2c_core_done(hdw);
 	v4l2_device_unregister(&hdw->v4l2_dev);
-	pvr2_hdw_remove_usb_stuff(hdw);
+	pvr2_hdw_disconnect(hdw);
 	mutex_lock(&pvr2_unit_mtx);
 	do {
 		if ((hdw->unit_number >= 0) &&
@@ -2705,6 +2704,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw)
 {
 	pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw);
 	LOCK_TAKE(hdw->big_lock);
+	pvr2_i2c_core_done(hdw);
 	LOCK_TAKE(hdw->ctl_lock);
 	pvr2_hdw_remove_usb_stuff(hdw);
 	LOCK_GIVE(hdw->ctl_lock);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 126/593] media: imx: imx7_mipi_csis: Fix logging of only error event counters
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 125/593] media: pvrusb2: fix warning in pvr2_i2c_core_done Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 127/593] crypto: qat - check return code of qat_hal_rd_rel_reg() Greg Kroah-Hartman
                   ` (471 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Laurent Pinchart, Rui Miguel Silva,
	Frieder Schrempf, Mauro Carvalho Chehab, Sasha Levin

From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>

[ Upstream commit d2fcc9c2de1191ea80366e3658711753738dd10a ]

The mipi_csis_events array ends with 6 non-error events, not 4. Update
mipi_csis_log_counters() accordingly. While at it, log event counters in
forward order, as there's no reason to log them backward.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: Rui Miguel Silva <rmfrfs@gmail.com>
Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Tested-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/media/imx/imx7-mipi-csis.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/media/imx/imx7-mipi-csis.c b/drivers/staging/media/imx/imx7-mipi-csis.c
index 7612993cc1d6..c5a548976f1d 100644
--- a/drivers/staging/media/imx/imx7-mipi-csis.c
+++ b/drivers/staging/media/imx/imx7-mipi-csis.c
@@ -597,13 +597,15 @@ static void mipi_csis_clear_counters(struct csi_state *state)
 
 static void mipi_csis_log_counters(struct csi_state *state, bool non_errors)
 {
-	int i = non_errors ? MIPI_CSIS_NUM_EVENTS : MIPI_CSIS_NUM_EVENTS - 4;
+	unsigned int num_events = non_errors ? MIPI_CSIS_NUM_EVENTS
+				: MIPI_CSIS_NUM_EVENTS - 6;
 	struct device *dev = &state->pdev->dev;
 	unsigned long flags;
+	unsigned int i;
 
 	spin_lock_irqsave(&state->slock, flags);
 
-	for (i--; i >= 0; i--) {
+	for (i = 0; i < num_events; ++i) {
 		if (state->events[i].counter > 0 || state->debug)
 			dev_info(dev, "%s events: %d\n", state->events[i].name,
 				 state->events[i].counter);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 127/593] crypto: qat - check return code of qat_hal_rd_rel_reg()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 126/593] media: imx: imx7_mipi_csis: Fix logging of only error event counters Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 128/593] crypto: qat - remove unused macro in FW loader Greg Kroah-Hartman
                   ` (470 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jack Xu, Zhehui Xiang,
	Giovanni Cabiddu, Herbert Xu, Sasha Levin

From: Jack Xu <jack.xu@intel.com>

[ Upstream commit 96b57229209490c8bca4335b01a426a96173dc56 ]

Check the return code of the function qat_hal_rd_rel_reg() and return it
to the caller.

This is to fix the following warning when compiling the driver with
clang scan-build:

    drivers/crypto/qat/qat_common/qat_hal.c:1436:2: warning: 6th function call argument is an uninitialized value

Signed-off-by: Jack Xu <jack.xu@intel.com>
Co-developed-by: Zhehui Xiang <zhehui.xiang@intel.com>
Signed-off-by: Zhehui Xiang <zhehui.xiang@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/qat/qat_common/qat_hal.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/qat/qat_common/qat_hal.c b/drivers/crypto/qat/qat_common/qat_hal.c
index 52ef80efeddc..b40e81e0088f 100644
--- a/drivers/crypto/qat/qat_common/qat_hal.c
+++ b/drivers/crypto/qat/qat_common/qat_hal.c
@@ -1213,7 +1213,11 @@ static int qat_hal_put_rel_wr_xfer(struct icp_qat_fw_loader_handle *handle,
 		pr_err("QAT: bad xfrAddr=0x%x\n", xfr_addr);
 		return -EINVAL;
 	}
-	qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval);
+	status = qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval);
+	if (status) {
+		pr_err("QAT: failed to read register");
+		return status;
+	}
 	gpr_addr = qat_hal_get_reg_addr(ICP_GPB_REL, gprnum);
 	data16low = 0xffff & data;
 	data16hi = 0xffff & (data >> 0x10);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 128/593] crypto: qat - remove unused macro in FW loader
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 127/593] crypto: qat - check return code of qat_hal_rd_rel_reg() Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 129/593] crypto: qce: skcipher: Fix incorrect sg count for dma transfers Greg Kroah-Hartman
                   ` (469 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jack Xu, Zhehui Xiang,
	Giovanni Cabiddu, Herbert Xu, Sasha Levin

From: Jack Xu <jack.xu@intel.com>

[ Upstream commit 9afe77cf25d9670e61b489fd52cc6f75fd7f6803 ]

Remove the unused macro ICP_DH895XCC_PESRAM_BAR_SIZE in the firmware
loader.

This is to fix the following warning when compiling the driver using the
clang compiler with CC=clang W=2:

    drivers/crypto/qat/qat_common/qat_uclo.c:345:9: warning: macro is not used [-Wunused-macros]

Signed-off-by: Jack Xu <jack.xu@intel.com>
Co-developed-by: Zhehui Xiang <zhehui.xiang@intel.com>
Signed-off-by: Zhehui Xiang <zhehui.xiang@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/qat/qat_common/qat_uclo.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/crypto/qat/qat_common/qat_uclo.c b/drivers/crypto/qat/qat_common/qat_uclo.c
index 5d1f28cd6680..6adc91fedb08 100644
--- a/drivers/crypto/qat/qat_common/qat_uclo.c
+++ b/drivers/crypto/qat/qat_common/qat_uclo.c
@@ -342,7 +342,6 @@ static int qat_uclo_init_umem_seg(struct icp_qat_fw_loader_handle *handle,
 	return 0;
 }
 
-#define ICP_DH895XCC_PESRAM_BAR_SIZE 0x80000
 static int qat_uclo_init_ae_memory(struct icp_qat_fw_loader_handle *handle,
 				   struct icp_qat_uof_initmem *init_mem)
 {
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 129/593] crypto: qce: skcipher: Fix incorrect sg count for dma transfers
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 128/593] crypto: qat - remove unused macro in FW loader Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-14 19:40   ` Pavel Machek
  2021-07-12  6:04 ` [PATCH 5.10 130/593] arm64: perf: Convert snprintf to sysfs_emit Greg Kroah-Hartman
                   ` (468 subsequent siblings)
  597 siblings, 1 reply; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thara Gopinath, Herbert Xu, Sasha Levin

From: Thara Gopinath <thara.gopinath@linaro.org>

[ Upstream commit 1339a7c3ba05137a2d2fe75f602311bbfc6fab33 ]

Use the sg count returned by dma_map_sg to call into
dmaengine_prep_slave_sg rather than using the original sg count. dma_map_sg
can merge consecutive sglist entries, thus making the original sg count
wrong. This is a fix for memory coruption issues observed while testing
encryption/decryption of large messages using libkcapi framework.

Patch has been tested further by running full suite of tcrypt.ko tests
including fuzz tests.

Signed-off-by: Thara Gopinath <thara.gopinath@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/qce/skcipher.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/crypto/qce/skcipher.c b/drivers/crypto/qce/skcipher.c
index a2d3da0ad95f..5a6559131eac 100644
--- a/drivers/crypto/qce/skcipher.c
+++ b/drivers/crypto/qce/skcipher.c
@@ -71,7 +71,7 @@ qce_skcipher_async_req_handle(struct crypto_async_request *async_req)
 	struct scatterlist *sg;
 	bool diff_dst;
 	gfp_t gfp;
-	int ret;
+	int dst_nents, src_nents, ret;
 
 	rctx->iv = req->iv;
 	rctx->ivsize = crypto_skcipher_ivsize(skcipher);
@@ -122,21 +122,22 @@ qce_skcipher_async_req_handle(struct crypto_async_request *async_req)
 	sg_mark_end(sg);
 	rctx->dst_sg = rctx->dst_tbl.sgl;
 
-	ret = dma_map_sg(qce->dev, rctx->dst_sg, rctx->dst_nents, dir_dst);
-	if (ret < 0)
+	dst_nents = dma_map_sg(qce->dev, rctx->dst_sg, rctx->dst_nents, dir_dst);
+	if (dst_nents < 0)
 		goto error_free;
 
 	if (diff_dst) {
-		ret = dma_map_sg(qce->dev, req->src, rctx->src_nents, dir_src);
-		if (ret < 0)
+		src_nents = dma_map_sg(qce->dev, req->src, rctx->src_nents, dir_src);
+		if (src_nents < 0)
 			goto error_unmap_dst;
 		rctx->src_sg = req->src;
 	} else {
 		rctx->src_sg = rctx->dst_sg;
+		src_nents = dst_nents - 1;
 	}
 
-	ret = qce_dma_prep_sgs(&qce->dma, rctx->src_sg, rctx->src_nents,
-			       rctx->dst_sg, rctx->dst_nents,
+	ret = qce_dma_prep_sgs(&qce->dma, rctx->src_sg, src_nents,
+			       rctx->dst_sg, dst_nents,
 			       qce_skcipher_done, async_req);
 	if (ret)
 		goto error_unmap_src;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 130/593] arm64: perf: Convert snprintf to sysfs_emit
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 129/593] crypto: qce: skcipher: Fix incorrect sg count for dma transfers Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 131/593] sched/fair: Fix ascii art by relpacing tabs Greg Kroah-Hartman
                   ` (467 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tian Tao, Will Deacon, Sasha Levin

From: Tian Tao <tiantao6@hisilicon.com>

[ Upstream commit a5740e955540181f4ab8f076cc9795c6bbe4d730 ]

Use sysfs_emit instead of snprintf to avoid buf overrun,because in
sysfs_emit it strictly checks whether buf is null or buf whether
pagesize aligned, otherwise it returns an error.

Signed-off-by: Tian Tao <tiantao6@hisilicon.com>
Link: https://lore.kernel.org/r/1621497585-30887-1-git-send-email-tiantao6@hisilicon.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/perf_event.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c
index 11852e05ee32..cdb3d4549b3a 100644
--- a/arch/arm64/kernel/perf_event.c
+++ b/arch/arm64/kernel/perf_event.c
@@ -312,7 +312,7 @@ static ssize_t slots_show(struct device *dev, struct device_attribute *attr,
 	struct arm_pmu *cpu_pmu = container_of(pmu, struct arm_pmu, pmu);
 	u32 slots = cpu_pmu->reg_pmmir & ARMV8_PMU_SLOTS_MASK;
 
-	return snprintf(page, PAGE_SIZE, "0x%08x\n", slots);
+	return sysfs_emit(page, "0x%08x\n", slots);
 }
 
 static DEVICE_ATTR_RO(slots);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 131/593] sched/fair: Fix ascii art by relpacing tabs
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 130/593] arm64: perf: Convert snprintf to sysfs_emit Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-14 19:44   ` Pavel Machek
  2021-07-12  6:04 ` [PATCH 5.10 132/593] media: i2c: ov2659: Use clk_{prepare_enable,disable_unprepare}() to set xvclk on/off Greg Kroah-Hartman
                   ` (466 subsequent siblings)
  597 siblings, 1 reply; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Odin Ugedal, Peter Zijlstra (Intel),
	Vincent Guittot, Sasha Levin

From: Odin Ugedal <odin@uged.al>

[ Upstream commit 08f7c2f4d0e9f4283f5796b8168044c034a1bfcb ]

When using something other than 8 spaces per tab, this ascii art
makes not sense, and the reader might end up wondering what this
advanced equation "is".

Signed-off-by: Odin Ugedal <odin@uged.al>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Vincent Guittot <vincent.guittot@linaro.org>
Link: https://lkml.kernel.org/r/20210518125202.78658-4-odin@uged.al
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/fair.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index d6e1c90de570..3d92de7909bf 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -3141,7 +3141,7 @@ void reweight_task(struct task_struct *p, int prio)
  *
  *                     tg->weight * grq->load.weight
  *   ge->load.weight = -----------------------------               (1)
- *			  \Sum grq->load.weight
+ *                       \Sum grq->load.weight
  *
  * Now, because computing that sum is prohibitively expensive to compute (been
  * there, done that) we approximate it with this average stuff. The average
@@ -3155,7 +3155,7 @@ void reweight_task(struct task_struct *p, int prio)
  *
  *                     tg->weight * grq->avg.load_avg
  *   ge->load.weight = ------------------------------              (3)
- *				tg->load_avg
+ *                             tg->load_avg
  *
  * Where: tg->load_avg ~= \Sum grq->avg.load_avg
  *
@@ -3171,7 +3171,7 @@ void reweight_task(struct task_struct *p, int prio)
  *
  *                     tg->weight * grq->load.weight
  *   ge->load.weight = ----------------------------- = tg->weight   (4)
- *			    grp->load.weight
+ *                         grp->load.weight
  *
  * That is, the sum collapses because all other CPUs are idle; the UP scenario.
  *
@@ -3190,7 +3190,7 @@ void reweight_task(struct task_struct *p, int prio)
  *
  *                     tg->weight * grq->load.weight
  *   ge->load.weight = -----------------------------		   (6)
- *				tg_load_avg'
+ *                             tg_load_avg'
  *
  * Where:
  *
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 132/593] media: i2c: ov2659: Use clk_{prepare_enable,disable_unprepare}() to set xvclk on/off
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 131/593] sched/fair: Fix ascii art by relpacing tabs Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 133/593] media: bt878: do not schedule tasklet when it is not setup Greg Kroah-Hartman
                   ` (465 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dillon Min, Lad Prabhakar,
	Sakari Ailus, Mauro Carvalho Chehab, Sasha Levin

From: Dillon Min <dillon.minfei@gmail.com>

[ Upstream commit 24786ccd9c80fdb05494aa4d90fcb8f34295c193 ]

On some platform(imx6q), xvclk might not switch on in advance,
also for power save purpose, xvclk should not be always on.
so, add clk_prepare_enable(), clk_disable_unprepare() in driver
side to set xvclk on/off at proper stage.

Add following changes:
- add 'struct clk *clk;' in 'struct ov2659 {}'
- enable xvclk in ov2659_power_on()
- disable xvclk in ov2659_power_off()

Signed-off-by: Dillon Min <dillon.minfei@gmail.com>
Acked-by: Lad Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/i2c/ov2659.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c
index 42f64175a6df..fb78a1cedc03 100644
--- a/drivers/media/i2c/ov2659.c
+++ b/drivers/media/i2c/ov2659.c
@@ -204,6 +204,7 @@ struct ov2659 {
 	struct i2c_client *client;
 	struct v4l2_ctrl_handler ctrls;
 	struct v4l2_ctrl *link_frequency;
+	struct clk *clk;
 	const struct ov2659_framesize *frame_size;
 	struct sensor_register *format_ctrl_regs;
 	struct ov2659_pll_ctrl pll;
@@ -1270,6 +1271,8 @@ static int ov2659_power_off(struct device *dev)
 
 	gpiod_set_value(ov2659->pwdn_gpio, 1);
 
+	clk_disable_unprepare(ov2659->clk);
+
 	return 0;
 }
 
@@ -1278,9 +1281,17 @@ static int ov2659_power_on(struct device *dev)
 	struct i2c_client *client = to_i2c_client(dev);
 	struct v4l2_subdev *sd = i2c_get_clientdata(client);
 	struct ov2659 *ov2659 = to_ov2659(sd);
+	int ret;
 
 	dev_dbg(&client->dev, "%s:\n", __func__);
 
+	ret = clk_prepare_enable(ov2659->clk);
+	if (ret) {
+		dev_err(&client->dev, "%s: failed to enable clock\n",
+			__func__);
+		return ret;
+	}
+
 	gpiod_set_value(ov2659->pwdn_gpio, 0);
 
 	if (ov2659->resetb_gpio) {
@@ -1425,7 +1436,6 @@ static int ov2659_probe(struct i2c_client *client)
 	const struct ov2659_platform_data *pdata = ov2659_get_pdata(client);
 	struct v4l2_subdev *sd;
 	struct ov2659 *ov2659;
-	struct clk *clk;
 	int ret;
 
 	if (!pdata) {
@@ -1440,11 +1450,11 @@ static int ov2659_probe(struct i2c_client *client)
 	ov2659->pdata = pdata;
 	ov2659->client = client;
 
-	clk = devm_clk_get(&client->dev, "xvclk");
-	if (IS_ERR(clk))
-		return PTR_ERR(clk);
+	ov2659->clk = devm_clk_get(&client->dev, "xvclk");
+	if (IS_ERR(ov2659->clk))
+		return PTR_ERR(ov2659->clk);
 
-	ov2659->xvclk_frequency = clk_get_rate(clk);
+	ov2659->xvclk_frequency = clk_get_rate(ov2659->clk);
 	if (ov2659->xvclk_frequency < 6000000 ||
 	    ov2659->xvclk_frequency > 27000000)
 		return -EINVAL;
@@ -1506,7 +1516,9 @@ static int ov2659_probe(struct i2c_client *client)
 	ov2659->frame_size = &ov2659_framesizes[2];
 	ov2659->format_ctrl_regs = ov2659_formats[0].format_ctrl_regs;
 
-	ov2659_power_on(&client->dev);
+	ret = ov2659_power_on(&client->dev);
+	if (ret < 0)
+		goto error;
 
 	ret = ov2659_detect(sd);
 	if (ret < 0)
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 133/593] media: bt878: do not schedule tasklet when it is not setup
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 132/593] media: i2c: ov2659: Use clk_{prepare_enable,disable_unprepare}() to set xvclk on/off Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 134/593] media: em28xx: Fix possible memory leak of em28xx struct Greg Kroah-Hartman
                   ` (464 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tong Zhang, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Tong Zhang <ztong0001@gmail.com>

[ Upstream commit a3a54bf4bddaecda8b5767209cfc703f0be2841d ]

There is a problem with the tasklet in bt878. bt->tasklet is set by
dvb-bt8xx.ko, and bt878.ko can be loaded independently.
In this case if interrupt comes it may cause null-ptr-dereference.
To solve this issue, we check if the tasklet is actually set before
calling tasklet_schedule.

[    1.750438] bt878(0): irq FDSR FBUS risc_pc=
[    1.750728] BUG: kernel NULL pointer dereference, address: 0000000000000000
[    1.752969] RIP: 0010:0x0
[    1.757526] Call Trace:
[    1.757659]  <IRQ>
[    1.757770]  tasklet_action_common.isra.0+0x107/0x110
[    1.758041]  tasklet_action+0x22/0x30
[    1.758237]  __do_softirq+0xe0/0x29b
[    1.758430]  irq_exit_rcu+0xa4/0xb0
[    1.758618]  common_interrupt+0x8d/0xa0
[    1.758824]  </IRQ>

Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/bt8xx/bt878.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c
index 79ba15a9385a..69a304e0db11 100644
--- a/drivers/media/pci/bt8xx/bt878.c
+++ b/drivers/media/pci/bt8xx/bt878.c
@@ -300,7 +300,8 @@ static irqreturn_t bt878_irq(int irq, void *dev_id)
 		}
 		if (astat & BT878_ARISCI) {
 			bt->finished_block = (stat & BT878_ARISCS) >> 28;
-			tasklet_schedule(&bt->tasklet);
+			if (bt->tasklet.callback)
+				tasklet_schedule(&bt->tasklet);
 			break;
 		}
 		count++;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 134/593] media: em28xx: Fix possible memory leak of em28xx struct
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 133/593] media: bt878: do not schedule tasklet when it is not setup Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 135/593] media: hantro: Fix .buf_prepare Greg Kroah-Hartman
                   ` (463 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Igor Matheus Andrade Torrente,
	Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin

From: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>

[ Upstream commit ac5688637144644f06ed1f3c6d4dd8bb7db96020 ]

The em28xx struct kref isn't being decreased after an error in the
em28xx_ir_init, leading to a possible memory leak.

A kref_put and em28xx_shutdown_buttons is added to the error handler code.

Signed-off-by: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/em28xx/em28xx-input.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/em28xx/em28xx-input.c b/drivers/media/usb/em28xx/em28xx-input.c
index 5aa15a7a49de..59529cbf9cd0 100644
--- a/drivers/media/usb/em28xx/em28xx-input.c
+++ b/drivers/media/usb/em28xx/em28xx-input.c
@@ -720,7 +720,8 @@ static int em28xx_ir_init(struct em28xx *dev)
 			dev->board.has_ir_i2c = 0;
 			dev_warn(&dev->intf->dev,
 				 "No i2c IR remote control device found.\n");
-			return -ENODEV;
+			err = -ENODEV;
+			goto ref_put;
 		}
 	}
 
@@ -735,7 +736,7 @@ static int em28xx_ir_init(struct em28xx *dev)
 
 	ir = kzalloc(sizeof(*ir), GFP_KERNEL);
 	if (!ir)
-		return -ENOMEM;
+		goto ref_put;
 	rc = rc_allocate_device(RC_DRIVER_SCANCODE);
 	if (!rc)
 		goto error;
@@ -839,6 +840,9 @@ error:
 	dev->ir = NULL;
 	rc_free_device(rc);
 	kfree(ir);
+ref_put:
+	em28xx_shutdown_buttons(dev);
+	kref_put(&dev->ref, em28xx_free_device);
 	return err;
 }
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 135/593] media: hantro: Fix .buf_prepare
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 134/593] media: em28xx: Fix possible memory leak of em28xx struct Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 136/593] media: cedrus: " Greg Kroah-Hartman
                   ` (462 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrzej Pietrasiewicz, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Andrzej Pietrasiewicz <andrzej.p@collabora.com>

[ Upstream commit 082aaecff35fbe1937531057911b1dd1fc6b496e ]

The driver should only set the payload on .buf_prepare if the
buffer is CAPTURE type. If an OUTPUT buffer has a zero bytesused
set by userspace then v4l2-core will set it to buffer length.

If we overwrite bytesused for OUTPUT buffers, too, then
vb2_get_plane_payload() will return incorrect value which might be then
written to hw registers by the driver in hantro_g1_h264_dec.c.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/media/hantro/hantro_v4l2.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/media/hantro/hantro_v4l2.c b/drivers/staging/media/hantro/hantro_v4l2.c
index f5fbdbc4ffdb..5c2ca61add8e 100644
--- a/drivers/staging/media/hantro/hantro_v4l2.c
+++ b/drivers/staging/media/hantro/hantro_v4l2.c
@@ -639,7 +639,14 @@ static int hantro_buf_prepare(struct vb2_buffer *vb)
 	ret = hantro_buf_plane_check(vb, pix_fmt);
 	if (ret)
 		return ret;
-	vb2_set_plane_payload(vb, 0, pix_fmt->plane_fmt[0].sizeimage);
+	/*
+	 * Buffer's bytesused must be written by driver for CAPTURE buffers.
+	 * (for OUTPUT buffers, if userspace passes 0 bytesused, v4l2-core sets
+	 * it to buffer length).
+	 */
+	if (V4L2_TYPE_IS_CAPTURE(vq->type))
+		vb2_set_plane_payload(vb, 0, pix_fmt->plane_fmt[0].sizeimage);
+
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 136/593] media: cedrus: Fix .buf_prepare
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 135/593] media: hantro: Fix .buf_prepare Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 137/593] media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release Greg Kroah-Hartman
                   ` (461 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrzej Pietrasiewicz, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Andrzej Pietrasiewicz <andrzej.p@collabora.com>

[ Upstream commit d84b9202d712309840f8b5abee0ed272506563bd ]

The driver should only set the payload on .buf_prepare if the
buffer is CAPTURE type. If an OUTPUT buffer has a zero bytesused
set by userspace then v4l2-core will set it to buffer length.

