stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 5.10 00/98] 5.10.165-rc1 review
@ 2023-01-22 15:03 Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 01/98] btrfs: fix trace event name typo for FLUSH_DELAYED_REFS Greg Kroah-Hartman
                   ` (100 more replies)
  0 siblings, 101 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow

This is the start of the stable review cycle for the 5.10.165 release.
There are 98 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue, 24 Jan 2023 15:02:08 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.165-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.10.165-rc1

Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
    Bluetooth: hci_qca: Fixed issue during suspend

Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
    Bluetooth: hci_qca: check for SSR triggered flag while suspend

Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
    Bluetooth: hci_qca: Wait for SSR completion during suspend

Stephan Gerhold <stephan@gerhold.net>
    soc: qcom: apr: Make qcom,protection-domain optional again

Eric Dumazet <edumazet@google.com>
    Revert "wifi: mac80211: fix memory leak in ieee80211_if_add()"

Yang Yingliang <yangyingliang@huawei.com>
    net/mlx5: fix missing mutex_unlock in mlx5_fw_fatal_reporter_err_work()

Paolo Abeni <pabeni@redhat.com>
    net/ulp: use consistent error code when blocking ULP

Stefan Metzmacher <metze@samba.org>
    io_uring/net: fix fast_iov assignment in io_setup_async_msg()

Jens Axboe <axboe@kernel.dk>
    io_uring: io_kiocb_update_pos() should not touch file for non -1 offset

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/vmlinux.lds: Don't discard .comment

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/vmlinux.lds: Don't discard .rela* for relocatable builds

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT

Masahiro Yamada <masahiroy@kernel.org>
    s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36

Masahiro Yamada <masahiroy@kernel.org>
    arch: fix broken BuildID for arm64 and riscv

Steven Rostedt (Google) <rostedt@goodmis.org>
    tracing: Use alignof__(struct {type b;}) instead of offsetof()

YingChi Long <me@inclyc.cn>
    x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN

Alex Deucher <alexander.deucher@amd.com>
    Revert "drm/amdgpu: make display pinning more flexible (v2)"

Ard Biesheuvel <ardb@kernel.org>
    efi: rt-wrapper: Add missing include

Ard Biesheuvel <ardb@kernel.org>
    arm64: efi: Execute runtime services from a dedicated stack

Joshua Ashton <joshua@froggi.es>
    drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix

Joshua Ashton <joshua@froggi.es>
    drm/amd/display: Calculate output_color_space after pixel encoding adjustment

hongao <hongao@uniontech.com>
    drm/amd/display: Fix set scaling doesn's work

Sasa Dragic <sasa.dragic@gmail.com>
    drm/i915: re-disable RC6p on Sandy Bridge

Alexander Usyskin <alexander.usyskin@intel.com>
    mei: me: add meteor lake point M DID

Khazhismel Kumykov <khazhy@chromium.org>
    gsmi: fix null-deref in gsmi_get_variable

Tobias Schramm <t.schramm@manjaro.org>
    serial: atmel: fix incorrect baudrate setup

Mohan Kumar <mkumard@nvidia.com>
    dmaengine: tegra210-adma: fix global intr clear

Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    serial: pch_uart: Pass correct sg to dma_unmap_sg()

Heiner Kallweit <hkallweit1@gmail.com>
    dt-bindings: phy: g12a-usb3-pcie-phy: fix compatible string documentation

Heiner Kallweit <hkallweit1@gmail.com>
    dt-bindings: phy: g12a-usb2-phy: fix compatible string documentation

Juhyung Park <qkrwngud825@gmail.com>
    usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210

Maciej Żenczykowski <maze@google.com>
    usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()

Daniel Scally <dan.scally@ideasonboard.com>
    usb: gadget: g_webcam: Send color matching descriptor per frame

Prashant Malani <pmalani@chromium.org>
    usb: typec: altmodes/displayport: Fix pin assignment calculation

Prashant Malani <pmalani@chromium.org>
    usb: typec: altmodes/displayport: Add pin assignment helper

Alexander Stein <alexander.stein@ew.tq-group.com>
    usb: host: ehci-fsl: Fix module alias

Michael Adler <michael.adler@siemens.com>
    USB: serial: cp210x: add SCALANCE LPE-9000 device id

Alan Stern <stern@rowland.harvard.edu>
    USB: gadgetfs: Fix race between mounting and unmounting

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer

Mika Westerberg <mika.westerberg@linux.intel.com>
    thunderbolt: Use correct function to calculate maximum USB3 link rate

Enzo Matsumiya <ematsumiya@suse.de>
    cifs: do not include page data when checking signature

Filipe Manana <fdmanana@suse.com>
    btrfs: fix race between quota rescan and disable leading to NULL pointer deref

Haibo Chen <haibo.chen@nxp.com>
    mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting

Samuel Holland <samuel@sholland.org>
    mmc: sunxi-mmc: Fix clock refcount imbalance during unbind

Ian Abbott <abbotti@mev.co.uk>
    comedi: adv_pci1760: Fix PWM instruction handling

Flavio Suligoi <f.suligoi@asem.it>
    usb: core: hub: disable autosuspend for TI TUSB8041

Ola Jeppsson <ola@snap.com>
    misc: fastrpc: Fix use-after-free race condition for maps

Abel Vesa <abel.vesa@linaro.org>
    misc: fastrpc: Don't remove map on creater_process and device_release

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100

Arnd Bergmann <arnd@arndb.de>
    staging: vchiq_arm: fix enum vchiq_status return types

Duke Xin(辛安文) <duke_xinanwen@163.com>
    USB: serial: option: add Quectel EM05CN modem

Duke Xin(辛安文) <duke_xinanwen@163.com>
    USB: serial: option: add Quectel EM05CN (SG) modem

Ali Mirghasemi <ali.mirghasemi1376@gmail.com>
    USB: serial: option: add Quectel EC200U modem

Duke Xin(辛安文) <duke_xinanwen@163.com>
    USB: serial: option: add Quectel EM05-G (RS) modem

Duke Xin(辛安文) <duke_xinanwen@163.com>
    USB: serial: option: add Quectel EM05-G (CS) modem

Duke Xin(辛安文) <duke_xinanwen@163.com>
    USB: serial: option: add Quectel EM05-G (GR) modem

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    prlimit: do_prlimit needs to have a speculation check

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables

Mathias Nyman <mathias.nyman@linux.intel.com>
    usb: acpi: add helper to check port lpm capability using acpi _DSM

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Add a flag to disable USB3 lpm on a xhci root port level.

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Add update_hub_device override for PCI xHCI hosts

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Fix null pointer dereference when host dies

Jimmy Hu <hhhuuu@google.com>
    usb: xhci: Check endpoint is valid before dereferencing it

Ricardo Ribalda <ribalda@chromium.org>
    xhci-pci: set the dma max_seg_size

Jens Axboe <axboe@kernel.dk>
    io_uring/rw: defer fsnotify calls to task context

Dylan Yudaken <dylany@fb.com>
    io_uring: do not recalculate ppos unnecessarily

Dylan Yudaken <dylany@fb.com>
    io_uring: update kiocb->ki_pos at execution time

Dylan Yudaken <dylany@fb.com>
    io_uring: remove duplicated calls to io_kiocb_ppos

Jens Axboe <axboe@kernel.dk>
    io_uring: ensure that cached task references are always put on exit

Pavel Begunkov <asml.silence@gmail.com>
    io_uring: fix CQ waiting timeout handling

Pavel Begunkov <asml.silence@gmail.com>
    io_uring: lock overflowing for IOPOLL

Jens Axboe <axboe@kernel.dk>
    io_uring: check for valid register opcode earlier

Dylan Yudaken <dylany@meta.com>
    io_uring: fix async accept on O_NONBLOCK sockets

Jens Axboe <axboe@kernel.dk>
    io_uring: allow re-poll if we made progress

Jens Axboe <axboe@kernel.dk>
    io_uring: support MSG_WAITALL for IORING_OP_SEND(MSG)

Jens Axboe <axboe@kernel.dk>
    io_uring: add flag for disabling provided buffer recycling

Jens Axboe <axboe@kernel.dk>
    io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly

Pavel Begunkov <asml.silence@gmail.com>
    io_uring: improve send/recv error handling

Jens Axboe <axboe@kernel.dk>
    io_uring: don't gate task_work run on TIF_NOTIFY_SIGNAL

Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Bluetooth: hci_qca: Fix driver shutdown on closed serdev

Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
    Bluetooth: hci_qca: Wait for timeout during suspend

Chris Wilson <chris@chris-wilson.co.uk>
    drm/i915/gt: Reset twice

Yuchi Yang <yangyuchi66@gmail.com>
    ALSA: hda/realtek - Turn on power early

Ding Hui <dinghui@sangfor.com.cn>
    efi: fix userspace infinite retry read efivars after EFI runtime services page fault

Ryusuke Konishi <konishi.ryusuke@gmail.com>
    nilfs2: fix general protection fault in nilfs_btree_insert()

Damien Le Moal <damien.lemoal@opensource.wdc.com>
    zonefs: Detect append writes at invalid locations

Shawn.Shao <shawn.shao@jaguarmicro.com>
    Add exception protection processing for vd in axi_chan_handle_err function

Alexander Wetzel <alexander@wetzel-home.de>
    wifi: mac80211: sdata can be NULL during AMPDU start

Arend van Spriel <arend.vanspriel@broadcom.com>
    wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices

Jaegeuk Kim <jaegeuk@kernel.org>
    f2fs: let's avoid panic if extent_tree is not created

Mikulas Patocka <mpatocka@redhat.com>
    x86/asm: Fix an assembler warning with current binutils

Qu Wenruo <wqu@suse.com>
    btrfs: always report error in run_one_delayed_ref()

Jiri Slaby (SUSE) <jirislaby@kernel.org>
    RDMA/srp: Move large values to a new enum for gcc13

Daniil Tatianin <d-tatianin@yandex-team.ru>
    net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats

Ricardo Cañuelo <ricardo.canuelo@collabora.com>
    tools/virtio: initialize spinlocks in vring_test.c

Hao Sun <sunhao.th@gmail.com>
    selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID

Olga Kornievskaia <olga.kornievskaia@gmail.com>
    pNFS/filelayout: Fix coalescing test for single DS

Naohiro Aota <naohiro.aota@wdc.com>
    btrfs: fix trace event name typo for FLUSH_DELAYED_REFS


-------------

Diffstat:

 ...2a-usb2-phy.yaml => amlogic,g12a-usb2-phy.yaml} |   8 +-
 ...ie-phy.yaml => amlogic,g12a-usb3-pcie-phy.yaml} |   6 +-
 Makefile                                           |   4 +-
 arch/arm64/include/asm/efi.h                       |   3 +
 arch/arm64/kernel/efi-rt-wrapper.S                 |  14 +-
 arch/arm64/kernel/efi.c                            |  27 +++
 arch/powerpc/kernel/vmlinux.lds.S                  |   6 +-
 arch/s390/kernel/vmlinux.lds.S                     |   2 +
 arch/x86/kernel/fpu/init.c                         |   7 +-
 arch/x86/lib/iomap_copy_64.S                       |   2 +-
 drivers/bluetooth/hci_qca.c                        |  68 ++++++-
 drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c     |   6 +
 drivers/dma/tegra210-adma.c                        |   2 +-
 drivers/firmware/efi/runtime-wrappers.c            |   1 +
 drivers/firmware/google/gsmi.c                     |   7 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_object.c         |   3 +-
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c  |   8 +-
 .../gpu/drm/amd/display/dc/core/dc_hw_sequencer.c  |   4 +-
 drivers/gpu/drm/i915/gt/intel_reset.c              |  34 +++-
 drivers/gpu/drm/i915/i915_pci.c                    |   3 +-
 drivers/infiniband/ulp/srp/ib_srp.h                |   8 +-
 drivers/misc/fastrpc.c                             |  26 +--
 drivers/misc/mei/hw-me-regs.h                      |   2 +
 drivers/misc/mei/pci-me.c                          |   2 +
 drivers/mmc/host/sdhci-esdhc-imx.c                 |  22 +-
 drivers/mmc/host/sunxi-mmc.c                       |   8 +-
 drivers/net/ethernet/mellanox/mlx5/core/health.c   |   1 +
 .../wireless/broadcom/brcm80211/brcmfmac/pcie.c    |   2 +-
 drivers/soc/qcom/apr.c                             |   3 +-
 drivers/staging/comedi/drivers/adv_pci1760.c       |   2 +-
 .../include/linux/raspberrypi/vchiq.h              |   2 +-
 .../vc04_services/interface/vchiq_arm/vchiq_arm.h  |   4 +-
 drivers/thunderbolt/tunnel.c                       |   2 +-
 drivers/tty/serial/atmel_serial.c                  |   8 +-
 drivers/tty/serial/pch_uart.c                      |   2 +-
 drivers/tty/serial/qcom_geni_serial.c              |  18 +-
 drivers/usb/core/hub.c                             |  13 ++
 drivers/usb/core/usb-acpi.c                        |  65 ++++++
 drivers/usb/gadget/function/f_ncm.c                |   4 +-
 drivers/usb/gadget/legacy/inode.c                  |  28 ++-
 drivers/usb/gadget/legacy/webcam.c                 |   3 +
 drivers/usb/host/ehci-fsl.c                        |   2 +-
 drivers/usb/host/xhci-pci.c                        |  45 +++++
 drivers/usb/host/xhci-ring.c                       |   5 +-
 drivers/usb/host/xhci.c                            |  18 +-
 drivers/usb/host/xhci.h                            |   5 +
 drivers/usb/misc/iowarrior.c                       |   2 +-
 drivers/usb/serial/cp210x.c                        |   1 +
 drivers/usb/serial/option.c                        |  17 ++
 drivers/usb/storage/uas-detect.h                   |  13 ++
 drivers/usb/storage/unusual_uas.h                  |   7 -
 drivers/usb/typec/altmodes/displayport.c           |  22 +-
 fs/btrfs/extent-tree.c                             |   7 +-
 fs/btrfs/qgroup.c                                  |  25 ++-
 fs/cifs/smb2pdu.c                                  |  15 +-
 fs/f2fs/extent_cache.c                             |   3 +-
 fs/nfs/filelayout/filelayout.c                     |   8 +
 fs/nilfs2/btree.c                                  |  15 +-
 fs/zonefs/super.c                                  |  22 ++
 include/asm-generic/vmlinux.lds.h                  |   5 +
 include/linux/usb.h                                |   3 +
 include/trace/events/btrfs.h                       |   2 +-
 include/trace/trace_events.h                       |   2 +-
 io_uring/io-wq.c                                   |   2 +-
 io_uring/io_uring.c                                | 225 +++++++++++++++------
 kernel/sys.c                                       |   2 +
 net/ethtool/ioctl.c                                |   3 +-
 net/ipv4/tcp_ulp.c                                 |   2 +-
 net/mac80211/agg-tx.c                              |   6 +-
 net/mac80211/driver-ops.c                          |   3 +
 net/mac80211/iface.c                               |   1 -
 sound/pci/hda/patch_realtek.c                      |  30 +--
 .../selftests/bpf/prog_tests/jeq_infer_not_null.c  |   9 +
 .../selftests/bpf/progs/jeq_infer_not_null_fail.c  |  42 ++++
 tools/virtio/vringh_test.c                         |   2 +
 75 files changed, 799 insertions(+), 212 deletions(-)



