stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 5.13 000/175] 5.13.10-rc1 review
@ 2021-08-10 17:28 Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 001/175] Revert "ACPICA: Fix memory leak caused by _CID repair function" Greg Kroah-Hartman
                   ` (179 more replies)
  0 siblings, 180 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.13.10 release.
There are 175 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 12 Aug 2021 17:29:30 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.13.10-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.13.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.13.10-rc1

Michael Zaidman <michael.zaidman@gmail.com>
    HID: ft260: fix device removal due to USB disconnect

Thomas Weißschuh <linux@weissschuh.net>
    platform/x86: gigabyte-wmi: add support for B550 Aorus Elite V2

Alex Deucher <alexander.deucher@amd.com>
    drm/amdgpu/display: only enable aux backlight control for OLED panels

Steve French <stfrench@microsoft.com>
    smb3: rc uninitialized in one fallocate path

Letu Ren <fantasquex@gmail.com>
    net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset

Prarit Bhargava <prarit@redhat.com>
    alpha: Send stop IPI to send to online CPUs

Harshvardhan Jha <harshvardhan.jha@oracle.com>
    net: qede: Fix end of loop tests for list_for_each_entry

Matteo Croce <mcroce@microsoft.com>
    virt_wifi: fix error on connect

Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
    reiserfs: check directory items on read from disk

Yu Kuai <yukuai3@huawei.com>
    reiserfs: add check for root_inode in reiserfs_fill_super

Christoph Hellwig <hch@lst.de>
    libata: fix ata_pio_sector for CONFIG_HIGHMEM

Qiu Wenbo <qiuwenbo@kylinos.com.cn>
    riscv: dts: fix memory size for the SiFive HiFive Unmatched

Peter Zijlstra <peterz@infradead.org>
    sched/rt: Fix double enqueue caused by rt_effective_prio

Like Xu <likexu@tencent.com>
    perf/x86/amd: Don't touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest

Arnd Bergmann <arnd@arndb.de>
    soc: ixp4xx/qmgr: fix invalid __iomem access

Matt Roper <matthew.d.roper@intel.com>
    drm/i915: Correct SFC_DONE register offset

Mike Tipton <mdtipton@codeaurora.org>
    interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate

Mike Tipton <mdtipton@codeaurora.org>
    interconnect: qcom: icc-rpmh: Ensure floor BW is enforced for all nodes

Mike Tipton <mdtipton@codeaurora.org>
    interconnect: Always call pre_aggregate before aggregate

Mike Tipton <mdtipton@codeaurora.org>
    interconnect: Zero initial BW after sync-state

Dongliang Mu <mudongliangabcd@gmail.com>
    spi: meson-spicc: fix memory leak in meson_spicc_remove

Pawel Laszczak <pawell@cadence.com>
    usb: cdnsp: Fix incorrect supported maximum speed

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    usb: cdnsp: Fix the IMAN_IE_SET and IMAN_IE_CLEAR macro

Colin Ian King <colin.king@canonical.com>
    interconnect: Fix undersized devress_alloc allocation

Arnd Bergmann <arnd@arndb.de>
    soc: ixp4xx: fix printing resources

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds

Paolo Bonzini <pbonzini@redhat.com>
    KVM: Do not leak memory for duplicate debugfs directories

Sean Christopherson <seanjc@google.com>
    KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: accept userspace interrupt only if no event is injected

Stefan Haberland <sth@linux.ibm.com>
    s390/dasd: fix use after free in dasd path handling

Jens Axboe <axboe@kernel.dk>
    io-wq: fix race between worker exiting and activating free worker

Wei Shuyu <wsy@dogben.com>
    md/raid10: properly indicate failure when ending a failed write request

Tero Kristo <t-kristo@ti.com>
    ARM: omap2+: hwmod: fix potential NULL pointer access

Mark Rutland <mark.rutland@arm.com>
    arm64: fix compat syscall return truncation

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    Revert "gpio: mpc8xxx: change the gpio interrupt flags."

Kevin Hilman <khilman@baylibre.com>
    bus: ti-sysc: AM3: RNG is GP only

Xiu Jianfeng <xiujianfeng@huawei.com>
    selinux: correct the return value when loads initial sids

Tyrel Datwyler <tyreld@linux.ibm.com>
    scsi: ibmvfc: Fix command state accounting and stale response detection

Zheyu Ma <zheyuma97@gmail.com>
    pcmcia: i82092: fix a null pointer dereference bug

Dmitry Safonov <0x7f454c46@gmail.com>
    net/xfrm/compat: Copy xfrm_spdattr_type_t atributes

Frederic Weisbecker <frederic@kernel.org>
    xfrm: Fix RCU vs hash_resize_mutex lock inversion

Marco Elver <elver@google.com>
    perf: Fix required permissions if sigtrap is requested

Shuo Liu <shuo.a.liu@intel.com>
    virt: acrn: Do hcall_destroy_vm() before resource release

Thomas Gleixner <tglx@linutronix.de>
    timers: Move clearing of base::timer_running under base:: Lock

Kajol Jain <kjain@linux.ibm.com>
    fpga: dfl: fme: Fix cpu hotplug issue in performance reporting

Mario Kleiner <mario.kleiner.de@gmail.com>
    serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts.

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    serial: 8250_pci: Enumerate Elkhart Lake UARTs via dedicated driver

Maciej W. Rozycki <macro@orcam.me.uk>
    MIPS: Malta: Do not byte-swap accesses to the CBUS UART

Johan Hovold <johan@kernel.org>
    serial: 8250: fix handle_irq locking

Maciej W. Rozycki <macro@orcam.me.uk>
    serial: 8250: Mask out floating 16/32-bit bus bits

Zhiyong Tao <zhiyong.tao@mediatek.com>
    serial: 8250_mtk: fix uart corruption issue when rx power off

Jon Hunter <jonathanh@nvidia.com>
    serial: tegra: Only print FIFO error message when an error occurs

Mika Westerberg <mika.westerberg@linux.intel.com>
    Revert "thunderbolt: Hide authorized attribute if router does not support PCIe tunnels"

Theodore Ts'o <tytso@mit.edu>
    ext4: fix potential htree corruption when growing large_dir directories

Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
    pipe: increase minimum default pipe size to 2 pages

Johan Hovold <johan@kernel.org>
    media: rtl28xxu: fix zero-length control request

Filip Schauer <filip@mg6.at>
    drivers core: Fix oops when driver probe fails

Pavel Skripkin <paskripkin@gmail.com>
    staging: rtl8712: error handling refactoring

Pavel Skripkin <paskripkin@gmail.com>
    staging: rtl8712: get rid of flush_scheduled_work

Xiangyang Zhang <xyz.sun.ok@gmail.com>
    staging: rtl8723bs: Fix a resource leak in sd_int_dpc

Tyler Hicks <tyhicks@linux.microsoft.com>
    tpm_ftpm_tee: Free and unregister TEE shared memory during kexec

Allen Pais <apais@linux.microsoft.com>
    optee: fix tee out of memory failure seen during kexec reboot

Tyler Hicks <tyhicks@linux.microsoft.com>
    optee: Refuse to load the driver under the kdump kernel

Tyler Hicks <tyhicks@linux.microsoft.com>
    optee: Fix memory leak when failing to register shm pages

Sumit Garg <sumit.garg@linaro.org>
    tee: Correct inappropriate usage of TEE_SHM_DMA_BUF flag

Jens Wiklander <jens.wiklander@linaro.org>
    tee: add tee_shm_alloc_kernel_buf()

Tyler Hicks <tyhicks@linux.microsoft.com>
    optee: Clear stale cache entries during initialization

Mark Rutland <mark.rutland@arm.com>
    arm64: stacktrace: avoid tracing arch_stack_walk()

Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    tracepoint: Use rcu get state and cond sync for static call updates

Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    tracepoint: Fix static call function vs data state mismatch

Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
    tracepoint: static call: Compare data on transition from 2->1 callees

Kamal Agrawal <kamaagra@codeaurora.org>
    tracing: Fix NULL pointer dereference in start_creating

Masami Hiramatsu <mhiramat@kernel.org>
    tracing: Reject string operand in the histogram expression

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing / histogram: Give calculation hist_fields a size

Hui Su <suhui@zeku.com>
    scripts/tracing: fix the bug that can't parse raw_trace_func

Brian Norris <briannorris@chromium.org>
    clk: fix leak on devm_clk_bulk_get_all() unwind

Dmitry Osipenko <digetx@gmail.com>
    usb: otg-fsm: Fix hrtimer list corruption

Kyle Tso <kyletso@google.com>
    usb: typec: tcpm: Keep other events when receiving FRS and Sourcing_vbus events

Claudiu Beznea <claudiu.beznea@microchip.com>
    usb: host: ohci-at91: suspend/resume ports after/before OHCI accesses

Maxim Devaev <mdevaev@gmail.com>
    usb: gadget: f_hid: idle uses the highest byte for duration

Phil Elwell <phil@raspberrypi.com>
    usb: gadget: f_hid: fixed NULL pointer dereference

Maxim Devaev <mdevaev@gmail.com>
    usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers

Pawel Laszczak <pawell@cadence.com>
    usb: cdnsp: Fixed issue with ZLP

Pawel Laszczak <pawell@cadence.com>
    usb: cdns3: Fixed incorrect gadget state

Zhang Qilong <zhangqilong3@huawei.com>
    usb: gadget: remove leaked entry from udc driver list

Wesley Cheng <wcheng@codeaurora.org>
    usb: dwc3: gadget: Avoid runtime resume if disabling pullup

Wesley Cheng <wcheng@codeaurora.org>
    usb: dwc3: gadget: Use list_replace_init() before traversing lists

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Avoid unnecessary or invalid connector selection at resume

Alexander Tsoy <alexander@tsoy.me>
    ALSA: usb-audio: Add registration quirk for JBL Quantum 600

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Fix superfluous autosuspend recovery

Nikos Liolios <liolios.nk@gmail.com>
    ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256)

Alexander Monakov <amonakov@ispras.ru>
    ALSA: hda/realtek: add mic quirk for Acer SF314-42

Jaroslav Kysela <perex@perex.cz>
    ALSA: pcm - fix mmap capability check for the snd-dummy driver

Shirish S <shirish.s@amd.com>
    drm/amdgpu/display: fix DMUB firmware version info

Randy Dunlap <rdunlap@infradead.org>
    drm/amdgpu: fix checking pmops when PM_SLEEP is not enabled

Anirudh Rayabharam <mail@anirudhrb.com>
    firmware_loader: fix use-after-free in firmware_fallback_sysfs

Anirudh Rayabharam <mail@anirudhrb.com>
    firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback

Johan Hovold <johan@kernel.org>
    USB: serial: pl2303: fix GT type detection

Johan Hovold <johan@kernel.org>
    USB: serial: pl2303: fix HX type detection

David Bauer <mail@david-bauer.net>
    USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2

Willy Tarreau <w@1wt.eu>
    USB: serial: ch341: fix character loss at high transfer rates

Daniele Palmas <dnlplm@gmail.com>
    USB: serial: option: add Telit FD980 composition 0x1056

Qiang.zhang <qiang.zhang@windriver.com>
    USB: usbtmc: Fix RCU stall warning

Hao Xu <haoxu@linux.alibaba.com>
    io-wq: fix lack of acct->nr_workers < acct->max_workers judgement

Hao Xu <haoxu@linux.alibaba.com>
    io-wq: fix no lock protection of acct->nr_worker

Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
    Bluetooth: defer cleanup of resources in hci_unregister_dev()

Yu Kuai <yukuai3@huawei.com>
    blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit()

Pavel Skripkin <paskripkin@gmail.com>
    net: vxge: fix use-after-free in vxge_device_unregister

Pavel Skripkin <paskripkin@gmail.com>
    net: fec: fix use-after-free in fec_drv_remove

Pavel Skripkin <paskripkin@gmail.com>
    net: pegasus: fix uninit-value in get_interrupt_interval

Grygorii Strashko <grygorii.strashko@ti.com>
    net: ethernet: ti: am65-cpsw: fix crash in am65_cpsw_port_offload_fwd_mark_update()

Dan Carpenter <dan.carpenter@oracle.com>
    bnx2x: fix an error code in bnx2x_nic_load()

Masahiro Yamada <masahiroy@kernel.org>
    kbuild: cancel sub_make_done for the install target to fix DKMS

H. Nikolaus Schaller <hns@goldelico.com>
    mips: Fix non-POSIX regexp

H. Nikolaus Schaller <hns@goldelico.com>
    x86/tools/relocs: Fix non-POSIX regexp

Huang Pei <huangpei@loongson.cn>
    MIPS: check return value of pgtable_pmd_page_ctor

Randy Dunlap <rdunlap@infradead.org>
    drm/i915: fix i915_globals_exit() section mismatch error

Yunsheng Lin <linyunsheng@huawei.com>
    net: sched: fix lockdep_set_class() typo error for sch->seqlock

Guenter Roeck <linux@roeck-us.net>
    riscv: Disable STACKPROTECTOR_PER_TASK if GCC_PLUGIN_RANDSTRUCT is enabled

Oleksij Rempel <linux@rempel-privat.de>
    net: dsa: qca: ar9331: reorder MDIO write sequence

Yangyang Li <liyangyang20@huawei.com>
    RDMA/hns: Fix the double unlock problem of poll_sem

Antoine Tenart <atenart@kernel.org>
    net: ipv6: fix returned variable type in ip6_skb_dst_mtu

Fei Qin <fei.qin@corigine.com>
    nfp: update ethtool reporting of pauseframe control

Jason Ekstrand <jason@jlekstrand.net>
    drm/i915: Call i915_globals_exit() if pci_register_device() fails

Xin Long <lucien.xin@gmail.com>
    sctp: move the active_key update after sh_keys is added

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry

Aharon Landau <aharonl@nvidia.com>
    RDMA/mlx5: Delay emptying a cache entry when a new MR is added to it recently

Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
    gpio: tqmx86: really make IRQ optional

Wang Hai <wanghai38@huawei.com>
    net: natsemi: Fix missing pci_disable_device() in probe and remove

Steve Bennett <steveb@workware.net.au>
    net: phy: micrel: Fix detection of ksz87xx switch

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: sja1105: match FDB entries regardless of inner/outer VLAN tag

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: sja1105: be stateless with FDB entries on SJA1105P/Q/R/S/SJA1110 too

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: sja1105: ignore the FDB entry for unknown multicast when adding a new address

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: sja1105: invalidate dynamic FDB entries learned concurrently with statically added ones

Vladimir Oltean <vladimir.oltean@nxp.com>
    net: dsa: sja1105: overwrite dynamic FDB entries with static ones in .port_fdb_add

Jakub Sitnicki <jakub@cloudflare.com>
    net, gro: Set inner transport header offset in tcp/udp GRO hook

Juergen Borleis <jbe@pengutronix.de>
    dmaengine: imx-dma: configure the generic DMA type to make it work

Marek Vasut <marex@denx.de>
    ARM: dts: stm32: Fix touchscreen IRQ line assignment on DHCOM

Marek Vasut <marex@denx.de>
    ARM: dts: stm32: Disable LAN8710 EDPD on DHCOM

Marek Vasut <marex@denx.de>
    ARM: dts: stm32: Prefer HW RTC on DHCOM SoM

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: videobuf2-core: dequeue if start_streaming fails

Li Manyi <limanyi@uniontech.com>
    scsi: sr: Return correct event when media event code is 3

Edmund Dea <edmund.j.dea@intel.com>
    drm/kmb: Enable LCD DMA for low TVDDCV

Marek Vasut <marex@denx.de>
    spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation

Marek Vasut <marex@denx.de>
    spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay

Zhang Qilong <zhangqilong3@huawei.com>
    dmaengine: stm32-dmamux: Fix PM usage counter unbalance in stm32 dmamux ops

Zhang Qilong <zhangqilong3@huawei.com>
    dmaengine: stm32-dma: Fix PM usage counter imbalance in stm32 dma ops

Dmitry Osipenko <digetx@gmail.com>
    clk: tegra: Implement disable_unused() of tegra_clk_sdmmc_mux_ops

Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
    dmaengine: uniphier-xdmac: Use readl_poll_timeout_atomic() in atomic state

H. Nikolaus Schaller <hns@goldelico.com>
    omap5-board-common: remove not physically existing vdds_1v8_main fixed-regulator

Dario Binacchi <dariobin@libero.it>
    ARM: dts: am437x-l4: fix typo in can@0 node

Dario Binacchi <dariobin@libero.it>
    clk: stm32f4: fix post divisor setup for I2S/SAI PLLs

Jisheng Zhang <jszhang@kernel.org>
    riscv: stacktrace: Fix NULL pointer dereference

chihhao.chen <chihhao.chen@mediatek.com>
    ALSA: usb-audio: fix incorrect clock source setting

Pali Rohár <pali@kernel.org>
    arm64: dts: armada-3720-turris-mox: remove mrvl,i2c-fast-mode

Ye Bin <yebin10@huawei.com>
    ext4: fix potential uninitialized access to retval in kmmpd

Vladimir Oltean <vladimir.oltean@nxp.com>
    arm64: dts: armada-3720-turris-mox: fixed indices for the SDHC controllers

Marek Vasut <marex@denx.de>
    ARM: dts: imx: Swap M53Menlo pinctrl_power_button/pinctrl_power_out pins

Colin Ian King <colin.king@canonical.com>
    ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init

Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
    ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz

Michael Walle <michael@walle.cc>
    arm64: dts: ls1028: sl28: fix networking for variant 2

Dave Jiang <dave.jiang@intel.com>
    dmaengine: idxd: fix submission race window

Dave Jiang <dave.jiang@intel.com>
    dmaengine: idxd: fix sequence for pci driver remove() and shutdown()

Dave Jiang <dave.jiang@intel.com>
    dmaengine: idxd: fix desc->vector that isn't being updated

Lucas Stach <l.stach@pengutronix.de>
    Revert "soc: imx8m: change to use platform driver"

Maxime Chevallier <maxime.chevallier@bootlin.com>
    ARM: dts: imx6qdl-sr-som: Increase the PHY reset duration to 10ms

Yang Yingliang <yangyingliang@huawei.com>
    ARM: imx: add missing clk_disable_unprepare()

Yang Yingliang <yangyingliang@huawei.com>
    ARM: imx: add missing iounmap()

Dave Jiang <dave.jiang@intel.com>
    dmaengine: idxd: fix setup sequence for MSIXPERM table

Dave Jiang <dave.jiang@intel.com>
    dmaengine: idxd: fix array index when int_handles are being used

Vladimir Oltean <vladimir.oltean@nxp.com>
    arm64: dts: ls1028a: fix node name for the sysclk

Pavel Skripkin <paskripkin@gmail.com>
    net: xfrm: fix memory leak in xfrm_user_rcv_msg

Tony Lindgren <tony@atomide.com>
    bus: ti-sysc: Fix gpt12 system timer issue with reserved status

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: Fix racy deletion of subscriber

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Revert "ACPICA: Fix memory leak caused by _CID repair function"


-------------

Diffstat:

 Makefile                                           |  13 +-
 arch/alpha/kernel/smp.c                            |   2 +-
 arch/arm/boot/dts/am437x-l4.dtsi                   |   2 +-
 arch/arm/boot/dts/imx53-m53menlo.dts               |   4 +-
 arch/arm/boot/dts/imx6qdl-sr-som.dtsi              |   8 +-
 arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi        |   1 +
 arch/arm/boot/dts/omap5-board-common.dtsi          |   9 +-
 arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi      |  24 ++--
 arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi       |   5 +-
 arch/arm/mach-imx/mmdc.c                           |  17 ++-
 arch/arm/mach-omap2/omap_hwmod.c                   |  10 +-
 .../freescale/fsl-ls1028a-kontron-sl28-var2.dts    |   2 +
 arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi     |   2 +-
 .../boot/dts/marvell/armada-3720-turris-mox.dts    |   3 +
 arch/arm64/include/asm/ptrace.h                    |  12 +-
 arch/arm64/include/asm/syscall.h                   |  19 +--
 arch/arm64/kernel/ptrace.c                         |   2 +-
 arch/arm64/kernel/signal.c                         |   3 +-
 arch/arm64/kernel/stacktrace.c                     |   2 +-
 arch/arm64/kernel/syscall.c                        |   9 +-
 arch/mips/Makefile                                 |   2 +-
 arch/mips/include/asm/pgalloc.h                    |  17 ++-
 arch/mips/mti-malta/malta-platform.c               |   3 +-
 arch/riscv/Kconfig                                 |   1 +
 .../riscv/boot/dts/sifive/hifive-unmatched-a00.dts |   2 +-
 arch/riscv/kernel/stacktrace.c                     |   2 +-
 arch/x86/events/perf_event.h                       |   3 +-
 arch/x86/kvm/mmu/mmu.c                             |   2 +-
 arch/x86/kvm/svm/sev.c                             |   2 +-
 arch/x86/kvm/x86.c                                 |  13 +-
 arch/x86/tools/relocs.c                            |   8 +-
 block/blk-iolatency.c                              |   6 +-
 drivers/acpi/acpica/nsrepair2.c                    |   7 -
 drivers/ata/libata-sff.c                           |  35 +++--
 drivers/base/dd.c                                  |   4 +-
 drivers/base/firmware_loader/fallback.c            |  14 +-
 drivers/base/firmware_loader/firmware.h            |  10 +-
 drivers/base/firmware_loader/main.c                |   2 +
 drivers/bus/ti-sysc.c                              |  22 ++-
 drivers/char/tpm/tpm_ftpm_tee.c                    |   8 +-
 drivers/clk/clk-devres.c                           |   9 +-
 drivers/clk/clk-stm32f4.c                          |  10 +-
 drivers/clk/tegra/clk-sdmmc-mux.c                  |  10 ++
 drivers/dma/idxd/idxd.h                            |  14 ++
 drivers/dma/idxd/init.c                            |  30 ++--
 drivers/dma/idxd/irq.c                             |  27 ++--
 drivers/dma/idxd/submit.c                          |  92 +++++++++---
 drivers/dma/idxd/sysfs.c                           |   2 -
 drivers/dma/imx-dma.c                              |   2 +
 drivers/dma/stm32-dma.c                            |   4 +-
 drivers/dma/stm32-dmamux.c                         |   6 +-
 drivers/dma/uniphier-xdmac.c                       |   4 +-
 drivers/fpga/dfl-fme-perf.c                        |   2 +
 drivers/gpio/gpio-mpc8xxx.c                        |   2 +-
 drivers/gpio/gpio-tqmx86.c                         |   6 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c           |   2 +-
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c  |   6 +-
 drivers/gpu/drm/i915/i915_globals.c                |   4 +-
 drivers/gpu/drm/i915/i915_pci.c                    |   1 +
 drivers/gpu/drm/i915/i915_reg.h                    |   2 +-
 drivers/gpu/drm/kmb/kmb_drv.c                      |  14 ++
 drivers/gpu/drm/kmb/kmb_plane.c                    |  15 +-
 drivers/hid/hid-ft260.c                            |  23 +--
 drivers/infiniband/hw/hns/hns_roce_cmd.c           |   7 +-
 drivers/infiniband/hw/hns/hns_roce_main.c          |   4 +-
 drivers/infiniband/hw/mlx5/mr.c                    |   4 +-
 drivers/interconnect/core.c                        |   9 +-
 drivers/interconnect/qcom/icc-rpmh.c               |  22 ++-
 drivers/md/raid1.c                                 |   2 -
 drivers/md/raid10.c                                |   4 +-
 drivers/media/common/videobuf2/videobuf2-core.c    |  13 +-
 drivers/media/usb/dvb-usb-v2/rtl28xxu.c            |  11 +-
 drivers/net/dsa/qca/ar9331.c                       |  14 +-
 drivers/net/dsa/sja1105/sja1105_main.c             |  94 +++++++++----
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c    |   3 +-
 drivers/net/ethernet/freescale/fec_main.c          |   2 +-
 drivers/net/ethernet/natsemi/natsemi.c             |   8 +-
 drivers/net/ethernet/neterion/vxge/vxge-main.c     |   6 +-
 .../net/ethernet/netronome/nfp/nfp_net_ethtool.c   |   2 +
 drivers/net/ethernet/qlogic/qede/qede_filter.c     |   4 +-
 drivers/net/ethernet/qlogic/qla3xxx.c              |   6 +-
 drivers/net/ethernet/ti/am65-cpsw-nuss.c           |   6 +-
 drivers/net/phy/micrel.c                           |  10 +-
 drivers/net/usb/pegasus.c                          |  14 +-
 drivers/net/wireless/virt_wifi.c                   |  52 ++++---
 drivers/pcmcia/i82092.c                            |   1 +
 drivers/platform/x86/gigabyte-wmi.c                |   1 +
 drivers/s390/block/dasd_eckd.c                     |  13 +-
 drivers/scsi/ibmvscsi/ibmvfc.c                     |  19 ++-
 drivers/scsi/ibmvscsi/ibmvfc.h                     |   1 +
 drivers/scsi/sr.c                                  |   2 +-
 drivers/soc/imx/soc-imx8m.c                        |  84 ++---------
 drivers/soc/ixp4xx/ixp4xx-npe.c                    |  11 +-
 drivers/soc/ixp4xx/ixp4xx-qmgr.c                   |   9 +-
 drivers/spi/spi-imx.c                              |  52 ++++---
 drivers/spi/spi-meson-spicc.c                      |   2 +
 drivers/staging/rtl8712/hal_init.c                 |  30 ++--
 drivers/staging/rtl8712/rtl8712_led.c              |   8 ++
 drivers/staging/rtl8712/rtl871x_led.h              |   1 +
 drivers/staging/rtl8712/rtl871x_pwrctrl.c          |   8 ++
 drivers/staging/rtl8712/rtl871x_pwrctrl.h          |   1 +
 drivers/staging/rtl8712/usb_intf.c                 |  51 +++----
 drivers/staging/rtl8723bs/hal/sdio_ops.c           |   2 +
 drivers/tee/optee/call.c                           |  38 ++++-
 drivers/tee/optee/core.c                           |  43 +++++-
 drivers/tee/optee/optee_private.h                  |   1 +
 drivers/tee/optee/rpc.c                            |   5 +-
 drivers/tee/optee/shm_pool.c                       |  20 ++-
 drivers/tee/tee_shm.c                              |  20 ++-
 drivers/thunderbolt/switch.c                       |  15 +-
 drivers/tty/serial/8250/8250_aspeed_vuart.c        |   5 +-
 drivers/tty/serial/8250/8250_fsl.c                 |   5 +-
 drivers/tty/serial/8250/8250_mtk.c                 |   5 +
 drivers/tty/serial/8250/8250_pci.c                 |   7 +
 drivers/tty/serial/8250/8250_port.c                |  17 ++-
 drivers/tty/serial/serial-tegra.c                  |   6 +-
 drivers/usb/cdns3/cdns3-ep0.c                      |   1 +
 drivers/usb/cdns3/cdnsp-gadget.c                   |   2 +-
 drivers/usb/cdns3/cdnsp-gadget.h                   |   4 +-
 drivers/usb/cdns3/cdnsp-ring.c                     |  18 ++-
 drivers/usb/class/usbtmc.c                         |   9 +-
 drivers/usb/common/usb-otg-fsm.c                   |   6 +-
 drivers/usb/dwc3/gadget.c                          |  29 +++-
 drivers/usb/gadget/function/f_hid.c                |  44 +++++-
 drivers/usb/gadget/udc/max3420_udc.c               |  14 +-
 drivers/usb/host/ohci-at91.c                       |   9 +-
 drivers/usb/serial/ch341.c                         |   1 +
 drivers/usb/serial/ftdi_sio.c                      |   1 +
 drivers/usb/serial/ftdi_sio_ids.h                  |   3 +
 drivers/usb/serial/option.c                        |   2 +
 drivers/usb/serial/pl2303.c                        |  42 +++---
 drivers/usb/typec/tcpm/tcpm.c                      |   4 +-
 drivers/virt/acrn/vm.c                             |  16 +--
 fs/cifs/smb2ops.c                                  |   3 +-
 fs/ext4/mmp.c                                      |   2 +-
 fs/ext4/namei.c                                    |   2 +-
 fs/io-wq.c                                         |  71 ++++++----
 fs/pipe.c                                          |  19 ++-
 fs/reiserfs/stree.c                                |  31 ++++-
 fs/reiserfs/super.c                                |   8 ++
 include/linux/serial_core.h                        |  24 ++++
 include/linux/tee_drv.h                            |   2 +
 include/linux/usb/otg-fsm.h                        |   1 +
 include/net/bluetooth/hci_core.h                   |   1 +
 include/net/ip6_route.h                            |   2 +-
 include/net/netns/xfrm.h                           |   1 +
 kernel/events/core.c                               |  25 +++-
 kernel/sched/core.c                                |  90 +++++-------
 kernel/time/timer.c                                |   6 +-
 kernel/trace/trace.c                               |   4 +-
 kernel/trace/trace_events_hist.c                   |  24 +++-
 kernel/tracepoint.c                                | 155 ++++++++++++++++++---
 net/bluetooth/hci_core.c                           |  16 +--
 net/bluetooth/hci_sock.c                           |  49 ++++---
 net/bluetooth/hci_sysfs.c                          |   3 +
 net/bridge/br.c                                    |   3 +-
 net/bridge/br_fdb.c                                |  30 +++-
 net/bridge/br_private.h                            |   2 +-
 net/ipv4/tcp_offload.c                             |   3 +
 net/ipv4/udp_offload.c                             |   4 +
 net/sched/sch_generic.c                            |   2 +-
 net/sctp/auth.c                                    |  14 +-
 net/xfrm/xfrm_compat.c                             |  49 ++++++-
 net/xfrm/xfrm_policy.c                             |  17 ++-
 net/xfrm/xfrm_user.c                               |  10 ++
 scripts/tracing/draw_functrace.py                  |   6 +-
 security/selinux/ss/policydb.c                     |  10 +-
 sound/core/pcm_native.c                            |   2 +-
 sound/core/seq/seq_ports.c                         |  39 ++++--
 sound/pci/hda/patch_realtek.c                      |   2 +
 sound/usb/card.c                                   |   2 +-
 sound/usb/clock.c                                  |   6 +
 sound/usb/mixer.c                                  |  35 +++--
 sound/usb/quirks.c                                 |   1 +
 virt/kvm/kvm_main.c                                |  18 ++-
 175 files changed, 1634 insertions(+), 744 deletions(-)



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 001/175] Revert "ACPICA: Fix memory leak caused by _CID repair function"
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 002/175] ALSA: seq: Fix racy deletion of subscriber Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrien Precigout, Rafael J. Wysocki

From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

commit 6511a8b5b7a65037340cd8ee91a377811effbc83 upstream.

Revert commit c27bac0314131 ("ACPICA: Fix memory leak caused by _CID
repair function") which is reported to cause a boot issue on Acer
Swift 3 (SF314-51).

Reported-by: Adrien Precigout <dev@asdrip.fr>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/acpi/acpica/nsrepair2.c |    7 -------
 1 file changed, 7 deletions(-)

--- a/drivers/acpi/acpica/nsrepair2.c
+++ b/drivers/acpi/acpica/nsrepair2.c
@@ -379,13 +379,6 @@ acpi_ns_repair_CID(struct acpi_evaluate_
 
 			(*element_ptr)->common.reference_count =
 			    original_ref_count;
-
-			/*
-			 * The original_element holds a reference from the package object
-			 * that represents _HID. Since a new element was created by _HID,
-			 * remove the reference from the _CID package.
-			 */
-			acpi_ut_remove_reference(original_element);
 		}
 
 		element_ptr++;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 002/175] ALSA: seq: Fix racy deletion of subscriber
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 001/175] Revert "ACPICA: Fix memory leak caused by _CID repair function" Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 003/175] bus: ti-sysc: Fix gpt12 system timer issue with reserved status Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai, folkert

From: Takashi Iwai <tiwai@suse.de>

commit 97367c97226aab8b298ada954ce12659ee3ad2a4 upstream.

It turned out that the current implementation of the port subscription
is racy.  The subscription contains two linked lists, and we have to
add to or delete from both lists.  Since both connection and
disconnection procedures perform the same order for those two lists
(i.e. src list, then dest list), when a deletion happens during a
connection procedure, the src list may be deleted before the dest list
addition completes, and this may lead to a use-after-free or an Oops,
even though the access to both lists are protected via mutex.

The simple workaround for this race is to change the access order for
the disconnection, namely, dest list, then src list.  This assures
that the connection has been established when disconnecting, and also
the concurrent deletion can be avoided.

Reported-and-tested-by: folkert <folkert@vanheusden.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210801182754.GP890690@belle.intranet.vanheusden.com
Link: https://lore.kernel.org/r/20210803114312.2536-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/seq/seq_ports.c |   39 +++++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 12 deletions(-)

--- a/sound/core/seq/seq_ports.c
+++ b/sound/core/seq/seq_ports.c
@@ -514,10 +514,11 @@ static int check_and_subscribe_port(stru
 	return err;
 }
 
-static void delete_and_unsubscribe_port(struct snd_seq_client *client,
-					struct snd_seq_client_port *port,
-					struct snd_seq_subscribers *subs,
-					bool is_src, bool ack)
+/* called with grp->list_mutex held */
+static void __delete_and_unsubscribe_port(struct snd_seq_client *client,
+					  struct snd_seq_client_port *port,
+					  struct snd_seq_subscribers *subs,
+					  bool is_src, bool ack)
 {
 	struct snd_seq_port_subs_info *grp;
 	struct list_head *list;
@@ -525,7 +526,6 @@ static void delete_and_unsubscribe_port(
 
 	grp = is_src ? &port->c_src : &port->c_dest;
 	list = is_src ? &subs->src_list : &subs->dest_list;
-	down_write(&grp->list_mutex);
 	write_lock_irq(&grp->list_lock);
 	empty = list_empty(list);
 	if (!empty)
@@ -535,6 +535,18 @@ static void delete_and_unsubscribe_port(
 
 	if (!empty)
 		unsubscribe_port(client, port, grp, &subs->info, ack);
+}
+
+static void delete_and_unsubscribe_port(struct snd_seq_client *client,
+					struct snd_seq_client_port *port,
+					struct snd_seq_subscribers *subs,
+					bool is_src, bool ack)
+{
+	struct snd_seq_port_subs_info *grp;
+
+	grp = is_src ? &port->c_src : &port->c_dest;
+	down_write(&grp->list_mutex);
+	__delete_and_unsubscribe_port(client, port, subs, is_src, ack);
 	up_write(&grp->list_mutex);
 }
 
@@ -590,27 +602,30 @@ int snd_seq_port_disconnect(struct snd_s
 			    struct snd_seq_client_port *dest_port,
 			    struct snd_seq_port_subscribe *info)
 {
-	struct snd_seq_port_subs_info *src = &src_port->c_src;
+	struct snd_seq_port_subs_info *dest = &dest_port->c_dest;
 	struct snd_seq_subscribers *subs;
 	int err = -ENOENT;
 
-	down_write(&src->list_mutex);
+	/* always start from deleting the dest port for avoiding concurrent
+	 * deletions
+	 */
+	down_write(&dest->list_mutex);
 	/* look for the connection */
-	list_for_each_entry(subs, &src->list_head, src_list) {
+	list_for_each_entry(subs, &dest->list_head, dest_list) {
 		if (match_subs_info(info, &subs->info)) {
-			atomic_dec(&subs->ref_count); /* mark as not ready */
+			__delete_and_unsubscribe_port(dest_client, dest_port,
+						      subs, false,
+						      connector->number != dest_client->number);
 			err = 0;
 			break;
 		}
 	}
-	up_write(&src->list_mutex);
+	up_write(&dest->list_mutex);
 	if (err < 0)
 		return err;
 
 	delete_and_unsubscribe_port(src_client, src_port, subs, true,
 				    connector->number != src_client->number);
-	delete_and_unsubscribe_port(dest_client, dest_port, subs, false,
-				    connector->number != dest_client->number);
 	kfree(subs);
 	return 0;
 }



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 003/175] bus: ti-sysc: Fix gpt12 system timer issue with reserved status
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 001/175] Revert "ACPICA: Fix memory leak caused by _CID repair function" Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 002/175] ALSA: seq: Fix racy deletion of subscriber Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 004/175] net: xfrm: fix memory leak in xfrm_user_rcv_msg Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jarkko Nikula, Tony Lindgren, Sasha Levin

From: Tony Lindgren <tony@atomide.com>

[ Upstream commit 3ff340e24c9dd5cff9fc07d67914c5adf67f80d6 ]

Jarkko Nikula <jarkko.nikula@bitmer.com> reported that Beagleboard
revision c2 stopped booting. Jarkko bisected the issue down to
commit 6cfcd5563b4f ("clocksource/drivers/timer-ti-dm: Fix suspend
and resume for am3 and am4").

Let's fix the issue by tagging system timers as reserved rather than
ignoring them. And let's not probe any interconnect target module child
devices for reserved modules.

This allows PM runtime to keep track of clocks and clockdomains for
the interconnect target module, and prevent the system timer from idling
as we already have SYSC_QUIRK_NO_IDLE and SYSC_QUIRK_NO_IDLE_ON_INIT
flags set for system timers.

Fixes: 6cfcd5563b4f ("clocksource/drivers/timer-ti-dm: Fix suspend and resume for am3 and am4")
Reported-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
Tested-by: Jarkko Nikula <jarkko.nikula@bitmer.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bus/ti-sysc.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
index 38cb116ed433..188cdb0a394e 100644
--- a/drivers/bus/ti-sysc.c
+++ b/drivers/bus/ti-sysc.c
@@ -100,6 +100,7 @@ static const char * const clock_names[SYSC_MAX_CLOCKS] = {
  * @cookie: data used by legacy platform callbacks
  * @name: name if available
  * @revision: interconnect target module revision
+ * @reserved: target module is reserved and already in use
  * @enabled: sysc runtime enabled status
  * @needs_resume: runtime resume needed on resume from suspend
  * @child_needs_resume: runtime resume needed for child on resume from suspend
@@ -130,6 +131,7 @@ struct sysc {
 	struct ti_sysc_cookie cookie;
 	const char *name;
 	u32 revision;
+	unsigned int reserved:1;
 	unsigned int enabled:1;
 	unsigned int needs_resume:1;
 	unsigned int child_needs_resume:1;
@@ -3093,8 +3095,8 @@ static int sysc_probe(struct platform_device *pdev)
 		return error;
 
 	error = sysc_check_active_timer(ddata);
-	if (error)
-		return error;
+	if (error == -EBUSY)
+		ddata->reserved = true;
 
 	error = sysc_get_clocks(ddata);
 	if (error)
@@ -3130,11 +3132,15 @@ static int sysc_probe(struct platform_device *pdev)
 	sysc_show_registers(ddata);
 
 	ddata->dev->type = &sysc_device_type;
-	error = of_platform_populate(ddata->dev->of_node, sysc_match_table,
-				     pdata ? pdata->auxdata : NULL,
-				     ddata->dev);
-	if (error)
-		goto err;
+
+	if (!ddata->reserved) {
+		error = of_platform_populate(ddata->dev->of_node,
+					     sysc_match_table,
+					     pdata ? pdata->auxdata : NULL,
+					     ddata->dev);
+		if (error)
+			goto err;
+	}
 
 	INIT_DELAYED_WORK(&ddata->idle_work, ti_sysc_idle);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 004/175] net: xfrm: fix memory leak in xfrm_user_rcv_msg
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 003/175] bus: ti-sysc: Fix gpt12 system timer issue with reserved status Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 005/175] arm64: dts: ls1028a: fix node name for the sysclk Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, Steffen Klassert,
	Sasha Levin, syzbot+fb347cf82c73a90efcca

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit 7c1a80e80cde008f271bae630d28cf684351e807 ]

Syzbot reported memory leak in xfrm_user_rcv_msg(). The
problem was is non-freed skb's frag_list.

In skb_release_all() skb_release_data() will be called only
in case of skb->head != NULL, but netlink_skb_destructor()
sets head to NULL. So, allocated frag_list skb should be
freed manualy, since consume_skb() won't take care of it

Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator")
Reported-and-tested-by: syzbot+fb347cf82c73a90efcca@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_user.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index b47d613409b7..7aff641c717d 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2811,6 +2811,16 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
 
 	err = link->doit(skb, nlh, attrs);
 
+	/* We need to free skb allocated in xfrm_alloc_compat() before
+	 * returning from this function, because consume_skb() won't take
+	 * care of frag_list since netlink destructor sets
+	 * sbk->head to NULL. (see netlink_skb_destructor())
+	 */
+	if (skb_has_frag_list(skb)) {
+		kfree_skb(skb_shinfo(skb)->frag_list);
+		skb_shinfo(skb)->frag_list = NULL;
+	}
+
 err:
 	kvfree(nlh64);
 	return err;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 005/175] arm64: dts: ls1028a: fix node name for the sysclk
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 004/175] net: xfrm: fix memory leak in xfrm_user_rcv_msg Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 006/175] dmaengine: idxd: fix array index when int_handles are being used Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladimir Oltean, Shawn Guo, Sasha Levin

From: Vladimir Oltean <vladimir.oltean@nxp.com>

[ Upstream commit 7e71b85473f863a29eb1c69265ef025389b4091d ]

U-Boot attempts to fix up the "clock-frequency" property of the "/sysclk" node:
https://elixir.bootlin.com/u-boot/v2021.04/source/arch/arm/cpu/armv8/fsl-layerscape/fdt.c#L512

but fails to do so:

  ## Booting kernel from Legacy Image at a1000000 ...
     Image Name:
     Created:      2021-06-08  10:31:38 UTC
     Image Type:   AArch64 Linux Kernel Image (gzip compressed)
     Data Size:    15431370 Bytes = 14.7 MiB
     Load Address: 80080000
     Entry Point:  80080000
     Verifying Checksum ... OK
  ## Flattened Device Tree blob at a0000000
     Booting using the fdt blob at 0xa0000000
     Uncompressing Kernel Image
     Loading Device Tree to 00000000fbb19000, end 00000000fbb22717 ... OK
  Unable to update property /sysclk:clock-frequency, err=FDT_ERR_NOTFOUND

  Starting kernel ...

All Layerscape SoCs except LS1028A use "sysclk" as the node name, and
not "clock-sysclk". So change the node name of LS1028A accordingly.

Fixes: 8897f3255c9c ("arm64: dts: Add support for NXP LS1028A SoC")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi b/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
index a30249ebffa8..a94cbd6dcce6 100644
--- a/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
@@ -66,7 +66,7 @@
 		};
 	};
 
-	sysclk: clock-sysclk {
+	sysclk: sysclk {
 		compatible = "fixed-clock";
 		#clock-cells = <0>;
 		clock-frequency = <100000000>;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 006/175] dmaengine: idxd: fix array index when int_handles are being used
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 005/175] arm64: dts: ls1028a: fix node name for the sysclk Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 007/175] dmaengine: idxd: fix setup sequence for MSIXPERM table Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Jiang, Vinod Koul, Sasha Levin

From: Dave Jiang <dave.jiang@intel.com>

[ Upstream commit da435aedb00a4ef61019ff11ae0c08ffb9b1fb18 ]

The index to the irq vector should be local and has no relation to
the assigned interrupt handle. Assign the MSIX interrupt index that is
programmed for the descriptor. The interrupt handle only matters when it
comes to hardware descriptor programming.

Fixes: eb15e7154fbf ("dmaengine: idxd: add interrupt handle request and release support")
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/162456176939.1121476.3366256009925001897.stgit@djiang5-desk3.ch.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/submit.c | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/drivers/dma/idxd/submit.c b/drivers/dma/idxd/submit.c
index 19afb62abaff..e29887528077 100644
--- a/drivers/dma/idxd/submit.c
+++ b/drivers/dma/idxd/submit.c
@@ -128,19 +128,8 @@ int idxd_submit_desc(struct idxd_wq *wq, struct idxd_desc *desc)
 	 * Pending the descriptor to the lockless list for the irq_entry
 	 * that we designated the descriptor to.
 	 */
-	if (desc->hw->flags & IDXD_OP_FLAG_RCI) {
-		int vec;
-
-		/*
-		 * If the driver is on host kernel, it would be the value
-		 * assigned to interrupt handle, which is index for MSIX
-		 * vector. If it's guest then can't use the int_handle since
-		 * that is the index to IMS for the entire device. The guest
-		 * device local index will be used.
-		 */
-		vec = !idxd->int_handles ? desc->hw->int_handle : desc->vector;
-		llist_add(&desc->llnode, &idxd->irq_entries[vec].pending_llist);
-	}
+	if (desc->hw->flags & IDXD_OP_FLAG_RCI)
+		llist_add(&desc->llnode, &idxd->irq_entries[desc->vector].pending_llist);
 
 	return 0;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 007/175] dmaengine: idxd: fix setup sequence for MSIXPERM table
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 006/175] dmaengine: idxd: fix array index when int_handles are being used Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 008/175] ARM: imx: add missing iounmap() Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vinod Koul, Sasha Levin, Dave Jiang

From: Dave Jiang <dave.jiang@intel.com>

[ Upstream commit d5c10e0fc8645342fe5c9796b00c84ab078cd713 ]

The MSIX permission table should be programmed BEFORE request_irq()
happens. This prevents any possibility of an interrupt happening before the
MSIX perm table is setup, however slight.

Fixes: 6df0e6c57dfc ("dmaengine: idxd: clear MSIX permission entry on shutdown")
Sign-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/162456741222.1138073.1298447364671237896.stgit@djiang5-desk3.ch.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/init.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
index 442d55c11a5f..4bc80eb6b9e7 100644
--- a/drivers/dma/idxd/init.c
+++ b/drivers/dma/idxd/init.c
@@ -102,6 +102,8 @@ static int idxd_setup_interrupts(struct idxd_device *idxd)
 		spin_lock_init(&idxd->irq_entries[i].list_lock);
 	}
 
+	idxd_msix_perm_setup(idxd);
+
 	irq_entry = &idxd->irq_entries[0];
 	rc = request_threaded_irq(irq_entry->vector, NULL, idxd_misc_thread,
 				  0, "idxd-misc", irq_entry);
@@ -148,7 +150,6 @@ static int idxd_setup_interrupts(struct idxd_device *idxd)
 	}
 
 	idxd_unmask_error_interrupts(idxd);
-	idxd_msix_perm_setup(idxd);
 	return 0;
 
  err_wq_irqs:
@@ -162,6 +163,7 @@ static int idxd_setup_interrupts(struct idxd_device *idxd)
  err_misc_irq:
 	/* Disable error interrupt generation */
 	idxd_mask_error_interrupts(idxd);
+	idxd_msix_perm_clear(idxd);
  err_irq_entries:
 	pci_free_irq_vectors(pdev);
 	dev_err(dev, "No usable interrupts\n");
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 008/175] ARM: imx: add missing iounmap()
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 007/175] dmaengine: idxd: fix setup sequence for MSIXPERM table Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 009/175] ARM: imx: add missing clk_disable_unprepare() Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang,
	Dong Aisheng, Shawn Guo, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit f9613aa07f16d6042e74208d1b40a6104d72964a ]

Commit e76bdfd7403a ("ARM: imx: Added perf functionality to mmdc driver")
introduced imx_mmdc_remove(), the mmdc_base need be unmapped in it if
config PERF_EVENTS is enabled.

If imx_mmdc_perf_init() fails, the mmdc_base also need be unmapped.

Fixes: e76bdfd7403a ("ARM: imx: Added perf functionality to mmdc driver")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Dong Aisheng <aisheng.dong@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-imx/mmdc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mach-imx/mmdc.c b/arch/arm/mach-imx/mmdc.c
index 0dfd0ae7a63d..8e57691aafe2 100644
--- a/arch/arm/mach-imx/mmdc.c
+++ b/arch/arm/mach-imx/mmdc.c
@@ -462,6 +462,7 @@ static int imx_mmdc_remove(struct platform_device *pdev)
 
 	cpuhp_state_remove_instance_nocalls(cpuhp_mmdc_state, &pmu_mmdc->node);
 	perf_pmu_unregister(&pmu_mmdc->pmu);
+	iounmap(pmu_mmdc->mmdc_base);
 	kfree(pmu_mmdc);
 	return 0;
 }
@@ -567,7 +568,11 @@ static int imx_mmdc_probe(struct platform_device *pdev)
 	val &= ~(1 << BP_MMDC_MAPSR_PSD);
 	writel_relaxed(val, reg);
 
-	return imx_mmdc_perf_init(pdev, mmdc_base);
+	err = imx_mmdc_perf_init(pdev, mmdc_base);
+	if (err)
+		iounmap(mmdc_base);
+
+	return err;
 }
 
 int imx_mmdc_get_ddr_type(void)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 009/175] ARM: imx: add missing clk_disable_unprepare()
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 008/175] ARM: imx: add missing iounmap() Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 010/175] ARM: dts: imx6qdl-sr-som: Increase the PHY reset duration to 10ms Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang,
	Dong Aisheng, Shawn Guo, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit f07ec85365807b3939f32d0094a6dd5ce065d1b9 ]

clock source is prepared and enabled by clk_prepare_enable()
in probe function, but no disable or unprepare in remove and
error path.

Fixes: 9454a0caff6a ("ARM: imx: add mmdc ipg clock operation for mmdc")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Dong Aisheng <aisheng.dong@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-imx/mmdc.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/arch/arm/mach-imx/mmdc.c b/arch/arm/mach-imx/mmdc.c
index 8e57691aafe2..4a6f1359e1e9 100644
--- a/arch/arm/mach-imx/mmdc.c
+++ b/arch/arm/mach-imx/mmdc.c
@@ -103,6 +103,7 @@ struct mmdc_pmu {
 	struct perf_event *mmdc_events[MMDC_NUM_COUNTERS];
 	struct hlist_node node;
 	struct fsl_mmdc_devtype_data *devtype_data;
+	struct clk *mmdc_ipg_clk;
 };
 
 /*
@@ -463,11 +464,13 @@ static int imx_mmdc_remove(struct platform_device *pdev)
 	cpuhp_state_remove_instance_nocalls(cpuhp_mmdc_state, &pmu_mmdc->node);
 	perf_pmu_unregister(&pmu_mmdc->pmu);
 	iounmap(pmu_mmdc->mmdc_base);
+	clk_disable_unprepare(pmu_mmdc->mmdc_ipg_clk);
 	kfree(pmu_mmdc);
 	return 0;
 }
 
-static int imx_mmdc_perf_init(struct platform_device *pdev, void __iomem *mmdc_base)
+static int imx_mmdc_perf_init(struct platform_device *pdev, void __iomem *mmdc_base,
+			      struct clk *mmdc_ipg_clk)
 {
 	struct mmdc_pmu *pmu_mmdc;
 	char *name;
@@ -495,6 +498,7 @@ static int imx_mmdc_perf_init(struct platform_device *pdev, void __iomem *mmdc_b
 	}
 
 	mmdc_num = mmdc_pmu_init(pmu_mmdc, mmdc_base, &pdev->dev);
+	pmu_mmdc->mmdc_ipg_clk = mmdc_ipg_clk;
 	if (mmdc_num == 0)
 		name = "mmdc";
 	else
@@ -568,9 +572,11 @@ static int imx_mmdc_probe(struct platform_device *pdev)
 	val &= ~(1 << BP_MMDC_MAPSR_PSD);
 	writel_relaxed(val, reg);
 
-	err = imx_mmdc_perf_init(pdev, mmdc_base);
-	if (err)
+	err = imx_mmdc_perf_init(pdev, mmdc_base, mmdc_ipg_clk);
+	if (err) {
 		iounmap(mmdc_base);
+		clk_disable_unprepare(mmdc_ipg_clk);
+	}
 
 	return err;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 010/175] ARM: dts: imx6qdl-sr-som: Increase the PHY reset duration to 10ms
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 009/175] ARM: imx: add missing clk_disable_unprepare() Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 011/175] Revert "soc: imx8m: change to use platform driver" Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maxime Chevallier, Hervé Codina,
	Russell King (Oracle),
	Shawn Guo, Sasha Levin

From: Maxime Chevallier <maxime.chevallier@bootlin.com>

[ Upstream commit fd8e83884fdd7b5fc411f201a58d8d01890198a2 ]

The AR803x PHY used on this modules seems to require the reset line to
be asserted for around 10ms in order to avoid rare cases where the PHY
gets stuck in an incoherent state that prevents it to function
correctly.

The previous value of 2ms was found to be problematic on some setups,
causing intermittent issues where the PHY would be unresponsive
every once in a while on some sytems, with a low occurrence (it typically
took around 30 consecutive reboots to encounter the issue).

Bumping the delay to the 10ms makes the issue dissapear, with more than
2500 consecutive reboots performed without the issue showing-up.

Fixes: 208d7baf8085 ("ARM: imx: initial SolidRun HummingBoard support")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Tested-by: Hervé Codina <herve.codina@bootlin.com>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/imx6qdl-sr-som.dtsi | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/imx6qdl-sr-som.dtsi b/arch/arm/boot/dts/imx6qdl-sr-som.dtsi
index 0ad8ccde0cf8..f86efd0ccc40 100644
--- a/arch/arm/boot/dts/imx6qdl-sr-som.dtsi
+++ b/arch/arm/boot/dts/imx6qdl-sr-som.dtsi
@@ -54,7 +54,13 @@
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_microsom_enet_ar8035>;
 	phy-mode = "rgmii-id";
-	phy-reset-duration = <2>;
+
+	/*
+	 * The PHY seems to require a long-enough reset duration to avoid
+	 * some rare issues where the PHY gets stuck in an inconsistent and
+	 * non-functional state at boot-up. 10ms proved to be fine .
+	 */
+	phy-reset-duration = <10>;
 	phy-reset-gpios = <&gpio4 15 GPIO_ACTIVE_LOW>;
 	status = "okay";
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 011/175] Revert "soc: imx8m: change to use platform driver"
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 010/175] ARM: dts: imx6qdl-sr-som: Increase the PHY reset duration to 10ms Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 012/175] dmaengine: idxd: fix desc->vector that isnt being updated Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lucas Stach, Frieder Schrempf,
	Peng Fan, Shawn Guo, Sasha Levin

From: Lucas Stach <l.stach@pengutronix.de>

[ Upstream commit ac34de14ac30ba4484d68f8845a54b6b6c23db42 ]

With the SoC matching changed to a platform driver the match data
is available only after other drivers, which may rely on it are
already probed. This breaks at least the CAAM driver on i.MX8M.
Revert the change until all those drivers have been audited and
changed to be able to eal with match data being available later
in the boot process.

Fixes: 7d981405d0fd ("soc: imx8m: change to use platform driver")
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Tested-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Acked-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/imx/soc-imx8m.c | 84 ++++++-------------------------------
 1 file changed, 12 insertions(+), 72 deletions(-)

diff --git a/drivers/soc/imx/soc-imx8m.c b/drivers/soc/imx/soc-imx8m.c
index 071e14496e4b..cc57a384d74d 100644
--- a/drivers/soc/imx/soc-imx8m.c
+++ b/drivers/soc/imx/soc-imx8m.c
@@ -5,8 +5,6 @@
 
 #include <linux/init.h>
 #include <linux/io.h>
-#include <linux/module.h>
-#include <linux/nvmem-consumer.h>
 #include <linux/of_address.h>
 #include <linux/slab.h>
 #include <linux/sys_soc.h>
@@ -31,7 +29,7 @@
 
 struct imx8_soc_data {
 	char *name;
-	u32 (*soc_revision)(struct device *dev);
+	u32 (*soc_revision)(void);
 };
 
 static u64 soc_uid;
@@ -52,7 +50,7 @@ static u32 imx8mq_soc_revision_from_atf(void)
 static inline u32 imx8mq_soc_revision_from_atf(void) { return 0; };
 #endif
 
-static u32 __init imx8mq_soc_revision(struct device *dev)
+static u32 __init imx8mq_soc_revision(void)
 {
 	struct device_node *np;
 	void __iomem *ocotp_base;
@@ -77,20 +75,9 @@ static u32 __init imx8mq_soc_revision(struct device *dev)
 			rev = REV_B1;
 	}
 
-	if (dev) {
-		int ret;
-
-		ret = nvmem_cell_read_u64(dev, "soc_unique_id", &soc_uid);
-		if (ret) {
-			iounmap(ocotp_base);
-			of_node_put(np);
-			return ret;
-		}
-	} else {
-		soc_uid = readl_relaxed(ocotp_base + OCOTP_UID_HIGH);
-		soc_uid <<= 32;
-		soc_uid |= readl_relaxed(ocotp_base + OCOTP_UID_LOW);
-	}
+	soc_uid = readl_relaxed(ocotp_base + OCOTP_UID_HIGH);
+	soc_uid <<= 32;
+	soc_uid |= readl_relaxed(ocotp_base + OCOTP_UID_LOW);
 
 	iounmap(ocotp_base);
 	of_node_put(np);
@@ -120,7 +107,7 @@ static void __init imx8mm_soc_uid(void)
 	of_node_put(np);
 }
 
-static u32 __init imx8mm_soc_revision(struct device *dev)
+static u32 __init imx8mm_soc_revision(void)
 {
 	struct device_node *np;
 	void __iomem *anatop_base;
@@ -138,15 +125,7 @@ static u32 __init imx8mm_soc_revision(struct device *dev)
 	iounmap(anatop_base);
 	of_node_put(np);
 
-	if (dev) {
-		int ret;
-
-		ret = nvmem_cell_read_u64(dev, "soc_unique_id", &soc_uid);
-		if (ret)
-			return ret;
-	} else {
-		imx8mm_soc_uid();
-	}
+	imx8mm_soc_uid();
 
 	return rev;
 }
@@ -171,7 +150,7 @@ static const struct imx8_soc_data imx8mp_soc_data = {
 	.soc_revision = imx8mm_soc_revision,
 };
 
-static __maybe_unused const struct of_device_id imx8_machine_match[] = {
+static __maybe_unused const struct of_device_id imx8_soc_match[] = {
 	{ .compatible = "fsl,imx8mq", .data = &imx8mq_soc_data, },
 	{ .compatible = "fsl,imx8mm", .data = &imx8mm_soc_data, },
 	{ .compatible = "fsl,imx8mn", .data = &imx8mn_soc_data, },
@@ -179,20 +158,12 @@ static __maybe_unused const struct of_device_id imx8_machine_match[] = {
 	{ }
 };
 
-static __maybe_unused const struct of_device_id imx8_soc_match[] = {
-	{ .compatible = "fsl,imx8mq-soc", .data = &imx8mq_soc_data, },
-	{ .compatible = "fsl,imx8mm-soc", .data = &imx8mm_soc_data, },
-	{ .compatible = "fsl,imx8mn-soc", .data = &imx8mn_soc_data, },
-	{ .compatible = "fsl,imx8mp-soc", .data = &imx8mp_soc_data, },
-	{ }
-};
-
 #define imx8_revision(soc_rev) \
 	soc_rev ? \
 	kasprintf(GFP_KERNEL, "%d.%d", (soc_rev >> 4) & 0xf,  soc_rev & 0xf) : \
 	"unknown"
 
-static int imx8_soc_info(struct platform_device *pdev)
+static int __init imx8_soc_init(void)
 {
 	struct soc_device_attribute *soc_dev_attr;
 	struct soc_device *soc_dev;
@@ -211,10 +182,7 @@ static int imx8_soc_info(struct platform_device *pdev)
 	if (ret)
 		goto free_soc;
 
-	if (pdev)
-		id = of_match_node(imx8_soc_match, pdev->dev.of_node);
-	else
-		id = of_match_node(imx8_machine_match, of_root);
+	id = of_match_node(imx8_soc_match, of_root);
 	if (!id) {
 		ret = -ENODEV;
 		goto free_soc;
@@ -223,16 +191,8 @@ static int imx8_soc_info(struct platform_device *pdev)
 	data = id->data;
 	if (data) {
 		soc_dev_attr->soc_id = data->name;
-		if (data->soc_revision) {
-			if (pdev) {
-				soc_rev = data->soc_revision(&pdev->dev);
-				ret = soc_rev;
-				if (ret < 0)
-					goto free_soc;
-			} else {
-				soc_rev = data->soc_revision(NULL);
-			}
-		}
+		if (data->soc_revision)
+			soc_rev = data->soc_revision();
 	}
 
 	soc_dev_attr->revision = imx8_revision(soc_rev);
@@ -270,24 +230,4 @@ free_soc:
 	kfree(soc_dev_attr);
 	return ret;
 }
-
-/* Retain device_initcall is for backward compatibility with DTS. */
-static int __init imx8_soc_init(void)
-{
-	if (of_find_matching_node_and_match(NULL, imx8_soc_match, NULL))
-		return 0;
-
-	return imx8_soc_info(NULL);
-}
 device_initcall(imx8_soc_init);
-
-static struct platform_driver imx8_soc_info_driver = {
-	.probe = imx8_soc_info,
-	.driver = {
-		.name = "imx8_soc_info",
-		.of_match_table = imx8_soc_match,
-	},
-};
-
-module_platform_driver(imx8_soc_info_driver);
-MODULE_LICENSE("GPL v2");
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 012/175] dmaengine: idxd: fix desc->vector that isnt being updated
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 011/175] Revert "soc: imx8m: change to use platform driver" Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 013/175] dmaengine: idxd: fix sequence for pci driver remove() and shutdown() Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Jiang, Vinod Koul, Sasha Levin

From: Dave Jiang <dave.jiang@intel.com>

[ Upstream commit 8ba89a3c7967808f33478a8573277cf6a7412c4c ]

Missing update for desc->vector when the wq vector gets updated. This
causes the desc->vector to always be at 0.

Fixes: da435aedb00a ("dmaengine: idxd: fix array index when int_handles are being used")
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/162628784374.353761.4736602409627820431.stgit@djiang5-desk3.ch.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/submit.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/dma/idxd/submit.c b/drivers/dma/idxd/submit.c
index e29887528077..21d7d09f73dd 100644
--- a/drivers/dma/idxd/submit.c
+++ b/drivers/dma/idxd/submit.c
@@ -25,11 +25,10 @@ static struct idxd_desc *__get_desc(struct idxd_wq *wq, int idx, int cpu)
 	 * Descriptor completion vectors are 1...N for MSIX. We will round
 	 * robin through the N vectors.
 	 */
-	wq->vec_ptr = (wq->vec_ptr % idxd->num_wq_irqs) + 1;
+	wq->vec_ptr = desc->vector = (wq->vec_ptr % idxd->num_wq_irqs) + 1;
 	if (!idxd->int_handles) {
 		desc->hw->int_handle = wq->vec_ptr;
 	} else {
-		desc->vector = wq->vec_ptr;
 		/*
 		 * int_handles are only for descriptor completion. However for device
 		 * MSIX enumeration, vec 0 is used for misc interrupts. Therefore even
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 013/175] dmaengine: idxd: fix sequence for pci driver remove() and shutdown()
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 012/175] dmaengine: idxd: fix desc->vector that isnt being updated Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 014/175] dmaengine: idxd: fix submission race window Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Jiang, Vinod Koul, Sasha Levin

From: Dave Jiang <dave.jiang@intel.com>

[ Upstream commit 7eb25da161befbc9a80e94e1bd90d6c06aa645cf ]

->shutdown() call should only be responsible for quiescing the device.
Currently it is doing PCI device tear down. This causes issue when things
like MMIO mapping is removed while idxd_unregister_devices() will trigger
removal of idxd device sub-driver and still initiates MMIO writes to the
device. Another issue is with the unregistering of idxd 'struct device',
the memory context gets freed. So the teardown calls are accessing freed
memory and can cause kernel oops. Move all the teardown bits that doesn't
belong in shutdown to ->remove() call. Move unregistering of the idxd
conf_dev 'struct device' to after doing all the teardown to free all
the memory that's no longer needed.

Fixes: 47c16ac27d4c ("dmaengine: idxd: fix idxd conf_dev 'struct device' lifetime")
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/162629983901.395844.17964803190905549615.stgit@djiang5-desk3.ch.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/init.c  | 26 +++++++++++++++++---------
 drivers/dma/idxd/sysfs.c |  2 --
 2 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/drivers/dma/idxd/init.c b/drivers/dma/idxd/init.c
index 4bc80eb6b9e7..32cca6a0e66a 100644
--- a/drivers/dma/idxd/init.c
+++ b/drivers/dma/idxd/init.c
@@ -759,32 +759,40 @@ static void idxd_shutdown(struct pci_dev *pdev)
 	for (i = 0; i < msixcnt; i++) {
 		irq_entry = &idxd->irq_entries[i];
 		synchronize_irq(irq_entry->vector);
-		free_irq(irq_entry->vector, irq_entry);
 		if (i == 0)
 			continue;
 		idxd_flush_pending_llist(irq_entry);
 		idxd_flush_work_list(irq_entry);
 	}
-
-	idxd_msix_perm_clear(idxd);
-	idxd_release_int_handles(idxd);
-	pci_free_irq_vectors(pdev);
-	pci_iounmap(pdev, idxd->reg_base);
-	pci_disable_device(pdev);
-	destroy_workqueue(idxd->wq);
+	flush_workqueue(idxd->wq);
 }
 
 static void idxd_remove(struct pci_dev *pdev)
 {
 	struct idxd_device *idxd = pci_get_drvdata(pdev);
+	struct idxd_irq_entry *irq_entry;
+	int msixcnt = pci_msix_vec_count(pdev);
+	int i;
 
 	dev_dbg(&pdev->dev, "%s called\n", __func__);
 	idxd_shutdown(pdev);
 	if (device_pasid_enabled(idxd))
 		idxd_disable_system_pasid(idxd);
 	idxd_unregister_devices(idxd);
-	perfmon_pmu_remove(idxd);
+
+	for (i = 0; i < msixcnt; i++) {
+		irq_entry = &idxd->irq_entries[i];
+		free_irq(irq_entry->vector, irq_entry);
+	}
+	idxd_msix_perm_clear(idxd);
+	idxd_release_int_handles(idxd);
+	pci_free_irq_vectors(pdev);
+	pci_iounmap(pdev, idxd->reg_base);
 	iommu_dev_disable_feature(&pdev->dev, IOMMU_DEV_FEAT_SVA);
+	pci_disable_device(pdev);
+	destroy_workqueue(idxd->wq);
+	perfmon_pmu_remove(idxd);
+	device_unregister(&idxd->conf_dev);
 }
 
 static struct pci_driver idxd_pci_driver = {
diff --git a/drivers/dma/idxd/sysfs.c b/drivers/dma/idxd/sysfs.c
index 0460d58e3941..bb4df63906a7 100644
--- a/drivers/dma/idxd/sysfs.c
+++ b/drivers/dma/idxd/sysfs.c
@@ -1744,8 +1744,6 @@ void idxd_unregister_devices(struct idxd_device *idxd)
 
 		device_unregister(&group->conf_dev);
 	}
-
-	device_unregister(&idxd->conf_dev);
 }
 
 int idxd_register_bus_type(void)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 014/175] dmaengine: idxd: fix submission race window
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 013/175] dmaengine: idxd: fix sequence for pci driver remove() and shutdown() Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 015/175] arm64: dts: ls1028: sl28: fix networking for variant 2 Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Ananyev, Dave Jiang,
	Vinod Koul, Sasha Levin

From: Dave Jiang <dave.jiang@intel.com>

[ Upstream commit 6b4b87f2c31ac1af4f244990a7cbfb50d3f3e33f ]

Konstantin observed that when descriptors are submitted, the descriptor is
added to the pending list after the submission. This creates a race window
with the slight possibility that the descriptor can complete before it
gets added to the pending list and this window would cause the completion
handler to miss processing the descriptor.