If we overwrite bytesused for OUTPUT buffers, too, then
vb2_get_plane_payload() will return incorrect value which might be then
written to hw registers by the driver in cedrus_h264.c or cedrus_vp8.c.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/media/sunxi/cedrus/cedrus_video.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/media/sunxi/cedrus/cedrus_video.c b/drivers/staging/media/sunxi/cedrus/cedrus_video.c
index 911f607d9b09..16327be904d1 100644
--- a/drivers/staging/media/sunxi/cedrus/cedrus_video.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus_video.c
@@ -449,7 +449,13 @@ static int cedrus_buf_prepare(struct vb2_buffer *vb)
 	if (vb2_plane_size(vb, 0) < pix_fmt->sizeimage)
 		return -EINVAL;
 
-	vb2_set_plane_payload(vb, 0, pix_fmt->sizeimage);
+	/*
+	 * Buffer's bytesused must be written by driver for CAPTURE buffers.
+	 * (for OUTPUT buffers, if userspace passes 0 bytesused, v4l2-core sets
+	 * it to buffer length).
+	 */
+	if (V4L2_TYPE_IS_CAPTURE(vq->type))
+		vb2_set_plane_payload(vb, 0, pix_fmt->sizeimage);
 
 	return 0;
 }
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 137/593] media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 136/593] media: cedrus: " Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 138/593] media: bt8xx: Fix a missing check bug in bt878_probe Greg Kroah-Hartman
                   ` (460 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lv Yunlong, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>

[ Upstream commit 7dd0c9e547b6924e18712b6b51aa3cba1896ee2c ]

A use after free bug caused by the dangling pointer
filp->privitate_data in v4l2_fh_release.
See https://lore.kernel.org/patchwork/patch/1419058/.

My patch sets the dangling pointer to NULL to provide
robust.

Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/v4l2-core/v4l2-fh.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/v4l2-core/v4l2-fh.c b/drivers/media/v4l2-core/v4l2-fh.c
index 684574f58e82..90eec79ee995 100644
--- a/drivers/media/v4l2-core/v4l2-fh.c
+++ b/drivers/media/v4l2-core/v4l2-fh.c
@@ -96,6 +96,7 @@ int v4l2_fh_release(struct file *filp)
 		v4l2_fh_del(fh);
 		v4l2_fh_exit(fh);
 		kfree(fh);
+		filp->private_data = NULL;
 	}
 	return 0;
 }
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 138/593] media: bt8xx: Fix a missing check bug in bt878_probe
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 137/593] media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:04 ` [PATCH 5.10 139/593] media: st-hva: Fix potential NULL pointer dereferences Greg Kroah-Hartman
                   ` (459 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 1a4520090681853e6b850cbe54b27247a013e0e5 ]

In 'bt878_irq', the driver calls 'tasklet_schedule', but this tasklet is
set in 'dvb_bt8xx_load_card' of another driver 'dvb-bt8xx'.
However, this two drivers are separate. The user may not load the
'dvb-bt8xx' driver when loading the 'bt8xx' driver, that is, the tasklet
has not been initialized when 'tasklet_schedule' is called, so it is
necessary to check whether the tasklet is initialized in 'bt878_probe'.

Fix this by adding a check at the end of bt878_probe.

The KASAN's report reveals it:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 800000006aab2067 P4D 800000006aab2067 PUD 6b2ea067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN PTI
CPU: 2 PID: 8724 Comm: syz-executor.0 Not tainted 4.19.177-
gdba4159c14ef-dirty #40
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-
gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:          (null)
Code: Bad RIP value.
RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246
RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000
RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774
R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000
R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90
FS:  00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS:
0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 tasklet_action_common.isra.17+0x141/0x420 kernel/softirq.c:522
 tasklet_action+0x50/0x70 kernel/softirq.c:540
 __do_softirq+0x224/0x92c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x15a/0x180 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:535 [inline]
 do_IRQ+0x123/0x1e0 arch/x86/kernel/irq.c:260
 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
 </IRQ>
RIP: 0010:__do_sys_interrupt kernel/sys.c:2593 [inline]
RIP: 0010:__se_sys_interrupt kernel/sys.c:2584 [inline]
RIP: 0010:__x64_sys_interrupt+0x5b/0x80 kernel/sys.c:2584
Code: ba 00 04 00 00 48 c7 c7 c0 99 31 8c e8 ae 76 5e 01 48 85 c0 75 21 e8
14 ae 24 00 48 c7 c3 c0 99 31 8c b8 0c 00 00 00 0f 01 c1 <31> db e8 fe ad
24 00 48 89 d8 5b 5d c3 48 c7 c3 ea ff ff ff eb ec
RSP: 0018:ffff888054167f10 EFLAGS: 00000212 ORIG_RAX: ffffffffffffffde
RAX: 000000000000000c RBX: ffffffff8c3199c0 RCX: ffffc90001ca6000
RDX: 000000000000001a RSI: ffffffff813478fc RDI: ffffffff8c319dc0
RBP: ffff888054167f18 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000080 R11: fffffbfff18633b7 R12: ffff888054167f58
R13: ffff88805f638000 R14: 0000000000000000 R15: 0000000000000000
 do_syscall_64+0xb0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4692a9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6b550e5c48 EFLAGS: 00000246 ORIG_RAX: 000000000000014f
RAX: ffffffffffffffda RBX: 000000000077bf60 RCX: 00000000004692a9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
RBP: 00000000004cf7eb R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf60
R13: 0000000000000000 R14: 000000000077bf60 R15: 00007fff55a1dca0
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: 0000000000000000
---[ end trace 68e5849c3f77cbb6 ]---
RIP: 0010:          (null)
Code: Bad RIP value.
RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246
RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000
RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774
R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000
R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90
FS:  00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS:
0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/bt8xx/bt878.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c
index 69a304e0db11..0705913972c6 100644
--- a/drivers/media/pci/bt8xx/bt878.c
+++ b/drivers/media/pci/bt8xx/bt878.c
@@ -478,6 +478,9 @@ static int bt878_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
 	btwrite(0, BT878_AINT_MASK);
 	bt878_num++;
 
+	if (!bt->tasklet.func)
+		tasklet_disable(&bt->tasklet);
+
 	return 0;
 
       fail2:
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 139/593] media: st-hva: Fix potential NULL pointer dereferences
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 138/593] media: bt8xx: Fix a missing check bug in bt878_probe Greg Kroah-Hartman
@ 2021-07-12  6:04 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 140/593] crypto: hisilicon/sec - fixup 3des minimum key size declaration Greg Kroah-Hartman
                   ` (458 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:04 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Evgeny Novikov, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Evgeny Novikov <novikov@ispras.ru>

[ Upstream commit b7fdd208687ba59ebfb09b2199596471c63b69e3 ]

When ctx_id >= HVA_MAX_INSTANCES in hva_hw_its_irq_thread() it tries to
access fields of ctx that is NULL at that point. The patch gets rid of
these accesses.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/sti/hva/hva-hw.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/media/platform/sti/hva/hva-hw.c b/drivers/media/platform/sti/hva/hva-hw.c
index 43f279e2a6a3..cf4c891bf619 100644
--- a/drivers/media/platform/sti/hva/hva-hw.c
+++ b/drivers/media/platform/sti/hva/hva-hw.c
@@ -130,8 +130,7 @@ static irqreturn_t hva_hw_its_irq_thread(int irq, void *arg)
 	ctx_id = (hva->sts_reg & 0xFF00) >> 8;
 	if (ctx_id >= HVA_MAX_INSTANCES) {
 		dev_err(dev, "%s     %s: bad context identifier: %d\n",
-			ctx->name, __func__, ctx_id);
-		ctx->hw_err = true;
+			HVA_PREFIX, __func__, ctx_id);
 		goto out;
 	}
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 140/593] crypto: hisilicon/sec - fixup 3des minimum key size declaration
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2021-07-12  6:04 ` [PATCH 5.10 139/593] media: st-hva: Fix potential NULL pointer dereferences Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 141/593] Makefile: fix GDB warning with CONFIG_RELR Greg Kroah-Hartman
                   ` (457 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kai Ye, Herbert Xu, Sasha Levin

From: Kai Ye <yekai13@huawei.com>

[ Upstream commit 6161f40c630bd7ced5f236cd5fbabec06e47afae ]

Fixup the 3des algorithm  minimum key size declaration.

Signed-off-by: Kai Ye <yekai13@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/hisilicon/sec2/sec_crypto.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/hisilicon/sec2/sec_crypto.c b/drivers/crypto/hisilicon/sec2/sec_crypto.c
index 41f1fcacb280..630dcb59ad56 100644
--- a/drivers/crypto/hisilicon/sec2/sec_crypto.c
+++ b/drivers/crypto/hisilicon/sec2/sec_crypto.c
@@ -1515,11 +1515,11 @@ static struct skcipher_alg sec_skciphers[] = {
 			 AES_BLOCK_SIZE, AES_BLOCK_SIZE)
 
 	SEC_SKCIPHER_ALG("ecb(des3_ede)", sec_setkey_3des_ecb,
-			 SEC_DES3_2KEY_SIZE, SEC_DES3_3KEY_SIZE,
+			 SEC_DES3_3KEY_SIZE, SEC_DES3_3KEY_SIZE,
 			 DES3_EDE_BLOCK_SIZE, 0)
 
 	SEC_SKCIPHER_ALG("cbc(des3_ede)", sec_setkey_3des_cbc,
-			 SEC_DES3_2KEY_SIZE, SEC_DES3_3KEY_SIZE,
+			 SEC_DES3_3KEY_SIZE, SEC_DES3_3KEY_SIZE,
 			 DES3_EDE_BLOCK_SIZE, DES3_EDE_BLOCK_SIZE)
 
 	SEC_SKCIPHER_ALG("xts(sm4)", sec_setkey_sm4_xts,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 141/593] Makefile: fix GDB warning with CONFIG_RELR
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 140/593] crypto: hisilicon/sec - fixup 3des minimum key size declaration Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 142/593] media: dvd_usb: memory leak in cinergyt2_fe_attach Greg Kroah-Hartman
                   ` (456 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Collingbourne,
	Nathan Chancellor, Nick Desaulniers, Will Deacon, Sasha Levin

From: Nick Desaulniers <ndesaulniers@google.com>

[ Upstream commit 27f2a4db76e8d8a8b601fc1c6a7a17f88bd907ab ]

GDB produces the following warning when debugging kernels built with
CONFIG_RELR:

BFD: /android0/linux-next/vmlinux: unknown type [0x13] section `.relr.dyn'

when loading a kernel built with CONFIG_RELR into GDB. It can also
prevent debugging symbols using such relocations.

Peter sugguests:
  [That flag] means that lld will use dynamic tags and section type
  numbers in the OS-specific range rather than the generic range. The
  kernel itself doesn't care about these numbers; it determines the
  location of the RELR section using symbols defined by a linker script.

Link: https://github.com/ClangBuiltLinux/linux/issues/1057
Suggested-by: Peter Collingbourne <pcc@google.com>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Link: https://lore.kernel.org/r/20210522012626.2811297-1-ndesaulniers@google.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Makefile                      | 2 +-
 scripts/tools-support-relr.sh | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index c51b73455ea3..ddd30b068be7 100644
--- a/Makefile
+++ b/Makefile
@@ -978,7 +978,7 @@ LDFLAGS_vmlinux	+= $(call ld-option, -X,)
 endif
 
 ifeq ($(CONFIG_RELR),y)
-LDFLAGS_vmlinux	+= --pack-dyn-relocs=relr
+LDFLAGS_vmlinux	+= --pack-dyn-relocs=relr --use-android-relr-tags
 endif
 
 # We never want expected sections to be placed heuristically by the
diff --git a/scripts/tools-support-relr.sh b/scripts/tools-support-relr.sh
index 45e8aa360b45..cb55878bd5b8 100755
--- a/scripts/tools-support-relr.sh
+++ b/scripts/tools-support-relr.sh
@@ -7,7 +7,8 @@ trap "rm -f $tmp_file.o $tmp_file $tmp_file.bin" EXIT
 cat << "END" | $CC -c -x c - -o $tmp_file.o >/dev/null 2>&1
 void *p = &p;
 END
-$LD $tmp_file.o -shared -Bsymbolic --pack-dyn-relocs=relr -o $tmp_file
+$LD $tmp_file.o -shared -Bsymbolic --pack-dyn-relocs=relr \
+  --use-android-relr-tags -o $tmp_file
 
 # Despite printing an error message, GNU nm still exits with exit code 0 if it
 # sees a relr section. So we need to check that nothing is printed to stderr.
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 142/593] media: dvd_usb: memory leak in cinergyt2_fe_attach
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 141/593] Makefile: fix GDB warning with CONFIG_RELR Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 143/593] memstick: rtsx_usb_ms: fix UAF Greg Kroah-Hartman
                   ` (455 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e1de8986786b3722050e,
	Dongliang Mu, Sean Young, Mauro Carvalho Chehab, Sasha Levin

From: Dongliang Mu <mudongliangabcd@gmail.com>

[ Upstream commit 9ad1efee086e0e913914fa2b2173efb830bad68c ]

When the driver fails to talk with the hardware with dvb_usb_generic_rw,
it will return an error to dvb_usb_adapter_frontend_init. However, the
driver forgets to free the resource (e.g., struct cinergyt2_fe_state),
which leads to a memory leak.

Fix this by freeing struct cinergyt2_fe_state when dvb_usb_generic_rw
fails in cinergyt2_frontend_attach.

backtrace:
  [<0000000056e17b1a>] kmalloc include/linux/slab.h:552 [inline]
  [<0000000056e17b1a>] kzalloc include/linux/slab.h:682 [inline]
  [<0000000056e17b1a>] cinergyt2_fe_attach+0x21/0x80 drivers/media/usb/dvb-usb/cinergyT2-fe.c:271
  [<00000000ae0b1711>] cinergyt2_frontend_attach+0x21/0x70 drivers/media/usb/dvb-usb/cinergyT2-core.c:74
  [<00000000d0254861>] dvb_usb_adapter_frontend_init+0x11b/0x1b0 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:290
  [<0000000002e08ac6>] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:84 [inline]
  [<0000000002e08ac6>] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:173 [inline]
  [<0000000002e08ac6>] dvb_usb_device_init.cold+0x4d0/0x6ae drivers/media/usb/dvb-usb/dvb-usb-init.c:287

Reported-by: syzbot+e1de8986786b3722050e@syzkaller.appspotmail.com
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/dvb-usb/cinergyT2-core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c b/drivers/media/usb/dvb-usb/cinergyT2-core.c
index 969a7ec71dff..4116ba5c45fc 100644
--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
+++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
@@ -78,6 +78,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
 
 	ret = dvb_usb_generic_rw(d, st->data, 1, st->data, 3, 0);
 	if (ret < 0) {
+		if (adap->fe_adap[0].fe)
+			adap->fe_adap[0].fe->ops.release(adap->fe_adap[0].fe);
 		deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep state info\n");
 	}
 	mutex_unlock(&d->data_mutex);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 143/593] memstick: rtsx_usb_ms: fix UAF
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 142/593] media: dvd_usb: memory leak in cinergyt2_fe_attach Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 144/593] mmc: sdhci-sprd: use sdhci_sprd_writew Greg Kroah-Hartman
                   ` (454 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tong Zhang, Ulf Hansson, Sasha Levin

From: Tong Zhang <ztong0001@gmail.com>

[ Upstream commit 42933c8aa14be1caa9eda41f65cde8a3a95d3e39 ]

This patch fixes the following issues:
1. memstick_free_host() will free the host, so the use of ms_dev(host) after
it will be a problem. To fix this, move memstick_free_host() after when we
are done with ms_dev(host).
2. In rtsx_usb_ms_drv_remove(), pm need to be disabled before we remove
and free host otherwise memstick_check will be called and UAF will
happen.

[   11.351173] BUG: KASAN: use-after-free in rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
[   11.357077]  rtsx_usb_ms_drv_remove+0x94/0x140 [rtsx_usb_ms]
[   11.357376]  platform_remove+0x2a/0x50
[   11.367531] Freed by task 298:
[   11.368537]  kfree+0xa4/0x2a0
[   11.368711]  device_release+0x51/0xe0
[   11.368905]  kobject_put+0xa2/0x120
[   11.369090]  rtsx_usb_ms_drv_remove+0x8c/0x140 [rtsx_usb_ms]
[   11.369386]  platform_remove+0x2a/0x50

[   12.038408] BUG: KASAN: use-after-free in __mutex_lock.isra.0+0x3ec/0x7c0
[   12.045432]  mutex_lock+0xc9/0xd0
[   12.046080]  memstick_check+0x6a/0x578 [memstick]
[   12.046509]  process_one_work+0x46d/0x750
[   12.052107] Freed by task 297:
[   12.053115]  kfree+0xa4/0x2a0
[   12.053272]  device_release+0x51/0xe0
[   12.053463]  kobject_put+0xa2/0x120
[   12.053647]  rtsx_usb_ms_drv_remove+0xc4/0x140 [rtsx_usb_ms]
[   12.053939]  platform_remove+0x2a/0x50

Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Co-developed-by: Ulf Hansson <ulf.hansson@linaro.org>
Link: https://lore.kernel.org/r/20210511163944.1233295-1-ztong0001@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/memstick/host/rtsx_usb_ms.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/drivers/memstick/host/rtsx_usb_ms.c b/drivers/memstick/host/rtsx_usb_ms.c
index 102dbb8080da..29271ad4728a 100644
--- a/drivers/memstick/host/rtsx_usb_ms.c
+++ b/drivers/memstick/host/rtsx_usb_ms.c
@@ -799,9 +799,9 @@ static int rtsx_usb_ms_drv_probe(struct platform_device *pdev)
 
 	return 0;
 err_out:
-	memstick_free_host(msh);
 	pm_runtime_disable(ms_dev(host));
 	pm_runtime_put_noidle(ms_dev(host));
+	memstick_free_host(msh);
 	return err;
 }
 
@@ -828,9 +828,6 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev)
 	}
 	mutex_unlock(&host->host_mutex);
 
-	memstick_remove_host(msh);
-	memstick_free_host(msh);
-
 	/* Balance possible unbalanced usage count
 	 * e.g. unconditional module removal
 	 */
@@ -838,10 +835,11 @@ static int rtsx_usb_ms_drv_remove(struct platform_device *pdev)
 		pm_runtime_put(ms_dev(host));
 
 	pm_runtime_disable(ms_dev(host));
-	platform_set_drvdata(pdev, NULL);
-
+	memstick_remove_host(msh);
 	dev_dbg(ms_dev(host),
 		": Realtek USB Memstick controller has been removed\n");
+	memstick_free_host(msh);
+	platform_set_drvdata(pdev, NULL);
 
 	return 0;
 }
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 144/593] mmc: sdhci-sprd: use sdhci_sprd_writew
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 143/593] memstick: rtsx_usb_ms: fix UAF Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 145/593] mmc: via-sdmmc: add a check against NULL pointer dereference Greg Kroah-Hartman
                   ` (453 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Krzysztof Kozlowski, Ulf Hansson, Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

[ Upstream commit 961470820021e6f9d74db4837bd6831a1a30341b ]

The sdhci_sprd_writew() was defined by never used in sdhci_ops:

    drivers/mmc/host/sdhci-sprd.c:134:20: warning: unused function 'sdhci_sprd_writew'

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20210601095403.236007-2-krzysztof.kozlowski@canonical.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/sdhci-sprd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/mmc/host/sdhci-sprd.c b/drivers/mmc/host/sdhci-sprd.c
index 19cbb6171b35..9cd8862e6cbd 100644
--- a/drivers/mmc/host/sdhci-sprd.c
+++ b/drivers/mmc/host/sdhci-sprd.c
@@ -393,6 +393,7 @@ static void sdhci_sprd_request_done(struct sdhci_host *host,
 static struct sdhci_ops sdhci_sprd_ops = {
 	.read_l = sdhci_sprd_readl,
 	.write_l = sdhci_sprd_writel,
+	.write_w = sdhci_sprd_writew,
 	.write_b = sdhci_sprd_writeb,
 	.set_clock = sdhci_sprd_set_clock,
 	.get_max_clock = sdhci_sprd_get_max_clock,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 145/593] mmc: via-sdmmc: add a check against NULL pointer dereference
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 144/593] mmc: sdhci-sprd: use sdhci_sprd_writew Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 146/593] spi: meson-spicc: fix a wrong goto jump for avoiding memory leak Greg Kroah-Hartman
                   ` (452 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Ulf Hansson, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 45c8ddd06c4b729c56a6083ab311bfbd9643f4a6 ]

Before referencing 'host->data', the driver needs to check whether it is
null pointer, otherwise it will cause a null pointer reference.

This log reveals it:

[   29.355199] BUG: kernel NULL pointer dereference, address:
0000000000000014
[   29.357323] #PF: supervisor write access in kernel mode
[   29.357706] #PF: error_code(0x0002) - not-present page
[   29.358088] PGD 0 P4D 0
[   29.358280] Oops: 0002 [#1] PREEMPT SMP PTI
[   29.358595] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-
g70e7f0549188-dirty #102
[   29.359164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[   29.359978] RIP: 0010:via_sdc_isr+0x21f/0x410
[   29.360314] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00
10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43
18 <c7> 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77
[   29.361661] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046
[   29.362042] RAX: 0000000000000000 RBX: ffff888107d77880
RCX: 0000000000000000
[   29.362564] RDX: 0000000000000000 RSI: ffffffff835d20bb
RDI: 00000000ffffffff
[   29.363085] RBP: ffffc90000118ed8 R08: 0000000000000001
R09: 0000000000000001
[   29.363604] R10: 0000000000000000 R11: 0000000000000001
R12: 0000000000008600
[   29.364128] R13: ffff888107d779c8 R14: ffffc90009c00200
R15: 0000000000008000
[   29.364651] FS:  0000000000000000(0000) GS:ffff88817bc80000(0000)
knlGS:0000000000000000
[   29.365235] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.365655] CR2: 0000000000000014 CR3: 0000000005a2e000
CR4: 00000000000006e0
[   29.366170] DR0: 0000000000000000 DR1: 0000000000000000
DR2: 0000000000000000
[   29.366683] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400
[   29.367197] Call Trace:
[   29.367381]  <IRQ>
[   29.367537]  __handle_irq_event_percpu+0x53/0x3e0
[   29.367916]  handle_irq_event_percpu+0x35/0x90
[   29.368247]  handle_irq_event+0x39/0x60
[   29.368632]  handle_fasteoi_irq+0xc2/0x1d0
[   29.368950]  __common_interrupt+0x7f/0x150
[   29.369254]  common_interrupt+0xb4/0xd0
[   29.369547]  </IRQ>
[   29.369708]  asm_common_interrupt+0x1e/0x40
[   29.370016] RIP: 0010:native_safe_halt+0x17/0x20
[   29.370360] Code: 07 0f 00 2d db 80 43 00 f4 5d c3 0f 1f 84 00 00 00
00 00 8b 05 c2 37 e5 01 55 48 89 e5 85 c0 7e 07 0f 00 2d bb 80 43 00 fb
f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d f9 91
[   29.371696] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246
[   29.372079] RAX: 0000000000000000 RBX: 0000000000000002
RCX: 0000000000000000
[   29.372595] RDX: 0000000000000000 RSI: ffffffff854f67a4
RDI: ffffffff85403406
[   29.373122] RBP: ffffc9000008fe90 R08: 0000000000000001
R09: 0000000000000001
[   29.373646] R10: 0000000000000000 R11: 0000000000000001
R12: ffffffff86009188
[   29.374160] R13: 0000000000000000 R14: 0000000000000000
R15: ffff888100258000
[   29.374690]  default_idle+0x9/0x10
[   29.374944]  arch_cpu_idle+0xa/0x10
[   29.375198]  default_idle_call+0x6e/0x250
[   29.375491]  do_idle+0x1f0/0x2d0
[   29.375740]  cpu_startup_entry+0x18/0x20
[   29.376034]  start_secondary+0x11f/0x160
[   29.376328]  secondary_startup_64_no_verify+0xb0/0xbb
[   29.376705] Modules linked in:
[   29.376939] Dumping ftrace buffer:
[   29.377187]    (ftrace buffer empty)
[   29.377460] CR2: 0000000000000014
[   29.377712] ---[ end trace 51a473dffb618c47 ]---
[   29.378056] RIP: 0010:via_sdc_isr+0x21f/0x410
[   29.378380] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00
10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43
18 <c7> 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77
[   29.379714] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046
[   29.380098] RAX: 0000000000000000 RBX: ffff888107d77880
RCX: 0000000000000000
[   29.380614] RDX: 0000000000000000 RSI: ffffffff835d20bb
RDI: 00000000ffffffff
[   29.381134] RBP: ffffc90000118ed8 R08: 0000000000000001
R09: 0000000000000001
[   29.381653] R10: 0000000000000000 R11: 0000000000000001
R12: 0000000000008600
[   29.382176] R13: ffff888107d779c8 R14: ffffc90009c00200
R15: 0000000000008000
[   29.382697] FS:  0000000000000000(0000) GS:ffff88817bc80000(0000)
knlGS:0000000000000000
[   29.383277] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.383697] CR2: 0000000000000014 CR3: 0000000005a2e000
CR4: 00000000000006e0
[   29.384223] DR0: 0000000000000000 DR1: 0000000000000000
DR2: 0000000000000000
[   29.384736] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400
[   29.385260] Kernel panic - not syncing: Fatal exception in interrupt
[   29.385882] Dumping ftrace buffer:
[   29.386135]    (ftrace buffer empty)
[   29.386401] Kernel Offset: disabled
[   29.386656] Rebooting in 1 seconds..