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 01/98] btrfs: fix trace event name typo for FLUSH_DELAYED_REFS
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 02/98] pNFS/filelayout: Fix coalescing test for single DS Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Naohiro Aota,
	David Sterba, Sasha Levin

From: Naohiro Aota <naohiro.aota@wdc.com>

[ Upstream commit 0a3212de8ab3e2ce5808c6265855e528d4a6767b ]

Fix a typo of printing FLUSH_DELAYED_REFS event in flush_space() as
FLUSH_ELAYED_REFS.

Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/trace/events/btrfs.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
index ecd24c719de4..041be3ce1071 100644
--- a/include/trace/events/btrfs.h
+++ b/include/trace/events/btrfs.h
@@ -95,7 +95,7 @@ struct btrfs_space_info;
 	EM( FLUSH_DELALLOC,		"FLUSH_DELALLOC")		\
 	EM( FLUSH_DELALLOC_WAIT,	"FLUSH_DELALLOC_WAIT")		\
 	EM( FLUSH_DELAYED_REFS_NR,	"FLUSH_DELAYED_REFS_NR")	\
-	EM( FLUSH_DELAYED_REFS,		"FLUSH_ELAYED_REFS")		\
+	EM( FLUSH_DELAYED_REFS,		"FLUSH_DELAYED_REFS")		\
 	EM( ALLOC_CHUNK,		"ALLOC_CHUNK")			\
 	EM( ALLOC_CHUNK_FORCE,		"ALLOC_CHUNK_FORCE")		\
 	EM( RUN_DELAYED_IPUTS,		"RUN_DELAYED_IPUTS")		\
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 02/98] pNFS/filelayout: Fix coalescing test for single DS
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 01/98] btrfs: fix trace event name typo for FLUSH_DELAYED_REFS Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 03/98] selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, Trond Myklebust,
	Sasha Levin

From: Olga Kornievskaia <olga.kornievskaia@gmail.com>

[ Upstream commit a6b9d2fa0024e7e399c26facd0fb466b7396e2b9 ]

When there is a single DS no striping constraints need to be placed on
the IO. When such constraint is applied then buffered reads don't
coalesce to the DS's rsize.

Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/filelayout/filelayout.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/fs/nfs/filelayout/filelayout.c b/fs/nfs/filelayout/filelayout.c
index ae5ed3a07494..deecfb50dd7e 100644
--- a/fs/nfs/filelayout/filelayout.c
+++ b/fs/nfs/filelayout/filelayout.c
@@ -783,6 +783,12 @@ filelayout_alloc_lseg(struct pnfs_layout_hdr *layoutid,
 	return &fl->generic_hdr;
 }
 
+static bool
+filelayout_lseg_is_striped(const struct nfs4_filelayout_segment *flseg)
+{
+	return flseg->num_fh > 1;
+}
+
 /*
  * filelayout_pg_test(). Called by nfs_can_coalesce_requests()
  *
@@ -803,6 +809,8 @@ filelayout_pg_test(struct nfs_pageio_descriptor *pgio, struct nfs_page *prev,
 	size = pnfs_generic_pg_test(pgio, prev, req);
 	if (!size)
 		return 0;
+	else if (!filelayout_lseg_is_striped(FILELAYOUT_LSEG(pgio->pg_lseg)))
+		return size;
 
 	/* see if req and prev are in the same stripe */
 	if (prev) {
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 03/98] selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 01/98] btrfs: fix trace event name typo for FLUSH_DELAYED_REFS Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 02/98] pNFS/filelayout: Fix coalescing test for single DS Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 04/98] tools/virtio: initialize spinlocks in vring_test.c Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hao Sun, Martin KaFai Lau, Sasha Levin

From: Hao Sun <sunhao.th@gmail.com>

[ Upstream commit cedebd74cf3883f0384af9ec26b4e6f8f1964dd4 ]

Verify that nullness information is not porpagated in the branches
of register to register JEQ and JNE operations if one of them is
PTR_TO_BTF_ID. Implement this in C level so we can use CO-RE.

Signed-off-by: Hao Sun <sunhao.th@gmail.com>
Suggested-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://lore.kernel.org/r/20221222024414.29539-2-sunhao.th@gmail.com
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../bpf/prog_tests/jeq_infer_not_null.c       |  9 ++++
 .../bpf/progs/jeq_infer_not_null_fail.c       | 42 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/jeq_infer_not_null.c
 create mode 100644 tools/testing/selftests/bpf/progs/jeq_infer_not_null_fail.c

diff --git a/tools/testing/selftests/bpf/prog_tests/jeq_infer_not_null.c b/tools/testing/selftests/bpf/prog_tests/jeq_infer_not_null.c
new file mode 100644
index 000000000000..3add34df5767
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/jeq_infer_not_null.c
@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+#include "jeq_infer_not_null_fail.skel.h"
+
+void test_jeq_infer_not_null(void)
+{
+	RUN_TESTS(jeq_infer_not_null_fail);
+}
diff --git a/tools/testing/selftests/bpf/progs/jeq_infer_not_null_fail.c b/tools/testing/selftests/bpf/progs/jeq_infer_not_null_fail.c
new file mode 100644
index 000000000000..f46965053acb
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/jeq_infer_not_null_fail.c
@@ -0,0 +1,42 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+
+char _license[] SEC("license") = "GPL";
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 1);
+	__type(key, u64);
+	__type(value, u64);
+} m_hash SEC(".maps");
+
+SEC("?raw_tp")
+__failure __msg("R8 invalid mem access 'map_value_or_null")
+int jeq_infer_not_null_ptr_to_btfid(void *ctx)
+{
+	struct bpf_map *map = (struct bpf_map *)&m_hash;
+	struct bpf_map *inner_map = map->inner_map_meta;
+	u64 key = 0, ret = 0, *val;
+
+	val = bpf_map_lookup_elem(map, &key);
+	/* Do not mark ptr as non-null if one of them is
+	 * PTR_TO_BTF_ID (R9), reject because of invalid
+	 * access to map value (R8).
+	 *
+	 * Here, we need to inline those insns to access
+	 * R8 directly, since compiler may use other reg
+	 * once it figures out val==inner_map.
+	 */
+	asm volatile("r8 = %[val];\n"
+		     "r9 = %[inner_map];\n"
+		     "if r8 != r9 goto +1;\n"
+		     "%[ret] = *(u64 *)(r8 +0);\n"
+		     : [ret] "+r"(ret)
+		     : [inner_map] "r"(inner_map), [val] "r"(val)
+		     : "r8", "r9");
+
+	return ret;
+}
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 04/98] tools/virtio: initialize spinlocks in vring_test.c
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 03/98] selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 05/98] net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ricardo Cañuelo,
	Michael S. Tsirkin, Xuan Zhuo, Sasha Levin

From: Ricardo Cañuelo <ricardo.canuelo@collabora.com>

[ Upstream commit c262f75cb6bb5a63828e72ce3b8fe808e5029479 ]

The virtio_device vqs_list spinlocks must be initialized before use to
prevent functions that manipulate the device virtualqueues, such as
vring_new_virtqueue(), from blocking indefinitely.

Signed-off-by: Ricardo Cañuelo <ricardo.canuelo@collabora.com>
Message-Id: <20221012062949.1526176-1-ricardo.canuelo@collabora.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/virtio/vringh_test.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/virtio/vringh_test.c b/tools/virtio/vringh_test.c
index fa87b58bd5fa..98ff808d6f0c 100644
--- a/tools/virtio/vringh_test.c
+++ b/tools/virtio/vringh_test.c
@@ -308,6 +308,7 @@ static int parallel_test(u64 features,
 
 		gvdev.vdev.features = features;
 		INIT_LIST_HEAD(&gvdev.vdev.vqs);
+		spin_lock_init(&gvdev.vdev.vqs_list_lock);
 		gvdev.to_host_fd = to_host[1];
 		gvdev.notifies = 0;
 
@@ -455,6 +456,7 @@ int main(int argc, char *argv[])
 	getrange = getrange_iov;
 	vdev.features = 0;
 	INIT_LIST_HEAD(&vdev.vqs);
+	spin_lock_init(&vdev.vqs_list_lock);
 
 	while (argv[1]) {
 		if (strcmp(argv[1], "--indirect") == 0)
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 05/98] net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 04/98] tools/virtio: initialize spinlocks in vring_test.c Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 06/98] RDMA/srp: Move large values to a new enum for gcc13 Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Daniil Tatianin, Andrew Lunn,
	David S. Miller, Sasha Levin

From: Daniil Tatianin <d-tatianin@yandex-team.ru>

[ Upstream commit 9deb1e9fb88b1120a908676fa33bdf9e2eeaefce ]

It's not very useful to copy back an empty ethtool_stats struct and
return 0 if we didn't actually have any stats. This also allows for
further simplification of this function in the future commits.

Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ethtool/ioctl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 47c2dd4a9b9f..12bf740e2fb3 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -2052,7 +2052,8 @@ static int ethtool_get_phy_stats(struct net_device *dev, void __user *useraddr)
 		return n_stats;
 	if (n_stats > S32_MAX / sizeof(u64))
 		return -ENOMEM;
-	WARN_ON_ONCE(!n_stats);
+	if (WARN_ON_ONCE(!n_stats))
+		return -EOPNOTSUPP;
 
 	if (copy_from_user(&stats, useraddr, sizeof(stats)))
 		return -EFAULT;
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 06/98] RDMA/srp: Move large values to a new enum for gcc13
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 05/98] net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 07/98] btrfs: always report error in run_one_delayed_ref() Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jiri Slaby (SUSE),
	Bart Van Assche, Leon Romanovsky, Sasha Levin

From: Jiri Slaby (SUSE) <jirislaby@kernel.org>

[ Upstream commit 56c5dab20a6391604df9521f812c01d1e3fe1bd0 ]

Since gcc13, each member of an enum has the same type as the enum [1]. And
that is inherited from its members. Provided these two:
  SRP_TAG_NO_REQ        = ~0U,
  SRP_TAG_TSK_MGMT	= 1U << 31
all other members are unsigned ints.

Esp. with SRP_MAX_SGE and SRP_TSK_MGMT_SQ_SIZE and their use in min(),
this results in the following warnings:
  include/linux/minmax.h:20:35: error: comparison of distinct pointer types lacks a cast
  drivers/infiniband/ulp/srp/ib_srp.c:563:42: note: in expansion of macro 'min'

  include/linux/minmax.h:20:35: error: comparison of distinct pointer types lacks a cast
  drivers/infiniband/ulp/srp/ib_srp.c:2369:27: note: in expansion of macro 'min'

So move the large values away to a separate enum, so that they don't
affect other members.