To address the issue, the addition of the descriptor to the pending list
must be done before it gets submitted to the hardware. However, submitting
to swq with ENQCMDS instruction can cause a failure with the condition of
either wq is full or wq is not "active".

With the descriptor allocation being the gate to the wq capacity, it is not
possible to hit a retry with ENQCMDS submission to the swq. The only
possible failure can happen is when wq is no longer "active" due to hw
error and therefore we are moving towards taking down the portal. Given
this is a rare condition and there's no longer concern over I/O
performance, the driver can walk the completion lists in order to retrieve
and abort the descriptor.

The error path will set the descriptor to aborted status. It will take the
work list lock to prevent further processing of worklist. It will do a
delete_all on the pending llist to retrieve all descriptors on the pending
llist. The delete_all action does not require a lock. It will walk through
the acquired llist to find the aborted descriptor while add all remaining
descriptors to the work list since it holds the lock. If it does not find
the aborted descriptor on the llist, it will walk through the work
list. And if it still does not find the descriptor, then it means the
interrupt handler has removed the desc from the llist but is pending on
the work list lock and will process it once the error path releases the
lock.

Fixes: eb15e7154fbf ("dmaengine: idxd: add interrupt handle request and release support")
Reported-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/162628855747.360485.10101925573082466530.stgit@djiang5-desk3.ch.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/idxd.h   | 14 +++++++
 drivers/dma/idxd/irq.c    | 27 +++++++++-----
 drivers/dma/idxd/submit.c | 78 ++++++++++++++++++++++++++++++++++-----
 3 files changed, 101 insertions(+), 18 deletions(-)

diff --git a/drivers/dma/idxd/idxd.h b/drivers/dma/idxd/idxd.h
index 26482c7d4c3a..fc708be7ad9a 100644
--- a/drivers/dma/idxd/idxd.h
+++ b/drivers/dma/idxd/idxd.h
@@ -294,6 +294,14 @@ struct idxd_desc {
 	struct idxd_wq *wq;
 };
 
+/*
+ * This is software defined error for the completion status. We overload the error code
+ * that will never appear in completion status and only SWERR register.
+ */
+enum idxd_completion_status {
+	IDXD_COMP_DESC_ABORT = 0xff,
+};
+
 #define confdev_to_idxd(dev) container_of(dev, struct idxd_device, conf_dev)
 #define confdev_to_wq(dev) container_of(dev, struct idxd_wq, conf_dev)
 
@@ -482,4 +490,10 @@ static inline void perfmon_init(void) {}
 static inline void perfmon_exit(void) {}
 #endif
 
+static inline void complete_desc(struct idxd_desc *desc, enum idxd_complete_type reason)
+{
+	idxd_dma_complete_txd(desc, reason);
+	idxd_free_desc(desc->wq, desc);
+}
+
 #endif
diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c
index ae68e1e5487a..4e3a7198c0ca 100644
--- a/drivers/dma/idxd/irq.c
+++ b/drivers/dma/idxd/irq.c
@@ -245,12 +245,6 @@ static inline bool match_fault(struct idxd_desc *desc, u64 fault_addr)
 	return false;
 }
 
-static inline void complete_desc(struct idxd_desc *desc, enum idxd_complete_type reason)
-{
-	idxd_dma_complete_txd(desc, reason);
-	idxd_free_desc(desc->wq, desc);
-}
-
 static int irq_process_pending_llist(struct idxd_irq_entry *irq_entry,
 				     enum irq_work_type wtype,
 				     int *processed, u64 data)
@@ -272,8 +266,16 @@ static int irq_process_pending_llist(struct idxd_irq_entry *irq_entry,
 		reason = IDXD_COMPLETE_DEV_FAIL;
 
 	llist_for_each_entry_safe(desc, t, head, llnode) {
-		if (desc->completion->status) {
-			if ((desc->completion->status & DSA_COMP_STATUS_MASK) != DSA_COMP_SUCCESS)
+		u8 status = desc->completion->status & DSA_COMP_STATUS_MASK;
+
+		if (status) {
+			if (unlikely(status == IDXD_COMP_DESC_ABORT)) {
+				complete_desc(desc, IDXD_COMPLETE_ABORT);
+				(*processed)++;
+				continue;
+			}
+
+			if (unlikely(status != DSA_COMP_SUCCESS))
 				match_fault(desc, data);
 			complete_desc(desc, reason);
 			(*processed)++;
@@ -329,7 +331,14 @@ static int irq_process_work_list(struct idxd_irq_entry *irq_entry,
 	spin_unlock_irqrestore(&irq_entry->list_lock, flags);
 
 	list_for_each_entry(desc, &flist, list) {
-		if ((desc->completion->status & DSA_COMP_STATUS_MASK) != DSA_COMP_SUCCESS)
+		u8 status = desc->completion->status & DSA_COMP_STATUS_MASK;
+
+		if (unlikely(status == IDXD_COMP_DESC_ABORT)) {
+			complete_desc(desc, IDXD_COMPLETE_ABORT);
+			continue;
+		}
+
+		if (unlikely(status != DSA_COMP_SUCCESS))
 			match_fault(desc, data);
 		complete_desc(desc, reason);
 	}
diff --git a/drivers/dma/idxd/submit.c b/drivers/dma/idxd/submit.c
index 21d7d09f73dd..36c9c1a89b7e 100644
--- a/drivers/dma/idxd/submit.c
+++ b/drivers/dma/idxd/submit.c
@@ -87,9 +87,64 @@ void idxd_free_desc(struct idxd_wq *wq, struct idxd_desc *desc)
 	sbitmap_queue_clear(&wq->sbq, desc->id, cpu);
 }
 
+static struct idxd_desc *list_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie,
+					 struct idxd_desc *desc)
+{
+	struct idxd_desc *d, *n;
+
+	lockdep_assert_held(&ie->list_lock);
+	list_for_each_entry_safe(d, n, &ie->work_list, list) {
+		if (d == desc) {
+			list_del(&d->list);
+			return d;
+		}
+	}
+
+	/*
+	 * At this point, the desc needs to be aborted is held by the completion
+	 * handler where it has taken it off the pending list but has not added to the
+	 * work list. It will be cleaned up by the interrupt handler when it sees the
+	 * IDXD_COMP_DESC_ABORT for completion status.
+	 */
+	return NULL;
+}
+
+static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie,
+			     struct idxd_desc *desc)
+{
+	struct idxd_desc *d, *t, *found = NULL;
+	struct llist_node *head;
+	unsigned long flags;
+
+	desc->completion->status = IDXD_COMP_DESC_ABORT;
+	/*
+	 * Grab the list lock so it will block the irq thread handler. This allows the
+	 * abort code to locate the descriptor need to be aborted.
+	 */
+	spin_lock_irqsave(&ie->list_lock, flags);
+	head = llist_del_all(&ie->pending_llist);
+	if (head) {
+		llist_for_each_entry_safe(d, t, head, llnode) {
+			if (d == desc) {
+				found = desc;
+				continue;
+			}
+			list_add_tail(&desc->list, &ie->work_list);
+		}
+	}
+
+	if (!found)
+		found = list_abort_desc(wq, ie, desc);
+	spin_unlock_irqrestore(&ie->list_lock, flags);
+
+	if (found)
+		complete_desc(found, IDXD_COMPLETE_ABORT);
+}
+
 int idxd_submit_desc(struct idxd_wq *wq, struct idxd_desc *desc)
 {
 	struct idxd_device *idxd = wq->idxd;
+	struct idxd_irq_entry *ie = NULL;
 	void __iomem *portal;
 	int rc;
 
@@ -107,6 +162,16 @@ int idxd_submit_desc(struct idxd_wq *wq, struct idxd_desc *desc)
 	 * even on UP because the recipient is a device.
 	 */
 	wmb();
+
+	/*
+	 * Pending the descriptor to the lockless list for the irq_entry
+	 * that we designated the descriptor to.
+	 */
+	if (desc->hw->flags & IDXD_OP_FLAG_RCI) {
+		ie = &idxd->irq_entries[desc->vector];
+		llist_add(&desc->llnode, &ie->pending_llist);
+	}
+
 	if (wq_dedicated(wq)) {
 		iosubmit_cmds512(portal, desc->hw, 1);
 	} else {
@@ -117,18 +182,13 @@ int idxd_submit_desc(struct idxd_wq *wq, struct idxd_desc *desc)
 		 * device is not accepting descriptor at all.
 		 */
 		rc = enqcmds(portal, desc->hw);
-		if (rc < 0)
+		if (rc < 0) {
+			if (ie)
+				llist_abort_desc(wq, ie, desc);
 			return rc;
+		}
 	}
 
 	percpu_ref_put(&wq->wq_active);
-
-	/*
-	 * Pending the descriptor to the lockless list for the irq_entry
-	 * that we designated the descriptor to.
-	 */
-	if (desc->hw->flags & IDXD_OP_FLAG_RCI)
-		llist_add(&desc->llnode, &idxd->irq_entries[desc->vector].pending_llist);
-
 	return 0;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 015/175] arm64: dts: ls1028: sl28: fix networking for variant 2
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 014/175] dmaengine: idxd: fix submission race window Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 016/175] ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Walle, Shawn Guo, Sasha Levin

From: Michael Walle <michael@walle.cc>

[ Upstream commit 29f6a20c21b5bdc7eb623a712bbf7b99612ee746 ]

The PHY configuration for the variant 2 is still missing the flag for
in-band signalling between PHY and MAC. Both sides - MAC and PHY - have
to match the setting. For now, Linux only supports setting the MAC side
and thus it has to match the setting the bootloader is configuring.
Enable in-band signalling to make ethernet work.

Fixes: ab43f0307449 ("arm64: dts: ls1028a: sl28: add support for variant 2")
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/freescale/fsl-ls1028a-kontron-sl28-var2.dts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1028a-kontron-sl28-var2.dts b/arch/arm64/boot/dts/freescale/fsl-ls1028a-kontron-sl28-var2.dts
index dd764b720fb0..f6a79c8080d1 100644
--- a/arch/arm64/boot/dts/freescale/fsl-ls1028a-kontron-sl28-var2.dts
+++ b/arch/arm64/boot/dts/freescale/fsl-ls1028a-kontron-sl28-var2.dts
@@ -54,6 +54,7 @@
 
 &mscc_felix_port0 {
 	label = "swp0";
+	managed = "in-band-status";
 	phy-handle = <&phy0>;
 	phy-mode = "sgmii";
 	status = "okay";
@@ -61,6 +62,7 @@
 
 &mscc_felix_port1 {
 	label = "swp1";
+	managed = "in-band-status";
 	phy-handle = <&phy1>;
 	phy-mode = "sgmii";
 	status = "okay";
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 016/175] ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 015/175] arm64: dts: ls1028: sl28: fix networking for variant 2 Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 017/175] ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleksandr Suvorov, Fabio Estevam,
	Shawn Guo, Sasha Levin

From: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>

[ Upstream commit 828db68f4ff1ab6982a36a56522b585160dc8c8e ]

NXP and AzureWave don't recommend using SDIO bus mode 3.3V@50MHz due
to noise affecting the wireless throughput. Colibri iMX6ULL uses only
3.3V signaling for Wi-Fi module AW-CM276NF.

Limit the SDIO Clock on Colibri iMX6ULL to 25MHz.

Fixes: c2e4987e0e02 ("ARM: dts: imx6ull: add Toradex Colibri iMX6ULL support")
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi b/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi
index a0545431b3dc..9f1e38282bee 100644
--- a/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi
+++ b/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi
@@ -43,6 +43,7 @@
 	assigned-clock-rates = <0>, <198000000>;
 	cap-power-off-card;
 	keep-power-in-suspend;
+	max-frequency = <25000000>;
 	mmc-pwrseq = <&wifi_pwrseq>;
 	no-1-8-v;
 	non-removable;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 017/175] ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 016/175] ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 018/175] ARM: dts: imx: Swap M53Menlo pinctrl_power_button/pinctrl_power_out pins Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Shawn Guo, Sasha Levin

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit 20fb73911fec01f06592de1cdbca00b66602ebd7 ]

The function imx_mmdc_perf_init recently had a 3rd argument added to
it but the equivalent macro was not updated and is still the older
2 argument version. Fix this by adding in the missing 3rd argumement
mmdc_ipg_clk.

Fixes: f07ec8536580 ("ARM: imx: add missing clk_disable_unprepare()")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-imx/mmdc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mach-imx/mmdc.c b/arch/arm/mach-imx/mmdc.c
index 4a6f1359e1e9..af12668d0bf5 100644
--- a/arch/arm/mach-imx/mmdc.c
+++ b/arch/arm/mach-imx/mmdc.c
@@ -534,7 +534,7 @@ pmu_free:
 
 #else
 #define imx_mmdc_remove NULL
-#define imx_mmdc_perf_init(pdev, mmdc_base) 0
+#define imx_mmdc_perf_init(pdev, mmdc_base, mmdc_ipg_clk) 0
 #endif
 
 static int imx_mmdc_probe(struct platform_device *pdev)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 018/175] ARM: dts: imx: Swap M53Menlo pinctrl_power_button/pinctrl_power_out pins
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 017/175] ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 019/175] arm64: dts: armada-3720-turris-mox: fixed indices for the SDHC controllers Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, Shawn Guo,
	Fabio Estevam, NXP Linux Team, Sasha Levin

From: Marek Vasut <marex@denx.de>

[ Upstream commit 3d9e30a52047f2d464efdfd1d561ae1f707a0286 ]

The pinctrl_power_button/pinctrl_power_out each define single GPIO
pinmux, except it is exactly the other one than the matching gpio-keys
and gpio-poweroff DT nodes use for that functionality. Swap the two
GPIOs to correct this error.

Fixes: 50d29fdb765d ("ARM: dts: imx53: Add power GPIOs on M53Menlo")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: NXP Linux Team <linux-imx@nxp.com>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/imx53-m53menlo.dts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm/boot/dts/imx53-m53menlo.dts b/arch/arm/boot/dts/imx53-m53menlo.dts
index f98691ae4415..d3082b9774e4 100644
--- a/arch/arm/boot/dts/imx53-m53menlo.dts
+++ b/arch/arm/boot/dts/imx53-m53menlo.dts
@@ -388,13 +388,13 @@
 
 		pinctrl_power_button: powerbutgrp {
 			fsl,pins = <
-				MX53_PAD_SD2_DATA2__GPIO1_13		0x1e4
+				MX53_PAD_SD2_DATA0__GPIO1_15		0x1e4
 			>;
 		};
 
 		pinctrl_power_out: poweroutgrp {
 			fsl,pins = <
-				MX53_PAD_SD2_DATA0__GPIO1_15		0x1e4
+				MX53_PAD_SD2_DATA2__GPIO1_13		0x1e4
 			>;
 		};
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 019/175] arm64: dts: armada-3720-turris-mox: fixed indices for the SDHC controllers
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 018/175] ARM: dts: imx: Swap M53Menlo pinctrl_power_button/pinctrl_power_out pins Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 020/175] ext4: fix potential uninitialized access to retval in kmmpd Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladimir Oltean, Gregory CLEMENT,
	Sasha Levin

From: Vladimir Oltean <vladimir.oltean@nxp.com>

[ Upstream commit 923f98929182dfd04e9149be839160b63a3db145 ]

Since drivers/mmc/host/sdhci-xenon.c declares the PROBE_PREFER_ASYNCHRONOUS
probe type, it is not guaranteed whether /dev/mmcblk0 will belong to
sdhci0 or sdhci1. In turn, this will break booting by:

root=/dev/mmcblk0p1

Fix the issue by adding aliases so that the old MMC controller indices
are preserved.

Fixes: 7320915c8861 ("mmc: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in v4.14")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
index ce2bcddf396f..f2d7d6f071bc 100644
--- a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
+++ b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
@@ -19,6 +19,8 @@
 	aliases {
 		spi0 = &spi0;
 		ethernet1 = &eth1;
+		mmc0 = &sdhci0;
+		mmc1 = &sdhci1;
 	};
 
 	chosen {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 020/175] ext4: fix potential uninitialized access to retval in kmmpd
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 019/175] arm64: dts: armada-3720-turris-mox: fixed indices for the SDHC controllers Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 021/175] arm64: dts: armada-3720-turris-mox: remove mrvl,i2c-fast-mode Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ye Bin, Theodore Tso, Sasha Levin

From: Ye Bin <yebin10@huawei.com>

[ Upstream commit b66541422824cf6cf20e9a35112e9cb5d82cdf62 ]

if (!ext4_has_feature_mmp(sb)) then retval can be unitialized before
we jump to the wait_to_exit label.

Fixes: 61bb4a1c417e ("ext4: fix possible UAF when remounting r/o a mmp-protected file system")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/r/20210713022728.2533770-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/mmp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
index bc364c119af6..cebea4270817 100644
--- a/fs/ext4/mmp.c
+++ b/fs/ext4/mmp.c
@@ -138,7 +138,7 @@ static int kmmpd(void *data)
 	unsigned mmp_check_interval;
 	unsigned long last_update_time;
 	unsigned long diff;
-	int retval;
+	int retval = 0;
 
 	mmp_block = le64_to_cpu(es->s_mmp_block);
 	mmp = (struct mmp_struct *)(bh->b_data);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 021/175] arm64: dts: armada-3720-turris-mox: remove mrvl,i2c-fast-mode
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 020/175] ext4: fix potential uninitialized access to retval in kmmpd Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 022/175] ALSA: usb-audio: fix incorrect clock source setting Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pali Rohár, Marek Behún,
	Russell King (Oracle),
	Gregory CLEMENT, Sasha Levin

From: Pali Rohár <pali@kernel.org>

[ Upstream commit ee7ab3f263f8131722cff3871b9618b1e7478f07 ]

Some SFP modules are not detected when i2c-fast-mode is enabled even when
clock-frequency is already set to 100000. The I2C bus violates the timing
specifications when run in fast mode. So disable fast mode on Turris Mox.

Same change was already applied for uDPU (also Armada 3720 board with SFP)
in commit fe3ec631a77d ("arm64: dts: uDPU: remove i2c-fast-mode").

Fixes: 7109d817db2e ("arm64: dts: marvell: add DTS for Turris Mox")
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Marek Behún <kabel@kernel.org>
Acked-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
index f2d7d6f071bc..a05b1ab2dd12 100644
--- a/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
+++ b/arch/arm64/boot/dts/marvell/armada-3720-turris-mox.dts
@@ -121,6 +121,7 @@
 	pinctrl-names = "default";
 	pinctrl-0 = <&i2c1_pins>;
 	clock-frequency = <100000>;
+	/delete-property/ mrvl,i2c-fast-mode;
 	status = "okay";
 
 	rtc@6f {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 022/175] ALSA: usb-audio: fix incorrect clock source setting
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 021/175] arm64: dts: armada-3720-turris-mox: remove mrvl,i2c-fast-mode Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 023/175] riscv: stacktrace: Fix NULL pointer dereference Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, chihhao.chen, Takashi Iwai, Sasha Levin

From: chihhao.chen <chihhao.chen@mediatek.com>

[ Upstream commit 4511781f95da0a3b2bad34f3f5e3967e80cd2d18 ]

The following scenario describes an echo test for
Samsung USBC Headset (AKG) with VID/PID (0x04e8/0xa051).

We first start a capture stream(USB IN transfer) in 96Khz/24bit/1ch mode.
In clock find source function, we get value 0x2 for clock selector
and 0x1 for clock source.

Kernel-4.14 behavior
Since clock source is valid so clock selector was not set again.
We pass through this function and start a playback stream(USB OUT transfer)
in 48Khz/32bit/2ch mode. This time we get value 0x1 for clock selector
and 0x1 for clock source. Finally clock id with this setting is 0x9.

Kernel-5.10 behavior
Clock selector was always set one more time even it is valid.
When we start a playback stream, we will get 0x2 for clock selector
and 0x1 for clock source. In this case clock id becomes 0xA.
This is an incorrect clock source setting and results in severe noises.
We see wrong data rate in USB IN transfer.
(From 288 bytes/ms becomes 144 bytes/ms) It should keep in 288 bytes/ms.

This earphone works fine on older kernel version load because
this is a newly-added behavior.

Fixes: d2e8f641257d ("ALSA: usb-audio: Explicitly set up the clock selector")
Signed-off-by: chihhao.chen <chihhao.chen@mediatek.com>
Link: https://lore.kernel.org/r/1627100621-19225-1-git-send-email-chihhao.chen@mediatek.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/usb/clock.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index 17bbde73d4d1..14772209194b 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -325,6 +325,12 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
 					      selector->baCSourceID[ret - 1],
 					      visited, validate);
 		if (ret > 0) {
+			/*
+			 * For Samsung USBC Headset (AKG), setting clock selector again
+			 * will result in incorrect default clock setting problems
+			 */
+			if (chip->usb_id == USB_ID(0x04e8, 0xa051))
+				return ret;
 			err = uac_clock_selector_set_val(chip, entity_id, cur);
 			if (err < 0)
 				return err;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 023/175] riscv: stacktrace: Fix NULL pointer dereference
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 022/175] ALSA: usb-audio: fix incorrect clock source setting Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 024/175] clk: stm32f4: fix post divisor setup for I2S/SAI PLLs Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jisheng Zhang, Atish Patra,
	Wende Tan, Palmer Dabbelt, Sasha Levin

From: Jisheng Zhang <jszhang@kernel.org>

[ Upstream commit 78d9d8005e4556448f398d876f29d0ca7ab8e398 ]

When CONFIG_FRAME_POINTER=y, calling dump_stack() can always trigger
NULL pointer dereference panic similar as below:

[    0.396060] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc5+ #47
[    0.396692] Hardware name: riscv-virtio,qemu (DT)
[    0.397176] Call Trace:
[    0.398191] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000960
[    0.399487] Oops [#1]
[    0.399739] Modules linked in:
[    0.400135] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc5+ #47
[    0.400570] Hardware name: riscv-virtio,qemu (DT)
[    0.400926] epc : walk_stackframe+0xc4/0xdc
[    0.401291]  ra : dump_backtrace+0x30/0x38
[    0.401630] epc : ffffffff80004922 ra : ffffffff8000496a sp : ffffffe000f3bd00
[    0.402115]  gp : ffffffff80cfdcb8 tp : ffffffe000f30000 t0 : ffffffff80d0b0cf
[    0.402602]  t1 : ffffffff80d0b0c0 t2 : 0000000000000000 s0 : ffffffe000f3bd60
[    0.403071]  s1 : ffffffff808bc2e8 a0 : 0000000000001000 a1 : 0000000000000000
[    0.403448]  a2 : ffffffff803d7088 a3 : ffffffff808bc2e8 a4 : 6131725dbc24d400
[    0.403820]  a5 : 0000000000001000 a6 : 0000000000000002 a7 : ffffffffffffffff
[    0.404226]  s2 : 0000000000000000 s3 : 0000000000000000 s4 : 0000000000000000
[    0.404634]  s5 : ffffffff803d7088 s6 : ffffffff808bc2e8 s7 : ffffffff80630650
[    0.405085]  s8 : ffffffff80912a80 s9 : 0000000000000008 s10: ffffffff804000fc
[    0.405388]  s11: 0000000000000000 t3 : 0000000000000043 t4 : ffffffffffffffff
[    0.405616]  t5 : 000000000000003d t6 : ffffffe000f3baa8
[    0.405793] status: 0000000000000100 badaddr: 0000000000000960 cause: 000000000000000d
[    0.406135] [<ffffffff80004922>] walk_stackframe+0xc4/0xdc
[    0.407032] [<ffffffff8000496a>] dump_backtrace+0x30/0x38
[    0.407797] [<ffffffff803d7100>] show_stack+0x40/0x4c
[    0.408234] [<ffffffff803d9e5c>] dump_stack+0x90/0xb6
[    0.409019] [<ffffffff8040423e>] ptdump_init+0x20/0xc4
[    0.409681] [<ffffffff800015b6>] do_one_initcall+0x4c/0x226
[    0.410110] [<ffffffff80401094>] kernel_init_freeable+0x1f4/0x258
[    0.410562] [<ffffffff803dba88>] kernel_init+0x22/0x148
[    0.410959] [<ffffffff800029e2>] ret_from_exception+0x0/0x14
[    0.412241] ---[ end trace b2ab92c901b96251 ]---
[    0.413099] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b

The reason is the task is NULL when we finally call walk_stackframe()
the NULL is passed from __dump_stack():

|static void __dump_stack(void)
|{
|        dump_stack_print_info(KERN_DEFAULT);
|        show_stack(NULL, NULL, KERN_DEFAULT);
|}

Fix this issue by checking "task == NULL" case in walk_stackframe().

Fixes: eac2f3059e02 ("riscv: stacktrace: fix the riscv stacktrace when CONFIG_FRAME_POINTER enabled")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Reviewed-by: Atish Patra <atish.patra@wdc.com>
Tested-by: Wende Tan <twd2.me@gmail.com>
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/riscv/kernel/stacktrace.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
index bde85fc53357..7bc8af75933a 100644
--- a/arch/riscv/kernel/stacktrace.c
+++ b/arch/riscv/kernel/stacktrace.c
@@ -27,7 +27,7 @@ void notrace walk_stackframe(struct task_struct *task, struct pt_regs *regs,
 		fp = frame_pointer(regs);
 		sp = user_stack_pointer(regs);
 		pc = instruction_pointer(regs);
-	} else if (task == current) {
+	} else if (task == NULL || task == current) {
 		fp = (unsigned long)__builtin_frame_address(1);
 		sp = (unsigned long)__builtin_frame_address(0);
 		pc = (unsigned long)__builtin_return_address(0);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 024/175] clk: stm32f4: fix post divisor setup for I2S/SAI PLLs
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 023/175] riscv: stacktrace: Fix NULL pointer dereference Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 025/175] ARM: dts: am437x-l4: fix typo in can@0 node Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dario Binacchi, Gabriel Fernandez,
	Stephen Boyd, Sasha Levin

From: Dario Binacchi <dariobin@libero.it>

[ Upstream commit 24b5b1978cd5a80db58e2a19db2f9c36fe8d4f7a ]

Enabling the framebuffer leads to a system hang. Running, as a debug
hack, the store_pan() function in drivers/video/fbdev/core/fbsysfs.c
without taking the console_lock, allows to see the crash backtrace on
the serial line.

~ # echo 0 0 > /sys/class/graphics/fb0/pan

[    9.719414] Unhandled exception: IPSR = 00000005 LR = fffffff1
[    9.726937] CPU: 0 PID: 49 Comm: sh Not tainted 5.13.0-rc5 #9
[    9.733008] Hardware name: STM32 (Device Tree Support)
[    9.738296] PC is at clk_gate_is_enabled+0x0/0x28
[    9.743426] LR is at stm32f4_pll_div_set_rate+0xf/0x38
[    9.748857] pc : [<0011e4be>]    lr : [<0011f9e3>]    psr: 0100000b
[    9.755373] sp : 00bc7be0  ip : 00000000  fp : 001f3ac4
[    9.760812] r10: 002610d0  r9 : 01efe920  r8 : 00540560
[    9.766269] r7 : 02e7ddb0  r6 : 0173eed8  r5 : 00000000  r4 : 004027c0
[    9.773081] r3 : 0011e4bf  r2 : 02e7ddb0  r1 : 0173eed8  r0 : 1d3267b8
[    9.779911] xPSR: 0100000b
[    9.782719] CPU: 0 PID: 49 Comm: sh Not tainted 5.13.0-rc5 #9
[    9.788791] Hardware name: STM32 (Device Tree Support)
[    9.794120] [<0000afa1>] (unwind_backtrace) from [<0000a33f>] (show_stack+0xb/0xc)
[    9.802421] [<0000a33f>] (show_stack) from [<0000a8df>] (__invalid_entry+0x4b/0x4c)

The `pll_num' field in the post_div_data configuration contained a wrong
value which also referenced an uninitialized hardware clock when
clk_register_pll_div() was called.

Fixes: 517633ef630e ("clk: stm32f4: Add post divisor for I2S & SAI PLLs")
Signed-off-by: Dario Binacchi <dariobin@libero.it>
Reviewed-by: Gabriel Fernandez <gabriel.fernandez@st.com>
Link: https://lore.kernel.org/r/20210725160725.10788-1-dariobin@libero.it
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/clk-stm32f4.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/clk/clk-stm32f4.c b/drivers/clk/clk-stm32f4.c
index 18117ce5ff85..5c75e3d906c2 100644
--- a/drivers/clk/clk-stm32f4.c
+++ b/drivers/clk/clk-stm32f4.c
@@ -526,7 +526,7 @@ struct stm32f4_pll {
 
 struct stm32f4_pll_post_div_data {
 	int idx;
-	u8 pll_num;
+	int pll_idx;
 	const char *name;
 	const char *parent;
 	u8 flag;
@@ -557,13 +557,13 @@ static const struct clk_div_table post_divr_table[] = {
 
 #define MAX_POST_DIV 3
 static const struct stm32f4_pll_post_div_data  post_div_data[MAX_POST_DIV] = {
-	{ CLK_I2SQ_PDIV, PLL_I2S, "plli2s-q-div", "plli2s-q",
+	{ CLK_I2SQ_PDIV, PLL_VCO_I2S, "plli2s-q-div", "plli2s-q",
 		CLK_SET_RATE_PARENT, STM32F4_RCC_DCKCFGR, 0, 5, 0, NULL},
 
-	{ CLK_SAIQ_PDIV, PLL_SAI, "pllsai-q-div", "pllsai-q",
+	{ CLK_SAIQ_PDIV, PLL_VCO_SAI, "pllsai-q-div", "pllsai-q",
 		CLK_SET_RATE_PARENT, STM32F4_RCC_DCKCFGR, 8, 5, 0, NULL },
 
-	{ NO_IDX, PLL_SAI, "pllsai-r-div", "pllsai-r", CLK_SET_RATE_PARENT,
+	{ NO_IDX, PLL_VCO_SAI, "pllsai-r-div", "pllsai-r", CLK_SET_RATE_PARENT,
 		STM32F4_RCC_DCKCFGR, 16, 2, 0, post_divr_table },
 };
 
@@ -1774,7 +1774,7 @@ static void __init stm32f4_rcc_init(struct device_node *np)
 				post_div->width,
 				post_div->flag_div,
 				post_div->div_table,
-				clks[post_div->pll_num],
+				clks[post_div->pll_idx],
 				&stm32f4_clk_lock);
 
 		if (post_div->idx != NO_IDX)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 025/175] ARM: dts: am437x-l4: fix typo in can@0 node
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 024/175] clk: stm32f4: fix post divisor setup for I2S/SAI PLLs Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 026/175] omap5-board-common: remove not physically existing vdds_1v8_main fixed-regulator Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dario Binacchi, Tony Lindgren, Sasha Levin

From: Dario Binacchi <dariobin@libero.it>

[ Upstream commit 0162a9964365fd26e34575e121b17d021204c481 ]

Replace clock-name with clock-names.

Fixes: 2a4117df9b43 ("ARM: dts: Fix dcan driver probe failed on am437x platform")
Signed-off-by: Dario Binacchi <dariobin@libero.it>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/am437x-l4.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/am437x-l4.dtsi b/arch/arm/boot/dts/am437x-l4.dtsi
index a6f19ae7d3e6..f73ecec1995a 100644
--- a/arch/arm/boot/dts/am437x-l4.dtsi
+++ b/arch/arm/boot/dts/am437x-l4.dtsi
@@ -1595,7 +1595,7 @@
 				compatible = "ti,am4372-d_can", "ti,am3352-d_can";
 				reg = <0x0 0x2000>;
 				clocks = <&dcan1_fck>;
-				clock-name = "fck";
+				clock-names = "fck";
 				syscon-raminit = <&scm_conf 0x644 1>;
 				interrupts = <GIC_SPI 49 IRQ_TYPE_LEVEL_HIGH>;
 				status = "disabled";
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 026/175] omap5-board-common: remove not physically existing vdds_1v8_main fixed-regulator
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 025/175] ARM: dts: am437x-l4: fix typo in can@0 node Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 027/175] dmaengine: uniphier-xdmac: Use readl_poll_timeout_atomic() in atomic state Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H. Nikolaus Schaller, Tony Lindgren,
	Sasha Levin

From: H. Nikolaus Schaller <hns@goldelico.com>

[ Upstream commit c68ef4ad180e09805fa46965d15e1dfadf09ffa5 ]

This device tree include file describes a fixed-regulator
connecting smps7_reg output (1.8V) to some 1.8V rail and
consumers (vdds_1v8_main).

This regulator does not physically exist.

I assume it was introduced as a wrapper around smps7_reg
to provide a speaking signal name "vdds_1v8_main" as label.

This fixed-regulator without real function was not an issue
in driver code until

  Commit 98e48cd9283d ("regulator: core: resolve supply for boot-on/always-on regulators")

introduced a new check for regulator initialization which
makes Palmas regulator registration fail:

[    5.407712] ldo1: supplied by vsys_cobra
[    5.412748] ldo2: supplied by vsys_cobra
[    5.417603] palmas-pmic 48070000.i2c:palmas@48:palmas_pmic: failed to register 48070000.i2c:palmas@48:palmas_pmic regulator

The reason is that the supply-chain of regulators is too
long and goes from ldo3 through the virtual vdds_1v8_main
regulator and then back to smps7. This adds a cross-dependency
of probing Palmas regulators and the fixed-regulator which
leads to probe deferral by the new check and is no longer
resolved.

Since we do not control what device tree files including this
one reference (either &vdds_1v8_main or &smps7_reg or both)
we keep both labels for smps7 for compatibility.

Fixes: 98e48cd9283d ("regulator: core: resolve supply for boot-on/always-on regulators")
Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/omap5-board-common.dtsi | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/arch/arm/boot/dts/omap5-board-common.dtsi b/arch/arm/boot/dts/omap5-board-common.dtsi
index d8f13626cfd1..3a8f10231475 100644
--- a/arch/arm/boot/dts/omap5-board-common.dtsi
+++ b/arch/arm/boot/dts/omap5-board-common.dtsi
@@ -30,14 +30,6 @@
 		regulator-max-microvolt = <5000000>;
 	};
 
-	vdds_1v8_main: fixedregulator-vdds_1v8_main {
-		compatible = "regulator-fixed";
-		regulator-name = "vdds_1v8_main";
-		vin-supply = <&smps7_reg>;
-		regulator-min-microvolt = <1800000>;
-		regulator-max-microvolt = <1800000>;
-	};
-
 	vmmcsd_fixed: fixedregulator-mmcsd {
 		compatible = "regulator-fixed";
 		regulator-name = "vmmcsd_fixed";
@@ -487,6 +479,7 @@
 					regulator-boot-on;
 				};
 
+				vdds_1v8_main:
 				smps7_reg: smps7 {
 					/* VDDS_1v8_OMAP over VDDS_1v8_MAIN */
 					regulator-name = "smps7";
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 027/175] dmaengine: uniphier-xdmac: Use readl_poll_timeout_atomic() in atomic state
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 026/175] omap5-board-common: remove not physically existing vdds_1v8_main fixed-regulator Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 028/175] clk: tegra: Implement disable_unused() of tegra_clk_sdmmc_mux_ops Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Kunihiko Hayashi,
	Vinod Koul, Sasha Levin

From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>

[ Upstream commit 55f24c27b6c1a840b62fe297616f1f9ea3576cb7 ]

The function uniphier_xdmac_chan_stop() is only called in atomic state.
Should use readl_poll_timeout_atomic() there instead of
readl_poll_timeout().

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 667b9251440b ("dmaengine: uniphier-xdmac: Add UniPhier external DMA controller driver")
Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
Link: https://lore.kernel.org/r/1627364852-28432-1-git-send-email-hayashi.kunihiko@socionext.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/uniphier-xdmac.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/dma/uniphier-xdmac.c b/drivers/dma/uniphier-xdmac.c
index 16b19654873d..d6b8a202474f 100644
--- a/drivers/dma/uniphier-xdmac.c
+++ b/drivers/dma/uniphier-xdmac.c
@@ -209,8 +209,8 @@ static int uniphier_xdmac_chan_stop(struct uniphier_xdmac_chan *xc)
 	writel(0, xc->reg_ch_base + XDMAC_TSS);
 
 	/* wait until transfer is stopped */
-	return readl_poll_timeout(xc->reg_ch_base + XDMAC_STAT, val,
-				  !(val & XDMAC_STAT_TENF), 100, 1000);
+	return readl_poll_timeout_atomic(xc->reg_ch_base + XDMAC_STAT, val,
+					 !(val & XDMAC_STAT_TENF), 100, 1000);
 }
 
 /* xc->vc.lock must be held by caller */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 028/175] clk: tegra: Implement disable_unused() of tegra_clk_sdmmc_mux_ops
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 027/175] dmaengine: uniphier-xdmac: Use readl_poll_timeout_atomic() in atomic state Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 029/175] dmaengine: stm32-dma: Fix PM usage counter imbalance in stm32 dma ops Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Hunter, Dmitry Osipenko,
	Stephen Boyd, Sasha Levin

From: Dmitry Osipenko <digetx@gmail.com>

[ Upstream commit 2bcc025ab9bbd029b1730cde71cb4e4f0ed35d0f ]

Implement disable_unused() callback of tegra_clk_sdmmc_mux_ops to fix
imbalanced disabling of the unused MMC clock on Tegra210 Jetson Nano.

Fixes: c592c8a28f58 ("clk: tegra: Fix refcounting of gate clocks")
Reported-by: Jon Hunter <jonathanh@nvidia.com> # T210 Nano
Tested-by: Jon Hunter <jonathanh@nvidia.com> # T210 Nano
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Link: https://lore.kernel.org/r/20210717112742.7196-1-digetx@gmail.com
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/tegra/clk-sdmmc-mux.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/clk/tegra/clk-sdmmc-mux.c b/drivers/clk/tegra/clk-sdmmc-mux.c
index 316912d3b1a4..4f2c3309eea4 100644
--- a/drivers/clk/tegra/clk-sdmmc-mux.c
+++ b/drivers/clk/tegra/clk-sdmmc-mux.c
@@ -194,6 +194,15 @@ static void clk_sdmmc_mux_disable(struct clk_hw *hw)
 	gate_ops->disable(gate_hw);
 }
 
+static void clk_sdmmc_mux_disable_unused(struct clk_hw *hw)
+{
+	struct tegra_sdmmc_mux *sdmmc_mux = to_clk_sdmmc_mux(hw);
+	const struct clk_ops *gate_ops = sdmmc_mux->gate_ops;
+	struct clk_hw *gate_hw = &sdmmc_mux->gate.hw;
+
+	gate_ops->disable_unused(gate_hw);
+}
+
 static void clk_sdmmc_mux_restore_context(struct clk_hw *hw)
 {
 	struct clk_hw *parent = clk_hw_get_parent(hw);
@@ -218,6 +227,7 @@ static const struct clk_ops tegra_clk_sdmmc_mux_ops = {
 	.is_enabled = clk_sdmmc_mux_is_enabled,
 	.enable = clk_sdmmc_mux_enable,
 	.disable = clk_sdmmc_mux_disable,
+	.disable_unused = clk_sdmmc_mux_disable_unused,
 	.restore_context = clk_sdmmc_mux_restore_context,
 };
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 029/175] dmaengine: stm32-dma: Fix PM usage counter imbalance in stm32 dma ops
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 028/175] clk: tegra: Implement disable_unused() of tegra_clk_sdmmc_mux_ops Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 030/175] dmaengine: stm32-dmamux: Fix PM usage counter unbalance in stm32 dmamux ops Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhang Qilong, Vinod Koul, Sasha Levin

From: Zhang Qilong <zhangqilong3@huawei.com>

[ Upstream commit d54db74ad6e0dea8c253fb68c689b836657ab914 ]

pm_runtime_get_sync will increment pm usage counter
even it failed. Forgetting to putting operation will
result in reference leak here. We fix it by replacing
it with pm_runtime_resume_and_get to keep usage counter
balanced.

Fixes: 48bc73ba14bcd ("dmaengine: stm32-dma: Add PM Runtime support")
Fixes: 05f8740a0e6fc ("dmaengine: stm32-dma: add suspend/resume power management support")
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Link: https://lore.kernel.org/r/20210607064640.121394-2-zhangqilong3@huawei.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/stm32-dma.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c
index f54ecb123a52..7dd1d3d0bf06 100644
--- a/drivers/dma/stm32-dma.c
+++ b/drivers/dma/stm32-dma.c
@@ -1200,7 +1200,7 @@ static int stm32_dma_alloc_chan_resources(struct dma_chan *c)
 
 	chan->config_init = false;
 
-	ret = pm_runtime_get_sync(dmadev->ddev.dev);
+	ret = pm_runtime_resume_and_get(dmadev->ddev.dev);
 	if (ret < 0)
 		return ret;
 
@@ -1470,7 +1470,7 @@ static int stm32_dma_suspend(struct device *dev)
 	struct stm32_dma_device *dmadev = dev_get_drvdata(dev);
 	int id, ret, scr;
 
-	ret = pm_runtime_get_sync(dev);
+	ret = pm_runtime_resume_and_get(dev);
 	if (ret < 0)
 		return ret;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 030/175] dmaengine: stm32-dmamux: Fix PM usage counter unbalance in stm32 dmamux ops
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 029/175] dmaengine: stm32-dma: Fix PM usage counter imbalance in stm32 dma ops Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:28 ` [PATCH 5.13 031/175] spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhang Qilong, Vinod Koul, Sasha Levin

From: Zhang Qilong <zhangqilong3@huawei.com>

[ Upstream commit baa16371c9525f24d508508e4d296c031e1de29c ]

pm_runtime_get_sync will increment pm usage counter
even it failed. Forgetting to putting operation will
result in reference leak here. We fix it by replacing
it with pm_runtime_resume_and_get to keep usage counter
balanced.

Fixes: 4f3ceca254e0f ("dmaengine: stm32-dmamux: Add PM Runtime support")
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Link: https://lore.kernel.org/r/20210607064640.121394-3-zhangqilong3@huawei.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/stm32-dmamux.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/dma/stm32-dmamux.c b/drivers/dma/stm32-dmamux.c
index ef0d0555103d..a42164389ebc 100644
--- a/drivers/dma/stm32-dmamux.c
+++ b/drivers/dma/stm32-dmamux.c
@@ -137,7 +137,7 @@ static void *stm32_dmamux_route_allocate(struct of_phandle_args *dma_spec,
 
 	/* Set dma request */
 	spin_lock_irqsave(&dmamux->lock, flags);
-	ret = pm_runtime_get_sync(&pdev->dev);
+	ret = pm_runtime_resume_and_get(&pdev->dev);
 	if (ret < 0) {
 		spin_unlock_irqrestore(&dmamux->lock, flags);
 		goto error;
@@ -336,7 +336,7 @@ static int stm32_dmamux_suspend(struct device *dev)
 	struct stm32_dmamux_data *stm32_dmamux = platform_get_drvdata(pdev);
 	int i, ret;
 
-	ret = pm_runtime_get_sync(dev);
+	ret = pm_runtime_resume_and_get(dev);
 	if (ret < 0)
 		return ret;
 
@@ -361,7 +361,7 @@ static int stm32_dmamux_resume(struct device *dev)
 	if (ret < 0)
 		return ret;
 
-	ret = pm_runtime_get_sync(dev);
+	ret = pm_runtime_resume_and_get(dev);
 	if (ret < 0)
 		return ret;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 031/175] spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 030/175] dmaengine: stm32-dmamux: Fix PM usage counter unbalance in stm32 dmamux ops Greg Kroah-Hartman
@ 2021-08-10 17:28 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 032/175] spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:28 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, Uwe Kleine-König,
	Mark Brown, Sasha Levin

From: Marek Vasut <marex@denx.de>

[ Upstream commit 135cbd378eab336da15de9c84bbb22bf743b38a5 ]

Since 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to
prepare_message hook."), the MX51_ECSPI_CONFIG write no longer happens
in prepare_transfer hook, but rather in prepare_message hook, however
the MX51_ECSPI_CONFIG delay is still left in prepare_transfer hook and
thus has no effect. This leads to low bus frequency operation problems
described in 6fd8b8503a0dc ("spi: spi-imx: Fix out-of-order CS/SCLK
operation at low speeds") again.

Move the MX51_ECSPI_CONFIG write delay into the prepare_message hook
as well, thus reinstating the low bus frequency fix.

Fixes: 00b80ac935539 ("spi: imx: mx51-ecspi: Move some initialisation to prepare_message hook.")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Cc: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20210703022300.296114-1-marex@denx.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-imx.c | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index 39dc02e366f4..4aee3db6d6df 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -506,7 +506,7 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
 {
 	struct spi_device *spi = msg->spi;
 	u32 ctrl = MX51_ECSPI_CTRL_ENABLE;
-	u32 testreg;
+	u32 testreg, delay;
 	u32 cfg = readl(spi_imx->base + MX51_ECSPI_CONFIG);
 
 	/* set Master or Slave mode */
@@ -567,6 +567,23 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
 
 	writel(cfg, spi_imx->base + MX51_ECSPI_CONFIG);
 
+	/*
+	 * Wait until the changes in the configuration register CONFIGREG
+	 * propagate into the hardware. It takes exactly one tick of the
+	 * SCLK clock, but we will wait two SCLK clock just to be sure. The
+	 * effect of the delay it takes for the hardware to apply changes
+	 * is noticable if the SCLK clock run very slow. In such a case, if
+	 * the polarity of SCLK should be inverted, the GPIO ChipSelect might
+	 * be asserted before the SCLK polarity changes, which would disrupt
+	 * the SPI communication as the device on the other end would consider
+	 * the change of SCLK polarity as a clock tick already.
+	 */
+	delay = (2 * 1000000) / spi_imx->spi_bus_clk;
+	if (likely(delay < 10))	/* SCLK is faster than 100 kHz */
+		udelay(delay);
+	else			/* SCLK is _very_ slow */
+		usleep_range(delay, delay + 10);
+
 	return 0;
 }
 
@@ -574,7 +591,7 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx,
 				       struct spi_device *spi)
 {
 	u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL);
-	u32 clk, delay;
+	u32 clk;
 
 	/* Clear BL field and set the right value */
 	ctrl &= ~MX51_ECSPI_CTRL_BL_MASK;
@@ -596,23 +613,6 @@ static int mx51_ecspi_prepare_transfer(struct spi_imx_data *spi_imx,
 
 	writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL);
 
-	/*
-	 * Wait until the changes in the configuration register CONFIGREG
-	 * propagate into the hardware. It takes exactly one tick of the
-	 * SCLK clock, but we will wait two SCLK clock just to be sure. The
-	 * effect of the delay it takes for the hardware to apply changes
-	 * is noticable if the SCLK clock run very slow. In such a case, if
-	 * the polarity of SCLK should be inverted, the GPIO ChipSelect might
-	 * be asserted before the SCLK polarity changes, which would disrupt
-	 * the SPI communication as the device on the other end would consider
-	 * the change of SCLK polarity as a clock tick already.
-	 */
-	delay = (2 * 1000000) / clk;
-	if (likely(delay < 10))	/* SCLK is faster than 100 kHz */
-		udelay(delay);
-	else			/* SCLK is _very_ slow */
-		usleep_range(delay, delay + 10);
-
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 032/175] spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2021-08-10 17:28 ` [PATCH 5.13 031/175] spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 033/175] drm/kmb: Enable LCD DMA for low TVDDCV Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, Uwe Kleine-König,
	Mark Brown, Sasha Levin

From: Marek Vasut <marex@denx.de>

[ Upstream commit 53ca18acbe645656132fb5a329833db711067e54 ]

The spi_imx->spi_bus_clk may be uninitialized and thus also zero in
mx51_ecspi_prepare_message(), which would lead to division by zero
in kernel. Since bitbang .setup_transfer callback which initializes
the spi_imx->spi_bus_clk is called after bitbang prepare_message
callback, iterate over all the transfers in spi_message, find the
one with lowest bus frequency, and use that bus frequency for the
delay calculation.

Note that it is not possible to move this CONFIGREG delay back into
the .setup_transfer callback, because that is invoked too late, after
the GPIO chipselects were already configured.

Fixes: 135cbd378eab ("spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Cc: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20210726100102.5188-1-marex@denx.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-imx.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index 4aee3db6d6df..2872993550bd 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -505,7 +505,9 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
 				      struct spi_message *msg)
 {
 	struct spi_device *spi = msg->spi;
+	struct spi_transfer *xfer;
 	u32 ctrl = MX51_ECSPI_CTRL_ENABLE;
+	u32 min_speed_hz = ~0U;
 	u32 testreg, delay;
 	u32 cfg = readl(spi_imx->base + MX51_ECSPI_CONFIG);
 
@@ -577,8 +579,20 @@ static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
 	 * be asserted before the SCLK polarity changes, which would disrupt
 	 * the SPI communication as the device on the other end would consider
 	 * the change of SCLK polarity as a clock tick already.
+	 *
+	 * Because spi_imx->spi_bus_clk is only set in bitbang prepare_message
+	 * callback, iterate over all the transfers in spi_message, find the
+	 * one with lowest bus frequency, and use that bus frequency for the
+	 * delay calculation. In case all transfers have speed_hz == 0, then
+	 * min_speed_hz is ~0 and the resulting delay is zero.
 	 */
-	delay = (2 * 1000000) / spi_imx->spi_bus_clk;
+	list_for_each_entry(xfer, &msg->transfers, transfer_list) {
+		if (!xfer->speed_hz)
+			continue;
+		min_speed_hz = min(xfer->speed_hz, min_speed_hz);
+	}
+
+	delay = (2 * 1000000) / min_speed_hz;
 	if (likely(delay < 10))	/* SCLK is faster than 100 kHz */
 		udelay(delay);
 	else			/* SCLK is _very_ slow */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 033/175] drm/kmb: Enable LCD DMA for low TVDDCV
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 032/175] spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 034/175] scsi: sr: Return correct event when media event code is 3 Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Edmund Dea, Anitha Chrisanthus,
	Sam Ravnborg, Sasha Levin

From: Edmund Dea <edmund.j.dea@intel.com>

[ Upstream commit 0aab5dce395636eddf4e5f33eba88390328a95b4 ]

There's an undocumented dependency between LCD layer enable bits [2-5]
and the AXI pipelined read enable bit [28] in the LCD_CONTROL register.
The proper order of operation is:

1) Clear AXI pipelined read enable bit
2) Set LCD layers
3) Set AXI pipelined read enable bit

With this update, LCD can start DMA when TVDDCV is reduced down to 700mV.

Fixes: 7f7b96a8a0a1 ("drm/kmb: Add support for KeemBay Display")
Signed-off-by: Edmund Dea <edmund.j.dea@intel.com>
Signed-off-by: Anitha Chrisanthus <anitha.chrisanthus@intel.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20210728003126.1425028-1-anitha.chrisanthus@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/kmb/kmb_drv.c   | 14 ++++++++++++++
 drivers/gpu/drm/kmb/kmb_plane.c | 15 +++++++++++++--
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/kmb/kmb_drv.c b/drivers/gpu/drm/kmb/kmb_drv.c
index 96ea1a2c11dd..c0b1c6f99249 100644
--- a/drivers/gpu/drm/kmb/kmb_drv.c
+++ b/drivers/gpu/drm/kmb/kmb_drv.c
@@ -203,6 +203,7 @@ static irqreturn_t handle_lcd_irq(struct drm_device *dev)
 	unsigned long status, val, val1;
 	int plane_id, dma0_state, dma1_state;
 	struct kmb_drm_private *kmb = to_kmb(dev);
+	u32 ctrl = 0;
 
 	status = kmb_read_lcd(kmb, LCD_INT_STATUS);
 
@@ -227,6 +228,19 @@ static irqreturn_t handle_lcd_irq(struct drm_device *dev)
 				kmb_clr_bitmask_lcd(kmb, LCD_CONTROL,
 						    kmb->plane_status[plane_id].ctrl);
 
+				ctrl = kmb_read_lcd(kmb, LCD_CONTROL);
+				if (!(ctrl & (LCD_CTRL_VL1_ENABLE |
+				    LCD_CTRL_VL2_ENABLE |
+				    LCD_CTRL_GL1_ENABLE |
+				    LCD_CTRL_GL2_ENABLE))) {
+					/* If no LCD layers are using DMA,
+					 * then disable DMA pipelined AXI read
+					 * transactions.
+					 */
+					kmb_clr_bitmask_lcd(kmb, LCD_CONTROL,
+							    LCD_CTRL_PIPELINE_DMA);
+				}
+
 				kmb->plane_status[plane_id].disable = false;
 			}
 		}
diff --git a/drivers/gpu/drm/kmb/kmb_plane.c b/drivers/gpu/drm/kmb/kmb_plane.c
index d5b6195856d1..ecee6782612d 100644
--- a/drivers/gpu/drm/kmb/kmb_plane.c
+++ b/drivers/gpu/drm/kmb/kmb_plane.c
@@ -427,8 +427,14 @@ static void kmb_plane_atomic_update(struct drm_plane *plane,
 
 	kmb_set_bitmask_lcd(kmb, LCD_CONTROL, ctrl);
 
-	/* FIXME no doc on how to set output format,these values are
-	 * taken from the Myriadx tests
+	/* Enable pipeline AXI read transactions for the DMA
+	 * after setting graphics layers. This must be done
+	 * in a separate write cycle.
+	 */
+	kmb_set_bitmask_lcd(kmb, LCD_CONTROL, LCD_CTRL_PIPELINE_DMA);
+
+	/* FIXME no doc on how to set output format, these values are taken
+	 * from the Myriadx tests
 	 */
 	out_format |= LCD_OUTF_FORMAT_RGB888;
 
@@ -526,6 +532,11 @@ struct kmb_plane *kmb_plane_init(struct drm_device *drm)
 		plane->id = i;
 	}
 
+	/* Disable pipeline AXI read transactions for the DMA
+	 * prior to setting graphics layers
+	 */
+	kmb_clr_bitmask_lcd(kmb, LCD_CONTROL, LCD_CTRL_PIPELINE_DMA);
+
 	return primary;
 cleanup:
 	drmm_kfree(drm, plane);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 034/175] scsi: sr: Return correct event when media event code is 3
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 033/175] drm/kmb: Enable LCD DMA for low TVDDCV Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 035/175] media: videobuf2-core: dequeue if start_streaming fails Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Li Manyi, Martin K. Petersen, Sasha Levin

From: Li Manyi <limanyi@uniontech.com>

[ Upstream commit 5c04243a56a7977185b00400e59ca7e108004faf ]

Media event code 3 is defined in the MMC-6 spec as follows:

  "MediaRemoval: The media has been removed from the specified slot, and
   the Drive is unable to access the media without user intervention. This
   applies to media changers only."

This indicated that treating the condition as an EJECT_REQUEST was
appropriate. However, doing so had the unfortunate side-effect of causing
the drive tray to be physically ejected on resume. Instead treat the event
as a MEDIA_CHANGE request.

Fixes: 7dd753ca59d6 ("scsi: sr: Return appropriate error code when disk is ejected")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=213759
Link: https://lore.kernel.org/r/20210726114913.6760-1-limanyi@uniontech.com
Signed-off-by: Li Manyi <limanyi@uniontech.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/sr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
index 1a94c7b1de2d..261d3663cbb7 100644
--- a/drivers/scsi/sr.c
+++ b/drivers/scsi/sr.c
@@ -221,7 +221,7 @@ static unsigned int sr_get_events(struct scsi_device *sdev)
 	else if (med->media_event_code == 2)
 		return DISK_EVENT_MEDIA_CHANGE;
 	else if (med->media_event_code == 3)
-		return DISK_EVENT_EJECT_REQUEST;
+		return DISK_EVENT_MEDIA_CHANGE;
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 035/175] media: videobuf2-core: dequeue if start_streaming fails
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 034/175] scsi: sr: Return correct event when media event code is 3 Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 036/175] ARM: dts: stm32: Prefer HW RTC on DHCOM SoM Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Laurent Pinchart,
	Kieran Bingham, Mauro Carvalho Chehab, Sasha Levin

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

[ Upstream commit c592b46907adbeb81243f7eb7a468c36692658b8 ]

If a vb2_queue sets q->min_buffers_needed then when the number of
queued buffers reaches q->min_buffers_needed, vb2_core_qbuf() will call
the start_streaming() callback. If start_streaming() returns an error,
then that error was just returned by vb2_core_qbuf(), but the buffer
was still queued. However, userspace expects that if VIDIOC_QBUF fails,
the buffer is returned dequeued.

So if start_streaming() fails, then remove the buffer from the queue,
thus avoiding this unwanted side-effect.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tested-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Fixes: b3379c6201bb ("[media] vb2: only call start_streaming if sufficient buffers are queued")
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/common/videobuf2/videobuf2-core.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
index 02281d13505f..508ac295eb06 100644
--- a/drivers/media/common/videobuf2/videobuf2-core.c
+++ b/drivers/media/common/videobuf2/videobuf2-core.c
@@ -1573,6 +1573,7 @@ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb,
 		  struct media_request *req)
 {
 	struct vb2_buffer *vb;
+	enum vb2_buffer_state orig_state;
 	int ret;
 
 	if (q->error) {
@@ -1673,6 +1674,7 @@ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb,
 	 * Add to the queued buffers list, a buffer will stay on it until
 	 * dequeued in dqbuf.
 	 */
+	orig_state = vb->state;
 	list_add_tail(&vb->queued_entry, &q->queued_list);
 	q->queued_count++;
 	q->waiting_for_buffers = false;
@@ -1703,8 +1705,17 @@ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb,
 	if (q->streaming && !q->start_streaming_called &&
 	    q->queued_count >= q->min_buffers_needed) {
 		ret = vb2_start_streaming(q);
-		if (ret)
+		if (ret) {
+			/*
+			 * Since vb2_core_qbuf will return with an error,
+			 * we should return it to state DEQUEUED since
+			 * the error indicates that the buffer wasn't queued.
+			 */
+			list_del(&vb->queued_entry);
+			q->queued_count--;
+			vb->state = orig_state;
 			return ret;
+		}
 	}
 
 	dprintk(q, 2, "qbuf of buffer %d succeeded\n", vb->index);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 036/175] ARM: dts: stm32: Prefer HW RTC on DHCOM SoM
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 035/175] media: videobuf2-core: dequeue if start_streaming fails Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 037/175] ARM: dts: stm32: Disable LAN8710 EDPD on DHCOM Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel, linux-arm-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, Alexandre Torgue,
	Patrice Chotard, Patrick Delaunay, linux-stm32, Sasha Levin

From: Marek Vasut <marex@denx.de>

[ Upstream commit 3a0670824979a986a2314c921aa092e60730eeae ]

The DHCOM SoM has two RTC, one is the STM32 RTC built into the SoC
and another is Microcrystal RV RTC. By default, only the later has
battery backup, the former does not. The order in which the RTCs
are probed on boot is random, which means the kernel might pick up
system time from the STM32 RTC which has no battery backup. This
then leads to incorrect initial system time setup, even though the
HW RTC has correct time configured in it.

Add DT alias entries, so that the RTCs get assigned fixed IDs and
the HW RTC is always picked by the kernel as the default RTC, thus
resulting in correct system time in early userspace.

Fixes: 34e0c7847dcf ("ARM: dts: stm32: Add DH Electronics DHCOM STM32MP1 SoM and PDK2 board")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Alexandre Torgue <alexandre.torgue@foss.st.com>
Cc: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Cc: linux-stm32@st-md-mailman.stormreply.com
To: linux-arm-kernel@lists.infradead.org
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi
index 2af0a6752674..8349c9099e30 100644
--- a/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi
+++ b/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi
@@ -12,6 +12,8 @@
 	aliases {
 		ethernet0 = &ethernet0;
 		ethernet1 = &ksz8851;
+		rtc0 = &hwrtc;
+		rtc1 = &rtc;
 	};
 
 	memory@c0000000 {
@@ -248,7 +250,7 @@
 	/delete-property/dmas;
 	/delete-property/dma-names;
 
-	rtc@32 {
+	hwrtc: rtc@32 {
 		compatible = "microcrystal,rv8803";
 		reg = <0x32>;
 	};
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 037/175] ARM: dts: stm32: Disable LAN8710 EDPD on DHCOM
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 036/175] ARM: dts: stm32: Prefer HW RTC on DHCOM SoM Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 038/175] ARM: dts: stm32: Fix touchscreen IRQ line assignment " Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel, linux-arm-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, Alexandre Torgue,
	Patrice Chotard, Patrick Delaunay, linux-stm32, Sasha Levin

From: Marek Vasut <marex@denx.de>

[ Upstream commit 36862c1ebc92a7e6fcc55002965c44b8ad17d4ca ]

The LAN8710 Energy Detect Power Down (EDPD) functionality might cause
unreliable cable detection. There are multiple accounts of this in the
SMSC PHY driver patches which attempted to make EDPD reliable, however
it seems there is always some sort of corner case left. Unfortunatelly,
there is no errata documented which would confirm this to be a silicon
bug on the LAN87xx series of PHYs (LAN8700, LAN8710, LAN8720 at least).

Disable EDPD on the DHCOM SoM, just like multiple other boards already
do as well, to make the cable detection reliable.

Fixes: 34e0c7847dcf ("ARM: dts: stm32: Add DH Electronics DHCOM STM32MP1 SoM and PDK2 board")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Alexandre Torgue <alexandre.torgue@foss.st.com>
Cc: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Cc: linux-stm32@st-md-mailman.stormreply.com
To: linux-arm-kernel@lists.infradead.org
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi
index 8349c9099e30..8c41f819f776 100644
--- a/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi
+++ b/arch/arm/boot/dts/stm32mp15xx-dhcom-som.dtsi
@@ -140,6 +140,7 @@
 			reset-gpios = <&gpioh 3 GPIO_ACTIVE_LOW>;
 			reset-assert-us = <500>;
 			reset-deassert-us = <500>;
+			smsc,disable-energy-detect;
 			interrupt-parent = <&gpioi>;
 			interrupts = <11 IRQ_TYPE_LEVEL_LOW>;
 		};
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 038/175] ARM: dts: stm32: Fix touchscreen IRQ line assignment on DHCOM
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 037/175] ARM: dts: stm32: Disable LAN8710 EDPD on DHCOM Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 039/175] dmaengine: imx-dma: configure the generic DMA type to make it work Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel, linux-arm-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Vasut, Alexandre Torgue,
	Patrice Chotard, Patrick Delaunay, linux-stm32, Sasha Levin

From: Marek Vasut <marex@denx.de>

[ Upstream commit 15f68f027ebd961b99a1c420f96ff3838c5e4450 ]

While 7e5f3155dcbb4 ("ARM: dts: stm32: Fix LED5 on STM32MP1 DHCOM PDK2")
fixed the LED0 assignment on the PDK2 board, the same commit did not
update the touchscreen IRQ line assignment, which is the same GPIO line,
shared between the LED0 output and touchscreen IRQ input. To make this
more convoluted, the same EXTI input (not the same GPIO line) is shared
between Button B which is Active-Low IRQ, and touchscreen IRQ which is
Edge-Falling IRQ, which cannot be used at the same time. In case the LCD
board with touchscreen is in use, which is the case here, LED0 must be
disabled, Button B must be polled, so the touchscreen interrupt works as
it should.

Update the touchscreen IRQ line assignment, disable LED0 and use polled
GPIO button driver for Button B, since the DT here describes baseboard
with LCD board.

Fixes: 7e5f3155dcbb4 ("ARM: dts: stm32: Fix LED5 on STM32MP1 DHCOM PDK2")
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Alexandre Torgue <alexandre.torgue@foss.st.com>
Cc: Patrice Chotard <patrice.chotard@foss.st.com>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Cc: linux-stm32@st-md-mailman.stormreply.com
To: linux-arm-kernel@lists.infradead.org
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi | 24 +++++++++++--------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi b/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi
index c5ea08fec535..6cf1c8b4c6e2 100644
--- a/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi
+++ b/arch/arm/boot/dts/stm32mp15xx-dhcom-pdk2.dtsi
@@ -37,7 +37,7 @@
 		poll-interval = <20>;
 
 		/*
-		 * The EXTi IRQ line 3 is shared with touchscreen and ethernet,
+		 * The EXTi IRQ line 3 is shared with ethernet,
 		 * so mark this as polled GPIO key.
 		 */
 		button-0 {
@@ -46,6 +46,16 @@
 			gpios = <&gpiof 3 GPIO_ACTIVE_LOW>;
 		};
 
+		/*
+		 * The EXTi IRQ line 6 is shared with touchscreen,
+		 * so mark this as polled GPIO key.
+		 */
+		button-1 {
+			label = "TA2-GPIO-B";
+			linux,code = <KEY_B>;
+			gpios = <&gpiod 6 GPIO_ACTIVE_LOW>;
+		};
+
 		/*
 		 * The EXTi IRQ line 0 is shared with PMIC,
 		 * so mark this as polled GPIO key.
@@ -60,13 +70,6 @@
 	gpio-keys {
 		compatible = "gpio-keys";
 
-		button-1 {
-			label = "TA2-GPIO-B";
-			linux,code = <KEY_B>;
-			gpios = <&gpiod 6 GPIO_ACTIVE_LOW>;
-			wakeup-source;
-		};
-
 		button-3 {
 			label = "TA4-GPIO-D";
 			linux,code = <KEY_D>;
@@ -82,6 +85,7 @@
 			label = "green:led5";
 			gpios = <&gpioc 6 GPIO_ACTIVE_HIGH>;
 			default-state = "off";
+			status = "disabled";
 		};
 
 		led-1 {
@@ -185,8 +189,8 @@
 	touchscreen@38 {
 		compatible = "edt,edt-ft5406";
 		reg = <0x38>;
-		interrupt-parent = <&gpiog>;
-		interrupts = <2 IRQ_TYPE_EDGE_FALLING>; /* GPIO E */
+		interrupt-parent = <&gpioc>;
+		interrupts = <6 IRQ_TYPE_EDGE_FALLING>; /* GPIO E */
 	};
 };
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 039/175] dmaengine: imx-dma: configure the generic DMA type to make it work
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 038/175] ARM: dts: stm32: Fix touchscreen IRQ line assignment " Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 040/175] net, gro: Set inner transport header offset in tcp/udp GRO hook Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Juergen Borleis, Vinod Koul, Sasha Levin

From: Juergen Borleis <jbe@pengutronix.de>

[ Upstream commit 7199ddede9f0f2f68d41e6928e1c6c4bca9c39c0 ]

Commit dea7a9fbb009 ("dmaengine: imx-dma: remove dma_slave_config
direction usage") changes the method from a "configuration when called"
to an "configuration when used". Due to this, only the cyclic DMA type
gets configured correctly, while the generic DMA type is left
non-configured.