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Link: https://lore.kernel.org/r/1622727200-15808-1-git-send-email-zheyuma97@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/via-sdmmc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c
index 9b755ea0fa03..f07c71db3caf 100644
--- a/drivers/mmc/host/via-sdmmc.c
+++ b/drivers/mmc/host/via-sdmmc.c
@@ -857,6 +857,9 @@ static void via_sdc_data_isr(struct via_crdr_mmc_host *host, u16 intmask)
 {
 	BUG_ON(intmask == 0);
 
+	if (!host->data)
+		return;
+
 	if (intmask & VIA_CRDR_SDSTS_DT)
 		host->data->error = -ETIMEDOUT;
 	else if (intmask & (VIA_CRDR_SDSTS_RC | VIA_CRDR_SDSTS_WC))
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 146/593] spi: meson-spicc: fix a wrong goto jump for avoiding memory leak.
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 145/593] mmc: via-sdmmc: add a check against NULL pointer dereference Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 147/593] spi: meson-spicc: fix memory leak in meson_spicc_probe Greg Kroah-Hartman
                   ` (451 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, zpershuai, Neil Armstrong,
	Mark Brown, Sasha Levin

From: zpershuai <zpershuai@gmail.com>

[ Upstream commit 95730d5eb73170a6d225a9998c478be273598634 ]

In meson_spifc_probe function, when enable the device pclk clock is
error, it should use clk_disable_unprepare to release the core clock.

Signed-off-by: zpershuai <zpershuai@gmail.com>
Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
Link: https://lore.kernel.org/r/1623562172-22056-1-git-send-email-zpershuai@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-meson-spicc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c
index ecba6b4a5d85..51aef2c6e966 100644
--- a/drivers/spi/spi-meson-spicc.c
+++ b/drivers/spi/spi-meson-spicc.c
@@ -725,7 +725,7 @@ static int meson_spicc_probe(struct platform_device *pdev)
 	ret = clk_prepare_enable(spicc->pclk);
 	if (ret) {
 		dev_err(&pdev->dev, "pclk clock enable failed\n");
-		goto out_master;
+		goto out_core_clk;
 	}
 
 	device_reset_optional(&pdev->dev);
@@ -764,9 +764,11 @@ static int meson_spicc_probe(struct platform_device *pdev)
 	return 0;
 
 out_clk:
-	clk_disable_unprepare(spicc->core);
 	clk_disable_unprepare(spicc->pclk);
 
+out_core_clk:
+	clk_disable_unprepare(spicc->core);
+
 out_master:
 	spi_master_put(master);
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 147/593] spi: meson-spicc: fix memory leak in meson_spicc_probe
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 146/593] spi: meson-spicc: fix a wrong goto jump for avoiding memory leak Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 148/593] crypto: shash - avoid comparing pointers to exported functions under CFI Greg Kroah-Hartman
                   ` (450 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, zpershuai, Neil Armstrong,
	Mark Brown, Sasha Levin

From: zpershuai <zpershuai@gmail.com>

[ Upstream commit b2d501c13470409ee7613855b17e5e5ec4111e1c ]

when meson_spicc_clk_init returns failed, it should goto the
out_clk label.

Signed-off-by: zpershuai <zpershuai@gmail.com>
Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
Link: https://lore.kernel.org/r/1623562156-21995-1-git-send-email-zpershuai@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-meson-spicc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/spi/spi-meson-spicc.c b/drivers/spi/spi-meson-spicc.c
index 51aef2c6e966..b2c4621db34d 100644
--- a/drivers/spi/spi-meson-spicc.c
+++ b/drivers/spi/spi-meson-spicc.c
@@ -752,7 +752,7 @@ static int meson_spicc_probe(struct platform_device *pdev)
 	ret = meson_spicc_clk_init(spicc);
 	if (ret) {
 		dev_err(&pdev->dev, "clock registration failed\n");
-		goto out_master;
+		goto out_clk;
 	}
 
 	ret = devm_spi_register_master(&pdev->dev, master);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 148/593] crypto: shash - avoid comparing pointers to exported functions under CFI
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 147/593] spi: meson-spicc: fix memory leak in meson_spicc_probe Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 149/593] media: dvb_net: avoid speculation from net slot Greg Kroah-Hartman
                   ` (449 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sami Tolvanen, Eric Biggers,
	Ard Biesheuvel, Eric Biggers, Herbert Xu, Sasha Levin

From: Ard Biesheuvel <ardb@kernel.org>

[ Upstream commit 22ca9f4aaf431a9413dcc115dd590123307f274f ]

crypto_shash_alg_has_setkey() is implemented by testing whether the
.setkey() member of a struct shash_alg points to the default version,
called shash_no_setkey(). As crypto_shash_alg_has_setkey() is a static
inline, this requires shash_no_setkey() to be exported to modules.

Unfortunately, when building with CFI, function pointers are routed
via CFI stubs which are private to each module (or to the kernel proper)
and so this function pointer comparison may fail spuriously.

Let's fix this by turning crypto_shash_alg_has_setkey() into an out of
line function.

Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 crypto/shash.c                 | 18 +++++++++++++++---
 include/crypto/internal/hash.h |  8 +-------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/crypto/shash.c b/crypto/shash.c
index 2e3433ad9762..0a0a50cb694f 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -20,12 +20,24 @@
 
 static const struct crypto_type crypto_shash_type;
 
-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-		    unsigned int keylen)
+static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+			   unsigned int keylen)
 {
 	return -ENOSYS;
 }
-EXPORT_SYMBOL_GPL(shash_no_setkey);
+
+/*
+ * Check whether an shash algorithm has a setkey function.
+ *
+ * For CFI compatibility, this must not be an inline function.  This is because
+ * when CFI is enabled, modules won't get the same address for shash_no_setkey
+ * (if it were exported, which inlining would require) as the core kernel will.
+ */
+bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
+{
+	return alg->setkey != shash_no_setkey;
+}
+EXPORT_SYMBOL_GPL(crypto_shash_alg_has_setkey);
 
 static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
 				  unsigned int keylen)
diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
index 0a288dddcf5b..25806141db59 100644
--- a/include/crypto/internal/hash.h
+++ b/include/crypto/internal/hash.h
@@ -75,13 +75,7 @@ void crypto_unregister_ahashes(struct ahash_alg *algs, int count);
 int ahash_register_instance(struct crypto_template *tmpl,
 			    struct ahash_instance *inst);
 
-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-		    unsigned int keylen);
-
-static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
-{
-	return alg->setkey != shash_no_setkey;
-}
+bool crypto_shash_alg_has_setkey(struct shash_alg *alg);
 
 static inline bool crypto_shash_alg_needs_key(struct shash_alg *alg)
 {
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 149/593] media: dvb_net: avoid speculation from net slot
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 148/593] crypto: shash - avoid comparing pointers to exported functions under CFI Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 150/593] media: siano: fix device register error path Greg Kroah-Hartman
                   ` (448 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit abc0226df64dc137b48b911c1fe4319aec5891bb ]

The risk of especulation is actually almost-non-existing here,
as there are very few users of TCP/IP using the DVB stack,
as, this is mainly used with DVB-S/S2 cards, and only by people
that receives TCP/IP from satellite connections, which limits
a lot the number of users of such feature(*).

(*) In thesis, DVB-C cards could also benefit from it, but I'm
yet to see a hardware that supports it.

Yet, fixing it is trivial.

Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/dvb-core/dvb_net.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c
index 89620da983ba..dddebea644bb 100644
--- a/drivers/media/dvb-core/dvb_net.c
+++ b/drivers/media/dvb-core/dvb_net.c
@@ -45,6 +45,7 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/netdevice.h>
+#include <linux/nospec.h>
 #include <linux/etherdevice.h>
 #include <linux/dvb/net.h>
 #include <linux/uio.h>
@@ -1462,14 +1463,20 @@ static int dvb_net_do_ioctl(struct file *file,
 		struct net_device *netdev;
 		struct dvb_net_priv *priv_data;
 		struct dvb_net_if *dvbnetif = parg;
+		int if_num = dvbnetif->if_num;
 
-		if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX ||
-		    !dvbnet->state[dvbnetif->if_num]) {
+		if (if_num >= DVB_NET_DEVICES_MAX) {
 			ret = -EINVAL;
 			goto ioctl_error;
 		}
+		if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX);
 
-		netdev = dvbnet->device[dvbnetif->if_num];
+		if (!dvbnet->state[if_num]) {
+			ret = -EINVAL;
+			goto ioctl_error;
+		}
+
+		netdev = dvbnet->device[if_num];
 
 		priv_data = netdev_priv(netdev);
 		dvbnetif->pid=priv_data->pid;
@@ -1522,14 +1529,20 @@ static int dvb_net_do_ioctl(struct file *file,
 		struct net_device *netdev;
 		struct dvb_net_priv *priv_data;
 		struct __dvb_net_if_old *dvbnetif = parg;
+		int if_num = dvbnetif->if_num;
+
+		if (if_num >= DVB_NET_DEVICES_MAX) {
+			ret = -EINVAL;
+			goto ioctl_error;
+		}
+		if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX);
 
-		if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX ||
-		    !dvbnet->state[dvbnetif->if_num]) {
+		if (!dvbnet->state[if_num]) {
 			ret = -EINVAL;
 			goto ioctl_error;
 		}
 
-		netdev = dvbnet->device[dvbnetif->if_num];
+		netdev = dvbnet->device[if_num];
 
 		priv_data = netdev_priv(netdev);
 		dvbnetif->pid=priv_data->pid;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 150/593] media: siano: fix device register error path
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 149/593] media: dvb_net: avoid speculation from net slot Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 151/593] media: imx-csi: Skip first few frames from a BT.656 source Greg Kroah-Hartman
                   ` (447 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit 5368b1ee2939961a16e74972b69088433fc52195 ]

As reported by smatch:
	drivers/media/common/siano/smsdvb-main.c:1231 smsdvb_hotplug() warn: '&client->entry' not removed from list

If an error occur at the end of the registration logic, it won't
drop the device from the list.

Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/common/siano/smsdvb-main.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/media/common/siano/smsdvb-main.c b/drivers/media/common/siano/smsdvb-main.c
index ae17407e477a..7cc654bc52d3 100644
--- a/drivers/media/common/siano/smsdvb-main.c
+++ b/drivers/media/common/siano/smsdvb-main.c
@@ -1176,6 +1176,10 @@ static int smsdvb_hotplug(struct smscore_device_t *coredev,
 	return 0;
 
 media_graph_error:
+	mutex_lock(&g_smsdvb_clientslock);
+	list_del(&client->entry);
+	mutex_unlock(&g_smsdvb_clientslock);
+
 	smsdvb_debugfs_release(client);
 
 client_error:
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 151/593] media: imx-csi: Skip first few frames from a BT.656 source
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 150/593] media: siano: fix device register error path Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 152/593] hwmon: (max31790) Report correct current pwm duty cycles Greg Kroah-Hartman
                   ` (446 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve Longerbeam, Fabio Estevam,
	Tim Harvey, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin

From: Steve Longerbeam <slongerbeam@gmail.com>

[ Upstream commit e198be37e52551bb863d07d2edc535d0932a3c4f ]

Some BT.656 sensors (e.g. ADV718x) transmit frames with unstable BT.656
sync codes after initial power on. This confuses the imx CSI,resulting
in vertical and/or horizontal sync issues. Skip the first 20 frames
to avoid the unstable sync codes.

[fabio: fixed checkpatch warning and increased the frame skipping to 20]

Signed-off-by: Steve Longerbeam <slongerbeam@gmail.com>
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Reviewed-by: Tim Harvey <tharvey@gateworks.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/media/imx/imx-media-csi.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/media/imx/imx-media-csi.c b/drivers/staging/media/imx/imx-media-csi.c
index 21ebf7769696..899d29f4c91a 100644
--- a/drivers/staging/media/imx/imx-media-csi.c
+++ b/drivers/staging/media/imx/imx-media-csi.c
@@ -753,9 +753,10 @@ static int csi_setup(struct csi_priv *priv)
 
 static int csi_start(struct csi_priv *priv)
 {
-	struct v4l2_fract *output_fi;
+	struct v4l2_fract *input_fi, *output_fi;
 	int ret;
 
+	input_fi = &priv->frame_interval[CSI_SINK_PAD];
 	output_fi = &priv->frame_interval[priv->active_output_pad];
 
 	/* start upstream */
@@ -764,6 +765,17 @@ static int csi_start(struct csi_priv *priv)
 	if (ret)
 		return ret;
 
+	/* Skip first few frames from a BT.656 source */
+	if (priv->upstream_ep.bus_type == V4L2_MBUS_BT656) {
+		u32 delay_usec, bad_frames = 20;
+
+		delay_usec = DIV_ROUND_UP_ULL((u64)USEC_PER_SEC *
+			input_fi->numerator * bad_frames,
+			input_fi->denominator);
+
+		usleep_range(delay_usec, delay_usec + 1000);
+	}
+
 	if (priv->dest == IPU_CSI_DEST_IDMAC) {
 		ret = csi_idmac_start(priv);
 		if (ret)
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 152/593] hwmon: (max31790) Report correct current pwm duty cycles
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 151/593] media: imx-csi: Skip first few frames from a BT.656 source Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 153/593] hwmon: (max31790) Fix pwmX_enable attributes Greg Kroah-Hartman
                   ` (445 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kundrát,
	Václav Kubernát, Guenter Roeck,
	Václav Kubernát, Sasha Levin

From: Guenter Roeck <linux@roeck-us.net>

[ Upstream commit 897f6339893b741a5d68ae8e2475df65946041c2 ]

The MAX31790 has two sets of registers for pwm duty cycles, one to request
a duty cycle and one to read the actual current duty cycle. Both do not
have to be the same.

When reporting the pwm duty cycle to the user, the actual pwm duty cycle
from pwm duty cycle registers needs to be reported. When setting it, the
pwm target duty cycle needs to be written. Since we don't know the actual
pwm duty cycle after a target pwm duty cycle has been written, set the
valid flag to false to indicate that actual pwm duty cycle should be read
from the chip instead of using cached values.

Cc: Jan Kundrát <jan.kundrat@cesnet.cz>
Cc: Václav Kubernát <kubernat@cesnet.cz>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Václav Kubernát <kubernat@ceesnet.cz>
Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Link: https://lore.kernel.org/r/20210526154022.3223012-3-linux@roeck-us.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/hwmon/max31790.rst | 3 ++-
 drivers/hwmon/max31790.c         | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/Documentation/hwmon/max31790.rst b/Documentation/hwmon/max31790.rst
index f301385d8cef..54ff0f49e28f 100644
--- a/Documentation/hwmon/max31790.rst
+++ b/Documentation/hwmon/max31790.rst
@@ -39,5 +39,6 @@ fan[1-12]_input    RO  fan tachometer speed in RPM
 fan[1-12]_fault    RO  fan experienced fault
 fan[1-6]_target    RW  desired fan speed in RPM
 pwm[1-6]_enable    RW  regulator mode, 0=disabled, 1=manual mode, 2=rpm mode
-pwm[1-6]           RW  fan target duty cycle (0-255)
+pwm[1-6]           RW  read: current pwm duty cycle,
+                       write: target pwm duty cycle (0-255)
 ================== === =======================================================
diff --git a/drivers/hwmon/max31790.c b/drivers/hwmon/max31790.c
index 86e6c71db685..8ad7a45bfe68 100644
--- a/drivers/hwmon/max31790.c
+++ b/drivers/hwmon/max31790.c
@@ -104,7 +104,7 @@ static struct max31790_data *max31790_update_device(struct device *dev)
 				data->tach[NR_CHANNEL + i] = rv;
 			} else {
 				rv = i2c_smbus_read_word_swapped(client,
-						MAX31790_REG_PWMOUT(i));
+						MAX31790_REG_PWM_DUTY_CYCLE(i));
 				if (rv < 0)
 					goto abort;
 				data->pwm[i] = rv;
@@ -299,10 +299,10 @@ static int max31790_write_pwm(struct device *dev, u32 attr, int channel,
 			err = -EINVAL;
 			break;
 		}
-		data->pwm[channel] = val << 8;
+		data->valid = false;
 		err = i2c_smbus_write_word_swapped(client,
 						   MAX31790_REG_PWMOUT(channel),
-						   data->pwm[channel]);
+						   val << 8);
 		break;
 	case hwmon_pwm_enable:
 		fan_config = data->fan_config[channel];
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 153/593] hwmon: (max31790) Fix pwmX_enable attributes
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 152/593] hwmon: (max31790) Report correct current pwm duty cycles Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 154/593] drivers/perf: fix the missed ida_simple_remove() in ddr_perf_probe() Greg Kroah-Hartman
                   ` (444 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kundrát,
	Václav Kubernát, Guenter Roeck, Sasha Levin

From: Guenter Roeck <linux@roeck-us.net>

[ Upstream commit 148c847c9e5a54b99850617bf9c143af9a344f92 ]

pwmX_enable supports three possible values:

0: Fan control disabled. Duty cycle is fixed to 0%
1: Fan control enabled, pwm mode. Duty cycle is determined by
   values written into Target Duty Cycle registers.
2: Fan control enabled, rpm mode
   Duty cycle is adjusted such that fan speed matches
   the values in Target Count registers

The current code does not do this; instead, it mixes pwm control
configuration with fan speed monitoring configuration. Worse, it
reports that pwm control would be disabled (pwmX_enable==0) when
it is in fact enabled in pwm mode. Part of the problem may be that
the chip sets the "TACH input enable" bit on its own whenever the
mode bit is set to RPM mode, but that doesn't mean that "TACH input
enable" accurately reflects the pwm mode.

Fix it up and only handle pwm control with the pwmX_enable attributes.
In the documentation, clarify that disabling pwm control (pwmX_enable=0)
sets the pwm duty cycle to 0%. In the code, explain why TACH_INPUT_EN
is set together with RPM_MODE.

While at it, only update the configuration register if the configuration
has changed, and only update the cached configuration if updating the
chip configuration was successful.

Cc: Jan Kundrát <jan.kundrat@cesnet.cz>
Cc: Václav Kubernát <kubernat@cesnet.cz>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Václav Kubernát <kubernat@cesnet.cz>
Reviewed-by: Jan Kundrát <jan.kundrat@cesnet.cz>
Link: https://lore.kernel.org/r/20210526154022.3223012-4-linux@roeck-us.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Documentation/hwmon/max31790.rst |  2 +-
 drivers/hwmon/max31790.c         | 41 ++++++++++++++++++++------------
 2 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/Documentation/hwmon/max31790.rst b/Documentation/hwmon/max31790.rst
index 54ff0f49e28f..7b097c3b9b90 100644
--- a/Documentation/hwmon/max31790.rst
+++ b/Documentation/hwmon/max31790.rst
@@ -38,7 +38,7 @@ Sysfs entries
 fan[1-12]_input    RO  fan tachometer speed in RPM
 fan[1-12]_fault    RO  fan experienced fault
 fan[1-6]_target    RW  desired fan speed in RPM
-pwm[1-6]_enable    RW  regulator mode, 0=disabled, 1=manual mode, 2=rpm mode
+pwm[1-6]_enable    RW  regulator mode, 0=disabled (duty cycle=0%), 1=manual mode, 2=rpm mode
 pwm[1-6]           RW  read: current pwm duty cycle,
                        write: target pwm duty cycle (0-255)
 ================== === =======================================================
diff --git a/drivers/hwmon/max31790.c b/drivers/hwmon/max31790.c
index 8ad7a45bfe68..76aa96f5b984 100644
--- a/drivers/hwmon/max31790.c
+++ b/drivers/hwmon/max31790.c
@@ -27,6 +27,7 @@
 
 /* Fan Config register bits */
 #define MAX31790_FAN_CFG_RPM_MODE	0x80
+#define MAX31790_FAN_CFG_CTRL_MON	0x10
 #define MAX31790_FAN_CFG_TACH_INPUT_EN	0x08
 #define MAX31790_FAN_CFG_TACH_INPUT	0x01
 
@@ -271,12 +272,12 @@ static int max31790_read_pwm(struct device *dev, u32 attr, int channel,
 		*val = data->pwm[channel] >> 8;
 		return 0;
 	case hwmon_pwm_enable:
-		if (fan_config & MAX31790_FAN_CFG_RPM_MODE)
+		if (fan_config & MAX31790_FAN_CFG_CTRL_MON)
+			*val = 0;
+		else if (fan_config & MAX31790_FAN_CFG_RPM_MODE)
 			*val = 2;
-		else if (fan_config & MAX31790_FAN_CFG_TACH_INPUT_EN)
-			*val = 1;
 		else
-			*val = 0;
+			*val = 1;
 		return 0;
 	default:
 		return -EOPNOTSUPP;
@@ -307,23 +308,33 @@ static int max31790_write_pwm(struct device *dev, u32 attr, int channel,
 	case hwmon_pwm_enable:
 		fan_config = data->fan_config[channel];
 		if (val == 0) {
-			fan_config &= ~(MAX31790_FAN_CFG_TACH_INPUT_EN |
-					MAX31790_FAN_CFG_RPM_MODE);
+			fan_config |= MAX31790_FAN_CFG_CTRL_MON;
+			/*
+			 * Disable RPM mode; otherwise disabling fan speed
+			 * monitoring is not possible.
+			 */
+			fan_config &= ~MAX31790_FAN_CFG_RPM_MODE;
 		} else if (val == 1) {
-			fan_config = (fan_config |
-				      MAX31790_FAN_CFG_TACH_INPUT_EN) &
-				     ~MAX31790_FAN_CFG_RPM_MODE;
+			fan_config &= ~(MAX31790_FAN_CFG_CTRL_MON | MAX31790_FAN_CFG_RPM_MODE);
 		} else if (val == 2) {
-			fan_config |= MAX31790_FAN_CFG_TACH_INPUT_EN |
-				      MAX31790_FAN_CFG_RPM_MODE;
+			fan_config &= ~MAX31790_FAN_CFG_CTRL_MON;
+			/*
+			 * The chip sets MAX31790_FAN_CFG_TACH_INPUT_EN on its
+			 * own if MAX31790_FAN_CFG_RPM_MODE is set.
+			 * Do it here as well to reflect the actual register
+			 * value in the cache.
+			 */
+			fan_config |= (MAX31790_FAN_CFG_RPM_MODE | MAX31790_FAN_CFG_TACH_INPUT_EN);
 		} else {
 			err = -EINVAL;
 			break;
 		}
-		data->fan_config[channel] = fan_config;
-		err = i2c_smbus_write_byte_data(client,
-					MAX31790_REG_FAN_CONFIG(channel),
-					fan_config);
+		if (fan_config != data->fan_config[channel]) {
+			err = i2c_smbus_write_byte_data(client, MAX31790_REG_FAN_CONFIG(channel),
+							fan_config);
+			if (!err)
+				data->fan_config[channel] = fan_config;
+		}
 		break;
 	default:
 		err = -EOPNOTSUPP;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 154/593] drivers/perf: fix the missed ida_simple_remove() in ddr_perf_probe()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 153/593] hwmon: (max31790) Fix pwmX_enable attributes Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 155/593] KVM: PPC: Book3S HV: Fix TLB management on SMT8 POWER9 and POWER10 processors Greg Kroah-Hartman
                   ` (443 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jing Xiangfeng, Dong Aisheng,
	Will Deacon, Sasha Levin

From: Jing Xiangfeng <jingxiangfeng@huawei.com>

[ Upstream commit d96b1b8c9f79b6bb234a31c80972a6f422079376 ]

ddr_perf_probe() misses to call ida_simple_remove() in an error path.
Jump to cpuhp_state_err to fix it.

Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
Reviewed-by: Dong Aisheng <aisheng.dong@nxp.com>
Link: https://lore.kernel.org/r/20210617122614.166823-1-jingxiangfeng@huawei.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/perf/fsl_imx8_ddr_perf.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/perf/fsl_imx8_ddr_perf.c b/drivers/perf/fsl_imx8_ddr_perf.c
index 397540a4b799..7f7bc0993670 100644
--- a/drivers/perf/fsl_imx8_ddr_perf.c
+++ b/drivers/perf/fsl_imx8_ddr_perf.c
@@ -623,8 +623,10 @@ static int ddr_perf_probe(struct platform_device *pdev)
 
 	name = devm_kasprintf(&pdev->dev, GFP_KERNEL, DDR_PERF_DEV_NAME "%d",
 			      num);
-	if (!name)
-		return -ENOMEM;
+	if (!name) {
+		ret = -ENOMEM;
+		goto cpuhp_state_err;
+	}
 
 	pmu->devtype_data = of_device_get_match_data(&pdev->dev);
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 155/593] KVM: PPC: Book3S HV: Fix TLB management on SMT8 POWER9 and POWER10 processors
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 154/593] drivers/perf: fix the missed ida_simple_remove() in ddr_perf_probe() Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 156/593] btrfs: fix error handling in __btrfs_update_delayed_inode Greg Kroah-Hartman
                   ` (442 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Mackerras, Nicholas Piggin,
	Fabiano Rosas, Michael Ellerman, Sasha Levin

From: Suraj Jitindar Singh <sjitindarsingh@gmail.com>

[ Upstream commit 77bbbc0cf84834ed130838f7ac1988567f4d0288 ]

The POWER9 vCPU TLB management code assumes all threads in a core share
a TLB, and that TLBIEL execued by one thread will invalidate TLBs for
all threads. This is not the case for SMT8 capable POWER9 and POWER10
(big core) processors, where the TLB is split between groups of threads.
This results in TLB multi-hits, random data corruption, etc.

Fix this by introducing cpu_first_tlb_thread_sibling etc., to determine
which siblings share TLBs, and use that in the guest TLB flushing code.

[npiggin@gmail.com: add changelog and comment]

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Reviewed-by: Fabiano Rosas <farosas@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210602040441.3984352-1-npiggin@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/cputhreads.h | 30 +++++++++++++++++++++++++++
 arch/powerpc/kvm/book3s_hv.c          | 13 ++++++------
 arch/powerpc/kvm/book3s_hv_builtin.c  |  2 +-
 arch/powerpc/kvm/book3s_hv_rm_mmu.c   |  2 +-
 4 files changed, 39 insertions(+), 8 deletions(-)

diff --git a/arch/powerpc/include/asm/cputhreads.h b/arch/powerpc/include/asm/cputhreads.h
index 98c8bd155bf9..b167186aaee4 100644
--- a/arch/powerpc/include/asm/cputhreads.h
+++ b/arch/powerpc/include/asm/cputhreads.h
@@ -98,6 +98,36 @@ static inline int cpu_last_thread_sibling(int cpu)
 	return cpu | (threads_per_core - 1);
 }
 
+/*
+ * tlb_thread_siblings are siblings which share a TLB. This is not
+ * architected, is not something a hypervisor could emulate and a future
+ * CPU may change behaviour even in compat mode, so this should only be
+ * used on PowerNV, and only with care.
+ */
+static inline int cpu_first_tlb_thread_sibling(int cpu)
+{
+	if (cpu_has_feature(CPU_FTR_ARCH_300) && (threads_per_core == 8))
+		return cpu & ~0x6;	/* Big Core */
+	else
+		return cpu_first_thread_sibling(cpu);
+}
+
+static inline int cpu_last_tlb_thread_sibling(int cpu)
+{
+	if (cpu_has_feature(CPU_FTR_ARCH_300) && (threads_per_core == 8))
+		return cpu | 0x6;	/* Big Core */
+	else
+		return cpu_last_thread_sibling(cpu);
+}
+
+static inline int cpu_tlb_thread_sibling_step(void)
+{
+	if (cpu_has_feature(CPU_FTR_ARCH_300) && (threads_per_core == 8))
+		return 2;		/* Big Core */
+	else
+		return 1;
+}
+
 static inline u32 get_tensr(void)
 {
 #ifdef	CONFIG_BOOKE
diff --git a/arch/powerpc/kvm/book3s_hv.c b/arch/powerpc/kvm/book3s_hv.c
index 965b702208d8..2325b7a6e95f 100644
--- a/arch/powerpc/kvm/book3s_hv.c
+++ b/arch/powerpc/kvm/book3s_hv.c
@@ -2578,7 +2578,7 @@ static void radix_flush_cpu(struct kvm *kvm, int cpu, struct kvm_vcpu *vcpu)
 	cpumask_t *cpu_in_guest;
 	int i;
 
-	cpu = cpu_first_thread_sibling(cpu);
+	cpu = cpu_first_tlb_thread_sibling(cpu);
 	if (nested) {
 		cpumask_set_cpu(cpu, &nested->need_tlb_flush);
 		cpu_in_guest = &nested->cpu_in_guest;
@@ -2592,9 +2592,10 @@ static void radix_flush_cpu(struct kvm *kvm, int cpu, struct kvm_vcpu *vcpu)
 	 * the other side is the first smp_mb() in kvmppc_run_core().
 	 */
 	smp_mb();
-	for (i = 0; i < threads_per_core; ++i)
-		if (cpumask_test_cpu(cpu + i, cpu_in_guest))
-			smp_call_function_single(cpu + i, do_nothing, NULL, 1);
+	for (i = cpu; i <= cpu_last_tlb_thread_sibling(cpu);
+					i += cpu_tlb_thread_sibling_step())
+		if (cpumask_test_cpu(i, cpu_in_guest))
+			smp_call_function_single(i, do_nothing, NULL, 1);
 }
 
 static void kvmppc_prepare_radix_vcpu(struct kvm_vcpu *vcpu, int pcpu)
@@ -2625,8 +2626,8 @@ static void kvmppc_prepare_radix_vcpu(struct kvm_vcpu *vcpu, int pcpu)
 	 */
 	if (prev_cpu != pcpu) {
 		if (prev_cpu >= 0 &&
-		    cpu_first_thread_sibling(prev_cpu) !=
-		    cpu_first_thread_sibling(pcpu))
+		    cpu_first_tlb_thread_sibling(prev_cpu) !=
+		    cpu_first_tlb_thread_sibling(pcpu))
 			radix_flush_cpu(kvm, prev_cpu, vcpu);
 		if (nested)
 			nested->prev_cpu[vcpu->arch.nested_vcpu_id] = pcpu;
diff --git a/arch/powerpc/kvm/book3s_hv_builtin.c b/arch/powerpc/kvm/book3s_hv_builtin.c
index 8f58dd20b362..4621905bdd9e 100644
--- a/arch/powerpc/kvm/book3s_hv_builtin.c
+++ b/arch/powerpc/kvm/book3s_hv_builtin.c
@@ -893,7 +893,7 @@ void kvmppc_check_need_tlb_flush(struct kvm *kvm, int pcpu,
 	 * Thus we make all 4 threads use the same bit.
 	 */
 	if (cpu_has_feature(CPU_FTR_ARCH_300))
-		pcpu = cpu_first_thread_sibling(pcpu);
+		pcpu = cpu_first_tlb_thread_sibling(pcpu);
 
 	if (nested)
 		need_tlb_flush = &nested->need_tlb_flush;
diff --git a/arch/powerpc/kvm/book3s_hv_rm_mmu.c b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
index 88da2764c1bb..3ddc83d2e849 100644
--- a/arch/powerpc/kvm/book3s_hv_rm_mmu.c
+++ b/arch/powerpc/kvm/book3s_hv_rm_mmu.c
@@ -67,7 +67,7 @@ static int global_invalidates(struct kvm *kvm)
 		 * so use the bit for the first thread to represent the core.
 		 */
 		if (cpu_has_feature(CPU_FTR_ARCH_300))
-			cpu = cpu_first_thread_sibling(cpu);
+			cpu = cpu_first_tlb_thread_sibling(cpu);
 		cpumask_clear_cpu(cpu, &kvm->arch.need_tlb_flush);
 	}
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 156/593] btrfs: fix error handling in __btrfs_update_delayed_inode
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 155/593] KVM: PPC: Book3S HV: Fix TLB management on SMT8 POWER9 and POWER10 processors Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 157/593] btrfs: abort transaction if we fail to update the delayed inode Greg Kroah-Hartman
                   ` (441 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josef Bacik, David Sterba, Sasha Levin

From: Josef Bacik <josef@toxicpanda.com>

[ Upstream commit bb385bedded3ccbd794559600de4a09448810f4a ]

If we get an error while looking up the inode item we'll simply bail
without cleaning up the delayed node.  This results in this style of
warning happening on commit:

  WARNING: CPU: 0 PID: 76403 at fs/btrfs/delayed-inode.c:1365 btrfs_assert_delayed_root_empty+0x5b/0x90
  CPU: 0 PID: 76403 Comm: fsstress Tainted: G        W         5.13.0-rc1+ #373
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
  RIP: 0010:btrfs_assert_delayed_root_empty+0x5b/0x90
  RSP: 0018:ffffb8bb815a7e50 EFLAGS: 00010286
  RAX: 0000000000000000 RBX: ffff95d6d07e1888 RCX: ffff95d6c0fa3000
  RDX: 0000000000000002 RSI: 000000000029e91c RDI: ffff95d6c0fc8060
  RBP: ffff95d6c0fc8060 R08: 00008d6d701a2c1d R09: 0000000000000000
  R10: ffff95d6d1760ea0 R11: 0000000000000001 R12: ffff95d6c15a4d00
  R13: ffff95d6c0fa3000 R14: 0000000000000000 R15: ffffb8bb815a7e90
  FS:  00007f490e8dbb80(0000) GS:ffff95d73bc00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f6e75555cb0 CR3: 00000001101ce001 CR4: 0000000000370ef0
  Call Trace:
   btrfs_commit_transaction+0x43c/0xb00
   ? finish_wait+0x80/0x80
   ? vfs_fsync_range+0x90/0x90
   iterate_supers+0x8c/0x100
   ksys_sync+0x50/0x90
   __do_sys_sync+0xa/0x10
   do_syscall_64+0x3d/0x80
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Because the iref isn't dropped and this leaves an elevated node->count,
so any release just re-queues it onto the delayed inodes list.  Fix this
by going to the out label to handle the proper cleanup of the delayed
node.

Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/delayed-inode.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 4e2cce5ca7f6..3af06ef98b12 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -1032,12 +1032,10 @@ static int __btrfs_update_delayed_inode(struct btrfs_trans_handle *trans,
 	nofs_flag = memalloc_nofs_save();
 	ret = btrfs_lookup_inode(trans, root, path, &key, mod);
 	memalloc_nofs_restore(nofs_flag);
-	if (ret > 0) {
-		btrfs_release_path(path);
-		return -ENOENT;
-	} else if (ret < 0) {
-		return ret;
-	}
+	if (ret > 0)
+		ret = -ENOENT;
+	if (ret < 0)
+		goto out;
 
 	leaf = path->nodes[0];
 	inode_item = btrfs_item_ptr(leaf, path->slots[0],
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 157/593] btrfs: abort transaction if we fail to update the delayed inode
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 156/593] btrfs: fix error handling in __btrfs_update_delayed_inode Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 158/593] btrfs: sysfs: fix format string for some discard stats Greg Kroah-Hartman
                   ` (440 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josef Bacik, David Sterba, Sasha Levin

From: Josef Bacik <josef@toxicpanda.com>

[ Upstream commit 04587ad9bef6ce9d510325b4ba9852b6129eebdb ]

If we fail to update the delayed inode we need to abort the transaction,
because we could leave an inode with the improper counts or some other
such corruption behind.

Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/delayed-inode.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 3af06ef98b12..04422d929c23 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -1073,6 +1073,14 @@ err_out:
 	btrfs_delayed_inode_release_metadata(fs_info, node, (ret < 0));
 	btrfs_release_delayed_inode(node);
 
+	/*
+	 * If we fail to update the delayed inode we need to abort the
+	 * transaction, because we could leave the inode with the improper
+	 * counts behind.
+	 */
+	if (ret && ret != -ENOENT)
+		btrfs_abort_transaction(trans, ret);
+
 	return ret;
 
 search:
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 158/593] btrfs: sysfs: fix format string for some discard stats
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 157/593] btrfs: abort transaction if we fail to update the delayed inode Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 159/593] btrfs: dont clear page extent mapped if were not invalidating the full page Greg Kroah-Hartman
                   ` (439 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qu Wenruo, Anand Jain, David Sterba,
	Sasha Levin

From: David Sterba <dsterba@suse.com>

[ Upstream commit 8c5ec995616f1202ab92e195fd75d6f60d86f85c ]

The type of discard_bitmap_bytes and discard_extent_bytes is u64 so the
format should be %llu, though the actual values would hardly ever
overflow to negative values.

Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/sysfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
index 279d9262b676..3bb6b688ece5 100644
--- a/fs/btrfs/sysfs.c
+++ b/fs/btrfs/sysfs.c
@@ -382,7 +382,7 @@ static ssize_t btrfs_discard_bitmap_bytes_show(struct kobject *kobj,
 {
 	struct btrfs_fs_info *fs_info = discard_to_fs_info(kobj);
 
-	return scnprintf(buf, PAGE_SIZE, "%lld\n",
+	return scnprintf(buf, PAGE_SIZE, "%llu\n",
 			fs_info->discard_ctl.discard_bitmap_bytes);
 }
 BTRFS_ATTR(discard, discard_bitmap_bytes, btrfs_discard_bitmap_bytes_show);
@@ -404,7 +404,7 @@ static ssize_t btrfs_discard_extent_bytes_show(struct kobject *kobj,
 {
 	struct btrfs_fs_info *fs_info = discard_to_fs_info(kobj);
 
-	return scnprintf(buf, PAGE_SIZE, "%lld\n",
+	return scnprintf(buf, PAGE_SIZE, "%llu\n",
 			fs_info->discard_ctl.discard_extent_bytes);
 }
 BTRFS_ATTR(discard, discard_extent_bytes, btrfs_discard_extent_bytes_show);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 159/593] btrfs: dont clear page extent mapped if were not invalidating the full page
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 158/593] btrfs: sysfs: fix format string for some discard stats Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 160/593] btrfs: disable build on platforms having page size 256K Greg Kroah-Hartman
                   ` (438 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qu Wenruo, David Sterba, Sasha Levin,
	Ritesh Harjani, Anand Jain

From: Qu Wenruo <wqu@suse.com>

[ Upstream commit bcd77455d590eaa0422a5e84ae852007cfce574a ]

[BUG]
With current btrfs subpage rw support, the following script can lead to
fs hang:

  $ mkfs.btrfs -f -s 4k $dev
  $ mount $dev -o nospace_cache $mnt
  $ fsstress -w -n 100 -p 1 -s 1608140256 -v -d $mnt

The fs will hang at btrfs_start_ordered_extent().

[CAUSE]
In above test case, btrfs_invalidate() will be called with the following
parameters:

  offset = 0 length = 53248 page dirty = 1 subpage dirty bitmap = 0x2000

Since @offset is 0, btrfs_invalidate() will try to invalidate the full
page, and finally call clear_page_extent_mapped() which will detach
subpage structure from the page.

And since the page no longer has subpage structure, the subpage dirty
bitmap will be cleared, preventing the dirty range from being written
back, thus no way to wake up the ordered extent.

[FIX]
Just follow other filesystems, only to invalidate the page if the range
covers the full page.

There are cases like truncate_setsize() which can call
btrfs_invalidatepage() with offset == 0 and length != 0 for the last
page of an inode.

Although the old code will still try to invalidate the full page, we are
still safe to just wait for ordered extent to finish.
So it shouldn't cause extra problems.

Tested-by: Ritesh Harjani <riteshh@linux.ibm.com> # [ppc64]
Tested-by: Anand Jain <anand.jain@oracle.com> # [aarch64]
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/inode.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index a03d3bad2139..4f21b8fbfd4b 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -8213,7 +8213,19 @@ static void btrfs_invalidatepage(struct page *page, unsigned int offset,
 	 */
 	wait_on_page_writeback(page);
 
-	if (offset) {
+	/*
+	 * For subpage case, we have call sites like
+	 * btrfs_punch_hole_lock_range() which passes range not aligned to
+	 * sectorsize.
+	 * If the range doesn't cover the full page, we don't need to and
+	 * shouldn't clear page extent mapped, as page->private can still
+	 * record subpage dirty bits for other part of the range.
+	 *
+	 * For cases that can invalidate the full even the range doesn't
+	 * cover the full page, like invalidating the last page, we're
+	 * still safe to wait for ordered extent to finish.
+	 */
+	if (!(offset == 0 && length == PAGE_SIZE)) {
 		btrfs_releasepage(page, GFP_NOFS);
 		return;
 	}
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 160/593] btrfs: disable build on platforms having page size 256K
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 159/593] btrfs: dont clear page extent mapped if were not invalidating the full page Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 161/593] locking/lockdep: Fix the dep path printing for backwards BFS Greg Kroah-Hartman
                   ` (437 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Christophe Leroy,
	David Sterba, Sasha Levin

From: Christophe Leroy <christophe.leroy@csgroup.eu>

[ Upstream commit b05fbcc36be1f8597a1febef4892053a0b2f3f60 ]

With a config having PAGE_SIZE set to 256K, BTRFS build fails
with the following message

  include/linux/compiler_types.h:326:38: error: call to
  '__compiletime_assert_791' declared with attribute error:
  BUILD_BUG_ON failed: (BTRFS_MAX_COMPRESSED % PAGE_SIZE) != 0

BTRFS_MAX_COMPRESSED being 128K, BTRFS cannot support platforms with
256K pages at the time being.

There are two platforms that can select 256K pages:
 - hexagon
 - powerpc

Disable BTRFS when 256K page size is selected. Supporting this would
require changes to the subpage mode that's currently being developed.
Given that 256K is many times larger than page sizes commonly used and
for what the algorithms and structures have been tuned, it's out of
scope and disabling build is a reasonable option.

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
[ update changelog ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/Kconfig | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/btrfs/Kconfig b/fs/btrfs/Kconfig
index 68b95ad82126..520a0f6a7d9e 100644
--- a/fs/btrfs/Kconfig
+++ b/fs/btrfs/Kconfig
@@ -18,6 +18,8 @@ config BTRFS_FS
 	select RAID6_PQ
 	select XOR_BLOCKS
 	select SRCU
+	depends on !PPC_256K_PAGES	# powerpc
+	depends on !PAGE_SIZE_256KB	# hexagon
 
 	help
 	  Btrfs is a general purpose copy-on-write filesystem with extents,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 161/593] locking/lockdep: Fix the dep path printing for backwards BFS
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 160/593] btrfs: disable build on platforms having page size 256K Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 162/593] lockding/lockdep: Avoid to find wrong lock dep path in check_irq_usage() Greg Kroah-Hartman
                   ` (436 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, Boqun Feng,
	Peter Zijlstra (Intel),
	Sasha Levin

From: Boqun Feng <boqun.feng@gmail.com>

[ Upstream commit 69c7a5fb2482636f525f016c8333fdb9111ecb9d ]

We use the same code to print backwards lock dependency path as the
forwards lock dependency path, and this could result into incorrect
printing because for a backwards lock_list ->trace is not the call trace
where the lock of ->class is acquired.

Fix this by introducing a separate function on printing the backwards
dependency path. Also add a few comments about the printing while we are
at it.