[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=36113

Link: https://lore.kernel.org/r/20221212120411.13750-1-jirislaby@kernel.org
Signed-off-by: Jiri Slaby (SUSE) <jirislaby@kernel.org>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/ulp/srp/ib_srp.h | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/infiniband/ulp/srp/ib_srp.h b/drivers/infiniband/ulp/srp/ib_srp.h
index 6818cac0a3b7..85bac20d9007 100644
--- a/drivers/infiniband/ulp/srp/ib_srp.h
+++ b/drivers/infiniband/ulp/srp/ib_srp.h
@@ -62,9 +62,6 @@ enum {
 	SRP_DEFAULT_CMD_SQ_SIZE = SRP_DEFAULT_QUEUE_SIZE - SRP_RSP_SQ_SIZE -
 				  SRP_TSK_MGMT_SQ_SIZE,
 
-	SRP_TAG_NO_REQ		= ~0U,
-	SRP_TAG_TSK_MGMT	= 1U << 31,
-
 	SRP_MAX_PAGES_PER_MR	= 512,
 
 	SRP_MAX_ADD_CDB_LEN	= 16,
@@ -79,6 +76,11 @@ enum {
 				  sizeof(struct srp_imm_buf),
 };
 
+enum {
+	SRP_TAG_NO_REQ		= ~0U,
+	SRP_TAG_TSK_MGMT	= BIT(31),
+};
+
 enum srp_target_state {
 	SRP_TARGET_SCANNING,
 	SRP_TARGET_LIVE,
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 07/98] btrfs: always report error in run_one_delayed_ref()
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 06/98] RDMA/srp: Move large values to a new enum for gcc13 Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 08/98] x86/asm: Fix an assembler warning with current binutils Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Anand Jain, Qu Wenruo, David Sterba,
	Sasha Levin

From: Qu Wenruo <wqu@suse.com>

[ Upstream commit 39f501d68ec1ed5cd5c66ac6ec2a7131c517bb92 ]

Currently we have a btrfs_debug() for run_one_delayed_ref() failure, but
if end users hit such problem, there will be no chance that
btrfs_debug() is enabled.  This can lead to very little useful info for
debugging.

This patch will:

- Add extra info for error reporting
  Including:
  * logical bytenr
  * num_bytes
  * type
  * action
  * ref_mod

- Replace the btrfs_debug() with btrfs_err()

- Move the error reporting into run_one_delayed_ref()
  This is to avoid use-after-free, the @node can be freed in the caller.

This error should only be triggered at most once.

As if run_one_delayed_ref() failed, we trigger the error message, then
causing the call chain to error out:

btrfs_run_delayed_refs()
`- btrfs_run_delayed_refs()
   `- btrfs_run_delayed_refs_for_head()
      `- run_one_delayed_ref()

And we will abort the current transaction in btrfs_run_delayed_refs().
If we have to run delayed refs for the abort transaction,
run_one_delayed_ref() will just cleanup the refs and do nothing, thus no
new error messages would be output.

Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/extent-tree.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 284294620e9f..7d9b8050b09c 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -1684,6 +1684,11 @@ static int run_one_delayed_ref(struct btrfs_trans_handle *trans,
 		BUG();
 	if (ret && insert_reserved)
 		btrfs_pin_extent(trans, node->bytenr, node->num_bytes, 1);
+	if (ret < 0)
+		btrfs_err(trans->fs_info,
+"failed to run delayed ref for logical %llu num_bytes %llu type %u action %u ref_mod %d: %d",
+			  node->bytenr, node->num_bytes, node->type,
+			  node->action, node->ref_mod, ret);
 	return ret;
 }
 
@@ -1935,8 +1940,6 @@ static int btrfs_run_delayed_refs_for_head(struct btrfs_trans_handle *trans,
 		if (ret) {
 			unselect_delayed_ref_head(delayed_refs, locked_ref);
 			btrfs_put_delayed_ref(ref);
-			btrfs_debug(fs_info, "run_one_delayed_ref returned %d",
-				    ret);
 			return ret;
 		}
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 08/98] x86/asm: Fix an assembler warning with current binutils
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 07/98] btrfs: always report error in run_one_delayed_ref() Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 09/98] f2fs: lets avoid panic if extent_tree is not created Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mikulas Patocka, Ingo Molnar,
	linux-kernel, Sasha Levin

From: Mikulas Patocka <mpatocka@redhat.com>

[ Upstream commit 55d235361fccef573990dfa5724ab453866e7816 ]

Fix a warning: "found `movsd'; assuming `movsl' was meant"

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/lib/iomap_copy_64.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/lib/iomap_copy_64.S b/arch/x86/lib/iomap_copy_64.S
index a1f9416bf67a..6ff2f56cb0f7 100644
--- a/arch/x86/lib/iomap_copy_64.S
+++ b/arch/x86/lib/iomap_copy_64.S
@@ -10,6 +10,6 @@
  */
 SYM_FUNC_START(__iowrite32_copy)
 	movl %edx,%ecx
-	rep movsd
+	rep movsl
 	RET
 SYM_FUNC_END(__iowrite32_copy)
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 09/98] f2fs: lets avoid panic if extent_tree is not created
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 08/98] x86/asm: Fix an assembler warning with current binutils Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 10/98] wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jaegeuk Kim, Sasha Levin

From: Jaegeuk Kim <jaegeuk@kernel.org>

[ Upstream commit df9d44b645b83fffccfb4e28c1f93376585fdec8 ]

This patch avoids the below panic.

pc : __lookup_extent_tree+0xd8/0x760
lr : f2fs_do_write_data_page+0x104/0x87c
sp : ffffffc010cbb3c0
x29: ffffffc010cbb3e0 x28: 0000000000000000
x27: ffffff8803e7f020 x26: ffffff8803e7ed40
x25: ffffff8803e7f020 x24: ffffffc010cbb460
x23: ffffffc010cbb480 x22: 0000000000000000
x21: 0000000000000000 x20: ffffffff22e90900
x19: 0000000000000000 x18: ffffffc010c5d080
x17: 0000000000000000 x16: 0000000000000020
x15: ffffffdb1acdbb88 x14: ffffff888759e2b0
x13: 0000000000000000 x12: ffffff802da49000
x11: 000000000a001200 x10: ffffff8803e7ed40
x9 : ffffff8023195800 x8 : ffffff802da49078
x7 : 0000000000000001 x6 : 0000000000000000
x5 : 0000000000000006 x4 : ffffffc010cbba28
x3 : 0000000000000000 x2 : ffffffc010cbb480
x1 : 0000000000000000 x0 : ffffff8803e7ed40
Call trace:
 __lookup_extent_tree+0xd8/0x760
 f2fs_do_write_data_page+0x104/0x87c
 f2fs_write_single_data_page+0x420/0xb60
 f2fs_write_cache_pages+0x418/0xb1c
 __f2fs_write_data_pages+0x428/0x58c
 f2fs_write_data_pages+0x30/0x40
 do_writepages+0x88/0x190
 __writeback_single_inode+0x48/0x448
 writeback_sb_inodes+0x468/0x9e8
 __writeback_inodes_wb+0xb8/0x2a4
 wb_writeback+0x33c/0x740
 wb_do_writeback+0x2b4/0x400
 wb_workfn+0xe4/0x34c
 process_one_work+0x24c/0x5bc
 worker_thread+0x3e8/0xa50
 kthread+0x150/0x1b4

Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/extent_cache.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
index bd16c78b5bf2..ad0b83a41226 100644
--- a/fs/f2fs/extent_cache.c
+++ b/fs/f2fs/extent_cache.c
@@ -414,7 +414,8 @@ static bool f2fs_lookup_extent_tree(struct inode *inode, pgoff_t pgofs,
 	struct extent_node *en;
 	bool ret = false;
 
-	f2fs_bug_on(sbi, !et);
+	if (!et)
+		return false;
 
 	trace_f2fs_lookup_extent_tree_start(inode, pgofs);
 
-- 
2.35.1




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 10/98] wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 09/98] f2fs: lets avoid panic if extent_tree is not created Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 11/98] wifi: mac80211: sdata can be NULL during AMPDU start Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, chainofflowers, Christian Marillat,
	Arend van Spriel, Kalle Valo

From: Arend van Spriel <arend.vanspriel@broadcom.com>

commit ed05cb177ae5cd7f02f1d6e7706ba627d30f1696 upstream.

A sanity check was introduced considering maximum flowrings above
256 as insane and effectively aborting the device probe. This
resulted in regression for number of users as the value turns out
to be sane after all.

Fixes: 2aca4f3734bd ("brcmfmac: return error when getting invalid max_flowrings from dongle")
Reported-by: chainofflowers <chainofflowers@posteo.net>
Link: https://lore.kernel.org/all/4781984.GXAFRqVoOG@luna/
Reported-by: Christian Marillat <marillat@debian.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216894
Cc: stable@vger.kernel.org
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230111112419.24185-1-arend.vanspriel@broadcom.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
@@ -1109,7 +1109,7 @@ static int brcmf_pcie_init_ringbuffers(s
 				BRCMF_NROF_H2D_COMMON_MSGRINGS;
 		max_completionrings = BRCMF_NROF_D2H_COMMON_MSGRINGS;
 	}
-	if (max_flowrings > 256) {
+	if (max_flowrings > 512) {
 		brcmf_err(bus, "invalid max_flowrings(%d)\n", max_flowrings);
 		return -EIO;
 	}



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 11/98] wifi: mac80211: sdata can be NULL during AMPDU start
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 10/98] wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 12/98] Add exception protection processing for vd in axi_chan_handle_err function Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Wetzel, Johannes Berg

From: Alexander Wetzel <alexander@wetzel-home.de>

commit 69403bad97aa0162e3d7911b27e25abe774093df upstream.

ieee80211_tx_ba_session_handle_start() may get NULL for sdata when a
deauthentication is ongoing.

Here a trace triggering the race with the hostapd test
multi_ap_fronthaul_on_ap:

(gdb) list *drv_ampdu_action+0x46
0x8b16 is in drv_ampdu_action (net/mac80211/driver-ops.c:396).
391             int ret = -EOPNOTSUPP;
392
393             might_sleep();
394
395             sdata = get_bss_sdata(sdata);
396             if (!check_sdata_in_driver(sdata))
397                     return -EIO;
398
399             trace_drv_ampdu_action(local, sdata, params);
400

wlan0: moving STA 02:00:00:00:03:00 to state 3
wlan0: associated
wlan0: deauthenticating from 02:00:00:00:03:00 by local choice (Reason: 3=DEAUTH_LEAVING)
wlan3.sta1: Open BA session requested for 02:00:00:00:00:00 tid 0
wlan3.sta1: dropped frame to 02:00:00:00:00:00 (unauthorized port)
wlan0: moving STA 02:00:00:00:03:00 to state 2
wlan0: moving STA 02:00:00:00:03:00 to state 1
wlan0: Removed STA 02:00:00:00:03:00
wlan0: Destroyed STA 02:00:00:00:03:00
BUG: unable to handle page fault for address: fffffffffffffb48
PGD 11814067 P4D 11814067 PUD 11816067 PMD 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 2 PID: 133397 Comm: kworker/u16:1 Tainted: G        W          6.1.0-rc8-wt+ #59
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
Workqueue: phy3 ieee80211_ba_session_work [mac80211]
RIP: 0010:drv_ampdu_action+0x46/0x280 [mac80211]
Code: 53 48 89 f3 be 89 01 00 00 e8 d6 43 bf ef e8 21 46 81 f0 83 bb a0 1b 00 00 04 75 0e 48 8b 9b 28 0d 00 00 48 81 eb 10 0e 00 00 <8b> 93 58 09 00 00 f6 c2 20 0f 84 3b 01 00 00 8b 05 dd 1c 0f 00 85
RSP: 0018:ffffc900025ebd20 EFLAGS: 00010287
RAX: 0000000000000000 RBX: fffffffffffff1f0 RCX: ffff888102228240
RDX: 0000000080000000 RSI: ffffffff918c5de0 RDI: ffff888102228b40
RBP: ffffc900025ebd40 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: ffff888118c18ec0
R13: 0000000000000000 R14: ffffc900025ebd60 R15: ffff888018b7efb8
FS:  0000000000000000(0000) GS:ffff88817a600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffffffffb48 CR3: 0000000105228006 CR4: 0000000000170ee0
Call Trace:
 <TASK>
 ieee80211_tx_ba_session_handle_start+0xd0/0x190 [mac80211]
 ieee80211_ba_session_work+0xff/0x2e0 [mac80211]
 process_one_work+0x29f/0x620
 worker_thread+0x4d/0x3d0
 ? process_one_work+0x620/0x620
 kthread+0xfb/0x120
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
 </TASK>

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Link: https://lore.kernel.org/r/20221230121850.218810-2-alexander@wetzel-home.de
Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/agg-tx.c     |    6 +++++-
 net/mac80211/driver-ops.c |    3 +++
 2 files changed, 8 insertions(+), 1 deletion(-)