Without this additional call, the struct imxdma_channel::word_size member
is stuck at DMA_SLAVE_BUSWIDTH_UNDEFINED and imxdma_prep_slave_sg() always
returns NULL.

Signed-off-by: Juergen Borleis <jbe@pengutronix.de>
Fixes: dea7a9fbb009 ("dmaengine: imx-dma: remove dma_slave_config direction usage")
Link: https://lore.kernel.org/r/20210729071821.9857-1-jbe@pengutronix.de
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/imx-dma.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/dma/imx-dma.c b/drivers/dma/imx-dma.c
index 7f116bbcfad2..2ddc31e64db0 100644
--- a/drivers/dma/imx-dma.c
+++ b/drivers/dma/imx-dma.c
@@ -812,6 +812,8 @@ static struct dma_async_tx_descriptor *imxdma_prep_slave_sg(
 		dma_length += sg_dma_len(sg);
 	}
 
+	imxdma_config_write(chan, &imxdmac->config, direction);
+
 	switch (imxdmac->word_size) {
 	case DMA_SLAVE_BUSWIDTH_4_BYTES:
 		if (sg_dma_len(sgl) & 3 || sgl->dma_address & 3)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 040/175] net, gro: Set inner transport header offset in tcp/udp GRO hook
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 039/175] dmaengine: imx-dma: configure the generic DMA type to make it work Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 041/175] net: dsa: sja1105: overwrite dynamic FDB entries with static ones in .port_fdb_add Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alex Forster, Jakub Sitnicki,
	David S. Miller, Sasha Levin

From: Jakub Sitnicki <jakub@cloudflare.com>

[ Upstream commit d51c5907e9809a803b276883d203f45849abd4d6 ]

GSO expects inner transport header offset to be valid when
skb->encapsulation flag is set. GSO uses this value to calculate the length
of an individual segment of a GSO packet in skb_gso_transport_seglen().

However, tcp/udp gro_complete callbacks don't update the
skb->inner_transport_header when processing an encapsulated TCP/UDP
segment. As a result a GRO skb has ->inner_transport_header set to a value
carried over from earlier skb processing.

This can have mild to tragic consequences. From miscalculating the GSO
segment length to triggering a page fault [1], when trying to read TCP/UDP
header at an address past the skb->data page.

The latter scenario leads to an oops report like so:

  BUG: unable to handle page fault for address: ffff9fa7ec00d008
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 123f201067 P4D 123f201067 PUD 123f209067 PMD 0
  Oops: 0000 [#1] SMP NOPTI
  CPU: 44 PID: 0 Comm: swapper/44 Not tainted 5.4.53-cloudflare-2020.7.21 #1
  Hardware name: HYVE EDGE-METAL-GEN10/HS-1811DLite1, BIOS V2.15 02/21/2020
  RIP: 0010:skb_gso_transport_seglen+0x44/0xa0
  Code: c0 41 83 e0 11 f6 87 81 00 00 00 20 74 30 0f b7 87 aa 00 00 00 0f [...]
  RSP: 0018:ffffad8640bacbb8 EFLAGS: 00010202
  RAX: 000000000000feda RBX: ffff9fcc8d31bc00 RCX: ffff9fa7ec00cffc
  RDX: ffff9fa7ebffdec0 RSI: 000000000000feda RDI: 0000000000000122
  RBP: 00000000000005c4 R08: 0000000000000001 R09: 0000000000000000
  R10: ffff9fe588ae3800 R11: ffff9fe011fc92f0 R12: ffff9fcc8d31bc00
  R13: ffff9fe0119d4300 R14: 00000000000005c4 R15: ffff9fba57d70900
  FS:  0000000000000000(0000) GS:ffff9fe68df00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffff9fa7ec00d008 CR3: 0000003e99b1c000 CR4: 0000000000340ee0
  Call Trace:
   <IRQ>
   skb_gso_validate_network_len+0x11/0x70
   __ip_finish_output+0x109/0x1c0
   ip_sublist_rcv_finish+0x57/0x70
   ip_sublist_rcv+0x2aa/0x2d0
   ? ip_rcv_finish_core.constprop.0+0x390/0x390
   ip_list_rcv+0x12b/0x14f
   __netif_receive_skb_list_core+0x2a9/0x2d0
   netif_receive_skb_list_internal+0x1b5/0x2e0
   napi_complete_done+0x93/0x140
   veth_poll+0xc0/0x19f [veth]
   ? mlx5e_napi_poll+0x221/0x610 [mlx5_core]
   net_rx_action+0x1f8/0x790
   __do_softirq+0xe1/0x2bf
   irq_exit+0x8e/0xc0
   do_IRQ+0x58/0xe0
   common_interrupt+0xf/0xf
   </IRQ>

The bug can be observed in a simple setup where we send IP/GRE/IP/TCP
packets into a netns over a veth pair. Inside the netns, packets are
forwarded to dummy device:

  trafgen -> [veth A]--[veth B] -forward-> [dummy]

For veth B to GRO aggregate packets on receive, it needs to have an XDP
program attached (for example, a trivial XDP_PASS). Additionally, for UDP,
we need to enable GSO_UDP_L4 feature on the device:

  ip netns exec A ethtool -K AB rx-udp-gro-forwarding on

The last component is an artificial delay to increase the chances of GRO
batching happening:

  ip netns exec A tc qdisc add dev AB root \
     netem delay 200us slot 5ms 10ms packets 2 bytes 64k

With such a setup in place, the bug can be observed by tracing the skb
outer and inner offsets when GSO skb is transmitted from the dummy device:

tcp:

FUNC              DEV   SKB_LEN  NH  TH ENC INH ITH GSO_SIZE GSO_TYPE
ip_finish_output  dumB     2830 270 290   1 294 254     1383 (tcpv4,gre,)
                                                ^^^
udp:

FUNC              DEV   SKB_LEN  NH  TH ENC INH ITH GSO_SIZE GSO_TYPE
ip_finish_output  dumB     2818 270 290   1 294 254     1383 (gre,udp_l4,)
                                                ^^^

Fix it by updating the inner transport header offset in tcp/udp
gro_complete callbacks, similar to how {inet,ipv6}_gro_complete callbacks
update the inner network header offset, when skb->encapsulation flag is
set.

[1] https://lore.kernel.org/netdev/CAKxSbF01cLpZem2GFaUaifh0S-5WYViZemTicAg7FCHOnh6kug@mail.gmail.com/

Fixes: bf296b125b21 ("tcp: Add GRO support")
Fixes: f993bc25e519 ("net: core: handle encapsulation offloads when computing segment lengths")
Fixes: e20cf8d3f1f7 ("udp: implement GRO for plain UDP sockets.")
Reported-by: Alex Forster <aforster@cloudflare.com>
Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_offload.c | 3 +++
 net/ipv4/udp_offload.c | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/net/ipv4/tcp_offload.c b/net/ipv4/tcp_offload.c
index e09147ac9a99..fc61cd3fea65 100644
--- a/net/ipv4/tcp_offload.c
+++ b/net/ipv4/tcp_offload.c
@@ -298,6 +298,9 @@ int tcp_gro_complete(struct sk_buff *skb)
 	if (th->cwr)
 		skb_shinfo(skb)->gso_type |= SKB_GSO_TCP_ECN;
 
+	if (skb->encapsulation)
+		skb->inner_transport_header = skb->transport_header;
+
 	return 0;
 }
 EXPORT_SYMBOL(tcp_gro_complete);
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 9dde1e5fb449..1380a6b6f4ff 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -624,6 +624,10 @@ static int udp_gro_complete_segment(struct sk_buff *skb)
 
 	skb_shinfo(skb)->gso_segs = NAPI_GRO_CB(skb)->count;
 	skb_shinfo(skb)->gso_type |= SKB_GSO_UDP_L4;
+
+	if (skb->encapsulation)
+		skb->inner_transport_header = skb->transport_header;
+
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 041/175] net: dsa: sja1105: overwrite dynamic FDB entries with static ones in .port_fdb_add
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 040/175] net, gro: Set inner transport header offset in tcp/udp GRO hook Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 042/175] net: dsa: sja1105: invalidate dynamic FDB entries learned concurrently with statically added ones Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladimir Oltean, David S. Miller,
	Sasha Levin

From: Vladimir Oltean <vladimir.oltean@nxp.com>

[ Upstream commit e11e865bf84e3c6ea91563ff3e858cfe0e184bd2 ]

The SJA1105 switch family leaves it up to software to decide where
within the FDB to install a static entry, and to concatenate destination
ports for already existing entries (the FDB is also used for multicast
entries), it is not as simple as just saying "please add this entry".

This means we first need to search for an existing FDB entry before
adding a new one. The driver currently manages to fool itself into
thinking that if an FDB entry already exists, there is nothing to be
done. But that FDB entry might be dynamically learned, case in which it
should be replaced with a static entry, but instead it is left alone.

This patch checks the LOCKEDS ("locked/static") bit from found FDB
entries, and lets the code "goto skip_finding_an_index;" if the FDB
entry was not static. So we also need to move the place where we set
LOCKEDS = true, to cover the new case where a dynamic FDB entry existed
but was dynamic.

Fixes: 291d1e72b756 ("net: dsa: sja1105: Add support for FDB and MDB management")
Fixes: 1da73821343c ("net: dsa: sja1105: Add FDB operations for P/Q/R/S series")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/sja1105/sja1105_main.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
index 5b7947832b87..c671d43a4724 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -1323,7 +1323,7 @@ int sja1105et_fdb_add(struct dsa_switch *ds, int port,
 		 * mask? If yes, we need to do nothing. If not, we need
 		 * to rewrite the entry by adding this port to it.
 		 */
-		if (l2_lookup.destports & BIT(port))
+		if ((l2_lookup.destports & BIT(port)) && l2_lookup.lockeds)
 			return 0;
 		l2_lookup.destports |= BIT(port);
 	} else {
@@ -1354,6 +1354,7 @@ int sja1105et_fdb_add(struct dsa_switch *ds, int port,
 						     index, NULL, false);
 		}
 	}
+	l2_lookup.lockeds = true;
 	l2_lookup.index = sja1105et_fdb_index(bin, way);
 
 	rc = sja1105_dynamic_config_write(priv, BLK_IDX_L2_LOOKUP,
@@ -1424,10 +1425,10 @@ int sja1105pqrs_fdb_add(struct dsa_switch *ds, int port,
 	rc = sja1105_dynamic_config_read(priv, BLK_IDX_L2_LOOKUP,
 					 SJA1105_SEARCH, &l2_lookup);
 	if (rc == 0) {
-		/* Found and this port is already in the entry's
+		/* Found a static entry and this port is already in the entry's
 		 * port mask => job done
 		 */
-		if (l2_lookup.destports & BIT(port))
+		if ((l2_lookup.destports & BIT(port)) && l2_lookup.lockeds)
 			return 0;
 		/* l2_lookup.index is populated by the switch in case it
 		 * found something.
@@ -1450,10 +1451,11 @@ int sja1105pqrs_fdb_add(struct dsa_switch *ds, int port,
 		dev_err(ds->dev, "FDB is full, cannot add entry.\n");
 		return -EINVAL;
 	}
-	l2_lookup.lockeds = true;
 	l2_lookup.index = i;
 
 skip_finding_an_index:
+	l2_lookup.lockeds = true;
+
 	rc = sja1105_dynamic_config_write(priv, BLK_IDX_L2_LOOKUP,
 					  l2_lookup.index, &l2_lookup,
 					  true);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 042/175] net: dsa: sja1105: invalidate dynamic FDB entries learned concurrently with statically added ones
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 041/175] net: dsa: sja1105: overwrite dynamic FDB entries with static ones in .port_fdb_add Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 043/175] net: dsa: sja1105: ignore the FDB entry for unknown multicast when adding a new address Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladimir Oltean, David S. Miller,
	Sasha Levin

From: Vladimir Oltean <vladimir.oltean@nxp.com>

[ Upstream commit 6c5fc159e0927531707895709eee1f8bfa04289f ]

The procedure to add a static FDB entry in sja1105 is concurrent with
dynamic learning performed on all bridge ports and the CPU port.

The switch looks up the FDB from left to right, and also learns
dynamically from left to right, so it is possible that between the
moment when we pick up a free slot to install an FDB entry, another slot
to the left of that one becomes free due to an address ageing out, and
that other slot is then immediately used by the switch to learn
dynamically the same address as we're trying to add statically.

The result is that we succeeded to add our static FDB entry, but it is
being shadowed by a dynamic FDB entry to its left, and the switch will
behave as if our static FDB entry did not exist.

We cannot really prevent this from happening unless we make the entire
process to add a static FDB entry a huge critical section where address
learning is temporarily disabled on _all_ ports, and then re-enabled
according to the configuration done by sja1105_port_set_learning.
However, that is kind of disruptive for the operation of the network.

What we can do alternatively is to simply read back the FDB for dynamic
entries located before our newly added static one, and delete them.
This will guarantee that our static FDB entry is now operational. It
will still not guarantee that there aren't dynamic FDB entries to the
_right_ of that static FDB entry, but at least those entries will age
out by themselves since they aren't hit, and won't bother anyone.

Fixes: 291d1e72b756 ("net: dsa: sja1105: Add support for FDB and MDB management")
Fixes: 1da73821343c ("net: dsa: sja1105: Add FDB operations for P/Q/R/S series")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/sja1105/sja1105_main.c | 57 +++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 2 deletions(-)

diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
index c671d43a4724..5e88632e10b9 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -1308,10 +1308,11 @@ static int sja1105et_is_fdb_entry_in_bin(struct sja1105_private *priv, int bin,
 int sja1105et_fdb_add(struct dsa_switch *ds, int port,
 		      const unsigned char *addr, u16 vid)
 {
-	struct sja1105_l2_lookup_entry l2_lookup = {0};
+	struct sja1105_l2_lookup_entry l2_lookup = {0}, tmp;
 	struct sja1105_private *priv = ds->priv;
 	struct device *dev = ds->dev;
 	int last_unused = -1;
+	int start, end, i;
 	int bin, way, rc;
 
 	bin = sja1105et_fdb_hash(priv, addr, vid);
@@ -1363,6 +1364,29 @@ int sja1105et_fdb_add(struct dsa_switch *ds, int port,
 	if (rc < 0)
 		return rc;
 
+	/* Invalidate a dynamically learned entry if that exists */
+	start = sja1105et_fdb_index(bin, 0);
+	end = sja1105et_fdb_index(bin, way);
+
+	for (i = start; i < end; i++) {
+		rc = sja1105_dynamic_config_read(priv, BLK_IDX_L2_LOOKUP,
+						 i, &tmp);
+		if (rc == -ENOENT)
+			continue;
+		if (rc)
+			return rc;
+
+		if (tmp.macaddr != ether_addr_to_u64(addr) || tmp.vlanid != vid)
+			continue;
+
+		rc = sja1105_dynamic_config_write(priv, BLK_IDX_L2_LOOKUP,
+						  i, NULL, false);
+		if (rc)
+			return rc;
+
+		break;
+	}
+
 	return sja1105_static_fdb_change(priv, port, &l2_lookup, true);
 }
 
@@ -1404,7 +1428,7 @@ int sja1105et_fdb_del(struct dsa_switch *ds, int port,
 int sja1105pqrs_fdb_add(struct dsa_switch *ds, int port,
 			const unsigned char *addr, u16 vid)
 {
-	struct sja1105_l2_lookup_entry l2_lookup = {0};
+	struct sja1105_l2_lookup_entry l2_lookup = {0}, tmp;
 	struct sja1105_private *priv = ds->priv;
 	int rc, i;
 
@@ -1462,6 +1486,35 @@ skip_finding_an_index:
 	if (rc < 0)
 		return rc;
 
+	/* The switch learns dynamic entries and looks up the FDB left to
+	 * right. It is possible that our addition was concurrent with the
+	 * dynamic learning of the same address, so now that the static entry
+	 * has been installed, we are certain that address learning for this
+	 * particular address has been turned off, so the dynamic entry either
+	 * is in the FDB at an index smaller than the static one, or isn't (it
+	 * can also be at a larger index, but in that case it is inactive
+	 * because the static FDB entry will match first, and the dynamic one
+	 * will eventually age out). Search for a dynamically learned address
+	 * prior to our static one and invalidate it.
+	 */
+	tmp = l2_lookup;
+
+	rc = sja1105_dynamic_config_read(priv, BLK_IDX_L2_LOOKUP,
+					 SJA1105_SEARCH, &tmp);
+	if (rc < 0) {
+		dev_err(ds->dev,
+			"port %d failed to read back entry for %pM vid %d: %pe\n",
+			port, addr, vid, ERR_PTR(rc));
+		return rc;
+	}
+
+	if (tmp.index < l2_lookup.index) {
+		rc = sja1105_dynamic_config_write(priv, BLK_IDX_L2_LOOKUP,
+						  tmp.index, NULL, false);
+		if (rc < 0)
+			return rc;
+	}
+
 	return sja1105_static_fdb_change(priv, port, &l2_lookup, true);
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 043/175] net: dsa: sja1105: ignore the FDB entry for unknown multicast when adding a new address
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 042/175] net: dsa: sja1105: invalidate dynamic FDB entries learned concurrently with statically added ones Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 044/175] net: dsa: sja1105: be stateless with FDB entries on SJA1105P/Q/R/S/SJA1110 too Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladimir Oltean, David S. Miller,
	Sasha Levin

From: Vladimir Oltean <vladimir.oltean@nxp.com>

[ Upstream commit 728db843df88753aeb7224314807a203afa8eb32 ]

Currently, when sja1105pqrs_fdb_add() is called for a host-joined IPv6
MDB entry such as 33:33:00:00:00:6a, the search for that address will
return the FDB entry for SJA1105_UNKNOWN_MULTICAST, which has a
destination MAC of 01:00:00:00:00:00 and a mask of 01:00:00:00:00:00.
It returns that entry because, well, it matches, in the sense that
unknown multicast is supposed by design to match it...

But the issue is that we then proceed to overwrite this entry with the
one for our precise host-joined multicast address, and the unknown
multicast entry is no longer there - unknown multicast is now flooded to
the same group of ports as broadcast, which does not look up the FDB.

To solve this problem, we should ignore searches that return the unknown
multicast address as the match, and treat them as "no match" which will
result in the entry being installed to hardware.

For this to work properly, we need to put the result of the FDB search
in a temporary variable in order to avoid overwriting the l2_lookup
entry we want to program. The l2_lookup entry returned by the search
might not have the same set of DESTPORTS and not even the same MACADDR
as the entry we're trying to add.

Fixes: 4d9423549501 ("net: dsa: sja1105: offload bridge port flags to device")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/sja1105/sja1105_main.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
index 5e88632e10b9..edc9462c6d4e 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -1446,14 +1446,19 @@ int sja1105pqrs_fdb_add(struct dsa_switch *ds, int port,
 	}
 	l2_lookup.destports = BIT(port);
 
+	tmp = l2_lookup;
+
 	rc = sja1105_dynamic_config_read(priv, BLK_IDX_L2_LOOKUP,
-					 SJA1105_SEARCH, &l2_lookup);
-	if (rc == 0) {
+					 SJA1105_SEARCH, &tmp);
+	if (rc == 0 && tmp.index != SJA1105_MAX_L2_LOOKUP_COUNT - 1) {
 		/* Found a static entry and this port is already in the entry's
 		 * port mask => job done
 		 */
-		if ((l2_lookup.destports & BIT(port)) && l2_lookup.lockeds)
+		if ((tmp.destports & BIT(port)) && tmp.lockeds)
 			return 0;
+
+		l2_lookup = tmp;
+
 		/* l2_lookup.index is populated by the switch in case it
 		 * found something.
 		 */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 044/175] net: dsa: sja1105: be stateless with FDB entries on SJA1105P/Q/R/S/SJA1110 too
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 043/175] net: dsa: sja1105: ignore the FDB entry for unknown multicast when adding a new address Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 045/175] net: dsa: sja1105: match FDB entries regardless of inner/outer VLAN tag Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladimir Oltean, David S. Miller,
	Sasha Levin

From: Vladimir Oltean <vladimir.oltean@nxp.com>

[ Upstream commit 589918df93226a1e5f104306c185b6dcf2bd8051 ]

Similar but not quite the same with what was done in commit b11f0a4c0c81
("net: dsa: sja1105: be stateless when installing FDB entries") for
SJA1105E/T, it is desirable to drop the priv->vlan_aware check and
simply go ahead and install FDB entries in the VLAN that was given by
the bridge.

As opposed to SJA1105E/T, in SJA1105P/Q/R/S and SJA1110, the FDB is a
maskable TCAM, and we are installing VLAN-unaware FDB entries with the
VLAN ID masked off. However, such FDB entries might completely obscure
VLAN-aware entries where the VLAN ID is included in the search mask,
because the switch looks up the FDB from left to right and picks the
first entry which results in a masked match. So it depends on whether
the bridge installs first the VLAN-unaware or the VLAN-aware FDB entries.

Anyway, if we had a VLAN-unaware FDB entry towards one set of DESTPORTS
and a VLAN-aware one towards other set of DESTPORTS, the result is that
the packets in VLAN-aware mode will be forwarded towards the DESTPORTS
specified by the VLAN-unaware entry.

To solve this, simply do not use the masked matching ability of the FDB
for VLAN ID, and always match precisely on it. In VLAN-unaware mode, we
configure the switch for shared VLAN learning, so the VLAN ID will be
ignored anyway during lookup, so it is redundant to mask it off in the
TCAM.

This patch conflicts with net-next commit 0fac6aa098ed ("net: dsa: sja1105:
delete the best_effort_vlan_filtering mode") which changed this line:
	if (priv->vlan_state != SJA1105_VLAN_UNAWARE) {
into:
	if (priv->vlan_aware) {

When merging with net-next, the lines added by this patch should take
precedence in the conflict resolution (i.e. the "if" condition should be
deleted in both cases).

Fixes: 1da73821343c ("net: dsa: sja1105: Add FDB operations for P/Q/R/S series")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/sja1105/sja1105_main.c | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
index edc9462c6d4e..19d321ac6532 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -1437,13 +1437,8 @@ int sja1105pqrs_fdb_add(struct dsa_switch *ds, int port,
 	l2_lookup.vlanid = vid;
 	l2_lookup.iotag = SJA1105_S_TAG;
 	l2_lookup.mask_macaddr = GENMASK_ULL(ETH_ALEN * 8 - 1, 0);
-	if (priv->vlan_state != SJA1105_VLAN_UNAWARE) {
-		l2_lookup.mask_vlanid = VLAN_VID_MASK;
-		l2_lookup.mask_iotag = BIT(0);
-	} else {
-		l2_lookup.mask_vlanid = 0;
-		l2_lookup.mask_iotag = 0;
-	}
+	l2_lookup.mask_vlanid = VLAN_VID_MASK;
+	l2_lookup.mask_iotag = BIT(0);
 	l2_lookup.destports = BIT(port);
 
 	tmp = l2_lookup;
@@ -1535,13 +1530,8 @@ int sja1105pqrs_fdb_del(struct dsa_switch *ds, int port,
 	l2_lookup.vlanid = vid;
 	l2_lookup.iotag = SJA1105_S_TAG;
 	l2_lookup.mask_macaddr = GENMASK_ULL(ETH_ALEN * 8 - 1, 0);
-	if (priv->vlan_state != SJA1105_VLAN_UNAWARE) {
-		l2_lookup.mask_vlanid = VLAN_VID_MASK;
-		l2_lookup.mask_iotag = BIT(0);
-	} else {
-		l2_lookup.mask_vlanid = 0;
-		l2_lookup.mask_iotag = 0;
-	}
+	l2_lookup.mask_vlanid = VLAN_VID_MASK;
+	l2_lookup.mask_iotag = BIT(0);
 	l2_lookup.destports = BIT(port);
 
 	rc = sja1105_dynamic_config_read(priv, BLK_IDX_L2_LOOKUP,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 045/175] net: dsa: sja1105: match FDB entries regardless of inner/outer VLAN tag
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 044/175] net: dsa: sja1105: be stateless with FDB entries on SJA1105P/Q/R/S/SJA1110 too Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 046/175] net: phy: micrel: Fix detection of ksz87xx switch Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladimir Oltean, David S. Miller,
	Sasha Levin

From: Vladimir Oltean <vladimir.oltean@nxp.com>

[ Upstream commit 47c2c0c2312118a478f738503781de1d1a6020d2 ]

On SJA1105P/Q/R/S and SJA1110, the L2 Lookup Table entries contain a
maskable "inner/outer tag" bit which means:
- when set to 1: match single-outer and double tagged frames
- when set to 0: match untagged and single-inner tagged frames
- when masked off: match all frames regardless of the type of tag

This driver does not make any meaningful distinction between inner tags
(matches on TPID) and outer tags (matches on TPID2). In fact, all VLAN
table entries are installed as SJA1110_VLAN_D_TAG, which means that they
match on both inner and outer tags.

So it does not make sense that we install FDB entries with the IOTAG bit
set to 1.

In VLAN-unaware mode, we set both TPID and TPID2 to 0xdadb, so the
switch will see frames as outer-tagged or double-tagged (never inner).
So the FDB entries will match if IOTAG is set to 1.

In VLAN-aware mode, we set TPID to 0x8100 and TPID2 to 0x88a8. So the
switch will see untagged and 802.1Q-tagged packets as inner-tagged, and
802.1ad-tagged packets as outer-tagged. So untagged and 802.1Q-tagged
packets will not match FDB entries if IOTAG is set to 1, but 802.1ad
tagged packets will. Strange.

To fix this, simply mask off the IOTAG bit from FDB entries, and make
them match regardless of whether the VLAN tag is inner or outer.

Fixes: 1da73821343c ("net: dsa: sja1105: Add FDB operations for P/Q/R/S series")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/sja1105/sja1105_main.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/net/dsa/sja1105/sja1105_main.c b/drivers/net/dsa/sja1105/sja1105_main.c
index 19d321ac6532..4b05a2424623 100644
--- a/drivers/net/dsa/sja1105/sja1105_main.c
+++ b/drivers/net/dsa/sja1105/sja1105_main.c
@@ -1435,10 +1435,8 @@ int sja1105pqrs_fdb_add(struct dsa_switch *ds, int port,
 	/* Search for an existing entry in the FDB table */
 	l2_lookup.macaddr = ether_addr_to_u64(addr);
 	l2_lookup.vlanid = vid;
-	l2_lookup.iotag = SJA1105_S_TAG;
 	l2_lookup.mask_macaddr = GENMASK_ULL(ETH_ALEN * 8 - 1, 0);
 	l2_lookup.mask_vlanid = VLAN_VID_MASK;
-	l2_lookup.mask_iotag = BIT(0);
 	l2_lookup.destports = BIT(port);
 
 	tmp = l2_lookup;
@@ -1528,10 +1526,8 @@ int sja1105pqrs_fdb_del(struct dsa_switch *ds, int port,
 
 	l2_lookup.macaddr = ether_addr_to_u64(addr);
 	l2_lookup.vlanid = vid;
-	l2_lookup.iotag = SJA1105_S_TAG;
 	l2_lookup.mask_macaddr = GENMASK_ULL(ETH_ALEN * 8 - 1, 0);
 	l2_lookup.mask_vlanid = VLAN_VID_MASK;
-	l2_lookup.mask_iotag = BIT(0);
 	l2_lookup.destports = BIT(port);
 
 	rc = sja1105_dynamic_config_read(priv, BLK_IDX_L2_LOOKUP,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 046/175] net: phy: micrel: Fix detection of ksz87xx switch
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 045/175] net: dsa: sja1105: match FDB entries regardless of inner/outer VLAN tag Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 047/175] net: natsemi: Fix missing pci_disable_device() in probe and remove Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steve Bennett, Marek Vasut,
	David S. Miller, Sasha Levin

From: Steve Bennett <steveb@workware.net.au>

[ Upstream commit a5e63c7d38d548b8dab6c6205e0b6af76899dbf5 ]

The logic for discerning between KSZ8051 and KSZ87XX PHYs is incorrect
such that the that KSZ87XX switch is not identified correctly.

ksz8051_ksz8795_match_phy_device() uses the parameter ksz_phy_id
to discriminate whether it was called from ksz8051_match_phy_device()
or from ksz8795_match_phy_device() but since PHY_ID_KSZ87XX is the
same value as PHY_ID_KSZ8051, this doesn't work.

Instead use a bool to discriminate the caller.

Without this patch, the KSZ8795 switch port identifies as:

ksz8795-switch spi3.1 ade1 (uninitialized): PHY [dsa-0.1:03] driver [Generic PHY]

With the patch, it identifies correctly:

ksz8795-switch spi3.1 ade1 (uninitialized): PHY [dsa-0.1:03] driver [Micrel KSZ87XX Switch]

Fixes: 8b95599c55ed24b36cf4 ("net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs")
Signed-off-by: Steve Bennett <steveb@workware.net.au>
Reviewed-by: Marek Vasut <marex@denx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/micrel.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/phy/micrel.c b/drivers/net/phy/micrel.c
index a14a00328fa3..7afd9edaf249 100644
--- a/drivers/net/phy/micrel.c
+++ b/drivers/net/phy/micrel.c
@@ -382,11 +382,11 @@ static int ksz8041_config_aneg(struct phy_device *phydev)
 }
 
 static int ksz8051_ksz8795_match_phy_device(struct phy_device *phydev,
-					    const u32 ksz_phy_id)
+					    const bool ksz_8051)
 {
 	int ret;
 
-	if ((phydev->phy_id & MICREL_PHY_ID_MASK) != ksz_phy_id)
+	if ((phydev->phy_id & MICREL_PHY_ID_MASK) != PHY_ID_KSZ8051)
 		return 0;
 
 	ret = phy_read(phydev, MII_BMSR);
@@ -399,7 +399,7 @@ static int ksz8051_ksz8795_match_phy_device(struct phy_device *phydev,
 	 * the switch does not.
 	 */
 	ret &= BMSR_ERCAP;
-	if (ksz_phy_id == PHY_ID_KSZ8051)
+	if (ksz_8051)
 		return ret;
 	else
 		return !ret;
@@ -407,7 +407,7 @@ static int ksz8051_ksz8795_match_phy_device(struct phy_device *phydev,
 
 static int ksz8051_match_phy_device(struct phy_device *phydev)
 {
-	return ksz8051_ksz8795_match_phy_device(phydev, PHY_ID_KSZ8051);
+	return ksz8051_ksz8795_match_phy_device(phydev, true);
 }
 
 static int ksz8081_config_init(struct phy_device *phydev)
@@ -435,7 +435,7 @@ static int ksz8061_config_init(struct phy_device *phydev)
 
 static int ksz8795_match_phy_device(struct phy_device *phydev)
 {
-	return ksz8051_ksz8795_match_phy_device(phydev, PHY_ID_KSZ87XX);
+	return ksz8051_ksz8795_match_phy_device(phydev, false);
 }
 
 static int ksz9021_load_values_from_of(struct phy_device *phydev,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 047/175] net: natsemi: Fix missing pci_disable_device() in probe and remove
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 046/175] net: phy: micrel: Fix detection of ksz87xx switch Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 048/175] gpio: tqmx86: really make IRQ optional Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Wang Hai,
	David S. Miller, Sasha Levin

From: Wang Hai <wanghai38@huawei.com>

[ Upstream commit 7fe74dfd41c428afb24e2e615470832fa997ff14 ]

Replace pci_enable_device() with pcim_enable_device(),
pci_disable_device() and pci_release_regions() will be
called in release automatically.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/natsemi/natsemi.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/natsemi/natsemi.c b/drivers/net/ethernet/natsemi/natsemi.c
index b81e1487945c..14a17ad730f0 100644
--- a/drivers/net/ethernet/natsemi/natsemi.c
+++ b/drivers/net/ethernet/natsemi/natsemi.c
@@ -819,7 +819,7 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
 		printk(version);
 #endif
 
-	i = pci_enable_device(pdev);
+	i = pcim_enable_device(pdev);
 	if (i) return i;
 
 	/* natsemi has a non-standard PM control register
@@ -852,7 +852,7 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
 	ioaddr = ioremap(iostart, iosize);
 	if (!ioaddr) {
 		i = -ENOMEM;
-		goto err_ioremap;
+		goto err_pci_request_regions;
 	}
 
 	/* Work around the dropped serial bit. */
@@ -974,9 +974,6 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
  err_register_netdev:
 	iounmap(ioaddr);
 
- err_ioremap:
-	pci_release_regions(pdev);
-
  err_pci_request_regions:
 	free_netdev(dev);
 	return i;
@@ -3241,7 +3238,6 @@ static void natsemi_remove1(struct pci_dev *pdev)
 
 	NATSEMI_REMOVE_FILE(pdev, dspcfg_workaround);
 	unregister_netdev (dev);
-	pci_release_regions (pdev);
 	iounmap(ioaddr);
 	free_netdev (dev);
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 048/175] gpio: tqmx86: really make IRQ optional
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 047/175] net: natsemi: Fix missing pci_disable_device() in probe and remove Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 049/175] RDMA/mlx5: Delay emptying a cache entry when a new MR is added to it recently Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Schiffer, Andrew Lunn,
	Linus Walleij, Bartosz Golaszewski, Sasha Levin

From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>

[ Upstream commit 9b87f43537acfa24b95c236beba0f45901356eb2 ]

The tqmx86 MFD driver was passing IRQ 0 for "no IRQ" in the past. This
causes warnings with newer kernels.

Prepare the gpio-tqmx86 driver for the fixed MFD driver by handling a
missing IRQ properly.

Fixes: b868db94a6a7 ("gpio: tqmx86: Add GPIO from for this IO controller")
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-tqmx86.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpio/gpio-tqmx86.c b/drivers/gpio/gpio-tqmx86.c
index 5022e0ad0fae..0f5d17f343f1 100644
--- a/drivers/gpio/gpio-tqmx86.c
+++ b/drivers/gpio/gpio-tqmx86.c
@@ -238,8 +238,8 @@ static int tqmx86_gpio_probe(struct platform_device *pdev)
 	struct resource *res;
 	int ret, irq;
 
-	irq = platform_get_irq(pdev, 0);
-	if (irq < 0)
+	irq = platform_get_irq_optional(pdev, 0);
+	if (irq < 0 && irq != -ENXIO)
 		return irq;
 
 	res = platform_get_resource(pdev, IORESOURCE_IO, 0);
@@ -278,7 +278,7 @@ static int tqmx86_gpio_probe(struct platform_device *pdev)
 
 	pm_runtime_enable(&pdev->dev);
 
-	if (irq) {
+	if (irq > 0) {
 		struct irq_chip *irq_chip = &gpio->irq_chip;
 		u8 irq_status;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 049/175] RDMA/mlx5: Delay emptying a cache entry when a new MR is added to it recently
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 048/175] gpio: tqmx86: really make IRQ optional Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 050/175] net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aharon Landau, Maor Gottlieb,
	Leon Romanovsky, Jason Gunthorpe, Sasha Levin

From: Aharon Landau <aharonl@nvidia.com>

[ Upstream commit d6793ca97b76642b77629dd0783ec64782a50bdb ]

Fixing a typo that causes a cache entry to shrink immediately after adding
to it new MRs if the entry size exceeds the high limit.  In doing so, the
cache misses its purpose to prevent the creation of new mkeys on the
runtime by using the cached ones.

Fixes: b9358bdbc713 ("RDMA/mlx5: Fix locking in MR cache work queue")
Link: https://lore.kernel.org/r/fcb546986be346684a016f5ca23a0567399145fa.1627370131.git.leonro@nvidia.com
Signed-off-by: Aharon Landau <aharonl@nvidia.com>
Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/mlx5/mr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/mlx5/mr.c b/drivers/infiniband/hw/mlx5/mr.c
index 425423dfac72..fd113ddf6e86 100644
--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -530,8 +530,8 @@ static void __cache_work_func(struct mlx5_cache_ent *ent)
 		 */
 		spin_unlock_irq(&ent->lock);
 		need_delay = need_resched() || someone_adding(cache) ||
-			     time_after(jiffies,
-					READ_ONCE(cache->last_add) + 300 * HZ);
+			     !time_after(jiffies,
+					 READ_ONCE(cache->last_add) + 300 * HZ);
 		spin_lock_irq(&ent->lock);
 		if (ent->disabled)
 			goto out;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 050/175] net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 049/175] RDMA/mlx5: Delay emptying a cache entry when a new MR is added to it recently Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 051/175] sctp: move the active_key update after sh_keys is added Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+9ba1174359adba5a5b7c,
	Vladimir Oltean, Nikolay Aleksandrov, Jakub Kicinski,
	Sasha Levin

From: Vladimir Oltean <vladimir.oltean@nxp.com>

[ Upstream commit 0541a6293298fb52789de389dfb27ef54df81f73 ]

Currently it is possible to add broken extern_learn FDB entries to the
bridge in two ways:

1. Entries pointing towards the bridge device that are not local/permanent:

ip link add br0 type bridge
bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn static

2. Entries pointing towards the bridge device or towards a port that
are marked as local/permanent, however the bridge does not process the
'permanent' bit in any way, therefore they are recorded as though they
aren't permanent:

ip link add br0 type bridge
bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn permanent

Since commit 52e4bec15546 ("net: bridge: switchdev: treat local FDBs the
same as entries towards the bridge"), these incorrect FDB entries can
even trigger NULL pointer dereferences inside the kernel.

This is because that commit made the assumption that all FDB entries
that are not local/permanent have a valid destination port. For context,
local / permanent FDB entries either have fdb->dst == NULL, and these
point towards the bridge device and are therefore local and not to be
used for forwarding, or have fdb->dst == a net_bridge_port structure
(but are to be treated in the same way, i.e. not for forwarding).

That assumption _is_ correct as long as things are working correctly in
the bridge driver, i.e. we cannot logically have fdb->dst == NULL under
any circumstance for FDB entries that are not local. However, the
extern_learn code path where FDB entries are managed by a user space
controller show that it is possible for the bridge kernel driver to
misinterpret the NUD flags of an entry transmitted by user space, and
end up having fdb->dst == NULL while not being a local entry. This is
invalid and should be rejected.

Before, the two commands listed above both crashed the kernel in this
check from br_switchdev_fdb_notify:

	struct net_device *dev = info.is_local ? br->dev : dst->dev;

info.is_local == false, dst == NULL.

After this patch, the invalid entry added by the first command is
rejected:

ip link add br0 type bridge && bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn static; ip link del br0
Error: bridge: FDB entry towards bridge must be permanent.

and the valid entry added by the second command is properly treated as a
local address and does not crash br_switchdev_fdb_notify anymore:

ip link add br0 type bridge && bridge fdb add 00:01:02:03:04:05 dev br0 self extern_learn permanent; ip link del br0

Fixes: eb100e0e24a2 ("net: bridge: allow to add externally learned entries from user-space")
Reported-by: syzbot+9ba1174359adba5a5b7c@syzkaller.appspotmail.com
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Link: https://lore.kernel.org/r/20210801231730.7493-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/br.c         |  3 ++-
 net/bridge/br_fdb.c     | 30 ++++++++++++++++++++++++------
 net/bridge/br_private.h |  2 +-
 3 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/net/bridge/br.c b/net/bridge/br.c
index ef743f94254d..bbab9984f24e 100644
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -166,7 +166,8 @@ static int br_switchdev_event(struct notifier_block *unused,
 	case SWITCHDEV_FDB_ADD_TO_BRIDGE:
 		fdb_info = ptr;
 		err = br_fdb_external_learn_add(br, p, fdb_info->addr,
-						fdb_info->vid, false);
+						fdb_info->vid,
+						fdb_info->is_local, false);
 		if (err) {
 			err = notifier_from_errno(err);
 			break;
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 698b79747d32..87ce52bba649 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -1001,7 +1001,8 @@ static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
 
 static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
 			struct net_bridge_port *p, const unsigned char *addr,
-			u16 nlh_flags, u16 vid, struct nlattr *nfea_tb[])
+			u16 nlh_flags, u16 vid, struct nlattr *nfea_tb[],
+			struct netlink_ext_ack *extack)
 {
 	int err = 0;
 
@@ -1020,7 +1021,15 @@ static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
 		rcu_read_unlock();
 		local_bh_enable();
 	} else if (ndm->ndm_flags & NTF_EXT_LEARNED) {
-		err = br_fdb_external_learn_add(br, p, addr, vid, true);
+		if (!p && !(ndm->ndm_state & NUD_PERMANENT)) {
+			NL_SET_ERR_MSG_MOD(extack,
+					   "FDB entry towards bridge must be permanent");
+			return -EINVAL;
+		}
+
+		err = br_fdb_external_learn_add(br, p, addr, vid,
+						ndm->ndm_state & NUD_PERMANENT,
+						true);
 	} else {
 		spin_lock_bh(&br->hash_lock);
 		err = fdb_add_entry(br, p, addr, ndm, nlh_flags, vid, nfea_tb);
@@ -1092,9 +1101,11 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
 		}
 
 		/* VID was specified, so use it. */
-		err = __br_fdb_add(ndm, br, p, addr, nlh_flags, vid, nfea_tb);
+		err = __br_fdb_add(ndm, br, p, addr, nlh_flags, vid, nfea_tb,
+				   extack);
 	} else {
-		err = __br_fdb_add(ndm, br, p, addr, nlh_flags, 0, nfea_tb);
+		err = __br_fdb_add(ndm, br, p, addr, nlh_flags, 0, nfea_tb,
+				   extack);
 		if (err || !vg || !vg->num_vlans)
 			goto out;
 
@@ -1106,7 +1117,7 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
 			if (!br_vlan_should_use(v))
 				continue;
 			err = __br_fdb_add(ndm, br, p, addr, nlh_flags, v->vid,
-					   nfea_tb);
+					   nfea_tb, extack);
 			if (err)
 				goto out;
 		}
@@ -1246,7 +1257,7 @@ void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p)
 }
 
 int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
-			      const unsigned char *addr, u16 vid,
+			      const unsigned char *addr, u16 vid, bool is_local,
 			      bool swdev_notify)
 {
 	struct net_bridge_fdb_entry *fdb;
@@ -1263,6 +1274,10 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
 
 		if (swdev_notify)
 			flags |= BIT(BR_FDB_ADDED_BY_USER);
+
+		if (is_local)
+			flags |= BIT(BR_FDB_LOCAL);
+
 		fdb = fdb_create(br, p, addr, vid, flags);
 		if (!fdb) {
 			err = -ENOMEM;
@@ -1289,6 +1304,9 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
 		if (swdev_notify)
 			set_bit(BR_FDB_ADDED_BY_USER, &fdb->flags);
 
+		if (is_local)
+			set_bit(BR_FDB_LOCAL, &fdb->flags);
+
 		if (modified)
 			fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
 	}
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index e013d33f1c7c..4e3d26e0a2d1 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -707,7 +707,7 @@ int br_fdb_get(struct sk_buff *skb, struct nlattr *tb[], struct net_device *dev,
 int br_fdb_sync_static(struct net_bridge *br, struct net_bridge_port *p);
 void br_fdb_unsync_static(struct net_bridge *br, struct net_bridge_port *p);
 int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
-			      const unsigned char *addr, u16 vid,
+			      const unsigned char *addr, u16 vid, bool is_local,
 			      bool swdev_notify);
 int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
 			      const unsigned char *addr, u16 vid,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 051/175] sctp: move the active_key update after sh_keys is added
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 050/175] net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 052/175] drm/i915: Call i915_globals_exit() if pci_register_device() fails Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ying Xu, Xin Long, David S. Miller,
	Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit ae954bbc451d267f7d60d7b49db811d5a68ebd7b ]

In commit 58acd1009226 ("sctp: update active_key for asoc when old key is
being replaced"), sctp_auth_asoc_init_active_key() is called to update
the active_key right after the old key is deleted and before the new key
is added, and it caused that the active_key could be found with the key_id.

In Ying Xu's testing, the BUG_ON in sctp_auth_asoc_init_active_key() was
triggered:

  [ ] kernel BUG at net/sctp/auth.c:416!
  [ ] RIP: 0010:sctp_auth_asoc_init_active_key.part.8+0xe7/0xf0 [sctp]
  [ ] Call Trace:
  [ ]  sctp_auth_set_key+0x16d/0x1b0 [sctp]
  [ ]  sctp_setsockopt.part.33+0x1ba9/0x2bd0 [sctp]
  [ ]  __sys_setsockopt+0xd6/0x1d0
  [ ]  __x64_sys_setsockopt+0x20/0x30
  [ ]  do_syscall_64+0x5b/0x1a0

So fix it by moving the active_key update after sh_keys is added.

Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced")
Reported-by: Ying Xu <yinxu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/auth.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index fe74c5f95630..db6b7373d16c 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -857,14 +857,18 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
 	memcpy(key->data, &auth_key->sca_key[0], auth_key->sca_keylength);
 	cur_key->key = key;
 
-	if (replace) {
-		list_del_init(&shkey->key_list);
-		sctp_auth_shkey_release(shkey);
-		if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
-			sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
+	if (!replace) {
+		list_add(&cur_key->key_list, sh_keys);
+		return 0;
 	}
+
+	list_del_init(&shkey->key_list);
+	sctp_auth_shkey_release(shkey);
 	list_add(&cur_key->key_list, sh_keys);
 
+	if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
+		sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
+
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 052/175] drm/i915: Call i915_globals_exit() if pci_register_device() fails
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 051/175] sctp: move the active_key update after sh_keys is added Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 053/175] nfp: update ethtool reporting of pauseframe control Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jason Ekstrand, Daniel Vetter,
	Rodrigo Vivi, Sasha Levin

From: Jason Ekstrand <jason@jlekstrand.net>

[ Upstream commit 1354d830cb8f9be966cc07fc61368af27ffb7c4a ]

In the unlikely event that pci_register_device() fails, we were tearing
down our PMU setup but not globals.  This leaves a bunch of memory slabs
lying around.

Signed-off-by: Jason Ekstrand <jason@jlekstrand.net>
Fixes: 32eb6bcfdda9 ("drm/i915: Make request allocation caches global")
[danvet: Fix conflicts against removal of the globals_flush
infrastructure.]
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20210721152358.2893314-3-jason@jlekstrand.net
(cherry picked from commit db484889d1ff0645e07e360d3e3ad306c0515821)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
[Fixed small conflict while cherry picking]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/i915_globals.c | 2 +-
 drivers/gpu/drm/i915/i915_pci.c     | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/i915_globals.c b/drivers/gpu/drm/i915/i915_globals.c
index 3aa213684293..e27739a50bee 100644
--- a/drivers/gpu/drm/i915/i915_globals.c
+++ b/drivers/gpu/drm/i915/i915_globals.c
@@ -149,7 +149,7 @@ static void __exit __i915_globals_flush(void)
 	atomic_dec(&active);
 }
 
-void __exit i915_globals_exit(void)
+void i915_globals_exit(void)
 {
 	GEM_BUG_ON(atomic_read(&active));
 
diff --git a/drivers/gpu/drm/i915/i915_pci.c b/drivers/gpu/drm/i915/i915_pci.c
index 480553746794..a6261a8103f4 100644
--- a/drivers/gpu/drm/i915/i915_pci.c
+++ b/drivers/gpu/drm/i915/i915_pci.c
@@ -1168,6 +1168,7 @@ static int __init i915_init(void)
 	err = pci_register_driver(&i915_pci_driver);
 	if (err) {
 		i915_pmu_exit();
+		i915_globals_exit();
 		return err;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 053/175] nfp: update ethtool reporting of pauseframe control
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 052/175] drm/i915: Call i915_globals_exit() if pci_register_device() fails Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 054/175] net: ipv6: fix returned variable type in ip6_skb_dst_mtu Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fei Qin, Louis Peens, Simon Horman,
	David S. Miller, Sasha Levin

From: Fei Qin <fei.qin@corigine.com>

[ Upstream commit 9fdc5d85a8fe684cdf24dc31c6bc4a727decfe87 ]

Pauseframe control is set to symmetric mode by default on the NFP.
Pause frames can not be configured through ethtool now, but ethtool can
report the supported mode.

Fixes: 265aeb511bd5 ("nfp: add support for .get_link_ksettings()")
Signed-off-by: Fei Qin <fei.qin@corigine.com>
Signed-off-by: Louis Peens <louis.peens@corigine.com>
Signed-off-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
index 1b482446536d..8803faadd302 100644
--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
@@ -286,6 +286,8 @@ nfp_net_get_link_ksettings(struct net_device *netdev,
 
 	/* Init to unknowns */
 	ethtool_link_ksettings_add_link_mode(cmd, supported, FIBRE);
+	ethtool_link_ksettings_add_link_mode(cmd, supported, Pause);
+	ethtool_link_ksettings_add_link_mode(cmd, advertising, Pause);
 	cmd->base.port = PORT_OTHER;
 	cmd->base.speed = SPEED_UNKNOWN;
 	cmd->base.duplex = DUPLEX_UNKNOWN;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 054/175] net: ipv6: fix returned variable type in ip6_skb_dst_mtu
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 053/175] nfp: update ethtool reporting of pauseframe control Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 055/175] RDMA/hns: Fix the double unlock problem of poll_sem Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vadim Fedorenko, Antoine Tenart,
	David S. Miller, Sasha Levin

From: Antoine Tenart <atenart@kernel.org>

[ Upstream commit 4039146777a91e1576da2bf38e0d8a1061a1ae47 ]

The patch fixing the returned value of ip6_skb_dst_mtu (int -> unsigned
int) was rebased between its initial review and the version applied. In
the meantime fade56410c22 was applied, which added a new variable (int)
used as the returned value. This lead to a mismatch between the function
prototype and the variable used as the return value.

Fixes: 40fc3054b458 ("net: ipv6: fix return value of ip6_skb_dst_mtu")
Cc: Vadim Fedorenko <vfedorenko@novek.ru>
Signed-off-by: Antoine Tenart <atenart@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/ip6_route.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
index 625a38ccb5d9..0bf09a9bca4e 100644
--- a/include/net/ip6_route.h
+++ b/include/net/ip6_route.h
@@ -265,7 +265,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
 
 static inline unsigned int ip6_skb_dst_mtu(struct sk_buff *skb)
 {
-	int mtu;
+	unsigned int mtu;
 
 	struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ?
 				inet6_sk(skb->sk) : NULL;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 055/175] RDMA/hns: Fix the double unlock problem of poll_sem
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 054/175] net: ipv6: fix returned variable type in ip6_skb_dst_mtu Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 056/175] net: dsa: qca: ar9331: reorder MDIO write sequence Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Yangyang Li,
	Wenpeng Liang, Leon Romanovsky, Jason Gunthorpe, Sasha Levin

From: Yangyang Li <liyangyang20@huawei.com>

[ Upstream commit 8b436a99cd708bd158231a0630ffa49b1d6175e4 ]

If hns_roce_cmd_use_events() fails then it means that the poll_sem is not
obtained, but the poll_sem is released in hns_roce_cmd_use_polling(), this
will cause an unlock problem.

This is the static checker warning:
	drivers/infiniband/hw/hns/hns_roce_main.c:926 hns_roce_init()
	error: double unlocked '&hr_dev->cmd.poll_sem' (orig line 879)

Event mode and polling mode are mutually exclusive and resources are
separated, so there is no need to process polling mode resources in event
mode.

The initial mode of cmd is polling mode, so even if cmd fails to switch to
event mode, it is not necessary to switch to polling mode.

Fixes: a389d016c030 ("RDMA/hns: Enable all CMDQ context")
Fixes: 3d50503b3b33 ("RDMA/hns: Optimize cmd init and mode selection for hip08")
Link: https://lore.kernel.org/r/1627887374-20019-1-git-send-email-liangwenpeng@huawei.com
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Yangyang Li <liyangyang20@huawei.com>
Signed-off-by: Wenpeng Liang <liangwenpeng@huawei.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/hns/hns_roce_cmd.c  | 7 +++----
 drivers/infiniband/hw/hns/hns_roce_main.c | 4 +---
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_cmd.c b/drivers/infiniband/hw/hns/hns_roce_cmd.c
index 8f68cc3ff193..84f3f2b5f097 100644
--- a/drivers/infiniband/hw/hns/hns_roce_cmd.c
+++ b/drivers/infiniband/hw/hns/hns_roce_cmd.c
@@ -213,8 +213,10 @@ int hns_roce_cmd_use_events(struct hns_roce_dev *hr_dev)
 
 	hr_cmd->context =
 		kcalloc(hr_cmd->max_cmds, sizeof(*hr_cmd->context), GFP_KERNEL);
-	if (!hr_cmd->context)
+	if (!hr_cmd->context) {
+		hr_dev->cmd_mod = 0;
 		return -ENOMEM;
+	}
 
 	for (i = 0; i < hr_cmd->max_cmds; ++i) {
 		hr_cmd->context[i].token = i;
@@ -228,7 +230,6 @@ int hns_roce_cmd_use_events(struct hns_roce_dev *hr_dev)
 	spin_lock_init(&hr_cmd->context_lock);
 
 	hr_cmd->use_events = 1;
-	down(&hr_cmd->poll_sem);
 
 	return 0;
 }
@@ -239,8 +240,6 @@ void hns_roce_cmd_use_polling(struct hns_roce_dev *hr_dev)
 
 	kfree(hr_cmd->context);
 	hr_cmd->use_events = 0;
-
-	up(&hr_cmd->poll_sem);
 }
 
 struct hns_roce_cmd_mailbox *
diff --git a/drivers/infiniband/hw/hns/hns_roce_main.c b/drivers/infiniband/hw/hns/hns_roce_main.c
index 6c6e82b11d8b..33b84f219d0d 100644
--- a/drivers/infiniband/hw/hns/hns_roce_main.c
+++ b/drivers/infiniband/hw/hns/hns_roce_main.c
@@ -897,11 +897,9 @@ int hns_roce_init(struct hns_roce_dev *hr_dev)
 
 	if (hr_dev->cmd_mod) {
 		ret = hns_roce_cmd_use_events(hr_dev);
-		if (ret) {
+		if (ret)
 			dev_warn(dev,
 				 "Cmd event  mode failed, set back to poll!\n");
-			hns_roce_cmd_use_polling(hr_dev);
-		}
 	}
 
 	ret = hns_roce_init_hem(hr_dev);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 056/175] net: dsa: qca: ar9331: reorder MDIO write sequence
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 055/175] RDMA/hns: Fix the double unlock problem of poll_sem Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 057/175] riscv: Disable STACKPROTECTOR_PER_TASK if GCC_PLUGIN_RANDSTRUCT is enabled Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleksij Rempel, Andrew Lunn,
	Florian Fainelli, Vladimir Oltean, Jakub Kicinski, Sasha Levin

From: Oleksij Rempel <o.rempel@pengutronix.de>

[ Upstream commit d1a58c013a5837451e3213e7a426d350fa524ead ]

In case of this switch we work with 32bit registers on top of 16bit
bus. Some registers (for example access to forwarding database) have
trigger bit on the first 16bit half of request and the result +
configuration of request in the second half. Without this patch, we would
trigger database operation and overwrite result in one run.

To make it work properly, we should do the second part of transfer
before the first one is done.

So far, this rule seems to work for all registers on this switch.

Fixes: ec6698c272de ("net: dsa: add support for Atheros AR9331 built-in switch")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Link: https://lore.kernel.org/r/20210803063746.3600-1-o.rempel@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/qca/ar9331.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/net/dsa/qca/ar9331.c b/drivers/net/dsa/qca/ar9331.c
index ca2ad77b71f1..6686192e1883 100644
--- a/drivers/net/dsa/qca/ar9331.c
+++ b/drivers/net/dsa/qca/ar9331.c
@@ -837,16 +837,24 @@ static int ar9331_mdio_write(void *ctx, u32 reg, u32 val)
 		return 0;
 	}
 
-	ret = __ar9331_mdio_write(sbus, AR9331_SW_MDIO_PHY_MODE_REG, reg, val);
+	/* In case of this switch we work with 32bit registers on top of 16bit
+	 * bus. Some registers (for example access to forwarding database) have
+	 * trigger bit on the first 16bit half of request, the result and
+	 * configuration of request in the second half.
+	 * To make it work properly, we should do the second part of transfer
+	 * before the first one is done.
+	 */
+	ret = __ar9331_mdio_write(sbus, AR9331_SW_MDIO_PHY_MODE_REG, reg + 2,
+				  val >> 16);
 	if (ret < 0)
 		goto error;
 
-	ret = __ar9331_mdio_write(sbus, AR9331_SW_MDIO_PHY_MODE_REG, reg + 2,
-				  val >> 16);
+	ret = __ar9331_mdio_write(sbus, AR9331_SW_MDIO_PHY_MODE_REG, reg, val);
 	if (ret < 0)
 		goto error;
 
 	return 0;
+
 error:
 	dev_err_ratelimited(&sbus->dev, "Bus error. Failed to write register.\n");
 	return ret;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 057/175] riscv: Disable STACKPROTECTOR_PER_TASK if GCC_PLUGIN_RANDSTRUCT is enabled
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 056/175] net: dsa: qca: ar9331: reorder MDIO write sequence Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 058/175] net: sched: fix lockdep_set_class() typo error for sch->seqlock Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Palmer Dabbelt, Sasha Levin

From: Guenter Roeck <linux@roeck-us.net>

[ Upstream commit a18b14d8886614b3c7d290c4cfc33389822b0535 ]

riscv uses the value of TSK_STACK_CANARY to set
stack-protector-guard-offset. With GCC_PLUGIN_RANDSTRUCT enabled, that
value is non-deterministic, and with riscv:allmodconfig often results
in build errors such as

cc1: error: '8120' is not a valid offset in '-mstack-protector-guard-offset='

Enable STACKPROTECTOR_PER_TASK only if GCC_PLUGIN_RANDSTRUCT is disabled
to fix the problem.

Fixes: fea2fed201ee5 ("riscv: Enable per-task stack canaries")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/riscv/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
index 18ec0f9bb8d5..3c3647ac33cb 100644
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -489,6 +489,7 @@ config CC_HAVE_STACKPROTECTOR_TLS
 
 config STACKPROTECTOR_PER_TASK
 	def_bool y
+	depends on !GCC_PLUGIN_RANDSTRUCT
 	depends on STACKPROTECTOR && CC_HAVE_STACKPROTECTOR_TLS
 
 config PHYS_RAM_BASE_FIXED
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 058/175] net: sched: fix lockdep_set_class() typo error for sch->seqlock
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 057/175] riscv: Disable STACKPROTECTOR_PER_TASK if GCC_PLUGIN_RANDSTRUCT is enabled Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 059/175] drm/i915: fix i915_globals_exit() section mismatch error Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yunsheng Lin, David S. Miller, Sasha Levin

From: Yunsheng Lin <linyunsheng@huawei.com>

[ Upstream commit 06f5553e0f0c2182268179b93856187d9cb86dd5 ]

According to comment in qdisc_alloc(), sch->seqlock's lockdep
class key should be set to qdisc_tx_busylock, due to possible
type error, sch->busylock's lockdep class key is set to
qdisc_tx_busylock, which is duplicated because sch->busylock's
lockdep class key is already set in qdisc_alloc().

So fix it by replacing sch->busylock with sch->seqlock.

Fixes: 96009c7d500e ("sched: replace __QDISC_STATE_RUNNING bit with a spin lock")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_generic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index fc8b56bcabf3..1ee96a5c5ee0 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -886,7 +886,7 @@ struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
 
 	/* seqlock has the same scope of busylock, for NOLOCK qdisc */
 	spin_lock_init(&sch->seqlock);
-	lockdep_set_class(&sch->busylock,
+	lockdep_set_class(&sch->seqlock,
 			  dev->qdisc_tx_busylock ?: &qdisc_tx_busylock);
 
 	seqcount_init(&sch->running);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 059/175] drm/i915: fix i915_globals_exit() section mismatch error
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 058/175] net: sched: fix lockdep_set_class() typo error for sch->seqlock Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 060/175] MIPS: check return value of pgtable_pmd_page_ctor Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Jason Ekstrand,
	Daniel Vetter, Rodrigo Vivi, Jani Nikula, Joonas Lahtinen,
	intel-gfx, dri-devel, Dave Airlie, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit a07296453bf2778952a09b6244a695bf7607babb ]

Fix modpost Section mismatch error in i915_globals_exit().
Since both an __init function and an __exit function can call
i915_globals_exit(), any function that i915_globals_exit() calls
should not be marked as __init or __exit. I.e., it needs to be
available for either of them.

WARNING: modpost: vmlinux.o(.text+0x8b796a): Section mismatch in reference from the function i915_globals_exit() to the function .exit.text:__i915_globals_flush()
The function i915_globals_exit() references a function in an exit section.
Often the function __i915_globals_flush() has valid usage outside the exit section
and the fix is to remove the __exit annotation of __i915_globals_flush.

ERROR: modpost: Section mismatches detected.
Set CONFIG_SECTION_MISMATCH_WARN_ONLY=y to allow them.

Fixes: 1354d830cb8f ("drm/i915: Call i915_globals_exit() if pci_register_device() fails")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Jason Ekstrand <jason@jlekstrand.net>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: intel-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210804204147.2070-1-rdunlap@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/i915_globals.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/i915_globals.c b/drivers/gpu/drm/i915/i915_globals.c
index e27739a50bee..57d2943884ab 100644
--- a/drivers/gpu/drm/i915/i915_globals.c
+++ b/drivers/gpu/drm/i915/i915_globals.c
@@ -139,7 +139,7 @@ void i915_globals_unpark(void)
 	atomic_inc(&active);
 }
 
-static void __exit __i915_globals_flush(void)
+static void  __i915_globals_flush(void)
 {
 	atomic_inc(&active); /* skip shrinking */
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 060/175] MIPS: check return value of pgtable_pmd_page_ctor
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 059/175] drm/i915: fix i915_globals_exit() section mismatch error Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 061/175] x86/tools/relocs: Fix non-POSIX regexp Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joshua Kinard, Huang Pei,
	Thomas Bogendoerfer, Sasha Levin

From: Huang Pei <huangpei@loongson.cn>

[ Upstream commit 6aa32467299e9e12280a6aec9dbc21bf2db830b0 ]

+. According to Documentation/vm/split_page_table_lock, handle failure
of pgtable_pmd_page_ctor

+. Use GFP_KERNEL_ACCOUNT instead of GFP_KERNEL|__GFP_ACCOUNT

+. Adjust coding style

Fixes: ed914d48b6a1 ("MIPS: add PMD table accounting into MIPS')
Reported-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Huang Pei <huangpei@loongson.cn>
Reviewed-by: Joshua Kinard <kumba@gentoo.org>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/include/asm/pgalloc.h | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h
index d0cf997b4ba8..139b4050259f 100644
--- a/arch/mips/include/asm/pgalloc.h
+++ b/arch/mips/include/asm/pgalloc.h
@@ -59,15 +59,20 @@ do {							\
 
 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address)
 {
-	pmd_t *pmd = NULL;
+	pmd_t *pmd;
 	struct page *pg;
 
-	pg = alloc_pages(GFP_KERNEL | __GFP_ACCOUNT, PMD_ORDER);
-	if (pg) {
-		pgtable_pmd_page_ctor(pg);
-		pmd = (pmd_t *)page_address(pg);
-		pmd_init((unsigned long)pmd, (unsigned long)invalid_pte_table);
+	pg = alloc_pages(GFP_KERNEL_ACCOUNT, PMD_ORDER);
+	if (!pg)
+		return NULL;
+
+	if (!pgtable_pmd_page_ctor(pg)) {
+		__free_pages(pg, PMD_ORDER);
+		return NULL;
 	}
+
+	pmd = (pmd_t *)page_address(pg);
+	pmd_init((unsigned long)pmd, (unsigned long)invalid_pte_table);
 	return pmd;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 061/175] x86/tools/relocs: Fix non-POSIX regexp
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 060/175] MIPS: check return value of pgtable_pmd_page_ctor Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 062/175] mips: " Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H. Nikolaus Schaller,
	Masahiro Yamada, Sasha Levin

From: H. Nikolaus Schaller <hns@goldelico.com>

[ Upstream commit fa953adfad7cf9c7e30d9ea0e4ccfd38cfb5495d ]

Trying to run a cross-compiled x86 relocs tool on a BSD based
HOSTCC leads to errors like

  VOFFSET arch/x86/boot/compressed/../voffset.h - due to: vmlinux
  CC      arch/x86/boot/compressed/misc.o - due to: arch/x86/boot/compressed/../voffset.h
  OBJCOPY arch/x86/boot/compressed/vmlinux.bin - due to: vmlinux
  RELOCS  arch/x86/boot/compressed/vmlinux.relocs - due to: vmlinux
empty (sub)expressionarch/x86/boot/compressed/Makefile:118: recipe for target 'arch/x86/boot/compressed/vmlinux.relocs' failed
make[3]: *** [arch/x86/boot/compressed/vmlinux.relocs] Error 1

It turns out that relocs.c uses patterns like

	"something(|_end)"

This is not valid syntax or gives undefined results according
to POSIX 9.5.3 ERE Grammar

	https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html

It seems to be silently accepted by the Linux regexp() implementation
while a BSD host complains.

Such patterns can be replaced by a transformation like

	"(|p1|p2)" -> "(p1|p2)?"

Fixes: fd952815307f ("x86-32, relocs: Whitelist more symbols for ld bug workaround")
Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/tools/relocs.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
index 04c5a44b9682..9ba700dc47de 100644
--- a/arch/x86/tools/relocs.c
+++ b/arch/x86/tools/relocs.c
@@ -57,12 +57,12 @@ static const char * const sym_regex_kernel[S_NSYMTYPES] = {
 	[S_REL] =
 	"^(__init_(begin|end)|"
 	"__x86_cpu_dev_(start|end)|"
-	"(__parainstructions|__alt_instructions)(|_end)|"
-	"(__iommu_table|__apicdrivers|__smp_locks)(|_end)|"
+	"(__parainstructions|__alt_instructions)(_end)?|"
+	"(__iommu_table|__apicdrivers|__smp_locks)(_end)?|"
 	"__(start|end)_pci_.*|"
 	"__(start|end)_builtin_fw|"
-	"__(start|stop)___ksymtab(|_gpl)|"
-	"__(start|stop)___kcrctab(|_gpl)|"
+	"__(start|stop)___ksymtab(_gpl)?|"
+	"__(start|stop)___kcrctab(_gpl)?|"
 	"__(start|stop)___param|"
 	"__(start|stop)___modver|"
 	"__(start|stop)___bug_table|"
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 062/175] mips: Fix non-POSIX regexp
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 061/175] x86/tools/relocs: Fix non-POSIX regexp Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 063/175] kbuild: cancel sub_make_done for the install target to fix DKMS Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, H. Nikolaus Schaller,
	Masahiro Yamada, Sasha Levin

From: H. Nikolaus Schaller <hns@goldelico.com>

[ Upstream commit 28bbbb9875a35975904e46f9b06fa689d051b290 ]

When cross compiling a MIPS kernel on a BSD based HOSTCC leads
to errors like

  SYNC    include/config/auto.conf.cmd - due to: .config
egrep: empty (sub)expression
  UPD     include/config/kernel.release
  HOSTCC  scripts/dtc/dtc.o - due to target missing

It turns out that egrep uses this egrep pattern:

		(|MINOR_|PATCHLEVEL_)

This is not valid syntax or gives undefined results according
to POSIX 9.5.3 ERE Grammar

	https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html

It seems to be silently accepted by the Linux egrep implementation
while a BSD host complains.