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20210618170110.3699115-2-boqun.feng@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/locking/lockdep.c | 108 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 106 insertions(+), 2 deletions(-)

diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
index cdca007551e7..78b51b8ad4f6 100644
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -2297,7 +2297,56 @@ static void print_lock_class_header(struct lock_class *class, int depth)
 }
 
 /*
- * printk the shortest lock dependencies from @start to @end in reverse order:
+ * Dependency path printing:
+ *
+ * After BFS we get a lock dependency path (linked via ->parent of lock_list),
+ * printing out each lock in the dependency path will help on understanding how
+ * the deadlock could happen. Here are some details about dependency path
+ * printing:
+ *
+ * 1)	A lock_list can be either forwards or backwards for a lock dependency,
+ * 	for a lock dependency A -> B, there are two lock_lists:
+ *
+ * 	a)	lock_list in the ->locks_after list of A, whose ->class is B and
+ * 		->links_to is A. In this case, we can say the lock_list is
+ * 		"A -> B" (forwards case).
+ *
+ * 	b)	lock_list in the ->locks_before list of B, whose ->class is A
+ * 		and ->links_to is B. In this case, we can say the lock_list is
+ * 		"B <- A" (bacwards case).
+ *
+ * 	The ->trace of both a) and b) point to the call trace where B was
+ * 	acquired with A held.
+ *
+ * 2)	A "helper" lock_list is introduced during BFS, this lock_list doesn't
+ * 	represent a certain lock dependency, it only provides an initial entry
+ * 	for BFS. For example, BFS may introduce a "helper" lock_list whose
+ * 	->class is A, as a result BFS will search all dependencies starting with
+ * 	A, e.g. A -> B or A -> C.
+ *
+ * 	The notation of a forwards helper lock_list is like "-> A", which means
+ * 	we should search the forwards dependencies starting with "A", e.g A -> B
+ * 	or A -> C.
+ *
+ * 	The notation of a bacwards helper lock_list is like "<- B", which means
+ * 	we should search the backwards dependencies ending with "B", e.g.
+ * 	B <- A or B <- C.
+ */
+
+/*
+ * printk the shortest lock dependencies from @root to @leaf in reverse order.
+ *
+ * We have a lock dependency path as follow:
+ *
+ *    @root                                                                 @leaf
+ *      |                                                                     |
+ *      V                                                                     V
+ *	          ->parent                                   ->parent
+ * | lock_list | <--------- | lock_list | ... | lock_list  | <--------- | lock_list |
+ * |    -> L1  |            | L1 -> L2  | ... |Ln-2 -> Ln-1|            | Ln-1 -> Ln|
+ *
+ * , so it's natural that we start from @leaf and print every ->class and
+ * ->trace until we reach the @root.
  */
 static void __used
 print_shortest_lock_dependencies(struct lock_list *leaf,
@@ -2325,6 +2374,61 @@ print_shortest_lock_dependencies(struct lock_list *leaf,
 	} while (entry && (depth >= 0));
 }
 
+/*
+ * printk the shortest lock dependencies from @leaf to @root.
+ *
+ * We have a lock dependency path (from a backwards search) as follow:
+ *
+ *    @leaf                                                                 @root
+ *      |                                                                     |
+ *      V                                                                     V
+ *	          ->parent                                   ->parent
+ * | lock_list | ---------> | lock_list | ... | lock_list  | ---------> | lock_list |
+ * | L2 <- L1  |            | L3 <- L2  | ... | Ln <- Ln-1 |            |    <- Ln  |
+ *
+ * , so when we iterate from @leaf to @root, we actually print the lock
+ * dependency path L1 -> L2 -> .. -> Ln in the non-reverse order.
+ *
+ * Another thing to notice here is that ->class of L2 <- L1 is L1, while the
+ * ->trace of L2 <- L1 is the call trace of L2, in fact we don't have the call
+ * trace of L1 in the dependency path, which is alright, because most of the
+ * time we can figure out where L1 is held from the call trace of L2.
+ */
+static void __used
+print_shortest_lock_dependencies_backwards(struct lock_list *leaf,
+					   struct lock_list *root)
+{
+	struct lock_list *entry = leaf;
+	const struct lock_trace *trace = NULL;
+	int depth;
+
+	/*compute depth from generated tree by BFS*/
+	depth = get_lock_depth(leaf);
+
+	do {
+		print_lock_class_header(entry->class, depth);
+		if (trace) {
+			printk("%*s ... acquired at:\n", depth, "");
+			print_lock_trace(trace, 2);
+			printk("\n");
+		}
+
+		/*
+		 * Record the pointer to the trace for the next lock_list
+		 * entry, see the comments for the function.
+		 */
+		trace = entry->trace;
+
+		if (depth == 0 && (entry != root)) {
+			printk("lockdep:%s bad path found in chain graph\n", __func__);
+			break;
+		}
+
+		entry = get_lock_parent(entry);
+		depth--;
+	} while (entry && (depth >= 0));
+}
+
 static void
 print_irq_lock_scenario(struct lock_list *safe_entry,
 			struct lock_list *unsafe_entry,
@@ -2442,7 +2546,7 @@ print_bad_irq_dependency(struct task_struct *curr,
 	prev_root->trace = save_trace();
 	if (!prev_root->trace)
 		return;
-	print_shortest_lock_dependencies(backwards_entry, prev_root);
+	print_shortest_lock_dependencies_backwards(backwards_entry, prev_root);
 
 	pr_warn("\nthe dependencies between the lock to be acquired");
 	pr_warn(" and %s-irq-unsafe lock:\n", irqclass);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 162/593] lockding/lockdep: Avoid to find wrong lock dep path in check_irq_usage()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 161/593] locking/lockdep: Fix the dep path printing for backwards BFS Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 163/593] KVM: s390: get rid of register asm usage Greg Kroah-Hartman
                   ` (435 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, Boqun Feng,
	Peter Zijlstra (Intel),
	Sasha Levin

From: Boqun Feng <boqun.feng@gmail.com>

[ Upstream commit 7b1f8c6179769af6ffa055e1169610b51d71edd5 ]

In the step #3 of check_irq_usage(), we seach backwards to find a lock
whose usage conflicts the usage of @target_entry1 on safe/unsafe.
However, we should only keep the irq-unsafe usage of @target_entry1 into
consideration, because it could be a case where a lock is hardirq-unsafe
but soft-safe, and in check_irq_usage() we find it because its
hardirq-unsafe could result into a hardirq-safe-unsafe deadlock, but
currently since we don't filter out the other usage bits, so we may find
a lock dependency path softirq-unsafe -> softirq-safe, which in fact
doesn't cause a deadlock. And this may cause misleading lockdep splats.

Fix this by only keeping LOCKF_ENABLED_IRQ_ALL bits when we try the
backwards search.

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/20210618170110.3699115-4-boqun.feng@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/locking/lockdep.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
index 78b51b8ad4f6..788629c06ce9 100644
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -2764,8 +2764,18 @@ static int check_irq_usage(struct task_struct *curr, struct held_lock *prev,
 	 * Step 3: we found a bad match! Now retrieve a lock from the backward
 	 * list whose usage mask matches the exclusive usage mask from the
 	 * lock found on the forward list.
+	 *
+	 * Note, we should only keep the LOCKF_ENABLED_IRQ_ALL bits, considering
+	 * the follow case:
+	 *
+	 * When trying to add A -> B to the graph, we find that there is a
+	 * hardirq-safe L, that L -> ... -> A, and another hardirq-unsafe M,
+	 * that B -> ... -> M. However M is **softirq-safe**, if we use exact
+	 * invert bits of M's usage_mask, we will find another lock N that is
+	 * **softirq-unsafe** and N -> ... -> A, however N -> .. -> M will not
+	 * cause a inversion deadlock.
 	 */
-	backward_mask = original_mask(target_entry1->class->usage_mask);
+	backward_mask = original_mask(target_entry1->class->usage_mask & LOCKF_ENABLED_IRQ_ALL);
 
 	ret = find_usage_backwards(&this, backward_mask, &target_entry);
 	if (bfs_error(ret)) {
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 163/593] KVM: s390: get rid of register asm usage
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 162/593] lockding/lockdep: Avoid to find wrong lock dep path in check_irq_usage() Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 164/593] regulator: mt6358: Fix vdram2 .vsel_mask Greg Kroah-Hartman
                   ` (434 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heiko Carstens,
	Christian Borntraeger, Thomas Huth, Cornelia Huck,
	Claudio Imbrenda, Sasha Levin

From: Heiko Carstens <hca@linux.ibm.com>

[ Upstream commit 4fa3b91bdee1b08348c82660668ca0ca34e271ad ]

Using register asm statements has been proven to be very error prone,
especially when using code instrumentation where gcc may add function
calls, which clobbers register contents in an unexpected way.

Therefore get rid of register asm statements in kvm code, even though
there is currently nothing wrong with them. This way we know for sure
that this bug class won't be introduced here.

Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Link: https://lore.kernel.org/r/20210621140356.1210771-1-hca@linux.ibm.com
[borntraeger@de.ibm.com: checkpatch strict fix]
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/kvm/kvm-s390.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index 20afffd6b982..f94b4f78d4da 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -327,31 +327,31 @@ static void allow_cpu_feat(unsigned long nr)
 
 static inline int plo_test_bit(unsigned char nr)
 {
-	register unsigned long r0 asm("0") = (unsigned long) nr | 0x100;
+	unsigned long function = (unsigned long)nr | 0x100;
 	int cc;
 
 	asm volatile(
+		"	lgr	0,%[function]\n"
 		/* Parameter registers are ignored for "test bit" */
 		"	plo	0,0,0,0(0)\n"
 		"	ipm	%0\n"
 		"	srl	%0,28\n"
 		: "=d" (cc)
-		: "d" (r0)
-		: "cc");
+		: [function] "d" (function)
+		: "cc", "0");
 	return cc == 0;
 }
 
 static __always_inline void __insn32_query(unsigned int opcode, u8 *query)
 {
-	register unsigned long r0 asm("0") = 0;	/* query function */
-	register unsigned long r1 asm("1") = (unsigned long) query;
-
 	asm volatile(
-		/* Parameter regs are ignored */
+		"	lghi	0,0\n"
+		"	lgr	1,%[query]\n"
+		/* Parameter registers are ignored */
 		"	.insn	rrf,%[opc] << 16,2,4,6,0\n"
 		:
-		: "d" (r0), "a" (r1), [opc] "i" (opcode)
-		: "cc", "memory");
+		: [query] "d" ((unsigned long)query), [opc] "i" (opcode)
+		: "cc", "memory", "0", "1");
 }
 
 #define INSN_SORTL 0xb938
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 164/593] regulator: mt6358: Fix vdram2 .vsel_mask
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 163/593] KVM: s390: get rid of register asm usage Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 165/593] regulator: da9052: Ensure enough delay time for .set_voltage_time_sel Greg Kroah-Hartman
                   ` (433 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hsin-Hsiung Wang, Axel Lin,
	Mark Brown, Sasha Levin

From: Hsin-Hsiung Wang <hsin-hsiung.wang@mediatek.com>

[ Upstream commit 50c9462edcbf900f3d5097ca3ad60171346124de ]

The valid vsel value are 0 and 12, so the .vsel_mask should be 0xf.

Signed-off-by: Hsin-Hsiung Wang <hsin-hsiung.wang@mediatek.com>
Reviewed-by: Axel Lin <axel.lin@ingics.com>
Link: https://lore.kernel.org/r/1624424169-510-1-git-send-email-hsin-hsiung.wang@mediatek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/regulator/mt6358-regulator.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/regulator/mt6358-regulator.c b/drivers/regulator/mt6358-regulator.c
index 13cb6ac9a892..1d4eb5dc4fac 100644
--- a/drivers/regulator/mt6358-regulator.c
+++ b/drivers/regulator/mt6358-regulator.c
@@ -457,7 +457,7 @@ static struct mt6358_regulator_info mt6358_regulators[] = {
 	MT6358_REG_FIXED("ldo_vaud28", VAUD28,
 			 MT6358_LDO_VAUD28_CON0, 0, 2800000),
 	MT6358_LDO("ldo_vdram2", VDRAM2, vdram2_voltages, vdram2_idx,
-		   MT6358_LDO_VDRAM2_CON0, 0, MT6358_LDO_VDRAM2_ELR0, 0x10, 0),
+		   MT6358_LDO_VDRAM2_CON0, 0, MT6358_LDO_VDRAM2_ELR0, 0xf, 0),
 	MT6358_LDO("ldo_vsim1", VSIM1, vsim_voltages, vsim_idx,
 		   MT6358_LDO_VSIM1_CON0, 0, MT6358_VSIM1_ANA_CON0, 0xf00, 8),
 	MT6358_LDO("ldo_vibr", VIBR, vibr_voltages, vibr_idx,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 165/593] regulator: da9052: Ensure enough delay time for .set_voltage_time_sel
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 164/593] regulator: mt6358: Fix vdram2 .vsel_mask Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 166/593] media: Fix Media Controller API config checks Greg Kroah-Hartman
                   ` (432 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Axel Lin, Mark Brown, Sasha Levin

From: Axel Lin <axel.lin@ingics.com>

[ Upstream commit a336dc8f683e5be794186b5643cd34cb28dd2c53 ]

Use DIV_ROUND_UP to prevent truncation by integer division issue.
This ensures we return enough delay time.

Also fix returning negative value when new_sel < old_sel.

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Link: https://lore.kernel.org/r/20210618141412.4014912-1-axel.lin@ingics.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/regulator/da9052-regulator.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/regulator/da9052-regulator.c b/drivers/regulator/da9052-regulator.c
index e18d291c7f21..23fa429ebe76 100644
--- a/drivers/regulator/da9052-regulator.c
+++ b/drivers/regulator/da9052-regulator.c
@@ -250,7 +250,8 @@ static int da9052_regulator_set_voltage_time_sel(struct regulator_dev *rdev,
 	case DA9052_ID_BUCK3:
 	case DA9052_ID_LDO2:
 	case DA9052_ID_LDO3:
-		ret = (new_sel - old_sel) * info->step_uV / 6250;
+		ret = DIV_ROUND_UP(abs(new_sel - old_sel) * info->step_uV,
+				   6250);
 		break;
 	}
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 166/593] media: Fix Media Controller API config checks
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 165/593] regulator: da9052: Ensure enough delay time for .set_voltage_time_sel Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 167/593] ACPI: video: use native backlight for GA401/GA502/GA503 Greg Kroah-Hartman
                   ` (431 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Shuah Khan,
	Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin

From: Shuah Khan <skhan@linuxfoundation.org>

[ Upstream commit 50e7a31d30e8221632675abed3be306382324ca2 ]

Smatch static checker warns that "mdev" can be null:

sound/usb/media.c:287 snd_media_device_create()
    warn: 'mdev' can also be NULL

If CONFIG_MEDIA_CONTROLLER is disabled, this file should not be included
in the build.

The below conditions in the sound/usb/Makefile are in place to ensure that
media.c isn't included in the build.

sound/usb/Makefile:
snd-usb-audio-$(CONFIG_SND_USB_AUDIO_USE_MEDIA_CONTROLLER) += media.o

select SND_USB_AUDIO_USE_MEDIA_CONTROLLER if MEDIA_CONTROLLER &&
       (MEDIA_SUPPORT=y || MEDIA_SUPPORT=SND_USB_AUDIO)

The following config check in include/media/media-dev-allocator.h is
in place to enable the API only when CONFIG_MEDIA_CONTROLLER and
CONFIG_USB are enabled.

 #if defined(CONFIG_MEDIA_CONTROLLER) && defined(CONFIG_USB)

This check doesn't work as intended when CONFIG_USB=m. When CONFIG_USB=m,
CONFIG_USB_MODULE is defined and CONFIG_USB is not. The above config check
doesn't catch that CONFIG_USB is defined as a module and disables the API.
This results in sound/usb enabling Media Controller specific ALSA driver
code, while Media disables the Media Controller API.

Fix the problem requires two changes:

1. Change the check to use IS_ENABLED to detect when CONFIG_USB is enabled
   as a module or static. Since CONFIG_MEDIA_CONTROLLER is a bool, leave
   the check unchanged to be consistent with drivers/media/Makefile.

2. Change the drivers/media/mc/Makefile to include mc-dev-allocator.o
   in mc-objs when CONFIG_USB is enabled.

Link: https://lore.kernel.org/alsa-devel/YLeAvT+R22FQ%2FEyw@mwanda/

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/mc/Makefile           | 2 +-
 include/media/media-dev-allocator.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/mc/Makefile b/drivers/media/mc/Makefile
index 119037f0e686..2b7af42ba59c 100644
--- a/drivers/media/mc/Makefile
+++ b/drivers/media/mc/Makefile
@@ -3,7 +3,7 @@
 mc-objs	:= mc-device.o mc-devnode.o mc-entity.o \
 	   mc-request.o
 
-ifeq ($(CONFIG_USB),y)
+ifneq ($(CONFIG_USB),)
 	mc-objs += mc-dev-allocator.o
 endif
 
diff --git a/include/media/media-dev-allocator.h b/include/media/media-dev-allocator.h
index b35ea6062596..2ab54d426c64 100644
--- a/include/media/media-dev-allocator.h
+++ b/include/media/media-dev-allocator.h
@@ -19,7 +19,7 @@
 
 struct usb_device;
 
-#if defined(CONFIG_MEDIA_CONTROLLER) && defined(CONFIG_USB)
+#if defined(CONFIG_MEDIA_CONTROLLER) && IS_ENABLED(CONFIG_USB)
 /**
  * media_device_usb_allocate() - Allocate and return struct &media device
  *
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 167/593] ACPI: video: use native backlight for GA401/GA502/GA503
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 166/593] media: Fix Media Controller API config checks Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 168/593] HID: do not use down_interruptible() when unbinding devices Greg Kroah-Hartman
                   ` (430 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luke D. Jones, Rafael J. Wysocki,
	Sasha Levin

From: Luke D Jones <luke@ljones.dev>

[ Upstream commit 2dfbacc65d1d2eae587ccb6b93f6280542641858 ]

Force backlight control in these models to use the native interface
at /sys/class/backlight/amdgpu_bl0.

Signed-off-by: Luke D. Jones <luke@ljones.dev>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/video_detect.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
index 83cd4c95faf0..33474fd96991 100644
--- a/drivers/acpi/video_detect.c
+++ b/drivers/acpi/video_detect.c
@@ -385,6 +385,30 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
 		DMI_MATCH(DMI_BOARD_NAME, "BA51_MV"),
 		},
 	},
+	{
+	.callback = video_detect_force_native,
+	.ident = "ASUSTeK COMPUTER INC. GA401",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+		DMI_MATCH(DMI_PRODUCT_NAME, "GA401"),
+		},
+	},
+	{
+	.callback = video_detect_force_native,
+	.ident = "ASUSTeK COMPUTER INC. GA502",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+		DMI_MATCH(DMI_PRODUCT_NAME, "GA502"),
+		},
+	},
+	{
+	.callback = video_detect_force_native,
+	.ident = "ASUSTeK COMPUTER INC. GA503",
+	.matches = {
+		DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+		DMI_MATCH(DMI_PRODUCT_NAME, "GA503"),
+		},
+	},
 
 	/*
 	 * Desktops which falsely report a backlight and which our heuristics
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 168/593] HID: do not use down_interruptible() when unbinding devices
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 167/593] ACPI: video: use native backlight for GA401/GA502/GA503 Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 169/593] EDAC/ti: Add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (429 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Torokhov, Jiri Kosina, Sasha Levin

From: Dmitry Torokhov <dmitry.torokhov@gmail.com>

[ Upstream commit f2145f8dc566c4f3b5a8deb58dcd12bed4e20194 ]

Action of unbinding driver from a device is not cancellable and should not
fail, and driver core does not pay attention to the result of "remove"
method, therefore using down_interruptible() in hid_device_remove() does
not make sense.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-core.c | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 0f69f35f2957..5550c943f985 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -2306,12 +2306,8 @@ static int hid_device_remove(struct device *dev)
 {
 	struct hid_device *hdev = to_hid_device(dev);
 	struct hid_driver *hdrv;
-	int ret = 0;
 
-	if (down_interruptible(&hdev->driver_input_lock)) {
-		ret = -EINTR;
-		goto end;
-	}
+	down(&hdev->driver_input_lock);
 	hdev->io_started = false;
 
 	hdrv = hdev->driver;
@@ -2326,8 +2322,8 @@ static int hid_device_remove(struct device *dev)
 
 	if (!hdev->io_started)
 		up(&hdev->driver_input_lock);
-end:
-	return ret;
+
+	return 0;
 }
 
 static ssize_t modalias_show(struct device *dev, struct device_attribute *a,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 169/593] EDAC/ti: Add missing MODULE_DEVICE_TABLE
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 168/593] HID: do not use down_interruptible() when unbinding devices Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 170/593] ACPI: processor idle: Fix up C-state latency if not ordered Greg Kroah-Hartman
                   ` (428 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Bixuan Cui,
	Borislav Petkov, Tero Kristo, Sasha Levin

From: Bixuan Cui <cuibixuan@huawei.com>

[ Upstream commit 0a37f32ba5272b2d4ec8c8d0f6b212b81b578f7e ]

The module misses MODULE_DEVICE_TABLE() for of_device_id tables and thus
never autoloads on ID matches.

Add the missing declaration.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Tero Kristo <kristo@kernel.org>
Link: https://lkml.kernel.org/r/20210512033727.26701-1-cuibixuan@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/edac/ti_edac.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/edac/ti_edac.c b/drivers/edac/ti_edac.c
index e7eae20f83d1..169f96e51c29 100644
--- a/drivers/edac/ti_edac.c
+++ b/drivers/edac/ti_edac.c
@@ -197,6 +197,7 @@ static const struct of_device_id ti_edac_of_match[] = {
 	{ .compatible = "ti,emif-dra7xx", .data = (void *)EMIF_TYPE_DRA7 },
 	{},
 };
+MODULE_DEVICE_TABLE(of, ti_edac_of_match);
 
 static int _emif_get_id(struct device_node *node)
 {
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 170/593] ACPI: processor idle: Fix up C-state latency if not ordered
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 169/593] EDAC/ti: Add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 171/593] hv_utils: Fix passing zero to PTR_ERR warning Greg Kroah-Hartman
                   ` (427 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Prike Liang, Alex Deucher,
	Mario Limonciello, Rafael J. Wysocki, Sasha Levin

From: Mario Limonciello <mario.limonciello@amd.com>

[ Upstream commit 65ea8f2c6e230bdf71fed0137cf9e9d1b307db32 ]

Generally, the C-state latency is provided by the _CST method or
FADT, but some OEM platforms using AMD Picasso, Renoir, Van Gogh,
and Cezanne set the C2 latency greater than C3's which causes the
C2 state to be skipped.

That will block the core entering PC6, which prevents S0ix working
properly on Linux systems.

In other operating systems, the latency values are not validated and
this does not cause problems by skipping states.

To avoid this issue on Linux, detect when latencies are not an
arithmetic progression and sort them.

Link: https://gitlab.freedesktop.org/agd5f/linux/-/commit/026d186e4592c1ee9c1cb44295912d0294508725
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1230#note_712174
Suggested-by: Prike Liang <Prike.Liang@amd.com>
Suggested-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/processor_idle.c | 40 +++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
index fb161a21d0ae..8377c3ed10ff 100644
--- a/drivers/acpi/processor_idle.c
+++ b/drivers/acpi/processor_idle.c
@@ -16,6 +16,7 @@
 #include <linux/acpi.h>
 #include <linux/dmi.h>
 #include <linux/sched.h>       /* need_resched() */
+#include <linux/sort.h>
 #include <linux/tick.h>
 #include <linux/cpuidle.h>
 #include <linux/cpu.h>
@@ -389,10 +390,37 @@ static void acpi_processor_power_verify_c3(struct acpi_processor *pr,
 	return;
 }
 
+static int acpi_cst_latency_cmp(const void *a, const void *b)
+{
+	const struct acpi_processor_cx *x = a, *y = b;
+
+	if (!(x->valid && y->valid))
+		return 0;
+	if (x->latency > y->latency)
+		return 1;
+	if (x->latency < y->latency)
+		return -1;
+	return 0;
+}
+static void acpi_cst_latency_swap(void *a, void *b, int n)
+{
+	struct acpi_processor_cx *x = a, *y = b;
+	u32 tmp;
+
+	if (!(x->valid && y->valid))
+		return;
+	tmp = x->latency;
+	x->latency = y->latency;
+	y->latency = tmp;
+}
+
 static int acpi_processor_power_verify(struct acpi_processor *pr)
 {
 	unsigned int i;
 	unsigned int working = 0;
+	unsigned int last_latency = 0;
+	unsigned int last_type = 0;
+	bool buggy_latency = false;
 
 	pr->power.timer_broadcast_on_state = INT_MAX;
 
@@ -416,12 +444,24 @@ static int acpi_processor_power_verify(struct acpi_processor *pr)
 		}
 		if (!cx->valid)
 			continue;
+		if (cx->type >= last_type && cx->latency < last_latency)
+			buggy_latency = true;
+		last_latency = cx->latency;
+		last_type = cx->type;
 
 		lapic_timer_check_state(i, pr, cx);
 		tsc_check_state(cx->type);
 		working++;
 	}
 
+	if (buggy_latency) {
+		pr_notice("FW issue: working around C-state latencies out of order\n");
+		sort(&pr->power.states[1], max_cstate,
+		     sizeof(struct acpi_processor_cx),
+		     acpi_cst_latency_cmp,
+		     acpi_cst_latency_swap);
+	}
+
 	lapic_timer_propagate_broadcast(pr);
 
 	return (working);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 171/593] hv_utils: Fix passing zero to PTR_ERR warning
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 170/593] ACPI: processor idle: Fix up C-state latency if not ordered Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 172/593] lib: vsprintf: Fix handling of number field widths in vsscanf Greg Kroah-Hartman
                   ` (426 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, YueHaibing, Wei Liu, Sasha Levin

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit c6a8625fa4c6b0a97860d053271660ccedc3d1b3 ]

Sparse warn this:

drivers/hv/hv_util.c:753 hv_timesync_init() warn:
 passing zero to 'PTR_ERR'

Use PTR_ERR_OR_ZERO instead of PTR_ERR to fix this.

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Link: https://lore.kernel.org/r/20210514070116.16800-1-yuehaibing@huawei.com
[ wei: change %ld to %d ]
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hv/hv_util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hv/hv_util.c b/drivers/hv/hv_util.c
index 05566ecdbe4b..1b914e418e41 100644
--- a/drivers/hv/hv_util.c
+++ b/drivers/hv/hv_util.c
@@ -696,8 +696,8 @@ static int hv_timesync_init(struct hv_util_service *srv)
 	 */
 	hv_ptp_clock = ptp_clock_register(&ptp_hyperv_info, NULL);
 	if (IS_ERR_OR_NULL(hv_ptp_clock)) {
-		pr_err("cannot register PTP clock: %ld\n",
-		       PTR_ERR(hv_ptp_clock));
+		pr_err("cannot register PTP clock: %d\n",
+		       PTR_ERR_OR_ZERO(hv_ptp_clock));
 		hv_ptp_clock = NULL;
 	}
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 172/593] lib: vsprintf: Fix handling of number field widths in vsscanf
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 171/593] hv_utils: Fix passing zero to PTR_ERR warning Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 173/593] Input: goodix - platform/x86: touchscreen_dmi - Move upside down quirks to touchscreen_dmi.c Greg Kroah-Hartman
                   ` (425 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Richard Fitzgerald, Petr Mladek, Sasha Levin

From: Richard Fitzgerald <rf@opensource.cirrus.com>

[ Upstream commit 900fdc4573766dd43b847b4f54bd4a1ee2bc7360 ]

The existing code attempted to handle numbers by doing a strto[u]l(),
ignoring the field width, and then repeatedly dividing to extract the
field out of the full converted value. If the string contains a run of
valid digits longer than will fit in a long or long long, this would
overflow and no amount of dividing can recover the correct value.