--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -491,7 +491,7 @@ void ieee80211_tx_ba_session_handle_star
 {
 	struct tid_ampdu_tx *tid_tx;
 	struct ieee80211_local *local = sta->local;
-	struct ieee80211_sub_if_data *sdata = sta->sdata;
+	struct ieee80211_sub_if_data *sdata;
 	struct ieee80211_ampdu_params params = {
 		.sta = &sta->sta,
 		.action = IEEE80211_AMPDU_TX_START,
@@ -521,6 +521,7 @@ void ieee80211_tx_ba_session_handle_star
 	 */
 	synchronize_net();
 
+	sdata = sta->sdata;
 	params.ssn = sta->tid_seq[tid] >> 4;
 	ret = drv_ampdu_action(local, sdata, &params);
 	tid_tx->ssn = params.ssn;
@@ -534,6 +535,9 @@ void ieee80211_tx_ba_session_handle_star
 		 */
 		set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state);
 	} else if (ret) {
+		if (!sdata)
+			return;
+
 		ht_dbg(sdata,
 		       "BA request denied - HW unavailable for %pM tid %d\n",
 		       sta->sta.addr, tid);
--- a/net/mac80211/driver-ops.c
+++ b/net/mac80211/driver-ops.c
@@ -331,6 +331,9 @@ int drv_ampdu_action(struct ieee80211_lo
 
 	might_sleep();
 
+	if (!sdata)
+		return -EIO;
+
 	sdata = get_bss_sdata(sdata);
 	if (!check_sdata_in_driver(sdata))
 		return -EIO;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 12/98] Add exception protection processing for vd in axi_chan_handle_err function
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 11/98] wifi: mac80211: sdata can be NULL during AMPDU start Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 13/98] zonefs: Detect append writes at invalid locations Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Shawn.Shao, Vinod Koul

From: Shawn.Shao <shawn.shao@jaguarmicro.com>

commit 57054fe516d59d03a7bcf1888e82479ccc244f87 upstream.

Since there is no protection for vd, a kernel panic will be
triggered here in exceptional cases.

You can refer to the processing of axi_chan_block_xfer_complete function

The triggered kernel panic is as follows:

[   67.848444] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
[   67.848447] Mem abort info:
[   67.848449]   ESR = 0x96000004
[   67.848451]   EC = 0x25: DABT (current EL), IL = 32 bits
[   67.848454]   SET = 0, FnV = 0
[   67.848456]   EA = 0, S1PTW = 0
[   67.848458] Data abort info:
[   67.848460]   ISV = 0, ISS = 0x00000004
[   67.848462]   CM = 0, WnR = 0
[   67.848465] user pgtable: 4k pages, 48-bit VAs, pgdp=00000800c4c0b000
[   67.848468] [0000000000000060] pgd=0000000000000000, p4d=0000000000000000
[   67.848472] Internal error: Oops: 96000004 [#1] SMP
[   67.848475] Modules linked in: dmatest
[   67.848479] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.100-emu_x2rc+ #11
[   67.848483] pstate: 62000085 (nZCv daIf -PAN -UAO +TCO BTYPE=--)
[   67.848487] pc : axi_chan_handle_err+0xc4/0x230
[   67.848491] lr : axi_chan_handle_err+0x30/0x230
[   67.848493] sp : ffff0803fe55ae50
[   67.848495] x29: ffff0803fe55ae50 x28: ffff800011212200
[   67.848500] x27: ffff0800c42c0080 x26: ffff0800c097c080
[   67.848504] x25: ffff800010d33880 x24: ffff80001139d850
[   67.848508] x23: ffff0800c097c168 x22: 0000000000000000
[   67.848512] x21: 0000000000000080 x20: 0000000000002000
[   67.848517] x19: ffff0800c097c080 x18: 0000000000000000
[   67.848521] x17: 0000000000000000 x16: 0000000000000000
[   67.848525] x15: 0000000000000000 x14: 0000000000000000
[   67.848529] x13: 0000000000000000 x12: 0000000000000040
[   67.848533] x11: ffff0800c0400248 x10: ffff0800c040024a
[   67.848538] x9 : ffff800010576cd4 x8 : ffff0800c0400270
[   67.848542] x7 : 0000000000000000 x6 : ffff0800c04003e0
[   67.848546] x5 : ffff0800c0400248 x4 : ffff0800c4294480
[   67.848550] x3 : dead000000000100 x2 : dead000000000122
[   67.848555] x1 : 0000000000000100 x0 : ffff0800c097c168
[   67.848559] Call trace:
[   67.848562]  axi_chan_handle_err+0xc4/0x230
[   67.848566]  dw_axi_dma_interrupt+0xf4/0x590
[   67.848569]  __handle_irq_event_percpu+0x60/0x220
[   67.848573]  handle_irq_event+0x64/0x120
[   67.848576]  handle_fasteoi_irq+0xc4/0x220
[   67.848580]  __handle_domain_irq+0x80/0xe0
[   67.848583]  gic_handle_irq+0xc0/0x138
[   67.848585]  el1_irq+0xc8/0x180
[   67.848588]  arch_cpu_idle+0x14/0x2c
[   67.848591]  default_idle_call+0x40/0x16c
[   67.848594]  do_idle+0x1f0/0x250
[   67.848597]  cpu_startup_entry+0x2c/0x60
[   67.848600]  rest_init+0xc0/0xcc
[   67.848603]  arch_call_rest_init+0x14/0x1c
[   67.848606]  start_kernel+0x4cc/0x500
[   67.848610] Code: eb0002ff 9a9f12d6 f2fbd5a2 f2fbd5a3 (a94602c1)
[   67.848613] ---[ end trace 585a97036f88203a ]---

Signed-off-by: Shawn.Shao <shawn.shao@jaguarmicro.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230112055802.1764-1-shawn.shao@jaguarmicro.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
@@ -551,6 +551,11 @@ static noinline void axi_chan_handle_err
 
 	/* The bad descriptor currently is in the head of vc list */
 	vd = vchan_next_desc(&chan->vc);
+	if (!vd) {
+		dev_err(chan2dev(chan), "BUG: %s, IRQ with no descriptors\n",
+			axi_chan_name(chan));
+		goto out;
+	}
 	/* Remove the completed descriptor from issued list */
 	list_del(&vd->node);
 
@@ -565,6 +570,7 @@ static noinline void axi_chan_handle_err
 	/* Try to restart the controller */
 	axi_chan_start_first_queued(chan);
 
+out:
 	spin_unlock_irqrestore(&chan->vc.lock, flags);
 }
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 13/98] zonefs: Detect append writes at invalid locations
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 12/98] Add exception protection processing for vd in axi_chan_handle_err function Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 14/98] nilfs2: fix general protection fault in nilfs_btree_insert() Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Johannes Thumshirn

From: Damien Le Moal <damien.lemoal@opensource.wdc.com>

commit a608da3bd730d718f2d3ebec1c26f9865f8f17ce upstream.

Using REQ_OP_ZONE_APPEND operations for synchronous writes to sequential
files succeeds regardless of the zone write pointer position, as long as
the target zone is not full. This means that if an external (buggy)
application writes to the zone of a sequential file underneath the file
system, subsequent file write() operation will succeed but the file size
will not be correct and the file will contain invalid data written by
another application.

Modify zonefs_file_dio_append() to check the written sector of an append
write (returned in bio->bi_iter.bi_sector) and return -EIO if there is a
mismatch with the file zone wp offset field. This change triggers a call
to zonefs_io_error() and a zone check. Modify zonefs_io_error_cb() to
not expose the unexpected data after the current inode size when the
errors=remount-ro mode is used. Other error modes are correctly handled
already.

Fixes: 02ef12a663c7 ("zonefs: use REQ_OP_ZONE_APPEND for sync DIO")
Cc: stable@vger.kernel.org
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/zonefs/super.c |   22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

--- a/fs/zonefs/super.c
+++ b/fs/zonefs/super.c
@@ -394,6 +394,10 @@ static int zonefs_io_error_cb(struct blk
 			data_size = zonefs_check_zone_condition(inode, zone,
 								false, false);
 		}
+	} else if (sbi->s_mount_opts & ZONEFS_MNTOPT_ERRORS_RO &&
+		   data_size > isize) {
+		/* Do not expose garbage data */
+		data_size = isize;
 	}
 
 	/*
@@ -772,6 +776,24 @@ static ssize_t zonefs_file_dio_append(st
 
 	ret = submit_bio_wait(bio);
 
+	/*
+	 * If the file zone was written underneath the file system, the zone
+	 * write pointer may not be where we expect it to be, but the zone
+	 * append write can still succeed. So check manually that we wrote where
+	 * we intended to, that is, at zi->i_wpoffset.
+	 */
+	if (!ret) {
+		sector_t wpsector =
+			zi->i_zsector + (zi->i_wpoffset >> SECTOR_SHIFT);
+
+		if (bio->bi_iter.bi_sector != wpsector) {
+			zonefs_warn(inode->i_sb,
+				"Corrupted write pointer %llu for zone at %llu\n",
+				wpsector, zi->i_zsector);
+			ret = -EIO;
+		}
+	}
+
 	zonefs_file_write_dio_end_io(iocb, size, ret, 0);
 
 out_release:



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 14/98] nilfs2: fix general protection fault in nilfs_btree_insert()
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 13/98] zonefs: Detect append writes at invalid locations Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 15/98] efi: fix userspace infinite retry read efivars after EFI runtime services page fault Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi,
	syzbot+ede796cecd5296353515, Andrew Morton

From: Ryusuke Konishi <konishi.ryusuke@gmail.com>

commit 7633355e5c7f29c049a9048e461427d1d8ed3051 upstream.

If nilfs2 reads a corrupted disk image and tries to reads a b-tree node
block by calling __nilfs_btree_get_block() against an invalid virtual
block address, it returns -ENOENT because conversion of the virtual block
address to a disk block address fails.  However, this return value is the
same as the internal code that b-tree lookup routines return to indicate
that the block being searched does not exist, so functions that operate on
that b-tree may misbehave.

When nilfs_btree_insert() receives this spurious 'not found' code from
nilfs_btree_do_lookup(), it misunderstands that the 'not found' check was
successful and continues the insert operation using incomplete lookup path
data, causing the following crash:

 general protection fault, probably for non-canonical address
 0xdffffc0000000005: 0000 [#1] PREEMPT SMP KASAN
 KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
 ...
 RIP: 0010:nilfs_btree_get_nonroot_node fs/nilfs2/btree.c:418 [inline]
 RIP: 0010:nilfs_btree_prepare_insert fs/nilfs2/btree.c:1077 [inline]
 RIP: 0010:nilfs_btree_insert+0x6d3/0x1c10 fs/nilfs2/btree.c:1238
 Code: bc 24 80 00 00 00 4c 89 f8 48 c1 e8 03 42 80 3c 28 00 74 08 4c 89
 ff e8 4b 02 92 fe 4d 8b 3f 49 83 c7 28 4c 89 f8 48 c1 e8 03 <42> 80 3c
 28 00 74 08 4c 89 ff e8 2e 02 92 fe 4d 8b 3f 49 83 c7 02
 ...
 Call Trace:
 <TASK>
  nilfs_bmap_do_insert fs/nilfs2/bmap.c:121 [inline]
  nilfs_bmap_insert+0x20d/0x360 fs/nilfs2/bmap.c:147
  nilfs_get_block+0x414/0x8d0 fs/nilfs2/inode.c:101
  __block_write_begin_int+0x54c/0x1a80 fs/buffer.c:1991
  __block_write_begin fs/buffer.c:2041 [inline]
  block_write_begin+0x93/0x1e0 fs/buffer.c:2102
  nilfs_write_begin+0x9c/0x110 fs/nilfs2/inode.c:261
  generic_perform_write+0x2e4/0x5e0 mm/filemap.c:3772
  __generic_file_write_iter+0x176/0x400 mm/filemap.c:3900
  generic_file_write_iter+0xab/0x310 mm/filemap.c:3932
  call_write_iter include/linux/fs.h:2186 [inline]
  new_sync_write fs/read_write.c:491 [inline]
  vfs_write+0x7dc/0xc50 fs/read_write.c:584
  ksys_write+0x177/0x2a0 fs/read_write.c:637
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd
 ...
 </TASK>

This patch fixes the root cause of this problem by replacing the error
code that __nilfs_btree_get_block() returns on block address conversion
failure from -ENOENT to another internal code -EINVAL which means that the
b-tree metadata is corrupted.

By returning -EINVAL, it propagates without glitches, and for all relevant
b-tree operations, functions in the upper bmap layer output an error
message indicating corrupted b-tree metadata via
nilfs_bmap_convert_error(), and code -EIO will be eventually returned as
it should be.