Such patterns can be replaced by a transformation like

	"(|p1|p2)" -> "(p1|p2)?"

Fixes: 48c35b2d245f ("[MIPS] There is no __GNUC_MAJOR__")
Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/Makefile b/arch/mips/Makefile
index 258234c35a09..674f68d16a73 100644
--- a/arch/mips/Makefile
+++ b/arch/mips/Makefile
@@ -321,7 +321,7 @@ KBUILD_LDFLAGS		+= -m $(ld-emul)
 
 ifdef CONFIG_MIPS
 CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \
-	egrep -vw '__GNUC_(|MINOR_|PATCHLEVEL_)_' | \
+	egrep -vw '__GNUC_(MINOR_|PATCHLEVEL_)?_' | \
 	sed -e "s/^\#define /-D'/" -e "s/ /'='/" -e "s/$$/'/" -e 's/\$$/&&/g')
 endif
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 063/175] kbuild: cancel sub_make_done for the install target to fix DKMS
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 062/175] mips: " Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 064/175] bnx2x: fix an error code in bnx2x_nic_load() Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John S Gruber, Masahiro Yamada, Sasha Levin

From: Masahiro Yamada <masahiroy@kernel.org>

[ Upstream commit 14ccc638b02f9ec500c17d9e39efe979145a4b61 ]

Since commit bcf637f54f6d ("kbuild: parse C= and M= before changing the
working directory"), external module builds invoked by DKMS fail because
M= option is not parsed.

I wanted to add 'unset sub_make_done' in install.sh but similar scripts,
arch/*/boot/install.sh, are duplicated, so I set sub_make_done empty in
the top Makefile.

Fixes: bcf637f54f6d ("kbuild: parse C= and M= before changing the working directory")
Reported-by: John S Gruber <johnsgruber@gmail.com>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Tested-by: John S Gruber <johnsgruber@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 Makefile | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Makefile b/Makefile
index 9d810e13a83f..218f44d7fc80 100644
--- a/Makefile
+++ b/Makefile
@@ -1366,6 +1366,15 @@ scripts_unifdef: scripts_basic
 	$(Q)$(MAKE) $(build)=scripts scripts/unifdef
 
 # ---------------------------------------------------------------------------
+# Install
+
+# Many distributions have the custom install script, /sbin/installkernel.
+# If DKMS is installed, 'make install' will eventually recuses back
+# to the this Makefile to build and install external modules.
+# Cancel sub_make_done so that options such as M=, V=, etc. are parsed.
+
+install: sub_make_done :=
+
 # Kernel selftest
 
 PHONY += kselftest
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 064/175] bnx2x: fix an error code in bnx2x_nic_load()
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 063/175] kbuild: cancel sub_make_done for the install target to fix DKMS Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 065/175] net: ethernet: ti: am65-cpsw: fix crash in am65_cpsw_port_offload_fwd_mark_update() Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, David S. Miller, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit fb653827c758725b149b5c924a5eb50ab4812750 ]

Set the error code if bnx2x_alloc_fw_stats_mem() fails.  The current
code returns success.

Fixes: ad5afc89365e ("bnx2x: Separate VF and PF logic")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
index 1a6ec1a12d53..b5d954cb409a 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
@@ -2669,7 +2669,8 @@ int bnx2x_nic_load(struct bnx2x *bp, int load_mode)
 	}
 
 	/* Allocated memory for FW statistics  */
-	if (bnx2x_alloc_fw_stats_mem(bp))
+	rc = bnx2x_alloc_fw_stats_mem(bp);
+	if (rc)
 		LOAD_ERROR_EXIT(bp, load_error0);
 
 	/* request pf to initialize status blocks */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 065/175] net: ethernet: ti: am65-cpsw: fix crash in am65_cpsw_port_offload_fwd_mark_update()
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 064/175] bnx2x: fix an error code in bnx2x_nic_load() Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 066/175] net: pegasus: fix uninit-value in get_interrupt_interval Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Grygorii Strashko, David S. Miller,
	Sasha Levin

From: Grygorii Strashko <grygorii.strashko@ti.com>

[ Upstream commit ae03d189bae306e1e00aa631feee090ebda6cf63 ]

The am65_cpsw_port_offload_fwd_mark_update() causes NULL exception crash
when there is at least one disabled port and any other port added to the
bridge first time.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000858
pc : am65_cpsw_port_offload_fwd_mark_update+0x54/0x68
lr : am65_cpsw_netdevice_event+0x8c/0xf0
Call trace:
am65_cpsw_port_offload_fwd_mark_update+0x54/0x68
notifier_call_chain+0x54/0x98
raw_notifier_call_chain+0x14/0x20
call_netdevice_notifiers_info+0x34/0x78
__netdev_upper_dev_link+0x1c8/0x290
netdev_master_upper_dev_link+0x1c/0x28
br_add_if+0x3f0/0x6d0 [bridge]

Fix it by adding proper check for port->ndev != NULL.

Fixes: 2934db9bcb30 ("net: ti: am65-cpsw-nuss: Add netdevice notifiers")
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ti/am65-cpsw-nuss.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
index 718539cdd2f2..67a08cbba859 100644
--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
@@ -2060,8 +2060,12 @@ static void am65_cpsw_port_offload_fwd_mark_update(struct am65_cpsw_common *comm
 
 	for (i = 1; i <= common->port_num; i++) {
 		struct am65_cpsw_port *port = am65_common_get_port(common, i);
-		struct am65_cpsw_ndev_priv *priv = am65_ndev_to_priv(port->ndev);
+		struct am65_cpsw_ndev_priv *priv;
 
+		if (!port->ndev)
+			continue;
+
+		priv = am65_ndev_to_priv(port->ndev);
 		priv->offload_fwd_mark = set_val;
 	}
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 066/175] net: pegasus: fix uninit-value in get_interrupt_interval
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 065/175] net: ethernet: ti: am65-cpsw: fix crash in am65_cpsw_port_offload_fwd_mark_update() Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 067/175] net: fec: fix use-after-free in fec_drv_remove Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, Jakub Kicinski,
	Sasha Levin, syzbot+02c9f70f3afae308464a

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit af35fc37354cda3c9c8cc4961b1d24bdc9d27903 ]

Syzbot reported uninit value pegasus_probe(). The problem was in missing
error handling.

get_interrupt_interval() internally calls read_eprom_word() which can
fail in some cases. For example: failed to receive usb control message.
These cases should be handled to prevent uninit value bug, since
read_eprom_word() will not initialize passed stack variable in case of
internal failure.

Fail log:

BUG: KMSAN: uninit-value in get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
BUG: KMSAN: uninit-value in pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
CPU: 1 PID: 825 Comm: kworker/1:1 Not tainted 5.12.0-rc6-syzkaller #0
...
Workqueue: usb_hub_wq hub_event
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x24c/0x2e0 lib/dump_stack.c:120
 kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x5c/0xa0 mm/kmsan/kmsan_instr.c:197
 get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
 pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
....

Local variable ----data.i@pegasus_probe created at:
 get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
 pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152
 get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
 pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152

Reported-and-tested-by: syzbot+02c9f70f3afae308464a@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/20210804143005.439-1-paskripkin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/pegasus.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
index 9a907182569c..bc2dbf86496b 100644
--- a/drivers/net/usb/pegasus.c
+++ b/drivers/net/usb/pegasus.c
@@ -735,12 +735,16 @@ static inline void disable_net_traffic(pegasus_t *pegasus)
 	set_registers(pegasus, EthCtrl0, sizeof(tmp), &tmp);
 }
 
-static inline void get_interrupt_interval(pegasus_t *pegasus)
+static inline int get_interrupt_interval(pegasus_t *pegasus)
 {
 	u16 data;
 	u8 interval;
+	int ret;
+
+	ret = read_eprom_word(pegasus, 4, &data);
+	if (ret < 0)
+		return ret;
 
-	read_eprom_word(pegasus, 4, &data);
 	interval = data >> 8;
 	if (pegasus->usb->speed != USB_SPEED_HIGH) {
 		if (interval < 0x80) {
@@ -755,6 +759,8 @@ static inline void get_interrupt_interval(pegasus_t *pegasus)
 		}
 	}
 	pegasus->intr_interval = interval;
+
+	return 0;
 }
 
 static void set_carrier(struct net_device *net)
@@ -1149,7 +1155,9 @@ static int pegasus_probe(struct usb_interface *intf,
 				| NETIF_MSG_PROBE | NETIF_MSG_LINK);
 
 	pegasus->features = usb_dev_id[dev_index].private;
-	get_interrupt_interval(pegasus);
+	res = get_interrupt_interval(pegasus);
+	if (res)
+		goto out2;
 	if (reset_mac(pegasus)) {
 		dev_err(&intf->dev, "can't reset MAC\n");
 		res = -EIO;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 067/175] net: fec: fix use-after-free in fec_drv_remove
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 066/175] net: pegasus: fix uninit-value in get_interrupt_interval Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 068/175] net: vxge: fix use-after-free in vxge_device_unregister Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Pavel Skripkin,
	Joakim Zhang, Jesse Brandeburg, Jakub Kicinski, Sasha Levin

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit 44712965bf12ae1758cec4de53816ed4b914ca1a ]

Smatch says:
	drivers/net/ethernet/freescale/fec_main.c:3994 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
	drivers/net/ethernet/freescale/fec_main.c:3995 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);

Since fep pointer is netdev private data, accessing it after free_netdev()
call can cause use-after-free bug. Fix it by moving free_netdev() call at
the end of the function

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Joakim Zhang <qiangqing.zhang@nxp.com>
Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/fec_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index 8aea707a65a7..7e4c4980ced7 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -3843,13 +3843,13 @@ fec_drv_remove(struct platform_device *pdev)
 	if (of_phy_is_fixed_link(np))
 		of_phy_deregister_fixed_link(np);
 	of_node_put(fep->phy_node);
-	free_netdev(ndev);
 
 	clk_disable_unprepare(fep->clk_ahb);
 	clk_disable_unprepare(fep->clk_ipg);
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 
+	free_netdev(ndev);
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 068/175] net: vxge: fix use-after-free in vxge_device_unregister
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 067/175] net: fec: fix use-after-free in fec_drv_remove Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 069/175] blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Pavel Skripkin,
	Jesse Brandeburg, Jakub Kicinski, Sasha Levin

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit 942e560a3d3862dd5dee1411dbdd7097d29b8416 ]

Smatch says:
drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);

Since vdev pointer is netdev private data accessing it after free_netdev()
call can cause use-after-free bug. Fix it by moving free_netdev() call at
the end of the function

Fixes: 6cca200362b4 ("vxge: cleanup probe error paths")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/neterion/vxge/vxge-main.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c
index 87892bd992b1..56556373548c 100644
--- a/drivers/net/ethernet/neterion/vxge/vxge-main.c
+++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c
@@ -3527,13 +3527,13 @@ static void vxge_device_unregister(struct __vxge_hw_device *hldev)
 
 	kfree(vdev->vpaths);
 
-	/* we are safe to free it now */
-	free_netdev(dev);
-
 	vxge_debug_init(vdev->level_trace, "%s: ethernet device unregistered",
 			buf);
 	vxge_debug_entryexit(vdev->level_trace,	"%s: %s:%d  Exiting...", buf,
 			     __func__, __LINE__);
+
+	/* we are safe to free it now */
+	free_netdev(dev);
 }
 
 /*
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 069/175] blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit()
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 068/175] net: vxge: fix use-after-free in vxge_device_unregister Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 070/175] Bluetooth: defer cleanup of resources in hci_unregister_dev() Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yu Kuai, Tejun Heo, Jens Axboe, Sasha Levin

From: Yu Kuai <yukuai3@huawei.com>

[ Upstream commit 8d75d0eff6887bcac7225e12b9c75595e523d92d ]

If queue is dying while iolatency_set_limit() is in progress,
blk_get_queue() won't increment the refcount of the queue. However,
blk_put_queue() will still decrement the refcount later, which will
cause the refcout to be unbalanced.

Thus error out in such case to fix the problem.

Fixes: 8c772a9bfc7c ("blk-iolatency: fix IO hang due to negative inflight counter")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Acked-by: Tejun Heo <tj@kernel.org>
Link: https://lore.kernel.org/r/20210805124645.543797-1-yukuai3@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-iolatency.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
index 81be0096411d..d8b0d8bd132b 100644
--- a/block/blk-iolatency.c
+++ b/block/blk-iolatency.c
@@ -833,7 +833,11 @@ static ssize_t iolatency_set_limit(struct kernfs_open_file *of, char *buf,
 
 	enable = iolatency_set_min_lat_nsec(blkg, lat_val);
 	if (enable) {
-		WARN_ON_ONCE(!blk_get_queue(blkg->q));
+		if (!blk_get_queue(blkg->q)) {
+			ret = -ENODEV;
+			goto out;
+		}
+
 		blkg_get(blkg);
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 070/175] Bluetooth: defer cleanup of resources in hci_unregister_dev()
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 069/175] blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 071/175] io-wq: fix no lock protection of acct->nr_worker Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot, Linus Torvalds, Tetsuo Handa,
	Luiz Augusto von Dentz, Sasha Levin

From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>

[ Upstream commit e04480920d1eec9c061841399aa6f35b6f987d8b ]

syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
calling lock_sock() with rw spinlock held [1].

It seems that history of this locking problem is a trial and error.

Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in
hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to
lock_sock() as an attempt to fix lockdep warning.

Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in
hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the
sleep in atomic context warning.

Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from
hci_sock.c") in 3.3-rc1 removed local_bh_disable().

Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF
of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
lock_sock() as an attempt to fix CVE-2021-3573.

This difficulty comes from current implementation that
hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
references from sockets because hci_unregister_dev() immediately
reclaims resources as soon as returning from
hci_sock_dev_event(HCI_DEV_UNREG).

But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
doing what it should do.

Therefore, instead of trying to detach sockets from device, let's accept
not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
by moving actual cleanup of resources from hci_unregister_dev() to
hci_cleanup_dev() which is called by bt_host_release() when all
references to this unregistered device (which is a kobject) are gone.

Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
hci_pi(sk)->hdev, we need to check whether this device was unregistered
and return an error based on HCI_UNREGISTER flag.  There might be subtle
behavioral difference in "monitor the hdev" functionality; please report
if you found something went wrong due to this patch.

Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
Reported-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object")
Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/bluetooth/hci_core.h |  1 +
 net/bluetooth/hci_core.c         | 16 +++++------
 net/bluetooth/hci_sock.c         | 49 +++++++++++++++++++++-----------
 net/bluetooth/hci_sysfs.c        |  3 ++
 4 files changed, 45 insertions(+), 24 deletions(-)

diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 89c8406dddb4..34a92d5ed12b 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -1229,6 +1229,7 @@ struct hci_dev *hci_alloc_dev(void);
 void hci_free_dev(struct hci_dev *hdev);
 int hci_register_dev(struct hci_dev *hdev);
 void hci_unregister_dev(struct hci_dev *hdev);
+void hci_cleanup_dev(struct hci_dev *hdev);
 int hci_suspend_dev(struct hci_dev *hdev);
 int hci_resume_dev(struct hci_dev *hdev);
 int hci_reset_dev(struct hci_dev *hdev);
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 7d71d104fdfd..ee59d1c7f1f6 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3976,14 +3976,10 @@ EXPORT_SYMBOL(hci_register_dev);
 /* Unregister HCI device */
 void hci_unregister_dev(struct hci_dev *hdev)
 {
-	int id;
-
 	BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
 
 	hci_dev_set_flag(hdev, HCI_UNREGISTER);
 
-	id = hdev->id;
-
 	write_lock(&hci_dev_list_lock);
 	list_del(&hdev->list);
 	write_unlock(&hci_dev_list_lock);
@@ -4018,7 +4014,14 @@ void hci_unregister_dev(struct hci_dev *hdev)
 	}
 
 	device_del(&hdev->dev);
+	/* Actual cleanup is deferred until hci_cleanup_dev(). */
+	hci_dev_put(hdev);
+}
+EXPORT_SYMBOL(hci_unregister_dev);
 
+/* Cleanup HCI device */
+void hci_cleanup_dev(struct hci_dev *hdev)
+{
 	debugfs_remove_recursive(hdev->debugfs);
 	kfree_const(hdev->hw_info);
 	kfree_const(hdev->fw_info);
@@ -4043,11 +4046,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
 	hci_blocked_keys_clear(hdev);
 	hci_dev_unlock(hdev);
 
-	hci_dev_put(hdev);
-
-	ida_simple_remove(&hci_index_ida, id);
+	ida_simple_remove(&hci_index_ida, hdev->id);
 }
-EXPORT_SYMBOL(hci_unregister_dev);
 
 /* Suspend HCI device */
 int hci_suspend_dev(struct hci_dev *hdev)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index eed0dd066e12..53f85d7c5f9e 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -59,6 +59,17 @@ struct hci_pinfo {
 	char              comm[TASK_COMM_LEN];
 };
 
+static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
+{
+	struct hci_dev *hdev = hci_pi(sk)->hdev;
+
+	if (!hdev)
+		return ERR_PTR(-EBADFD);
+	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+		return ERR_PTR(-EPIPE);
+	return hdev;
+}
+
 void hci_sock_set_flag(struct sock *sk, int nr)
 {
 	set_bit(nr, &hci_pi(sk)->flags);
@@ -759,19 +770,13 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
 	if (event == HCI_DEV_UNREG) {
 		struct sock *sk;
 
-		/* Detach sockets from device */
+		/* Wake up sockets using this dead device */
 		read_lock(&hci_sk_list.lock);
 		sk_for_each(sk, &hci_sk_list.head) {
-			lock_sock(sk);
 			if (hci_pi(sk)->hdev == hdev) {
-				hci_pi(sk)->hdev = NULL;
 				sk->sk_err = EPIPE;
-				sk->sk_state = BT_OPEN;
 				sk->sk_state_change(sk);
-
-				hci_dev_put(hdev);
 			}
-			release_sock(sk);
 		}
 		read_unlock(&hci_sk_list.lock);
 	}
@@ -930,10 +935,10 @@ static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
 static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
 				unsigned long arg)
 {
-	struct hci_dev *hdev = hci_pi(sk)->hdev;
+	struct hci_dev *hdev = hci_hdev_from_sock(sk);
 
-	if (!hdev)
-		return -EBADFD;
+	if (IS_ERR(hdev))
+		return PTR_ERR(hdev);
 
 	if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
 		return -EBUSY;
@@ -1103,6 +1108,18 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
 
 	lock_sock(sk);
 
+	/* Allow detaching from dead device and attaching to alive device, if
+	 * the caller wants to re-bind (instead of close) this socket in
+	 * response to hci_sock_dev_event(HCI_DEV_UNREG) notification.
+	 */
+	hdev = hci_pi(sk)->hdev;
+	if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
+		hci_pi(sk)->hdev = NULL;
+		sk->sk_state = BT_OPEN;
+		hci_dev_put(hdev);
+	}
+	hdev = NULL;
+
 	if (sk->sk_state == BT_BOUND) {
 		err = -EALREADY;
 		goto done;
@@ -1379,9 +1396,9 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
 
 	lock_sock(sk);
 
-	hdev = hci_pi(sk)->hdev;
-	if (!hdev) {
-		err = -EBADFD;
+	hdev = hci_hdev_from_sock(sk);
+	if (IS_ERR(hdev)) {
+		err = PTR_ERR(hdev);
 		goto done;
 	}
 
@@ -1743,9 +1760,9 @@ static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
 		goto done;
 	}
 
-	hdev = hci_pi(sk)->hdev;
-	if (!hdev) {
-		err = -EBADFD;
+	hdev = hci_hdev_from_sock(sk);
+	if (IS_ERR(hdev)) {
+		err = PTR_ERR(hdev);
 		goto done;
 	}
 
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 9874844a95a9..b69d88b88d2e 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -83,6 +83,9 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
 static void bt_host_release(struct device *dev)
 {
 	struct hci_dev *hdev = to_hci_dev(dev);
+
+	if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+		hci_cleanup_dev(hdev);
 	kfree(hdev);
 	module_put(THIS_MODULE);
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 071/175] io-wq: fix no lock protection of acct->nr_worker
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 070/175] Bluetooth: defer cleanup of resources in hci_unregister_dev() Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 072/175] io-wq: fix lack of acct->nr_workers < acct->max_workers judgement Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hao Xu, Jens Axboe, Sasha Levin

From: Hao Xu <haoxu@linux.alibaba.com>

[ Upstream commit 3d4e4face9c1548752a2891e98b38b100feee336 ]

There is an acct->nr_worker visit without lock protection. Think about
the case: two callers call io_wqe_wake_worker(), one is the original
context and the other one is an io-worker(by calling
io_wqe_enqueue(wqe, linked)), on two cpus paralelly, this may cause
nr_worker to be larger than max_worker.
Let's fix it by adding lock for it, and let's do nr_workers++ before
create_io_worker. There may be a edge cause that the first caller fails
to create an io-worker, but the second caller doesn't know it and then
quit creating io-worker as well:

say nr_worker = max_worker - 1
        cpu 0                        cpu 1
   io_wqe_wake_worker()          io_wqe_wake_worker()
      nr_worker < max_worker
      nr_worker++
      create_io_worker()         nr_worker == max_worker
         failed                  return
      return

But the chance of this case is very slim.

Fixes: 685fe7feedb9 ("io-wq: eliminate the need for a manager thread")
Signed-off-by: Hao Xu <haoxu@linux.alibaba.com>
[axboe: fix unconditional create_io_worker() call]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/io-wq.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/fs/io-wq.c b/fs/io-wq.c
index 9efecdf025b9..e00ac0969470 100644
--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -248,10 +248,19 @@ static void io_wqe_wake_worker(struct io_wqe *wqe, struct io_wqe_acct *acct)
 	ret = io_wqe_activate_free_worker(wqe);
 	rcu_read_unlock();
 
-	if (!ret && acct->nr_workers < acct->max_workers) {
-		atomic_inc(&acct->nr_running);
-		atomic_inc(&wqe->wq->worker_refs);
-		create_io_worker(wqe->wq, wqe, acct->index);
+	if (!ret) {
+		bool do_create = false;
+
+		raw_spin_lock_irq(&wqe->lock);
+		if (acct->nr_workers < acct->max_workers) {
+			atomic_inc(&acct->nr_running);
+			atomic_inc(&wqe->wq->worker_refs);
+			acct->nr_workers++;
+			do_create = true;
+		}
+		raw_spin_unlock_irq(&wqe->lock);
+		if (do_create)
+			create_io_worker(wqe->wq, wqe, acct->index);
 	}
 }
 
@@ -640,6 +649,9 @@ static void create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index)
 		kfree(worker);
 fail:
 		atomic_dec(&acct->nr_running);
+		raw_spin_lock_irq(&wqe->lock);
+		acct->nr_workers--;
+		raw_spin_unlock_irq(&wqe->lock);
 		io_worker_ref_put(wq);
 		return;
 	}
@@ -655,9 +667,8 @@ fail:
 	worker->flags |= IO_WORKER_F_FREE;
 	if (index == IO_WQ_ACCT_BOUND)
 		worker->flags |= IO_WORKER_F_BOUND;
-	if (!acct->nr_workers && (worker->flags & IO_WORKER_F_BOUND))
+	if ((acct->nr_workers == 1) && (worker->flags & IO_WORKER_F_BOUND))
 		worker->flags |= IO_WORKER_F_FIXED;
-	acct->nr_workers++;
 	raw_spin_unlock_irq(&wqe->lock);
 	wake_up_new_task(tsk);
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 072/175] io-wq: fix lack of acct->nr_workers < acct->max_workers judgement
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 071/175] io-wq: fix no lock protection of acct->nr_worker Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 073/175] USB: usbtmc: Fix RCU stall warning Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hao Xu, Jens Axboe, Sasha Levin

From: Hao Xu <haoxu@linux.alibaba.com>

[ Upstream commit 21698274da5b6fc724b005bc7ec3e6b9fbcfaa06 ]

There should be this judgement before we create an io-worker

Fixes: 685fe7feedb9 ("io-wq: eliminate the need for a manager thread")
Signed-off-by: Hao Xu <haoxu@linux.alibaba.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/io-wq.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/fs/io-wq.c b/fs/io-wq.c
index e00ac0969470..400fba839734 100644
--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -281,9 +281,17 @@ static void create_worker_cb(struct callback_head *cb)
 {
 	struct create_worker_data *cwd;
 	struct io_wq *wq;
+	struct io_wqe *wqe;
+	struct io_wqe_acct *acct;
 
 	cwd = container_of(cb, struct create_worker_data, work);
-	wq = cwd->wqe->wq;
+	wqe = cwd->wqe;
+	wq = wqe->wq;
+	acct = &wqe->acct[cwd->index];
+	raw_spin_lock_irq(&wqe->lock);
+	if (acct->nr_workers < acct->max_workers)
+		acct->nr_workers++;
+	raw_spin_unlock_irq(&wqe->lock);
 	create_io_worker(wq, cwd->wqe, cwd->index);
 	kfree(cwd);
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 073/175] USB: usbtmc: Fix RCU stall warning
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 072/175] io-wq: fix lack of acct->nr_workers < acct->max_workers judgement Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 074/175] USB: serial: option: add Telit FD980 composition 0x1056 Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e2eae5639e7203360018,
	Qiang.zhang, Guido Kiener

From: Qiang.zhang <qiang.zhang@windriver.com>

commit 30fad76ce4e98263edfa8f885c81d5426c1bf169 upstream.

rcu: INFO: rcu_preempt self-detected stall on CPU
rcu:    1-...!: (2 ticks this GP) idle=d92/1/0x4000000000000000
        softirq=25390/25392 fqs=3
        (t=12164 jiffies g=31645 q=43226)
rcu: rcu_preempt kthread starved for 12162 jiffies! g31645 f0x0
     RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu:    Unless rcu_preempt kthread gets sufficient CPU time,
        OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt     state:R  running task
...........
usbtmc 3-1:0.0: unknown status received: -71
usbtmc 3-1:0.0: unknown status received: -71
usbtmc 3-1:0.0: unknown status received: -71
usbtmc 3-1:0.0: unknown status received: -71
usbtmc 3-1:0.0: unknown status received: -71
usbtmc 3-1:0.0: unknown status received: -71
usbtmc 3-1:0.0: unknown status received: -71
usbtmc 3-1:0.0: unknown status received: -71
usbtmc 3-1:0.0: usb_submit_urb failed: -19

The function usbtmc_interrupt() resubmits urbs when the error status
of an urb is -EPROTO. In systems using the dummy_hcd usb controller
this can result in endless interrupt loops when the usbtmc device is
disconnected from the host system.

Since host controller drivers already try to recover from transmission
errors, there is no need to resubmit the urb or try other solutions
to repair the error situation.

In case of errors the INT pipe just stops to wait for further packets.

Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation")
Cc: stable@vger.kernel.org
Reported-by: syzbot+e2eae5639e7203360018@syzkaller.appspotmail.com
Signed-off-by: Qiang.zhang <qiang.zhang@windriver.com>
Acked-by: Guido Kiener <guido.kiener@rohde-schwarz.com>
Link: https://lore.kernel.org/r/20210723004334.458930-1-qiang.zhang@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usbtmc.c |    9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -2324,17 +2324,10 @@ static void usbtmc_interrupt(struct urb
 		dev_err(dev, "overflow with length %d, actual length is %d\n",
 			data->iin_wMaxPacketSize, urb->actual_length);
 		fallthrough;
-	case -ECONNRESET:
-	case -ENOENT:
-	case -ESHUTDOWN:
-	case -EILSEQ:
-	case -ETIME:
-	case -EPIPE:
+	default:
 		/* urb terminated, clean up */
 		dev_dbg(dev, "urb terminated, status: %d\n", status);
 		return;
-	default:
-		dev_err(dev, "unknown status received: %d\n", status);
 	}
 exit:
 	rv = usb_submit_urb(urb, GFP_ATOMIC);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 074/175] USB: serial: option: add Telit FD980 composition 0x1056
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 073/175] USB: usbtmc: Fix RCU stall warning Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 075/175] USB: serial: ch341: fix character loss at high transfer rates Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniele Palmas, Johan Hovold

From: Daniele Palmas <dnlplm@gmail.com>

commit 5648c073c33d33a0a19d0cb1194a4eb88efe2b71 upstream.

Add the following Telit FD980 composition 0x1056:

Cfg #1: mass storage
Cfg #2: rndis, tty, adb, tty, tty, tty, tty

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Link: https://lore.kernel.org/r/20210803194711.3036-1-dnlplm@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1203,6 +1203,8 @@ static const struct usb_device_id option
 	  .driver_info = NCTRL(2) | RSVD(3) },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1055, 0xff),	/* Telit FN980 (PCIe) */
 	  .driver_info = NCTRL(0) | RSVD(1) },
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1056, 0xff),	/* Telit FD980 */
+	  .driver_info = NCTRL(2) | RSVD(3) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
 	  .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 075/175] USB: serial: ch341: fix character loss at high transfer rates
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 074/175] USB: serial: option: add Telit FD980 composition 0x1056 Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 076/175] USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Willy Tarreau, Johan Hovold

From: Willy Tarreau <w@1wt.eu>

commit 3c18e9baee0ef97510dcda78c82285f52626764b upstream.

The chip supports high transfer rates, but with the small default buffers
(64 bytes read), some entire blocks are regularly lost. This typically
happens at 1.5 Mbps (which is the default speed on Rockchip devices) when
used as a console to access U-Boot where the output of the "help" command
misses many lines and where "printenv" mangles the environment.

The FTDI driver doesn't suffer at all from this. One difference is that
it uses 512 bytes rx buffers and 256 bytes tx buffers. Adopting these
values completely resolved the issue, even the output of "dmesg" is
reliable. I preferred to leave the Tx value unchanged as it is not
involved in this issue, while a change could increase the risk of
triggering the same issue with other devices having too small buffers.

I verified that it backports well (and works) at least to 5.4. It's of
low importance enough to be dropped where it doesn't trivially apply
anymore.

Cc: stable@vger.kernel.org
Signed-off-by: Willy Tarreau <w@1wt.eu>
Link: https://lore.kernel.org/r/20210724152739.18726-1-w@1wt.eu
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/ch341.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/ch341.c
+++ b/drivers/usb/serial/ch341.c
@@ -851,6 +851,7 @@ static struct usb_serial_driver ch341_de
 		.owner	= THIS_MODULE,
 		.name	= "ch341-uart",
 	},
+	.bulk_in_size      = 512,
 	.id_table          = id_table,
 	.num_ports         = 1,
 	.open              = ch341_open,



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 076/175] USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 075/175] USB: serial: ch341: fix character loss at high transfer rates Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 077/175] USB: serial: pl2303: fix HX type detection Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Bauer, Johan Hovold

From: David Bauer <mail@david-bauer.net>

commit 8da0e55c7988ef9f08a708c38e5c75ecd8862cf8 upstream.

The Auto-M3 OP-COM v2 is a OBD diagnostic device using a FTD232 for the
USB connection.

Signed-off-by: David Bauer <mail@david-bauer.net>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/ftdi_sio.c     |    1 +
 drivers/usb/serial/ftdi_sio_ids.h |    3 +++
 2 files changed, 4 insertions(+)

--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -219,6 +219,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(FTDI_VID, FTDI_MTXORB_6_PID) },
 	{ USB_DEVICE(FTDI_VID, FTDI_R2000KU_TRUE_RNG) },
 	{ USB_DEVICE(FTDI_VID, FTDI_VARDAAN_PID) },
+	{ USB_DEVICE(FTDI_VID, FTDI_AUTO_M3_OP_COM_V2_PID) },
 	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_0100_PID) },
 	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_0101_PID) },
 	{ USB_DEVICE(MTXORB_VID, MTXORB_FTDI_RANGE_0102_PID) },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -159,6 +159,9 @@
 /* Vardaan Enterprises Serial Interface VEUSB422R3 */
 #define FTDI_VARDAAN_PID	0xF070
 
+/* Auto-M3 Ltd. - OP-COM USB V2 - OBD interface Adapter */
+#define FTDI_AUTO_M3_OP_COM_V2_PID	0x4f50
+
 /*
  * Xsens Technologies BV products (http://www.xsens.com).
  */



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 077/175] USB: serial: pl2303: fix HX type detection
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 076/175] USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 078/175] USB: serial: pl2303: fix GT " Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chris, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 1e9faef4d26de33bd6b5018695996e7394119e5b upstream.

The device release number for HX-type devices is configurable in
EEPROM/OTPROM and cannot be used reliably for type detection.

Assume all (non-H) devices with bcdUSB 1.1 and unknown bcdDevice to be
of HX type while adding a bcdDevice check for HXD and TB (1.1 and 2.0,
respectively).

Reported-by: Chris <chris@cyber-anlage.de>
Fixes: 8a7bf7510d1f ("USB: serial: pl2303: amend and tighten type detection")
Cc: stable@vger.kernel.org	# 5.13
Link: https://lore.kernel.org/r/20210730122156.718-1-johan@kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/pl2303.c |   41 +++++++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 16 deletions(-)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -418,24 +418,33 @@ static int pl2303_detect_type(struct usb
 	bcdDevice = le16_to_cpu(desc->bcdDevice);
 	bcdUSB = le16_to_cpu(desc->bcdUSB);
 
-	switch (bcdDevice) {
-	case 0x100:
-		/*
-		 * Assume it's an HXN-type if the device doesn't support the old read
-		 * request value.
-		 */
-		if (bcdUSB == 0x200 && !pl2303_supports_hx_status(serial))
-			return TYPE_HXN;
+	switch (bcdUSB) {
+	case 0x110:
+		switch (bcdDevice) {
+		case 0x300:
+			return TYPE_HX;
+		case 0x400:
+			return TYPE_HXD;
+		default:
+			return TYPE_HX;
+		}
 		break;
-	case 0x300:
-		if (bcdUSB == 0x200)
+	case 0x200:
+		switch (bcdDevice) {
+		case 0x100:
+			/*
+			 * Assume it's an HXN-type if the device doesn't
+			 * support the old read request value.
+			 */
+			if (!pl2303_supports_hx_status(serial))
+				return TYPE_HXN;
+			break;
+		case 0x300:
 			return TYPE_TA;
-
-		return TYPE_HX;
-	case 0x400:
-		return TYPE_HXD;
-	case 0x500:
-		return TYPE_TB;
+		case 0x500:
+			return TYPE_TB;
+		}
+		break;
 	}
 
 	dev_err(&serial->interface->dev,



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 078/175] USB: serial: pl2303: fix GT type detection
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 077/175] USB: serial: pl2303: fix HX type detection Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 079/175] firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vasily Khoruzhick, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 3212a99349cee5fb611d3ffcf0e65bc3cd6dcf2f upstream.

At least some PL2303GT have a bcdDevice of 0x305 instead of 0x100 as the
datasheet claims. Add it to the list of known release numbers for the
HXN (G) type.

Fixes: 894758d0571d ("USB: serial: pl2303: tighten type HXN (G) detection")
Reported-by: Vasily Khoruzhick <anarsoul@gmail.com>
Tested-by: Vasily Khoruzhick <anarsoul@gmail.com>
Cc: stable@vger.kernel.org	# 5.13
Link: https://lore.kernel.org/r/20210804093100.24811-1-johan@kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/pl2303.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -432,6 +432,7 @@ static int pl2303_detect_type(struct usb
 	case 0x200:
 		switch (bcdDevice) {
 		case 0x100:
+		case 0x305:
 			/*
 			 * Assume it's an HXN-type if the device doesn't
 			 * support the old read request value.



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 079/175] firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 078/175] USB: serial: pl2303: fix GT " Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 080/175] firmware_loader: fix use-after-free in firmware_fallback_sysfs Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Luis Chamberlain, Shuah Khan,
	Anirudh Rayabharam

From: Anirudh Rayabharam <mail@anirudhrb.com>

commit 0d6434e10b5377a006f6dd995c8fc5e2d82acddc upstream.

The only motivation for using -EAGAIN in commit 0542ad88fbdd81bb
("firmware loader: Fix _request_firmware_load() return val for fw load
abort") was to distinguish the error from -ENOMEM, and so there is no
real reason in keeping it. -EAGAIN is typically used to tell the
userspace to try something again and in this case re-using the sysfs
loading interface cannot be retried when a timeout happens, so the
return value is also bogus.

-ETIMEDOUT is received when the wait times out and returning that
is much more telling of what the reason for the failure was. So, just
propagate that instead of returning -EAGAIN.

Suggested-by: Luis Chamberlain <mcgrof@kernel.org>
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210728085107.4141-2-mail@anirudhrb.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/firmware_loader/fallback.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/base/firmware_loader/fallback.c
+++ b/drivers/base/firmware_loader/fallback.c
@@ -535,8 +535,6 @@ static int fw_load_sysfs_fallback(struct
 	if (fw_state_is_aborted(fw_priv)) {
 		if (retval == -ERESTARTSYS)
 			retval = -EINTR;
-		else
-			retval = -EAGAIN;
 	} else if (fw_priv->is_paged_buf && !fw_priv->data)
 		retval = -ENOMEM;
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 080/175] firmware_loader: fix use-after-free in firmware_fallback_sysfs
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 079/175] firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 081/175] drm/amdgpu: fix checking pmops when PM_SLEEP is not enabled Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+de271708674e2093097b,
	Shuah Khan, Luis Chamberlain, Anirudh Rayabharam

From: Anirudh Rayabharam <mail@anirudhrb.com>

commit 75d95e2e39b27f733f21e6668af1c9893a97de5e upstream.

This use-after-free happens when a fw_priv object has been freed but
hasn't been removed from the pending list (pending_fw_head). The next
time fw_load_sysfs_fallback tries to insert into the list, it ends up
accessing the pending_list member of the previously freed fw_priv.

The root cause here is that all code paths that abort the fw load
don't delete it from the pending list. For example:

        _request_firmware()
          -> fw_abort_batch_reqs()
              -> fw_state_aborted()

To fix this, delete the fw_priv from the list in __fw_set_state() if
the new state is DONE or ABORTED. This way, all aborts will remove
the fw_priv from the list. Accordingly, remove calls to list_del_init
that were being made before calling fw_state_(aborted|done).

Also, in fw_load_sysfs_fallback, don't add the fw_priv to the pending
list if it is already aborted. Instead, just jump out and return early.

Fixes: bcfbd3523f3c ("firmware: fix a double abort case with fw_load_sysfs_fallback")
Cc: stable <stable@vger.kernel.org>
Reported-by: syzbot+de271708674e2093097b@syzkaller.appspotmail.com
Tested-by: syzbot+de271708674e2093097b@syzkaller.appspotmail.com
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Link: https://lore.kernel.org/r/20210728085107.4141-3-mail@anirudhrb.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/firmware_loader/fallback.c |   12 ++++++++----
 drivers/base/firmware_loader/firmware.h |   10 +++++++++-
 drivers/base/firmware_loader/main.c     |    2 ++
 3 files changed, 19 insertions(+), 5 deletions(-)

--- a/drivers/base/firmware_loader/fallback.c
+++ b/drivers/base/firmware_loader/fallback.c
@@ -89,12 +89,11 @@ static void __fw_load_abort(struct fw_pr
 {
 	/*
 	 * There is a small window in which user can write to 'loading'
-	 * between loading done and disappearance of 'loading'
+	 * between loading done/aborted and disappearance of 'loading'
 	 */
-	if (fw_sysfs_done(fw_priv))
+	if (fw_state_is_aborted(fw_priv) || fw_sysfs_done(fw_priv))
 		return;
 
-	list_del_init(&fw_priv->pending_list);
 	fw_state_aborted(fw_priv);
 }
 
@@ -280,7 +279,6 @@ static ssize_t firmware_loading_store(st
 			 * Same logic as fw_load_abort, only the DONE bit
 			 * is ignored and we set ABORT only on failure.
 			 */
-			list_del_init(&fw_priv->pending_list);
 			if (rc) {
 				fw_state_aborted(fw_priv);
 				written = rc;
@@ -513,6 +511,11 @@ static int fw_load_sysfs_fallback(struct
 	}
 
 	mutex_lock(&fw_lock);
+	if (fw_state_is_aborted(fw_priv)) {
+		mutex_unlock(&fw_lock);
+		retval = -EINTR;
+		goto out;
+	}
 	list_add(&fw_priv->pending_list, &pending_fw_head);
 	mutex_unlock(&fw_lock);
 
@@ -538,6 +541,7 @@ static int fw_load_sysfs_fallback(struct
 	} else if (fw_priv->is_paged_buf && !fw_priv->data)
 		retval = -ENOMEM;
 
+out:
 	device_del(f_dev);
 err_put_dev:
 	put_device(f_dev);
--- a/drivers/base/firmware_loader/firmware.h
+++ b/drivers/base/firmware_loader/firmware.h
@@ -117,8 +117,16 @@ static inline void __fw_state_set(struct
 
 	WRITE_ONCE(fw_st->status, status);
 
-	if (status == FW_STATUS_DONE || status == FW_STATUS_ABORTED)
+	if (status == FW_STATUS_DONE || status == FW_STATUS_ABORTED) {
+#ifdef CONFIG_FW_LOADER_USER_HELPER
+		/*
+		 * Doing this here ensures that the fw_priv is deleted from
+		 * the pending list in all abort/done paths.
+		 */
+		list_del_init(&fw_priv->pending_list);
+#endif
 		complete_all(&fw_st->completion);
+	}
 }
 
 static inline void fw_state_aborted(struct fw_priv *fw_priv)
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -783,8 +783,10 @@ static void fw_abort_batch_reqs(struct f
 		return;
 
 	fw_priv = fw->priv;
+	mutex_lock(&fw_lock);
 	if (!fw_state_is_aborted(fw_priv))
 		fw_state_aborted(fw_priv);
+	mutex_unlock(&fw_lock);
 }
 
 /* called from request_firmware() and request_firmware_work_func() */



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 081/175] drm/amdgpu: fix checking pmops when PM_SLEEP is not enabled
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 080/175] firmware_loader: fix use-after-free in firmware_fallback_sysfs Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 082/175] drm/amdgpu/display: fix DMUB firmware version info Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Alex Deucher,
	Christian König, Pan, Xinhui, amd-gfx, dri-devel,
	linux-next

From: Randy Dunlap <rdunlap@infradead.org>

commit 5706cb3c910cc8283f344bc37a889a8d523a2c6d upstream.

'pm_suspend_target_state' is only available when CONFIG_PM_SLEEP
is set/enabled. OTOH, when both SUSPEND and HIBERNATION are not set,
PM_SLEEP is not set, so this variable cannot be used.

../drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c: In function ‘amdgpu_acpi_is_s0ix_active’:
../drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:1046:11: error: ‘pm_suspend_target_state’ undeclared (first use in this function); did you mean ‘__KSYM_pm_suspend_target_state’?
    return pm_suspend_target_state == PM_SUSPEND_TO_IDLE;
           ^~~~~~~~~~~~~~~~~~~~~~~
           __KSYM_pm_suspend_target_state

Also use shorter IS_ENABLED(CONFIG_foo) notation for checking the
2 config symbols.

Fixes: 91e273712ab8dd ("drm/amdgpu: Check pmops for desired suspend state")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: "Pan, Xinhui" <Xinhui.Pan@amd.com>
Cc: amd-gfx@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Cc: linux-next@vger.kernel.org
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c
@@ -904,7 +904,7 @@ void amdgpu_acpi_fini(struct amdgpu_devi
  */
 bool amdgpu_acpi_is_s0ix_supported(struct amdgpu_device *adev)
 {
-#if defined(CONFIG_AMD_PMC) || defined(CONFIG_AMD_PMC_MODULE)
+#if IS_ENABLED(CONFIG_AMD_PMC) && IS_ENABLED(CONFIG_PM_SLEEP)
 	if (acpi_gbl_FADT.flags & ACPI_FADT_LOW_POWER_S0) {
 		if (adev->flags & AMD_IS_APU)
 			return pm_suspend_target_state == PM_SUSPEND_TO_IDLE;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 082/175] drm/amdgpu/display: fix DMUB firmware version info
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 081/175] drm/amdgpu: fix checking pmops when PM_SLEEP is not enabled Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 083/175] ALSA: pcm - fix mmap capability check for the snd-dummy driver Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shirish S, Alex Deucher

From: Shirish S <shirish.s@amd.com>

commit 0e99e960ce6d5ff586fc0733bc393c087f52c27b upstream.

DMUB firmware info is printed before it gets initialized.
Correct this order to ensure true value is conveyed.

Signed-off-by: Shirish S <shirish.s@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -1493,6 +1493,7 @@ static int dm_dmub_sw_init(struct amdgpu
 	}
 
 	hdr = (const struct dmcub_firmware_header_v1_0 *)adev->dm.dmub_fw->data;
+	adev->dm.dmcub_fw_version = le32_to_cpu(hdr->header.ucode_version);
 
 	if (adev->firmware.load_type == AMDGPU_FW_LOAD_PSP) {
 		adev->firmware.ucode[AMDGPU_UCODE_ID_DMCUB].ucode_id =
@@ -1506,7 +1507,6 @@ static int dm_dmub_sw_init(struct amdgpu
 			 adev->dm.dmcub_fw_version);
 	}
 
-	adev->dm.dmcub_fw_version = le32_to_cpu(hdr->header.ucode_version);
 
 	adev->dm.dmub_srv = kzalloc(sizeof(*adev->dm.dmub_srv), GFP_KERNEL);
 	dmub_srv = adev->dm.dmub_srv;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 083/175] ALSA: pcm - fix mmap capability check for the snd-dummy driver
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 082/175] drm/amdgpu/display: fix DMUB firmware version info Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 084/175] ALSA: hda/realtek: add mic quirk for Acer SF314-42 Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jaroslav Kysela, Takashi Iwai

From: Jaroslav Kysela <perex@perex.cz>

commit 852a8a97776a153be2e6c803218eced45f37a19c upstream.

The snd-dummy driver (fake_buffer configuration) uses the ops->page
callback for the mmap operations. Allow mmap for this case, too.

Cc: <stable@vger.kernel.org>
Fixes: c4824ae7db41 ("ALSA: pcm: Fix mmap capability check")
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://lore.kernel.org/r/20210730090254.612478-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/pcm_native.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/core/pcm_native.c
+++ b/sound/core/pcm_native.c
@@ -246,7 +246,7 @@ static bool hw_support_mmap(struct snd_p
 	if (!(substream->runtime->hw.info & SNDRV_PCM_INFO_MMAP))
 		return false;
 
-	if (substream->ops->mmap)
+	if (substream->ops->mmap || substream->ops->page)
 		return true;
 
 	switch (substream->dma_buffer.dev.type) {



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 084/175] ALSA: hda/realtek: add mic quirk for Acer SF314-42
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 083/175] ALSA: pcm - fix mmap capability check for the snd-dummy driver Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 085/175] ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256) Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Monakov, Takashi Iwai

From: Alexander Monakov <amonakov@ispras.ru>

commit 0d4867a185460397af56b9afe3e2243d3e610e37 upstream.

The Acer Swift SF314-42 laptop is using Realtek ALC255 codec. Add a
quirk so microphone in a headset connected via the right-hand side jack
is usable.

Signed-off-by: Alexander Monakov <amonakov@ispras.ru>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210721170141.24807-1-amonakov@ispras.ru
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8217,6 +8217,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1025, 0x1308, "Acer Aspire Z24-890", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x132a, "Acer TravelMate B114-21", ALC233_FIXUP_ACER_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1330, "Acer TravelMate X514-51T", ALC255_FIXUP_ACER_HEADSET_MIC),
+	SND_PCI_QUIRK(0x1025, 0x142b, "Acer Swift SF314-42", ALC255_FIXUP_ACER_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1025, 0x1430, "Acer TravelMate B311R-31", ALC256_FIXUP_ACER_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1025, 0x1466, "Acer Aspire A515-56", ALC255_FIXUP_ACER_HEADPHONE_AND_MIC),
 	SND_PCI_QUIRK(0x1028, 0x0470, "Dell M101z", ALC269_FIXUP_DELL_M101Z),



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 085/175] ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256)
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 084/175] ALSA: hda/realtek: add mic quirk for Acer SF314-42 Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 086/175] ALSA: usb-audio: Fix superfluous autosuspend recovery Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nikos Liolios, Takashi Iwai

From: Nikos Liolios <liolios.nk@gmail.com>

commit 35171fbfc0d94aa31b009bb475d156ad1941ab50 upstream.

The issue on Acer SWIFT SF314-56 is that headset microphone doesn't work.
The following quirk fixed headset microphone issue. The fixup was found by trial and error.
Note that the fixup of SF314-54/55 (ALC256_FIXUP_ACER_HEADSET_MIC) was not successful on my SF314-56.

Signed-off-by: Nikos Liolios <liolios.nk@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210727030510.36292-1-liolios.nk@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8214,6 +8214,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1025, 0x1290, "Acer Veriton Z4860G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1291, "Acer Veriton Z4660G", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x129c, "Acer SWIFT SF314-55", ALC256_FIXUP_ACER_HEADSET_MIC),
+	SND_PCI_QUIRK(0x1025, 0x1300, "Acer SWIFT SF314-56", ALC256_FIXUP_ACER_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1025, 0x1308, "Acer Aspire Z24-890", ALC286_FIXUP_ACER_AIO_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x132a, "Acer TravelMate B114-21", ALC233_FIXUP_ACER_HEADSET_MIC),
 	SND_PCI_QUIRK(0x1025, 0x1330, "Acer TravelMate X514-51T", ALC255_FIXUP_ACER_HEADSET_MIC),



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 086/175] ALSA: usb-audio: Fix superfluous autosuspend recovery
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 085/175] ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256) Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 087/175] ALSA: usb-audio: Add registration quirk for JBL Quantum 600 Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 66291b6adb66dd3bc96b0f594d88c2ff1300d95f upstream.

The change to restore the autosuspend from the disabled state uses a
wrong check: namely, it should have been the exact comparison of the
quirk_type instead of the bitwise and (&).  Otherwise it matches
wrongly with the other quirk types.

Although re-enabling the autosuspend for the already enabled device
shouldn't matter much, it's better to fix the unbalanced call.

Fixes: 9799110825db ("ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend()")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/s5hr1flh9ov.wl-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/card.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -907,7 +907,7 @@ static void usb_audio_disconnect(struct
 		}
 	}
 
-	if (chip->quirk_type & QUIRK_SETUP_DISABLE_AUTOSUSPEND)
+	if (chip->quirk_type == QUIRK_SETUP_DISABLE_AUTOSUSPEND)
 		usb_enable_autosuspend(interface_to_usbdev(intf));
 
 	chip->num_interfaces--;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 087/175] ALSA: usb-audio: Add registration quirk for JBL Quantum 600
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 086/175] ALSA: usb-audio: Fix superfluous autosuspend recovery Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 088/175] ALSA: usb-audio: Avoid unnecessary or invalid connector selection at resume Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Tsoy, Takashi Iwai

From: Alexander Tsoy <alexander@tsoy.me>

commit 4b0556b96e1fe7723629bd40e3813a30cd632faf upstream.

Apparently JBL Quantum 600 has multiple hardware revisions. Apply
registration quirk to another device id as well.

Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210727093326.1153366-1-alexander@tsoy.me
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/quirks.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1899,6 +1899,7 @@ static const struct registration_quirk r
 	REG_QUIRK_ENTRY(0x0951, 0x16ea, 2),	/* Kingston HyperX Cloud Flight S */
 	REG_QUIRK_ENTRY(0x0ecb, 0x1f46, 2),	/* JBL Quantum 600 */
 	REG_QUIRK_ENTRY(0x0ecb, 0x2039, 2),	/* JBL Quantum 400 */
+	REG_QUIRK_ENTRY(0x0ecb, 0x203c, 2),	/* JBL Quantum 600 */
 	REG_QUIRK_ENTRY(0x0ecb, 0x203e, 2),	/* JBL Quantum 800 */
 	{ 0 }					/* terminator */
 };



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 088/175] ALSA: usb-audio: Avoid unnecessary or invalid connector selection at resume
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 087/175] ALSA: usb-audio: Add registration quirk for JBL Quantum 600 Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 089/175] usb: dwc3: gadget: Use list_replace_init() before traversing lists Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 8dde723fcde4479f256441da03793e37181d9f21 upstream.

The recent fix for the resume on Lenovo machines seems causing a
regression on others.  It's because the change always triggers the
connector selection no matter which widget node type is.

This patch addresses the regression by setting the resume callback
selectively only for the connector widget.

Fixes: 44609fc01f28 ("ALSA: usb-audio: Check connector value on resume")
Cc: <stable@vger.kernel.org>
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213897
Link: https://lore.kernel.org/r/20210729185126.24432-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/mixer.c |   35 ++++++++++++++++++++---------------
 1 file changed, 20 insertions(+), 15 deletions(-)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1816,6 +1816,15 @@ static void get_connector_control_name(s
 		strlcat(name, " - Output Jack", name_size);
 }
 
+/* get connector value to "wake up" the USB audio */
+static int connector_mixer_resume(struct usb_mixer_elem_list *list)
+{
+	struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list);
+
+	get_connector_value(cval, NULL, NULL);
+	return 0;
+}
+
 /* Build a mixer control for a UAC connector control (jack-detect) */
 static void build_connector_control(struct usb_mixer_interface *mixer,
 				    const struct usbmix_name_map *imap,
@@ -1833,6 +1842,10 @@ static void build_connector_control(stru
 	if (!cval)
 		return;
 	snd_usb_mixer_elem_init_std(&cval->head, mixer, term->id);
+
+	/* set up a specific resume callback */
+	cval->head.resume = connector_mixer_resume;
+
 	/*
 	 * UAC2: The first byte from reading the UAC2_TE_CONNECTOR control returns the
 	 * number of channels connected.
@@ -3642,23 +3655,15 @@ static int restore_mixer_value(struct us
 	return 0;
 }
 
-static int default_mixer_resume(struct usb_mixer_elem_list *list)
-{
-	struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list);
-
-	/* get connector value to "wake up" the USB audio */
-	if (cval->val_type == USB_MIXER_BOOLEAN && cval->channels == 1)
-		get_connector_value(cval, NULL, NULL);
-
-	return 0;
-}
-
 static int default_mixer_reset_resume(struct usb_mixer_elem_list *list)
 {
-	int err = default_mixer_resume(list);
+	int err;
 
-	if (err < 0)
-		return err;
+	if (list->resume) {
+		err = list->resume(list);
+		if (err < 0)
+			return err;
+	}
 	return restore_mixer_value(list);
 }
 
@@ -3697,7 +3702,7 @@ void snd_usb_mixer_elem_init_std(struct
 	list->id = unitid;
 	list->dump = snd_usb_mixer_dump_cval;
 #ifdef CONFIG_PM
-	list->resume = default_mixer_resume;
+	list->resume = NULL;
 	list->reset_resume = default_mixer_reset_resume;
 #endif
 }



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 089/175] usb: dwc3: gadget: Use list_replace_init() before traversing lists
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 088/175] ALSA: usb-audio: Avoid unnecessary or invalid connector selection at resume Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 090/175] usb: dwc3: gadget: Avoid runtime resume if disabling pullup Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felipe Balbi, Wesley Cheng

From: Wesley Cheng <wcheng@codeaurora.org>

commit d25d85061bd856d6be221626605319154f9b5043 upstream.

The list_for_each_entry_safe() macro saves the current item (n) and
the item after (n+1), so that n can be safely removed without
corrupting the list.  However, when traversing the list and removing
items using gadget giveback, the DWC3 lock is briefly released,
allowing other routines to execute.  There is a situation where, while
items are being removed from the cancelled_list using
dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable
routine is running in parallel (due to UDC unbind).  As the cleanup
routine removes n, and the pullup disable removes n+1, once the
cleanup retakes the DWC3 lock, it references a request who was already
removed/handled.  With list debug enabled, this leads to a panic.
Ensure all instances of the macro are replaced where gadget giveback
is used.

Example call stack:

Thread#1:
__dwc3_gadget_ep_set_halt() - CLEAR HALT
  -> dwc3_gadget_ep_cleanup_cancelled_requests()
    ->list_for_each_entry_safe()
    ->dwc3_gadget_giveback(n)
      ->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]
      ->spin_unlock
      ->Thread#2 executes
      ...
    ->dwc3_gadget_giveback(n+1)
      ->Already removed!

Thread#2:
dwc3_gadget_pullup()
  ->waiting for dwc3 spin_lock
  ...
  ->Thread#1 released lock
  ->dwc3_stop_active_transfers()
    ->dwc3_remove_requests()
      ->fetches n+1 item from cancelled_list (n removed by Thread#1)
      ->dwc3_gadget_giveback()
        ->dwc3_gadget_del_and_unmap_request()- n+1
deleted[cancelled_list]
        ->spin_unlock

Fix this condition by utilizing list_replace_init(), and traversing
through a local copy of the current elements in the endpoint lists.
This will also set the parent list as empty, so if another thread is
also looping through the list, it will be empty on the next iteration.

Fixes: d4f1afe5e896 ("usb: dwc3: gadget: move requests to cancelled_list")
Cc: stable <stable@vger.kernel.org>
Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
Link: https://lore.kernel.org/r/1627543994-20327-1-git-send-email-wcheng@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/gadget.c |   18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1741,9 +1741,13 @@ static void dwc3_gadget_ep_cleanup_cance
 {
 	struct dwc3_request		*req;
 	struct dwc3_request		*tmp;
+	struct list_head		local;
 	struct dwc3			*dwc = dep->dwc;
 
-	list_for_each_entry_safe(req, tmp, &dep->cancelled_list, list) {
+restart:
+	list_replace_init(&dep->cancelled_list, &local);
+
+	list_for_each_entry_safe(req, tmp, &local, list) {
 		dwc3_gadget_ep_skip_trbs(dep, req);
 		switch (req->status) {
 		case DWC3_REQUEST_STATUS_DISCONNECTED:
@@ -1761,6 +1765,9 @@ static void dwc3_gadget_ep_cleanup_cance
 			break;
 		}
 	}
+
+	if (!list_empty(&dep->cancelled_list))
+		goto restart;
 }
 
 static int dwc3_gadget_ep_dequeue(struct usb_ep *ep,
@@ -2945,8 +2952,12 @@ static void dwc3_gadget_ep_cleanup_compl
 {
 	struct dwc3_request	*req;
 	struct dwc3_request	*tmp;
+	struct list_head	local;
 
-	list_for_each_entry_safe(req, tmp, &dep->started_list, list) {
+restart:
+	list_replace_init(&dep->started_list, &local);
+
+	list_for_each_entry_safe(req, tmp, &local, list) {
 		int ret;
 
 		ret = dwc3_gadget_ep_cleanup_completed_request(dep, event,
@@ -2954,6 +2965,9 @@ static void dwc3_gadget_ep_cleanup_compl
 		if (ret)
 			break;
 	}
+
+	if (!list_empty(&dep->started_list))
+		goto restart;
 }
 
 static bool dwc3_gadget_ep_should_continue(struct dwc3_ep *dep)



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 090/175] usb: dwc3: gadget: Avoid runtime resume if disabling pullup
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 089/175] usb: dwc3: gadget: Use list_replace_init() before traversing lists Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:29 ` [PATCH 5.13 091/175] usb: gadget: remove leaked entry from udc driver list Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felipe Balbi, Wesley Cheng

From: Wesley Cheng <wcheng@codeaurora.org>

commit cb10f68ad8150f243964b19391711aaac5e8ff42 upstream.

If the device is already in the runtime suspended state, any call to
the pullup routine will issue a runtime resume on the DWC3 core
device.  If the USB gadget is disabling the pullup, then avoid having
to issue a runtime resume, as DWC3 gadget has already been
halted/stopped.

This fixes an issue where the following condition occurs:

usb_gadget_remove_driver()
-->usb_gadget_disconnect()
 -->dwc3_gadget_pullup(0)
  -->pm_runtime_get_sync() -> ret = 0
  -->pm_runtime_put() [async]
-->usb_gadget_udc_stop()
 -->dwc3_gadget_stop()
  -->dwc->gadget_driver = NULL
...

dwc3_suspend_common()
-->dwc3_gadget_suspend()
 -->DWC3 halt/stop routine skipped, driver_data == NULL

This leads to a situation where the DWC3 gadget is not properly
stopped, as the runtime resume would have re-enabled EP0 and event
interrupts, and since we avoided the DWC3 gadget suspend, these
resources were never disabled.

Fixes: 77adb8bdf422 ("usb: dwc3: gadget: Allow runtime suspend if UDC unbinded")
Cc: stable <stable@vger.kernel.org>
Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
Link: https://lore.kernel.org/r/1628058245-30692-1-git-send-email-wcheng@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/gadget.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2257,6 +2257,17 @@ static int dwc3_gadget_pullup(struct usb
 	}
 
 	/*
+	 * Avoid issuing a runtime resume if the device is already in the
+	 * suspended state during gadget disconnect.  DWC3 gadget was already
+	 * halted/stopped during runtime suspend.
+	 */
+	if (!is_on) {
+		pm_runtime_barrier(dwc->dev);
+		if (pm_runtime_suspended(dwc->dev))
+			return 0;
+	}
+
+	/*
 	 * Check the return value for successful resume, or error.  For a
 	 * successful resume, the DWC3 runtime PM resume routine will handle
 	 * the run stop sequence, so avoid duplicate operations here.



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 091/175] usb: gadget: remove leaked entry from udc driver list
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 090/175] usb: dwc3: gadget: Avoid runtime resume if disabling pullup Greg Kroah-Hartman
@ 2021-08-10 17:29 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 092/175] usb: cdns3: Fixed incorrect gadget state Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:29 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felipe Balbi, Zhang Qilong

From: Zhang Qilong <zhangqilong3@huawei.com>

commit fa4a8dcfd51b911f101ebc461dfe22230b74dd64 upstream.

The usb_add_gadget_udc will add a new gadget to the udc class
driver list. Not calling usb_del_gadget_udc in error branch
will result in residual gadget entry in the udc driver list.
We fix it by calling usb_del_gadget_udc to clean it when error
return.

Fixes: 48ba02b2e2b1 ("usb: gadget: add udc driver for max3420")
Acked-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
Link: https://lore.kernel.org/r/20210727073142.84666-1-zhangqilong3@huawei.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/udc/max3420_udc.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/udc/max3420_udc.c
+++ b/drivers/usb/gadget/udc/max3420_udc.c
@@ -1260,12 +1260,14 @@ static int max3420_probe(struct spi_devi
 	err = devm_request_irq(&spi->dev, irq, max3420_irq_handler, 0,
 			       "max3420", udc);
 	if (err < 0)
-		return err;
+		goto del_gadget;
 
 	udc->thread_task = kthread_create(max3420_thread, udc,
 					  "max3420-thread");
-	if (IS_ERR(udc->thread_task))
-		return PTR_ERR(udc->thread_task);
+	if (IS_ERR(udc->thread_task)) {
+		err = PTR_ERR(udc->thread_task);
+		goto del_gadget;
+	}
 
 	irq = of_irq_get_byname(spi->dev.of_node, "vbus");
 	if (irq <= 0) { /* no vbus irq implies self-powered design */
@@ -1285,10 +1287,14 @@ static int max3420_probe(struct spi_devi
 		err = devm_request_irq(&spi->dev, irq,
 				       max3420_vbus_handler, 0, "vbus", udc);
 		if (err < 0)
-			return err;
+			goto del_gadget;
 	}
 
 	return 0;
+
+del_gadget:
+	usb_del_gadget_udc(&udc->gadget);
+	return err;
 }
 
 static int max3420_remove(struct spi_device *spi)



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 092/175] usb: cdns3: Fixed incorrect gadget state
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2021-08-10 17:29 ` [PATCH 5.13 091/175] usb: gadget: remove leaked entry from udc driver list Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 093/175] usb: cdnsp: Fixed issue with ZLP Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pawel Laszczak, Peter Chen

From: Pawel Laszczak <pawell@cadence.com>

commit aa35772f61752d4c636d46be51a4f7ca6c029ee6 upstream.

For delayed status phase, the usb_gadget->state was set
to USB_STATE_ADDRESS and it has never been updated to
USB_STATE_CONFIGURED.
Patch updates the gadget state to correct USB_STATE_CONFIGURED.
As a result of this bug the controller was not able to enter to
Test Mode while using MSC function.

Cc: <stable@vger.kernel.org>
Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Link: https://lore.kernel.org/r/20210623070247.46151-1-pawell@gli-login.cadence.com
Signed-off-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdns3-ep0.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/cdns3/cdns3-ep0.c
+++ b/drivers/usb/cdns3/cdns3-ep0.c
@@ -731,6 +731,7 @@ static int cdns3_gadget_ep0_queue(struct
 		request->actual = 0;
 		priv_dev->status_completion_no_call = true;
 		priv_dev->pending_status_request = request;
+		usb_gadget_set_state(&priv_dev->gadget, USB_STATE_CONFIGURED);
 		spin_unlock_irqrestore(&priv_dev->lock, flags);
 
 		/*



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 093/175] usb: cdnsp: Fixed issue with ZLP
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 092/175] usb: cdns3: Fixed incorrect gadget state Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 094/175] usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pawel Laszczak, Peter Chen

From: Pawel Laszczak <pawell@cadence.com>

commit e913aada06830338633fb8524733b0ad3d38a7c1 upstream.

The condition "if (need_zero_pkt && zero_len_trb)" was always false
and it caused that TRB for ZLP was not prepared.

Fix causes that after preparing last TRB in TD, the driver prepares
additional TD with ZLP when a ZLP is required.