This patch fixes vsscanf() to obey number field widths when parsing
the number.

A new _parse_integer_limit() is added that takes a limit for the number
of characters to parse. The number field conversion in vsscanf is changed
to use this new function.

If a number starts with a radix prefix, the field width  must be long
enough for at last one digit after the prefix. If not, it will be handled
like this:

 sscanf("0x4", "%1i", &i): i=0, scanning continues with the 'x'
 sscanf("0x4", "%2i", &i): i=0, scanning continues with the '4'

This is consistent with the observed behaviour of userland sscanf.

Note that this patch does NOT fix the problem of a single field value
overflowing the target type. So for example:

  sscanf("123456789abcdef", "%x", &i);

Will not produce the correct result because the value obviously overflows
INT_MAX. But sscanf will report a successful conversion.

Note that where a very large number is used to mean "unlimited", the value
INT_MAX is used for consistency with the behaviour of vsnprintf().

Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/20210514161206.30821-2-rf@opensource.cirrus.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/kstrtox.c  | 13 ++++++--
 lib/kstrtox.h  |  2 ++
 lib/vsprintf.c | 82 +++++++++++++++++++++++++++++---------------------
 3 files changed, 60 insertions(+), 37 deletions(-)

diff --git a/lib/kstrtox.c b/lib/kstrtox.c
index a14ccf905055..8504526541c1 100644
--- a/lib/kstrtox.c
+++ b/lib/kstrtox.c
@@ -39,20 +39,22 @@ const char *_parse_integer_fixup_radix(const char *s, unsigned int *base)
 
 /*
  * Convert non-negative integer string representation in explicitly given radix
- * to an integer.
+ * to an integer. A maximum of max_chars characters will be converted.
+ *
  * Return number of characters consumed maybe or-ed with overflow bit.
  * If overflow occurs, result integer (incorrect) is still returned.
  *
  * Don't you dare use this function.
  */
-unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *p)
+unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *p,
+				  size_t max_chars)
 {
 	unsigned long long res;
 	unsigned int rv;
 
 	res = 0;
 	rv = 0;
-	while (1) {
+	while (max_chars--) {
 		unsigned int c = *s;
 		unsigned int lc = c | 0x20; /* don't tolower() this line */
 		unsigned int val;
@@ -82,6 +84,11 @@ unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long
 	return rv;
 }
 
+unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *p)
+{
+	return _parse_integer_limit(s, base, p, INT_MAX);
+}
+
 static int _kstrtoull(const char *s, unsigned int base, unsigned long long *res)
 {
 	unsigned long long _res;
diff --git a/lib/kstrtox.h b/lib/kstrtox.h
index 3b4637bcd254..158c400ca865 100644
--- a/lib/kstrtox.h
+++ b/lib/kstrtox.h
@@ -4,6 +4,8 @@
 
 #define KSTRTOX_OVERFLOW	(1U << 31)
 const char *_parse_integer_fixup_radix(const char *s, unsigned int *base);
+unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *res,
+				  size_t max_chars);
 unsigned int _parse_integer(const char *s, unsigned int base, unsigned long long *res);
 
 #endif
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index fd0fde639ec9..8ade1a86d818 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -53,6 +53,31 @@
 #include <linux/string_helpers.h>
 #include "kstrtox.h"
 
+static unsigned long long simple_strntoull(const char *startp, size_t max_chars,
+					   char **endp, unsigned int base)
+{
+	const char *cp;
+	unsigned long long result = 0ULL;
+	size_t prefix_chars;
+	unsigned int rv;
+
+	cp = _parse_integer_fixup_radix(startp, &base);
+	prefix_chars = cp - startp;
+	if (prefix_chars < max_chars) {
+		rv = _parse_integer_limit(cp, base, &result, max_chars - prefix_chars);
+		/* FIXME */
+		cp += (rv & ~KSTRTOX_OVERFLOW);
+	} else {
+		/* Field too short for prefix + digit, skip over without converting */
+		cp = startp + max_chars;
+	}
+
+	if (endp)
+		*endp = (char *)cp;
+
+	return result;
+}
+
 /**
  * simple_strtoull - convert a string to an unsigned long long
  * @cp: The start of the string
@@ -63,18 +88,7 @@
  */
 unsigned long long simple_strtoull(const char *cp, char **endp, unsigned int base)
 {
-	unsigned long long result;
-	unsigned int rv;
-
-	cp = _parse_integer_fixup_radix(cp, &base);
-	rv = _parse_integer(cp, base, &result);
-	/* FIXME */
-	cp += (rv & ~KSTRTOX_OVERFLOW);
-
-	if (endp)
-		*endp = (char *)cp;
-
-	return result;
+	return simple_strntoull(cp, INT_MAX, endp, base);
 }
 EXPORT_SYMBOL(simple_strtoull);
 
@@ -109,6 +123,21 @@ long simple_strtol(const char *cp, char **endp, unsigned int base)
 }
 EXPORT_SYMBOL(simple_strtol);
 
+static long long simple_strntoll(const char *cp, size_t max_chars, char **endp,
+				 unsigned int base)
+{
+	/*
+	 * simple_strntoull() safely handles receiving max_chars==0 in the
+	 * case cp[0] == '-' && max_chars == 1.
+	 * If max_chars == 0 we can drop through and pass it to simple_strntoull()
+	 * and the content of *cp is irrelevant.
+	 */
+	if (*cp == '-' && max_chars > 0)
+		return -simple_strntoull(cp + 1, max_chars - 1, endp, base);
+
+	return simple_strntoull(cp, max_chars, endp, base);
+}
+
 /**
  * simple_strtoll - convert a string to a signed long long
  * @cp: The start of the string
@@ -119,10 +148,7 @@ EXPORT_SYMBOL(simple_strtol);
  */
 long long simple_strtoll(const char *cp, char **endp, unsigned int base)
 {
-	if (*cp == '-')
-		return -simple_strtoull(cp + 1, endp, base);
-
-	return simple_strtoull(cp, endp, base);
+	return simple_strntoll(cp, INT_MAX, endp, base);
 }
 EXPORT_SYMBOL(simple_strtoll);
 
@@ -3442,25 +3468,13 @@ int vsscanf(const char *buf, const char *fmt, va_list args)
 			break;
 
 		if (is_sign)
-			val.s = qualifier != 'L' ?
-				simple_strtol(str, &next, base) :
-				simple_strtoll(str, &next, base);
+			val.s = simple_strntoll(str,
+						field_width >= 0 ? field_width : INT_MAX,
+						&next, base);
 		else
-			val.u = qualifier != 'L' ?
-				simple_strtoul(str, &next, base) :
-				simple_strtoull(str, &next, base);
-
-		if (field_width > 0 && next - str > field_width) {
-			if (base == 0)
-				_parse_integer_fixup_radix(str, &base);
-			while (next - str > field_width) {
-				if (is_sign)
-					val.s = div_s64(val.s, base);
-				else
-					val.u = div_u64(val.u, base);
-				--next;
-			}
-		}
+			val.u = simple_strntoull(str,
+						 field_width >= 0 ? field_width : INT_MAX,
+						 &next, base);
 
 		switch (qualifier) {
 		case 'H':	/* that's 'hh' in format */
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 173/593] Input: goodix - platform/x86: touchscreen_dmi - Move upside down quirks to touchscreen_dmi.c
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 172/593] lib: vsprintf: Fix handling of number field widths in vsscanf Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 174/593] platform/x86: touchscreen_dmi: Add an extra entry for the upside down Goodix touchscreen on Teclast X89 tablets Greg Kroah-Hartman
                   ` (424 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit 5a6f0dbe621a5c20dc912ac474debf9f11129e03 ]

Move the DMI quirks for upside-down mounted Goodix touchscreens from
drivers/input/touchscreen/goodix.c to
drivers/platform/x86/touchscreen_dmi.c,
where all the other x86 touchscreen quirks live.

Note the touchscreen_dmi.c code attaches standard touchscreen
device-properties to an i2c-client device based on a combination of a
DMI match + a device-name match. I've verified that the: Teclast X98 Pro,
WinBook TW100 and WinBook TW700 uses an ACPI devicename of "GDIX1001:00"
based on acpidumps and/or dmesg output available on the web.

This patch was tested on a Teclast X89 tablet.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20210504185746.175461-2-hdegoede@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/touchscreen/goodix.c     | 52 ------------------------
 drivers/platform/x86/touchscreen_dmi.c | 56 ++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 52 deletions(-)

diff --git a/drivers/input/touchscreen/goodix.c b/drivers/input/touchscreen/goodix.c
index 45113767db96..a06385c55af2 100644
--- a/drivers/input/touchscreen/goodix.c
+++ b/drivers/input/touchscreen/goodix.c
@@ -178,51 +178,6 @@ static const unsigned long goodix_irq_flags[] = {
 	IRQ_TYPE_LEVEL_HIGH,
 };
 
-/*
- * Those tablets have their coordinates origin at the bottom right
- * of the tablet, as if rotated 180 degrees
- */
-static const struct dmi_system_id rotated_screen[] = {
-#if defined(CONFIG_DMI) && defined(CONFIG_X86)
-	{
-		.ident = "Teclast X89",
-		.matches = {
-			/* tPAD is too generic, also match on bios date */
-			DMI_MATCH(DMI_BOARD_VENDOR, "TECLAST"),
-			DMI_MATCH(DMI_BOARD_NAME, "tPAD"),
-			DMI_MATCH(DMI_BIOS_DATE, "12/19/2014"),
-		},
-	},
-	{
-		.ident = "Teclast X98 Pro",
-		.matches = {
-			/*
-			 * Only match BIOS date, because the manufacturers
-			 * BIOS does not report the board name at all
-			 * (sometimes)...
-			 */
-			DMI_MATCH(DMI_BOARD_VENDOR, "TECLAST"),
-			DMI_MATCH(DMI_BIOS_DATE, "10/28/2015"),
-		},
-	},
-	{
-		.ident = "WinBook TW100",
-		.matches = {
-			DMI_MATCH(DMI_SYS_VENDOR, "WinBook"),
-			DMI_MATCH(DMI_PRODUCT_NAME, "TW100")
-		}
-	},
-	{
-		.ident = "WinBook TW700",
-		.matches = {
-			DMI_MATCH(DMI_SYS_VENDOR, "WinBook"),
-			DMI_MATCH(DMI_PRODUCT_NAME, "TW700")
-		},
-	},
-#endif
-	{}
-};
-
 static const struct dmi_system_id nine_bytes_report[] = {
 #if defined(CONFIG_DMI) && defined(CONFIG_X86)
 	{
@@ -1121,13 +1076,6 @@ static int goodix_configure_dev(struct goodix_ts_data *ts)
 				  ABS_MT_POSITION_Y, ts->prop.max_y);
 	}
 
-	if (dmi_check_system(rotated_screen)) {
-		ts->prop.invert_x = true;
-		ts->prop.invert_y = true;
-		dev_dbg(&ts->client->dev,
-			"Applying '180 degrees rotated screen' quirk\n");
-	}
-
 	if (dmi_check_system(nine_bytes_report)) {
 		ts->contact_size = 9;
 
diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c
index 3743d895399e..e52ff09b81de 100644
--- a/drivers/platform/x86/touchscreen_dmi.c
+++ b/drivers/platform/x86/touchscreen_dmi.c
@@ -299,6 +299,23 @@ static const struct ts_dmi_data estar_beauty_hd_data = {
 	.properties	= estar_beauty_hd_props,
 };
 
+/* Generic props + data for upside-down mounted GDIX1001 touchscreens */
+static const struct property_entry gdix1001_upside_down_props[] = {
+	PROPERTY_ENTRY_BOOL("touchscreen-inverted-x"),
+	PROPERTY_ENTRY_BOOL("touchscreen-inverted-y"),
+	{ }
+};
+
+static const struct ts_dmi_data gdix1001_00_upside_down_data = {
+	.acpi_name	= "GDIX1001:00",
+	.properties	= gdix1001_upside_down_props,
+};
+
+static const struct ts_dmi_data gdix1001_01_upside_down_data = {
+	.acpi_name	= "GDIX1001:01",
+	.properties	= gdix1001_upside_down_props,
+};
+
 static const struct property_entry gp_electronic_t701_props[] = {
 	PROPERTY_ENTRY_U32("touchscreen-size-x", 960),
 	PROPERTY_ENTRY_U32("touchscreen-size-y", 640),
@@ -1268,6 +1285,16 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
 			DMI_MATCH(DMI_BOARD_NAME, "X3 Plus"),
 		},
 	},
+	{
+		/* Teclast X89 (Windows version / BIOS) */
+		.driver_data = (void *)&gdix1001_01_upside_down_data,
+		.matches = {
+			/* tPAD is too generic, also match on bios date */
+			DMI_MATCH(DMI_BOARD_VENDOR, "TECLAST"),
+			DMI_MATCH(DMI_BOARD_NAME, "tPAD"),
+			DMI_MATCH(DMI_BIOS_DATE, "12/19/2014"),
+		},
+	},
 	{
 		/* Teclast X98 Plus II */
 		.driver_data = (void *)&teclast_x98plus2_data,
@@ -1276,6 +1303,19 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
 			DMI_MATCH(DMI_PRODUCT_NAME, "X98 Plus II"),
 		},
 	},
+	{
+		/* Teclast X98 Pro */
+		.driver_data = (void *)&gdix1001_00_upside_down_data,
+		.matches = {
+			/*
+			 * Only match BIOS date, because the manufacturers
+			 * BIOS does not report the board name at all
+			 * (sometimes)...
+			 */
+			DMI_MATCH(DMI_BOARD_VENDOR, "TECLAST"),
+			DMI_MATCH(DMI_BIOS_DATE, "10/28/2015"),
+		},
+	},
 	{
 		/* Trekstor Primebook C11 */
 		.driver_data = (void *)&trekstor_primebook_c11_data,
@@ -1351,6 +1391,22 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
 			DMI_MATCH(DMI_PRODUCT_NAME, "VINGA Twizzle J116"),
 		},
 	},
+	{
+		/* "WinBook TW100" */
+		.driver_data = (void *)&gdix1001_00_upside_down_data,
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "WinBook"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "TW100")
+		}
+	},
+	{
+		/* WinBook TW700 */
+		.driver_data = (void *)&gdix1001_00_upside_down_data,
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "WinBook"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "TW700")
+		},
+	},
 	{
 		/* Yours Y8W81, same case and touchscreen as Chuwi Vi8 */
 		.driver_data = (void *)&chuwi_vi8_data,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 174/593] platform/x86: touchscreen_dmi: Add an extra entry for the upside down Goodix touchscreen on Teclast X89 tablets
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 173/593] Input: goodix - platform/x86: touchscreen_dmi - Move upside down quirks to touchscreen_dmi.c Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 175/593] platform/x86: touchscreen_dmi: Add info for the Goodix GT912 panel of TM800A550L tablets Greg Kroah-Hartman
                   ` (423 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit a22e3803f2a4d947ff0083a9448a169269ea0f62 ]

Teclast X89 tablets come in 2 versions, with Windows pre-installed and with
Android pre-installed. These 2 versions have different DMI strings.

Add a match for the DMI strings used by the Android version BIOS.

Note the Android version BIOS has a bug in the DSDT where no IRQ is
provided, so for the touchscreen to work a DSDT override fixing this
is necessary as well.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20210504185746.175461-4-hdegoede@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/platform/x86/touchscreen_dmi.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c
index e52ff09b81de..ebae21b78327 100644
--- a/drivers/platform/x86/touchscreen_dmi.c
+++ b/drivers/platform/x86/touchscreen_dmi.c
@@ -1285,6 +1285,14 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
 			DMI_MATCH(DMI_BOARD_NAME, "X3 Plus"),
 		},
 	},
+	{
+		/* Teclast X89 (Android version / BIOS) */
+		.driver_data = (void *)&gdix1001_00_upside_down_data,
+		.matches = {
+			DMI_MATCH(DMI_BOARD_VENDOR, "WISKY"),
+			DMI_MATCH(DMI_BOARD_NAME, "3G062i"),
+		},
+	},
 	{
 		/* Teclast X89 (Windows version / BIOS) */
 		.driver_data = (void *)&gdix1001_01_upside_down_data,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 175/593] platform/x86: touchscreen_dmi: Add info for the Goodix GT912 panel of TM800A550L tablets
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 174/593] platform/x86: touchscreen_dmi: Add an extra entry for the upside down Goodix touchscreen on Teclast X89 tablets Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 176/593] ACPI: EC: Make more Asus laptops use ECDT _GPE Greg Kroah-Hartman
                   ` (422 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bastien Nocera, Hans de Goede, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit fcd8cf0e3e48f4c66af82c8e799c37cb0cccffe0 ]

The Bay Trail Glavey TM800A550L tablet, which ships with Android installed
from the factory, uses a GT912 touchscreen controller which needs to have
its firmware uploaded by the OS to work (this is a first for a x86 based
device with a Goodix touchscreen controller).

Add a touchscreen_dmi entry for this which specifies the filenames
to use for the firmware and config files needed for this.

Note this matches on a GDIX1001 ACPI HID, while the original DSDT uses
a HID of GODX0911. For the touchscreen to work on these devices a DSDT
override is necessary to fix a missing IRQ and broken GPIO settings in
the ACPI-resources for the touchscreen. This override also changes the
HID to the standard GDIX1001 id typically used for Goodix touchscreens.
The DSDT override is available here:
https://fedorapeople.org/~jwrdegoede/glavey-tm800a550l-dsdt-override/

Reviewed-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20210504185746.175461-5-hdegoede@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/platform/x86/touchscreen_dmi.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c
index ebae21b78327..99260915122c 100644
--- a/drivers/platform/x86/touchscreen_dmi.c
+++ b/drivers/platform/x86/touchscreen_dmi.c
@@ -316,6 +316,18 @@ static const struct ts_dmi_data gdix1001_01_upside_down_data = {
 	.properties	= gdix1001_upside_down_props,
 };
 
+static const struct property_entry glavey_tm800a550l_props[] = {
+	PROPERTY_ENTRY_STRING("firmware-name", "gt912-glavey-tm800a550l.fw"),
+	PROPERTY_ENTRY_STRING("goodix,config-name", "gt912-glavey-tm800a550l.cfg"),
+	PROPERTY_ENTRY_U32("goodix,main-clk", 54),
+	{ }
+};
+
+static const struct ts_dmi_data glavey_tm800a550l_data = {
+	.acpi_name	= "GDIX1001:00",
+	.properties	= glavey_tm800a550l_props,
+};
+
 static const struct property_entry gp_electronic_t701_props[] = {
 	PROPERTY_ENTRY_U32("touchscreen-size-x", 960),
 	PROPERTY_ENTRY_U32("touchscreen-size-y", 640),
@@ -1012,6 +1024,15 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
 			DMI_MATCH(DMI_PRODUCT_NAME, "eSTAR BEAUTY HD Intel Quad core"),
 		},
 	},
+	{	/* Glavey TM800A550L */
+		.driver_data = (void *)&glavey_tm800a550l_data,
+		.matches = {
+			DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
+			DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"),
+			/* Above strings are too generic, also match on BIOS version */
+			DMI_MATCH(DMI_BIOS_VERSION, "ZY-8-BI-PX4S70VTR400-X423B-005-D"),
+		},
+	},
 	{
 		/* GP-electronic T701 */
 		.driver_data = (void *)&gp_electronic_t701_data,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 176/593] ACPI: EC: Make more Asus laptops use ECDT _GPE
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 175/593] platform/x86: touchscreen_dmi: Add info for the Goodix GT912 panel of TM800A550L tablets Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 177/593] block_dump: remove block_dump feature in mark_inode_dirty() Greg Kroah-Hartman
                   ` (421 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Chiu, Jian-Hong Pan,
	Rafael J. Wysocki, Sasha Levin

From: Chris Chiu <chris.chiu@canonical.com>

[ Upstream commit 6306f0431914beaf220634ad36c08234006571d5 ]

More ASUS laptops have the _GPE define in the DSDT table with a
different value than the _GPE number in the ECDT.

This is causing media keys not working on ASUS X505BA/BP, X542BA/BP

Add model info to the quirks list.

Signed-off-by: Chris Chiu <chris.chiu@canonical.com>
Signed-off-by: Jian-Hong Pan <jhp@endlessos.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/ec.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index e0cb1bcfffb2..32f3b6d268f5 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -1859,6 +1859,22 @@ static const struct dmi_system_id ec_dmi_table[] __initconst = {
 	DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
 	DMI_MATCH(DMI_PRODUCT_NAME, "GL702VMK"),}, NULL},
 	{
+	ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X505BA", {
+	DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+	DMI_MATCH(DMI_PRODUCT_NAME, "X505BA"),}, NULL},
+	{
+	ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X505BP", {
+	DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+	DMI_MATCH(DMI_PRODUCT_NAME, "X505BP"),}, NULL},
+	{
+	ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X542BA", {
+	DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+	DMI_MATCH(DMI_PRODUCT_NAME, "X542BA"),}, NULL},
+	{
+	ec_honor_ecdt_gpe, "ASUSTeK COMPUTER INC. X542BP", {
+	DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+	DMI_MATCH(DMI_PRODUCT_NAME, "X542BP"),}, NULL},
+	{
 	ec_honor_ecdt_gpe, "ASUS X550VXK", {
 	DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
 	DMI_MATCH(DMI_PRODUCT_NAME, "X550VXK"),}, NULL},
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 177/593] block_dump: remove block_dump feature in mark_inode_dirty()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 176/593] ACPI: EC: Make more Asus laptops use ECDT _GPE Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 178/593] blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter Greg Kroah-Hartman
                   ` (420 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, zhangyi (F),
	Jan Kara, Christoph Hellwig, Jens Axboe, Sasha Levin

From: zhangyi (F) <yi.zhang@huawei.com>

[ Upstream commit 12e0613715e1cf305fffafaf0e89d810d9a85cc0 ]

block_dump is an old debugging interface, one of it's functions is used
to print the information about who write which file on disk. If we
enable block_dump through /proc/sys/vm/block_dump and turn on debug log
level, we can gather information about write process name, target file
name and disk from kernel message. This feature is realized in
block_dump___mark_inode_dirty(), it print above information into kernel
message directly when marking inode dirty, so it is noisy and can easily
trigger log storm. At the same time, get the dentry refcount is also not
safe, we found it will lead to deadlock on ext4 file system with
data=journal mode.

After tracepoints has been introduced into the kernel, we got a
tracepoint in __mark_inode_dirty(), which is a better replacement of
block_dump___mark_inode_dirty(). The only downside is that it only trace
the inode number and not a file name, but it probably doesn't matter
because the original printed file name in block_dump is not accurate in
some cases, and we can still find it through the inode number and device
id. So this patch delete the dirting inode part of block_dump feature.

Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20210313030146.2882027-2-yi.zhang@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/fs-writeback.c | 25 -------------------------
 1 file changed, 25 deletions(-)

diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index 90dddb507e4a..0d0f014b09ec 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -2196,28 +2196,6 @@ int dirtytime_interval_handler(struct ctl_table *table, int write,
 	return ret;
 }
 
-static noinline void block_dump___mark_inode_dirty(struct inode *inode)
-{
-	if (inode->i_ino || strcmp(inode->i_sb->s_id, "bdev")) {
-		struct dentry *dentry;
-		const char *name = "?";
-
-		dentry = d_find_alias(inode);
-		if (dentry) {
-			spin_lock(&dentry->d_lock);
-			name = (const char *) dentry->d_name.name;
-		}
-		printk(KERN_DEBUG
-		       "%s(%d): dirtied inode %lu (%s) on %s\n",
-		       current->comm, task_pid_nr(current), inode->i_ino,
-		       name, inode->i_sb->s_id);
-		if (dentry) {
-			spin_unlock(&dentry->d_lock);
-			dput(dentry);
-		}
-	}
-}
-
 /**
  * __mark_inode_dirty -	internal function
  *
@@ -2277,9 +2255,6 @@ void __mark_inode_dirty(struct inode *inode, int flags)
 	    (dirtytime && (inode->i_state & I_DIRTY_INODE)))
 		return;
 
-	if (unlikely(block_dump))
-		block_dump___mark_inode_dirty(inode);
-
 	spin_lock(&inode->i_lock);
 	if (dirtytime && (inode->i_state & I_DIRTY_INODE))
 		goto out_unlock_inode;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 178/593] blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 177/593] block_dump: remove block_dump feature in mark_inode_dirty() Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 179/593] blk-mq: clear stale request in tags->rq[] before freeing one request pool Greg Kroah-Hartman
                   ` (419 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Garry, Christoph Hellwig,
	Bart Van Assche, Ming Lei, Jens Axboe, Sasha Levin

From: Ming Lei <ming.lei@redhat.com>

[ Upstream commit 2e315dc07df009c3e29d6926871f62a30cfae394 ]

Grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter(), and
this way will prevent the request from being re-used when ->fn is
running. The approach is same as what we do during handling timeout.

Fix request use-after-free(UAF) related with completion race or queue
releasing:

- If one rq is referred before rq->q is frozen, then queue won't be
frozen before the request is released during iteration.

- If one rq is referred after rq->q is frozen, refcount_inc_not_zero()
will return false, and we won't iterate over this request.

However, still one request UAF not covered: refcount_inc_not_zero() may
read one freed request, and it will be handled in next patch.

Tested-by: John Garry <john.garry@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20210511152236.763464-3-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-mq-tag.c | 44 +++++++++++++++++++++++++++++++++-----------
 block/blk-mq.c     | 14 +++++++++-----
 block/blk-mq.h     |  1 +
 3 files changed, 43 insertions(+), 16 deletions(-)

diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
index 9c92053e704d..6772c3728865 100644
--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -199,6 +199,16 @@ struct bt_iter_data {
 	bool reserved;
 };
 
+static struct request *blk_mq_find_and_get_req(struct blk_mq_tags *tags,
+		unsigned int bitnr)
+{
+	struct request *rq = tags->rqs[bitnr];
+
+	if (!rq || !refcount_inc_not_zero(&rq->ref))
+		return NULL;
+	return rq;
+}
+
 static bool bt_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
 {
 	struct bt_iter_data *iter_data = data;
@@ -206,18 +216,22 @@ static bool bt_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
 	struct blk_mq_tags *tags = hctx->tags;
 	bool reserved = iter_data->reserved;
 	struct request *rq;
+	bool ret = true;
 
 	if (!reserved)
 		bitnr += tags->nr_reserved_tags;
-	rq = tags->rqs[bitnr];
-
 	/*
 	 * We can hit rq == NULL here, because the tagging functions
 	 * test and set the bit before assigning ->rqs[].
 	 */
-	if (rq && rq->q == hctx->queue && rq->mq_hctx == hctx)
-		return iter_data->fn(hctx, rq, iter_data->data, reserved);
-	return true;
+	rq = blk_mq_find_and_get_req(tags, bitnr);
+	if (!rq)
+		return true;
+
+	if (rq->q == hctx->queue && rq->mq_hctx == hctx)
+		ret = iter_data->fn(hctx, rq, iter_data->data, reserved);
+	blk_mq_put_rq_ref(rq);
+	return ret;
 }
 
 /**
@@ -264,6 +278,8 @@ static bool bt_tags_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
 	struct blk_mq_tags *tags = iter_data->tags;
 	bool reserved = iter_data->flags & BT_TAG_ITER_RESERVED;
 	struct request *rq;
+	bool ret = true;
+	bool iter_static_rqs = !!(iter_data->flags & BT_TAG_ITER_STATIC_RQS);
 
 	if (!reserved)
 		bitnr += tags->nr_reserved_tags;
@@ -272,16 +288,19 @@ static bool bt_tags_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
 	 * We can hit rq == NULL here, because the tagging functions
 	 * test and set the bit before assigning ->rqs[].
 	 */
-	if (iter_data->flags & BT_TAG_ITER_STATIC_RQS)
+	if (iter_static_rqs)
 		rq = tags->static_rqs[bitnr];
 	else
-		rq = tags->rqs[bitnr];
+		rq = blk_mq_find_and_get_req(tags, bitnr);
 	if (!rq)
 		return true;
-	if ((iter_data->flags & BT_TAG_ITER_STARTED) &&
-	    !blk_mq_request_started(rq))
-		return true;
-	return iter_data->fn(rq, iter_data->data, reserved);
+
+	if (!(iter_data->flags & BT_TAG_ITER_STARTED) ||
+	    blk_mq_request_started(rq))
+		ret = iter_data->fn(rq, iter_data->data, reserved);
+	if (!iter_static_rqs)
+		blk_mq_put_rq_ref(rq);
+	return ret;
 }
 
 /**
@@ -348,6 +367,9 @@ void blk_mq_all_tag_iter(struct blk_mq_tags *tags, busy_tag_iter_fn *fn,
  *		indicates whether or not @rq is a reserved request. Return
  *		true to continue iterating tags, false to stop.
  * @priv:	Will be passed as second argument to @fn.
+ *
+ * We grab one request reference before calling @fn and release it after
+ * @fn returns.
  */
 void blk_mq_tagset_busy_iter(struct blk_mq_tag_set *tagset,
 		busy_tag_iter_fn *fn, void *priv)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 4bf9449b4586..50d3527a5d97 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -927,6 +927,14 @@ static bool blk_mq_req_expired(struct request *rq, unsigned long *next)
 	return false;
 }
 
+void blk_mq_put_rq_ref(struct request *rq)
+{
+	if (is_flush_rq(rq, rq->mq_hctx))
+		rq->end_io(rq, 0);
+	else if (refcount_dec_and_test(&rq->ref))
+		__blk_mq_free_request(rq);
+}
+
 static bool blk_mq_check_expired(struct blk_mq_hw_ctx *hctx,
 		struct request *rq, void *priv, bool reserved)
 {
@@ -960,11 +968,7 @@ static bool blk_mq_check_expired(struct blk_mq_hw_ctx *hctx,
 	if (blk_mq_req_expired(rq, next))
 		blk_mq_rq_timed_out(rq, reserved);
 
-	if (is_flush_rq(rq, hctx))
-		rq->end_io(rq, 0);
-	else if (refcount_dec_and_test(&rq->ref))
-		__blk_mq_free_request(rq);
-
+	blk_mq_put_rq_ref(rq);
 	return true;
 }
 
diff --git a/block/blk-mq.h b/block/blk-mq.h
index d2359f7cfd5f..f792a0920ebb 100644
--- a/block/blk-mq.h
+++ b/block/blk-mq.h
@@ -47,6 +47,7 @@ void blk_mq_add_to_requeue_list(struct request *rq, bool at_head,
 void blk_mq_flush_busy_ctxs(struct blk_mq_hw_ctx *hctx, struct list_head *list);
 struct request *blk_mq_dequeue_from_ctx(struct blk_mq_hw_ctx *hctx,
 					struct blk_mq_ctx *start);
+void blk_mq_put_rq_ref(struct request *rq);
 
 /*
  * Internal helpers for allocating/freeing the request map
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 179/593] blk-mq: clear stale request in tags->rq[] before freeing one request pool
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 178/593] blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 180/593] fs: dlm: cancel work sync othercon Greg Kroah-Hartman
                   ` (418 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Garry, David Jeffery,
	Bart Van Assche, Ming Lei, Jens Axboe, Sasha Levin

From: Ming Lei <ming.lei@redhat.com>

[ Upstream commit bd63141d585bef14f4caf111f6d0e27fe2300ec6 ]

refcount_inc_not_zero() in bt_tags_iter() still may read one freed
request.

Fix the issue by the following approach:

1) hold a per-tags spinlock when reading ->rqs[tag] and calling
refcount_inc_not_zero in bt_tags_iter()

2) clearing stale request referred via ->rqs[tag] before freeing
request pool, the per-tags spinlock is held for clearing stale
->rq[tag]

So after we cleared stale requests, bt_tags_iter() won't observe
freed request any more, also the clearing will wait for pending
request reference.

The idea of clearing ->rqs[] is borrowed from John Garry's previous
patch and one recent David's patch.

Tested-by: John Garry <john.garry@huawei.com>
Reviewed-by: David Jeffery <djeffery@redhat.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20210511152236.763464-4-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-mq-tag.c |  9 +++++++--
 block/blk-mq-tag.h |  6 ++++++
 block/blk-mq.c     | 46 +++++++++++++++++++++++++++++++++++++++++-----
 3 files changed, 54 insertions(+), 7 deletions(-)

diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
index 6772c3728865..c4f2f6c123ae 100644
--- a/block/blk-mq-tag.c
+++ b/block/blk-mq-tag.c
@@ -202,10 +202,14 @@ struct bt_iter_data {
 static struct request *blk_mq_find_and_get_req(struct blk_mq_tags *tags,
 		unsigned int bitnr)
 {
-	struct request *rq = tags->rqs[bitnr];
+	struct request *rq;
+	unsigned long flags;
 
+	spin_lock_irqsave(&tags->lock, flags);
+	rq = tags->rqs[bitnr];
 	if (!rq || !refcount_inc_not_zero(&rq->ref))
-		return NULL;
+		rq = NULL;
+	spin_unlock_irqrestore(&tags->lock, flags);
 	return rq;
 }
 
@@ -538,6 +542,7 @@ struct blk_mq_tags *blk_mq_init_tags(unsigned int total_tags,
 
 	tags->nr_tags = total_tags;
 	tags->nr_reserved_tags = reserved_tags;
+	spin_lock_init(&tags->lock);
 
 	if (flags & BLK_MQ_F_TAG_HCTX_SHARED)
 		return tags;
diff --git a/block/blk-mq-tag.h b/block/blk-mq-tag.h
index 7d3e6b333a4a..f887988e5ef6 100644
--- a/block/blk-mq-tag.h
+++ b/block/blk-mq-tag.h
@@ -20,6 +20,12 @@ struct blk_mq_tags {
 	struct request **rqs;
 	struct request **static_rqs;
 	struct list_head page_list;
+
+	/*
+	 * used to clear request reference in rqs[] before freeing one
+	 * request pool
+	 */
+	spinlock_t lock;
 };
 
 extern struct blk_mq_tags *blk_mq_init_tags(unsigned int nr_tags,
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 50d3527a5d97..00d6ed2fe812 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -2276,6 +2276,45 @@ queue_exit:
 	return BLK_QC_T_NONE;
 }
 
+static size_t order_to_size(unsigned int order)
+{
+	return (size_t)PAGE_SIZE << order;
+}
+
+/* called before freeing request pool in @tags */
+static void blk_mq_clear_rq_mapping(struct blk_mq_tag_set *set,
+		struct blk_mq_tags *tags, unsigned int hctx_idx)
+{
+	struct blk_mq_tags *drv_tags = set->tags[hctx_idx];
+	struct page *page;
+	unsigned long flags;
+
+	list_for_each_entry(page, &tags->page_list, lru) {
+		unsigned long start = (unsigned long)page_address(page);
+		unsigned long end = start + order_to_size(page->private);
+		int i;
+
+		for (i = 0; i < set->queue_depth; i++) {
+			struct request *rq = drv_tags->rqs[i];
+			unsigned long rq_addr = (unsigned long)rq;
+
+			if (rq_addr >= start && rq_addr < end) {
+				WARN_ON_ONCE(refcount_read(&rq->ref) != 0);
+				cmpxchg(&drv_tags->rqs[i], rq, NULL);
+			}
+		}
+	}
+
+	/*
+	 * Wait until all pending iteration is done.
+	 *
+	 * Request reference is cleared and it is guaranteed to be observed
+	 * after the ->lock is released.
+	 */
+	spin_lock_irqsave(&drv_tags->lock, flags);
+	spin_unlock_irqrestore(&drv_tags->lock, flags);
+}
+
 void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
 		     unsigned int hctx_idx)
 {
@@ -2294,6 +2333,8 @@ void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
 		}
 	}
 
+	blk_mq_clear_rq_mapping(set, tags, hctx_idx);
+
 	while (!list_empty(&tags->page_list)) {
 		page = list_first_entry(&tags->page_list, struct page, lru);
 		list_del_init(&page->lru);
@@ -2353,11 +2394,6 @@ struct blk_mq_tags *blk_mq_alloc_rq_map(struct blk_mq_tag_set *set,
 	return tags;
 }
 
-static size_t order_to_size(unsigned int order)
-{
-	return (size_t)PAGE_SIZE << order;
-}
-
 static int blk_mq_init_request(struct blk_mq_tag_set *set, struct request *rq,
 			       unsigned int hctx_idx, int node)
 {
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 180/593] fs: dlm: cancel work sync othercon
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 179/593] blk-mq: clear stale request in tags->rq[] before freeing one request pool Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 181/593] random32: Fix implicit truncation warning in prandom_seed_state() Greg Kroah-Hartman
                   ` (417 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Aring, David Teigland, Sasha Levin

From: Alexander Aring <aahringo@redhat.com>

[ Upstream commit c6aa00e3d20c2767ba3f57b64eb862572b9744b3 ]

These rx tx flags arguments are for signaling close_connection() from
which worker they are called. Obviously the receive worker cannot cancel
itself and vice versa for swork. For the othercon the receive worker
should only be used, however to avoid deadlocks we should pass the same
flags as the original close_connection() was called.

Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/lowcomms.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
index 44e2716ac158..0c78fdfb1f6f 100644
--- a/fs/dlm/lowcomms.c
+++ b/fs/dlm/lowcomms.c
@@ -599,7 +599,7 @@ static void close_connection(struct connection *con, bool and_other,
 	}
 	if (con->othercon && and_other) {
 		/* Will only re-enter once. */
-		close_connection(con->othercon, false, true, true);
+		close_connection(con->othercon, false, tx, rx);
 	}
 
 	con->rx_leftover = 0;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 181/593] random32: Fix implicit truncation warning in prandom_seed_state()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 180/593] fs: dlm: cancel work sync othercon Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 182/593] open: dont silently ignore unknown O-flags in openat2() Greg Kroah-Hartman
                   ` (416 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Richard Fitzgerald, Petr Mladek, Sasha Levin

From: Richard Fitzgerald <rf@opensource.cirrus.com>

[ Upstream commit d327ea15a305024ef0085252fa3657bbb1ce25f5 ]

sparse generates the following warning:

 include/linux/prandom.h:114:45: sparse: sparse: cast truncates bits from
 constant value

This is because the 64-bit seed value is manipulated and then placed in a
u32, causing an implicit cast and truncation. A forced cast to u32 doesn't
prevent this warning, which is reasonable because a typecast doesn't prove
that truncation was expected.

Logical-AND the value with 0xffffffff to make explicit that truncation to
32-bit is intended.

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/20210525122012.6336-3-rf@opensource.cirrus.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/prandom.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/prandom.h b/include/linux/prandom.h
index bbf4b4ad61df..056d31317e49 100644
--- a/include/linux/prandom.h
+++ b/include/linux/prandom.h
@@ -111,7 +111,7 @@ static inline u32 __seed(u32 x, u32 m)
  */
 static inline void prandom_seed_state(struct rnd_state *state, u64 seed)
 {
-	u32 i = (seed >> 32) ^ (seed << 10) ^ seed;
+	u32 i = ((seed >> 32) ^ (seed << 10) ^ seed) & 0xffffffffUL;
 
 	state->s1 = __seed(i,   2U);
 	state->s2 = __seed(i,   8U);
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 182/593] open: dont silently ignore unknown O-flags in openat2()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 181/593] random32: Fix implicit truncation warning in prandom_seed_state() Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 183/593] drivers: hv: Fix missing error code in vmbus_connect() Greg Kroah-Hartman
                   ` (415 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Aleksa Sarai,
	Al Viro, linux-fsdevel, Richard Guy Briggs, Christian Brauner,
	Sasha Levin

From: Christian Brauner <christian.brauner@ubuntu.com>

[ Upstream commit cfe80306a0dd6d363934913e47c3f30d71b721e5 ]

The new openat2() syscall verifies that no unknown O-flag values are
set and returns an error to userspace if they are while the older open
syscalls like open() and openat() simply ignore unknown flag values:

  #define O_FLAG_CURRENTLY_INVALID (1 << 31)
  struct open_how how = {
          .flags = O_RDONLY | O_FLAG_CURRENTLY_INVALID,
          .resolve = 0,
  };

  /* fails */
  fd = openat2(-EBADF, "/dev/null", &how, sizeof(how));

  /* succeeds */
  fd = openat(-EBADF, "/dev/null", O_RDONLY | O_FLAG_CURRENTLY_INVALID);

However, openat2() silently truncates the upper 32 bits meaning:

  #define O_FLAG_CURRENTLY_INVALID_LOWER32 (1 << 31)
  #define O_FLAG_CURRENTLY_INVALID_UPPER32 (1 << 40)

  struct open_how how_lowe32 = {
          .flags = O_RDONLY | O_FLAG_CURRENTLY_INVALID_LOWER32,
  };

  struct open_how how_upper32 = {
          .flags = O_RDONLY | O_FLAG_CURRENTLY_INVALID_UPPER32,
  };

  /* fails */
  fd = openat2(-EBADF, "/dev/null", &how_lower32, sizeof(how_lower32));

  /* succeeds */
  fd = openat2(-EBADF, "/dev/null", &how_upper32, sizeof(how_upper32));

Fix this by preventing the immediate truncation in build_open_flags().

There's a snafu here though stripping FMODE_* directly from flags would
cause the upper 32 bits to be truncated as well due to integer promotion
rules since FMODE_* is unsigned int, O_* are signed ints (yuck).

In addition, struct open_flags currently defines flags to be 32 bit
which is reasonable. If we simply were to bump it to 64 bit we would
need to change a lot of code preemptively which doesn't seem worth it.
So simply add a compile-time check verifying that all currently known
O_* flags are within the 32 bit range and fail to build if they aren't
anymore.

This change shouldn't regress old open syscalls since they silently
truncate any unknown values anyway. It is a tiny semantic change for
openat2() but it is very unlikely people pass ing > 32 bit unknown flags
and the syscall is relatively new too.

Link: https://lore.kernel.org/r/20210528092417.3942079-3-brauner@kernel.org
Cc: Christoph Hellwig <hch@lst.de>
Cc: Aleksa Sarai <cyphar@cyphar.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Reported-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/open.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/fs/open.c b/fs/open.c
index 4d7537ae59df..3aaaad47d9ca 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -993,12 +993,20 @@ inline struct open_how build_open_how(int flags, umode_t mode)
 
 inline int build_open_flags(const struct open_how *how, struct open_flags *op)
 {
-	int flags = how->flags;
+	u64 flags = how->flags;
+	u64 strip = FMODE_NONOTIFY | O_CLOEXEC;
 	int lookup_flags = 0;
 	int acc_mode = ACC_MODE(flags);
 
-	/* Must never be set by userspace */
-	flags &= ~(FMODE_NONOTIFY | O_CLOEXEC);
+	BUILD_BUG_ON_MSG(upper_32_bits(VALID_OPEN_FLAGS),
+			 "struct open_flags doesn't yet handle flags > 32 bits");
+
+	/*
+	 * Strip flags that either shouldn't be set by userspace like
+	 * FMODE_NONOTIFY or that aren't relevant in determining struct
+	 * open_flags like O_CLOEXEC.
+	 */
+	flags &= ~strip;
 
 	/*
 	 * Older syscalls implicitly clear all of the invalid flags or argument
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 183/593] drivers: hv: Fix missing error code in vmbus_connect()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 182/593] open: dont silently ignore unknown O-flags in openat2() Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 184/593] fs: dlm: fix memory leak when fenced Greg Kroah-Hartman
                   ` (414 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Abaci Robot, Jiapeng Chong,
	Michael Kelley, Wei Liu, Sasha Levin

From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>

[ Upstream commit 9de6655cc5a6a1febc514465c87c24a0e96d8dba ]

Eliminate the follow smatch warning:

drivers/hv/connection.c:236 vmbus_connect() warn: missing error code
'ret'.

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/1621940321-72353-1-git-send-email-jiapeng.chong@linux.alibaba.com
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hv/connection.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/hv/connection.c b/drivers/hv/connection.c
index 11170d9a2e1a..bfd7f00a59ec 100644
--- a/drivers/hv/connection.c
+++ b/drivers/hv/connection.c
@@ -229,8 +229,10 @@ int vmbus_connect(void)
 	 */
 
 	for (i = 0; ; i++) {
-		if (i == ARRAY_SIZE(vmbus_versions))
+		if (i == ARRAY_SIZE(vmbus_versions)) {
+			ret = -EDOM;
 			goto cleanup;
+		}
 
 		version = vmbus_versions[i];
 		if (version > max_version)
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 184/593] fs: dlm: fix memory leak when fenced
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 183/593] drivers: hv: Fix missing error code in vmbus_connect() Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 185/593] ACPICA: Fix memory leak caused by _CID repair function Greg Kroah-Hartman
                   ` (413 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Aring, David Teigland, Sasha Levin

From: Alexander Aring <aahringo@redhat.com>

[ Upstream commit 700ab1c363c7b54c9ea3222379b33fc00ab02f7b ]

I got some kmemleak report when a node was fenced. The user space tool
dlm_controld will therefore run some rmdir() in dlm configfs which was
triggering some memleaks. This patch stores the sps and cms attributes
which stores some handling for subdirectories of the configfs cluster
entry and free them if they get released as the parent directory gets
freed.

unreferenced object 0xffff88810d9e3e00 (size 192):
  comm "dlm_controld", pid 342, jiffies 4294698126 (age 55438.801s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 73 70 61 63 65 73 00 00  ........spaces..
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000db8b640b>] make_cluster+0x5d/0x360
    [<000000006a571db4>] configfs_mkdir+0x274/0x730
    [<00000000b094501c>] vfs_mkdir+0x27e/0x340
    [<0000000058b0adaf>] do_mkdirat+0xff/0x1b0
    [<00000000d1ffd156>] do_syscall_64+0x40/0x80
    [<00000000ab1408c8>] entry_SYSCALL_64_after_hwframe+0x44/0xae
unreferenced object 0xffff88810d9e3a00 (size 192):
  comm "dlm_controld", pid 342, jiffies 4294698126 (age 55438.801s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 63 6f 6d 6d 73 00 00 00  ........comms...
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000a7ef6ad2>] make_cluster+0x82/0x360
    [<000000006a571db4>] configfs_mkdir+0x274/0x730
    [<00000000b094501c>] vfs_mkdir+0x27e/0x340
    [<0000000058b0adaf>] do_mkdirat+0xff/0x1b0
    [<00000000d1ffd156>] do_syscall_64+0x40/0x80
    [<00000000ab1408c8>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/config.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fs/dlm/config.c b/fs/dlm/config.c
index 73e6643903af..18a8ffcea0aa 100644
--- a/fs/dlm/config.c
+++ b/fs/dlm/config.c
@@ -79,6 +79,9 @@ struct dlm_cluster {
 	unsigned int cl_new_rsb_count;
 	unsigned int cl_recover_callbacks;
 	char cl_cluster_name[DLM_LOCKSPACE_LEN];
+
+	struct dlm_spaces *sps;
+	struct dlm_comms *cms;
 };
 
 static struct dlm_cluster *config_item_to_cluster(struct config_item *i)
@@ -379,6 +382,9 @@ static struct config_group *make_cluster(struct config_group *g,
 	if (!cl || !sps || !cms)
 		goto fail;
 
+	cl->sps = sps;
+	cl->cms = cms;
+
 	config_group_init_type_name(&cl->group, name, &cluster_type);
 	config_group_init_type_name(&sps->ss_group, "spaces", &spaces_type);
 	config_group_init_type_name(&cms->cs_group, "comms", &comms_type);
@@ -428,6 +434,9 @@ static void drop_cluster(struct config_group *g, struct config_item *i)
 static void release_cluster(struct config_item *i)
 {
 	struct dlm_cluster *cl = config_item_to_cluster(i);
+
+	kfree(cl->sps);
+	kfree(cl->cms);
 	kfree(cl);
 }
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 185/593] ACPICA: Fix memory leak caused by _CID repair function
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 184/593] fs: dlm: fix memory leak when fenced Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 186/593] ACPI: bus: Call kobject_put() in acpi_init() error path Greg Kroah-Hartman
                   ` (412 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shawn Guo, Erik Kaneda, Bob Moore,
	Rafael J. Wysocki, Sasha Levin

From: Erik Kaneda <erik.kaneda@intel.com>

[ Upstream commit c27bac0314131b11bccd735f7e8415ac6444b667 ]

ACPICA commit 180cb53963aa876c782a6f52cc155d951b26051a

According to the ACPI spec, _CID returns a package containing
hardware ID's. Each element of an ASL package contains a reference
count from the parent package as well as the element itself.