Link: https://lkml.kernel.org/r/000000000000bd89e205f0e38355@google.com
Link: https://lkml.kernel.org/r/20230105055356.8811-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+ede796cecd5296353515@syzkaller.appspotmail.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nilfs2/btree.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/fs/nilfs2/btree.c
+++ b/fs/nilfs2/btree.c
@@ -480,9 +480,18 @@ static int __nilfs_btree_get_block(const
 	ret = nilfs_btnode_submit_block(btnc, ptr, 0, REQ_OP_READ, 0, &bh,
 					&submit_ptr);
 	if (ret) {
-		if (ret != -EEXIST)
-			return ret;
-		goto out_check;
+		if (likely(ret == -EEXIST))
+			goto out_check;
+		if (ret == -ENOENT) {
+			/*
+			 * Block address translation failed due to invalid
+			 * value of 'ptr'.  In this case, return internal code
+			 * -EINVAL (broken bmap) to notify bmap layer of fatal
+			 * metadata corruption.
+			 */
+			ret = -EINVAL;
+		}
+		return ret;
 	}
 
 	if (ra) {



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 15/98] efi: fix userspace infinite retry read efivars after EFI runtime services page fault
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 14/98] nilfs2: fix general protection fault in nilfs_btree_insert() Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 16/98] ALSA: hda/realtek - Turn on power early Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ding Hui, Ard Biesheuvel, Sasha Levin

From: Ding Hui <dinghui@sangfor.com.cn>

[ Upstream commit e006ac3003080177cf0b673441a4241f77aaecce ]

After [1][2], if we catch exceptions due to EFI runtime service, we will
clear EFI_RUNTIME_SERVICES bit to disable EFI runtime service, then the
subsequent routine which invoke the EFI runtime service should fail.

But the userspace cat efivars through /sys/firmware/efi/efivars/ will stuck
and infinite loop calling read() due to efivarfs_file_read() return -EINTR.

The -EINTR is converted from EFI_ABORTED by efi_status_to_err(), and is
an improper return value in this situation, so let virt_efi_xxx() return
EFI_DEVICE_ERROR and converted to -EIO to invoker.

Cc: <stable@vger.kernel.org>
Fixes: 3425d934fc03 ("efi/x86: Handle page faults occurring while running EFI runtime services")
Fixes: 23715a26c8d8 ("arm64: efi: Recover from synchronous exceptions occurring in firmware")
Signed-off-by: Ding Hui <dinghui@sangfor.com.cn>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/firmware/efi/runtime-wrappers.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/firmware/efi/runtime-wrappers.c b/drivers/firmware/efi/runtime-wrappers.c
index f3e54f6616f0..60075e0e4943 100644
--- a/drivers/firmware/efi/runtime-wrappers.c
+++ b/drivers/firmware/efi/runtime-wrappers.c
@@ -62,6 +62,7 @@ struct efi_runtime_work efi_rts_work;
 									\
 	if (!efi_enabled(EFI_RUNTIME_SERVICES)) {			\
 		pr_warn_once("EFI Runtime Services are disabled!\n");	\
+		efi_rts_work.status = EFI_DEVICE_ERROR;			\
 		goto exit;						\
 	}								\
 									\
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 16/98] ALSA: hda/realtek - Turn on power early
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 15/98] efi: fix userspace infinite retry read efivars after EFI runtime services page fault Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 17/98] drm/i915/gt: Reset twice Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yuchi Yang, Takashi Iwai, Sasha Levin

From: Yuchi Yang <yangyuchi66@gmail.com>

[ Upstream commit 1f680609bf1beac20e2a31ddcb1b88874123c39f ]

Turn on power early to avoid wrong state for power relation register.
This can earlier update JD state when resume back.

Signed-off-by: Yuchi Yang <yangyuchi66@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/e35d8f4fa18f4448a2315cc7d4a3715f@realtek.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/hda/patch_realtek.c | 30 ++++++++++++++++--------------
 1 file changed, 16 insertions(+), 14 deletions(-)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index eb7dd457ef5a..cfd86389d37f 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -3561,6 +3561,15 @@ static void alc256_init(struct hda_codec *codec)
 	hda_nid_t hp_pin = alc_get_hp_pin(spec);
 	bool hp_pin_sense;
 
+	if (spec->ultra_low_power) {
+		alc_update_coef_idx(codec, 0x03, 1<<1, 1<<1);
+		alc_update_coef_idx(codec, 0x08, 3<<2, 3<<2);
+		alc_update_coef_idx(codec, 0x08, 7<<4, 0);
+		alc_update_coef_idx(codec, 0x3b, 1<<15, 0);
+		alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
+		msleep(30);
+	}
+
 	if (!hp_pin)
 		hp_pin = 0x21;
 
@@ -3572,14 +3581,6 @@ static void alc256_init(struct hda_codec *codec)
 		msleep(2);
 
 	alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
-	if (spec->ultra_low_power) {
-		alc_update_coef_idx(codec, 0x03, 1<<1, 1<<1);
-		alc_update_coef_idx(codec, 0x08, 3<<2, 3<<2);
-		alc_update_coef_idx(codec, 0x08, 7<<4, 0);
-		alc_update_coef_idx(codec, 0x3b, 1<<15, 0);
-		alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
-		msleep(30);
-	}
 
 	snd_hda_codec_write(codec, hp_pin, 0,
 			    AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
@@ -3661,6 +3662,13 @@ static void alc225_init(struct hda_codec *codec)
 	hda_nid_t hp_pin = alc_get_hp_pin(spec);
 	bool hp1_pin_sense, hp2_pin_sense;
 
+	if (spec->ultra_low_power) {
+		alc_update_coef_idx(codec, 0x08, 0x0f << 2, 3<<2);
+		alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
+		alc_update_coef_idx(codec, 0x33, 1<<11, 0);
+		msleep(30);
+	}
+
 	if (!hp_pin)
 		hp_pin = 0x21;
 	msleep(30);
@@ -3672,12 +3680,6 @@ static void alc225_init(struct hda_codec *codec)
 		msleep(2);
 
 	alc_update_coefex_idx(codec, 0x57, 0x04, 0x0007, 0x1); /* Low power */
-	if (spec->ultra_low_power) {
-		alc_update_coef_idx(codec, 0x08, 0x0f << 2, 3<<2);
-		alc_update_coef_idx(codec, 0x0e, 7<<6, 7<<6);
-		alc_update_coef_idx(codec, 0x33, 1<<11, 0);
-		msleep(30);
-	}
 
 	if (hp1_pin_sense || spec->ultra_low_power)
 		snd_hda_codec_write(codec, hp_pin, 0,
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 17/98] drm/i915/gt: Reset twice
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 16/98] ALSA: hda/realtek - Turn on power early Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 18/98] Bluetooth: hci_qca: Wait for timeout during suspend Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chris Wilson, Mika Kuoppala,
	Andi Shyti, Gwan-gyeong Mun, Rodrigo Vivi, Sasha Levin

From: Chris Wilson <chris@chris-wilson.co.uk>

[ Upstream commit d3de5616d36462a646f5b360ba82d3b09ff668eb ]

After applying an engine reset, on some platforms like Jasperlake, we
occasionally detect that the engine state is not cleared until shortly
after the resume. As we try to resume the engine with volatile internal
state, the first request fails with a spurious CS event (it looks like
it reports a lite-restore to the hung context, instead of the expected
idle->active context switch).

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221212161338.1007659-1-andi.shyti@linux.intel.com
(cherry picked from commit 3db9d590557da3aa2c952f2fecd3e9b703dad790)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/gt/intel_reset.c | 34 ++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/i915/gt/intel_reset.c b/drivers/gpu/drm/i915/gt/intel_reset.c
index ac36b67fb46b..00b5912a88b8 100644
--- a/drivers/gpu/drm/i915/gt/intel_reset.c
+++ b/drivers/gpu/drm/i915/gt/intel_reset.c
@@ -289,6 +289,7 @@ static int ilk_do_reset(struct intel_gt *gt, intel_engine_mask_t engine_mask,
 static int gen6_hw_domain_reset(struct intel_gt *gt, u32 hw_domain_mask)
 {
 	struct intel_uncore *uncore = gt->uncore;
+	int loops = 2;
 	int err;
 
 	/*
@@ -296,18 +297,39 @@ static int gen6_hw_domain_reset(struct intel_gt *gt, u32 hw_domain_mask)
 	 * for fifo space for the write or forcewake the chip for
 	 * the read
 	 */
-	intel_uncore_write_fw(uncore, GEN6_GDRST, hw_domain_mask);
+	do {
+		intel_uncore_write_fw(uncore, GEN6_GDRST, hw_domain_mask);
 
-	/* Wait for the device to ack the reset requests */
-	err = __intel_wait_for_register_fw(uncore,
-					   GEN6_GDRST, hw_domain_mask, 0,
-					   500, 0,
-					   NULL);
+		/*
+		 * Wait for the device to ack the reset requests.
+		 *
+		 * On some platforms, e.g. Jasperlake, we see that the
+		 * engine register state is not cleared until shortly after
+		 * GDRST reports completion, causing a failure as we try
+		 * to immediately resume while the internal state is still
+		 * in flux. If we immediately repeat the reset, the second
+		 * reset appears to serialise with the first, and since
+		 * it is a no-op, the registers should retain their reset
+		 * value. However, there is still a concern that upon
+		 * leaving the second reset, the internal engine state
+		 * is still in flux and not ready for resuming.
+		 */
+		err = __intel_wait_for_register_fw(uncore, GEN6_GDRST,
+						   hw_domain_mask, 0,
+						   2000, 0,
+						   NULL);
+	} while (err == 0 && --loops);
 	if (err)
 		drm_dbg(&gt->i915->drm,
 			"Wait for 0x%08x engines reset failed\n",
 			hw_domain_mask);
 
+	/*
+	 * As we have observed that the engine state is still volatile
+	 * after GDRST is acked, impose a small delay to let everything settle.
+	 */
+	udelay(50);
+
 	return err;
 }
 
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 18/98] Bluetooth: hci_qca: Wait for timeout during suspend
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 17/98] drm/i915/gt: Reset twice Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 19/98] Bluetooth: hci_qca: Fix driver shutdown on closed serdev Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Venkata Lakshmi Narayana Gubba,
	Balakrishna Godavarthi, Abhishek Pandit-Subedi, Marcel Holtmann,
	Sasha Levin

From: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>

[ Upstream commit 2be43abac5a839d44bf9d14716573ae0ac920f2b ]

Currently qca_suspend() is relied on IBS mechanism. During
FW download and memory dump collections, IBS will be disabled.
In those cases, driver will allow suspend and still uses the
serdev port, which results to errors. Now added a wait timeout
if suspend is triggered during FW download and memory collections.

Signed-off-by: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
Signed-off-by: Balakrishna Godavarthi <bgodavar@codeaurora.org>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Stable-dep-of: 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closed serdev")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bluetooth/hci_qca.c | 48 ++++++++++++++++++++++++++++++-------
 1 file changed, 39 insertions(+), 9 deletions(-)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 60b0e13bb9fc..652290425028 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -50,6 +50,8 @@
 #define IBS_HOST_TX_IDLE_TIMEOUT_MS	2000
 #define CMD_TRANS_TIMEOUT_MS		100
 #define MEMDUMP_TIMEOUT_MS		8000
+#define IBS_DISABLE_SSR_TIMEOUT_MS	(MEMDUMP_TIMEOUT_MS + 1000)
+#define FW_DOWNLOAD_TIMEOUT_MS		3000
 
 /* susclk rate */
 #define SUSCLK_RATE_32KHZ	32768
@@ -68,12 +70,13 @@
 #define QCA_MEMDUMP_BYTE		0xFB
 
 enum qca_flags {
-	QCA_IBS_ENABLED,
+	QCA_IBS_DISABLED,
 	QCA_DROP_VENDOR_EVENT,
 	QCA_SUSPENDING,
 	QCA_MEMDUMP_COLLECTION,
 	QCA_HW_ERROR_EVENT,
-	QCA_SSR_TRIGGERED
+	QCA_SSR_TRIGGERED,
+	QCA_BT_OFF
 };
 
 enum qca_capabilities {
@@ -870,7 +873,7 @@ static int qca_enqueue(struct hci_uart *hu, struct sk_buff *skb)
 	 * Out-Of-Band(GPIOs control) sleep is selected.
 	 * Don't wake the device up when suspending.
 	 */
-	if (!test_bit(QCA_IBS_ENABLED, &qca->flags) ||
+	if (test_bit(QCA_IBS_DISABLED, &qca->flags) ||
 	    test_bit(QCA_SUSPENDING, &qca->flags)) {
 		skb_queue_tail(&qca->txq, skb);
 		spin_unlock_irqrestore(&qca->hci_ibs_lock, flags);
@@ -1015,7 +1018,7 @@ static void qca_controller_memdump(struct work_struct *work)
 			 * the controller to send the dump is 8 seconds. let us
 			 * start timer to handle this asynchronous activity.
 			 */
-			clear_bit(QCA_IBS_ENABLED, &qca->flags);
+			set_bit(QCA_IBS_DISABLED, &qca->flags);
 			set_bit(QCA_MEMDUMP_COLLECTION, &qca->flags);
 			dump = (void *) skb->data;
 			dump_size = __le32_to_cpu(dump->dump_size);
@@ -1621,6 +1624,7 @@ static int qca_power_on(struct hci_dev *hdev)
 	struct hci_uart *hu = hci_get_drvdata(hdev);
 	enum qca_btsoc_type soc_type = qca_soc_type(hu);
 	struct qca_serdev *qcadev;
+	struct qca_data *qca = hu->priv;
 	int ret = 0;
 