Cc: <stable@vger.kernel.org>
Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Link: https://lore.kernel.org/r/20210623072728.41275-1-pawell@gli-login.cadence.com
Signed-off-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdnsp-ring.c |   18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

--- a/drivers/usb/cdns3/cdnsp-ring.c
+++ b/drivers/usb/cdns3/cdnsp-ring.c
@@ -1932,15 +1932,13 @@ int cdnsp_queue_bulk_tx(struct cdnsp_dev
 		}
 
 		if (enqd_len + trb_buff_len >= full_len) {
-			if (need_zero_pkt && zero_len_trb) {
-				zero_len_trb = true;
-			} else {
-				field &= ~TRB_CHAIN;
-				field |= TRB_IOC;
-				more_trbs_coming = false;
-				need_zero_pkt = false;
-				preq->td.last_trb = ring->enqueue;
-			}
+			if (need_zero_pkt)
+				zero_len_trb = !zero_len_trb;
+
+			field &= ~TRB_CHAIN;
+			field |= TRB_IOC;
+			more_trbs_coming = false;
+			preq->td.last_trb = ring->enqueue;
 		}
 
 		/* Only set interrupt on short packet for OUT endpoints. */
@@ -1955,7 +1953,7 @@ int cdnsp_queue_bulk_tx(struct cdnsp_dev
 		length_field = TRB_LEN(trb_buff_len) | TRB_TD_SIZE(remainder) |
 			TRB_INTR_TARGET(0);
 
-		cdnsp_queue_trb(pdev, ring, more_trbs_coming | need_zero_pkt,
+		cdnsp_queue_trb(pdev, ring, more_trbs_coming | zero_len_trb,
 				lower_32_bits(send_addr),
 				upper_32_bits(send_addr),
 				length_field,



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 094/175] usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 093/175] usb: cdnsp: Fixed issue with ZLP Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 095/175] usb: gadget: f_hid: fixed NULL pointer dereference Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felipe Balbi, Maxim Devaev

From: Maxim Devaev <mdevaev@gmail.com>

commit afcff6dc690e24d636a41fd4bee6057e7c70eebd upstream.

The USB HID standard declares mandatory support for GET_IDLE and SET_IDLE
requests for Boot Keyboard. Most hosts can handle their absence, but others
like some old/strange UEFIs and BIOSes consider this a critical error
and refuse to work with f_hid.

This primitive implementation of saving and returning idle is sufficient
to meet the requirements of the standard and these devices.

Acked-by: Felipe Balbi <balbi@kernel.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Maxim Devaev <mdevaev@gmail.com>
Link: https://lore.kernel.org/r/20210721180351.129450-1-mdevaev@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_hid.c |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -41,6 +41,7 @@ struct f_hidg {
 	unsigned char			bInterfaceSubClass;
 	unsigned char			bInterfaceProtocol;
 	unsigned char			protocol;
+	unsigned char			idle;
 	unsigned short			report_desc_length;
 	char				*report_desc;
 	unsigned short			report_length;
@@ -523,6 +524,14 @@ static int hidg_setup(struct usb_functio
 		goto respond;
 		break;
 
+	case ((USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8
+		  | HID_REQ_GET_IDLE):
+		VDBG(cdev, "get_idle\n");
+		length = min_t(unsigned int, length, 1);
+		((u8 *) req->buf)[0] = hidg->idle;
+		goto respond;
+		break;
+
 	case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8
 		  | HID_REQ_SET_REPORT):
 		VDBG(cdev, "set_report | wLength=%d\n", ctrl->wLength);
@@ -546,6 +555,14 @@ static int hidg_setup(struct usb_functio
 		goto stall;
 		break;
 
+	case ((USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE) << 8
+		  | HID_REQ_SET_IDLE):
+		VDBG(cdev, "set_idle\n");
+		length = 0;
+		hidg->idle = value;
+		goto respond;
+		break;
+
 	case ((USB_DIR_IN | USB_TYPE_STANDARD | USB_RECIP_INTERFACE) << 8
 		  | USB_REQ_GET_DESCRIPTOR):
 		switch (value >> 8) {
@@ -773,6 +790,7 @@ static int hidg_bind(struct usb_configur
 	hidg_interface_desc.bInterfaceSubClass = hidg->bInterfaceSubClass;
 	hidg_interface_desc.bInterfaceProtocol = hidg->bInterfaceProtocol;
 	hidg->protocol = HID_REPORT_PROTOCOL;
+	hidg->idle = 1;
 	hidg_ss_in_ep_desc.wMaxPacketSize = cpu_to_le16(hidg->report_length);
 	hidg_ss_in_comp_desc.wBytesPerInterval =
 				cpu_to_le16(hidg->report_length);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 095/175] usb: gadget: f_hid: fixed NULL pointer dereference
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 094/175] usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 096/175] usb: gadget: f_hid: idle uses the highest byte for duration Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maxim Devaev, Phil Elwell

From: Phil Elwell <phil@raspberrypi.com>

commit 2867652e4766360adf14dfda3832455e04964f2a upstream.

Disconnecting and reconnecting the USB cable can lead to crashes
and a variety of kernel log spam.

The problem was found and reproduced on the Raspberry Pi [1]
and the original fix was created in Raspberry's own fork [2].

Link: https://github.com/raspberrypi/linux/issues/3870 [1]
Link: https://github.com/raspberrypi/linux/commit/a6e47d5f4efbd2ea6a0b6565cd2f9b7bb217ded5 [2]
Signed-off-by: Maxim Devaev <mdevaev@gmail.com>
Signed-off-by: Phil Elwell <phil@raspberrypi.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210723155928.210019-1-mdevaev@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_hid.c |   26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -339,6 +339,11 @@ static ssize_t f_hidg_write(struct file
 
 	spin_lock_irqsave(&hidg->write_spinlock, flags);
 
+	if (!hidg->req) {
+		spin_unlock_irqrestore(&hidg->write_spinlock, flags);
+		return -ESHUTDOWN;
+	}
+
 #define WRITE_COND (!hidg->write_pending)
 try_again:
 	/* write queue */
@@ -359,8 +364,14 @@ try_again:
 	count  = min_t(unsigned, count, hidg->report_length);
 
 	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
-	status = copy_from_user(req->buf, buffer, count);
 
+	if (!req) {
+		ERROR(hidg->func.config->cdev, "hidg->req is NULL\n");
+		status = -ESHUTDOWN;
+		goto release_write_pending;
+	}
+
+	status = copy_from_user(req->buf, buffer, count);
 	if (status != 0) {
 		ERROR(hidg->func.config->cdev,
 			"copy_from_user error\n");
@@ -388,14 +399,17 @@ try_again:
 
 	spin_unlock_irqrestore(&hidg->write_spinlock, flags);
 
+	if (!hidg->in_ep->enabled) {
+		ERROR(hidg->func.config->cdev, "in_ep is disabled\n");
+		status = -ESHUTDOWN;
+		goto release_write_pending;
+	}
+
 	status = usb_ep_queue(hidg->in_ep, req, GFP_ATOMIC);
-	if (status < 0) {
-		ERROR(hidg->func.config->cdev,
-			"usb_ep_queue error on int endpoint %zd\n", status);
+	if (status < 0)
 		goto release_write_pending;
-	} else {
+	else
 		status = count;
-	}
 
 	return status;
 release_write_pending:



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 096/175] usb: gadget: f_hid: idle uses the highest byte for duration
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 095/175] usb: gadget: f_hid: fixed NULL pointer dereference Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 097/175] usb: host: ohci-at91: suspend/resume ports after/before OHCI accesses Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maxim Devaev

From: Maxim Devaev <mdevaev@gmail.com>

commit fa20bada3f934e3b3e4af4c77e5b518cd5a282e5 upstream.

SET_IDLE value must be shifted 8 bits to the right to get duration.
This confirmed by USBCV test.

Fixes: afcff6dc690e ("usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Maxim Devaev <mdevaev@gmail.com>
Link: https://lore.kernel.org/r/20210727185800.43796-1-mdevaev@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_hid.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -573,7 +573,7 @@ static int hidg_setup(struct usb_functio
 		  | HID_REQ_SET_IDLE):
 		VDBG(cdev, "set_idle\n");
 		length = 0;
-		hidg->idle = value;
+		hidg->idle = value >> 8;
 		goto respond;
 		break;
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 097/175] usb: host: ohci-at91: suspend/resume ports after/before OHCI accesses
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 096/175] usb: gadget: f_hid: idle uses the highest byte for duration Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 098/175] usb: typec: tcpm: Keep other events when receiving FRS and Sourcing_vbus events Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, Claudiu Beznea

From: Claudiu Beznea <claudiu.beznea@microchip.com>

commit 00de6a572f30ee93cad7e0704ec4232e5e72bda8 upstream.

On SAMA7G5 suspending ports will cut the access to OHCI registers and
any subsequent access to them will lead to CPU being blocked trying to
access that memory. Same thing happens on resume: if OHCI memory is
accessed before resuming ports the CPU will block on that access. The
OCHI memory is accessed on suspend/resume though
ohci_suspend()/ohci_resume().

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210721132905.1970713-1-claudiu.beznea@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/ohci-at91.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/usb/host/ohci-at91.c
+++ b/drivers/usb/host/ohci-at91.c
@@ -611,8 +611,6 @@ ohci_hcd_at91_drv_suspend(struct device
 	if (ohci_at91->wakeup)
 		enable_irq_wake(hcd->irq);
 
-	ohci_at91_port_suspend(ohci_at91->sfr_regmap, 1);
-
 	ret = ohci_suspend(hcd, ohci_at91->wakeup);
 	if (ret) {
 		if (ohci_at91->wakeup)
@@ -632,7 +630,10 @@ ohci_hcd_at91_drv_suspend(struct device
 		/* flush the writes */
 		(void) ohci_readl (ohci, &ohci->regs->control);
 		msleep(1);
+		ohci_at91_port_suspend(ohci_at91->sfr_regmap, 1);
 		at91_stop_clock(ohci_at91);
+	} else {
+		ohci_at91_port_suspend(ohci_at91->sfr_regmap, 1);
 	}
 
 	return ret;
@@ -644,6 +645,8 @@ ohci_hcd_at91_drv_resume(struct device *
 	struct usb_hcd	*hcd = dev_get_drvdata(dev);
 	struct ohci_at91_priv *ohci_at91 = hcd_to_ohci_at91_priv(hcd);
 
+	ohci_at91_port_suspend(ohci_at91->sfr_regmap, 0);
+
 	if (ohci_at91->wakeup)
 		disable_irq_wake(hcd->irq);
 	else
@@ -651,8 +654,6 @@ ohci_hcd_at91_drv_resume(struct device *
 
 	ohci_resume(hcd, false);
 
-	ohci_at91_port_suspend(ohci_at91->sfr_regmap, 0);
-
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 098/175] usb: typec: tcpm: Keep other events when receiving FRS and Sourcing_vbus events
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 097/175] usb: host: ohci-at91: suspend/resume ports after/before OHCI accesses Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 099/175] usb: otg-fsm: Fix hrtimer list corruption Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Badhri Jagan Sridharan,
	Guenter Roeck, Kyle Tso

From: Kyle Tso <kyletso@google.com>

commit 43ad944cd73f2360ec8ff31d29ea44830b3119af upstream.

When receiving FRS and Sourcing_Vbus events from low-level drivers, keep
other events which come a bit earlier so that they will not be ignored
in the event handler.

Fixes: 8dc4bd073663 ("usb: typec: tcpm: Add support for Sink Fast Role SWAP(FRS)")
Cc: stable <stable@vger.kernel.org>
Cc: Badhri Jagan Sridharan <badhri@google.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
Signed-off-by: Kyle Tso <kyletso@google.com>
Link: https://lore.kernel.org/r/20210803091314.3051302-1-kyletso@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -5355,7 +5355,7 @@ EXPORT_SYMBOL_GPL(tcpm_pd_hard_reset);
 void tcpm_sink_frs(struct tcpm_port *port)
 {
 	spin_lock(&port->pd_event_lock);
-	port->pd_events = TCPM_FRS_EVENT;
+	port->pd_events |= TCPM_FRS_EVENT;
 	spin_unlock(&port->pd_event_lock);
 	kthread_queue_work(port->wq, &port->event_work);
 }
@@ -5364,7 +5364,7 @@ EXPORT_SYMBOL_GPL(tcpm_sink_frs);
 void tcpm_sourcing_vbus(struct tcpm_port *port)
 {
 	spin_lock(&port->pd_event_lock);
-	port->pd_events = TCPM_SOURCING_VBUS;
+	port->pd_events |= TCPM_SOURCING_VBUS;
 	spin_unlock(&port->pd_event_lock);
 	kthread_queue_work(port->wq, &port->event_work);
 }



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 099/175] usb: otg-fsm: Fix hrtimer list corruption
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 098/175] usb: typec: tcpm: Keep other events when receiving FRS and Sourcing_vbus events Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 100/175] clk: fix leak on devm_clk_bulk_get_all() unwind Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen, Dmitry Osipenko

From: Dmitry Osipenko <digetx@gmail.com>

commit bf88fef0b6f1488abeca594d377991171c00e52a upstream.

The HNP work can be re-scheduled while it's still in-fly. This results in
re-initialization of the busy work, resetting the hrtimer's list node of
the work and crashing kernel with null dereference within kernel/timer
once work's timer is expired. It's very easy to trigger this problem by
re-plugging USB cable quickly. Initialize HNP work only once to fix this
trouble.

 Unable to handle kernel NULL pointer dereference at virtual address 00000126)
 ...
 PC is at __run_timers.part.0+0x150/0x228
 LR is at __next_timer_interrupt+0x51/0x9c
 ...
 (__run_timers.part.0) from [<c0187a2b>] (run_timer_softirq+0x2f/0x50)
 (run_timer_softirq) from [<c01013ad>] (__do_softirq+0xd5/0x2f0)
 (__do_softirq) from [<c012589b>] (irq_exit+0xab/0xb8)
 (irq_exit) from [<c0170341>] (handle_domain_irq+0x45/0x60)
 (handle_domain_irq) from [<c04c4a43>] (gic_handle_irq+0x6b/0x7c)
 (gic_handle_irq) from [<c0100b65>] (__irq_svc+0x65/0xac)

Cc: stable@vger.kernel.org
Acked-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Link: https://lore.kernel.org/r/20210717182134.30262-6-digetx@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/common/usb-otg-fsm.c |    6 +++++-
 include/linux/usb/otg-fsm.h      |    1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/usb/common/usb-otg-fsm.c
+++ b/drivers/usb/common/usb-otg-fsm.c
@@ -193,7 +193,11 @@ static void otg_start_hnp_polling(struct
 	if (!fsm->host_req_flag)
 		return;
 
-	INIT_DELAYED_WORK(&fsm->hnp_polling_work, otg_hnp_polling_work);
+	if (!fsm->hnp_work_inited) {
+		INIT_DELAYED_WORK(&fsm->hnp_polling_work, otg_hnp_polling_work);
+		fsm->hnp_work_inited = true;
+	}
+
 	schedule_delayed_work(&fsm->hnp_polling_work,
 					msecs_to_jiffies(T_HOST_REQ_POLL));
 }
--- a/include/linux/usb/otg-fsm.h
+++ b/include/linux/usb/otg-fsm.h
@@ -196,6 +196,7 @@ struct otg_fsm {
 	struct mutex lock;
 	u8 *host_req_flag;
 	struct delayed_work hnp_polling_work;
+	bool hnp_work_inited;
 	bool state_changed;
 };
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 100/175] clk: fix leak on devm_clk_bulk_get_all() unwind
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 099/175] usb: otg-fsm: Fix hrtimer list corruption Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 101/175] scripts/tracing: fix the bug that cant parse raw_trace_func Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dong Aisheng, Brian Norris, Stephen Boyd

From: Brian Norris <briannorris@chromium.org>

commit f828b0bcacef189edbd247e9f48864fc36bfbe33 upstream.

clk_bulk_get_all() allocates an array of struct clk_bulk data for us
(unlike clk_bulk_get()), so we need to free it. Let's use the
clk_bulk_put_all() helper.

kmemleak complains, on an RK3399 Gru/Kevin system:

unreferenced object 0xffffff80045def00 (size 128):
  comm "swapper/0", pid 1, jiffies 4294667682 (age 86.394s)
  hex dump (first 32 bytes):
    44 32 60 fe fe ff ff ff 00 00 00 00 00 00 00 00  D2`.............
    48 32 60 fe fe ff ff ff 00 00 00 00 00 00 00 00  H2`.............
  backtrace:
    [<00000000742860d6>] __kmalloc+0x22c/0x39c
    [<00000000b0493f2c>] clk_bulk_get_all+0x64/0x188
    [<00000000325f5900>] devm_clk_bulk_get_all+0x58/0xa8
    [<00000000175b9bc5>] dwc3_probe+0x8ac/0xb5c
    [<000000009169e2f9>] platform_drv_probe+0x9c/0xbc
    [<000000005c51e2ee>] really_probe+0x13c/0x378
    [<00000000c47b1f24>] driver_probe_device+0x84/0xc0
    [<00000000f870fcfb>] __device_attach_driver+0x94/0xb0
    [<000000004d1b92ae>] bus_for_each_drv+0x8c/0xd8
    [<00000000481d60c3>] __device_attach+0xc4/0x150
    [<00000000a163bd36>] device_initial_probe+0x1c/0x28
    [<00000000accb6bad>] bus_probe_device+0x3c/0x9c
    [<000000001a199f89>] device_add+0x218/0x3cc
    [<000000001bd84952>] of_device_add+0x40/0x50
    [<000000009c658c29>] of_platform_device_create_pdata+0xac/0x100
    [<0000000021c69ba4>] of_platform_bus_create+0x190/0x224

Fixes: f08c2e2865f6 ("clk: add managed version of clk_bulk_get_all")
Cc: Dong Aisheng <aisheng.dong@nxp.com>
Cc: stable@vger.kernel.org
Signed-off-by: Brian Norris <briannorris@chromium.org>
Link: https://lore.kernel.org/r/20210731025950.2238582-1-briannorris@chromium.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/clk-devres.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/clk/clk-devres.c
+++ b/drivers/clk/clk-devres.c
@@ -92,13 +92,20 @@ int __must_check devm_clk_bulk_get_optio
 }
 EXPORT_SYMBOL_GPL(devm_clk_bulk_get_optional);
 
+static void devm_clk_bulk_release_all(struct device *dev, void *res)
+{
+	struct clk_bulk_devres *devres = res;
+
+	clk_bulk_put_all(devres->num_clks, devres->clks);
+}
+
 int __must_check devm_clk_bulk_get_all(struct device *dev,
 				       struct clk_bulk_data **clks)
 {
 	struct clk_bulk_devres *devres;
 	int ret;
 
-	devres = devres_alloc(devm_clk_bulk_release,
+	devres = devres_alloc(devm_clk_bulk_release_all,
 			      sizeof(*devres), GFP_KERNEL);
 	if (!devres)
 		return -ENOMEM;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 101/175] scripts/tracing: fix the bug that cant parse raw_trace_func
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 100/175] clk: fix leak on devm_clk_bulk_get_all() unwind Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 102/175] tracing / histogram: Give calculation hist_fields a size Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hui Su, Steven Rostedt (VMware)

From: Hui Su <suhui@zeku.com>

commit 1c0cec64a7cc545eb49f374a43e9f7190a14defa upstream.

Since commit 77271ce4b2c0 ("tracing: Add irq, preempt-count and need resched info
to default trace output"), the default trace output format has been changed to:
          <idle>-0       [009] d.h. 22420.068695: _raw_spin_lock_irqsave <-hrtimer_interrupt
          <idle>-0       [000] ..s. 22420.068695: _nohz_idle_balance <-run_rebalance_domains
          <idle>-0       [011] d.h. 22420.068695: account_process_tick <-update_process_times

origin trace output format:(before v3.2.0)
     # tracer: nop
     #
     #           TASK-PID    CPU#    TIMESTAMP  FUNCTION
     #              | |       |          |         |
          migration/0-6     [000]    50.025810: rcu_note_context_switch <-__schedule
          migration/0-6     [000]    50.025812: trace_rcu_utilization <-rcu_note_context_switch
          migration/0-6     [000]    50.025813: rcu_sched_qs <-rcu_note_context_switch
          migration/0-6     [000]    50.025815: rcu_preempt_qs <-rcu_note_context_switch
          migration/0-6     [000]    50.025817: trace_rcu_utilization <-rcu_note_context_switch
          migration/0-6     [000]    50.025818: debug_lockdep_rcu_enabled <-__schedule
          migration/0-6     [000]    50.025820: debug_lockdep_rcu_enabled <-__schedule

The draw_functrace.py(introduced in v2.6.28) can't parse the new version format trace_func,
So we need modify draw_functrace.py to adapt the new version trace output format.

Link: https://lkml.kernel.org/r/20210611022107.608787-1-suhui@zeku.com

Cc: stable@vger.kernel.org
Fixes: 77271ce4b2c0 tracing: Add irq, preempt-count and need resched info to default trace output
Signed-off-by: Hui Su <suhui@zeku.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 scripts/tracing/draw_functrace.py |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/scripts/tracing/draw_functrace.py
+++ b/scripts/tracing/draw_functrace.py
@@ -17,7 +17,7 @@ Usage:
 	$ cat /sys/kernel/debug/tracing/trace_pipe > ~/raw_trace_func
 	Wait some times but not too much, the script is a bit slow.
 	Break the pipe (Ctrl + Z)
-	$ scripts/draw_functrace.py < raw_trace_func > draw_functrace
+	$ scripts/tracing/draw_functrace.py < ~/raw_trace_func > draw_functrace
 	Then you have your drawn trace in draw_functrace
 """
 
@@ -103,10 +103,10 @@ def parseLine(line):
 	line = line.strip()
 	if line.startswith("#"):
 		raise CommentLineException
-	m = re.match("[^]]+?\\] +([0-9.]+): (\\w+) <-(\\w+)", line)
+	m = re.match("[^]]+?\\] +([a-z.]+) +([0-9.]+): (\\w+) <-(\\w+)", line)
 	if m is None:
 		raise BrokenLineException
-	return (m.group(1), m.group(2), m.group(3))
+	return (m.group(2), m.group(3), m.group(4))
 
 
 def main():



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 102/175] tracing / histogram: Give calculation hist_fields a size
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 101/175] scripts/tracing: fix the bug that cant parse raw_trace_func Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 103/175] tracing: Reject string operand in the histogram expression Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tom Zanussi, Masami Hiramatsu,
	Namhyung Kim, Ingo Molnar, Andrew Morton, Steven Rostedt (VMware)

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit 2c05caa7ba8803209769b9e4fe02c38d77ae88d0 upstream.

When working on my user space applications, I found a bug in the synthetic
event code where the automated synthetic event field was not matching the
event field calculation it was attached to. Looking deeper into it, it was
because the calculation hist_field was not given a size.

The synthetic event fields are matched to their hist_fields either by
having the field have an identical string type, or if that does not match,
then the size and signed values are used to match the fields.

The problem arose when I tried to match a calculation where the fields
were "unsigned int". My tool created a synthetic event of type "u32". But
it failed to match. The string was:

  diff=field1-field2:onmatch(event).trace(synth,$diff)

Adding debugging into the kernel, I found that the size of "diff" was 0.
And since it was given "unsigned int" as a type, the histogram fallback
code used size and signed. The signed matched, but the size of u32 (4) did
not match zero, and the event failed to be created.

This can be worse if the field you want to match is not one of the
acceptable fields for a synthetic event. As event fields can have any type
that is supported in Linux, this can cause an issue. For example, if a
type is an enum. Then there's no way to use that with any calculations.

Have the calculation field simply take on the size of what it is
calculating.

Link: https://lkml.kernel.org/r/20210730171951.59c7743f@oasis.local.home

Cc: Tom Zanussi <zanussi@kernel.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Fixes: 100719dcef447 ("tracing: Add simple expression support to hist triggers")
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace_events_hist.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -2287,6 +2287,10 @@ static struct hist_field *parse_expr(str
 
 	expr->operands[0] = operand1;
 	expr->operands[1] = operand2;
+
+	/* The operand sizes should be the same, so just pick one */
+	expr->size = operand1->size;
+
 	expr->operator = field_op;
 	expr->name = expr_str(expr, 0);
 	expr->type = kstrdup(operand1->type, GFP_KERNEL);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 103/175] tracing: Reject string operand in the histogram expression
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 102/175] tracing / histogram: Give calculation hist_fields a size Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 104/175] tracing: Fix NULL pointer dereference in start_creating Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masami Hiramatsu, Steven Rostedt (VMware)

From: Masami Hiramatsu <mhiramat@kernel.org>

commit a9d10ca4986571bffc19778742d508cc8dd13e02 upstream.

Since the string type can not be the target of the addition / subtraction
operation, it must be rejected. Without this fix, the string type silently
converted to digits.

Link: https://lkml.kernel.org/r/162742654278.290973.1523000673366456634.stgit@devnote2

Cc: stable@vger.kernel.org
Fixes: 100719dcef447 ("tracing: Add simple expression support to hist triggers")
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace_events_hist.c |   20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -65,7 +65,8 @@
 	C(INVALID_SORT_MODIFIER,"Invalid sort modifier"),		\
 	C(EMPTY_SORT_FIELD,	"Empty sort field"),			\
 	C(TOO_MANY_SORT_FIELDS,	"Too many sort fields (Max = 2)"),	\
-	C(INVALID_SORT_FIELD,	"Sort field must be a key or a val"),
+	C(INVALID_SORT_FIELD,	"Sort field must be a key or a val"),	\
+	C(INVALID_STR_OPERAND,	"String type can not be an operand in expression"),
 
 #undef C
 #define C(a, b)		HIST_ERR_##a
@@ -2156,6 +2157,13 @@ static struct hist_field *parse_unary(st
 		ret = PTR_ERR(operand1);
 		goto free;
 	}
+	if (operand1->flags & HIST_FIELD_FL_STRING) {
+		/* String type can not be the operand of unary operator. */
+		hist_err(file->tr, HIST_ERR_INVALID_STR_OPERAND, errpos(str));
+		destroy_hist_field(operand1, 0);
+		ret = -EINVAL;
+		goto free;
+	}
 
 	expr->flags |= operand1->flags &
 		(HIST_FIELD_FL_TIMESTAMP | HIST_FIELD_FL_TIMESTAMP_USECS);
@@ -2257,6 +2265,11 @@ static struct hist_field *parse_expr(str
 		operand1 = NULL;
 		goto free;
 	}
+	if (operand1->flags & HIST_FIELD_FL_STRING) {
+		hist_err(file->tr, HIST_ERR_INVALID_STR_OPERAND, errpos(operand1_str));
+		ret = -EINVAL;
+		goto free;
+	}
 
 	/* rest of string could be another expression e.g. b+c in a+b+c */
 	operand_flags = 0;
@@ -2266,6 +2279,11 @@ static struct hist_field *parse_expr(str
 		operand2 = NULL;
 		goto free;
 	}
+	if (operand2->flags & HIST_FIELD_FL_STRING) {
+		hist_err(file->tr, HIST_ERR_INVALID_STR_OPERAND, errpos(str));
+		ret = -EINVAL;
+		goto free;
+	}
 
 	ret = check_expr_operands(file->tr, operand1, operand2);
 	if (ret)



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 104/175] tracing: Fix NULL pointer dereference in start_creating
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 103/175] tracing: Reject string operand in the histogram expression Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 105/175] tracepoint: static call: Compare data on transition from 2->1 callees Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kamal Agrawal, Steven Rostedt (VMware)

From: Kamal Agrawal <kamaagra@codeaurora.org>

commit ff41c28c4b54052942180d8b3f49e75f1445135a upstream.

The event_trace_add_tracer() can fail. In this case, it leads to a crash
in start_creating with below call stack. Handle the error scenario
properly in trace_array_create_dir.

Call trace:
down_write+0x7c/0x204
start_creating.25017+0x6c/0x194
tracefs_create_file+0xc4/0x2b4
init_tracer_tracefs+0x5c/0x940
trace_array_create_dir+0x58/0xb4
trace_array_create+0x1bc/0x2b8
trace_array_get_by_name+0xdc/0x18c

Link: https://lkml.kernel.org/r/1627651386-21315-1-git-send-email-kamaagra@codeaurora.org

Cc: stable@vger.kernel.org
Fixes: 4114fbfd02f1 ("tracing: Enable creating new instance early boot")
Signed-off-by: Kamal Agrawal <kamaagra@codeaurora.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/trace.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -9006,8 +9006,10 @@ static int trace_array_create_dir(struct
 		return -EINVAL;
 
 	ret = event_trace_add_tracer(tr->dir, tr);
-	if (ret)
+	if (ret) {
 		tracefs_remove(tr->dir);
+		return ret;
+	}
 
 	init_tracer_tracefs(tr, tr->dir);
 	__update_tracer_options(tr);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 105/175] tracepoint: static call: Compare data on transition from 2->1 callees
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 104/175] tracing: Fix NULL pointer dereference in start_creating Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 106/175] tracepoint: Fix static call function vs data state mismatch Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Peter Zijlstra,
	Andrew Morton, Paul E. McKenney, Stefan Metzmacher,
	Mathieu Desnoyers, Steven Rostedt (VMware)

From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>

commit f7ec4121256393e1d03274acdca73eb18958f27e upstream.

On transition from 2->1 callees, we should be comparing .data rather
than .func, because the same callback can be registered twice with
different data, and what we care about here is that the data of array
element 0 is unchanged to skip rcu sync.

Link: https://lkml.kernel.org/r/20210805132717.23813-2-mathieu.desnoyers@efficios.com
Link: https://lore.kernel.org/io-uring/4ebea8f0-58c9-e571-fd30-0ce4f6f09c70@samba.org/

Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Stefan Metzmacher <metze@samba.org>
Fixes: 547305a64632 ("tracepoint: Fix out of sync data passing by static caller")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/tracepoint.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/tracepoint.c
+++ b/kernel/tracepoint.c
@@ -338,7 +338,7 @@ static int tracepoint_remove_func(struct
 	} else {
 		rcu_assign_pointer(tp->funcs, tp_funcs);
 		tracepoint_update_call(tp, tp_funcs,
-				       tp_funcs[0].func != old[0].func);
+				       tp_funcs[0].data != old[0].data);
 	}
 	release_probes(old);
 	return 0;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 106/175] tracepoint: Fix static call function vs data state mismatch
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 105/175] tracepoint: static call: Compare data on transition from 2->1 callees Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 107/175] tracepoint: Use rcu get state and cond sync for static call updates Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Peter Zijlstra,
	Andrew Morton, Paul E. McKenney, Stefan Metzmacher,
	Mathieu Desnoyers, Steven Rostedt (VMware)

From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>

commit 231264d6927f6740af36855a622d0e240be9d94c upstream.

On a 1->0->1 callbacks transition, there is an issue with the new
callback using the old callback's data.

Considering __DO_TRACE_CALL:

        do {                                                            \
                struct tracepoint_func *it_func_ptr;                    \
                void *__data;                                           \
                it_func_ptr =                                           \
                        rcu_dereference_raw((&__tracepoint_##name)->funcs); \
                if (it_func_ptr) {                                      \
                        __data = (it_func_ptr)->data;                   \

----> [ delayed here on one CPU (e.g. vcpu preempted by the host) ]

                        static_call(tp_func_##name)(__data, args);      \
                }                                                       \
        } while (0)

It has loaded the tp->funcs of the old callback, so it will try to use the old
data. This can be fixed by adding a RCU sync anywhere in the 1->0->1
transition chain.

On a N->2->1 transition, we need an rcu-sync because you may have a
sequence of 3->2->1 (or 1->2->1) where the element 0 data is unchanged
between 2->1, but was changed from 3->2 (or from 1->2), which may be
observed by the static call. This can be fixed by adding an
unconditional RCU sync in transition 2->1.

Note, this fixes a correctness issue at the cost of adding a tremendous
performance regression to the disabling of tracepoints.

Before this commit:

  # trace-cmd start -e all
  # time trace-cmd start -p nop

  real	0m0.778s
  user	0m0.000s
  sys	0m0.061s

After this commit:

  # trace-cmd start -e all
  # time trace-cmd start -p nop

  real	0m10.593s
  user	0m0.017s
  sys	0m0.259s

A follow up fix will introduce a more lightweight scheme based on RCU
get_state and cond_sync, that will return the performance back to what it
was. As both this change and the lightweight versions are complex on their
own, for bisecting any issues that this may cause, they are kept as two
separate changes.

Link: https://lkml.kernel.org/r/20210805132717.23813-3-mathieu.desnoyers@efficios.com
Link: https://lore.kernel.org/io-uring/4ebea8f0-58c9-e571-fd30-0ce4f6f09c70@samba.org/

Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Stefan Metzmacher <metze@samba.org>
Fixes: d25e37d89dd2 ("tracepoint: Optimize using static_call()")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/tracepoint.c |  102 +++++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 82 insertions(+), 20 deletions(-)

--- a/kernel/tracepoint.c
+++ b/kernel/tracepoint.c
@@ -15,6 +15,13 @@
 #include <linux/sched/task.h>
 #include <linux/static_key.h>
 
+enum tp_func_state {
+	TP_FUNC_0,
+	TP_FUNC_1,
+	TP_FUNC_2,
+	TP_FUNC_N,
+};
+
 extern tracepoint_ptr_t __start___tracepoints_ptrs[];
 extern tracepoint_ptr_t __stop___tracepoints_ptrs[];
 
@@ -246,26 +253,29 @@ static void *func_remove(struct tracepoi
 	return old;
 }
 
-static void tracepoint_update_call(struct tracepoint *tp, struct tracepoint_func *tp_funcs, bool sync)
+/*
+ * Count the number of functions (enum tp_func_state) in a tp_funcs array.
+ */
+static enum tp_func_state nr_func_state(const struct tracepoint_func *tp_funcs)
+{
+	if (!tp_funcs)
+		return TP_FUNC_0;
+	if (!tp_funcs[1].func)
+		return TP_FUNC_1;
+	if (!tp_funcs[2].func)
+		return TP_FUNC_2;
+	return TP_FUNC_N;	/* 3 or more */
+}
+
+static void tracepoint_update_call(struct tracepoint *tp, struct tracepoint_func *tp_funcs)
 {
 	void *func = tp->iterator;
 
 	/* Synthetic events do not have static call sites */
 	if (!tp->static_call_key)
 		return;
-
-	if (!tp_funcs[1].func) {
+	if (nr_func_state(tp_funcs) == TP_FUNC_1)
 		func = tp_funcs[0].func;
-		/*
-		 * If going from the iterator back to a single caller,
-		 * we need to synchronize with __DO_TRACE to make sure
-		 * that the data passed to the callback is the one that
-		 * belongs to that callback.
-		 */
-		if (sync)
-			tracepoint_synchronize_unregister();
-	}
-
 	__static_call_update(tp->static_call_key, tp->static_call_tramp, func);
 }
 
@@ -299,9 +309,31 @@ static int tracepoint_add_func(struct tr
 	 * a pointer to it.  This array is referenced by __DO_TRACE from
 	 * include/linux/tracepoint.h using rcu_dereference_sched().
 	 */
-	tracepoint_update_call(tp, tp_funcs, false);
-	rcu_assign_pointer(tp->funcs, tp_funcs);
-	static_key_enable(&tp->key);
+	switch (nr_func_state(tp_funcs)) {
+	case TP_FUNC_1:		/* 0->1 */
+		/* Set static call to first function */
+		tracepoint_update_call(tp, tp_funcs);
+		/* Both iterator and static call handle NULL tp->funcs */
+		rcu_assign_pointer(tp->funcs, tp_funcs);
+		static_key_enable(&tp->key);
+		break;
+	case TP_FUNC_2:		/* 1->2 */
+		/* Set iterator static call */
+		tracepoint_update_call(tp, tp_funcs);
+		/*
+		 * Iterator callback installed before updating tp->funcs.
+		 * Requires ordering between RCU assign/dereference and
+		 * static call update/call.
+		 */
+		rcu_assign_pointer(tp->funcs, tp_funcs);
+		break;
+	case TP_FUNC_N:		/* N->N+1 (N>1) */
+		rcu_assign_pointer(tp->funcs, tp_funcs);
+		break;
+	default:
+		WARN_ON_ONCE(1);
+		break;
+	}
 
 	release_probes(old);
 	return 0;
@@ -328,17 +360,47 @@ static int tracepoint_remove_func(struct
 		/* Failed allocating new tp_funcs, replaced func with stub */
 		return 0;
 
-	if (!tp_funcs) {
+	switch (nr_func_state(tp_funcs)) {
+	case TP_FUNC_0:		/* 1->0 */
 		/* Removed last function */
 		if (tp->unregfunc && static_key_enabled(&tp->key))
 			tp->unregfunc();
 
 		static_key_disable(&tp->key);
+		/* Set iterator static call */
+		tracepoint_update_call(tp, tp_funcs);
+		/* Both iterator and static call handle NULL tp->funcs */
+		rcu_assign_pointer(tp->funcs, NULL);
+		/*
+		 * Make sure new func never uses old data after a 1->0->1
+		 * transition sequence.
+		 * Considering that transition 0->1 is the common case
+		 * and don't have rcu-sync, issue rcu-sync after
+		 * transition 1->0 to break that sequence by waiting for
+		 * readers to be quiescent.
+		 */
+		tracepoint_synchronize_unregister();
+		break;
+	case TP_FUNC_1:		/* 2->1 */
 		rcu_assign_pointer(tp->funcs, tp_funcs);
-	} else {
+		/*
+		 * On 2->1 transition, RCU sync is needed before setting
+		 * static call to first callback, because the observer
+		 * may have loaded any prior tp->funcs after the last one
+		 * associated with an rcu-sync.
+		 */
+		tracepoint_synchronize_unregister();
+		/* Set static call to first function */
+		tracepoint_update_call(tp, tp_funcs);
+		break;
+	case TP_FUNC_2:		/* N->N-1 (N>2) */
+		fallthrough;
+	case TP_FUNC_N:
 		rcu_assign_pointer(tp->funcs, tp_funcs);
-		tracepoint_update_call(tp, tp_funcs,
-				       tp_funcs[0].data != old[0].data);
+		break;
+	default:
+		WARN_ON_ONCE(1);
+		break;
 	}
 	release_probes(old);
 	return 0;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 107/175] tracepoint: Use rcu get state and cond sync for static call updates
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 106/175] tracepoint: Fix static call function vs data state mismatch Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 108/175] arm64: stacktrace: avoid tracing arch_stack_walk() Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Peter Zijlstra,
	Andrew Morton, Paul E. McKenney, Stefan Metzmacher,
	Mathieu Desnoyers, Steven Rostedt (VMware)

From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>

commit 7b40066c97ec66a44e388f82fcf694987451768f upstream.

State transitions from 1->0->1 and N->2->1 callbacks require RCU
synchronization. Rather than performing the RCU synchronization every
time the state change occurs, which is quite slow when many tracepoints
are registered in batch, instead keep a snapshot of the RCU state on the
most recent transitions which belong to a chain, and conditionally wait
for a grace period on the last transition of the chain if one g.p. has
not elapsed since the last snapshot.

This applies to both RCU and SRCU.

This brings the performance regression caused by commit 231264d6927f
("Fix: tracepoint: static call function vs data state mismatch") back to
what it was originally.

Before this commit:

  # trace-cmd start -e all
  # time trace-cmd start -p nop

  real	0m10.593s
  user	0m0.017s
  sys	0m0.259s

After this commit:

  # trace-cmd start -e all
  # time trace-cmd start -p nop

  real	0m0.878s
  user	0m0.000s
  sys	0m0.103s

Link: https://lkml.kernel.org/r/20210805192954.30688-1-mathieu.desnoyers@efficios.com
Link: https://lore.kernel.org/io-uring/4ebea8f0-58c9-e571-fd30-0ce4f6f09c70@samba.org/

Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: "Paul E. McKenney" <paulmck@kernel.org>
Cc: Stefan Metzmacher <metze@samba.org>
Fixes: 231264d6927f ("Fix: tracepoint: static call function vs data state mismatch")
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/tracepoint.c |   81 +++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 67 insertions(+), 14 deletions(-)

--- a/kernel/tracepoint.c
+++ b/kernel/tracepoint.c
@@ -28,6 +28,44 @@ extern tracepoint_ptr_t __stop___tracepo
 DEFINE_SRCU(tracepoint_srcu);
 EXPORT_SYMBOL_GPL(tracepoint_srcu);
 
+enum tp_transition_sync {
+	TP_TRANSITION_SYNC_1_0_1,
+	TP_TRANSITION_SYNC_N_2_1,
+
+	_NR_TP_TRANSITION_SYNC,
+};
+
+struct tp_transition_snapshot {
+	unsigned long rcu;
+	unsigned long srcu;
+	bool ongoing;
+};
+
+/* Protected by tracepoints_mutex */
+static struct tp_transition_snapshot tp_transition_snapshot[_NR_TP_TRANSITION_SYNC];
+
+static void tp_rcu_get_state(enum tp_transition_sync sync)
+{
+	struct tp_transition_snapshot *snapshot = &tp_transition_snapshot[sync];
+
+	/* Keep the latest get_state snapshot. */
+	snapshot->rcu = get_state_synchronize_rcu();
+	snapshot->srcu = start_poll_synchronize_srcu(&tracepoint_srcu);
+	snapshot->ongoing = true;
+}
+
+static void tp_rcu_cond_sync(enum tp_transition_sync sync)
+{
+	struct tp_transition_snapshot *snapshot = &tp_transition_snapshot[sync];
+
+	if (!snapshot->ongoing)
+		return;
+	cond_synchronize_rcu(snapshot->rcu);
+	if (!poll_state_synchronize_srcu(&tracepoint_srcu, snapshot->srcu))
+		synchronize_srcu(&tracepoint_srcu);
+	snapshot->ongoing = false;
+}
+
 /* Set to 1 to enable tracepoint debug output */
 static const int tracepoint_debug;
 
@@ -311,6 +349,11 @@ static int tracepoint_add_func(struct tr
 	 */
 	switch (nr_func_state(tp_funcs)) {
 	case TP_FUNC_1:		/* 0->1 */
+		/*
+		 * Make sure new static func never uses old data after a
+		 * 1->0->1 transition sequence.
+		 */
+		tp_rcu_cond_sync(TP_TRANSITION_SYNC_1_0_1);
 		/* Set static call to first function */
 		tracepoint_update_call(tp, tp_funcs);
 		/* Both iterator and static call handle NULL tp->funcs */
@@ -325,10 +368,15 @@ static int tracepoint_add_func(struct tr
 		 * Requires ordering between RCU assign/dereference and
 		 * static call update/call.
 		 */
-		rcu_assign_pointer(tp->funcs, tp_funcs);
-		break;
+		fallthrough;
 	case TP_FUNC_N:		/* N->N+1 (N>1) */
 		rcu_assign_pointer(tp->funcs, tp_funcs);
+		/*
+		 * Make sure static func never uses incorrect data after a
+		 * N->...->2->1 (N>1) transition sequence.
+		 */
+		if (tp_funcs[0].data != old[0].data)
+			tp_rcu_get_state(TP_TRANSITION_SYNC_N_2_1);
 		break;
 	default:
 		WARN_ON_ONCE(1);
@@ -372,24 +420,23 @@ static int tracepoint_remove_func(struct
 		/* Both iterator and static call handle NULL tp->funcs */
 		rcu_assign_pointer(tp->funcs, NULL);
 		/*
-		 * Make sure new func never uses old data after a 1->0->1
-		 * transition sequence.
-		 * Considering that transition 0->1 is the common case
-		 * and don't have rcu-sync, issue rcu-sync after
-		 * transition 1->0 to break that sequence by waiting for
-		 * readers to be quiescent.
+		 * Make sure new static func never uses old data after a
+		 * 1->0->1 transition sequence.
 		 */
-		tracepoint_synchronize_unregister();
+		tp_rcu_get_state(TP_TRANSITION_SYNC_1_0_1);
 		break;
 	case TP_FUNC_1:		/* 2->1 */
 		rcu_assign_pointer(tp->funcs, tp_funcs);
 		/*
-		 * On 2->1 transition, RCU sync is needed before setting
-		 * static call to first callback, because the observer
-		 * may have loaded any prior tp->funcs after the last one
-		 * associated with an rcu-sync.
+		 * Make sure static func never uses incorrect data after a
+		 * N->...->2->1 (N>2) transition sequence. If the first
+		 * element's data has changed, then force the synchronization
+		 * to prevent current readers that have loaded the old data
+		 * from calling the new function.
 		 */
-		tracepoint_synchronize_unregister();
+		if (tp_funcs[0].data != old[0].data)
+			tp_rcu_get_state(TP_TRANSITION_SYNC_N_2_1);
+		tp_rcu_cond_sync(TP_TRANSITION_SYNC_N_2_1);
 		/* Set static call to first function */
 		tracepoint_update_call(tp, tp_funcs);
 		break;
@@ -397,6 +444,12 @@ static int tracepoint_remove_func(struct
 		fallthrough;
 	case TP_FUNC_N:
 		rcu_assign_pointer(tp->funcs, tp_funcs);
+		/*
+		 * Make sure static func never uses incorrect data after a
+		 * N->...->2->1 (N>2) transition sequence.
+		 */
+		if (tp_funcs[0].data != old[0].data)
+			tp_rcu_get_state(TP_TRANSITION_SYNC_N_2_1);
 		break;
 	default:
 		WARN_ON_ONCE(1);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 108/175] arm64: stacktrace: avoid tracing arch_stack_walk()
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 107/175] tracepoint: Use rcu get state and cond sync for static call updates Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 109/175] optee: Clear stale cache entries during initialization Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Catalin Marinas,
	Madhavan T. Venkataraman, Mark Brown, Will Deacon

From: Mark Rutland <mark.rutland@arm.com>

commit 0c32706dac1b0a72713184246952ab0f54327c21 upstream.

When the function_graph tracer is in use, arch_stack_walk() may unwind
the stack incorrectly, erroneously reporting itself, missing the final
entry which is being traced, and reporting all traced entries between
these off-by-one from where they should be.

When ftrace hooks a function return, the original return address is
saved to the fgraph ret_stack, and the return address  in the LR (or the
function's frame record) is replaced with `return_to_handler`.

When arm64's unwinder encounter frames returning to `return_to_handler`,
it finds the associated original return address from the fgraph ret
stack, assuming the most recent `ret_to_hander` entry on the stack
corresponds to the most recent entry in the fgraph ret stack, and so on.

When arch_stack_walk() is used to dump the current task's stack, it
starts from the caller of arch_stack_walk(). However, arch_stack_walk()
can be traced, and so may push an entry on to the fgraph ret stack,
leaving the fgraph ret stack offset by one from the expected position.

This can be seen when dumping the stack via /proc/self/stack, where
enabling the graph tracer results in an unexpected
`stack_trace_save_tsk` entry at the start of the trace, and `el0_svc`
missing form the end of the trace.

This patch fixes this by marking arch_stack_walk() as notrace, as we do
for all other functions on the path to ftrace_graph_get_ret_stack().
While a few helper functions are not marked notrace, their calls/returns
are balanced, and will have no observable effect when examining the
fgraph ret stack.

It is possible for an exeption boundary to cause a similar offset if the
return address of the interrupted context was in the LR. Fixing those
cases will require some more substantial rework, and is left for
subsequent patches.

Before:

| # cat /proc/self/stack
| [<0>] proc_pid_stack+0xc4/0x140
| [<0>] proc_single_show+0x6c/0x120
| [<0>] seq_read_iter+0x240/0x4e0
| [<0>] seq_read+0xe8/0x140
| [<0>] vfs_read+0xb8/0x1e4
| [<0>] ksys_read+0x74/0x100
| [<0>] __arm64_sys_read+0x28/0x3c
| [<0>] invoke_syscall+0x50/0x120
| [<0>] el0_svc_common.constprop.0+0xc4/0xd4
| [<0>] do_el0_svc+0x30/0x9c
| [<0>] el0_svc+0x2c/0x54
| [<0>] el0t_64_sync_handler+0x1a8/0x1b0
| [<0>] el0t_64_sync+0x198/0x19c
| # echo function_graph > /sys/kernel/tracing/current_tracer
| # cat /proc/self/stack
| [<0>] stack_trace_save_tsk+0xa4/0x110
| [<0>] proc_pid_stack+0xc4/0x140
| [<0>] proc_single_show+0x6c/0x120
| [<0>] seq_read_iter+0x240/0x4e0
| [<0>] seq_read+0xe8/0x140
| [<0>] vfs_read+0xb8/0x1e4
| [<0>] ksys_read+0x74/0x100
| [<0>] __arm64_sys_read+0x28/0x3c
| [<0>] invoke_syscall+0x50/0x120
| [<0>] el0_svc_common.constprop.0+0xc4/0xd4
| [<0>] do_el0_svc+0x30/0x9c
| [<0>] el0t_64_sync_handler+0x1a8/0x1b0
| [<0>] el0t_64_sync+0x198/0x19c

After:

| # cat /proc/self/stack
| [<0>] proc_pid_stack+0xc4/0x140
| [<0>] proc_single_show+0x6c/0x120
| [<0>] seq_read_iter+0x240/0x4e0
| [<0>] seq_read+0xe8/0x140
| [<0>] vfs_read+0xb8/0x1e4
| [<0>] ksys_read+0x74/0x100
| [<0>] __arm64_sys_read+0x28/0x3c
| [<0>] invoke_syscall+0x50/0x120
| [<0>] el0_svc_common.constprop.0+0xc4/0xd4
| [<0>] do_el0_svc+0x30/0x9c
| [<0>] el0_svc+0x2c/0x54
| [<0>] el0t_64_sync_handler+0x1a8/0x1b0
| [<0>] el0t_64_sync+0x198/0x19c
| # echo function_graph > /sys/kernel/tracing/current_tracer
| # cat /proc/self/stack
| [<0>] proc_pid_stack+0xc4/0x140
| [<0>] proc_single_show+0x6c/0x120
| [<0>] seq_read_iter+0x240/0x4e0
| [<0>] seq_read+0xe8/0x140
| [<0>] vfs_read+0xb8/0x1e4
| [<0>] ksys_read+0x74/0x100
| [<0>] __arm64_sys_read+0x28/0x3c
| [<0>] invoke_syscall+0x50/0x120
| [<0>] el0_svc_common.constprop.0+0xc4/0xd4
| [<0>] do_el0_svc+0x30/0x9c
| [<0>] el0_svc+0x2c/0x54
| [<0>] el0t_64_sync_handler+0x1a8/0x1b0
| [<0>] el0t_64_sync+0x198/0x19c

Cc: <stable@vger.kernel.org>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Madhavan T. Venkataraman <madvenka@linux.microsoft.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>
Reviwed-by: Mark Brown <broonie@kernel.org>
Link: https://lore.kernel.org/r/20210802164845.45506-3-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/stacktrace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/kernel/stacktrace.c
+++ b/arch/arm64/kernel/stacktrace.c
@@ -220,7 +220,7 @@ void show_stack(struct task_struct *tsk,
 
 #ifdef CONFIG_STACKTRACE
 
-noinline void arch_stack_walk(stack_trace_consume_fn consume_entry,
+noinline notrace void arch_stack_walk(stack_trace_consume_fn consume_entry,
 			      void *cookie, struct task_struct *task,
 			      struct pt_regs *regs)
 {



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 109/175] optee: Clear stale cache entries during initialization
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 108/175] arm64: stacktrace: avoid tracing arch_stack_walk() Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 110/175] tee: add tee_shm_alloc_kernel_buf() Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tyler Hicks, Jens Wiklander, Sumit Garg

From: Tyler Hicks <tyhicks@linux.microsoft.com>

commit b5c10dd04b7418793517e3286cde5c04759a86de upstream.

The shm cache could contain invalid addresses if
optee_disable_shm_cache() was not called from the .shutdown hook of the
previous kernel before a kexec. These addresses could be unmapped or
they could point to mapped but unintended locations in memory.

Clear the shared memory cache, while being careful to not translate the
addresses returned from OPTEE_SMC_DISABLE_SHM_CACHE, during driver
initialization. Once all pre-cache shm objects are removed, proceed with
enabling the cache so that we know that we can handle cached shm objects
with confidence later in the .shutdown hook.

Cc: stable@vger.kernel.org
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tee/optee/call.c          |   36 +++++++++++++++++++++++++++++++++---
 drivers/tee/optee/core.c          |    9 +++++++++
 drivers/tee/optee/optee_private.h |    1 +
 3 files changed, 43 insertions(+), 3 deletions(-)

--- a/drivers/tee/optee/call.c
+++ b/drivers/tee/optee/call.c
@@ -416,11 +416,13 @@ void optee_enable_shm_cache(struct optee
 }
 
 /**
- * optee_disable_shm_cache() - Disables caching of some shared memory allocation
- *			      in OP-TEE
+ * __optee_disable_shm_cache() - Disables caching of some shared memory
+ *                               allocation in OP-TEE
  * @optee:	main service struct
+ * @is_mapped:	true if the cached shared memory addresses were mapped by this
+ *		kernel, are safe to dereference, and should be freed
  */
-void optee_disable_shm_cache(struct optee *optee)
+static void __optee_disable_shm_cache(struct optee *optee, bool is_mapped)
 {
 	struct optee_call_waiter w;
 
@@ -439,6 +441,13 @@ void optee_disable_shm_cache(struct opte
 		if (res.result.status == OPTEE_SMC_RETURN_OK) {
 			struct tee_shm *shm;
 
+			/*
+			 * Shared memory references that were not mapped by
+			 * this kernel must be ignored to prevent a crash.
+			 */
+			if (!is_mapped)
+				continue;
+
 			shm = reg_pair_to_ptr(res.result.shm_upper32,
 					      res.result.shm_lower32);
 			tee_shm_free(shm);
@@ -449,6 +458,27 @@ void optee_disable_shm_cache(struct opte
 	optee_cq_wait_final(&optee->call_queue, &w);
 }
 
+/**
+ * optee_disable_shm_cache() - Disables caching of mapped shared memory
+ *                             allocations in OP-TEE
+ * @optee:	main service struct
+ */
+void optee_disable_shm_cache(struct optee *optee)
+{
+	return __optee_disable_shm_cache(optee, true);
+}
+
+/**
+ * optee_disable_unmapped_shm_cache() - Disables caching of shared memory
+ *                                      allocations in OP-TEE which are not
+ *                                      currently mapped
+ * @optee:	main service struct
+ */
+void optee_disable_unmapped_shm_cache(struct optee *optee)
+{
+	return __optee_disable_shm_cache(optee, false);
+}
+
 #define PAGELIST_ENTRIES_PER_PAGE				\
 	((OPTEE_MSG_NONCONTIG_PAGE_SIZE / sizeof(u64)) - 1)
 
--- a/drivers/tee/optee/core.c
+++ b/drivers/tee/optee/core.c
@@ -686,6 +686,15 @@ static int optee_probe(struct platform_d
 	optee->memremaped_shm = memremaped_shm;
 	optee->pool = pool;
 
+	/*
+	 * Ensure that there are no pre-existing shm objects before enabling
+	 * the shm cache so that there's no chance of receiving an invalid
+	 * address during shutdown. This could occur, for example, if we're
+	 * kexec booting from an older kernel that did not properly cleanup the
+	 * shm cache.
+	 */
+	optee_disable_unmapped_shm_cache(optee);
+
 	optee_enable_shm_cache(optee);
 
 	if (optee->sec_caps & OPTEE_SMC_SEC_CAP_DYNAMIC_SHM)
--- a/drivers/tee/optee/optee_private.h
+++ b/drivers/tee/optee/optee_private.h
@@ -159,6 +159,7 @@ int optee_cancel_req(struct tee_context
 
 void optee_enable_shm_cache(struct optee *optee);
 void optee_disable_shm_cache(struct optee *optee);
+void optee_disable_unmapped_shm_cache(struct optee *optee);
 
 int optee_shm_register(struct tee_context *ctx, struct tee_shm *shm,
 		       struct page **pages, size_t num_pages,



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 110/175] tee: add tee_shm_alloc_kernel_buf()
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 109/175] optee: Clear stale cache entries during initialization Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 111/175] tee: Correct inappropriate usage of TEE_SHM_DMA_BUF flag Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tyler Hicks, Sumit Garg, Jens Wiklander

From: Jens Wiklander <jens.wiklander@linaro.org>

commit dc7019b7d0e188d4093b34bd0747ed0d668c63bf upstream.

Adds a new function tee_shm_alloc_kernel_buf() to allocate shared memory
from a kernel driver. This function can later be made more lightweight
by unnecessary dma-buf export.

Cc: stable@vger.kernel.org
Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tee/tee_shm.c   |   18 ++++++++++++++++++
 include/linux/tee_drv.h |    1 +
 2 files changed, 19 insertions(+)

--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -193,6 +193,24 @@ err_dev_put:
 }
 EXPORT_SYMBOL_GPL(tee_shm_alloc);
 
+/**
+ * tee_shm_alloc_kernel_buf() - Allocate shared memory for kernel buffer
+ * @ctx:	Context that allocates the shared memory
+ * @size:	Requested size of shared memory
+ *
+ * The returned memory registered in secure world and is suitable to be
+ * passed as a memory buffer in parameter argument to
+ * tee_client_invoke_func(). The memory allocated is later freed with a
+ * call to tee_shm_free().
+ *
+ * @returns a pointer to 'struct tee_shm'
+ */
+struct tee_shm *tee_shm_alloc_kernel_buf(struct tee_context *ctx, size_t size)
+{
+	return tee_shm_alloc(ctx, size, TEE_SHM_MAPPED | TEE_SHM_DMA_BUF);
+}
+EXPORT_SYMBOL_GPL(tee_shm_alloc_kernel_buf);
+
 struct tee_shm *tee_shm_register(struct tee_context *ctx, unsigned long addr,
 				 size_t length, u32 flags)
 {
--- a/include/linux/tee_drv.h
+++ b/include/linux/tee_drv.h
@@ -332,6 +332,7 @@ void *tee_get_drvdata(struct tee_device
  * @returns a pointer to 'struct tee_shm'
  */
 struct tee_shm *tee_shm_alloc(struct tee_context *ctx, size_t size, u32 flags);
+struct tee_shm *tee_shm_alloc_kernel_buf(struct tee_context *ctx, size_t size);
 
 /**
  * tee_shm_register() - Register shared memory buffer



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 111/175] tee: Correct inappropriate usage of TEE_SHM_DMA_BUF flag
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 110/175] tee: add tee_shm_alloc_kernel_buf() Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 112/175] optee: Fix memory leak when failing to register shm pages Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sumit Garg, Tyler Hicks, Jens Wiklander

From: Sumit Garg <sumit.garg@linaro.org>

commit 376e4199e327a5cf29b8ec8fb0f64f3d8b429819 upstream.

Currently TEE_SHM_DMA_BUF flag has been inappropriately used to not
register shared memory allocated for private usage by underlying TEE
driver: OP-TEE in this case. So rather add a new flag as TEE_SHM_PRIV
that can be utilized by underlying TEE drivers for private allocation
and usage of shared memory.

With this corrected, allow tee_shm_alloc_kernel_buf() to allocate a
shared memory region without the backing of dma-buf.

Cc: stable@vger.kernel.org
Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Co-developed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tee/optee/call.c     |    2 +-
 drivers/tee/optee/core.c     |    3 ++-
 drivers/tee/optee/rpc.c      |    5 +++--
 drivers/tee/optee/shm_pool.c |    8 ++++++--
 drivers/tee/tee_shm.c        |    4 ++--
 include/linux/tee_drv.h      |    1 +
 6 files changed, 15 insertions(+), 8 deletions(-)

--- a/drivers/tee/optee/call.c
+++ b/drivers/tee/optee/call.c
@@ -184,7 +184,7 @@ static struct tee_shm *get_msg_arg(struc
 	struct optee_msg_arg *ma;
 
 	shm = tee_shm_alloc(ctx, OPTEE_MSG_GET_ARG_SIZE(num_params),
-			    TEE_SHM_MAPPED);
+			    TEE_SHM_MAPPED | TEE_SHM_PRIV);
 	if (IS_ERR(shm))
 		return shm;
 
--- a/drivers/tee/optee/core.c
+++ b/drivers/tee/optee/core.c
@@ -277,7 +277,8 @@ static void optee_release(struct tee_con
 	if (!ctxdata)
 		return;
 
-	shm = tee_shm_alloc(ctx, sizeof(struct optee_msg_arg), TEE_SHM_MAPPED);
+	shm = tee_shm_alloc(ctx, sizeof(struct optee_msg_arg),
+			    TEE_SHM_MAPPED | TEE_SHM_PRIV);
 	if (!IS_ERR(shm)) {
 		arg = tee_shm_get_va(shm, 0);
 		/*
--- a/drivers/tee/optee/rpc.c
+++ b/drivers/tee/optee/rpc.c
@@ -314,7 +314,7 @@ static void handle_rpc_func_cmd_shm_allo
 		shm = cmd_alloc_suppl(ctx, sz);
 		break;
 	case OPTEE_RPC_SHM_TYPE_KERNEL:
-		shm = tee_shm_alloc(ctx, sz, TEE_SHM_MAPPED);
+		shm = tee_shm_alloc(ctx, sz, TEE_SHM_MAPPED | TEE_SHM_PRIV);
 		break;
 	default:
 		arg->ret = TEEC_ERROR_BAD_PARAMETERS;
@@ -502,7 +502,8 @@ void optee_handle_rpc(struct tee_context
 
 	switch (OPTEE_SMC_RETURN_GET_RPC_FUNC(param->a0)) {
 	case OPTEE_SMC_RPC_FUNC_ALLOC:
-		shm = tee_shm_alloc(ctx, param->a1, TEE_SHM_MAPPED);
+		shm = tee_shm_alloc(ctx, param->a1,
+				    TEE_SHM_MAPPED | TEE_SHM_PRIV);
 		if (!IS_ERR(shm) && !tee_shm_get_pa(shm, 0, &pa)) {
 			reg_pair_from_64(&param->a1, &param->a2, pa);
 			reg_pair_from_64(&param->a4, &param->a5,
--- a/drivers/tee/optee/shm_pool.c
+++ b/drivers/tee/optee/shm_pool.c
@@ -27,7 +27,11 @@ static int pool_op_alloc(struct tee_shm_
 	shm->paddr = page_to_phys(page);
 	shm->size = PAGE_SIZE << order;
 
-	if (shm->flags & TEE_SHM_DMA_BUF) {
+	/*
+	 * Shared memory private to the OP-TEE driver doesn't need
+	 * to be registered with OP-TEE.
+	 */
+	if (!(shm->flags & TEE_SHM_PRIV)) {
 		unsigned int nr_pages = 1 << order, i;
 		struct page **pages;
 
@@ -52,7 +56,7 @@ static int pool_op_alloc(struct tee_shm_
 static void pool_op_free(struct tee_shm_pool_mgr *poolm,
 			 struct tee_shm *shm)
 {
-	if (shm->flags & TEE_SHM_DMA_BUF)
+	if (!(shm->flags & TEE_SHM_PRIV))
 		optee_shm_unregister(shm->ctx, shm);
 
 	free_pages((unsigned long)shm->kaddr, get_order(shm->size));
--- a/drivers/tee/tee_shm.c
+++ b/drivers/tee/tee_shm.c
@@ -117,7 +117,7 @@ struct tee_shm *tee_shm_alloc(struct tee
 		return ERR_PTR(-EINVAL);
 	}
 
-	if ((flags & ~(TEE_SHM_MAPPED | TEE_SHM_DMA_BUF))) {
+	if ((flags & ~(TEE_SHM_MAPPED | TEE_SHM_DMA_BUF | TEE_SHM_PRIV))) {
 		dev_err(teedev->dev.parent, "invalid shm flags 0x%x", flags);
 		return ERR_PTR(-EINVAL);
 	}
@@ -207,7 +207,7 @@ EXPORT_SYMBOL_GPL(tee_shm_alloc);
  */
 struct tee_shm *tee_shm_alloc_kernel_buf(struct tee_context *ctx, size_t size)
 {
-	return tee_shm_alloc(ctx, size, TEE_SHM_MAPPED | TEE_SHM_DMA_BUF);
+	return tee_shm_alloc(ctx, size, TEE_SHM_MAPPED);
 }
 EXPORT_SYMBOL_GPL(tee_shm_alloc_kernel_buf);
 
--- a/include/linux/tee_drv.h
+++ b/include/linux/tee_drv.h
@@ -27,6 +27,7 @@
 #define TEE_SHM_USER_MAPPED	BIT(4)  /* Memory mapped in user space */
 #define TEE_SHM_POOL		BIT(5)  /* Memory allocated from pool */
 #define TEE_SHM_KERNEL_MAPPED	BIT(6)  /* Memory mapped in kernel space */
+#define TEE_SHM_PRIV		BIT(7)  /* Memory private to TEE driver */
 
 struct device;
 struct tee_device;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 112/175] optee: Fix memory leak when failing to register shm pages
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 111/175] tee: Correct inappropriate usage of TEE_SHM_DMA_BUF flag Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 113/175] optee: Refuse to load the driver under the kdump kernel Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tyler Hicks, Jens Wiklander, Sumit Garg

From: Tyler Hicks <tyhicks@linux.microsoft.com>

commit ec185dd3ab257dc2a60953fdf1b6622f524cc5b7 upstream.

Free the previously allocated pages when we encounter an error condition
while attempting to register the pages with the secure world.

Fixes: a249dd200d03 ("tee: optee: Fix dynamic shm pool allocations")
Fixes: 5a769f6ff439 ("optee: Fix multi page dynamic shm pool alloc")
Cc: stable@vger.kernel.org
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tee/optee/shm_pool.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/tee/optee/shm_pool.c
+++ b/drivers/tee/optee/shm_pool.c
@@ -36,8 +36,10 @@ static int pool_op_alloc(struct tee_shm_
 		struct page **pages;
 
 		pages = kcalloc(nr_pages, sizeof(pages), GFP_KERNEL);
-		if (!pages)
-			return -ENOMEM;
+		if (!pages) {
+			rc = -ENOMEM;
+			goto err;
+		}
 
 		for (i = 0; i < nr_pages; i++) {
 			pages[i] = page;
@@ -48,8 +50,14 @@ static int pool_op_alloc(struct tee_shm_
 		rc = optee_shm_register(shm->ctx, shm, pages, nr_pages,
 					(unsigned long)shm->kaddr);
 		kfree(pages);
+		if (rc)
+			goto err;
 	}
 
+	return 0;
+
+err:
+	__free_pages(page, order);
 	return rc;
 }
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 113/175] optee: Refuse to load the driver under the kdump kernel
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 112/175] optee: Fix memory leak when failing to register shm pages Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 114/175] optee: fix tee out of memory failure seen during kexec reboot Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tyler Hicks, Jens Wiklander, Sumit Garg

From: Tyler Hicks <tyhicks@linux.microsoft.com>

commit adf752af454e91e123e85e3784972d166837af73 upstream.