Name (TEST, Package() {
    "String object" // this package element has a reference count of 2
})

A memory leak was caused in the _CID repair function because it did
not decrement the reference count created by the package. Fix the
memory leak by calling acpi_ut_remove_reference on _CID package elements
that represent a hardware ID (_HID).

Link: https://github.com/acpica/acpica/commit/180cb539
Tested-by: Shawn Guo <shawn.guo@linaro.org>
Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/acpica/nsrepair2.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/acpi/acpica/nsrepair2.c b/drivers/acpi/acpica/nsrepair2.c
index 125143c41bb8..8768594c79e5 100644
--- a/drivers/acpi/acpica/nsrepair2.c
+++ b/drivers/acpi/acpica/nsrepair2.c
@@ -375,6 +375,13 @@ acpi_ns_repair_CID(struct acpi_evaluate_info *info,
 
 			(*element_ptr)->common.reference_count =
 			    original_ref_count;
+
+			/*
+			 * The original_element holds a reference from the package object
+			 * that represents _HID. Since a new element was created by _HID,
+			 * remove the reference from the _CID package.
+			 */
+			acpi_ut_remove_reference(original_element);
 		}
 
 		element_ptr++;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 186/593] ACPI: bus: Call kobject_put() in acpi_init() error path
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 185/593] ACPICA: Fix memory leak caused by _CID repair function Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 187/593] ACPI: resources: Add checks for ACPI IRQ override Greg Kroah-Hartman
                   ` (411 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hanjun Guo, Rafael J. Wysocki, Sasha Levin

From: Hanjun Guo <guohanjun@huawei.com>

[ Upstream commit 4ac7a817f1992103d4e68e9837304f860b5e7300 ]

Although the system will not be in a good condition or it will not
boot if acpi_bus_init() fails, it is still necessary to put the
kobject in the error path before returning to avoid leaking memory.

Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/bus.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
index 1682f8b454a2..e317214aabec 100644
--- a/drivers/acpi/bus.c
+++ b/drivers/acpi/bus.c
@@ -1245,6 +1245,7 @@ static int __init acpi_init(void)
 
 	result = acpi_bus_init();
 	if (result) {
+		kobject_put(acpi_kobj);
 		disable_acpi();
 		return result;
 	}
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 187/593] ACPI: resources: Add checks for ACPI IRQ override
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 186/593] ACPI: bus: Call kobject_put() in acpi_init() error path Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-15  8:49   ` Jamie Heilman
  2021-07-12  6:05 ` [PATCH 5.10 188/593] block: fix race between adding/removing rq qos and normal IO Greg Kroah-Hartman
                   ` (410 subsequent siblings)
  597 siblings, 1 reply; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rafael J. Wysocki, Manuel Krause,
	Hui Wang, Sasha Levin

From: Hui Wang <hui.wang@canonical.com>

[ Upstream commit 0ec4e55e9f571f08970ed115ec0addc691eda613 ]

The laptop keyboard doesn't work on many MEDION notebooks, but the
keyboard works well under Windows and Unix.

Through debugging, we found this log in the dmesg:

 ACPI: IRQ 1 override to edge, high
 pnp 00:03: Plug and Play ACPI device, IDs PNP0303 (active)

 And we checked the IRQ definition in the DSDT, it is:

    IRQ (Level, ActiveLow, Exclusive, )
        {1}

So the BIOS defines the keyboard IRQ to Level_Low, but the Linux
kernel override it to Edge_High. If the Linux kernel is modified
to skip the IRQ override, the keyboard will work normally.

>From the existing comment in acpi_dev_get_irqresource(), the override
function only needs to be called when IRQ() or IRQNoFlags() is used
to populate the resource descriptor, and according to Section 6.4.2.1
of ACPI 6.4 [1], if IRQ() is empty or IRQNoFlags() is used, the IRQ
is High true, edge sensitive and non-shareable. ACPICA also assumes
that to be the case (see acpi_rs_set_irq[] in rsirq.c).

In accordance with the above, check 3 additional conditions
(EdgeSensitive, ActiveHigh and Exclusive) when deciding whether or
not to treat an ACPI_RESOURCE_TYPE_IRQ resource as "legacy", in which
case the IRQ override is applicable to it.

Link: https://uefi.org/specs/ACPI/6.4/06_Device_Configuration/Device_Configuration.html#irq-descriptor # [1]
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213031
BugLink: http://bugs.launchpad.net/bugs/1909814
Suggested-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reported-by: Manuel Krause <manuelkrause@netscape.net>
Tested-by: Manuel Krause <manuelkrause@netscape.net>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
[ rjw: Subject rewrite, changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/resource.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/resource.c b/drivers/acpi/resource.c
index f2f5f1dc7c61..9d82440a1d75 100644
--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -430,6 +430,13 @@ static void acpi_dev_get_irqresource(struct resource *res, u32 gsi,
 	}
 }
 
+static bool irq_is_legacy(struct acpi_resource_irq *irq)
+{
+	return irq->triggering == ACPI_EDGE_SENSITIVE &&
+		irq->polarity == ACPI_ACTIVE_HIGH &&
+		irq->shareable == ACPI_EXCLUSIVE;
+}
+
 /**
  * acpi_dev_resource_interrupt - Extract ACPI interrupt resource information.
  * @ares: Input ACPI resource object.
@@ -468,7 +475,7 @@ bool acpi_dev_resource_interrupt(struct acpi_resource *ares, int index,
 		}
 		acpi_dev_get_irqresource(res, irq->interrupts[index],
 					 irq->triggering, irq->polarity,
-					 irq->shareable, true);
+					 irq->shareable, irq_is_legacy(irq));
 		break;
 	case ACPI_RESOURCE_TYPE_EXTENDED_IRQ:
 		ext_irq = &ares->data.extended_irq;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 188/593] block: fix race between adding/removing rq qos and normal IO
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 187/593] ACPI: resources: Add checks for ACPI IRQ override Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 189/593] platform/x86: asus-nb-wmi: Revert "Drop duplicate DMI quirk structures" Greg Kroah-Hartman
                   ` (409 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yi Zhang, Bart Van Assche, Ming Lei,
	Jens Axboe, Sasha Levin

From: Ming Lei <ming.lei@redhat.com>

[ Upstream commit 2cafe29a8d03f02a3d16193bdaae2f3e82a423f9 ]

Yi reported several kernel panics on:

[16687.001777] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
...
[16687.163549] pc : __rq_qos_track+0x38/0x60

or

[  997.690455] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
...
[  997.850347] pc : __rq_qos_done+0x2c/0x50

Turns out it is caused by race between adding rq qos(wbt) and normal IO
because rq_qos_add can be run when IO is being submitted, fix this issue
by freezing queue before adding/deleting rq qos to queue.

rq_qos_exit() needn't to freeze queue because it is called after queue
has been frozen.

iolatency calls rq_qos_add() during allocating queue, so freezing won't
add delay because queue usage refcount works at atomic mode at that
time.

iocost calls rq_qos_add() when writing cgroup attribute file, that is
fine to freeze queue at that time since we usually freeze queue when
storing to queue sysfs attribute, meantime iocost only exists on the
root cgroup.

wbt_init calls it in blk_register_queue() and queue sysfs attribute
store(queue_wb_lat_store() when write it 1st time in case of !BLK_WBT_MQ),
the following patch will speedup the queue freezing in wbt_init.

Reported-by: Yi Zhang <yi.zhang@redhat.com>
Cc: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Tested-by: Yi Zhang <yi.zhang@redhat.com>
Link: https://lore.kernel.org/r/20210609015822.103433-2-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-rq-qos.h | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/block/blk-rq-qos.h b/block/blk-rq-qos.h
index 2bc43e94f4c4..2bcb3495e376 100644
--- a/block/blk-rq-qos.h
+++ b/block/blk-rq-qos.h
@@ -7,6 +7,7 @@
 #include <linux/blk_types.h>
 #include <linux/atomic.h>
 #include <linux/wait.h>
+#include <linux/blk-mq.h>
 
 #include "blk-mq-debugfs.h"
 
@@ -99,8 +100,21 @@ static inline void rq_wait_init(struct rq_wait *rq_wait)
 
 static inline void rq_qos_add(struct request_queue *q, struct rq_qos *rqos)
 {
+	/*
+	 * No IO can be in-flight when adding rqos, so freeze queue, which
+	 * is fine since we only support rq_qos for blk-mq queue.
+	 *
+	 * Reuse ->queue_lock for protecting against other concurrent
+	 * rq_qos adding/deleting
+	 */
+	blk_mq_freeze_queue(q);
+
+	spin_lock_irq(&q->queue_lock);
 	rqos->next = q->rq_qos;
 	q->rq_qos = rqos;
+	spin_unlock_irq(&q->queue_lock);
+
+	blk_mq_unfreeze_queue(q);
 
 	if (rqos->ops->debugfs_attrs)
 		blk_mq_debugfs_register_rqos(rqos);
@@ -110,12 +124,22 @@ static inline void rq_qos_del(struct request_queue *q, struct rq_qos *rqos)
 {
 	struct rq_qos **cur;
 
+	/*
+	 * See comment in rq_qos_add() about freezing queue & using
+	 * ->queue_lock.
+	 */
+	blk_mq_freeze_queue(q);
+
+	spin_lock_irq(&q->queue_lock);
 	for (cur = &q->rq_qos; *cur; cur = &(*cur)->next) {
 		if (*cur == rqos) {
 			*cur = rqos->next;
 			break;
 		}
 	}
+	spin_unlock_irq(&q->queue_lock);
+
+	blk_mq_unfreeze_queue(q);
 
 	blk_mq_debugfs_unregister_rqos(rqos);
 }
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 189/593] platform/x86: asus-nb-wmi: Revert "Drop duplicate DMI quirk structures"
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 188/593] block: fix race between adding/removing rq qos and normal IO Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 190/593] platform/x86: asus-nb-wmi: Revert "add support for ASUS ROG Zephyrus G14 and G15" Greg Kroah-Hartman
                   ` (408 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luke D. Jones, Hans de Goede, Sasha Levin

From: Luke D. Jones <luke@ljones.dev>

[ Upstream commit 98c0c85b1040db24f0d04d3e1d315c6c7b05cc07 ]

This is a preparation revert for reverting the "add support for ASUS ROG
Zephyrus G14 and G15" change. This reverts
commit 67186653c903 ("platform/x86: asus-nb-wmi: Drop duplicate DMI quirk
structures")

Signed-off-by: Luke D. Jones <luke@ljones.dev>
Link: https://lore.kernel.org/r/20210419074915.393433-2-luke@ljones.dev
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/platform/x86/asus-nb-wmi.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
index 1d9fbabd02fb..ff39079e2d75 100644
--- a/drivers/platform/x86/asus-nb-wmi.c
+++ b/drivers/platform/x86/asus-nb-wmi.c
@@ -110,7 +110,12 @@ static struct quirk_entry quirk_asus_forceals = {
 	.wmi_force_als_set = true,
 };
 
-static struct quirk_entry quirk_asus_vendor_backlight = {
+static struct quirk_entry quirk_asus_ga401i = {
+	.wmi_backlight_power = true,
+	.wmi_backlight_set_devstate = true,
+};
+
+static struct quirk_entry quirk_asus_ga502i = {
 	.wmi_backlight_power = true,
 	.wmi_backlight_set_devstate = true,
 };
@@ -427,7 +432,7 @@ static const struct dmi_system_id asus_quirks[] = {
 			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
 			DMI_MATCH(DMI_PRODUCT_NAME, "GA401IH"),
 		},
-		.driver_data = &quirk_asus_vendor_backlight,
+		.driver_data = &quirk_asus_ga401i,
 	},
 	{
 		.callback = dmi_matched,
@@ -436,7 +441,7 @@ static const struct dmi_system_id asus_quirks[] = {
 			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
 			DMI_MATCH(DMI_PRODUCT_NAME, "GA401II"),
 		},
-		.driver_data = &quirk_asus_vendor_backlight,
+		.driver_data = &quirk_asus_ga401i,
 	},
 	{
 		.callback = dmi_matched,
@@ -445,7 +450,7 @@ static const struct dmi_system_id asus_quirks[] = {
 			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
 			DMI_MATCH(DMI_PRODUCT_NAME, "GA401IU"),
 		},
-		.driver_data = &quirk_asus_vendor_backlight,
+		.driver_data = &quirk_asus_ga401i,
 	},
 	{
 		.callback = dmi_matched,
@@ -454,7 +459,7 @@ static const struct dmi_system_id asus_quirks[] = {
 			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
 			DMI_MATCH(DMI_PRODUCT_NAME, "GA401IV"),
 		},
-		.driver_data = &quirk_asus_vendor_backlight,
+		.driver_data = &quirk_asus_ga401i,
 	},
 	{
 		.callback = dmi_matched,
@@ -463,7 +468,7 @@ static const struct dmi_system_id asus_quirks[] = {
 			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
 			DMI_MATCH(DMI_PRODUCT_NAME, "GA401IVC"),
 		},
-		.driver_data = &quirk_asus_vendor_backlight,
+		.driver_data = &quirk_asus_ga401i,
 	},
 		{
 		.callback = dmi_matched,
@@ -472,7 +477,7 @@ static const struct dmi_system_id asus_quirks[] = {
 			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
 			DMI_MATCH(DMI_PRODUCT_NAME, "GA502II"),
 		},
-		.driver_data = &quirk_asus_vendor_backlight,
+		.driver_data = &quirk_asus_ga502i,
 	},
 	{
 		.callback = dmi_matched,
@@ -481,7 +486,7 @@ static const struct dmi_system_id asus_quirks[] = {
 			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
 			DMI_MATCH(DMI_PRODUCT_NAME, "GA502IU"),
 		},
-		.driver_data = &quirk_asus_vendor_backlight,
+		.driver_data = &quirk_asus_ga502i,
 	},
 	{
 		.callback = dmi_matched,
@@ -490,7 +495,7 @@ static const struct dmi_system_id asus_quirks[] = {
 			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
 			DMI_MATCH(DMI_PRODUCT_NAME, "GA502IV"),
 		},
-		.driver_data = &quirk_asus_vendor_backlight,
+		.driver_data = &quirk_asus_ga502i,
 	},
 	{
 		.callback = dmi_matched,
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 190/593] platform/x86: asus-nb-wmi: Revert "add support for ASUS ROG Zephyrus G14 and G15"
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 189/593] platform/x86: asus-nb-wmi: Revert "Drop duplicate DMI quirk structures" Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 191/593] platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard() Greg Kroah-Hartman
                   ` (407 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luke D. Jones, Hans de Goede, Sasha Levin

From: Luke D. Jones <luke@ljones.dev>

[ Upstream commit 28117f3a5c3c8375a3304af76357d5bf9cf30f0b ]

The quirks added to asus-nb-wmi for the ASUS ROG Zephyrus G14 and G15 are
wrong, they tell the asus-wmi code to use the vendor specific WMI backlight
interface. But there is no such interface on these laptops.

As a side effect, these quirks stop the acpi_video driver to register since
they make acpi_video_get_backlight_type() return acpi_backlight_vendor,
leaving only the native AMD backlight driver in place, which is the one we
want. This happy coincidence is being replaced with a new quirk in
drivers/acpi/video_detect.c which actually sets the backlight_type to
acpi_backlight_native fixinf this properly. This reverts
commit 13bceda68fb9 ("platform/x86: asus-nb-wmi: add support for ASUS ROG
Zephyrus G14 and G15").

Signed-off-by: Luke D. Jones <luke@ljones.dev>
Link: https://lore.kernel.org/r/20210419074915.393433-3-luke@ljones.dev
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/platform/x86/asus-nb-wmi.c | 82 ------------------------------
 1 file changed, 82 deletions(-)

diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c
index ff39079e2d75..949ddeb673bc 100644
--- a/drivers/platform/x86/asus-nb-wmi.c
+++ b/drivers/platform/x86/asus-nb-wmi.c
@@ -110,16 +110,6 @@ static struct quirk_entry quirk_asus_forceals = {
 	.wmi_force_als_set = true,
 };
 
-static struct quirk_entry quirk_asus_ga401i = {
-	.wmi_backlight_power = true,
-	.wmi_backlight_set_devstate = true,
-};
-
-static struct quirk_entry quirk_asus_ga502i = {
-	.wmi_backlight_power = true,
-	.wmi_backlight_set_devstate = true,
-};
-
 static struct quirk_entry quirk_asus_use_kbd_dock_devid = {
 	.use_kbd_dock_devid = true,
 };
@@ -425,78 +415,6 @@ static const struct dmi_system_id asus_quirks[] = {
 		},
 		.driver_data = &quirk_asus_forceals,
 	},
-	{
-		.callback = dmi_matched,
-		.ident = "ASUSTeK COMPUTER INC. GA401IH",
-		.matches = {
-			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-			DMI_MATCH(DMI_PRODUCT_NAME, "GA401IH"),
-		},
-		.driver_data = &quirk_asus_ga401i,
-	},
-	{
-		.callback = dmi_matched,
-		.ident = "ASUSTeK COMPUTER INC. GA401II",
-		.matches = {
-			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-			DMI_MATCH(DMI_PRODUCT_NAME, "GA401II"),
-		},
-		.driver_data = &quirk_asus_ga401i,
-	},
-	{
-		.callback = dmi_matched,
-		.ident = "ASUSTeK COMPUTER INC. GA401IU",
-		.matches = {
-			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-			DMI_MATCH(DMI_PRODUCT_NAME, "GA401IU"),
-		},
-		.driver_data = &quirk_asus_ga401i,
-	},
-	{
-		.callback = dmi_matched,
-		.ident = "ASUSTeK COMPUTER INC. GA401IV",
-		.matches = {
-			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-			DMI_MATCH(DMI_PRODUCT_NAME, "GA401IV"),
-		},
-		.driver_data = &quirk_asus_ga401i,
-	},
-	{
-		.callback = dmi_matched,
-		.ident = "ASUSTeK COMPUTER INC. GA401IVC",
-		.matches = {
-			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-			DMI_MATCH(DMI_PRODUCT_NAME, "GA401IVC"),
-		},
-		.driver_data = &quirk_asus_ga401i,
-	},
-		{
-		.callback = dmi_matched,
-		.ident = "ASUSTeK COMPUTER INC. GA502II",
-		.matches = {
-			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-			DMI_MATCH(DMI_PRODUCT_NAME, "GA502II"),
-		},
-		.driver_data = &quirk_asus_ga502i,
-	},
-	{
-		.callback = dmi_matched,
-		.ident = "ASUSTeK COMPUTER INC. GA502IU",
-		.matches = {
-			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-			DMI_MATCH(DMI_PRODUCT_NAME, "GA502IU"),
-		},
-		.driver_data = &quirk_asus_ga502i,
-	},
-	{
-		.callback = dmi_matched,
-		.ident = "ASUSTeK COMPUTER INC. GA502IV",
-		.matches = {
-			DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
-			DMI_MATCH(DMI_PRODUCT_NAME, "GA502IV"),
-		},
-		.driver_data = &quirk_asus_ga502i,
-	},
 	{
 		.callback = dmi_matched,
 		.ident = "Asus Transformer T100TA / T100HA / T100CHI",
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 191/593] platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 190/593] platform/x86: asus-nb-wmi: Revert "add support for ASUS ROG Zephyrus G14 and G15" Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 192/593] nvme-pci: fix var. type for increasing cq_head Greg Kroah-Hartman
                   ` (406 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Abaci Robot, Jiapeng Chong,
	Hans de Goede, Sasha Levin

From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>

[ Upstream commit 28e367127718a9cb85d615a71e152f7acee41bfc ]

The error code is missing in this code scenario, add the error code
'-EINVAL' to the return value 'error'.

Eliminate the follow smatch warning:

drivers/platform/x86/toshiba_acpi.c:2834 toshiba_acpi_setup_keyboard()
warn: missing error code 'error'.

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Link: https://lore.kernel.org/r/1622628348-87035-1-git-send-email-jiapeng.chong@linux.alibaba.com
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/platform/x86/toshiba_acpi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c
index fa7232ad8c39..352508d30467 100644
--- a/drivers/platform/x86/toshiba_acpi.c
+++ b/drivers/platform/x86/toshiba_acpi.c
@@ -2831,6 +2831,7 @@ static int toshiba_acpi_setup_keyboard(struct toshiba_acpi_dev *dev)
 
 	if (!dev->info_supported && !dev->system_event_supported) {
 		pr_warn("No hotkey query interface found\n");
+		error = -EINVAL;
 		goto err_remove_filter;
 	}
 
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 192/593] nvme-pci: fix var. type for increasing cq_head
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 191/593] platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard() Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-07-12  6:05 ` [PATCH 5.10 193/593] nvmet-fc: do not check for invalid target port in nvmet_fc_handle_fcp_rqst() Greg Kroah-Hartman
                   ` (405 subsequent siblings)
  597 siblings, 0 replies; 615+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-12  6:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, JK Kim, Christoph Hellwig, Sasha Levin

From: JK Kim <jongkang.kim2@gmail.com>

[ Upstream commit a0aac973a26d1ac814b9e131e209eb39472a67ce ]

nvmeq->cq_head is compared with nvmeq->q_depth and changed the value
and cq_phase for handling the next cq db.

but, nvmeq->q_depth's type is u32 and max. value is 0x10000 when
CQP.MSQE is 0xffff and io_queue_depth is 0x10000.

current temp. variable for comparing with nvmeq->q_depth is overflowed
when previous nvmeq->cq_head is 0xffff.

in this case, nvmeq->cq_phase is not updated.
so, fix data type for temp. variable to u32.

Signed-off-by: JK Kim <jongkang.kim2@gmail.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/host/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index c1f3446216c5..56263214ea06 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -1027,7 +1027,7 @@ static inline void nvme_handle_cqe(struct nvme_queue *nvmeq, u16 idx)
 
 static inline void nvme_update_cq_head(struct nvme_queue *nvmeq)
 {
-	u16 tmp = nvmeq->cq_head + 1;
+	u32 tmp = nvmeq->cq_head + 1;
 
 	if (tmp == nvmeq->q_depth) {
 		nvmeq->cq_head = 0;
-- 
2.30.2




^ permalink raw reply	[flat|nested] 615+ messages in thread

* [PATCH 5.10 193/593] nvmet-fc: do not check for invalid target port in nvmet_fc_handle_fcp_rqst()
  2021-07-12  6:02 [PATCH 5.10 000/593] 5.10.50-rc1 review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2021-07-12  6:05 ` [PATCH 5.10 192/593] nvme-pci: fix var. type for increasing cq_head Greg Kroah-Hartman
@ 2021-07-12  6:05 ` Greg Kroah-Hartman
  2021-0