 	/* Non-serdev device usually is powered by external power
@@ -1640,6 +1644,7 @@ static int qca_power_on(struct hci_dev *hdev)
 		}
 	}
 
+	clear_bit(QCA_BT_OFF, &qca->flags);
 	return ret;
 }
 
@@ -1659,7 +1664,7 @@ static int qca_setup(struct hci_uart *hu)
 		return ret;
 
 	/* Patch downloading has to be done without IBS mode */
-	clear_bit(QCA_IBS_ENABLED, &qca->flags);
+	set_bit(QCA_IBS_DISABLED, &qca->flags);
 
 	/* Enable controller to do both LE scan and BR/EDR inquiry
 	 * simultaneously.
@@ -1710,7 +1715,7 @@ static int qca_setup(struct hci_uart *hu)
 	ret = qca_uart_setup(hdev, qca_baudrate, soc_type, soc_ver,
 			firmware_name);
 	if (!ret) {
-		set_bit(QCA_IBS_ENABLED, &qca->flags);
+		clear_bit(QCA_IBS_DISABLED, &qca->flags);
 		qca_debugfs_init(hdev);
 		hu->hdev->hw_error = qca_hw_error;
 		hu->hdev->cmd_timeout = qca_cmd_timeout;
@@ -1814,7 +1819,7 @@ static void qca_power_shutdown(struct hci_uart *hu)
 	 * data in skb's.
 	 */
 	spin_lock_irqsave(&qca->hci_ibs_lock, flags);
-	clear_bit(QCA_IBS_ENABLED, &qca->flags);
+	set_bit(QCA_IBS_DISABLED, &qca->flags);
 	qca_flush(hu);
 	spin_unlock_irqrestore(&qca->hci_ibs_lock, flags);
 
@@ -1833,6 +1838,8 @@ static void qca_power_shutdown(struct hci_uart *hu)
 	} else if (qcadev->bt_en) {
 		gpiod_set_value_cansleep(qcadev->bt_en, 0);
 	}
+
+	set_bit(QCA_BT_OFF, &qca->flags);
 }
 
 static int qca_power_off(struct hci_dev *hdev)
@@ -2093,11 +2100,34 @@ static int __maybe_unused qca_suspend(struct device *dev)
 	bool tx_pending = false;
 	int ret = 0;
 	u8 cmd;
+	u32 wait_timeout = 0;
 
 	set_bit(QCA_SUSPENDING, &qca->flags);
 
-	/* Device is downloading patch or doesn't support in-band sleep. */
-	if (!test_bit(QCA_IBS_ENABLED, &qca->flags))
+	if (test_bit(QCA_BT_OFF, &qca->flags))
+		return 0;
+
+	if (test_bit(QCA_IBS_DISABLED, &qca->flags)) {
+		wait_timeout = test_bit(QCA_SSR_TRIGGERED, &qca->flags) ?
+					IBS_DISABLE_SSR_TIMEOUT_MS :
+					FW_DOWNLOAD_TIMEOUT_MS;
+
+		/* QCA_IBS_DISABLED flag is set to true, During FW download
+		 * and during memory dump collection. It is reset to false,
+		 * After FW download complete and after memory dump collections.
+		 */
+		wait_on_bit_timeout(&qca->flags, QCA_IBS_DISABLED,
+			    TASK_UNINTERRUPTIBLE, msecs_to_jiffies(wait_timeout));
+
+		if (test_bit(QCA_IBS_DISABLED, &qca->flags)) {
+			bt_dev_err(hu->hdev, "SSR or FW download time out");
+			ret = -ETIMEDOUT;
+			goto error;
+		}
+	}
+
+	/* After memory dump collection, Controller is powered off.*/
+	if (test_bit(QCA_BT_OFF, &qca->flags))
 		return 0;
 
 	cancel_work_sync(&qca->ws_awake_device);
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 19/98] Bluetooth: hci_qca: Fix driver shutdown on closed serdev
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 18/98] Bluetooth: hci_qca: Wait for timeout during suspend Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 20/98] io_uring: dont gate task_work run on TIF_NOTIFY_SIGNAL Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
	Luiz Augusto von Dentz, Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

[ Upstream commit 272970be3dabd24cbe50e393ffee8f04aec3b9a8 ]

The driver shutdown callback (which sends EDL_SOC_RESET to the device
over serdev) should not be invoked when HCI device is not open (e.g. if
hci_dev_open_sync() failed), because the serdev and its TTY are not open
either.  Also skip this step if device is powered off
(qca_power_shutdown()).

The shutdown callback causes use-after-free during system reboot with
Qualcomm Atheros Bluetooth:

  Unable to handle kernel paging request at virtual address
  0072662f67726fd7
  ...
  CPU: 6 PID: 1 Comm: systemd-shutdow Tainted: G        W
  6.1.0-rt5-00325-g8a5f56bcfcca #8
  Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
  Call trace:
   tty_driver_flush_buffer+0x4/0x30
   serdev_device_write_flush+0x24/0x34
   qca_serdev_shutdown+0x80/0x130 [hci_uart]
   device_shutdown+0x15c/0x260
   kernel_restart+0x48/0xac

KASAN report:

  BUG: KASAN: use-after-free in tty_driver_flush_buffer+0x1c/0x50
  Read of size 8 at addr ffff16270c2e0018 by task systemd-shutdow/1

  CPU: 7 PID: 1 Comm: systemd-shutdow Not tainted
  6.1.0-next-20221220-00014-gb85aaf97fb01-dirty #28
  Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
  Call trace:
   dump_backtrace.part.0+0xdc/0xf0
   show_stack+0x18/0x30
   dump_stack_lvl+0x68/0x84
   print_report+0x188/0x488
   kasan_report+0xa4/0xf0
   __asan_load8+0x80/0xac
   tty_driver_flush_buffer+0x1c/0x50
   ttyport_write_flush+0x34/0x44
   serdev_device_write_flush+0x48/0x60
   qca_serdev_shutdown+0x124/0x274
   device_shutdown+0x1e8/0x350
   kernel_restart+0x48/0xb0
   __do_sys_reboot+0x244/0x2d0
   __arm64_sys_reboot+0x54/0x70
   invoke_syscall+0x60/0x190
   el0_svc_common.constprop.0+0x7c/0x160
   do_el0_svc+0x44/0xf0
   el0_svc+0x2c/0x6c
   el0t_64_sync_handler+0xbc/0x140
   el0t_64_sync+0x190/0x194

Fixes: 7e7bbddd029b ("Bluetooth: hci_qca: Fix qca6390 enable failure after warm reboot")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bluetooth/hci_qca.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
index 652290425028..096a604ef47f 100644
--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -2064,10 +2064,17 @@ static void qca_serdev_shutdown(struct device *dev)
 	int timeout = msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS);
 	struct serdev_device *serdev = to_serdev_device(dev);
 	struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
+	struct hci_uart *hu = &qcadev->serdev_hu;
+	struct hci_dev *hdev = hu->hdev;
+	struct qca_data *qca = hu->priv;
 	const u8 ibs_wake_cmd[] = { 0xFD };
 	const u8 edl_reset_soc_cmd[] = { 0x01, 0x00, 0xFC, 0x01, 0x05 };
 
 	if (qcadev->btsoc_type == QCA_QCA6390) {
+		if (test_bit(QCA_BT_OFF, &qca->flags) ||
+		    !test_bit(HCI_RUNNING, &hdev->flags))
+			return;
+
 		serdev_device_write_flush(serdev);
 		ret = serdev_device_write_buf(serdev, ibs_wake_cmd,
 					      sizeof(ibs_wake_cmd));
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 20/98] io_uring: dont gate task_work run on TIF_NOTIFY_SIGNAL
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 19/98] Bluetooth: hci_qca: Fix driver shutdown on closed serdev Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 21/98] io_uring: improve send/recv error handling Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christiano Haesbaert, Jens Axboe,
	Sasha Levin

From: Jens Axboe <axboe@kernel.dk>

commit 46a525e199e4037516f7e498c18f065b09df32ac upstream.

This isn't a reliable mechanism to tell if we have task_work pending, we
really should be looking at whether we have any items queued. This is
problematic if forward progress is gated on running said task_work. One
such example is reading from a pipe, where the write side has been closed
right before the read is started. The fput() of the file queues TWA_RESUME
task_work, and we need that task_work to be run before ->release() is
called for the pipe. If ->release() isn't called, then the read will sit
forever waiting on data that will never arise.

Fix this by io_run_task_work() so it checks if we have task_work pending
rather than rely on TIF_NOTIFY_SIGNAL for that. The latter obviously
doesn't work for task_work that is queued without TWA_SIGNAL.

Reported-by: Christiano Haesbaert <haesbaert@haesbaert.org>
Cc: stable@vger.kernel.org
Link: https://github.com/axboe/liburing/issues/665
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io-wq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
index 87bc38b47103..81485c1a9879 100644
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -513,7 +513,7 @@ static struct io_wq_work *io_get_next_work(struct io_wqe_acct *acct,
 
 static bool io_flush_signals(void)
 {
-	if (unlikely(test_thread_flag(TIF_NOTIFY_SIGNAL))) {
+	if (test_thread_flag(TIF_NOTIFY_SIGNAL) || current->task_works) {
 		__set_current_state(TASK_RUNNING);
 		tracehook_notify_signal();
 		return true;
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 21/98] io_uring: improve send/recv error handling
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 20/98] io_uring: dont gate task_work run on TIF_NOTIFY_SIGNAL Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 22/98] io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe, Sasha Levin

From: Pavel Begunkov <asml.silence@gmail.com>

commit 7297ce3d59449de49d3c9e1f64ae25488750a1fc upstream.

Hide all error handling under common if block, removes two extra ifs on
the success path and keeps the handling more condensed.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/5761545158a12968f3caf30f747eea65ed75dfc1.1637524285.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 55 +++++++++++++++++++++++++--------------------
 1 file changed, 31 insertions(+), 24 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 0c4d16afb9ef..34dd6267679a 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4706,17 +4706,18 @@ static int io_sendmsg(struct io_kiocb *req, unsigned int issue_flags)
 		min_ret = iov_iter_count(&kmsg->msg.msg_iter);
 
 	ret = __sys_sendmsg_sock(sock, &kmsg->msg, flags);
-	if ((issue_flags & IO_URING_F_NONBLOCK) && ret == -EAGAIN)
-		return io_setup_async_msg(req, kmsg);
-	if (ret == -ERESTARTSYS)
-		ret = -EINTR;
 
+	if (ret < min_ret) {
+		if (ret == -EAGAIN && (issue_flags & IO_URING_F_NONBLOCK))
+			return io_setup_async_msg(req, kmsg);
+		if (ret == -ERESTARTSYS)
+			ret = -EINTR;
+		req_set_fail(req);
+	}
 	/* fast path, check for non-NULL to avoid function call */
 	if (kmsg->free_iov)
 		kfree(kmsg->free_iov);
 	req->flags &= ~REQ_F_NEED_CLEANUP;
-	if (ret < min_ret)
-		req_set_fail(req);
 	__io_req_complete(req, issue_flags, ret, 0);
 	return 0;
 }
@@ -4752,13 +4753,13 @@ static int io_send(struct io_kiocb *req, unsigned int issue_flags)
 
 	msg.msg_flags = flags;
 	ret = sock_sendmsg(sock, &msg);
-	if ((issue_flags & IO_URING_F_NONBLOCK) && ret == -EAGAIN)
-		return -EAGAIN;
-	if (ret == -ERESTARTSYS)
-		ret = -EINTR;
-
-	if (ret < min_ret)
+	if (ret < min_ret) {
+		if (ret == -EAGAIN && (issue_flags & IO_URING_F_NONBLOCK))
+			return -EAGAIN;
+		if (ret == -ERESTARTSYS)
+			ret = -EINTR;
 		req_set_fail(req);
+	}
 	__io_req_complete(req, issue_flags, ret, 0);
 	return 0;
 }
@@ -4945,10 +4946,15 @@ static int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
 
 	ret = __sys_recvmsg_sock(sock, &kmsg->msg, req->sr_msg.umsg,
 					kmsg->uaddr, flags);
-	if (force_nonblock && ret == -EAGAIN)
-		return io_setup_async_msg(req, kmsg);
-	if (ret == -ERESTARTSYS)
-		ret = -EINTR;
+	if (ret < min_ret) {
+		if (ret == -EAGAIN && force_nonblock)
+			return io_setup_async_msg(req, kmsg);
+		if (ret == -ERESTARTSYS)
+			ret = -EINTR;
+		req_set_fail(req);
+	} else if ((flags & MSG_WAITALL) && (kmsg->msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))) {
+		req_set_fail(req);
+	}
 
 	if (req->flags & REQ_F_BUFFER_SELECTED)
 		cflags = io_put_recv_kbuf(req);
@@ -4956,8 +4962,6 @@ static int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
 	if (kmsg->free_iov)
 		kfree(kmsg->free_iov);
 	req->flags &= ~REQ_F_NEED_CLEANUP;
-	if (ret < min_ret || ((flags & MSG_WAITALL) && (kmsg->msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))))
-		req_set_fail(req);
 	__io_req_complete(req, issue_flags, ret, cflags);
 	return 0;
 }
@@ -5004,15 +5008,18 @@ static int io_recv(struct io_kiocb *req, unsigned int issue_flags)
 		min_ret = iov_iter_count(&msg.msg_iter);
 
 	ret = sock_recvmsg(sock, &msg, flags);
-	if (force_nonblock && ret == -EAGAIN)
-		return -EAGAIN;
-	if (ret == -ERESTARTSYS)
-		ret = -EINTR;
 out_free:
+	if (ret < min_ret) {
+		if (ret == -EAGAIN && force_nonblock)
+			return -EAGAIN;
+		if (ret == -ERESTARTSYS)
+			ret = -EINTR;
+		req_set_fail(req);
+	} else if ((flags & MSG_WAITALL) && (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))) {
+		req_set_fail(req);
+	}
 	if (req->flags & REQ_F_BUFFER_SELECTED)
 		cflags = io_put_recv_kbuf(req);
-	if (ret < min_ret || ((flags & MSG_WAITALL) && (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))))
-		req_set_fail(req);
 	__io_req_complete(req, issue_flags, ret, cflags);
 	return 0;
 }
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 22/98] io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 21/98] io_uring: improve send/recv error handling Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 23/98] io_uring: add flag for disabling provided buffer recycling Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Constantine Gavrilov, Jens Axboe,
	Sasha Levin