Fix a hung task issue, seen when booting the kdump kernel, that is
caused by all of the secure world threads being in a permanent suspended
state:

 INFO: task swapper/0:1 blocked for more than 120 seconds.
       Not tainted 5.4.83 #1
 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
 swapper/0       D    0     1      0 0x00000028
 Call trace:
  __switch_to+0xc8/0x118
  __schedule+0x2e0/0x700
  schedule+0x38/0xb8
  schedule_timeout+0x258/0x388
  wait_for_completion+0x16c/0x4b8
  optee_cq_wait_for_completion+0x28/0xa8
  optee_disable_shm_cache+0xb8/0xf8
  optee_probe+0x560/0x61c
  platform_drv_probe+0x58/0xa8
  really_probe+0xe0/0x338
  driver_probe_device+0x5c/0xf0
  device_driver_attach+0x74/0x80
  __driver_attach+0x64/0xe0
  bus_for_each_dev+0x84/0xd8
  driver_attach+0x30/0x40
  bus_add_driver+0x188/0x1e8
  driver_register+0x64/0x110
  __platform_driver_register+0x54/0x60
  optee_driver_init+0x20/0x28
  do_one_initcall+0x54/0x24c
  kernel_init_freeable+0x1e8/0x2c0
  kernel_init+0x18/0x118
  ret_from_fork+0x10/0x18

The invoke_fn hook returned OPTEE_SMC_RETURN_ETHREAD_LIMIT, indicating
that the secure world threads were all in a suspended state at the time
of the kernel crash. This intermittently prevented the kdump kernel from
booting, resulting in a failure to collect the kernel dump.

Make kernel dump collection more reliable on systems utilizing OP-TEE by
refusing to load the driver under the kdump kernel.

Cc: stable@vger.kernel.org
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tee/optee/core.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/drivers/tee/optee/core.c
+++ b/drivers/tee/optee/core.c
@@ -6,6 +6,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/arm-smccc.h>
+#include <linux/crash_dump.h>
 #include <linux/errno.h>
 #include <linux/io.h>
 #include <linux/module.h>
@@ -613,6 +614,16 @@ static int optee_probe(struct platform_d
 	u32 sec_caps;
 	int rc;
 
+	/*
+	 * The kernel may have crashed at the same time that all available
+	 * secure world threads were suspended and we cannot reschedule the
+	 * suspended threads without access to the crashed kernel's wait_queue.
+	 * Therefore, we cannot reliably initialize the OP-TEE driver in the
+	 * kdump kernel.
+	 */
+	if (is_kdump_kernel())
+		return -ENODEV;
+
 	invoke_fn = get_invoke_func(&pdev->dev);
 	if (IS_ERR(invoke_fn))
 		return PTR_ERR(invoke_fn);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 114/175] optee: fix tee out of memory failure seen during kexec reboot
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 113/175] optee: Refuse to load the driver under the kdump kernel Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 115/175] tpm_ftpm_tee: Free and unregister TEE shared memory during kexec Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Allen Pais, Tyler Hicks,
	Jens Wiklander, Sumit Garg

From: Allen Pais <apais@linux.microsoft.com>

commit f25889f93184db8b07a543cc2bbbb9a8fcaf4333 upstream.

The following out of memory errors are seen on kexec reboot
from the optee core.

[    0.368428] tee_bnxt_fw optee-clnt0: tee_shm_alloc failed
[    0.368461] tee_bnxt_fw: probe of optee-clnt0 failed with error -22

tee_shm_release() is not invoked on dma shm buffer.

Implement .shutdown() method to handle the release of the buffers
correctly.

More info:
https://github.com/OP-TEE/optee_os/issues/3637

Cc: stable@vger.kernel.org
Signed-off-by: Allen Pais <apais@linux.microsoft.com>
Reviewed-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tee/optee/core.c |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/drivers/tee/optee/core.c
+++ b/drivers/tee/optee/core.c
@@ -574,6 +574,13 @@ static optee_invoke_fn *get_invoke_func(
 	return ERR_PTR(-EINVAL);
 }
 
+/* optee_remove - Device Removal Routine
+ * @pdev: platform device information struct
+ *
+ * optee_remove is called by platform subsystem to alert the driver
+ * that it should release the device
+ */
+
 static int optee_remove(struct platform_device *pdev)
 {
 	struct optee *optee = platform_get_drvdata(pdev);
@@ -604,6 +611,18 @@ static int optee_remove(struct platform_
 	return 0;
 }
 
+/* optee_shutdown - Device Removal Routine
+ * @pdev: platform device information struct
+ *
+ * platform_shutdown is called by the platform subsystem to alert
+ * the driver that a shutdown, reboot, or kexec is happening and
+ * device must be disabled.
+ */
+static void optee_shutdown(struct platform_device *pdev)
+{
+	optee_disable_shm_cache(platform_get_drvdata(pdev));
+}
+
 static int optee_probe(struct platform_device *pdev)
 {
 	optee_invoke_fn *invoke_fn;
@@ -749,6 +768,7 @@ MODULE_DEVICE_TABLE(of, optee_dt_match);
 static struct platform_driver optee_driver = {
 	.probe  = optee_probe,
 	.remove = optee_remove,
+	.shutdown = optee_shutdown,
 	.driver = {
 		.name = "optee",
 		.of_match_table = optee_dt_match,



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 115/175] tpm_ftpm_tee: Free and unregister TEE shared memory during kexec
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 114/175] optee: fix tee out of memory failure seen during kexec reboot Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 116/175] staging: rtl8723bs: Fix a resource leak in sd_int_dpc Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tyler Hicks, Sumit Garg,
	Jarkko Sakkinen, Jens Wiklander

From: Tyler Hicks <tyhicks@linux.microsoft.com>

commit dfb703ad2a8d366b829818a558337be779746575 upstream.

dma-buf backed shared memory cannot be reliably freed and unregistered
during a kexec operation even when tee_shm_free() is called on the shm
from a .shutdown hook. The problem occurs because dma_buf_put() calls
fput() which then uses task_work_add(), with the TWA_RESUME parameter,
to queue tee_shm_release() to be called before the current task returns
to user mode. However, the current task never returns to user mode
before the kexec completes so the memory is never freed nor
unregistered.

Use tee_shm_alloc_kernel_buf() to avoid dma-buf backed shared memory
allocation so that tee_shm_free() can directly call tee_shm_release().
This will ensure that the shm can be freed and unregistered during a
kexec operation.

Fixes: 09e574831b27 ("tpm/tpm_ftpm_tee: A driver for firmware TPM running inside TEE")
Fixes: 1760eb689ed6 ("tpm/tpm_ftpm_tee: add shutdown call back")
Cc: stable@vger.kernel.org
Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/tpm/tpm_ftpm_tee.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/char/tpm/tpm_ftpm_tee.c
+++ b/drivers/char/tpm/tpm_ftpm_tee.c
@@ -254,11 +254,11 @@ static int ftpm_tee_probe(struct device
 	pvt_data->session = sess_arg.session;
 
 	/* Allocate dynamic shared memory with fTPM TA */
-	pvt_data->shm = tee_shm_alloc(pvt_data->ctx,
-				      MAX_COMMAND_SIZE + MAX_RESPONSE_SIZE,
-				      TEE_SHM_MAPPED | TEE_SHM_DMA_BUF);
+	pvt_data->shm = tee_shm_alloc_kernel_buf(pvt_data->ctx,
+						 MAX_COMMAND_SIZE +
+						 MAX_RESPONSE_SIZE);
 	if (IS_ERR(pvt_data->shm)) {
-		dev_err(dev, "%s: tee_shm_alloc failed\n", __func__);
+		dev_err(dev, "%s: tee_shm_alloc_kernel_buf failed\n", __func__);
 		rc = -ENOMEM;
 		goto out_shm_alloc;
 	}



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 116/175] staging: rtl8723bs: Fix a resource leak in sd_int_dpc
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 115/175] tpm_ftpm_tee: Free and unregister TEE shared memory during kexec Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 117/175] staging: rtl8712: get rid of flush_scheduled_work Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede, Xiangyang Zhang

From: Xiangyang Zhang <xyz.sun.ok@gmail.com>

commit 990e4ad3ddcb72216caeddd6e62c5f45a21e8121 upstream.

The "c2h_evt" variable is not freed when function call
"c2h_evt_read_88xx" failed

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Xiangyang Zhang <xyz.sun.ok@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210628152239.5475-1-xyz.sun.ok@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8723bs/hal/sdio_ops.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/staging/rtl8723bs/hal/sdio_ops.c
+++ b/drivers/staging/rtl8723bs/hal/sdio_ops.c
@@ -921,6 +921,8 @@ void sd_int_dpc(struct adapter *adapter)
 				} else {
 					rtw_c2h_wk_cmd(adapter, (u8 *)c2h_evt);
 				}
+			} else {
+				kfree(c2h_evt);
 			}
 		} else {
 			/* Error handling for malloc fail */



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 117/175] staging: rtl8712: get rid of flush_scheduled_work
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 116/175] staging: rtl8723bs: Fix a resource leak in sd_int_dpc Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 118/175] staging: rtl8712: error handling refactoring Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Skripkin

From: Pavel Skripkin <paskripkin@gmail.com>

commit 9be550ee43919b070bcd77f9228bdbbbc073245b upstream.

This patch is preparation for following patch for error handling
refactoring.

flush_scheduled_work() takes (wq_completion)events lock and
it can lead to deadlock when r871xu_dev_remove() is called from workqueue.
To avoid deadlock sutiation we can change flush_scheduled_work() call to
flush_work() call for all possibly scheduled works in this driver,
since next patch adds device_release_driver() in case of fw load failure.

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/6e028b4c457eeb7156c76c6ea3cdb3cb0207c7e1.1626895918.git.paskripkin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8712/rtl8712_led.c     |    8 ++++++++
 drivers/staging/rtl8712/rtl871x_led.h     |    1 +
 drivers/staging/rtl8712/rtl871x_pwrctrl.c |    8 ++++++++
 drivers/staging/rtl8712/rtl871x_pwrctrl.h |    1 +
 drivers/staging/rtl8712/usb_intf.c        |    3 ++-
 5 files changed, 20 insertions(+), 1 deletion(-)

--- a/drivers/staging/rtl8712/rtl8712_led.c
+++ b/drivers/staging/rtl8712/rtl8712_led.c
@@ -1820,3 +1820,11 @@ void LedControl871x(struct _adapter *pad
 		break;
 	}
 }
+
+void r8712_flush_led_works(struct _adapter *padapter)
+{
+	struct led_priv *pledpriv = &padapter->ledpriv;
+
+	flush_work(&pledpriv->SwLed0.BlinkWorkItem);
+	flush_work(&pledpriv->SwLed1.BlinkWorkItem);
+}
--- a/drivers/staging/rtl8712/rtl871x_led.h
+++ b/drivers/staging/rtl8712/rtl871x_led.h
@@ -112,6 +112,7 @@ struct led_priv {
 void r8712_InitSwLeds(struct _adapter *padapter);
 void r8712_DeInitSwLeds(struct _adapter *padapter);
 void LedControl871x(struct _adapter *padapter, enum LED_CTL_MODE LedAction);
+void r8712_flush_led_works(struct _adapter *padapter);
 
 #endif
 
--- a/drivers/staging/rtl8712/rtl871x_pwrctrl.c
+++ b/drivers/staging/rtl8712/rtl871x_pwrctrl.c
@@ -224,3 +224,11 @@ void r8712_unregister_cmd_alive(struct _
 	}
 	mutex_unlock(&pwrctrl->mutex_lock);
 }
+
+void r8712_flush_rwctrl_works(struct _adapter *padapter)
+{
+	struct pwrctrl_priv *pwrctrl = &padapter->pwrctrlpriv;
+
+	flush_work(&pwrctrl->SetPSModeWorkItem);
+	flush_work(&pwrctrl->rpwm_workitem);
+}
--- a/drivers/staging/rtl8712/rtl871x_pwrctrl.h
+++ b/drivers/staging/rtl8712/rtl871x_pwrctrl.h
@@ -108,5 +108,6 @@ void r8712_cpwm_int_hdl(struct _adapter
 void r8712_set_ps_mode(struct _adapter *padapter, uint ps_mode,
 			uint smart_ps);
 void r8712_set_rpwm(struct _adapter *padapter, u8 val8);
+void r8712_flush_rwctrl_works(struct _adapter *padapter);
 
 #endif  /* __RTL871X_PWRCTRL_H_ */
--- a/drivers/staging/rtl8712/usb_intf.c
+++ b/drivers/staging/rtl8712/usb_intf.c
@@ -609,7 +609,8 @@ static void r871xu_dev_remove(struct usb
 			padapter->surprise_removed = true;
 		if (pnetdev->reg_state != NETREG_UNINITIALIZED)
 			unregister_netdev(pnetdev); /* will call netdev_close() */
-		flush_scheduled_work();
+		r8712_flush_rwctrl_works(padapter);
+		r8712_flush_led_works(padapter);
 		udelay(1);
 		/* Stop driver mlme relation timer */
 		r8712_stop_drv_timers(padapter);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 118/175] staging: rtl8712: error handling refactoring
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 117/175] staging: rtl8712: get rid of flush_scheduled_work Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 119/175] drivers core: Fix oops when driver probe fails Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin,
	syzbot+5872a520e0ce0a7c7230, syzbot+cc699626e48a6ebaf295

From: Pavel Skripkin <paskripkin@gmail.com>

commit e9e6aa51b2735d83a67d9fa0119cf11abef80d99 upstream.

There was strange error handling logic in case of fw load failure. For
some reason fw loader callback was doing clean up stuff when fw is not
available. I don't see any reason behind doing this. Since this driver
doesn't have EEPROM firmware let's just disconnect it in case of fw load
failure. Doing clean up stuff in 2 different place which can run
concurently is not good idea and syzbot found 2 bugs related to this
strange approach.

So, in this pacth I deleted all clean up code from fw callback and made
a call to device_release_driver() under device_lock(parent) in case of fw
load failure. This approach is more generic and it defend driver from UAF
bugs, since all clean up code is moved to one place.

Fixes: e02a3b945816 ("staging: rtl8712: fix memory leak in rtl871x_load_fw_cb")
Fixes: 8c213fa59199 ("staging: r8712u: Use asynchronous firmware loading")
Cc: stable <stable@vger.kernel.org>
Reported-and-tested-by: syzbot+5872a520e0ce0a7c7230@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+cc699626e48a6ebaf295@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/d49ecc56e97c4df181d7bd4d240b031f315eacc3.1626895918.git.paskripkin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/rtl8712/hal_init.c |   30 +++++++++++++++--------
 drivers/staging/rtl8712/usb_intf.c |   48 ++++++++++++++++---------------------
 2 files changed, 41 insertions(+), 37 deletions(-)

--- a/drivers/staging/rtl8712/hal_init.c
+++ b/drivers/staging/rtl8712/hal_init.c
@@ -29,21 +29,31 @@
 #define FWBUFF_ALIGN_SZ 512
 #define MAX_DUMP_FWSZ (48 * 1024)
 
+static void rtl871x_load_fw_fail(struct _adapter *adapter)
+{
+	struct usb_device *udev = adapter->dvobjpriv.pusbdev;
+	struct device *dev = &udev->dev;
+	struct device *parent = dev->parent;
+
+	complete(&adapter->rtl8712_fw_ready);
+
+	dev_err(&udev->dev, "r8712u: Firmware request failed\n");
+
+	if (parent)
+		device_lock(parent);
+
+	device_release_driver(dev);
+
+	if (parent)
+		device_unlock(parent);
+}
+
 static void rtl871x_load_fw_cb(const struct firmware *firmware, void *context)
 {
 	struct _adapter *adapter = context;
 
 	if (!firmware) {
-		struct usb_device *udev = adapter->dvobjpriv.pusbdev;
-		struct usb_interface *usb_intf = adapter->pusb_intf;
-
-		dev_err(&udev->dev, "r8712u: Firmware request failed\n");
-		usb_put_dev(udev);
-		usb_set_intfdata(usb_intf, NULL);
-		r8712_free_drv_sw(adapter);
-		adapter->dvobj_deinit(adapter);
-		complete(&adapter->rtl8712_fw_ready);
-		free_netdev(adapter->pnetdev);
+		rtl871x_load_fw_fail(adapter);
 		return;
 	}
 	adapter->fw = firmware;
--- a/drivers/staging/rtl8712/usb_intf.c
+++ b/drivers/staging/rtl8712/usb_intf.c
@@ -594,36 +594,30 @@ static void r871xu_dev_remove(struct usb
 {
 	struct net_device *pnetdev = usb_get_intfdata(pusb_intf);
 	struct usb_device *udev = interface_to_usbdev(pusb_intf);
+	struct _adapter *padapter = netdev_priv(pnetdev);
 
-	if (pnetdev) {
-		struct _adapter *padapter = netdev_priv(pnetdev);
+	/* never exit with a firmware callback pending */
+	wait_for_completion(&padapter->rtl8712_fw_ready);
+	usb_set_intfdata(pusb_intf, NULL);
+	release_firmware(padapter->fw);
+	if (drvpriv.drv_registered)
+		padapter->surprise_removed = true;
+	if (pnetdev->reg_state != NETREG_UNINITIALIZED)
+		unregister_netdev(pnetdev); /* will call netdev_close() */
+	r8712_flush_rwctrl_works(padapter);
+	r8712_flush_led_works(padapter);
+	udelay(1);
+	/* Stop driver mlme relation timer */
+	r8712_stop_drv_timers(padapter);
+	r871x_dev_unload(padapter);
+	r8712_free_drv_sw(padapter);
+	free_netdev(pnetdev);
 
-		/* never exit with a firmware callback pending */
-		wait_for_completion(&padapter->rtl8712_fw_ready);
-		pnetdev = usb_get_intfdata(pusb_intf);
-		usb_set_intfdata(pusb_intf, NULL);
-		if (!pnetdev)
-			goto firmware_load_fail;
-		release_firmware(padapter->fw);
-		if (drvpriv.drv_registered)
-			padapter->surprise_removed = true;
-		if (pnetdev->reg_state != NETREG_UNINITIALIZED)
-			unregister_netdev(pnetdev); /* will call netdev_close() */
-		r8712_flush_rwctrl_works(padapter);
-		r8712_flush_led_works(padapter);
-		udelay(1);
-		/* Stop driver mlme relation timer */
-		r8712_stop_drv_timers(padapter);
-		r871x_dev_unload(padapter);
-		r8712_free_drv_sw(padapter);
-		free_netdev(pnetdev);
+	/* decrease the reference count of the usb device structure
+	 * when disconnect
+	 */
+	usb_put_dev(udev);
 
-		/* decrease the reference count of the usb device structure
-		 * when disconnect
-		 */
-		usb_put_dev(udev);
-	}
-firmware_load_fail:
 	/* If we didn't unplug usb dongle and remove/insert module, driver
 	 * fails on sitesurvey for the first time when device is up.
 	 * Reset usb port for sitesurvey fail issue.



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 119/175] drivers core: Fix oops when driver probe fails
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 118/175] staging: rtl8712: error handling refactoring Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 120/175] media: rtl28xxu: fix zero-length control request Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filip Schauer

From: Filip Schauer <filip@mg6.at>

commit 4d1014c1816c0395eca5d1d480f196a4c63119d0 upstream.

dma_range_map is freed to early, which might cause an oops when
a driver probe fails.
 Call trace:
  is_free_buddy_page+0xe4/0x1d4
  __free_pages+0x2c/0x88
  dma_free_contiguous+0x64/0x80
  dma_direct_free+0x38/0xb4
  dma_free_attrs+0x88/0xa0
  dmam_release+0x28/0x34
  release_nodes+0x78/0x8c
  devres_release_all+0xa8/0x110
  really_probe+0x118/0x2d0
  __driver_probe_device+0xc8/0xe0
  driver_probe_device+0x54/0xec
  __driver_attach+0xe0/0xf0
  bus_for_each_dev+0x7c/0xc8
  driver_attach+0x30/0x3c
  bus_add_driver+0x17c/0x1c4
  driver_register+0xc0/0xf8
  __platform_driver_register+0x34/0x40
  ...

This issue is introduced by commit d0243bbd5dd3 ("drivers core:
Free dma_range_map when driver probe failed"). It frees
dma_range_map before the call to devres_release_all, which is too
early. The solution is to free dma_range_map only after
devres_release_all.

Fixes: d0243bbd5dd3 ("drivers core: Free dma_range_map when driver probe failed")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Filip Schauer <filip@mg6.at>
Link: https://lore.kernel.org/r/20210727112311.GA7645@DESKTOP-E8BN1B0.localdomain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/dd.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -634,8 +634,6 @@ dev_groups_failed:
 	else if (drv->remove)
 		drv->remove(dev);
 probe_failed:
-	kfree(dev->dma_range_map);
-	dev->dma_range_map = NULL;
 	if (dev->bus)
 		blocking_notifier_call_chain(&dev->bus->p->bus_notifier,
 					     BUS_NOTIFY_DRIVER_NOT_BOUND, dev);
@@ -643,6 +641,8 @@ pinctrl_bind_failed:
 	device_links_no_driver(dev);
 	devres_release_all(dev);
 	arch_teardown_dma_ops(dev);
+	kfree(dev->dma_range_map);
+	dev->dma_range_map = NULL;
 	driver_sysfs_remove(dev);
 	dev->driver = NULL;
 	dev_set_drvdata(dev, NULL);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 120/175] media: rtl28xxu: fix zero-length control request
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 119/175] drivers core: Fix oops when driver probe fails Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 121/175] pipe: increase minimum default pipe size to 2 pages Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+faf11bbadc5a372564da,
	Eero Lehtinen, Antti Palosaari, Johan Hovold, Sean Young,
	Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit 76f22c93b209c811bd489950f17f8839adb31901 upstream.

The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.

Control transfers without a data stage are treated as OUT requests by
the USB stack and should be using usb_sndctrlpipe(). Failing to do so
will now trigger a warning.

The driver uses a zero-length i2c-read request for type detection so
update the control-request code to use usb_sndctrlpipe() in this case.

Note that actually trying to read the i2c register in question does not
work as the register might not exist (e.g. depending on the demodulator)
as reported by Eero Lehtinen <debiangamer2@gmail.com>.

Reported-by: syzbot+faf11bbadc5a372564da@syzkaller.appspotmail.com
Reported-by: Eero Lehtinen <debiangamer2@gmail.com>
Tested-by: Eero Lehtinen <debiangamer2@gmail.com>
Fixes: d0f232e823af ("[media] rtl28xxu: add heuristic to detect chip type")
Cc: stable@vger.kernel.org      # 4.0
Cc: Antti Palosaari <crope@iki.fi>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/usb/dvb-usb-v2/rtl28xxu.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
+++ b/drivers/media/usb/dvb-usb-v2/rtl28xxu.c
@@ -37,7 +37,16 @@ static int rtl28xxu_ctrl_msg(struct dvb_
 	} else {
 		/* read */
 		requesttype = (USB_TYPE_VENDOR | USB_DIR_IN);
-		pipe = usb_rcvctrlpipe(d->udev, 0);
+
+		/*
+		 * Zero-length transfers must use usb_sndctrlpipe() and
+		 * rtl28xxu_identify_state() uses a zero-length i2c read
+		 * command to determine the chip type.
+		 */
+		if (req->size)
+			pipe = usb_rcvctrlpipe(d->udev, 0);
+		else
+			pipe = usb_sndctrlpipe(d->udev, 0);
 	}
 
 	ret = usb_control_msg(d->udev, pipe, 0, requesttype, req->value,



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 121/175] pipe: increase minimum default pipe size to 2 pages
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 120/175] media: rtl28xxu: fix zero-length control request Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 122/175] ext4: fix potential htree corruption when growing large_dir directories Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alex Xu (Hello71), Linus Torvalds

From: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>

commit 46c4c9d1beb7f5b4cec4dd90e7728720583ee348 upstream.

This program always prints 4096 and hangs before the patch, and always
prints 8192 and exits successfully after:

  int main()
  {
      int pipefd[2];
      for (int i = 0; i < 1025; i++)
          if (pipe(pipefd) == -1)
              return 1;
      size_t bufsz = fcntl(pipefd[1], F_GETPIPE_SZ);
      printf("%zd\n", bufsz);
      char *buf = calloc(bufsz, 1);
      write(pipefd[1], buf, bufsz);
      read(pipefd[0], buf, bufsz-1);
      write(pipefd[1], buf, 1);
  }

Note that you may need to increase your RLIMIT_NOFILE before running the
program.

Fixes: 759c01142a ("pipe: limit the per-user amount of pages allocated in pipes")
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/
Link: https://lore.kernel.org/lkml/1628127094.lxxn016tj7.none@localhost/
Signed-off-by: Alex Xu (Hello71) <alex_y_xu@yahoo.ca>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/pipe.c |   19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -32,6 +32,21 @@
 #include "internal.h"
 
 /*
+ * New pipe buffers will be restricted to this size while the user is exceeding
+ * their pipe buffer quota. The general pipe use case needs at least two
+ * buffers: one for data yet to be read, and one for new data. If this is less
+ * than two, then a write to a non-empty pipe may block even if the pipe is not
+ * full. This can occur with GNU make jobserver or similar uses of pipes as
+ * semaphores: multiple processes may be waiting to write tokens back to the
+ * pipe before reading tokens: https://lore.kernel.org/lkml/1628086770.5rn8p04n6j.none@localhost/.
+ *
+ * Users can reduce their pipe buffers with F_SETPIPE_SZ below this at their
+ * own risk, namely: pipe writes to non-full pipes may block until the pipe is
+ * emptied.
+ */
+#define PIPE_MIN_DEF_BUFFERS 2
+
+/*
  * The max size that a non-root user is allowed to grow the pipe. Can
  * be set by root in /proc/sys/fs/pipe-max-size
  */
@@ -781,8 +796,8 @@ struct pipe_inode_info *alloc_pipe_info(
 	user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
 
 	if (too_many_pipe_buffers_soft(user_bufs) && pipe_is_unprivileged_user()) {
-		user_bufs = account_pipe_buffers(user, pipe_bufs, 1);
-		pipe_bufs = 1;
+		user_bufs = account_pipe_buffers(user, pipe_bufs, PIPE_MIN_DEF_BUFFERS);
+		pipe_bufs = PIPE_MIN_DEF_BUFFERS;
 	}
 
 	if (too_many_pipe_buffers_hard(user_bufs) && pipe_is_unprivileged_user())



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 122/175] ext4: fix potential htree corruption when growing large_dir directories
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 121/175] pipe: increase minimum default pipe size to 2 pages Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 123/175] Revert "thunderbolt: Hide authorized attribute if router does not support PCIe tunnels" Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable,
	Благодаренко
	Артём,
	Denis, Theodore Tso, stable

From: Theodore Ts'o <tytso@mit.edu>

commit 877ba3f729fd3d8ef0e29bc2a55e57cfa54b2e43 upstream.

Commit b5776e7524af ("ext4: fix potential htree index checksum
corruption) removed a required restart when multiple levels of index
nodes need to be split.  Fix this to avoid directory htree corruptions
when using the large_dir feature.

Cc: stable@kernel.org # v5.11
Cc: Благодаренко Артём <artem.blagodarenko@gmail.com>
Fixes: b5776e7524af ("ext4: fix potential htree index checksum corruption)
Reported-by: Denis <denis@voxelsoft.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/namei.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2517,7 +2517,7 @@ again:
 				goto journal_error;
 			err = ext4_handle_dirty_dx_node(handle, dir,
 							frame->bh);
-			if (err)
+			if (restart || err)
 				goto journal_error;
 		} else {
 			struct dx_root *dxroot;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 123/175] Revert "thunderbolt: Hide authorized attribute if router does not support PCIe tunnels"
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 122/175] ext4: fix potential htree corruption when growing large_dir directories Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 124/175] serial: tegra: Only print FIFO error message when an error occurs Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Kellner, Mika Westerberg

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit 8e3341257e3b5774ec8cd3ef1ba0c0d3fada322b upstream.

This reverts commit 6f3badead6a078cf3c71f381f9d84ac922984a00.

It turns out bolt depends on having authorized attribute visible under
each device. Hiding it makes bolt crash as several people have reported
on various bug trackers. For this reason revert the commit.

Link: https://gitlab.freedesktop.org/bolt/bolt/-/issues/174
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1979765
Link: https://bugs.archlinux.org/task/71569
Cc: stable@vger.kernel.org
Cc: Christian Kellner <ckellner@redhat.com>
Fixes: 6f3badead6a0 ("thunderbolt: Hide authorized attribute if router does not support PCIe tunnels")
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Link: https://lore.kernel.org/r/20210727142501.27476-1-mika.westerberg@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/switch.c |   15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

--- a/drivers/thunderbolt/switch.c
+++ b/drivers/thunderbolt/switch.c
@@ -1740,18 +1740,6 @@ static struct attribute *switch_attrs[]
 	NULL,
 };
 
-static bool has_port(const struct tb_switch *sw, enum tb_port_type type)
-{
-	const struct tb_port *port;
-
-	tb_switch_for_each_port(sw, port) {
-		if (!port->disabled && port->config.type == type)
-			return true;
-	}
-
-	return false;
-}
-
 static umode_t switch_attr_is_visible(struct kobject *kobj,
 				      struct attribute *attr, int n)
 {
@@ -1760,8 +1748,7 @@ static umode_t switch_attr_is_visible(st
 
 	if (attr == &dev_attr_authorized.attr) {
 		if (sw->tb->security_level == TB_SECURITY_NOPCIE ||
-		    sw->tb->security_level == TB_SECURITY_DPONLY ||
-		    !has_port(sw, TB_TYPE_PCIE_UP))
+		    sw->tb->security_level == TB_SECURITY_DPONLY)
 			return 0;
 	} else if (attr == &dev_attr_device.attr) {
 		if (!sw->device)



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 124/175] serial: tegra: Only print FIFO error message when an error occurs
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 123/175] Revert "thunderbolt: Hide authorized attribute if router does not support PCIe tunnels" Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 125/175] serial: 8250_mtk: fix uart corruption issue when rx power off Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thierry Reding, Jon Hunter

From: Jon Hunter <jonathanh@nvidia.com>

commit cc9ca4d95846cbbece48d9cd385550f8fba6a3c1 upstream.

The Tegra serial driver always prints an error message when enabling the
FIFO for devices that have support for checking the FIFO enable status.
Fix this by displaying the error message, only when an error occurs.

Finally, update the error message to make it clear that enabling the
FIFO failed and display the error code.

Fixes: 222dcdff3405 ("serial: tegra: check for FIFO mode enabled status")
Cc: <stable@vger.kernel.org>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://lore.kernel.org/r/20210630125643.264264-1-jonathanh@nvidia.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/serial-tegra.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/tty/serial/serial-tegra.c
+++ b/drivers/tty/serial/serial-tegra.c
@@ -1045,9 +1045,11 @@ static int tegra_uart_hw_init(struct teg
 
 	if (tup->cdata->fifo_mode_enable_status) {
 		ret = tegra_uart_wait_fifo_mode_enabled(tup);
-		dev_err(tup->uport.dev, "FIFO mode not enabled\n");
-		if (ret < 0)
+		if (ret < 0) {
+			dev_err(tup->uport.dev,
+				"Failed to enable FIFO mode: %d\n", ret);
 			return ret;
+		}
 	} else {
 		/*
 		 * For all tegra devices (up to t210), there is a hardware



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 125/175] serial: 8250_mtk: fix uart corruption issue when rx power off
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 124/175] serial: tegra: Only print FIFO error message when an error occurs Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 126/175] serial: 8250: Mask out floating 16/32-bit bus bits Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhiyong Tao

From: Zhiyong Tao <zhiyong.tao@mediatek.com>

commit 7c4a509d3815a260c423c0633bd73695250ac26d upstream.

Fix uart corruption issue when rx power off.
Add spin lock in mtk8250_dma_rx_complete function in APDMA mode.

when uart is used as a communication port with external device(GPS).
when external device(GPS) power off, the power of rx pin is also from
1.8v to 0v. Even if there is not any data in rx. But uart rx pin can
capture the data "0".
If uart don't receive any data in specified cycle, uart will generates
BI(Break interrupt) interrupt.
If external device(GPS) power off, we found that BI interrupt appeared
continuously and very frequently.
When uart interrupt type is BI, uart IRQ handler(8250 framwork
API:serial8250_handle_irq) will push data to tty buffer.
mtk8250_dma_rx_complete is a task of mtk_uart_apdma_rx_handler.
mtk8250_dma_rx_complete priority is lower than uart irq
handler(serial8250_handle_irq).
if we are in process of mtk8250_dma_rx_complete, uart appear BI
interrupt:1)serial8250_handle_irq will priority execution.2)it may cause
write tty buffer conflict in mtk8250_dma_rx_complete.
So the spin lock protect the rx receive data process is not break.

Signed-off-by: Zhiyong Tao <zhiyong.tao@mediatek.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210729084640.17613-2-zhiyong.tao@mediatek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/8250/8250_mtk.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/tty/serial/8250/8250_mtk.c
+++ b/drivers/tty/serial/8250/8250_mtk.c
@@ -93,10 +93,13 @@ static void mtk8250_dma_rx_complete(void
 	struct dma_tx_state state;
 	int copied, total, cnt;
 	unsigned char *ptr;
+	unsigned long flags;
 
 	if (data->rx_status == DMA_RX_SHUTDOWN)
 		return;
 
+	spin_lock_irqsave(&up->port.lock, flags);
+
 	dmaengine_tx_status(dma->rxchan, dma->rx_cookie, &state);
 	total = dma->rx_size - state.residue;
 	cnt = total;
@@ -120,6 +123,8 @@ static void mtk8250_dma_rx_complete(void
 	tty_flip_buffer_push(tty_port);
 
 	mtk8250_rx_dma(up);
+
+	spin_unlock_irqrestore(&up->port.lock, flags);
 }
 
 static void mtk8250_rx_dma(struct uart_8250_port *up)



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 126/175] serial: 8250: Mask out floating 16/32-bit bus bits
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 125/175] serial: 8250_mtk: fix uart corruption issue when rx power off Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 127/175] serial: 8250: fix handle_irq locking Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Philippe Mathieu-Daudé,
	Maciej W. Rozycki

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit e5227c51090e165db4b48dcaa300605bfced7014 upstream.

Make sure only actual 8 bits of the IIR register are used in determining
the port type in `autoconfig'.

The `serial_in' port accessor returns the `unsigned int' type, meaning
that with UPIO_AU, UPIO_MEM16, UPIO_MEM32, and UPIO_MEM32BE access types
more than 8 bits of data are returned, of which the high order bits will
often come from bus lines that are left floating in the data phase.  For
example with the MIPS Malta board's CBUS UART, where the registers are
aligned on 8-byte boundaries and which uses 32-bit accesses, data as
follows is returned:

YAMON> dump -32 0xbf000900 0x40

BF000900: 1F000942 1F000942 1F000900 1F000900  ...B...B........
BF000910: 1F000901 1F000901 1F000900 1F000900  ................
BF000920: 1F000900 1F000900 1F000960 1F000960  ...........`...`
BF000930: 1F000900 1F000900 1F0009FF 1F0009FF  ................

YAMON>

Evidently high-order 24 bits return values previously driven in the
address phase (the 3 highest order address bits used with the command
above are masked out in the simple virtual address mapping used here and
come out at zeros on the external bus), a common scenario with bus lines
left floating, due to bus capacitance.

Consequently when the value of IIR, mapped at 0x1f000910, is retrieved
in `autoconfig', it comes out at 0x1f0009c1 and when it is right-shifted
by 6 and then assigned to 8-bit `scratch' variable, the value calculated
is 0x27, not one of 0, 1, 2, 3 expected in port type determination.

Fix the issue then, by assigning the value returned from `serial_in' to
`scratch' first, which masks out 24 high-order bits retrieved, and only
then right-shift the resulting 8-bit data quantity, producing the value
of 3 in this case, as expected.  Fix the same issue in `serial_dl_read'.

The problem first appeared with Linux 2.6.9-rc3 which predates our repo
history, but the origin could be identified with the old MIPS/Linux repo
also at: <git://git.kernel.org/pub/scm/linux/kernel/git/ralf/linux.git>
as commit e0d2356c0777 ("Merge with Linux 2.6.9-rc3."), where code in
`serial_in' was updated with this case:

+	case UPIO_MEM32:
+		return readl(up->port.membase + offset);
+

which made it produce results outside the unsigned 8-bit range for the
first time, though obviously it is system dependent what actual values
appear in the high order bits retrieved and it may well have been zeros
in the relevant positions with the system the change originally was
intended for.  It is at that point that code in `autoconf' should have
been updated accordingly, but clearly it was overlooked.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org # v2.6.12+
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Link: https://lore.kernel.org/r/alpine.DEB.2.21.2106260516220.37803@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/8250/8250_port.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -311,7 +311,11 @@ static const struct serial8250_config ua
 /* Uart divisor latch read */
 static int default_serial_dl_read(struct uart_8250_port *up)
 {
-	return serial_in(up, UART_DLL) | serial_in(up, UART_DLM) << 8;
+	/* Assign these in pieces to truncate any bits above 7.  */
+	unsigned char dll = serial_in(up, UART_DLL);
+	unsigned char dlm = serial_in(up, UART_DLM);
+
+	return dll | dlm << 8;
 }
 
 /* Uart divisor latch write */
@@ -1297,9 +1301,11 @@ static void autoconfig(struct uart_8250_
 	serial_out(up, UART_LCR, 0);
 
 	serial_out(up, UART_FCR, UART_FCR_ENABLE_FIFO);
-	scratch = serial_in(up, UART_IIR) >> 6;
 
-	switch (scratch) {
+	/* Assign this as it is to truncate any bits above 7.  */
+	scratch = serial_in(up, UART_IIR);
+
+	switch (scratch >> 6) {
 	case 0:
 		autoconfig_8250(up);
 		break;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 127/175] serial: 8250: fix handle_irq locking
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 126/175] serial: 8250: Mask out floating 16/32-bit bus bits Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 128/175] MIPS: Malta: Do not byte-swap accesses to the CBUS UART Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joel Stanley, Andrew Jeffery,
	kernel test robot, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 853a9ae29e978d37f5dfa72622a68c9ae3d7fa89 upstream.

The 8250 handle_irq callback is not just called from the interrupt
handler but also from a timer callback when polling (e.g. for ports
without an interrupt line). Consequently the callback must explicitly
disable interrupts to avoid a potential deadlock with another interrupt
in polled mode.

Add back an irqrestore-version of the sysrq port-unlock helper and use
it in the 8250 callbacks that need it.

Fixes: 75f4e830fa9c ("serial: do not restore interrupt state in sysrq helper")
Cc: stable@vger.kernel.org	# 5.13
Cc: Joel Stanley <joel@jms.id.au>
Cc: Andrew Jeffery <andrew@aj.id.au>
Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20210714080427.28164-1-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/8250/8250_aspeed_vuart.c |    5 +++--
 drivers/tty/serial/8250/8250_fsl.c          |    5 +++--
 drivers/tty/serial/8250/8250_port.c         |    5 +++--
 include/linux/serial_core.h                 |   24 ++++++++++++++++++++++++
 4 files changed, 33 insertions(+), 6 deletions(-)

--- a/drivers/tty/serial/8250/8250_aspeed_vuart.c
+++ b/drivers/tty/serial/8250/8250_aspeed_vuart.c
@@ -320,6 +320,7 @@ static int aspeed_vuart_handle_irq(struc
 {
 	struct uart_8250_port *up = up_to_u8250p(port);
 	unsigned int iir, lsr;
+	unsigned long flags;
 	int space, count;
 
 	iir = serial_port_in(port, UART_IIR);
@@ -327,7 +328,7 @@ static int aspeed_vuart_handle_irq(struc
 	if (iir & UART_IIR_NO_INT)
 		return 0;
 
-	spin_lock(&port->lock);
+	spin_lock_irqsave(&port->lock, flags);
 
 	lsr = serial_port_in(port, UART_LSR);
 
@@ -363,7 +364,7 @@ static int aspeed_vuart_handle_irq(struc
 	if (lsr & UART_LSR_THRE)
 		serial8250_tx_chars(up);
 
-	uart_unlock_and_check_sysrq(port);
+	uart_unlock_and_check_sysrq_irqrestore(port, flags);
 
 	return 1;
 }
--- a/drivers/tty/serial/8250/8250_fsl.c
+++ b/drivers/tty/serial/8250/8250_fsl.c
@@ -30,10 +30,11 @@ struct fsl8250_data {
 int fsl8250_handle_irq(struct uart_port *port)
 {
 	unsigned char lsr, orig_lsr;
+	unsigned long flags;
 	unsigned int iir;
 	struct uart_8250_port *up = up_to_u8250p(port);
 
-	spin_lock(&up->port.lock);
+	spin_lock_irqsave(&up->port.lock, flags);
 
 	iir = port->serial_in(port, UART_IIR);
 	if (iir & UART_IIR_NO_INT) {
@@ -82,7 +83,7 @@ int fsl8250_handle_irq(struct uart_port
 
 	up->lsr_saved_flags = orig_lsr;
 
-	uart_unlock_and_check_sysrq(&up->port);
+	uart_unlock_and_check_sysrq_irqrestore(&up->port, flags);
 
 	return 1;
 }
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -1899,11 +1899,12 @@ int serial8250_handle_irq(struct uart_po
 	unsigned char status;
 	struct uart_8250_port *up = up_to_u8250p(port);
 	bool skip_rx = false;
+	unsigned long flags;
 
 	if (iir & UART_IIR_NO_INT)
 		return 0;
 
-	spin_lock(&port->lock);
+	spin_lock_irqsave(&port->lock, flags);
 
 	status = serial_port_in(port, UART_LSR);
 
@@ -1929,7 +1930,7 @@ int serial8250_handle_irq(struct uart_po
 		(up->ier & UART_IER_THRI))
 		serial8250_tx_chars(up);
 
-	uart_unlock_and_check_sysrq(port);
+	uart_unlock_and_check_sysrq_irqrestore(port, flags);
 
 	return 1;
 }
--- a/include/linux/serial_core.h
+++ b/include/linux/serial_core.h
@@ -517,6 +517,25 @@ static inline void uart_unlock_and_check
 	if (sysrq_ch)
 		handle_sysrq(sysrq_ch);
 }
+
+static inline void uart_unlock_and_check_sysrq_irqrestore(struct uart_port *port,
+		unsigned long flags)
+{
+	int sysrq_ch;
+
+	if (!port->has_sysrq) {
+		spin_unlock_irqrestore(&port->lock, flags);
+		return;
+	}
+
+	sysrq_ch = port->sysrq_ch;
+	port->sysrq_ch = 0;
+
+	spin_unlock_irqrestore(&port->lock, flags);
+
+	if (sysrq_ch)
+		handle_sysrq(sysrq_ch);
+}
 #else	/* CONFIG_MAGIC_SYSRQ_SERIAL */
 static inline int uart_handle_sysrq_char(struct uart_port *port, unsigned int ch)
 {
@@ -530,6 +549,11 @@ static inline void uart_unlock_and_check
 {
 	spin_unlock(&port->lock);
 }
+static inline void uart_unlock_and_check_sysrq_irqrestore(struct uart_port *port,
+		unsigned long flags)
+{
+	spin_unlock_irqrestore(&port->lock, flags);
+}
 #endif	/* CONFIG_MAGIC_SYSRQ_SERIAL */
 
 /*



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 128/175] MIPS: Malta: Do not byte-swap accesses to the CBUS UART
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 127/175] serial: 8250: fix handle_irq locking Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 129/175] serial: 8250_pci: Enumerate Elkhart Lake UARTs via dedicated driver Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Philippe Mathieu-Daudé,
	Maciej W. Rozycki

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 9a936d6c3d3d6c33ecbadf72dccdb567b5cd3c72 upstream.

Correct big-endian accesses to the CBUS UART, a Malta on-board discrete
TI16C550C part wired directly to the system controller's device bus, and
do not use byte swapping with the 32-bit accesses to the device.

The CBUS is used for devices such as the boot flash memory needed early
on in system bootstrap even before PCI has been initialised.  Therefore
it uses the system controller's device bus, which follows the endianness
set with the CPU, which means no byte-swapping is ever required for data
accesses to CBUS, unlike with PCI.

The CBUS UART uses the UPIO_MEM32 access method, that is the `readl' and
`writel' MMIO accessors, which on the MIPS platform imply byte-swapping
with PCI systems.  Consequently the wrong byte lane is accessed with the
big-endian configuration and the UART is not correctly accessed.

As it happens the UPIO_MEM32BE access method makes use of the `ioread32'
and `iowrite32' MMIO accessors, which still use `readl' and `writel'
respectively, however they byte-swap data passed, effectively cancelling
swapping done with the accessors themselves and making it suitable for
the CBUS UART.

Make the CBUS UART switch between UPIO_MEM32 and UPIO_MEM32BE then,
based on the endianness selected.  With this change in place the device
is correctly recognised with big-endian Malta at boot, along with the
Super I/O devices behind PCI:

Serial: 8250/16550 driver, 5 ports, IRQ sharing enabled
printk: console [ttyS0] disabled
serial8250.0: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
printk: console [ttyS0] enabled
printk: bootconsole [uart8250] disabled
serial8250.0: ttyS1 at I/O 0x2f8 (irq = 3, base_baud = 115200) is a 16550A
serial8250.0: ttyS2 at MMIO 0x1f000900 (irq = 20, base_baud = 230400) is a 16550A

Fixes: e7c4782f92fc ("[MIPS] Put an end to <asm/serial.h>'s long and annyoing existence")
Cc: stable@vger.kernel.org # v2.6.23+
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Link: https://lore.kernel.org/r/alpine.DEB.2.21.2106260524430.37803@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/mti-malta/malta-platform.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/mips/mti-malta/malta-platform.c
+++ b/arch/mips/mti-malta/malta-platform.c
@@ -47,7 +47,8 @@ static struct plat_serial8250_port uart8
 		.mapbase	= 0x1f000900,	/* The CBUS UART */
 		.irq		= MIPS_CPU_IRQ_BASE + MIPSCPU_INT_MB2,
 		.uartclk	= 3686400,	/* Twice the usual clk! */
-		.iotype		= UPIO_MEM32,
+		.iotype		= IS_ENABLED(CONFIG_CPU_BIG_ENDIAN) ?
+				  UPIO_MEM32BE : UPIO_MEM32,
 		.flags		= CBUS_UART_FLAGS,
 		.regshift	= 3,
 	},



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 129/175] serial: 8250_pci: Enumerate Elkhart Lake UARTs via dedicated driver
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 128/175] MIPS: Malta: Do not byte-swap accesses to the CBUS UART Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 130/175] serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andy Shevchenko

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit 7f0909db761535aefafa77031062603a71557267 upstream.

Elkhart Lake UARTs are PCI enumerated Synopsys DesignWare v4.0+ UART
integrated with Intel iDMA 32-bit DMA controller. There is a specific
driver to handle them, i.e. 8250_lpss. Hence, disable 8250_pci
enumeration for these UARTs.

Fixes: 1b91d97c66ef ("serial: 8250_lpss: Add ->setup() for Elkhart Lake ports")
Fixes: 4f912b898dc2 ("serial: 8250_lpss: Enable HS UART on Elkhart Lake")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20210713101739.36962-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/8250/8250_pci.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -3804,6 +3804,12 @@ static const struct pci_device_id blackl
 	{ PCI_VDEVICE(INTEL, 0x0f0c), },
 	{ PCI_VDEVICE(INTEL, 0x228a), },
 	{ PCI_VDEVICE(INTEL, 0x228c), },
+	{ PCI_VDEVICE(INTEL, 0x4b96), },
+	{ PCI_VDEVICE(INTEL, 0x4b97), },
+	{ PCI_VDEVICE(INTEL, 0x4b98), },
+	{ PCI_VDEVICE(INTEL, 0x4b99), },
+	{ PCI_VDEVICE(INTEL, 0x4b9a), },
+	{ PCI_VDEVICE(INTEL, 0x4b9b), },
 	{ PCI_VDEVICE(INTEL, 0x9ce3), },
 	{ PCI_VDEVICE(INTEL, 0x9ce4), },
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 130/175] serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts.
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 129/175] serial: 8250_pci: Enumerate Elkhart Lake UARTs via dedicated driver Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 131/175] fpga: dfl: fme: Fix cpu hotplug issue in performance reporting Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ralf Ramsauer, Andy Shevchenko,
	Mario Kleiner

From: Mario Kleiner <mario.kleiner.de@gmail.com>

commit 341abd693d10e5f337a51f140ae3e7a1ae0febf6 upstream.

This attempts to fix a bug found with a serial port card which uses
an MCS9922 chip, one of the 4 models for which MSI-X interrupts are
currently supported. I don't possess such a card, and i'm not
experienced with the serial subsystem, so this patch is based on what
i think i found as a likely reason for failure, based on walking the
user who actually owns the card through some diagnostic.

The user who reported the problem finds the following in his dmesg
output for the relevant ttyS4 and ttyS5:

[    0.580425] serial 0000:02:00.0: enabling device (0000 -> 0003)
[    0.601448] 0000:02:00.0: ttyS4 at I/O 0x3010 (irq = 125, base_baud = 115200) is a ST16650V2
[    0.603089] serial 0000:02:00.1: enabling device (0000 -> 0003)
[    0.624119] 0000:02:00.1: ttyS5 at I/O 0x3000 (irq = 126, base_baud = 115200) is a ST16650V2
...
[    6.323784] genirq: Flags mismatch irq 128. 00000080 (ttyS5) vs. 00000000 (xhci_hcd)
[    6.324128] genirq: Flags mismatch irq 128. 00000080 (ttyS5) vs. 00000000 (xhci_hcd)
...

Output of setserial -a:

/dev/ttyS4, Line 4, UART: 16650V2, Port: 0x3010, IRQ: 127
	Baud_base: 115200, close_delay: 50, divisor: 0
	closing_wait: 3000
	Flags: spd_normal skip_test

This suggests to me that the serial driver wants to register and share a
MSI/MSI-X irq 128 with the xhci_hcd driver, whereas the xhci driver does
not want to share the irq, as flags 0x00000080 (== IRQF_SHARED) from the
serial port driver means to share the irq, and this mismatch ends in some
failed irq init?

With this setup, data reception works very unreliable, with dropped data,
already at a transmission rate of only a 16 Bytes chunk every 1/120th of
a second, ie. 1920 Bytes/sec, presumably due to rx fifo overflow due to
mishandled or not used at all rx irq's?

See full discussion thread with attempted diagnosis at:

https://psychtoolbox.discourse.group/t/issues-with-iscan-serial-port-recording/3886

Disabling the use of MSI interrupts for the serial port pci card did
fix the reliability problems. The user executed the following sequence
of commands to achieve this:

echo 0000:02:00.0 | sudo tee /sys/bus/pci/drivers/serial/unbind
echo 0000:02:00.1 | sudo tee /sys/bus/pci/drivers/serial/unbind

echo 0 | sudo tee /sys/bus/pci/devices/0000:02:00.0/msi_bus
echo 0 | sudo tee /sys/bus/pci/devices/0000:02:00.1/msi_bus

echo 0000:02:00.0 | sudo tee /sys/bus/pci/drivers/serial/bind
echo 0000:02:00.1 | sudo tee /sys/bus/pci/drivers/serial/bind

This resulted in the following log output:

[   82.179021] pci 0000:02:00.0: MSI/MSI-X disallowed for future drivers
[   87.003031] pci 0000:02:00.1: MSI/MSI-X disallowed for future drivers
[   98.537010] 0000:02:00.0: ttyS4 at I/O 0x3010 (irq = 17, base_baud = 115200) is a ST16650V2
[  103.648124] 0000:02:00.1: ttyS5 at I/O 0x3000 (irq = 18, base_baud = 115200) is a ST16650V2

This patch attempts to fix the problem by disabling irq sharing when
using MSI irq's. Note that all i know for sure is that disabling MSI
irq's fixed the problem for the user, so this patch could be wrong and
is untested. Please review with caution, keeping this in mind.

Fixes: 8428413b1d14 ("serial: 8250_pci: Implement MSI(-X) support")
Cc: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
Cc: stable <stable@vger.kernel.org>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Link: https://lore.kernel.org/r/20210729043306.18528-1-mario.kleiner.de@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/8250/8250_pci.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -3970,6 +3970,7 @@ pciserial_init_ports(struct pci_dev *dev
 		if (pci_match_id(pci_use_msi, dev)) {
 			dev_dbg(&dev->dev, "Using MSI(-X) interrupts\n");
 			pci_set_master(dev);
+			uart.port.flags &= ~UPF_SHARE_IRQ;
 			rc = pci_alloc_irq_vectors(dev, 1, 1, PCI_IRQ_ALL_TYPES);
 		} else {
 			dev_dbg(&dev->dev, "Using legacy interrupts\n");



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 131/175] fpga: dfl: fme: Fix cpu hotplug issue in performance reporting
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 130/175] serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 132/175] timers: Move clearing of base::timer_running under base:: Lock Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xu Yilun, Wu Hao, Kajol Jain, Moritz Fischer

From: Kajol Jain <kjain@linux.ibm.com>

commit ec6446d5304b3c3dd692a1e244df7e40bbb5af36 upstream.

The performance reporting driver added cpu hotplug
feature but it didn't add pmu migration call in cpu
offline function.
This can create an issue incase the current designated
cpu being used to collect fme pmu data got offline,
as based on current code we are not migrating fme pmu to
new target cpu. Because of that perf will still try to
fetch data from that offline cpu and hence we will not
get counter data.

Patch fixed this issue by adding pmu_migrate_context call
in fme_perf_offline_cpu function.

Fixes: 724142f8c42a ("fpga: dfl: fme: add performance reporting support")
Cc: stable@vger.kernel.org
Tested-by: Xu Yilun <yilun.xu@intel.com>
Acked-by: Wu Hao <hao.wu@intel.com>
Signed-off-by: Kajol Jain <kjain@linux.ibm.com>
Signed-off-by: Moritz Fischer <mdf@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/fpga/dfl-fme-perf.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/fpga/dfl-fme-perf.c
+++ b/drivers/fpga/dfl-fme-perf.c
@@ -953,6 +953,8 @@ static int fme_perf_offline_cpu(unsigned
 		return 0;
 
 	priv->cpu = target;
+	perf_pmu_migrate_context(&priv->pmu, cpu, target);
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 132/175] timers: Move clearing of base::timer_running under base:: Lock
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 131/175] fpga: dfl: fme: Fix cpu hotplug issue in performance reporting Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 133/175] virt: acrn: Do hcall_destroy_vm() before resource release Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+aa7c2385d46c5eba0b89,
	syzbot+abea4558531bae1ba9fe, Thomas Gleixner,
	Sebastian Andrzej Siewior

From: Thomas Gleixner <tglx@linutronix.de>

commit bb7262b295472eb6858b5c49893954794027cd84 upstream.

syzbot reported KCSAN data races vs. timer_base::timer_running being set to
NULL without holding base::lock in expire_timers().

This looks innocent and most reads are clearly not problematic, but
Frederic identified an issue which is:

 int data = 0;

 void timer_func(struct timer_list *t)
 {
    data = 1;
 }

 CPU 0                                            CPU 1
 ------------------------------                   --------------------------
 base = lock_timer_base(timer, &flags);           raw_spin_unlock(&base->lock);
 if (base->running_timer != timer)                call_timer_fn(timer, fn, baseclk);
   ret = detach_if_pending(timer, base, true);    base->running_timer = NULL;
 raw_spin_unlock_irqrestore(&base->lock, flags);  raw_spin_lock(&base->lock);

 x = data;

If the timer has previously executed on CPU 1 and then CPU 0 can observe
base->running_timer == NULL and returns, assuming the timer has completed,
but it's not guaranteed on all architectures. The comment for
del_timer_sync() makes that guarantee. Moving the assignment under
base->lock prevents this.

For non-RT kernel it's performance wise completely irrelevant whether the
store happens before or after taking the lock. For an RT kernel moving the
store under the lock requires an extra unlock/lock pair in the case that
there is a waiter for the timer, but that's not the end of the world.

Reported-by: syzbot+aa7c2385d46c5eba0b89@syzkaller.appspotmail.com
Reported-by: syzbot+abea4558531bae1ba9fe@syzkaller.appspotmail.com
Fixes: 030dcdd197d7 ("timers: Prepare support for PREEMPT_RT")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Link: https://lore.kernel.org/r/87lfea7gw8.fsf@nanos.tec.linutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/time/timer.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/kernel/time/timer.c
+++ b/kernel/time/timer.c
@@ -1279,8 +1279,10 @@ static inline void timer_base_unlock_exp
 static void timer_sync_wait_running(struct timer_base *base)
 {
 	if (atomic_read(&base->timer_waiters)) {
+		raw_spin_unlock_irq(&base->lock);
 		spin_unlock(&base->expiry_lock);
 		spin_lock(&base->expiry_lock);
+		raw_spin_lock_irq(&base->lock);
 	}
 }
 
@@ -1471,14 +1473,14 @@ static void expire_timers(struct timer_b
 		if (timer->flags & TIMER_IRQSAFE) {
 			raw_spin_unlock(&base->lock);
 			call_timer_fn(timer, fn, baseclk);
-			base->running_timer = NULL;
 			raw_spin_lock(&base->lock);
+			base->running_timer = NULL;
 		} else {
 			raw_spin_unlock_irq(&base->lock);
 			call_timer_fn(timer, fn, baseclk);
+			raw_spin_lock_irq(&base->lock);
 			base->running_timer = NULL;
 			timer_sync_wait_running(base);
-			raw_spin_lock_irq(&base->lock);
 		}
 	}
 }



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 133/175] virt: acrn: Do hcall_destroy_vm() before resource release
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 132/175] timers: Move clearing of base::timer_running under base:: Lock Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 134/175] perf: Fix required permissions if sigtrap is requested Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shuo Liu, Fei Li

From: Shuo Liu <shuo.a.liu@intel.com>

commit 4c4c1257b844ffe5d0933684e612f92c4b78e120 upstream.

The ACRN hypervisor has scenarios which could run a real-time guest VM.
The real-time guest VM occupies dedicated CPU cores, be assigned with
dedicated PCI devices. It can run without the Service VM after boot up.
hcall_destroy_vm() returns failure when a real-time guest VM refuses.
The clearing of flag ACRN_VM_FLAG_DESTROYED causes some kernel resource
double-freed in a later acrn_vm_destroy().

Do hcall_destroy_vm() before resource release to drop this chance to
destroy the VM if hypercall fails.

Fixes: 9c5137aedd11 ("virt: acrn: Introduce VM management interfaces")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Shuo Liu <shuo.a.liu@intel.com>
Signed-off-by: Fei Li <fei1.li@intel.com>
Link: https://lore.kernel.org/r/20210722062736.15050-1-fei1.li@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/virt/acrn/vm.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/virt/acrn/vm.c
+++ b/drivers/virt/acrn/vm.c
@@ -64,6 +64,14 @@ int acrn_vm_destroy(struct acrn_vm *vm)
 	    test_and_set_bit(ACRN_VM_FLAG_DESTROYED, &vm->flags))
 		return 0;
 
+	ret = hcall_destroy_vm(vm->vmid);
+	if (ret < 0) {
+		dev_err(acrn_dev.this_device,
+			"Failed to destroy VM %u\n", vm->vmid);
+		clear_bit(ACRN_VM_FLAG_DESTROYED, &vm->flags);
+		return ret;
+	}
+
 	/* Remove from global VM list */
 	write_lock_bh(&acrn_vm_list_lock);
 	list_del_init(&vm->list);
@@ -78,14 +86,6 @@ int acrn_vm_destroy(struct acrn_vm *vm)
 		vm->monitor_page = NULL;
 	}
 
-	ret = hcall_destroy_vm(vm->vmid);
-	if (ret < 0) {
-		dev_err(acrn_dev.this_device,
-			"Failed to destroy VM %u\n", vm->vmid);
-		clear_bit(ACRN_VM_FLAG_DESTROYED, &vm->flags);
-		return ret;
-	}
-
 	acrn_vm_all_ram_unmap(vm);
 
 	dev_dbg(acrn_dev.this_device, "VM %u destroyed.\n", vm->vmid);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 134/175] perf: Fix required permissions if sigtrap is requested
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 133/175] virt: acrn: Do hcall_destroy_vm() before resource release Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 135/175] xfrm: Fix RCU vs hash_resize_mutex lock inversion Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Vyukov, Marco Elver,
	Peter Zijlstra (Intel)

From: Marco Elver <elver@google.com>

commit 9d7a6c95f62bc335b62aaf9d50590122bd03a796 upstream.

If perf_event_open() is called with another task as target and
perf_event_attr::sigtrap is set, and the target task's user does not
match the calling user, also require the CAP_KILL capability or
PTRACE_MODE_ATTACH permissions.

Otherwise, with the CAP_PERFMON capability alone it would be possible
for a user to send SIGTRAP signals via perf events to another user's
tasks. This could potentially result in those tasks being terminated if
they cannot handle SIGTRAP signals.

Note: The check complements the existing capability check, but is not
supposed to supersede the ptrace_may_access() check. At a high level we
now have:

	capable of CAP_PERFMON and (CAP_KILL if sigtrap)
		OR
	ptrace_may_access(...) // also checks for same thread-group and uid

Fixes: 97ba62b27867 ("perf: Add support for SIGTRAP on perf events")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org> # 5.13+
Link: https://lore.kernel.org/r/20210705084453.2151729-1-elver@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/events/core.c |   25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -12159,10 +12159,33 @@ SYSCALL_DEFINE5(perf_event_open,
 	}
 
 	if (task) {
+		unsigned int ptrace_mode = PTRACE_MODE_READ_REALCREDS;
+		bool is_capable;
+
 		err = down_read_interruptible(&task->signal->exec_update_lock);
 		if (err)
 			goto err_file;
 
+		is_capable = perfmon_capable();
+		if (attr.sigtrap) {
+			/*
+			 * perf_event_attr::sigtrap sends signals to the other
+			 * task. Require the current task to also have
+			 * CAP_KILL.
+			 */
+			rcu_read_lock();
+			is_capable &= ns_capable(__task_cred(task)->user_ns, CAP_KILL);
+			rcu_read_unlock();
+
+			/*
+			 * If the required capabilities aren't available, checks
+			 * for ptrace permissions: upgrade to ATTACH, since
+			 * sending signals can effectively change the target
+			 * task.
+			 */
+			ptrace_mode = PTRACE_MODE_ATTACH_REALCREDS;
+		}
+
 		/*
 		 * Preserve ptrace permission check for backwards compatibility.
 		 *
@@ -12172,7 +12195,7 @@ SYSCALL_DEFINE5(perf_event_open,
 		 * perf_event_exit_task() that could imply).
 		 */
 		err = -EACCES;
-		if (!perfmon_capable() && !ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS))
+		if (!is_capable && !ptrace_may_access(task, ptrace_mode))
 			goto err_cred;
 	}
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 135/175] xfrm: Fix RCU vs hash_resize_mutex lock inversion
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 134/175] perf: Fix required permissions if sigtrap is requested Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 136/175] net/xfrm/compat: Copy xfrm_spdattr_type_t atributes Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ahmed S. Darwish,
	Peter Zijlstra (Intel),
	Varad Gautam, Steffen Klassert, Herbert Xu, David S. Miller,
	Frederic Weisbecker

From: Frederic Weisbecker <frederic@kernel.org>

commit 2580d3f40022642452dd8422bfb8c22e54cf84bb upstream.

xfrm_bydst_resize() calls synchronize_rcu() while holding
hash_resize_mutex. But then on PREEMPT_RT configurations,
xfrm_policy_lookup_bytype() may acquire that mutex while running in an
RCU read side critical section. This results in a deadlock.

In fact the scope of hash_resize_mutex is way beyond the purpose of
xfrm_policy_lookup_bytype() to just fetch a coherent and stable policy
for a given destination/direction, along with other details.

The lower level net->xfrm.xfrm_policy_lock, which among other things
protects per destination/direction references to policy entries, is
enough to serialize and benefit from priority inheritance against the
write side. As a bonus, it makes it officially a per network namespace
synchronization business where a policy table resize on namespace A
shouldn't block a policy lookup on namespace B.

Fixes: 77cc278f7b20 (xfrm: policy: Use sequence counters with associated lock)
Cc: stable@vger.kernel.org
Cc: Ahmed S. Darwish <a.darwish@linutronix.de>
Cc: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Varad Gautam <varad.gautam@suse.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/netns/xfrm.h |    1 +
 net/xfrm/xfrm_policy.c   |   17 ++++++++---------
 2 files changed, 9 insertions(+), 9 deletions(-)

--- a/include/net/netns/xfrm.h
+++ b/include/net/netns/xfrm.h
@@ -74,6 +74,7 @@ struct netns_xfrm {
 #endif
 	spinlock_t		xfrm_state_lock;
 	seqcount_spinlock_t	xfrm_state_hash_generation;
+	seqcount_spinlock_t	xfrm_policy_hash_generation;
 
 	spinlock_t xfrm_policy_lock;
 	struct mutex xfrm_cfg_mutex;
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -155,7 +155,6 @@ static struct xfrm_policy_afinfo const _
 						__read_mostly;
 
 static struct kmem_cache *xfrm_dst_cache __ro_after_init;
-static __read_mostly seqcount_mutex_t xfrm_policy_hash_generation;
 
 static struct rhashtable xfrm_policy_inexact_table;
 static const struct rhashtable_params xfrm_pol_inexact_params;
@@ -585,7 +584,7 @@ static void xfrm_bydst_resize(struct net
 		return;
 
 	spin_lock_bh(&net->xfrm.xfrm_policy_lock);
-	write_seqcount_begin(&xfrm_policy_hash_generation);
+	write_seqcount_begin(&net->xfrm.xfrm_policy_hash_generation);
 
 	odst = rcu_dereference_protected(net->xfrm.policy_bydst[dir].table,
 				lockdep_is_held(&net->xfrm.xfrm_policy_lock));
@@ -596,7 +595,7 @@ static void xfrm_bydst_resize(struct net
 	rcu_assign_pointer(net->xfrm.policy_bydst[dir].table, ndst);
 	net->xfrm.policy_bydst[dir].hmask = nhashmask;
 
-	write_seqcount_end(&xfrm_policy_hash_generation);
+	write_seqcount_end(&net->xfrm.xfrm_policy_hash_generation);
 	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
 
 	synchronize_rcu();
@@ -1245,7 +1244,7 @@ static void xfrm_hash_rebuild(struct wor
 	} while (read_seqretry(&net->xfrm.policy_hthresh.lock, seq));
 
 	spin_lock_bh(&net->xfrm.xfrm_policy_lock);
-	write_seqcount_begin(&xfrm_policy_hash_generation);
+	write_seqcount_begin(&net->xfrm.xfrm_policy_hash_generation);
 
 	/* make sure that we can insert the indirect policies again before
 	 * we start with destructive action.
@@ -1354,7 +1353,7 @@ static void xfrm_hash_rebuild(struct wor
 
 out_unlock:
 	__xfrm_policy_inexact_flush(net);
-	write_seqcount_end(&xfrm_policy_hash_generation);
+	write_seqcount_end(&net->xfrm.xfrm_policy_hash_generation);
 	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
 
 	mutex_unlock(&hash_resize_mutex);
@@ -2095,9 +2094,9 @@ static struct xfrm_policy *xfrm_policy_l
 	rcu_read_lock();
  retry:
 	do {
-		sequence = read_seqcount_begin(&xfrm_policy_hash_generation);
+		sequence = read_seqcount_begin(&net->xfrm.xfrm_policy_hash_generation);
 		chain = policy_hash_direct(net, daddr, saddr, family, dir);
-	} while (read_seqcount_retry(&xfrm_policy_hash_generation, sequence));
+	} while (read_seqcount_retry(&net->xfrm.xfrm_policy_hash_generation, sequence));
 
 	ret = NULL;
 	hlist_for_each_entry_rcu(pol, chain, bydst) {
@@ -2128,7 +2127,7 @@ static struct xfrm_policy *xfrm_policy_l
 	}
 
 skip_inexact:
-	if (read_seqcount_retry(&xfrm_policy_hash_generation, sequence))
+	if (read_seqcount_retry(&net->xfrm.xfrm_policy_hash_generation, sequence))
 		goto retry;
 
 	if (ret && !xfrm_pol_hold_rcu(ret))
@@ -4084,6 +4083,7 @@ static int __net_init xfrm_net_init(stru
 	/* Initialize the per-net locks here */
 	spin_lock_init(&net->xfrm.xfrm_state_lock);
 	spin_lock_init(&net->xfrm.xfrm_policy_lock);
+	seqcount_spinlock_init(&net->xfrm.xfrm_policy_hash_generation, &net->xfrm.xfrm_policy_lock);
 	mutex_init(&net->xfrm.xfrm_cfg_mutex);
 
 	rv = xfrm_statistics_init(net);
@@ -4128,7 +4128,6 @@ void __init xfrm_init(void)
 {
 	register_pernet_subsys(&xfrm_net_ops);
 	xfrm_dev_init();
-	seqcount_mutex_init(&xfrm_policy_hash_generation, &hash_resize_mutex);
 	xfrm_input_init();
 
 #ifdef CONFIG_XFRM_ESPINTCP



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 136/175] net/xfrm/compat: Copy xfrm_spdattr_type_t atributes
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 135/175] xfrm: Fix RCU vs hash_resize_mutex lock inversion Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 137/175] pcmcia: i82092: fix a null pointer dereference bug Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, YueHaibing, Dmitry Safonov,
	Steffen Klassert

From: Dmitry Safonov <dima@arista.com>

commit 4e9505064f58d1252805952f8547a5b7dbc5c111 upstream.