From: Jens Axboe <axboe@kernel.dk>

commit 7ba89d2af17aa879dda30f5d5d3f152e587fc551 upstream.

We currently don't attempt to get the full asked for length even if
MSG_WAITALL is set, if we get a partial receive. If we do see a partial
receive, then just note how many bytes we did and return -EAGAIN to
get it retried.

The iov is advanced appropriately for the vector based case, and we
manually bump the buffer and remainder for the non-vector case.

Cc: stable@vger.kernel.org
Reported-by: Constantine Gavrilov <constantine.gavrilov@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 34dd6267679a..3d67b9b4100f 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -578,6 +578,7 @@ struct io_sr_msg {
 	int				msg_flags;
 	int				bgid;
 	size_t				len;
+	size_t				done_io;
 	struct io_buffer		*kbuf;
 };
 
@@ -4903,12 +4904,21 @@ static int io_recvmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 	if (req->ctx->compat)
 		sr->msg_flags |= MSG_CMSG_COMPAT;
 #endif
+	sr->done_io = 0;
 	return 0;
 }
 
+static bool io_net_retry(struct socket *sock, int flags)
+{
+	if (!(flags & MSG_WAITALL))
+		return false;
+	return sock->type == SOCK_STREAM || sock->type == SOCK_SEQPACKET;
+}
+
 static int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
 {
 	struct io_async_msghdr iomsg, *kmsg;
+	struct io_sr_msg *sr = &req->sr_msg;
 	struct socket *sock;
 	struct io_buffer *kbuf;
 	unsigned flags;
@@ -4951,6 +4961,10 @@ static int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
 			return io_setup_async_msg(req, kmsg);
 		if (ret == -ERESTARTSYS)
 			ret = -EINTR;
+		if (ret > 0 && io_net_retry(sock, flags)) {
+			sr->done_io += ret;
+			return io_setup_async_msg(req, kmsg);
+		}
 		req_set_fail(req);
 	} else if ((flags & MSG_WAITALL) && (kmsg->msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))) {
 		req_set_fail(req);
@@ -4962,6 +4976,10 @@ static int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
 	if (kmsg->free_iov)
 		kfree(kmsg->free_iov);
 	req->flags &= ~REQ_F_NEED_CLEANUP;
+	if (ret >= 0)
+		ret += sr->done_io;
+	else if (sr->done_io)
+		ret = sr->done_io;
 	__io_req_complete(req, issue_flags, ret, cflags);
 	return 0;
 }
@@ -5014,12 +5032,22 @@ static int io_recv(struct io_kiocb *req, unsigned int issue_flags)
 			return -EAGAIN;
 		if (ret == -ERESTARTSYS)
 			ret = -EINTR;
+		if (ret > 0 && io_net_retry(sock, flags)) {
+			sr->len -= ret;
+			sr->buf += ret;
+			sr->done_io += ret;
+			return -EAGAIN;
+		}
 		req_set_fail(req);
 	} else if ((flags & MSG_WAITALL) && (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))) {
 		req_set_fail(req);
 	}
 	if (req->flags & REQ_F_BUFFER_SELECTED)
 		cflags = io_put_recv_kbuf(req);
+	if (ret >= 0)
+		ret += sr->done_io;
+	else if (sr->done_io)
+		ret = sr->done_io;
 	__io_req_complete(req, issue_flags, ret, cflags);
 	return 0;
 }
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 23/98] io_uring: add flag for disabling provided buffer recycling
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 22/98] io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 24/98] io_uring: support MSG_WAITALL for IORING_OP_SEND(MSG) Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Sasha Levin

From: Jens Axboe <axboe@kernel.dk>

commit 8a3e8ee56417f5e0e66580d93941ed9d6f4c8274 upstream.

If we need to continue doing this IO, then we don't want a potentially
selected buffer recycled. Add a flag for that.

Set this for recv/recvmsg if they do partial IO.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 3d67b9b4100f..7f9fb0cb9230 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -740,6 +740,7 @@ enum {
 	REQ_F_CREDS_BIT,
 	REQ_F_REFCOUNT_BIT,
 	REQ_F_ARM_LTIMEOUT_BIT,
+	REQ_F_PARTIAL_IO_BIT,
 	/* keep async read/write and isreg together and in order */
 	REQ_F_NOWAIT_READ_BIT,
 	REQ_F_NOWAIT_WRITE_BIT,
@@ -795,6 +796,8 @@ enum {
 	REQ_F_REFCOUNT		= BIT(REQ_F_REFCOUNT_BIT),
 	/* there is a linked timeout that has to be armed */
 	REQ_F_ARM_LTIMEOUT	= BIT(REQ_F_ARM_LTIMEOUT_BIT),
+	/* request has already done partial IO */
+	REQ_F_PARTIAL_IO	= BIT(REQ_F_PARTIAL_IO_BIT),
 };
 
 struct async_poll {
@@ -4963,6 +4966,7 @@ static int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
 			ret = -EINTR;
 		if (ret > 0 && io_net_retry(sock, flags)) {
 			sr->done_io += ret;
+			req->flags |= REQ_F_PARTIAL_IO;
 			return io_setup_async_msg(req, kmsg);
 		}
 		req_set_fail(req);
@@ -5036,6 +5040,7 @@ static int io_recv(struct io_kiocb *req, unsigned int issue_flags)
 			sr->len -= ret;
 			sr->buf += ret;
 			sr->done_io += ret;
+			req->flags |= REQ_F_PARTIAL_IO;
 			return -EAGAIN;
 		}
 		req_set_fail(req);
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 24/98] io_uring: support MSG_WAITALL for IORING_OP_SEND(MSG)
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 23/98] io_uring: add flag for disabling provided buffer recycling Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 25/98] io_uring: allow re-poll if we made progress Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Sasha Levin

From: Jens Axboe <axboe@kernel.dk>

commit 4c3c09439c08b03d9503df0ca4c7619c5842892e upstream.

Like commit 7ba89d2af17a for recv/recvmsg, support MSG_WAITALL for the
send side. If this flag is set and we do a short send, retry for a
stream of seqpacket socket.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 7f9fb0cb9230..75d833269751 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4617,6 +4617,13 @@ static int io_sync_file_range(struct io_kiocb *req, unsigned int issue_flags)
 }
 
 #if defined(CONFIG_NET)
+static bool io_net_retry(struct socket *sock, int flags)
+{
+	if (!(flags & MSG_WAITALL))
+		return false;
+	return sock->type == SOCK_STREAM || sock->type == SOCK_SEQPACKET;
+}
+
 static int io_setup_async_msg(struct io_kiocb *req,
 			      struct io_async_msghdr *kmsg)
 {
@@ -4680,12 +4687,14 @@ static int io_sendmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 	if (req->ctx->compat)
 		sr->msg_flags |= MSG_CMSG_COMPAT;
 #endif
+	sr->done_io = 0;
 	return 0;
 }
 
 static int io_sendmsg(struct io_kiocb *req, unsigned int issue_flags)
 {
 	struct io_async_msghdr iomsg, *kmsg;
+	struct io_sr_msg *sr = &req->sr_msg;
 	struct socket *sock;
 	unsigned flags;
 	int min_ret = 0;
@@ -4716,12 +4725,21 @@ static int io_sendmsg(struct io_kiocb *req, unsigned int issue_flags)
 			return io_setup_async_msg(req, kmsg);
 		if (ret == -ERESTARTSYS)
 			ret = -EINTR;
+		if (ret > 0 && io_net_retry(sock, flags)) {
+			sr->done_io += ret;
+			req->flags |= REQ_F_PARTIAL_IO;
+			return io_setup_async_msg(req, kmsg);
+		}
 		req_set_fail(req);
 	}
 	/* fast path, check for non-NULL to avoid function call */
 	if (kmsg->free_iov)
 		kfree(kmsg->free_iov);
 	req->flags &= ~REQ_F_NEED_CLEANUP;
+	if (ret >= 0)
+		ret += sr->done_io;
+	else if (sr->done_io)
+		ret = sr->done_io;
 	__io_req_complete(req, issue_flags, ret, 0);
 	return 0;
 }
@@ -4762,8 +4780,19 @@ static int io_send(struct io_kiocb *req, unsigned int issue_flags)
 			return -EAGAIN;
 		if (ret == -ERESTARTSYS)
 			ret = -EINTR;
+		if (ret > 0 && io_net_retry(sock, flags)) {
+			sr->len -= ret;
+			sr->buf += ret;
+			sr->done_io += ret;
+			req->flags |= REQ_F_PARTIAL_IO;
+			return -EAGAIN;
+		}
 		req_set_fail(req);
 	}
+	if (ret >= 0)
+		ret += sr->done_io;
+	else if (sr->done_io)
+		ret = sr->done_io;
 	__io_req_complete(req, issue_flags, ret, 0);
 	return 0;
 }
@@ -4911,13 +4940,6 @@ static int io_recvmsg_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 	return 0;
 }
 
-static bool io_net_retry(struct socket *sock, int flags)
-{
-	if (!(flags & MSG_WAITALL))
-		return false;
-	return sock->type == SOCK_STREAM || sock->type == SOCK_SEQPACKET;
-}
-
 static int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
 {
 	struct io_async_msghdr iomsg, *kmsg;
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 25/98] io_uring: allow re-poll if we made progress
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 24/98] io_uring: support MSG_WAITALL for IORING_OP_SEND(MSG) Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 26/98] io_uring: fix async accept on O_NONBLOCK sockets Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Sasha Levin

From: Jens Axboe <axboe@kernel.dk>

commit 10c873334febaeea9aa0c25c10b5ac0951b77a5f upstream.

We currently check REQ_F_POLLED before arming async poll for a
notification to retry. If it's set, then we don't allow poll and will
punt to io-wq instead. This is done to prevent a situation where a buggy
driver will repeatedly return that there's space/data available yet we
get -EAGAIN.

However, if we already transferred data, then it should be safe to rely
on poll again. Gate the check on whether or not REQ_F_PARTIAL_IO is
also set.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 75d833269751..cc8e13de5fa9 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -5694,7 +5694,7 @@ static int io_arm_poll_handler(struct io_kiocb *req)
 
 	if (!req->file || !file_can_poll(req->file))
 		return IO_APOLL_ABORTED;
-	if (req->flags & REQ_F_POLLED)
+	if ((req->flags & (REQ_F_POLLED|REQ_F_PARTIAL_IO)) == REQ_F_POLLED)
 		return IO_APOLL_ABORTED;
 	if (!def->pollin && !def->pollout)
 		return IO_APOLL_ABORTED;
@@ -5710,7 +5710,10 @@ static int io_arm_poll_handler(struct io_kiocb *req)
 		mask |= POLLOUT | POLLWRNORM;
 	}
 
-	apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
+	if (req->flags & REQ_F_POLLED)
+		apoll = req->apoll;
+	else
+		apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
 	if (unlikely(!apoll))
 		return IO_APOLL_ABORTED;
 	apoll->double_poll = NULL;
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 26/98] io_uring: fix async accept on O_NONBLOCK sockets
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 25/98] io_uring: allow re-poll if we made progress Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 27/98] io_uring: check for valid register opcode earlier Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dylan Yudaken, Jens Axboe, Sasha Levin

From: Dylan Yudaken <dylany@meta.com>

commit a73825ba70c93e1eb39a845bb3d9885a787f8ffe upstream.