The attribute-translator has to take in mind maxtype, that is
xfrm_link::nla_max. When it is set, attributes are not of xfrm_attr_type_t.
Currently, they can be only XFRMA_SPD_MAX (message XFRM_MSG_NEWSPDINFO),
their UABI is the same for 64/32-bit, so just copy them.

Thanks to YueHaibing for reporting this:
In xfrm_user_rcv_msg_compat() if maxtype is not zero and less than
XFRMA_MAX, nlmsg_parse_deprecated() do not initialize attrs array fully.
xfrm_xlate32() will access uninit 'attrs[i]' while iterating all attrs
array.

KASAN: probably user-memory-access in range [0x0000000041b58ab0-0x0000000041b58ab7]
CPU: 0 PID: 15799 Comm: syz-executor.2 Tainted: G        W         5.14.0-rc1-syzkaller #0
RIP: 0010:nla_type include/net/netlink.h:1130 [inline]
RIP: 0010:xfrm_xlate32_attr net/xfrm/xfrm_compat.c:410 [inline]
RIP: 0010:xfrm_xlate32 net/xfrm/xfrm_compat.c:532 [inline]
RIP: 0010:xfrm_user_rcv_msg_compat+0x5e5/0x1070 net/xfrm/xfrm_compat.c:577
[...]
Call Trace:
 xfrm_user_rcv_msg+0x556/0x8b0 net/xfrm/xfrm_user.c:2774
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
 xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2824
 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
 netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
 sock_sendmsg_nosec net/socket.c:702 [inline]

Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator")
Cc: <stable@kernel.org>
Reported-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_compat.c |   49 ++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 44 insertions(+), 5 deletions(-)

--- a/net/xfrm/xfrm_compat.c
+++ b/net/xfrm/xfrm_compat.c
@@ -298,8 +298,16 @@ static int xfrm_xlate64(struct sk_buff *
 	len = nlmsg_attrlen(nlh_src, xfrm_msg_min[type]);
 
 	nla_for_each_attr(nla, attrs, len, remaining) {
-		int err = xfrm_xlate64_attr(dst, nla);
+		int err;
 
+		switch (type) {
+		case XFRM_MSG_NEWSPDINFO:
+			err = xfrm_nla_cpy(dst, nla, nla_len(nla));
+			break;
+		default:
+			err = xfrm_xlate64_attr(dst, nla);
+			break;
+		}
 		if (err)
 			return err;
 	}
@@ -341,7 +349,8 @@ static int xfrm_alloc_compat(struct sk_b
 
 /* Calculates len of translated 64-bit message. */
 static size_t xfrm_user_rcv_calculate_len64(const struct nlmsghdr *src,
-					    struct nlattr *attrs[XFRMA_MAX+1])
+					    struct nlattr *attrs[XFRMA_MAX + 1],
+					    int maxtype)
 {
 	size_t len = nlmsg_len(src);
 
@@ -358,10 +367,20 @@ static size_t xfrm_user_rcv_calculate_le
 	case XFRM_MSG_POLEXPIRE:
 		len += 8;
 		break;
+	case XFRM_MSG_NEWSPDINFO:
+		/* attirbutes are xfrm_spdattr_type_t, not xfrm_attr_type_t */
+		return len;
 	default:
 		break;
 	}
 
+	/* Unexpected for anything, but XFRM_MSG_NEWSPDINFO, please
+	 * correct both 64=>32-bit and 32=>64-bit translators to copy
+	 * new attributes.
+	 */
+	if (WARN_ON_ONCE(maxtype))
+		return len;
+
 	if (attrs[XFRMA_SA])
 		len += 4;
 	if (attrs[XFRMA_POLICY])
@@ -440,7 +459,8 @@ static int xfrm_xlate32_attr(void *dst,
 
 static int xfrm_xlate32(struct nlmsghdr *dst, const struct nlmsghdr *src,
 			struct nlattr *attrs[XFRMA_MAX+1],
-			size_t size, u8 type, struct netlink_ext_ack *extack)
+			size_t size, u8 type, int maxtype,
+			struct netlink_ext_ack *extack)
 {
 	size_t pos;
 	int i;
@@ -520,6 +540,25 @@ static int xfrm_xlate32(struct nlmsghdr
 	}
 	pos = dst->nlmsg_len;
 
+	if (maxtype) {
+		/* attirbutes are xfrm_spdattr_type_t, not xfrm_attr_type_t */
+		WARN_ON_ONCE(src->nlmsg_type != XFRM_MSG_NEWSPDINFO);
+
+		for (i = 1; i <= maxtype; i++) {
+			int err;
+
+			if (!attrs[i])
+				continue;
+
+			/* just copy - no need for translation */
+			err = xfrm_attr_cpy32(dst, &pos, attrs[i], size,
+					nla_len(attrs[i]), nla_len(attrs[i]));
+			if (err)
+				return err;
+		}
+		return 0;
+	}
+
 	for (i = 1; i < XFRMA_MAX + 1; i++) {
 		int err;
 
@@ -564,7 +603,7 @@ static struct nlmsghdr *xfrm_user_rcv_ms
 	if (err < 0)
 		return ERR_PTR(err);
 
-	len = xfrm_user_rcv_calculate_len64(h32, attrs);
+	len = xfrm_user_rcv_calculate_len64(h32, attrs, maxtype);
 	/* The message doesn't need translation */
 	if (len == nlmsg_len(h32))
 		return NULL;
@@ -574,7 +613,7 @@ static struct nlmsghdr *xfrm_user_rcv_ms
 	if (!h64)
 		return ERR_PTR(-ENOMEM);
 
-	err = xfrm_xlate32(h64, h32, attrs, len, type, extack);
+	err = xfrm_xlate32(h64, h32, attrs, len, type, maxtype, extack);
 	if (err < 0) {
 		kvfree(h64);
 		return ERR_PTR(err);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 137/175] pcmcia: i82092: fix a null pointer dereference bug
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 136/175] net/xfrm/compat: Copy xfrm_spdattr_type_t atributes Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 138/175] scsi: ibmvfc: Fix command state accounting and stale response detection Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Dominik Brodowski

From: Zheyu Ma <zheyuma97@gmail.com>

commit e39cdacf2f664b09029e7c1eb354c91a20c367af upstream.

During the driver loading process, the 'dev' field was not assigned, but
the 'dev' field was referenced in the subsequent 'i82092aa_set_mem_map'
function.

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
CC: <stable@vger.kernel.org>
[linux@dominikbrodowski.net: shorten commit message, add Cc to stable]
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pcmcia/i82092.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/pcmcia/i82092.c
+++ b/drivers/pcmcia/i82092.c
@@ -112,6 +112,7 @@ static int i82092aa_pci_probe(struct pci
 	for (i = 0; i < socket_count; i++) {
 		sockets[i].card_state = 1; /* 1 = present but empty */
 		sockets[i].io_base = pci_resource_start(dev, 0);
+		sockets[i].dev = dev;
 		sockets[i].socket.features |= SS_CAP_PCCARD;
 		sockets[i].socket.map_size = 0x1000;
 		sockets[i].socket.irq_mask = 0;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 138/175] scsi: ibmvfc: Fix command state accounting and stale response detection
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 137/175] pcmcia: i82092: fix a null pointer dereference bug Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 139/175] selinux: correct the return value when loads initial sids Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tyrel Datwyler, Martin K. Petersen

From: Tyrel Datwyler <tyreld@linux.ibm.com>

commit a264cf5e81c78e2b9918b8b9ef2ace9dde1850df upstream.

Prior to commit 1f4a4a19508d ("scsi: ibmvfc: Complete commands outside the
host/queue lock") responses to commands were completed sequentially with
the host lock held such that a command had a basic binary state of active
or free. It was therefore a simple affair of ensuring the assocaiated
ibmvfc_event to a VIOS response was valid by testing that it was not
already free. The lock relexation work to complete commands outside the
lock inadverdently made it a trinary command state such that a command is
either in flight, received and being completed, or completed and now
free. This breaks the stale command detection logic as a command may be
still marked active and been placed on the delayed completion list when a
second stale response for the same command arrives. This can lead to double
completions and list corruption. This issue was exposed by a recent VIOS
regression were a missing memory barrier could occasionally result in the
ibmvfc client receiving a duplicate response for the same command.

Fix the issue by introducing the atomic ibmvfc_event.active to track the
trinary state of a command. The state is explicitly set to 1 when a command
is successfully sent. The CRQ response handlers use
atomic_dec_if_positive() to test for stale responses and correctly
transition to the completion state when a active command is received.
Finally, atomic_dec_and_test() is used to sanity check transistions when
commands are freed as a result of a completion, or moved to the purge list
as a result of error handling or adapter reset.

Link: https://lore.kernel.org/r/20210716205220.1101150-1-tyreld@linux.ibm.com
Fixes: 1f4a4a19508d ("scsi: ibmvfc: Complete commands outside the host/queue lock")
Cc: stable@vger.kernel.org
Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/ibmvscsi/ibmvfc.c |   19 +++++++++++++++++--
 drivers/scsi/ibmvscsi/ibmvfc.h |    1 +
 2 files changed, 18 insertions(+), 2 deletions(-)

--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -804,6 +804,13 @@ static int ibmvfc_init_event_pool(struct
 	for (i = 0; i < size; ++i) {
 		struct ibmvfc_event *evt = &pool->events[i];
 
+		/*
+		 * evt->active states
+		 *  1 = in flight
+		 *  0 = being completed
+		 * -1 = free/freed
+		 */
+		atomic_set(&evt->active, -1);
 		atomic_set(&evt->free, 1);
 		evt->crq.valid = 0x80;
 		evt->crq.ioba = cpu_to_be64(pool->iu_token + (sizeof(*evt->xfer_iu) * i));
@@ -1014,6 +1021,7 @@ static void ibmvfc_free_event(struct ibm
 
 	BUG_ON(!ibmvfc_valid_event(pool, evt));
 	BUG_ON(atomic_inc_return(&evt->free) != 1);
+	BUG_ON(atomic_dec_and_test(&evt->active));
 
 	spin_lock_irqsave(&evt->queue->l_lock, flags);
 	list_add_tail(&evt->queue_list, &evt->queue->free);
@@ -1069,6 +1077,12 @@ static void ibmvfc_complete_purge(struct
  **/
 static void ibmvfc_fail_request(struct ibmvfc_event *evt, int error_code)
 {
+	/*
+	 * Anything we are failing should still be active. Otherwise, it
+	 * implies we already got a response for the command and are doing
+	 * something bad like double completing it.
+	 */
+	BUG_ON(!atomic_dec_and_test(&evt->active));
 	if (evt->cmnd) {
 		evt->cmnd->result = (error_code << 16);
 		evt->done = ibmvfc_scsi_eh_done;
@@ -1720,6 +1734,7 @@ static int ibmvfc_send_event(struct ibmv
 
 		evt->done(evt);
 	} else {
+		atomic_set(&evt->active, 1);
 		spin_unlock_irqrestore(&evt->queue->l_lock, flags);
 		ibmvfc_trc_start(evt);
 	}
@@ -3248,7 +3263,7 @@ static void ibmvfc_handle_crq(struct ibm
 		return;
 	}
 
-	if (unlikely(atomic_read(&evt->free))) {
+	if (unlikely(atomic_dec_if_positive(&evt->active))) {
 		dev_err(vhost->dev, "Received duplicate correlation_token 0x%08llx!\n",
 			crq->ioba);
 		return;
@@ -3775,7 +3790,7 @@ static void ibmvfc_handle_scrq(struct ib
 		return;
 	}
 
-	if (unlikely(atomic_read(&evt->free))) {
+	if (unlikely(atomic_dec_if_positive(&evt->active))) {
 		dev_err(vhost->dev, "Received duplicate correlation_token 0x%08llx!\n",
 			crq->ioba);
 		return;
--- a/drivers/scsi/ibmvscsi/ibmvfc.h
+++ b/drivers/scsi/ibmvscsi/ibmvfc.h
@@ -744,6 +744,7 @@ struct ibmvfc_event {
 	struct ibmvfc_target *tgt;
 	struct scsi_cmnd *cmnd;
 	atomic_t free;
+	atomic_t active;
 	union ibmvfc_iu *xfer_iu;
 	void (*done)(struct ibmvfc_event *evt);
 	void (*_done)(struct ibmvfc_event *evt);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 139/175] selinux: correct the return value when loads initial sids
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 138/175] scsi: ibmvfc: Fix command state accounting and stale response detection Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 140/175] bus: ti-sysc: AM3: RNG is GP only Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xiu Jianfeng, Paul Moore

From: Xiu Jianfeng <xiujianfeng@huawei.com>

commit 4c156084daa8ee70978e4b150b5eb5fc7b1f15be upstream.

It should not return 0 when SID 0 is assigned to isids.
This patch fixes it.

Cc: stable@vger.kernel.org
Fixes: e3e0b582c321a ("selinux: remove unused initial SIDs and improve handling")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
[PM: remove changelog from description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/ss/policydb.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -874,7 +874,7 @@ int policydb_load_isids(struct policydb
 	rc = sidtab_init(s);
 	if (rc) {
 		pr_err("SELinux:  out of memory on SID table init\n");
-		goto out;
+		return rc;
 	}
 
 	head = p->ocontexts[OCON_ISID];
@@ -885,7 +885,7 @@ int policydb_load_isids(struct policydb
 		if (sid == SECSID_NULL) {
 			pr_err("SELinux:  SID 0 was assigned a context.\n");
 			sidtab_destroy(s);
-			goto out;
+			return -EINVAL;
 		}
 
 		/* Ignore initial SIDs unused by this kernel. */
@@ -897,12 +897,10 @@ int policydb_load_isids(struct policydb
 			pr_err("SELinux:  unable to load initial SID %s.\n",
 			       name);
 			sidtab_destroy(s);
-			goto out;
+			return rc;
 		}
 	}
-	rc = 0;
-out:
-	return rc;
+	return 0;
 }
 
 int policydb_class_isvalid(struct policydb *p, unsigned int class)



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 140/175] bus: ti-sysc: AM3: RNG is GP only
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 139/175] selinux: correct the return value when loads initial sids Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 141/175] Revert "gpio: mpc8xxx: change the gpio interrupt flags." Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kevin Hilman, Tony Lindgren

From: Kevin Hilman <khilman@baylibre.com>

commit a6d90e9f22328f07343e49e08a4ca483ae8e8abb upstream.

Make the RNG on AM3 GP only.

Based on this patch from TI v5.4 tree which is based on hwmod data
which are now removed:

| ARM: AM43xx: hwmod: Move RNG to a GP only links table
|
| On non-GP devices the RNG is controlled by the secure-side software,
| like in DRA7xx hwmod we should not control this IP when we are not
| a GP device.
|
| Signed-off-by: Andrew F. Davis <afd@ti.com>

Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bus/ti-sysc.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/bus/ti-sysc.c
+++ b/drivers/bus/ti-sysc.c
@@ -2953,6 +2953,8 @@ static int sysc_init_soc(struct sysc *dd
 		case SOC_3430 ... SOC_3630:
 			sysc_add_disabled(0x48304000);	/* timer12 */
 			break;
+		case SOC_AM3:
+			sysc_add_disabled(0x48310000);  /* rng */
 		default:
 			break;
 		}



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 141/175] Revert "gpio: mpc8xxx: change the gpio interrupt flags."
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 140/175] bus: ti-sysc: AM3: RNG is GP only Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 142/175] arm64: fix compat syscall return truncation Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Bartosz Golaszewski

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

commit ec7099fdea8025988710ee6fecfd4e4210c29ab5 upstream.

This reverts commit 3d5bfbd9716318b1ca5c38488aa69f64d38a9aa5.

When booting with threadirqs, it causes a splat

  WARNING: CPU: 0 PID: 29 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x1ec/0x27c
  irq 66 handler irq_default_primary_handler+0x0/0x1c enabled interrupts

That splat later went away with commit 81e2073c175b ("genirq: Disable
interrupts for force threaded handlers"), which got backported to
-stable. However, when running an -rt kernel, the splat still
exists. Moreover, quoting Thomas Gleixner [1]

  But 3d5bfbd97163 ("gpio: mpc8xxx: change the gpio interrupt flags.")
  has nothing to do with that:

      "Delete the interrupt IRQF_NO_THREAD flags in order to gpio interrupts
       can be threaded to allow high-priority processes to preempt."

  This changelog is blatantly wrong. In mainline forced irq threads
  have always been invoked with softirqs disabled, which obviously
  makes them non-preemptible.

So the patch didn't even do what its commit log said.

[1] https://lore.kernel.org/lkml/871r8zey88.ffs@nanos.tec.linutronix.de/

Cc: stable@vger.kernel.org # v5.9+
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpio/gpio-mpc8xxx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpio/gpio-mpc8xxx.c
+++ b/drivers/gpio/gpio-mpc8xxx.c
@@ -405,7 +405,7 @@ static int mpc8xxx_probe(struct platform
 
 	ret = devm_request_irq(&pdev->dev, mpc8xxx_gc->irqn,
 			       mpc8xxx_gpio_irq_cascade,
-			       IRQF_SHARED, "gpio-cascade",
+			       IRQF_NO_THREAD | IRQF_SHARED, "gpio-cascade",
 			       mpc8xxx_gc);
 	if (ret) {
 		dev_err(&pdev->dev,



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 142/175] arm64: fix compat syscall return truncation
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 141/175] Revert "gpio: mpc8xxx: change the gpio interrupt flags." Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 143/175] ARM: omap2+: hwmod: fix potential NULL pointer access Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, He Zhe, weiyuchen, Catalin Marinas,
	Will Deacon

From: Mark Rutland <mark.rutland@arm.com>

commit e30e8d46cf605d216a799a28c77b8a41c328613a upstream.

Due to inconsistencies in the way we manipulate compat GPRs, we have a
few issues today:

* For audit and tracing, where error codes are handled as a (native)
  long, negative error codes are expected to be sign-extended to the
  native 64-bits, or they may fail to be matched correctly. Thus a
  syscall which fails with an error may erroneously be identified as
  failing.

* For ptrace, *all* compat return values should be sign-extended for
  consistency with 32-bit arm, but we currently only do this for
  negative return codes.

* As we may transiently set the upper 32 bits of some compat GPRs while
  in the kernel, these can be sampled by perf, which is somewhat
  confusing. This means that where a syscall returns a pointer above 2G,
  this will be sign-extended, but will not be mistaken for an error as
  error codes are constrained to the inclusive range [-4096, -1] where
  no user pointer can exist.

To fix all of these, we must consistently use helpers to get/set the
compat GPRs, ensuring that we never write the upper 32 bits of the
return code, and always sign-extend when reading the return code.  This
patch does so, with the following changes:

* We re-organise syscall_get_return_value() to always sign-extend for
  compat tasks, and reimplement syscall_get_error() atop. We update
  syscall_trace_exit() to use syscall_get_return_value().

* We consistently use syscall_set_return_value() to set the return
  value, ensureing the upper 32 bits are never set unexpectedly.

* As the core audit code currently uses regs_return_value() rather than
  syscall_get_return_value(), we special-case this for
  compat_user_mode(regs) such that this will do the right thing. Going
  forward, we should try to move the core audit code over to
  syscall_get_return_value().

Cc: <stable@vger.kernel.org>
Reported-by: He Zhe <zhe.he@windriver.com>
Reported-by: weiyuchen <weiyuchen3@huawei.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20210802104200.21390-1-mark.rutland@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/ptrace.h  |   12 +++++++++++-
 arch/arm64/include/asm/syscall.h |   19 ++++++++++---------
 arch/arm64/kernel/ptrace.c       |    2 +-
 arch/arm64/kernel/signal.c       |    3 ++-
 arch/arm64/kernel/syscall.c      |    9 +++------
 5 files changed, 27 insertions(+), 18 deletions(-)

--- a/arch/arm64/include/asm/ptrace.h
+++ b/arch/arm64/include/asm/ptrace.h
@@ -320,7 +320,17 @@ static inline unsigned long kernel_stack
 
 static inline unsigned long regs_return_value(struct pt_regs *regs)
 {
-	return regs->regs[0];
+	unsigned long val = regs->regs[0];
+
+	/*
+	 * Audit currently uses regs_return_value() instead of
+	 * syscall_get_return_value(). Apply the same sign-extension here until
+	 * audit is updated to use syscall_get_return_value().
+	 */
+	if (compat_user_mode(regs))
+		val = sign_extend64(val, 31);
+
+	return val;
 }
 
 static inline void regs_set_return_value(struct pt_regs *regs, unsigned long rc)
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -29,22 +29,23 @@ static inline void syscall_rollback(stru
 	regs->regs[0] = regs->orig_x0;
 }
 
-
-static inline long syscall_get_error(struct task_struct *task,
-				     struct pt_regs *regs)
+static inline long syscall_get_return_value(struct task_struct *task,
+					    struct pt_regs *regs)
 {
-	unsigned long error = regs->regs[0];
+	unsigned long val = regs->regs[0];
 
 	if (is_compat_thread(task_thread_info(task)))
-		error = sign_extend64(error, 31);
+		val = sign_extend64(val, 31);
 
-	return IS_ERR_VALUE(error) ? error : 0;
+	return val;
 }
 
-static inline long syscall_get_return_value(struct task_struct *task,
-					    struct pt_regs *regs)
+static inline long syscall_get_error(struct task_struct *task,
+				     struct pt_regs *regs)
 {
-	return regs->regs[0];
+	unsigned long error = syscall_get_return_value(task, regs);
+
+	return IS_ERR_VALUE(error) ? error : 0;
 }
 
 static inline void syscall_set_return_value(struct task_struct *task,
--- a/arch/arm64/kernel/ptrace.c
+++ b/arch/arm64/kernel/ptrace.c
@@ -1862,7 +1862,7 @@ void syscall_trace_exit(struct pt_regs *
 	audit_syscall_exit(regs);
 
 	if (flags & _TIF_SYSCALL_TRACEPOINT)
-		trace_sys_exit(regs, regs_return_value(regs));
+		trace_sys_exit(regs, syscall_get_return_value(current, regs));
 
 	if (flags & (_TIF_SYSCALL_TRACE | _TIF_SINGLESTEP))
 		tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
--- a/arch/arm64/kernel/signal.c
+++ b/arch/arm64/kernel/signal.c
@@ -29,6 +29,7 @@
 #include <asm/unistd.h>
 #include <asm/fpsimd.h>
 #include <asm/ptrace.h>
+#include <asm/syscall.h>
 #include <asm/signal32.h>
 #include <asm/traps.h>
 #include <asm/vdso.h>
@@ -890,7 +891,7 @@ static void do_signal(struct pt_regs *re
 		     retval == -ERESTART_RESTARTBLOCK ||
 		     (retval == -ERESTARTSYS &&
 		      !(ksig.ka.sa.sa_flags & SA_RESTART)))) {
-			regs->regs[0] = -EINTR;
+			syscall_set_return_value(current, regs, -EINTR, 0);
 			regs->pc = continue_addr;
 		}
 
--- a/arch/arm64/kernel/syscall.c
+++ b/arch/arm64/kernel/syscall.c
@@ -54,10 +54,7 @@ static void invoke_syscall(struct pt_reg
 		ret = do_ni_syscall(regs, scno);
 	}
 
-	if (is_compat_task())
-		ret = lower_32_bits(ret);
-
-	regs->regs[0] = ret;
+	syscall_set_return_value(current, regs, 0, ret);
 
 	/*
 	 * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
@@ -115,7 +112,7 @@ static void el0_svc_common(struct pt_reg
 		 * syscall. do_notify_resume() will send a signal to userspace
 		 * before the syscall is restarted.
 		 */
-		regs->regs[0] = -ERESTARTNOINTR;
+		syscall_set_return_value(current, regs, -ERESTARTNOINTR, 0);
 		return;
 	}
 
@@ -136,7 +133,7 @@ static void el0_svc_common(struct pt_reg
 		 * anyway.
 		 */
 		if (scno == NO_SYSCALL)
-			regs->regs[0] = -ENOSYS;
+			syscall_set_return_value(current, regs, -ENOSYS, 0);
 		scno = syscall_trace_enter(regs);
 		if (scno == NO_SYSCALL)
 			goto trace_exit;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 143/175] ARM: omap2+: hwmod: fix potential NULL pointer access
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 142/175] arm64: fix compat syscall return truncation Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 144/175] md/raid10: properly indicate failure when ending a failed write request Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Murphy, Tero Kristo,
	Kevin Hilman, Tony Lindgren

From: Tero Kristo <t-kristo@ti.com>

commit b070f9ca78680486927b799cf6126b128a7c2c1b upstream.

omap_hwmod_get_pwrdm() may access a NULL clk_hw pointer in some failure
cases. Add a check for the case and bail out gracely if this happens.

Reported-by: Dan Murphy <dmurphy@ti.com>
Signed-off-by: Tero Kristo <t-kristo@ti.com>
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mach-omap2/omap_hwmod.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/arch/arm/mach-omap2/omap_hwmod.c
+++ b/arch/arm/mach-omap2/omap_hwmod.c
@@ -3776,6 +3776,7 @@ struct powerdomain *omap_hwmod_get_pwrdm
 	struct omap_hwmod_ocp_if *oi;
 	struct clockdomain *clkdm;
 	struct clk_hw_omap *clk;
+	struct clk_hw *hw;
 
 	if (!oh)
 		return NULL;
@@ -3792,7 +3793,14 @@ struct powerdomain *omap_hwmod_get_pwrdm
 		c = oi->_clk;
 	}
 
-	clk = to_clk_hw_omap(__clk_get_hw(c));
+	hw = __clk_get_hw(c);
+	if (!hw)
+		return NULL;
+
+	clk = to_clk_hw_omap(hw);
+	if (!clk)
+		return NULL;
+
 	clkdm = clk->clkdm;
 	if (!clkdm)
 		return NULL;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 144/175] md/raid10: properly indicate failure when ending a failed write request
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 143/175] ARM: omap2+: hwmod: fix potential NULL pointer access Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 145/175] io-wq: fix race between worker exiting and activating free worker Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wei Shuyu, Guoqing Jiang, Song Liu

From: Wei Shuyu <wsy@dogben.com>

commit 5ba03936c05584b6f6f79be5ebe7e5036c1dd252 upstream.

Similar to [1], this patch fixes the same bug in raid10. Also cleanup the
comments.

[1] commit 2417b9869b81 ("md/raid1: properly indicate failure when ending
                         a failed write request")
Cc: stable@vger.kernel.org
Fixes: 7cee6d4e6035 ("md/raid10: end bio when the device faulty")
Signed-off-by: Wei Shuyu <wsy@dogben.com>
Acked-by: Guoqing Jiang <jiangguoqing@kylinos.cn>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/raid1.c  |    2 --
 drivers/md/raid10.c |    4 ++--
 2 files changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/md/raid1.c
+++ b/drivers/md/raid1.c
@@ -472,8 +472,6 @@ static void raid1_end_write_request(stru
 		/*
 		 * When the device is faulty, it is not necessary to
 		 * handle write error.
-		 * For failfast, this is the only remaining device,
-		 * We need to retry the write without FailFast.
 		 */
 		if (!test_bit(Faulty, &rdev->flags))
 			set_bit(R1BIO_WriteError, &r1_bio->state);
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -469,12 +469,12 @@ static void raid10_end_write_request(str
 			/*
 			 * When the device is faulty, it is not necessary to
 			 * handle write error.
-			 * For failfast, this is the only remaining device,
-			 * We need to retry the write without FailFast.
 			 */
 			if (!test_bit(Faulty, &rdev->flags))
 				set_bit(R10BIO_WriteError, &r10_bio->state);
 			else {
+				/* Fail the request */
+				set_bit(R10BIO_Degraded, &r10_bio->state);
 				r10_bio->devs[slot].bio = NULL;
 				to_put = bio;
 				dec_rdev = 1;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 145/175] io-wq: fix race between worker exiting and activating free worker
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 144/175] md/raid10: properly indicate failure when ending a failed write request Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 146/175] s390/dasd: fix use after free in dasd path handling Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nadav Amit, Jens Axboe

From: Jens Axboe <axboe@kernel.dk>

commit 83d6c39310b6d11199179f6384c2b0a415389597 upstream.

Nadav correctly reports that we have a race between a worker exiting,
and new work being queued. This can lead to work being queued behind
an existing worker that could be sleeping on an event before it can
run to completion, and hence introducing potential big latency gaps
if we hit this race condition:

cpu0					cpu1
----					----
					io_wqe_worker()
					schedule_timeout()
					 // timed out
io_wqe_enqueue()
io_wqe_wake_worker()
// work_flags & IO_WQ_WORK_CONCURRENT
io_wqe_activate_free_worker()
					 io_worker_exit()

Fix this by having the exiting worker go through the normal decrement
of a running worker, which will spawn a new one if needed.

The free worker activation is modified to only return success if we
were able to find a sleeping worker - if not, we keep looking through
the list. If we fail, we create a new worker as per usual.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/io-uring/BFF746C0-FEDE-4646-A253-3021C57C26C9@gmail.com/
Reported-by: Nadav Amit <nadav.amit@gmail.com>
Tested-by: Nadav Amit <nadav.amit@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/io-wq.c |   38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -131,6 +131,7 @@ struct io_cb_cancel_data {
 };
 
 static void create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index);
+static void io_wqe_dec_running(struct io_worker *worker);
 
 static bool io_worker_get(struct io_worker *worker)
 {
@@ -169,26 +170,21 @@ static void io_worker_exit(struct io_wor
 {
 	struct io_wqe *wqe = worker->wqe;
 	struct io_wqe_acct *acct = io_wqe_get_acct(worker);
-	unsigned flags;
 
 	if (refcount_dec_and_test(&worker->ref))
 		complete(&worker->ref_done);
 	wait_for_completion(&worker->ref_done);
 
-	preempt_disable();
-	current->flags &= ~PF_IO_WORKER;
-	flags = worker->flags;
-	worker->flags = 0;
-	if (flags & IO_WORKER_F_RUNNING)
-		atomic_dec(&acct->nr_running);
-	worker->flags = 0;
-	preempt_enable();
-
 	raw_spin_lock_irq(&wqe->lock);
-	if (flags & IO_WORKER_F_FREE)
+	if (worker->flags & IO_WORKER_F_FREE)
 		hlist_nulls_del_rcu(&worker->nulls_node);
 	list_del_rcu(&worker->all_list);
 	acct->nr_workers--;
+	preempt_disable();
+	io_wqe_dec_running(worker);
+	worker->flags = 0;
+	current->flags &= ~PF_IO_WORKER;
+	preempt_enable();
 	raw_spin_unlock_irq(&wqe->lock);
 
 	kfree_rcu(worker, rcu);
@@ -215,15 +211,19 @@ static bool io_wqe_activate_free_worker(
 	struct hlist_nulls_node *n;
 	struct io_worker *worker;
 
-	n = rcu_dereference(hlist_nulls_first_rcu(&wqe->free_list));
-	if (is_a_nulls(n))
-		return false;
-
-	worker = hlist_nulls_entry(n, struct io_worker, nulls_node);
-	if (io_worker_get(worker)) {
-		wake_up_process(worker->task);
+	/*
+	 * Iterate free_list and see if we can find an idle worker to
+	 * activate. If a given worker is on the free_list but in the process
+	 * of exiting, keep trying.
+	 */
+	hlist_nulls_for_each_entry_rcu(worker, n, &wqe->free_list, nulls_node) {
+		if (!io_worker_get(worker))
+			continue;
+		if (wake_up_process(worker->task)) {
+			io_worker_release(worker);
+			return true;
+		}
 		io_worker_release(worker);
-		return true;
 	}
 
 	return false;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 146/175] s390/dasd: fix use after free in dasd path handling
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 145/175] io-wq: fix race between worker exiting and activating free worker Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 147/175] KVM: x86: accept userspace interrupt only if no event is injected Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Haberland, Jan Hoeppner, Jens Axboe

From: Stefan Haberland <sth@linux.ibm.com>

commit 952835edb4fdad49361d5330da918be8b765b787 upstream.

When new configuration data is obtained after a path event it is stored
in the per path array. The old data needs to be freed.
The first valid configuration data is also referenced in the device
private structure to identify the device.
When the old per path configuration data was freed the device still
pointed to the already freed data leading to a use after free.

Fix by replacing also the device configuration data with the newly
obtained one before the old data gets freed.

Fixes: 460181217a24 ("s390/dasd: Store path configuration data during path handling")
Cc: stable@vger.kernel.org # 5.11+
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Link: https://lore.kernel.org/r/20210804151800.4031761-2-sth@linux.ibm.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/s390/block/dasd_eckd.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/s390/block/dasd_eckd.c
+++ b/drivers/s390/block/dasd_eckd.c
@@ -1004,15 +1004,23 @@ static unsigned char dasd_eckd_path_acce
 static void dasd_eckd_store_conf_data(struct dasd_device *device,
 				      struct dasd_conf_data *conf_data, int chp)
 {
+	struct dasd_eckd_private *private = device->private;
 	struct channel_path_desc_fmt0 *chp_desc;
 	struct subchannel_id sch_id;
+	void *cdp;
 
-	ccw_device_get_schid(device->cdev, &sch_id);
 	/*
 	 * path handling and read_conf allocate data
 	 * free it before replacing the pointer
+	 * also replace the old private->conf_data pointer
+	 * with the new one if this points to the same data
 	 */
-	kfree(device->path[chp].conf_data);
+	cdp = device->path[chp].conf_data;
+	if (private->conf_data == cdp) {
+		private->conf_data = (void *)conf_data;
+		dasd_eckd_identify_conf_parts(private);
+	}
+	ccw_device_get_schid(device->cdev, &sch_id);
 	device->path[chp].conf_data = conf_data;
 	device->path[chp].cssid = sch_id.cssid;
 	device->path[chp].ssid = sch_id.ssid;
@@ -1020,6 +1028,7 @@ static void dasd_eckd_store_conf_data(st
 	if (chp_desc)
 		device->path[chp].chpid = chp_desc->chpid;
 	kfree(chp_desc);
+	kfree(cdp);
 }
 
 static void dasd_eckd_clear_conf_data(struct dasd_device *device)



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 147/175] KVM: x86: accept userspace interrupt only if no event is injected
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 146/175] s390/dasd: fix use after free in dasd path handling Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 148/175] KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stas Sergeev, Sean Christopherson,
	Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

commit fa7a549d321a4189677b0cea86e58d9db7977f7b upstream.

Once an exception has been injected, any side effects related to
the exception (such as setting CR2 or DR6) have been taked place.
Therefore, once KVM sets the VM-entry interruption information
field or the AMD EVENTINJ field, the next VM-entry must deliver that
exception.

Pending interrupts are processed after injected exceptions, so
in theory it would not be a problem to use KVM_INTERRUPT when
an injected exception is present.  However, DOSEMU is using
run->ready_for_interrupt_injection to detect interrupt windows
and then using KVM_SET_SREGS/KVM_SET_REGS to inject the
interrupt manually.  For this to work, the interrupt window
must be delayed after the completion of the previous event
injection.

Cc: stable@vger.kernel.org
Reported-by: Stas Sergeev <stsp2@yandex.ru>
Tested-by: Stas Sergeev <stsp2@yandex.ru>
Fixes: 71cc849b7093 ("KVM: x86: Fix split-irqchip vs interrupt injection window request")
Reviewed-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/x86.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4252,8 +4252,17 @@ static int kvm_cpu_accept_dm_intr(struct
 
 static int kvm_vcpu_ready_for_interrupt_injection(struct kvm_vcpu *vcpu)
 {
-	return kvm_arch_interrupt_allowed(vcpu) &&
-		kvm_cpu_accept_dm_intr(vcpu);
+	/*
+	 * Do not cause an interrupt window exit if an exception
+	 * is pending or an event needs reinjection; userspace
+	 * might want to inject the interrupt manually using KVM_SET_REGS
+	 * or KVM_SET_SREGS.  For that to work, we must be at an
+	 * instruction boundary and with no events half-injected.
+	 */
+	return (kvm_arch_interrupt_allowed(vcpu) &&
+		kvm_cpu_accept_dm_intr(vcpu) &&
+		!kvm_event_needs_reinjection(vcpu) &&
+		!vcpu->arch.exception.pending);
 }
 
 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 148/175] KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 147/175] KVM: x86: accept userspace interrupt only if no event is injected Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 149/175] KVM: Do not leak memory for duplicate debugfs directories Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tom Lendacky, Brijesh Singh,
	Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 179c6c27bf487273652efc99acd3ba512a23c137 upstream.

Use the raw ASID, not ASID-1, when nullifying the last used VMCB when
freeing an SEV ASID.  The consumer, pre_sev_run(), indexes the array by
the raw ASID, thus KVM could get a false negative when checking for a
different VMCB if KVM manages to reallocate the same ASID+VMCB combo for
a new VM.

Note, this cannot cause a functional issue _in the current code_, as
pre_sev_run() also checks which pCPU last did VMRUN for the vCPU, and
last_vmentry_cpu is initialized to -1 during vCPU creation, i.e. is
guaranteed to mismatch on the first VMRUN.  However, prior to commit
8a14fe4f0c54 ("kvm: x86: Move last_cpu into kvm_vcpu_arch as
last_vmentry_cpu"), SVM tracked pCPU on its own and zero-initialized the
last_cpu variable.  Thus it's theoretically possible that older versions
of KVM could miss a TLB flush if the first VMRUN is on pCPU0 and the ASID
and VMCB exactly match those of a prior VM.

Fixes: 70cd94e60c73 ("KVM: SVM: VMRUN should use associated ASID when SEV is enabled")
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -188,7 +188,7 @@ static void sev_asid_free(struct kvm_sev
 
 	for_each_possible_cpu(cpu) {
 		sd = per_cpu(svm_data, cpu);
-		sd->sev_vmcbs[pos] = NULL;
+		sd->sev_vmcbs[sev->asid] = NULL;
 	}
 
 	mutex_unlock(&sev_bitmap_lock);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 149/175] KVM: Do not leak memory for duplicate debugfs directories
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 148/175] KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 150/175] KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Kardashevskiy, Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

commit 85cd39af14f498f791d8aab3fbd64cd175787f1a upstream.

KVM creates a debugfs directory for each VM in order to store statistics
about the virtual machine.  The directory name is built from the process
pid and a VM fd.  While generally unique, it is possible to keep a
file descriptor alive in a way that causes duplicate directories, which
manifests as these messages:

  [  471.846235] debugfs: Directory '20245-4' with parent 'kvm' already present!

Even though this should not happen in practice, it is more or less
expected in the case of KVM for testcases that call KVM_CREATE_VM and
close the resulting file descriptor repeatedly and in parallel.

When this happens, debugfs_create_dir() returns an error but
kvm_create_vm_debugfs() goes on to allocate stat data structs which are
later leaked.  The slow memory leak was spotted by syzkaller, where it
caused OOM reports.

Since the issue only affects debugfs, do a lookup before calling
debugfs_create_dir, so that the message is downgraded and rate-limited.
While at it, ensure kvm->debugfs_dentry is NULL rather than an error
if it is not created.  This fixes kvm_destroy_vm_debugfs, which was not
checking IS_ERR_OR_NULL correctly.

Cc: stable@vger.kernel.org
Fixes: 536a6f88c49d ("KVM: Create debugfs dir and stat files for each VM")
Reported-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 virt/kvm/kvm_main.c |   18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -845,6 +845,8 @@ static void kvm_destroy_vm_debugfs(struc
 
 static int kvm_create_vm_debugfs(struct kvm *kvm, int fd)
 {
+	static DEFINE_MUTEX(kvm_debugfs_lock);
+	struct dentry *dent;
 	char dir_name[ITOA_MAX_LEN * 2];
 	struct kvm_stat_data *stat_data;
 	struct kvm_stats_debugfs_item *p;
@@ -853,8 +855,20 @@ static int kvm_create_vm_debugfs(struct
 		return 0;
 
 	snprintf(dir_name, sizeof(dir_name), "%d-%d", task_pid_nr(current), fd);
-	kvm->debugfs_dentry = debugfs_create_dir(dir_name, kvm_debugfs_dir);
+	mutex_lock(&kvm_debugfs_lock);
+	dent = debugfs_lookup(dir_name, kvm_debugfs_dir);
+	if (dent) {
+		pr_warn_ratelimited("KVM: debugfs: duplicate directory %s\n", dir_name);
+		dput(dent);
+		mutex_unlock(&kvm_debugfs_lock);
+		return 0;
+	}
+	dent = debugfs_create_dir(dir_name, kvm_debugfs_dir);
+	mutex_unlock(&kvm_debugfs_lock);
+	if (IS_ERR(dent))
+		return 0;
 
+	kvm->debugfs_dentry = dent;
 	kvm->debugfs_stat_data = kcalloc(kvm_debugfs_num_entries,
 					 sizeof(*kvm->debugfs_stat_data),
 					 GFP_KERNEL_ACCOUNT);
@@ -4993,7 +5007,7 @@ static void kvm_uevent_notify_change(uns
 	}
 	add_uevent_var(env, "PID=%d", kvm->userspace_pid);
 
-	if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
+	if (kvm->debugfs_dentry) {
 		char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL_ACCOUNT);
 
 		if (p) {



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 150/175] KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 149/175] KVM: Do not leak memory for duplicate debugfs directories Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:30 ` [PATCH 5.13 151/175] soc: ixp4xx: fix printing resources Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Gardon, Sean Christopherson,
	Jim Mattson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit d5aaad6f83420efb8357ac8e11c868708b22d0a9 upstream.

Take a signed 'long' instead of an 'unsigned long' for the number of
pages to add/subtract to the total number of pages used by the MMU.  This
fixes a zero-extension bug on 32-bit kernels that effectively corrupts
the per-cpu counter used by the shrinker.

Per-cpu counters take a signed 64-bit value on both 32-bit and 64-bit
kernels, whereas kvm_mod_used_mmu_pages() takes an unsigned long and thus
an unsigned 32-bit value on 32-bit kernels.  As a result, the value used
to adjust the per-cpu counter is zero-extended (unsigned -> signed), not
sign-extended (signed -> signed), and so KVM's intended -1 gets morphed to
4294967295 and effectively corrupts the counter.

This was found by a staggering amount of sheer dumb luck when running
kvm-unit-tests on a 32-bit KVM build.  The shrinker just happened to kick
in while running tests and do_shrink_slab() logged an error about trying
to free a negative number of objects.  The truly lucky part is that the
kernel just happened to be a slightly stale build, as the shrinker no
longer yells about negative objects as of commit 18bb473e5031 ("mm:
vmscan: shrink deferred objects proportional to priority").

 vmscan: shrink_slab: mmu_shrink_scan+0x0/0x210 [kvm] negative objects to delete nr=-858993460

Fixes: bc8a3d8925a8 ("kvm: mmu: Fix overflow on kvm mmu page limit calculation")
Cc: stable@vger.kernel.org
Cc: Ben Gardon <bgardon@google.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20210804214609.1096003-1-seanjc@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/mmu/mmu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/mmu/mmu.c
+++ b/arch/x86/kvm/mmu/mmu.c
@@ -1546,7 +1546,7 @@ static int is_empty_shadow_page(u64 *spt
  * aggregate version in order to make the slab shrinker
  * faster
  */
-static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, unsigned long nr)
+static inline void kvm_mod_used_mmu_pages(struct kvm *kvm, long nr)
 {
 	kvm->arch.n_used_mmu_pages += nr;
 	percpu_counter_add(&kvm_total_used_mmu_pages, nr);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 151/175] soc: ixp4xx: fix printing resources
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 150/175] KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds Greg Kroah-Hartman
@ 2021-08-10 17:30 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 152/175] interconnect: Fix undersized devress_alloc allocation Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:30 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Arnd Bergmann

From: Arnd Bergmann <arnd@arndb.de>

commit 8861452b2097bb0b5d0081a1c137fb3870b0a31f upstream.

When compile-testing with 64-bit resource_size_t, gcc reports an invalid
printk format string:

In file included from include/linux/dma-mapping.h:7,
                 from drivers/soc/ixp4xx/ixp4xx-npe.c:15:
drivers/soc/ixp4xx/ixp4xx-npe.c: In function 'ixp4xx_npe_probe':
drivers/soc/ixp4xx/ixp4xx-npe.c:694:18: error: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Werror=format=]
    dev_info(dev, "NPE%d at 0x%08x-0x%08x not available\n",

Use the special %pR format string to print the resources.

Fixes: 0b458d7b10f8 ("soc: ixp4xx: npe: Pass addresses as resources")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/soc/ixp4xx/ixp4xx-npe.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/drivers/soc/ixp4xx/ixp4xx-npe.c
+++ b/drivers/soc/ixp4xx/ixp4xx-npe.c
@@ -690,8 +690,8 @@ static int ixp4xx_npe_probe(struct platf
 
 		if (!(ixp4xx_read_feature_bits() &
 		      (IXP4XX_FEATURE_RESET_NPEA << i))) {
-			dev_info(dev, "NPE%d at 0x%08x-0x%08x not available\n",
-				 i, res->start, res->end);
+			dev_info(dev, "NPE%d at %pR not available\n",
+				 i, res);
 			continue; /* NPE already disabled or not present */
 		}
 		npe->regs = devm_ioremap_resource(dev, res);
@@ -699,13 +699,12 @@ static int ixp4xx_npe_probe(struct platf
 			return PTR_ERR(npe->regs);
 
 		if (npe_reset(npe)) {
-			dev_info(dev, "NPE%d at 0x%08x-0x%08x does not reset\n",
-				 i, res->start, res->end);
+			dev_info(dev, "NPE%d at %pR does not reset\n",
+				 i, res);
 			continue;
 		}
 		npe->valid = 1;
-		dev_info(dev, "NPE%d at 0x%08x-0x%08x registered\n",
-			 i, res->start, res->end);
+		dev_info(dev, "NPE%d at %pR registered\n", i, res);
 		found++;
 	}
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 152/175] interconnect: Fix undersized devress_alloc allocation
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2021-08-10 17:30 ` [PATCH 5.13 151/175] soc: ixp4xx: fix printing resources Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 153/175] usb: cdnsp: Fix the IMAN_IE_SET and IMAN_IE_CLEAR macro Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Colin Ian King, Georgi Djakov

From: Colin Ian King <colin.king@canonical.com>

commit 85b1ebfea2b0d8797266bcc6f04b6cc87e38290a upstream.

The expression sizeof(**ptr) for the void **ptr is just 1 rather than
the size of a pointer. Fix this by using sizeof(*ptr).

Addresses-Coverity: ("Wrong sizeof argument")
Fixes: e145d9a184f2 ("interconnect: Add devm_of_icc_get() as exported API for users")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Link: https://lore.kernel.org/r/20210730075408.19945-1-colin.king@canonical.com
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/interconnect/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/interconnect/core.c
+++ b/drivers/interconnect/core.c
@@ -403,7 +403,7 @@ struct icc_path *devm_of_icc_get(struct
 {
 	struct icc_path **ptr, *path;
 
-	ptr = devres_alloc(devm_icc_release, sizeof(**ptr), GFP_KERNEL);
+	ptr = devres_alloc(devm_icc_release, sizeof(*ptr), GFP_KERNEL);
 	if (!ptr)
 		return ERR_PTR(-ENOMEM);
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 153/175] usb: cdnsp: Fix the IMAN_IE_SET and IMAN_IE_CLEAR macro
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 152/175] interconnect: Fix undersized devress_alloc allocation Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 154/175] usb: cdnsp: Fix incorrect supported maximum speed Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pawel Laszczak, Christophe JAILLET,
	Peter Chen

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 5df09c15bab98463203c83ecab88b9321466e626 upstream.

IMAN_IE is BIT(1), so these macro are respectively equivalent to BIT(1)
and 0, whatever the value of 'p'.

The purpose was to set and reset a single bit in 'p'.
Fix these macros to do that correctly.

Acked-by: Pawel Laszczak <pawell@cadence.com>
Fixes: e93e58d27402 ("usb: cdnsp: Device side header file for CDNSP driver")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/d12bfcc9cbffb89e27b120668821b3c4f09b6755.1624390584.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdnsp-gadget.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/cdns3/cdnsp-gadget.h
+++ b/drivers/usb/cdns3/cdnsp-gadget.h
@@ -383,8 +383,8 @@ struct cdnsp_intr_reg {
 #define IMAN_IE			BIT(1)
 #define IMAN_IP			BIT(0)
 /* bits 2:31 need to be preserved */
-#define IMAN_IE_SET(p)		(((p) & IMAN_IE) | 0x2)
-#define IMAN_IE_CLEAR(p)	(((p) & IMAN_IE) & ~(0x2))
+#define IMAN_IE_SET(p)		((p) | IMAN_IE)
+#define IMAN_IE_CLEAR(p)	((p) & ~IMAN_IE)
 
 /* IMOD - Interrupter Moderation Register - irq_control bitmasks. */
 /*



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 154/175] usb: cdnsp: Fix incorrect supported maximum speed
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 153/175] usb: cdnsp: Fix the IMAN_IE_SET and IMAN_IE_CLEAR macro Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 155/175] spi: meson-spicc: fix memory leak in meson_spicc_remove Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pawel Laszczak, Peter Chen

From: Pawel Laszczak <pawell@cadence.com>

commit aa82f94e869edd72f4fadb08c6ffca8927e4934e upstream.

Driver had hardcoded in initialization maximum supported speed
to USB_SPEED_SUPER_PLUS but it should consider the speed
returned from usb_get_maximum_speed function.

Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Link: https://lore.kernel.org/r/20210625102502.26336-1-pawell@gli-login.cadence.com
Signed-off-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdnsp-gadget.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/cdns3/cdnsp-gadget.c
+++ b/drivers/usb/cdns3/cdnsp-gadget.c
@@ -1881,7 +1881,7 @@ static int __cdnsp_gadget_init(struct cd
 	pdev->gadget.name = "cdnsp-gadget";
 	pdev->gadget.speed = USB_SPEED_UNKNOWN;
 	pdev->gadget.sg_supported = 1;
-	pdev->gadget.max_speed = USB_SPEED_SUPER_PLUS;
+	pdev->gadget.max_speed = max_speed;
 	pdev->gadget.lpm_capable = 1;
 
 	pdev->setup_buf = kzalloc(CDNSP_EP0_SETUP_SIZE, GFP_KERNEL);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 155/175] spi: meson-spicc: fix memory leak in meson_spicc_remove
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 154/175] usb: cdnsp: Fix incorrect supported maximum speed Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 156/175] interconnect: Zero initial BW after sync-state Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dongliang Mu, Mark Brown

From: Dongliang Mu <mudongliangabcd@gmail.com>

commit 8311ee2164c5cd1b63a601ea366f540eae89f10e upstream.

In meson_spicc_probe, the error handling code needs to clean up master
by calling spi_master_put, but the remove function does not have this
function call. This will lead to memory leak of spicc->master.

Reported-by: Dongliang Mu <mudongliangabcd@gmail.com>
Fixes: 454fa271bc4e("spi: Add Meson SPICC driver")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Link: https://lore.kernel.org/r/20210720100116.1438974-1-mudongliangabcd@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-meson-spicc.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/spi/spi-meson-spicc.c
+++ b/drivers/spi/spi-meson-spicc.c
@@ -785,6 +785,8 @@ static int meson_spicc_remove(struct pla
 	clk_disable_unprepare(spicc->core);
 	clk_disable_unprepare(spicc->pclk);
 
+	spi_master_put(spicc->master);
+
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 156/175] interconnect: Zero initial BW after sync-state
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 155/175] spi: meson-spicc: fix memory leak in meson_spicc_remove Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 157/175] interconnect: Always call pre_aggregate before aggregate Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mike Tipton, Georgi Djakov

From: Mike Tipton <mdtipton@codeaurora.org>

commit 456a9dace42ecfcec7ce6e17c18d1985d628dcd0 upstream.

The initial BW values may be used by providers to enforce floors. Zero
these values after sync-state so that providers know when to stop
enforcing them.

Fixes: b1d681d8d324 ("interconnect: Add sync state support")
Signed-off-by: Mike Tipton <mdtipton@codeaurora.org>
Link: https://lore.kernel.org/r/20210721175432.2119-2-mdtipton@codeaurora.org
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/interconnect/core.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/interconnect/core.c
+++ b/drivers/interconnect/core.c
@@ -1106,6 +1106,8 @@ void icc_sync_state(struct device *dev)
 		dev_dbg(p->dev, "interconnect provider is in synced state\n");
 		list_for_each_entry(n, &p->nodes, node_list) {
 			if (n->init_avg || n->init_peak) {
+				n->init_avg = 0;
+				n->init_peak = 0;
 				aggregate_requests(n);
 				p->set(n, n);
 			}



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 157/175] interconnect: Always call pre_aggregate before aggregate
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 156/175] interconnect: Zero initial BW after sync-state Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 158/175] interconnect: qcom: icc-rpmh: Ensure floor BW is enforced for all nodes Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mike Tipton, Georgi Djakov

From: Mike Tipton <mdtipton@codeaurora.org>

commit 73606ba9242f8e32023699b500b7922b4cf2993c upstream.

The pre_aggregate callback isn't called in all cases before calling
aggregate. Add the missing calls so providers can rely on consistent
framework behavior.

Fixes: d3703b3e255f ("interconnect: Aggregate before setting initial bandwidth")
Signed-off-by: Mike Tipton <mdtipton@codeaurora.org>
Link: https://lore.kernel.org/r/20210721175432.2119-3-mdtipton@codeaurora.org
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/interconnect/core.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/interconnect/core.c
+++ b/drivers/interconnect/core.c
@@ -973,9 +973,14 @@ void icc_node_add(struct icc_node *node,
 	}
 	node->avg_bw = node->init_avg;
 	node->peak_bw = node->init_peak;
+
+	if (provider->pre_aggregate)
+		provider->pre_aggregate(node);
+
 	if (provider->aggregate)
 		provider->aggregate(node, 0, node->init_avg, node->init_peak,
 				    &node->avg_bw, &node->peak_bw);
+
 	provider->set(node, node);
 	node->avg_bw = 0;
 	node->peak_bw = 0;



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 158/175] interconnect: qcom: icc-rpmh: Ensure floor BW is enforced for all nodes
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 157/175] interconnect: Always call pre_aggregate before aggregate Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 159/175] interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mike Tipton, Georgi Djakov

From: Mike Tipton <mdtipton@codeaurora.org>

commit ce5a595744126be4f1327e29e3c5ae9aac6b38d5 upstream.

We currently only enforce BW floors for a subset of nodes in a path.
All BCMs that need updating are queued in the pre_aggregate/aggregate
phase. The first set() commits all queued BCMs and subsequent set()
calls short-circuit without committing anything. Since the floor BW
isn't set in sum_avg/max_peak until set(), then some BCMs are committed
before their associated nodes reflect the floor.

Set the floor as each node is being aggregated. This ensures that all
all relevant floors are set before the BCMs are committed.

Fixes: 266cd33b5913 ("interconnect: qcom: Ensure that the floor bandwidth value is enforced")
Signed-off-by: Mike Tipton <mdtipton@codeaurora.org>
Link: https://lore.kernel.org/r/20210721175432.2119-4-mdtipton@codeaurora.org
[georgi: Removed unused variable]
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/interconnect/qcom/icc-rpmh.c |   12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

--- a/drivers/interconnect/qcom/icc-rpmh.c
+++ b/drivers/interconnect/qcom/icc-rpmh.c
@@ -57,6 +57,11 @@ int qcom_icc_aggregate(struct icc_node *
 			qn->sum_avg[i] += avg_bw;
 			qn->max_peak[i] = max_t(u32, qn->max_peak[i], peak_bw);
 		}
+
+		if (node->init_avg || node->init_peak) {
+			qn->sum_avg[i] = max_t(u64, qn->sum_avg[i], node->init_avg);
+			qn->max_peak[i] = max_t(u64, qn->max_peak[i], node->init_peak);
+		}
 	}
 
 	*agg_avg += avg_bw;
@@ -79,7 +84,6 @@ EXPORT_SYMBOL_GPL(qcom_icc_aggregate);
 int qcom_icc_set(struct icc_node *src, struct icc_node *dst)
 {
 	struct qcom_icc_provider *qp;
-	struct qcom_icc_node *qn;
 	struct icc_node *node;
 
 	if (!src)
@@ -88,12 +92,6 @@ int qcom_icc_set(struct icc_node *src, s
 		node = src;
 
 	qp = to_qcom_provider(node->provider);
-	qn = node->data;
-
-	qn->sum_avg[QCOM_ICC_BUCKET_AMC] = max_t(u64, qn->sum_avg[QCOM_ICC_BUCKET_AMC],
-						 node->avg_bw);
-	qn->max_peak[QCOM_ICC_BUCKET_AMC] = max_t(u64, qn->max_peak[QCOM_ICC_BUCKET_AMC],
-						  node->peak_bw);
 
 	qcom_icc_bcm_voter_commit(qp->voter);
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 159/175] interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 158/175] interconnect: qcom: icc-rpmh: Ensure floor BW is enforced for all nodes Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-11 15:50   ` Georgi Djakov
  2021-08-10 17:31 ` [PATCH 5.13 160/175] drm/i915: Correct SFC_DONE register offset Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  179 siblings, 1 reply; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mike Tipton, Georgi Djakov

From: Mike Tipton <mdtipton@codeaurora.org>

commit f84f5b6f72e68bbaeb850b58ac167e4a3a47532a upstream.

We're only adding BCMs to the commit list in aggregate(), but there are
cases where pre_aggregate() is called without subsequently calling
aggregate(). In particular, in icc_sync_state() when a node with initial
BW has zero requests. Since BCMs aren't added to the commit list in
these cases, we don't actually send the zero BW request to HW. So the
resources remain on unnecessarily.

Add BCMs to the commit list in pre_aggregate() instead, which is always
called even when there are no requests.

Fixes: 976daac4a1c5 ("interconnect: qcom: Consolidate interconnect RPMh support")
Signed-off-by: Mike Tipton <mdtipton@codeaurora.org>
Link: https://lore.kernel.org/r/20210721175432.2119-5-mdtipton@codeaurora.org
Signed-off-by: Georgi Djakov <djakov@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/interconnect/qcom/icc-rpmh.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/interconnect/qcom/icc-rpmh.c
+++ b/drivers/interconnect/qcom/icc-rpmh.c
@@ -20,13 +20,18 @@ void qcom_icc_pre_aggregate(struct icc_n
 {
 	size_t i;
 	struct qcom_icc_node *qn;
+	struct qcom_icc_provider *qp;
 
 	qn = node->data;
+	qp = to_qcom_provider(node->provider);
 
 	for (i = 0; i < QCOM_ICC_NUM_BUCKETS; i++) {
 		qn->sum_avg[i] = 0;
 		qn->max_peak[i] = 0;
 	}
+
+	for (i = 0; i < qn->num_bcms; i++)
+		qcom_icc_bcm_voter_add(qp->voter, qn->bcms[i]);
 }
 EXPORT_SYMBOL_GPL(qcom_icc_pre_aggregate);
 
@@ -44,10 +49,8 @@ int qcom_icc_aggregate(struct icc_node *
 {
 	size_t i;
 	struct qcom_icc_node *qn;
-	struct qcom_icc_provider *qp;
 
 	qn = node->data;
-	qp = to_qcom_provider(node->provider);
 
 	if (!tag)
 		tag = QCOM_ICC_TAG_ALWAYS;
@@ -67,9 +70,6 @@ int qcom_icc_aggregate(struct icc_node *
 	*agg_avg += avg_bw;
 	*agg_peak = max_t(u32, *agg_peak, peak_bw);
 
-	for (i = 0; i < qn->num_bcms; i++)
-		qcom_icc_bcm_voter_add(qp->voter, qn->bcms[i]);
-
 	return 0;
 }
 EXPORT_SYMBOL_GPL(qcom_icc_aggregate);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 160/175] drm/i915: Correct SFC_DONE register offset
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 159/175] interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 161/175] soc: ixp4xx/qmgr: fix invalid __iomem access Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mika Kuoppala, Matt Roper, Rodrigo Vivi

From: Matt Roper <matthew.d.roper@intel.com>

commit 9c9c6d0ab08acfe41c9f7efa72c4ad3f133a266b upstream.

The register offset for SFC_DONE was missing a '0' at the end, causing
us to read from a non-existent register address.  We only use this
register in error state dumps so the mistake hasn't caused any real
problems, but fixing it will hopefully make the error state dumps a bit
more useful for debugging.

Fixes: e50dbdbfd9fb ("drm/i915/tgl: Add SFC instdone to error state")
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210728233411.2365788-1-matthew.d.roper@intel.com
Reviewed-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
(cherry picked from commit 82929a2140eb99f1f1d21855f3f580e70d7abdd8)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/i915_reg.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/i915_reg.h
+++ b/drivers/gpu/drm/i915/i915_reg.h
@@ -416,7 +416,7 @@ static inline bool i915_mmio_reg_valid(i
 #define GEN11_VECS_SFC_USAGE(engine)		_MMIO((engine)->mmio_base + 0x2014)
 #define   GEN11_VECS_SFC_USAGE_BIT		(1 << 0)
 
-#define GEN12_SFC_DONE(n)		_MMIO(0x1cc00 + (n) * 0x100)
+#define GEN12_SFC_DONE(n)		_MMIO(0x1cc000 + (n) * 0x1000)
 #define GEN12_SFC_DONE_MAX		4
 
 #define RING_PP_DIR_BASE(base)		_MMIO((base) + 0x228)



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 161/175] soc: ixp4xx/qmgr: fix invalid __iomem access
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 160/175] drm/i915: Correct SFC_DONE register offset Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 162/175] perf/x86/amd: Dont touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, kernel test robot, Arnd Bergmann

From: Arnd Bergmann <arnd@arndb.de>

commit a8eee86317f11e97990d755d4615c1c0db203d08 upstream.

Sparse reports a compile time warning when dereferencing an
__iomem pointer:

drivers/soc/ixp4xx/ixp4xx-qmgr.c:149:37: warning: dereference of noderef expression
drivers/soc/ixp4xx/ixp4xx-qmgr.c:153:40: warning: dereference of noderef expression
drivers/soc/ixp4xx/ixp4xx-qmgr.c:154:40: warning: dereference of noderef expression
drivers/soc/ixp4xx/ixp4xx-qmgr.c:174:38: warning: dereference of noderef expression
drivers/soc/ixp4xx/ixp4xx-qmgr.c:174:44: warning: dereference of noderef expression

Use __raw_readl() here for consistency with the rest of the file.
This should really get converted to some proper accessor, as the
__raw functions are not meant to be used in drivers, but the driver
has used these since the start, so for the moment, let's only fix
the warning.

Reported-by: kernel test robot <lkp@intel.com>
Fixes: d4c9e9fc9751 ("IXP42x: Add QMgr support for IXP425 rev. A0 processors.")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/soc/ixp4xx/ixp4xx-qmgr.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/drivers/soc/ixp4xx/ixp4xx-qmgr.c
+++ b/drivers/soc/ixp4xx/ixp4xx-qmgr.c
@@ -145,12 +145,12 @@ static irqreturn_t qmgr_irq1_a0(int irq,
 	/* ACK - it may clear any bits so don't rely on it */
 	__raw_writel(0xFFFFFFFF, &qmgr_regs->irqstat[0]);
 
-	en_bitmap = qmgr_regs->irqen[0];
+	en_bitmap = __raw_readl(&qmgr_regs->irqen[0]);
 	while (en_bitmap) {
 		i = __fls(en_bitmap); /* number of the last "low" queue */
 		en_bitmap &= ~BIT(i);
-		src = qmgr_regs->irqsrc[i >> 3];
-		stat = qmgr_regs->stat1[i >> 3];
+		src = __raw_readl(&qmgr_regs->irqsrc[i >> 3]);
+		stat = __raw_readl(&qmgr_regs->stat1[i >> 3]);
 		if (src & 4) /* the IRQ condition is inverted */
 			stat = ~stat;
 		if (stat & BIT(src & 3)) {
@@ -170,7 +170,8 @@ static irqreturn_t qmgr_irq2_a0(int irq,
 	/* ACK - it may clear any bits so don't rely on it */
 	__raw_writel(0xFFFFFFFF, &qmgr_regs->irqstat[1]);
 
-	req_bitmap = qmgr_regs->irqen[1] & qmgr_regs->statne_h;
+	req_bitmap = __raw_readl(&qmgr_regs->irqen[1]) &
+		     __raw_readl(&qmgr_regs->statne_h);
 	while (req_bitmap) {
 		i = __fls(req_bitmap); /* number of the last "high" queue */
 		req_bitmap &= ~BIT(i);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 162/175] perf/x86/amd: Dont touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 161/175] soc: ixp4xx/qmgr: fix invalid __iomem access Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 163/175] sched/rt: Fix double enqueue caused by rt_effective_prio Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Like Xu, Peter Zijlstra (Intel),
	Liam Merwick, Kim Phillips

From: Like Xu <likexu@tencent.com>

commit df51fe7ea1c1c2c3bfdb81279712fdd2e4ea6c27 upstream.

If we use "perf record" in an AMD Milan guest, dmesg reports a #GP
warning from an unchecked MSR access error on MSR_F15H_PERF_CTLx:

  [] unchecked MSR access error: WRMSR to 0xc0010200 (tried to write 0x0000020000110076) at rIP: 0xffffffff8106ddb4 (native_write_msr+0x4/0x20)
  [] Call Trace:
  []  amd_pmu_disable_event+0x22/0x90
  []  x86_pmu_stop+0x4c/0xa0
  []  x86_pmu_del+0x3a/0x140

The AMD64_EVENTSEL_HOSTONLY bit is defined and used on the host,
while the guest perf driver should avoid such use.

Fixes: 1018faa6cf23 ("perf/x86/kvm: Fix Host-Only/Guest-Only counting with SVM disabled")
Signed-off-by: Like Xu <likexu@tencent.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
Tested-by: Kim Phillips <kim.phillips@amd.com>
Tested-by: Liam Merwick <liam.merwick@oracle.com>
Link: https://lkml.kernel.org/r/20210802070850.35295-1-likexu@tencent.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/events/perf_event.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/x86/events/perf_event.h
+++ b/arch/x86/events/perf_event.h
@@ -1115,9 +1115,10 @@ void x86_pmu_stop(struct perf_event *eve
 
 static inline void x86_pmu_disable_event(struct perf_event *event)
 {
+	u64 disable_mask = __this_cpu_read(cpu_hw_events.perf_ctr_virt_mask);
 	struct hw_perf_event *hwc = &event->hw;
 
-	wrmsrl(hwc->config_base, hwc->config);
+	wrmsrl(hwc->config_base, hwc->config & ~disable_mask);
 
 	if (is_counter_pair(hwc))
 		wrmsrl(x86_pmu_config_addr(hwc->idx + 1), 0);



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 163/175] sched/rt: Fix double enqueue caused by rt_effective_prio
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 162/175] perf/x86/amd: Dont touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 164/175] riscv: dts: fix memory size for the SiFive HiFive Unmatched Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Simmons, Juri Lelli,
	Peter Zijlstra (Intel)

From: Peter Zijlstra <peterz@infradead.org>

commit f558c2b834ec27e75d37b1c860c139e7b7c3a8e4 upstream.

Double enqueues in rt runqueues (list) have been reported while running
a simple test that spawns a number of threads doing a short sleep/run
pattern while being concurrently setscheduled between rt and fair class.

  WARNING: CPU: 3 PID: 2825 at kernel/sched/rt.c:1294 enqueue_task_rt+0x355/0x360
  CPU: 3 PID: 2825 Comm: setsched__13
  RIP: 0010:enqueue_task_rt+0x355/0x360
  Call Trace:
   __sched_setscheduler+0x581/0x9d0
   _sched_setscheduler+0x63/0xa0
   do_sched_setscheduler+0xa0/0x150
   __x64_sys_sched_setscheduler+0x1a/0x30
   do_syscall_64+0x33/0x40
   entry_SYSCALL_64_after_hwframe+0x44/0xae

  list_add double add: new=ffff9867cb629b40, prev=ffff9867cb629b40,
		       next=ffff98679fc67ca0.
  kernel BUG at lib/list_debug.c:31!
  invalid opcode: 0000 [#1] PREEMPT_RT SMP PTI
  CPU: 3 PID: 2825 Comm: setsched__13
  RIP: 0010:__list_add_valid+0x41/0x50
  Call Trace:
   enqueue_task_rt+0x291/0x360
   __sched_setscheduler+0x581/0x9d0
   _sched_setscheduler+0x63/0xa0
   do_sched_setscheduler+0xa0/0x150
   __x64_sys_sched_setscheduler+0x1a/0x30
   do_syscall_64+0x33/0x40
   entry_SYSCALL_64_after_hwframe+0x44/0xae

__sched_setscheduler() uses rt_effective_prio() to handle proper queuing
of priority boosted tasks that are setscheduled while being boosted.
rt_effective_prio() is however called twice per each
__sched_setscheduler() call: first directly by __sched_setscheduler()
before dequeuing the task and then by __setscheduler() to actually do
the priority change. If the priority of the pi_top_task is concurrently
being changed however, it might happen that the two calls return
different results. If, for example, the first call returned the same rt
priority the task was running at and the second one a fair priority, the
task won't be removed by the rt list (on_list still set) and then
enqueued in the fair runqueue. When eventually setscheduled back to rt
it will be seen as enqueued already and the WARNING/BUG be issued.

Fix this by calling rt_effective_prio() only once and then reusing the
return value. While at it refactor code as well for clarity. Concurrent
priority inheritance handling is still safe and will eventually converge
to a new state by following the inheritance chain(s).

Fixes: 0782e63bc6fe ("sched: Handle priority boosted tasks proper in setscheduler()")
[squashed Peterz changes; added changelog]
Reported-by: Mark Simmons <msimmons@redhat.com>
Signed-off-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20210803104501.38333-1-juri.lelli@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sched/core.c |   90 ++++++++++++++++++++--------------------------------
 1 file changed, 35 insertions(+), 55 deletions(-)

--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -1632,12 +1632,18 @@ void deactivate_task(struct rq *rq, stru
 	dequeue_task(rq, p, flags);
 }
 
-/*
- * __normal_prio - return the priority that is based on the static prio
- */
-static inline int __normal_prio(struct task_struct *p)
+static inline int __normal_prio(int policy, int rt_prio, int nice)
 {
-	return p->static_prio;
+	int prio;
+
+	if (dl_policy(policy))
+		prio = MAX_DL_PRIO - 1;
+	else if (rt_policy(policy))
+		prio = MAX_RT_PRIO - 1 - rt_prio;
+	else
+		prio = NICE_TO_PRIO(nice);
+
+	return prio;
 }
 
 /*
@@ -1649,15 +1655,7 @@ static inline int __normal_prio(struct t
  */
 static inline int normal_prio(struct task_struct *p)
 {
-	int prio;
-
-	if (task_has_dl_policy(p))
-		prio = MAX_DL_PRIO-1;
-	else if (task_has_rt_policy(p))
-		prio = MAX_RT_PRIO-1 - p->rt_priority;
-	else
-		prio = __normal_prio(p);
-	return prio;
+	return __normal_prio(p->policy, p->rt_priority, PRIO_TO_NICE(p->static_prio));
 }
 
 /*
@@ -3759,7 +3757,7 @@ int sched_fork(unsigned long clone_flags
 		} else if (PRIO_TO_NICE(p->static_prio) < 0)
 			p->static_prio = NICE_TO_PRIO(0);
 
-		p->prio = p->normal_prio = __normal_prio(p);
+		p->prio = p->normal_prio = p->static_prio;
 		set_load_weight(p, false);
 
 		/*
@@ -5552,6 +5550,18 @@ int default_wake_function(wait_queue_ent
 }
 EXPORT_SYMBOL(default_wake_function);
 
+static void __setscheduler_prio(struct task_struct *p, int prio)
+{
+	if (dl_prio(prio))
+		p->sched_class = &dl_sched_class;
+	else if (rt_prio(prio))
+		p->sched_class = &rt_sched_class;
+	else
+		p->sched_class = &fair_sched_class;
+
+	p->prio = prio;
+}
+
 #ifdef CONFIG_RT_MUTEXES
 
 static inline int __rt_effective_prio(struct task_struct *pi_task, int prio)
@@ -5667,22 +5677,19 @@ void rt_mutex_setprio(struct task_struct
 		} else {
 			p->dl.pi_se = &p->dl;
 		}
-		p->sched_class = &dl_sched_class;
 	} else if (rt_prio(prio)) {
 		if (dl_prio(oldprio))
 			p->dl.pi_se = &p->dl;
 		if (oldprio < prio)
 			queue_flag |= ENQUEUE_HEAD;
-		p->sched_class = &rt_sched_class;
 	} else {
 		if (dl_prio(oldprio))
 			p->dl.pi_se = &p->dl;
 		if (rt_prio(oldprio))
 			p->rt.timeout = 0;
-		p->sched_class = &fair_sched_class;
 	}
 
-	p->prio = prio;
+	__setscheduler_prio(p, prio);
 
 	if (queued)
 		enqueue_task(rq, p, queue_flag);
@@ -6035,35 +6042,6 @@ static void __setscheduler_params(struct
 	set_load_weight(p, true);
 }
 
-/* Actually do priority change: must hold pi & rq lock. */
-static void __setscheduler(struct rq *rq, struct task_struct *p,
-			   const struct sched_attr *attr, bool keep_boost)
-{
-	/*
-	 * If params can't change scheduling class changes aren't allowed
-	 * either.
-	 */
-	if (attr->sched_flags & SCHED_FLAG_KEEP_PARAMS)
-		return;
-
-	__setscheduler_params(p, attr);
-
-	/*
-	 * Keep a potential priority boosting if called from
-	 * sched_setscheduler().
-	 */
-	p->prio = normal_prio(p);
-	if (keep_boost)
-		p->prio = rt_effective_prio(p, p->prio);
-
-	if (dl_prio(p->prio))
-		p->sched_class = &dl_sched_class;
-	else if (rt_prio(p->prio))
-		p->sched_class = &rt_sched_class;
-	else
-		p->sched_class = &fair_sched_class;
-}
-
 /*
  * Check the target process has a UID that matches the current process's:
  */
@@ -6084,10 +6062,8 @@ static int __sched_setscheduler(struct t
 				const struct sched_attr *attr,
 				bool user, bool pi)
 {
-	int newprio = dl_policy(attr->sched_policy) ? MAX_DL_PRIO - 1 :
-		      MAX_RT_PRIO - 1 - attr->sched_priority;
-	int retval, oldprio, oldpolicy = -1, queued, running;
-	int new_effective_prio, policy = attr->sched_policy;
+	int oldpolicy = -1, policy = attr->sched_policy;
+	int retval, oldprio, newprio, queued, running;
 	const struct sched_class *prev_class;
 	struct callback_head *head;
 	struct rq_flags rf;
@@ -6285,6 +6261,7 @@ change:
 	p->sched_reset_on_fork = reset_on_fork;
 	oldprio = p->prio;
 
+	newprio = __normal_prio(policy, attr->sched_priority, attr->sched_nice);
 	if (pi) {
 		/*
 		 * Take priority boosted tasks into account. If the new
@@ -6293,8 +6270,8 @@ change:
 		 * the runqueue. This will be done when the task deboost
 		 * itself.
 		 */
-		new_effective_prio = rt_effective_prio(p, newprio);
-		if (new_effective_prio == oldprio)
+		newprio = rt_effective_prio(p, newprio);
+		if (newprio == oldprio)
 			queue_flags &= ~DEQUEUE_MOVE;
 	}
 
@@ -6307,7 +6284,10 @@ change:
 
 	prev_class = p->sched_class;
 
-	__setscheduler(rq, p, attr, pi);
+	if (!(attr->sched_flags & SCHED_FLAG_KEEP_PARAMS)) {
+		__setscheduler_params(p, attr);
+		__setscheduler_prio(p, newprio);
+	}
 	__setscheduler_uclamp(p, attr);
 
 	if (queued) {



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 164/175] riscv: dts: fix memory size for the SiFive HiFive Unmatched
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 163/175] sched/rt: Fix double enqueue caused by rt_effective_prio Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 165/175] libata: fix ata_pio_sector for CONFIG_HIGHMEM Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Qiu Wenbo, Palmer Dabbelt

From: Qiu Wenbo <qiuwenbo@kylinos.com.cn>

commit d09560435cb712c9ec1e62b8a43a79b0af69fe77 upstream.

The production version of HiFive Unmatched have 16GB memory.

Signed-off-by: Qiu Wenbo <qiuwenbo@kylinos.com.cn>
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts
+++ b/arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts
@@ -24,7 +24,7 @@
 
 	memory@80000000 {
 		device_type = "memory";
-		reg = <0x0 0x80000000 0x2 0x00000000>;
+		reg = <0x0 0x80000000 0x4 0x00000000>;
 	};
 
 	soc {



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.13 165/175] libata: fix ata_pio_sector for CONFIG_HIGHMEM
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 164/175] riscv: dts: fix memory size for the SiFive HiFive Unmatched Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 166/175] reiserfs: add check for root_inode in reiserfs_fill_super Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Christoph Hellwig,
	Jens Axboe, Sasha Levin

From: Christoph Hellwig <hch@lst.de>

[ Upstream commit ecef6a9effe49e8e2635c839020b9833b71e934c ]

Data transfers are not required to be block aligned in memory, so they
span two pages.  Fix this by splitting the call to >sff_data_xfer into
two for that case.

This has been broken since the initial libata import before the damn
of git, but was uncovered by the legacy ide driver removal.

Reported-by: kernel test robot <oliver.sang@intel.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20210709130237.3730959-1-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/libata-sff.c | 35 +++++++++++++++++++++++++++--------
 1 file changed, 27 insertions(+), 8 deletions(-)

diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c
index ae7189d1a568..b71ea4a680b0 100644
--- a/drivers/ata/libata-sff.c
+++ b/drivers/ata/libata-sff.c
@@ -637,6 +637,20 @@ unsigned int ata_sff_data_xfer32(struct ata_queued_cmd *qc, unsigned char *buf,
 }
 EXPORT_SYMBOL_GPL(ata_sff_data_xfer32);
 
+static void ata_pio_xfer(struct ata_queued_cmd *qc, struct page *page,
+		unsigned int offset, size_t xfer_size)
+{
+	bool do_write = (qc->tf.flags & ATA_TFLAG_WRITE);
+	unsigned char *buf;
+
+	buf = kmap_atomic(page);
+	qc->ap->ops->sff_data_xfer(qc, buf + offset, xfer_size, do_write);
+	kunmap_atomic(buf);
+
+	if (!do_write && !PageSlab(page))
+		flush_dcache_page(page);
+}
+
 /**
  *	ata_pio_sector - Transfer a sector of data.
  *	@qc: Command on going
@@ -648,11 +662,9 @@ EXPORT_SYMBOL_GPL(ata_sff_data_xfer32);
  */
 static void ata_pio_sector(struct ata_queued_cmd *qc)
 {
-	int do_write = (qc->tf.flags & ATA_TFLAG_WRITE);
 	struct ata_port *ap = qc->ap;
 	struct page *page;
 	unsigned int offset;
-	unsigned char *buf;
 
 	if (!qc->cursg) {
 		qc->curbytes = qc->nbytes;
@@ -670,13 +682,20 @@ static void ata_pio_sector(struct ata_queued_cmd *qc)
 
 	DPRINTK("data %s\n", qc->tf.flags & ATA_TFLAG_WRITE ? "write" : "read");
 
-	/* do the actual data transfer */
-	buf = kmap_atomic(page);
-	ap->ops->sff_data_xfer(qc, buf + offset, qc->sect_size, do_write);
-	kunmap_atomic(buf);
+	/*
+	 * Split the transfer when it splits a page boundary.  Note that the
+	 * split still has to be dword aligned like all ATA data transfers.
+	 */
+	WARN_ON_ONCE(offset % 4);
+	if (offset + qc->sect_size > PAGE_SIZE) {
+		unsigned int split_len = PAGE_SIZE - offset;
 
-	if (!do_write && !PageSlab(page))
-		flush_dcache_page(page);
+		ata_pio_xfer(qc, page, offset, split_len);
+		ata_pio_xfer(qc, nth_page(page, 1), 0,
+			     qc->sect_size - split_len);
+	} else {
+		ata_pio_xfer(qc, page, offset, qc->sect_size);
+	}
 
 	qc->curbytes += qc->sect_size;
 	qc->cursg_ofs += qc->sect_size;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 166/175] reiserfs: add check for root_inode in reiserfs_fill_super
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 165/175] libata: fix ata_pio_sector for CONFIG_HIGHMEM Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 167/175] reiserfs: check directory items on read from disk Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yu Kuai, Jan Kara, Sasha Levin

From: Yu Kuai <yukuai3@huawei.com>

[ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ]

Our syzcaller report a NULL pointer dereference:

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0
Oops: 0010 [#1] SMP KASAN
CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4
RIP: 0010:0x0
Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
RSP: 0018:ffff888114e779b8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa
RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0
RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001
R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00
R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0
FS:  00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __lookup_slow+0x116/0x2d0
 ? page_put_link+0x120/0x120
 ? __d_lookup+0xfc/0x320
 ? d_lookup+0x49/0x90
 lookup_one_len+0x13c/0x170
 ? __lookup_slow+0x2d0/0x2d0
 ? reiserfs_schedule_old_flush+0x31/0x130
 reiserfs_lookup_privroot+0x64/0x150
 reiserfs_fill_super+0x158c/0x1b90
 ? finish_unfinished+0xb10/0xb10
 ? bprintf+0xe0/0xe0
 ? __mutex_lock_slowpath+0x30/0x30
 ? __kasan_check_write+0x20/0x30
 ? up_write+0x51/0xb0
 ? set_blocksize+0x9f/0x1f0
 mount_bdev+0x27c/0x2d0
 ? finish_unfinished+0xb10/0xb10
 ? reiserfs_kill_sb+0x120/0x120
 get_super_block+0x19/0x30
 legacy_get_tree+0x76/0xf0
 vfs_get_tree+0x49/0x160
 ? capable+0x1d/0x30
 path_mount+0xacc/0x1380
 ? putname+0x97/0xd0
 ? finish_automount+0x450/0x450
 ? kmem_cache_free+0xf8/0x5a0
 ? putname+0x97/0xd0
 do_mount+0xe2/0x110
 ? path_mount+0x1380/0x1380
 ? copy_mount_options+0x69/0x140
 __x64_sys_mount+0xf0/0x190
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

This is because 'root_inode' is initialized with wrong mode, and
it's i_op is set to 'reiserfs_special_inode_operations'. Thus add
check for 'root_inode' to fix the problem.

Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/reiserfs/super.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
index 3ffafc73acf0..58481f8d63d5 100644
--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -2082,6 +2082,14 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
 		unlock_new_inode(root_inode);
 	}
 
+	if (!S_ISDIR(root_inode->i_mode) || !inode_get_bytes(root_inode) ||
+	    !root_inode->i_size) {
+		SWARN(silent, s, "", "corrupt root inode, run fsck");
+		iput(root_inode);
+		errval = -EUCLEAN;
+		goto error;
+	}
+
 	s->s_root = d_make_root(root_inode);
 	if (!s->s_root)
 		goto error;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 167/175] reiserfs: check directory items on read from disk
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 166/175] reiserfs: add check for root_inode in reiserfs_fill_super Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 168/175] virt_wifi: fix error on connect Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+c31a48e6702ccb3d64c9,
	Shreyansh Chouhan, Jan Kara, Sasha Levin

From: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>

[ Upstream commit 13d257503c0930010ef9eed78b689cec417ab741 ]

While verifying the leaf item that we read from the disk, reiserfs
doesn't check the directory items, this could cause a crash when we
read a directory item from the disk that has an invalid deh_location.

This patch adds a check to the directory items read from the disk that
does a bounds check on deh_location for the directory entries. Any
directory entry header with a directory entry offset greater than the
item length is considered invalid.

Link: https://lore.kernel.org/r/20210709152929.766363-1-chouhan.shreyansh630@gmail.com
Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com
Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c
index 476a7ff49482..ef42729216d1 100644
--- a/fs/reiserfs/stree.c
+++ b/fs/reiserfs/stree.c
@@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path)
 	search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET;
 }
 
+static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih)
+{
+	struct reiserfs_de_head *deh;
+	int i;
+
+	deh = B_I_DEH(bh, ih);
+	for (i = 0; i < ih_entry_count(ih); i++) {
+		if (deh_location(&deh[i]) > ih_item_len(ih)) {
+			reiserfs_warning(NULL, "reiserfs-5094",
+					 "directory entry location seems wrong %h",
+					 &deh[i]);
+			return 0;
+		}
+	}
+
+	return 1;
+}
+
 static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
 {
 	struct block_head *blkh;
@@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh)
 					 "(second one): %h", ih);
 			return 0;
 		}
-		if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
-			reiserfs_warning(NULL, "reiserfs-5093",
-					 "item entry count seems wrong %h",
-					 ih);
-			return 0;
+		if (is_direntry_le_ih(ih)) {
+			if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) {
+				reiserfs_warning(NULL, "reiserfs-5093",
+						 "item entry count seems wrong %h",
+						 ih);
+				return 0;
+			}
+			return has_valid_deh_location(bh, ih);
 		}
 		prev_location = ih_location(ih);
 	}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 168/175] virt_wifi: fix error on connect
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 167/175] reiserfs: check directory items on read from disk Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 169/175] net: qede: Fix end of loop tests for list_for_each_entry Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matteo Croce, Johannes Berg, Sasha Levin

From: Matteo Croce <mcroce@microsoft.com>

[ Upstream commit 17109e9783799be2a063b2bd861a508194b0a487 ]

When connecting without first doing a scan, the BSS list is empty
and __cfg80211_connect_result() generates this warning:

$ iw dev wlan0 connect -w VirtWifi
[   15.371989] ------------[ cut here ]------------
[   15.372179] WARNING: CPU: 0 PID: 92 at net/wireless/sme.c:756 __cfg80211_connect_result+0x402/0x440
[   15.372383] CPU: 0 PID: 92 Comm: kworker/u2:2 Not tainted 5.13.0-kvm #444
[   15.372512] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-3.fc34 04/01/2014
[   15.372597] Workqueue: cfg80211 cfg80211_event_work
[   15.372756] RIP: 0010:__cfg80211_connect_result+0x402/0x440
[   15.372818] Code: 48 2b 04 25 28 00 00 00 75 59 48 8b 3b 48 8b 76 10 48 8d 65 e0 5b 41 5c 41 5d 41 5e 5d 49 8d 65 f0 41 5d e9 d0 d4 fd ff 0f 0b <0f> 0b e9 f6 fd ff ff e8 f2 4a b4 ff e9 ec fd ff ff 0f 0b e9 19 fd
[   15.372966] RSP: 0018:ffffc900005cbdc0 EFLAGS: 00010246
[   15.373022] RAX: 0000000000000000 RBX: ffff8880028e2400 RCX: ffff8880028e2472
[   15.373088] RDX: 0000000000000002 RSI: 00000000fffffe01 RDI: ffffffff815335ba
[   15.373149] RBP: ffffc900005cbe00 R08: 0000000000000008 R09: ffff888002bdf8b8
[   15.373209] R10: ffff88803ec208f0 R11: ffffffffffffe9ae R12: ffff88801d687d98
[   15.373280] R13: ffff88801b5fe000 R14: ffffc900005cbdc0 R15: dead000000000100
[   15.373330] FS:  0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
[   15.373382] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   15.373425] CR2: 000056421c468958 CR3: 000000001b458001 CR4: 0000000000170eb0
[   15.373478] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   15.373529] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   15.373580] Call Trace:
[   15.373611]  ? cfg80211_process_wdev_events+0x10e/0x170
[   15.373743]  cfg80211_process_wdev_events+0x10e/0x170
[   15.373783]  cfg80211_process_rdev_events+0x21/0x40
[   15.373846]  cfg80211_event_work+0x20/0x30
[   15.373892]  process_one_work+0x1e9/0x340
[   15.373956]  worker_thread+0x4b/0x3f0
[   15.374017]  ? process_one_work+0x340/0x340
[   15.374053]  kthread+0x11f/0x140
[   15.374089]  ? set_kthread_struct+0x30/0x30
[   15.374153]  ret_from_fork+0x1f/0x30
[   15.374187] ---[ end trace 321ef0cb7e9c0be1 ]---
wlan0 (phy #0): connected to 00:00:00:00:00:00

Add the fake bss just before the connect so that cfg80211_get_bss()
finds the virtual network.
As some code was duplicated, move it in a common function.

Signed-off-by: Matteo Croce <mcroce@microsoft.com>
Link: https://lore.kernel.org/r/20210706154423.11065-1-mcroce@linux.microsoft.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/virt_wifi.c | 52 ++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 20 deletions(-)

diff --git a/drivers/net/wireless/virt_wifi.c b/drivers/net/wireless/virt_wifi.c
index 1df959532c7d..514f2c1124b6 100644
--- a/drivers/net/wireless/virt_wifi.c
+++ b/drivers/net/wireless/virt_wifi.c
@@ -136,6 +136,29 @@ static struct ieee80211_supported_band band_5ghz = {
 /* Assigned at module init. Guaranteed locally-administered and unicast. */
 static u8 fake_router_bssid[ETH_ALEN] __ro_after_init = {};
 
+static void virt_wifi_inform_bss(struct wiphy *wiphy)
+{
+	u64 tsf = div_u64(ktime_get_boottime_ns(), 1000);
+	struct cfg80211_bss *informed_bss;
+	static const struct {
+		u8 tag;
+		u8 len;
+		u8 ssid[8];
+	} __packed ssid = {
+		.tag = WLAN_EID_SSID,
+		.len = 8,
+		.ssid = "VirtWifi",
+	};
+
+	informed_bss = cfg80211_inform_bss(wiphy, &channel_5ghz,
+					   CFG80211_BSS_FTYPE_PRESP,
+					   fake_router_bssid, tsf,
+					   WLAN_CAPABILITY_ESS, 0,
+					   (void *)&ssid, sizeof(ssid),
+					   DBM_TO_MBM(-50), GFP_KERNEL);
+	cfg80211_put_bss(wiphy, informed_bss);
+}
+
 /* Called with the rtnl lock held. */
 static int virt_wifi_scan(struct wiphy *wiphy,
 			  struct cfg80211_scan_request *request)
@@ -156,28 +179,13 @@ static int virt_wifi_scan(struct wiphy *wiphy,
 /* Acquires and releases the rdev BSS lock. */
 static void virt_wifi_scan_result(struct work_struct *work)
 {
-	struct {
-		u8 tag;
-		u8 len;
-		u8 ssid[8];
-	} __packed ssid = {
-		.tag = WLAN_EID_SSID, .len = 8, .ssid = "VirtWifi",
-	};
-	struct cfg80211_bss *informed_bss;
 	struct virt_wifi_wiphy_priv *priv =
 		container_of(work, struct virt_wifi_wiphy_priv,
 			     scan_result.work);
 	struct wiphy *wiphy = priv_to_wiphy(priv);
 	struct cfg80211_scan_info scan_info = { .aborted = false };
-	u64 tsf = div_u64(ktime_get_boottime_ns(), 1000);
 
-	informed_bss = cfg80211_inform_bss(wiphy, &channel_5ghz,
-					   CFG80211_BSS_FTYPE_PRESP,
-					   fake_router_bssid, tsf,
-					   WLAN_CAPABILITY_ESS, 0,
-					   (void *)&ssid, sizeof(ssid),
-					   DBM_TO_MBM(-50), GFP_KERNEL);
-	cfg80211_put_bss(wiphy, informed_bss);
+	virt_wifi_inform_bss(wiphy);
 
 	/* Schedules work which acquires and releases the rtnl lock. */
 	cfg80211_scan_done(priv->scan_request, &scan_info);
@@ -225,10 +233,12 @@ static int virt_wifi_connect(struct wiphy *wiphy, struct net_device *netdev,
 	if (!could_schedule)
 		return -EBUSY;
 
-	if (sme->bssid)
+	if (sme->bssid) {
 		ether_addr_copy(priv->connect_requested_bss, sme->bssid);
-	else
+	} else {
+		virt_wifi_inform_bss(wiphy);
 		eth_zero_addr(priv->connect_requested_bss);
+	}
 
 	wiphy_debug(wiphy, "connect\n");
 
@@ -241,11 +251,13 @@ static void virt_wifi_connect_complete(struct work_struct *work)
 	struct virt_wifi_netdev_priv *priv =
 		container_of(work, struct virt_wifi_netdev_priv, connect.work);
 	u8 *requested_bss = priv->connect_requested_bss;
-	bool has_addr = !is_zero_ether_addr(requested_bss);
 	bool right_addr = ether_addr_equal(requested_bss, fake_router_bssid);
 	u16 status = WLAN_STATUS_SUCCESS;
 
-	if (!priv->is_up || (has_addr && !right_addr))
+	if (is_zero_ether_addr(requested_bss))
+		requested_bss = NULL;
+
+	if (!priv->is_up || (requested_bss && !right_addr))
 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
 	else
 		priv->is_connected = true;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 169/175] net: qede: Fix end of loop tests for list_for_each_entry
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 168/175] virt_wifi: fix error on connect Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 170/175] alpha: Send stop IPI to send to online CPUs Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harshvardhan Jha, David S. Miller,
	Sasha Levin

From: Harshvardhan Jha <harshvardhan.jha@oracle.com>

[ Upstream commit 795e3d2ea68e489ee7039ac29e98bfea0e34a96c ]

The list_for_each_entry() iterator, "vlan" in this code, can never be
NULL so the warning will never be printed.

Signed-off-by: Harshvardhan Jha <harshvardhan.jha@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qede/qede_filter.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qede/qede_filter.c b/drivers/net/ethernet/qlogic/qede/qede_filter.c
index c59b72c90293..a2e4dfb5cb44 100644
--- a/drivers/net/ethernet/qlogic/qede/qede_filter.c
+++ b/drivers/net/ethernet/qlogic/qede/qede_filter.c
@@ -831,7 +831,7 @@ int qede_configure_vlan_filters(struct qede_dev *edev)
 int qede_vlan_rx_kill_vid(struct net_device *dev, __be16 proto, u16 vid)
 {
 	struct qede_dev *edev = netdev_priv(dev);
-	struct qede_vlan *vlan = NULL;
+	struct qede_vlan *vlan;
 	int rc = 0;
 
 	DP_VERBOSE(edev, NETIF_MSG_IFDOWN, "Removing vlan 0x%04x\n", vid);
@@ -842,7 +842,7 @@ int qede_vlan_rx_kill_vid(struct net_device *dev, __be16 proto, u16 vid)
 		if (vlan->vid == vid)
 			break;
 
-	if (!vlan || (vlan->vid != vid)) {
+	if (list_entry_is_head(vlan, &edev->vlan_list, list)) {
 		DP_VERBOSE(edev, (NETIF_MSG_IFUP | NETIF_MSG_IFDOWN),
 			   "Vlan isn't configured\n");
 		goto out;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 170/175] alpha: Send stop IPI to send to online CPUs
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 169/175] net: qede: Fix end of loop tests for list_for_each_entry Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 171/175] net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Prarit Bhargava, Richard Henderson,
	Ivan Kokshaysky, Matt Turner, Sasha Levin

From: Prarit Bhargava <prarit@redhat.com>

[ Upstream commit caace6ca4e06f09413fb8f8a63319594cfb7d47d ]

This issue was noticed while debugging a shutdown issue where some
secondary CPUs are not being shutdown correctly.  A fix for that [1] requires
that secondary cpus be offlined using the cpu_online_mask so that the
stop operation is a no-op if CPU HOTPLUG is disabled.  I, like the author in
[1] looked at the architectures and found that alpha is one of two
architectures that executes smp_send_stop() on all possible CPUs.

On alpha, smp_send_stop() sends an IPI to all possible CPUs but only needs
to send them to online CPUs.

Send the stop IPI to only the online CPUs.

[1] https://lkml.org/lkml/2020/1/10/250

Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/alpha/kernel/smp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/alpha/kernel/smp.c b/arch/alpha/kernel/smp.c
index 4b2575f936d4..cb64e4797d2a 100644
--- a/arch/alpha/kernel/smp.c
+++ b/arch/alpha/kernel/smp.c
@@ -582,7 +582,7 @@ void
 smp_send_stop(void)
 {
 	cpumask_t to_whom;
-	cpumask_copy(&to_whom, cpu_possible_mask);
+	cpumask_copy(&to_whom, cpu_online_mask);
 	cpumask_clear_cpu(smp_processor_id(), &to_whom);
 #ifdef DEBUG_IPI_MSG
 	if (hard_smp_processor_id() != boot_cpu_id)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 171/175] net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 170/175] alpha: Send stop IPI to send to online CPUs Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 172/175] smb3: rc uninitialized in one fallocate path Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Letu Ren, David S. Miller, Sasha Levin

From: Letu Ren <fantasquex@gmail.com>

[ Upstream commit 92766c4628ea349c8ddab0cd7bd0488f36e5c4ce ]

When calling the 'ql_wait_for_drvr_lock' and 'ql_adapter_reset', the driver
has already acquired the spin lock, so the driver should not call 'ssleep'
in atomic context.

This bug can be fixed by using 'mdelay' instead of 'ssleep'.

Reported-by: Letu Ren <fantasquex@gmail.com>
Signed-off-by: Letu Ren <fantasquex@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/qlogic/qla3xxx.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c
index 2376b2729633..c00ad57575ea 100644
--- a/drivers/net/ethernet/qlogic/qla3xxx.c
+++ b/drivers/net/ethernet/qlogic/qla3xxx.c
@@ -154,7 +154,7 @@ static int ql_wait_for_drvr_lock(struct ql3_adapter *qdev)
 				      "driver lock acquired\n");
 			return 1;
 		}
-		ssleep(1);
+		mdelay(1000);
 	} while (++i < 10);
 
 	netdev_err(qdev->ndev, "Timed out waiting for driver lock...\n");
@@ -3274,7 +3274,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev)
 		if ((value & ISP_CONTROL_SR) == 0)
 			break;
 
-		ssleep(1);
+		mdelay(1000);
 	} while ((--max_wait_time));
 
 	/*
@@ -3310,7 +3310,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev)
 						   ispControlStatus);
 			if ((value & ISP_CONTROL_FSR) == 0)
 				break;
-			ssleep(1);
+			mdelay(1000);
 		} while ((--max_wait_time));
 	}
 	if (max_wait_time == 0)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 172/175] smb3: rc uninitialized in one fallocate path
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 171/175] net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 173/175] drm/amdgpu/display: only enable aux backlight control for OLED panels Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Paulo Alcantara (SUSE),
	Steve French, Sasha Levin

From: Steve French <stfrench@microsoft.com>

[ Upstream commit 5ad4df56cd2158965f73416d41fce37906724822 ]

Clang detected a problem with rc possibly being unitialized
(when length is zero) in a recently added fallocate code path.

Reported-by: kernel test robot <lkp@intel.com>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/cifs/smb2ops.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 398c941e3897..f77156187a0a 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -3613,7 +3613,8 @@ static int smb3_simple_fallocate_write_range(unsigned int xid,
 					     char *buf)
 {
 	struct cifs_io_parms io_parms = {0};
-	int rc, nbytes;
+	int nbytes;
+	int rc = 0;
 	struct kvec iov[2];
 
 	io_parms.netfid = cfile->fid.netfid;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 173/175] drm/amdgpu/display: only enable aux backlight control for OLED panels
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 172/175] smb3: rc uninitialized in one fallocate path Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 174/175] platform/x86: gigabyte-wmi: add support for B550 Aorus Elite V2 Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roman Li, Alex Deucher, Sasha Levin

From: Alex Deucher <alexander.deucher@amd.com>

[ Upstream commit f2ad3accefc63e72e9932e141c21875cc04beec8 ]

We've gotten a number of reports about backlight control not
working on panels which indicate that they use aux backlight
control.  A recent patch:

commit 2d73eabe2984a435737498ab39bb1500a9ffe9a9
Author: Camille Cho <Camille.Cho@amd.com>
Date:   Thu Jul 8 18:28:37 2021 +0800

    drm/amd/display: Only set default brightness for OLED

    [Why]
    We used to unconditionally set backlight path as AUX for panels capable
    of backlight adjustment via DPCD in set default brightness.

    [How]
    This should be limited to OLED panel only since we control backlight via
    PWM path for SDR mode in LCD HDR panel.

    Reviewed-by: Krunoslav Kovac <krunoslav.kovac@amd.com>
    Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
    Signed-off-by: Camille Cho <Camille.Cho@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>

Changes some other code to only use aux for backlight control on
OLED panels.  The commit message seems to indicate that PWM should
be used for SDR mode on HDR panels.  Do something similar for
backlight control in general.  This may need to be revisited if and
when HDR started to get used.

Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1438
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=213715
Reviewed-by: Roman Li <Roman.Li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index f44038f8e563..0894cd505361 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -2367,9 +2367,9 @@ static void update_connector_ext_caps(struct amdgpu_dm_connector *aconnector)
 	max_cll = conn_base->hdr_sink_metadata.hdmi_type1.max_cll;
 	min_cll = conn_base->hdr_sink_metadata.hdmi_type1.min_cll;
 
-	if (caps->ext_caps->bits.oled == 1 ||
+	if (caps->ext_caps->bits.oled == 1 /*||
 	    caps->ext_caps->bits.sdr_aux_backlight_control == 1 ||
-	    caps->ext_caps->bits.hdr_aux_backlight_control == 1)
+	    caps->ext_caps->bits.hdr_aux_backlight_control == 1*/)
 		caps->aux_support = true;
 
 	if (amdgpu_backlight == 0)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 174/175] platform/x86: gigabyte-wmi: add support for B550 Aorus Elite V2
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 173/175] drm/amdgpu/display: only enable aux backlight control for OLED panels Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 17:31 ` [PATCH 5.13 175/175] HID: ft260: fix device removal due to USB disconnect Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Weißschuh, Hans de Goede,
	Sasha Levin

From: Thomas Weißschuh <linux@weissschuh.net>

[ Upstream commit 2b2c66f607d00d17f879c0d946d44340bfbdc501 ]

Reported as working here:
https://github.com/t-8ch/linux-gigabyte-wmi-driver/issues/1#issuecomment-879398883

Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/r/20210726153630.65213-1-linux@weissschuh.net
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/platform/x86/gigabyte-wmi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/platform/x86/gigabyte-wmi.c b/drivers/platform/x86/gigabyte-wmi.c
index 5529d7b0abea..fbb224a82e34 100644
--- a/drivers/platform/x86/gigabyte-wmi.c
+++ b/drivers/platform/x86/gigabyte-wmi.c
@@ -141,6 +141,7 @@ static u8 gigabyte_wmi_detect_sensor_usability(struct wmi_device *wdev)
 
 static const struct dmi_system_id gigabyte_wmi_known_working_platforms[] = {
 	DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550 AORUS ELITE"),
+	DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550 AORUS ELITE V2"),
 	DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550 GAMING X V2"),
 	DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550M AORUS PRO-P"),
 	DMI_EXACT_MATCH_GIGABYTE_BOARD_NAME("B550M DS3H"),
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.13 175/175] HID: ft260: fix device removal due to USB disconnect
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 174/175] platform/x86: gigabyte-wmi: add support for B550 Aorus Elite V2 Greg Kroah-Hartman
@ 2021-08-10 17:31 ` Greg Kroah-Hartman
  2021-08-10 20:31 ` [PATCH 5.13 000/175] 5.13.10-rc1 review Fox Chen
                   ` (4 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-10 17:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Zaidman,
	Aaron Jones (FTDI-UK),
	Jiri Kosina, Sasha Levin

From: Michael Zaidman <michael.zaidman@gmail.com>

[ Upstream commit db8d3a21275c807a4047a21bde3b57d49ca55d82 ]

This commit fixes a functional regression introduced by the commit 82f09a637dd3
("HID: ft260: improve error handling of ft260_hid_feature_report_get()")
when upon USB disconnect, the FTDI FT260 i2c device is still available within
the /dev folder.

In my company's product, where the host USB to FT260 USB connection is
hard-wired in the PCB, the issue is not reproducible. To reproduce it, I used
the VirtualBox Ubuntu 20.04 VM and the UMFT260EV1A development module for the
FTDI FT260 chip:

Plug the UMFT260EV1A module into a USB port and attach it to VM.

The VM shows 2 i2c devices under the /dev:
    michael@michael-VirtualBox:~$ ls /dev/i2c-*
    /dev/i2c-0  /dev/i2c-1

The i2c-0 is not related to the FTDI FT260:
    michael@michael-VirtualBox:~$ cat /sys/bus/i2c/devices/i2c-0/name
    SMBus PIIX4 adapter at 4100

The i2c-1 is created by hid-ft260.ko:
    michael@michael-VirtualBox:~$ cat /sys/bus/i2c/devices/i2c-1/name
    FT260 usb-i2c bridge on hidraw1

Now, detach the FTDI FT260 USB device from VM. We expect the /dev/i2c-1
to disappear, but it's still here:
    michael@michael-VirtualBox:~$ ls /dev/i2c-*
    /dev/i2c-0  /dev/i2c-1

And the kernel log shows:
    [  +0.001202] usb 2-2: USB disconnect, device number 3
    [  +0.000109] ft260 0003:0403:6030.0002: failed to retrieve system status
    [  +0.000316] ft260 0003:0403:6030.0003: failed to retrieve system status

It happens because the commit 82f09a637dd3 changed the ft260_get_system_config()
return logic. This caused the ft260_is_interface_enabled() to exit with error
upon the FT260 device USB disconnect, which in turn, aborted the ft260_remove()
before deleting the FT260 i2c device and cleaning its sysfs stuff.

This commit restores the FT260 USB removal functionality and improves the
ft260_is_interface_enabled() code to handle correctly all chip modes defined
by the device interface configuration pins DCNF0 and DCNF1.

Signed-off-by: Michael Zaidman <michael.zaidman@gmail.com>
Acked-by: Aaron Jones (FTDI-UK) <aaron.jones@ftdichip.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-ft260.c | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)

diff --git a/drivers/hid/hid-ft260.c b/drivers/hid/hid-ft260.c
index f43a8406cb9a..e73776ae6976 100644
--- a/drivers/hid/hid-ft260.c
+++ b/drivers/hid/hid-ft260.c
@@ -742,7 +742,7 @@ static int ft260_is_interface_enabled(struct hid_device *hdev)
 	int ret;
 
 	ret = ft260_get_system_config(hdev, &cfg);
-	if (ret)
+	if (ret < 0)
 		return ret;
 
 	ft260_dbg("interface:  0x%02x\n", interface);
@@ -754,23 +754,16 @@ static int ft260_is_interface_enabled(struct hid_device *hdev)
 	switch (cfg.chip_mode) {
 	case FT260_MODE_ALL:
 	case FT260_MODE_BOTH:
-		if (interface == 1) {
+		if (interface == 1)
 			hid_info(hdev, "uart interface is not supported\n");
-			return 0;
-		}
-		ret = 1;
+		else
+			ret = 1;
 		break;
 	case FT260_MODE_UART:
-		if (interface == 0) {
-			hid_info(hdev, "uart is unsupported on interface 0\n");
-			ret = 0;
-		}
+		hid_info(hdev, "uart interface is not supported\n");
 		break;
 	case FT260_MODE_I2C:
-		if (interface == 1) {
-			hid_info(hdev, "i2c is unsupported on interface 1\n");
-			ret = 0;
-		}
+		ret = 1;
 		break;
 	}
 	return ret;
@@ -1004,11 +997,9 @@ static int ft260_probe(struct hid_device *hdev, const struct hid_device_id *id)
 
 static void ft260_remove(struct hid_device *hdev)
 {
-	int ret;
 	struct ft260_device *dev = hid_get_drvdata(hdev);
 
-	ret = ft260_is_interface_enabled(hdev);
-	if (ret <= 0)
+	if (!dev)
 		return;
 
 	sysfs_remove_group(&hdev->dev.kobj, &ft260_attr_group);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* RE: [PATCH 5.13 000/175] 5.13.10-rc1 review
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2021-08-10 17:31 ` [PATCH 5.13 175/175] HID: ft260: fix device removal due to USB disconnect Greg Kroah-Hartman
@ 2021-08-10 20:31 ` Fox Chen
  2021-08-11 16:21 ` Naresh Kamboju
                   ` (3 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Fox Chen @ 2021-08-10 20:31 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable, Fox Chen

On Tue, 10 Aug 2021 19:28:28 +0200, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 5.13.10 release.
> There are 175 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 12 Aug 2021 17:29:30 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.13.10-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.13.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

5.13.10-rc1 Successfully Compiled and booted on my Raspberry PI 4b (8g) (bcm2711)
                
Tested-by: Fox Chen <foxhlchen@gmail.com>


^ permalink raw reply	[flat|nested] 183+ messages in thread

* Re: [PATCH 5.13 159/175] interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate
  2021-08-10 17:31 ` [PATCH 5.13 159/175] interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate Greg Kroah-Hartman
@ 2021-08-11 15:50   ` Georgi Djakov
  2021-08-12  6:45     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 183+ messages in thread
From: Georgi Djakov @ 2021-08-11 15:50 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Mike Tipton

On 10.08.21 20:31, Greg Kroah-Hartman wrote:
> From: Mike Tipton <mdtipton@codeaurora.org>
> 
> commit f84f5b6f72e68bbaeb850b58ac167e4a3a47532a upstream.
> 
> We're only adding BCMs to the commit list in aggregate(), but there are
> cases where pre_aggregate() is called without subsequently calling
> aggregate(). In particular, in icc_sync_state() when a node with initial
> BW has zero requests. Since BCMs aren't added to the commit list in
> these cases, we don't actually send the zero BW request to HW. So the
> resources remain on unnecessarily.
> 
> Add BCMs to the commit list in pre_aggregate() instead, which is always
> called even when there are no requests.
> 
> Fixes: 976daac4a1c5 ("interconnect: qcom: Consolidate interconnect RPMh support")
> Signed-off-by: Mike Tipton <mdtipton@codeaurora.org>
> Link: https://lore.kernel.org/r/20210721175432.2119-5-mdtipton@codeaurora.org
> Signed-off-by: Georgi Djakov <djakov@kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Hello Greg,

Please drop this patch, as people are reporting issues on some
platforms. So please do not apply it to any stable trees yet
(5.10 and 5.13). I will send a revert (or other fix) to you soon.

Thanks,
Georgi

> ---
>   drivers/interconnect/qcom/icc-rpmh.c |   10 +++++-----
>   1 file changed, 5 insertions(+), 5 deletions(-)
> 
> --- a/drivers/interconnect/qcom/icc-rpmh.c
> +++ b/drivers/interconnect/qcom/icc-rpmh.c
> @@ -20,13 +20,18 @@ void qcom_icc_pre_aggregate(struct icc_n
>   {
>   	size_t i;
>   	struct qcom_icc_node *qn;
> +	struct qcom_icc_provider *qp;
>   
>   	qn = node->data;
> +	qp = to_qcom_provider(node->provider);
>   
>   	for (i = 0; i < QCOM_ICC_NUM_BUCKETS; i++) {
>   		qn->sum_avg[i] = 0;
>   		qn->max_peak[i] = 0;
>   	}
> +
> +	for (i = 0; i < qn->num_bcms; i++)
> +		qcom_icc_bcm_voter_add(qp->voter, qn->bcms[i]);
>   }
>   EXPORT_SYMBOL_GPL(qcom_icc_pre_aggregate);
>   
> @@ -44,10 +49,8 @@ int qcom_icc_aggregate(struct icc_node *
>   {
>   	size_t i;
>   	struct qcom_icc_node *qn;
> -	struct qcom_icc_provider *qp;
>   
>   	qn = node->data;
> -	qp = to_qcom_provider(node->provider);
>   
>   	if (!tag)
>   		tag = QCOM_ICC_TAG_ALWAYS;
> @@ -67,9 +70,6 @@ int qcom_icc_aggregate(struct icc_node *
>   	*agg_avg += avg_bw;
>   	*agg_peak = max_t(u32, *agg_peak, peak_bw);
>   
> -	for (i = 0; i < qn->num_bcms; i++)
> -		qcom_icc_bcm_voter_add(qp->voter, qn->bcms[i]);
> -
>   	return 0;
>   }
>   EXPORT_SYMBOL_GPL(qcom_icc_aggregate);
> 
> 


^ permalink raw reply	[flat|nested] 183+ messages in thread

* Re: [PATCH 5.13 000/175] 5.13.10-rc1 review
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2021-08-10 20:31 ` [PATCH 5.13 000/175] 5.13.10-rc1 review Fox Chen
@ 2021-08-11 16:21 ` Naresh Kamboju
  2021-08-11 19:35 ` Justin Forbes
                   ` (2 subsequent siblings)
  179 siblings, 0 replies; 183+ messages in thread
From: Naresh Kamboju @ 2021-08-11 16:21 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Shuah Khan, Florian Fainelli, patches, lkft-triage,
	Jon Hunter, linux-stable, Pavel Machek, Andrew Morton,
	Linus Torvalds, Guenter Roeck

On Tue, 10 Aug 2021 at 23:13, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.13.10 release.
> There are 175 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 12 Aug 2021 17:29:30 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.13.10-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.13.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 5.13.10-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-5.13.y
* git commit: 97aa49c885ec4453ea3d76036935989e68a6175b
* git describe: v5.13.9-176-g97aa49c885ec
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.13.y/build/v5.13.9-176-g97aa49c885ec

## No regressions (compared to v5.13.9)


## No fixes (compared to v5.13.9)


## Test result summary
total: 86407, pass: 70850, fail: 2091, skip: 12372, xfail: 1094

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 193 total, 193 passed, 0 failed
* arm64: 27 total, 27 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 26 total, 26 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 45 total, 45 passed, 0 failed
* parisc: 9 total, 9 passed, 0 failed
* powerpc: 27 total, 27 passed, 0 failed
* riscv: 21 total, 21 passed, 0 failed
* s390: 18 total, 18 passed, 0 failed
* sh: 18 total, 18 passed, 0 failed
* sparc: 9 total, 9 passed, 0 failed
* x15: 1 total, 0 passed, 1 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 27 total, 27 passed, 0 failed

## Test suites summary
* fwts
* igt-gpu-tools
* install-android-platform-tools-r2600
* kselftest-
* kselftest-android
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-lkdtm
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-vsyscall-mode-native-
* kselftest-vsyscall-mode-none-
* kselftest-x86
* kselftest-zram
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* rcutorture
* ssuite
* v4l2-compliance

--
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 183+ messages in thread

* Re: [PATCH 5.13 000/175] 5.13.10-rc1 review
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2021-08-11 16:21 ` Naresh Kamboju
@ 2021-08-11 19:35 ` Justin Forbes
  2021-08-11 20:00 ` Guenter Roeck
  2021-08-11 22:20 ` Shuah Khan
  179 siblings, 0 replies; 183+ messages in thread
From: Justin Forbes @ 2021-08-11 19:35 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, f.fainelli, stable

On Tue, Aug 10, 2021 at 07:28:28PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.13.10 release.
> There are 175 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 12 Aug 2021 17:29:30 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.13.10-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.13.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Tested rc1 against the Fedora build system (aarch64, armv7, ppc64le,
s390x, x86_64), and boot tested x86_64. No regressions noted.

Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>


^ permalink raw reply	[flat|nested] 183+ messages in thread

* Re: [PATCH 5.13 000/175] 5.13.10-rc1 review
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2021-08-11 19:35 ` Justin Forbes
@ 2021-08-11 20:00 ` Guenter Roeck
  2021-08-11 22:20 ` Shuah Khan
  179 siblings, 0 replies; 183+ messages in thread
From: Guenter Roeck @ 2021-08-11 20:00 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable

On Tue, Aug 10, 2021 at 07:28:28PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.13.10 release.
> There are 175 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 

Build results:
	total: 154 pass: 154 fail: 0
Qemu test results:
	total: 480 pass: 480 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter

^ permalink raw reply	[flat|nested] 183+ messages in thread

* Re: [PATCH 5.13 000/175] 5.13.10-rc1 review
  2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2021-08-11 20:00 ` Guenter Roeck
@ 2021-08-11 22:20 ` Shuah Khan
  179 siblings, 0 replies; 183+ messages in thread
From: Shuah Khan @ 2021-08-11 22:20 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable, Shuah Khan

On 8/10/21 11:28 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.13.10 release.
> There are 175 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 12 Aug 2021 17:29:30 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.13.10-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.13.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 
Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 183+ messages in thread

* Re: [PATCH 5.13 159/175] interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate
  2021-08-11 15:50   ` Georgi Djakov
@ 2021-08-12  6:45     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-08-12  6:45 UTC (permalink / raw)
  To: Georgi Djakov; +Cc: linux-kernel, stable, Mike Tipton

On Wed, Aug 11, 2021 at 06:50:12PM +0300, Georgi Djakov wrote:
> On 10.08.21 20:31, Greg Kroah-Hartman wrote:
> > From: Mike Tipton <mdtipton@codeaurora.org>
> > 
> > commit f84f5b6f72e68bbaeb850b58ac167e4a3a47532a upstream.
> > 
> > We're only adding BCMs to the commit list in aggregate(), but there are
> > cases where pre_aggregate() is called without subsequently calling
> > aggregate(). In particular, in icc_sync_state() when a node with initial
> > BW has zero requests. Since BCMs aren't added to the commit list in
> > these cases, we don't actually send the zero BW request to HW. So the
> > resources remain on unnecessarily.
> > 
> > Add BCMs to the commit list in pre_aggregate() instead, which is always
> > called even when there are no requests.
> > 
> > Fixes: 976daac4a1c5 ("interconnect: qcom: Consolidate interconnect RPMh support")
> > Signed-off-by: Mike Tipton <mdtipton@codeaurora.org>
> > Link: https://lore.kernel.org/r/20210721175432.2119-5-mdtipton@codeaurora.org
> > Signed-off-by: Georgi Djakov <djakov@kernel.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> Hello Greg,
> 
> Please drop this patch, as people are reporting issues on some
> platforms. So please do not apply it to any stable trees yet
> (5.10 and 5.13). I will send a revert (or other fix) to you soon.

Now dropped from both queues, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 183+ messages in thread

end of thread, other threads:[~2021-08-12  6:45 UTC | newest]

Thread overview: 183+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-10 17:28 [PATCH 5.13 000/175] 5.13.10-rc1 review Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 001/175] Revert "ACPICA: Fix memory leak caused by _CID repair function" Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 002/175] ALSA: seq: Fix racy deletion of subscriber Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 003/175] bus: ti-sysc: Fix gpt12 system timer issue with reserved status Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 004/175] net: xfrm: fix memory leak in xfrm_user_rcv_msg Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 005/175] arm64: dts: ls1028a: fix node name for the sysclk Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 006/175] dmaengine: idxd: fix array index when int_handles are being used Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 007/175] dmaengine: idxd: fix setup sequence for MSIXPERM table Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 008/175] ARM: imx: add missing iounmap() Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 009/175] ARM: imx: add missing clk_disable_unprepare() Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 010/175] ARM: dts: imx6qdl-sr-som: Increase the PHY reset duration to 10ms Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 011/175] Revert "soc: imx8m: change to use platform driver" Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 012/175] dmaengine: idxd: fix desc->vector that isnt being updated Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 013/175] dmaengine: idxd: fix sequence for pci driver remove() and shutdown() Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 014/175] dmaengine: idxd: fix submission race window Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 015/175] arm64: dts: ls1028: sl28: fix networking for variant 2 Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 016/175] ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 017/175] ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 018/175] ARM: dts: imx: Swap M53Menlo pinctrl_power_button/pinctrl_power_out pins Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 019/175] arm64: dts: armada-3720-turris-mox: fixed indices for the SDHC controllers Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 020/175] ext4: fix potential uninitialized access to retval in kmmpd Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 021/175] arm64: dts: armada-3720-turris-mox: remove mrvl,i2c-fast-mode Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 022/175] ALSA: usb-audio: fix incorrect clock source setting Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 023/175] riscv: stacktrace: Fix NULL pointer dereference Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 024/175] clk: stm32f4: fix post divisor setup for I2S/SAI PLLs Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 025/175] ARM: dts: am437x-l4: fix typo in can@0 node Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 026/175] omap5-board-common: remove not physically existing vdds_1v8_main fixed-regulator Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 027/175] dmaengine: uniphier-xdmac: Use readl_poll_timeout_atomic() in atomic state Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 028/175] clk: tegra: Implement disable_unused() of tegra_clk_sdmmc_mux_ops Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 029/175] dmaengine: stm32-dma: Fix PM usage counter imbalance in stm32 dma ops Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 030/175] dmaengine: stm32-dmamux: Fix PM usage counter unbalance in stm32 dmamux ops Greg Kroah-Hartman
2021-08-10 17:28 ` [PATCH 5.13 031/175] spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 032/175] spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 033/175] drm/kmb: Enable LCD DMA for low TVDDCV Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 034/175] scsi: sr: Return correct event when media event code is 3 Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 035/175] media: videobuf2-core: dequeue if start_streaming fails Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 036/175] ARM: dts: stm32: Prefer HW RTC on DHCOM SoM Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 037/175] ARM: dts: stm32: Disable LAN8710 EDPD on DHCOM Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 038/175] ARM: dts: stm32: Fix touchscreen IRQ line assignment " Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 039/175] dmaengine: imx-dma: configure the generic DMA type to make it work Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 040/175] net, gro: Set inner transport header offset in tcp/udp GRO hook Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 041/175] net: dsa: sja1105: overwrite dynamic FDB entries with static ones in .port_fdb_add Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 042/175] net: dsa: sja1105: invalidate dynamic FDB entries learned concurrently with statically added ones Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 043/175] net: dsa: sja1105: ignore the FDB entry for unknown multicast when adding a new address Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 044/175] net: dsa: sja1105: be stateless with FDB entries on SJA1105P/Q/R/S/SJA1110 too Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 045/175] net: dsa: sja1105: match FDB entries regardless of inner/outer VLAN tag Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 046/175] net: phy: micrel: Fix detection of ksz87xx switch Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 047/175] net: natsemi: Fix missing pci_disable_device() in probe and remove Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 048/175] gpio: tqmx86: really make IRQ optional Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 049/175] RDMA/mlx5: Delay emptying a cache entry when a new MR is added to it recently Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 050/175] net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 051/175] sctp: move the active_key update after sh_keys is added Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 052/175] drm/i915: Call i915_globals_exit() if pci_register_device() fails Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 053/175] nfp: update ethtool reporting of pauseframe control Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 054/175] net: ipv6: fix returned variable type in ip6_skb_dst_mtu Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 055/175] RDMA/hns: Fix the double unlock problem of poll_sem Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 056/175] net: dsa: qca: ar9331: reorder MDIO write sequence Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 057/175] riscv: Disable STACKPROTECTOR_PER_TASK if GCC_PLUGIN_RANDSTRUCT is enabled Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 058/175] net: sched: fix lockdep_set_class() typo error for sch->seqlock Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 059/175] drm/i915: fix i915_globals_exit() section mismatch error Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 060/175] MIPS: check return value of pgtable_pmd_page_ctor Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 061/175] x86/tools/relocs: Fix non-POSIX regexp Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 062/175] mips: " Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 063/175] kbuild: cancel sub_make_done for the install target to fix DKMS Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 064/175] bnx2x: fix an error code in bnx2x_nic_load() Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 065/175] net: ethernet: ti: am65-cpsw: fix crash in am65_cpsw_port_offload_fwd_mark_update() Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 066/175] net: pegasus: fix uninit-value in get_interrupt_interval Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 067/175] net: fec: fix use-after-free in fec_drv_remove Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 068/175] net: vxge: fix use-after-free in vxge_device_unregister Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 069/175] blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit() Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 070/175] Bluetooth: defer cleanup of resources in hci_unregister_dev() Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 071/175] io-wq: fix no lock protection of acct->nr_worker Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 072/175] io-wq: fix lack of acct->nr_workers < acct->max_workers judgement Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 073/175] USB: usbtmc: Fix RCU stall warning Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 074/175] USB: serial: option: add Telit FD980 composition 0x1056 Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 075/175] USB: serial: ch341: fix character loss at high transfer rates Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 076/175] USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2 Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 077/175] USB: serial: pl2303: fix HX type detection Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 078/175] USB: serial: pl2303: fix GT " Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 079/175] firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 080/175] firmware_loader: fix use-after-free in firmware_fallback_sysfs Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 081/175] drm/amdgpu: fix checking pmops when PM_SLEEP is not enabled Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 082/175] drm/amdgpu/display: fix DMUB firmware version info Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 083/175] ALSA: pcm - fix mmap capability check for the snd-dummy driver Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 084/175] ALSA: hda/realtek: add mic quirk for Acer SF314-42 Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 085/175] ALSA: hda/realtek: Fix headset mic for Acer SWIFT SF314-56 (ALC256) Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 086/175] ALSA: usb-audio: Fix superfluous autosuspend recovery Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 087/175] ALSA: usb-audio: Add registration quirk for JBL Quantum 600 Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 088/175] ALSA: usb-audio: Avoid unnecessary or invalid connector selection at resume Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 089/175] usb: dwc3: gadget: Use list_replace_init() before traversing lists Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 090/175] usb: dwc3: gadget: Avoid runtime resume if disabling pullup Greg Kroah-Hartman
2021-08-10 17:29 ` [PATCH 5.13 091/175] usb: gadget: remove leaked entry from udc driver list Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 092/175] usb: cdns3: Fixed incorrect gadget state Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 093/175] usb: cdnsp: Fixed issue with ZLP Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 094/175] usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 095/175] usb: gadget: f_hid: fixed NULL pointer dereference Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 096/175] usb: gadget: f_hid: idle uses the highest byte for duration Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 097/175] usb: host: ohci-at91: suspend/resume ports after/before OHCI accesses Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 098/175] usb: typec: tcpm: Keep other events when receiving FRS and Sourcing_vbus events Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 099/175] usb: otg-fsm: Fix hrtimer list corruption Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 100/175] clk: fix leak on devm_clk_bulk_get_all() unwind Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 101/175] scripts/tracing: fix the bug that cant parse raw_trace_func Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 102/175] tracing / histogram: Give calculation hist_fields a size Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 103/175] tracing: Reject string operand in the histogram expression Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 104/175] tracing: Fix NULL pointer dereference in start_creating Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 105/175] tracepoint: static call: Compare data on transition from 2->1 callees Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 106/175] tracepoint: Fix static call function vs data state mismatch Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 107/175] tracepoint: Use rcu get state and cond sync for static call updates Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 108/175] arm64: stacktrace: avoid tracing arch_stack_walk() Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 109/175] optee: Clear stale cache entries during initialization Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 110/175] tee: add tee_shm_alloc_kernel_buf() Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 111/175] tee: Correct inappropriate usage of TEE_SHM_DMA_BUF flag Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 112/175] optee: Fix memory leak when failing to register shm pages Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 113/175] optee: Refuse to load the driver under the kdump kernel Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 114/175] optee: fix tee out of memory failure seen during kexec reboot Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 115/175] tpm_ftpm_tee: Free and unregister TEE shared memory during kexec Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 116/175] staging: rtl8723bs: Fix a resource leak in sd_int_dpc Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 117/175] staging: rtl8712: get rid of flush_scheduled_work Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 118/175] staging: rtl8712: error handling refactoring Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 119/175] drivers core: Fix oops when driver probe fails Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 120/175] media: rtl28xxu: fix zero-length control request Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 121/175] pipe: increase minimum default pipe size to 2 pages Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 122/175] ext4: fix potential htree corruption when growing large_dir directories Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 123/175] Revert "thunderbolt: Hide authorized attribute if router does not support PCIe tunnels" Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 124/175] serial: tegra: Only print FIFO error message when an error occurs Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 125/175] serial: 8250_mtk: fix uart corruption issue when rx power off Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 126/175] serial: 8250: Mask out floating 16/32-bit bus bits Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 127/175] serial: 8250: fix handle_irq locking Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 128/175] MIPS: Malta: Do not byte-swap accesses to the CBUS UART Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 129/175] serial: 8250_pci: Enumerate Elkhart Lake UARTs via dedicated driver Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 130/175] serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 131/175] fpga: dfl: fme: Fix cpu hotplug issue in performance reporting Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 132/175] timers: Move clearing of base::timer_running under base:: Lock Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 133/175] virt: acrn: Do hcall_destroy_vm() before resource release Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 134/175] perf: Fix required permissions if sigtrap is requested Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 135/175] xfrm: Fix RCU vs hash_resize_mutex lock inversion Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 136/175] net/xfrm/compat: Copy xfrm_spdattr_type_t atributes Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 137/175] pcmcia: i82092: fix a null pointer dereference bug Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 138/175] scsi: ibmvfc: Fix command state accounting and stale response detection Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 139/175] selinux: correct the return value when loads initial sids Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 140/175] bus: ti-sysc: AM3: RNG is GP only Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 141/175] Revert "gpio: mpc8xxx: change the gpio interrupt flags." Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 142/175] arm64: fix compat syscall return truncation Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 143/175] ARM: omap2+: hwmod: fix potential NULL pointer access Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 144/175] md/raid10: properly indicate failure when ending a failed write request Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 145/175] io-wq: fix race between worker exiting and activating free worker Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 146/175] s390/dasd: fix use after free in dasd path handling Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 147/175] KVM: x86: accept userspace interrupt only if no event is injected Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 148/175] KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 149/175] KVM: Do not leak memory for duplicate debugfs directories Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 150/175] KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds Greg Kroah-Hartman
2021-08-10 17:30 ` [PATCH 5.13 151/175] soc: ixp4xx: fix printing resources Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 152/175] interconnect: Fix undersized devress_alloc allocation Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 153/175] usb: cdnsp: Fix the IMAN_IE_SET and IMAN_IE_CLEAR macro Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 154/175] usb: cdnsp: Fix incorrect supported maximum speed Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 155/175] spi: meson-spicc: fix memory leak in meson_spicc_remove Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 156/175] interconnect: Zero initial BW after sync-state Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 157/175] interconnect: Always call pre_aggregate before aggregate Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 158/175] interconnect: qcom: icc-rpmh: Ensure floor BW is enforced for all nodes Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 159/175] interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate Greg Kroah-Hartman
2021-08-11 15:50   ` Georgi Djakov
2021-08-12  6:45     ` Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 160/175] drm/i915: Correct SFC_DONE register offset Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 161/175] soc: ixp4xx/qmgr: fix invalid __iomem access Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 162/175] perf/x86/amd: Dont touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 163/175] sched/rt: Fix double enqueue caused by rt_effective_prio Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 164/175] riscv: dts: fix memory size for the SiFive HiFive Unmatched Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 165/175] libata: fix ata_pio_sector for CONFIG_HIGHMEM Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 166/175] reiserfs: add check for root_inode in reiserfs_fill_super Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 167/175] reiserfs: check directory items on read from disk Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 168/175] virt_wifi: fix error on connect Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 169/175] net: qede: Fix end of loop tests for list_for_each_entry Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 170/175] alpha: Send stop IPI to send to online CPUs Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 171/175] net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 172/175] smb3: rc uninitialized in one fallocate path Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 173/175] drm/amdgpu/display: only enable aux backlight control for OLED panels Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 174/175] platform/x86: gigabyte-wmi: add support for B550 Aorus Elite V2 Greg Kroah-Hartman
2021-08-10 17:31 ` [PATCH 5.13 175/175] HID: ft260: fix device removal due to USB disconnect Greg Kroah-Hartman
2021-08-10 20:31 ` [PATCH 5.13 000/175] 5.13.10-rc1 review Fox Chen
2021-08-11 16:21 ` Naresh Kamboju
2021-08-11 19:35 ` Justin Forbes
2021-08-11 20:00 ` Guenter Roeck
2021-08-11 22:20 ` Shuah Khan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).