Do not set REQ_F_NOWAIT if the socket is non blocking. When enabled this
causes the accept to immediately post a CQE with EAGAIN, which means you
cannot perform an accept SQE on a NONBLOCK socket asynchronously.

By removing the flag if there is no pending accept then poll is armed as
usual and when a connection comes in the CQE is posted.

Signed-off-by: Dylan Yudaken <dylany@fb.com>
Link: https://lore.kernel.org/r/20220324143435.2875844-1-dylany@fb.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index cc8e13de5fa9..8c8ba8c067ca 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -5112,9 +5112,6 @@ static int io_accept(struct io_kiocb *req, unsigned int issue_flags)
 	struct file *file;
 	int ret, fd;
 
-	if (req->file->f_flags & O_NONBLOCK)
-		req->flags |= REQ_F_NOWAIT;
-
 	if (!fixed) {
 		fd = __get_unused_fd_flags(accept->flags, accept->nofile);
 		if (unlikely(fd < 0))
@@ -5127,6 +5124,8 @@ static int io_accept(struct io_kiocb *req, unsigned int issue_flags)
 		if (!fixed)
 			put_unused_fd(fd);
 		ret = PTR_ERR(file);
+		/* safe to retry */
+		req->flags |= REQ_F_PARTIAL_IO;
 		if (ret == -EAGAIN && force_nonblock)
 			return -EAGAIN;
 		if (ret == -ERESTARTSYS)
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 27/98] io_uring: check for valid register opcode earlier
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 26/98] io_uring: fix async accept on O_NONBLOCK sockets Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 28/98] io_uring: lock overflowing for IOPOLL Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Sasha Levin

From: Jens Axboe <axboe@kernel.dk>

[ Upstream commit 343190841a1f22b96996d9f8cfab902a4d1bfd0e ]

We only check the register opcode value inside the restricted ring
section, move it into the main io_uring_register() function instead
and check it up front.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 8c8ba8c067ca..f05f033d8496 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -10805,8 +10805,6 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
 		return -ENXIO;
 
 	if (ctx->restricted) {
-		if (opcode >= IORING_REGISTER_LAST)
-			return -EINVAL;
 		opcode = array_index_nospec(opcode, IORING_REGISTER_LAST);
 		if (!test_bit(opcode, ctx->restrictions.register_op))
 			return -EACCES;
@@ -10938,6 +10936,9 @@ SYSCALL_DEFINE4(io_uring_register, unsigned int, fd, unsigned int, opcode,
 	long ret = -EBADF;
 	struct fd f;
 
+	if (opcode >= IORING_REGISTER_LAST)
+		return -EINVAL;
+
 	f = fdget(fd);
 	if (!f.file)
 		return -EBADF;
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 28/98] io_uring: lock overflowing for IOPOLL
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 27/98] io_uring: check for valid register opcode earlier Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 29/98] io_uring: fix CQ waiting timeout handling Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe,
	Sasha Levin, syzbot+6805087452d72929404e

From: Pavel Begunkov <asml.silence@gmail.com>

commit 544d163d659d45a206d8929370d5a2984e546cb7 upstream.

syzbot reports an issue with overflow filling for IOPOLL:

WARNING: CPU: 0 PID: 28 at io_uring/io_uring.c:734 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
CPU: 0 PID: 28 Comm: kworker/u4:1 Not tainted 6.2.0-rc3-syzkaller-16369-g358a161a6a9e #0
Workqueue: events_unbound io_ring_exit_work
Call trace:
 io_cqring_event_overflow+0x1c0/0x230 io_uring/io_uring.c:734
 io_req_cqe_overflow+0x5c/0x70 io_uring/io_uring.c:773
 io_fill_cqe_req io_uring/io_uring.h:168 [inline]
 io_do_iopoll+0x474/0x62c io_uring/rw.c:1065
 io_iopoll_try_reap_events+0x6c/0x108 io_uring/io_uring.c:1513
 io_uring_try_cancel_requests+0x13c/0x258 io_uring/io_uring.c:3056
 io_ring_exit_work+0xec/0x390 io_uring/io_uring.c:2869
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:863

There is no real problem for normal IOPOLL as flush is also called with
uring_lock taken, but it's getting more complicated for IOPOLL|SQPOLL,
for which __io_cqring_overflow_flush() happens from the CQ waiting path.

Reported-and-tested-by: syzbot+6805087452d72929404e@syzkaller.appspotmail.com
Cc: stable@vger.kernel.org # 5.10+
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index f05f033d8496..b7bd5138bdaf 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2482,12 +2482,26 @@ static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events,
 
 	io_init_req_batch(&rb);
 	while (!list_empty(done)) {
+		struct io_uring_cqe *cqe;
+		unsigned cflags;
+
 		req = list_first_entry(done, struct io_kiocb, inflight_entry);
 		list_del(&req->inflight_entry);
-
-		io_fill_cqe_req(req, req->result, io_put_rw_kbuf(req));
+		cflags = io_put_rw_kbuf(req);
 		(*nr_events)++;
 
+		cqe = io_get_cqe(ctx);
+		if (cqe) {
+			WRITE_ONCE(cqe->user_data, req->user_data);
+			WRITE_ONCE(cqe->res, req->result);
+			WRITE_ONCE(cqe->flags, cflags);
+		} else {
+			spin_lock(&ctx->completion_lock);
+			io_cqring_event_overflow(ctx, req->user_data,
+							req->result, cflags);
+			spin_unlock(&ctx->completion_lock);
+		}
+
 		if (req_ref_put_and_test(req))
 			io_req_free_batch(&rb, req, &ctx->submit_state);
 	}
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 29/98] io_uring: fix CQ waiting timeout handling
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 28/98] io_uring: lock overflowing for IOPOLL Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 30/98] io_uring: ensure that cached task references are always put on exit Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pavel Begunkov, Jens Axboe, Sasha Levin

From: Pavel Begunkov <asml.silence@gmail.com>

commit 12521a5d5cb7ff0ad43eadfc9c135d86e1131fa8 upstream.

Jiffy to ktime CQ waiting conversion broke how we treat timeouts, in
particular we rearm it anew every time we get into
io_cqring_wait_schedule() without adjusting the timeout. Waiting for 2
CQEs and getting a task_work in the middle may double the timeout value,
or even worse in some cases task may wait indefinitely.

Cc: stable@vger.kernel.org
Fixes: 228339662b398 ("io_uring: don't convert to jiffies for waiting on timeouts")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/f7bffddd71b08f28a877d44d37ac953ddb01590d.1672915663.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index b7bd5138bdaf..e8852d56b1ec 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -7518,7 +7518,7 @@ static int io_run_task_work_sig(void)
 /* when returns >0, the caller should retry */
 static inline int io_cqring_wait_schedule(struct io_ring_ctx *ctx,
 					  struct io_wait_queue *iowq,
-					  ktime_t timeout)
+					  ktime_t *timeout)
 {
 	int ret;
 
@@ -7530,7 +7530,7 @@ static inline int io_cqring_wait_schedule(struct io_ring_ctx *ctx,
 	if (test_bit(0, &ctx->check_cq_overflow))
 		return 1;
 
-	if (!schedule_hrtimeout(&timeout, HRTIMER_MODE_ABS))
+	if (!schedule_hrtimeout(timeout, HRTIMER_MODE_ABS))
 		return -ETIME;
 	return 1;
 }
@@ -7593,7 +7593,7 @@ static int io_cqring_wait(struct io_ring_ctx *ctx, int min_events,
 		}
 		prepare_to_wait_exclusive(&ctx->cq_wait, &iowq.wq,
 						TASK_INTERRUPTIBLE);
-		ret = io_cqring_wait_schedule(ctx, &iowq, timeout);
+		ret = io_cqring_wait_schedule(ctx, &iowq, &timeout);
 		finish_wait(&ctx->cq_wait, &iowq.wq);
 		cond_resched();
 	} while (ret > 0);
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 30/98] io_uring: ensure that cached task references are always put on exit
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 29/98] io_uring: fix CQ waiting timeout handling Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 31/98] io_uring: remove duplicated calls to io_kiocb_ppos Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Homin Rhee, Jens Axboe, Sasha Levin

From: Jens Axboe <axboe@kernel.dk>

commit e775f93f2ab976a2cdb4a7b53063cbe890904f73 upstream.

io_uring caches task references to avoid doing atomics for each of them
per request. If a request is put from the same task that allocated it,
then we can maintain a per-ctx cache of them. This obviously relies
on io_uring always pruning caches in a reliable way, and there's
currently a case off io_uring fd release where we can miss that.

One example is a ring setup with IOPOLL, which relies on the task
polling for completions, which will free them. However, if such a task
submits a request and then exits or closes the ring without reaping
the completion, then ring release will reap and put. If release happens
from that very same task, the completed request task refs will get
put back into the cache pool. This is problematic, as we're now beyond
the point of pruning caches.

Manually drop these caches after doing an IOPOLL reap. This releases
references from the current task, which is enough. If another task
happens to be doing the release, then the caching will not be
triggered and there's no issue.

Cc: stable@vger.kernel.org
Fixes: e98e49b2bbf7 ("io_uring: extend task put optimisations")
Reported-by: Homin Rhee <hominlab@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index e8852d56b1ec..f8a0d228d799 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -9513,6 +9513,10 @@ static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
 	/* if we failed setting up the ctx, we might not have any rings */
 	io_iopoll_try_reap_events(ctx);
 
+	/* drop cached put refs after potentially doing completions */
+	if (current->io_uring)
+		io_uring_drop_tctx_refs(current);
+
 	INIT_WORK(&ctx->exit_work, io_ring_exit_work);
 	/*
 	 * Use system_unbound_wq to avoid spawning tons of event kworkers
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 31/98] io_uring: remove duplicated calls to io_kiocb_ppos
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 30/98] io_uring: ensure that cached task references are always put on exit Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 32/98] io_uring: update kiocb->ki_pos at execution time Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dylan Yudaken, Pavel Begunkov,
	Jens Axboe, Sasha Levin

From: Dylan Yudaken <dylany@fb.com>

commit af9c45ecebaf1b428306f41421f4bcffe439f735 upstream.

io_kiocb_ppos is called in both branches, and it seems that the compiler
does not fuse this. Fusing removes a few bytes from loop_rw_iter.

Before:
$ nm -S fs/io_uring.o | grep loop_rw_iter
0000000000002430 0000000000000124 t loop_rw_iter

After:
$ nm -S fs/io_uring.o | grep loop_rw_iter
0000000000002430 000000000000010d t loop_rw_iter

Signed-off-by: Dylan Yudaken <dylany@fb.com>
Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index f8a0d228d799..d8926475cd88 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3300,6 +3300,7 @@ static ssize_t loop_rw_iter(int rw, struct io_kiocb *req, struct iov_iter *iter)
 	struct kiocb *kiocb = &req->rw.kiocb;
 	struct file *file = req->file;
 	ssize_t ret = 0;
+	loff_t *ppos;
 
 	/*
 	 * Don't support polled IO through this interface, and we can't
@@ -3311,6 +3312,8 @@ static ssize_t loop_rw_iter(int rw, struct io_kiocb *req, struct iov_iter *iter)
 	if (kiocb->ki_flags & IOCB_NOWAIT)
 		return -EAGAIN;
 
+	ppos = io_kiocb_ppos(kiocb);
+
 	while (iov_iter_count(iter)) {
 		struct iovec iovec;
 		ssize_t nr;
@@ -3324,10 +3327,10 @@ static ssize_t loop_rw_iter(int rw, struct io_kiocb *req, struct iov_iter *iter)
 
 		if (rw == READ) {
 			nr = file->f_op->read(file, iovec.iov_base,
-					      iovec.iov_len, io_kiocb_ppos(kiocb));
+					      iovec.iov_len, ppos);
 		} else {
 			nr = file->f_op->write(file, iovec.iov_base,
-					       iovec.iov_len, io_kiocb_ppos(kiocb));
+					       iovec.iov_len, ppos);
 		}
 
 		if (nr < 0) {
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 32/98] io_uring: update kiocb->ki_pos at execution time
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 31/98] io_uring: remove duplicated calls to io_kiocb_ppos Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 33/98] io_uring: do not recalculate ppos unnecessarily Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dylan Yudaken, Pavel Begunkov,
	Jens Axboe, Sasha Levin

From: Dylan Yudaken <dylany@fb.com>

commit d34e1e5b396a0dbaa4a29b7138df662cfb9d8e8e upstream.

Update kiocb->ki_pos at execution time rather than in io_prep_rw().
io_prep_rw() happens before the job is enqueued to a worker and so the
offset might be read multiple times before being executed once.

Ensures that the file position in a set of _linked_ SQEs will be only
obtained after earlier SQEs have completed, and so will include their
incremented file position.

Signed-off-by: Dylan Yudaken <dylany@fb.com>
Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index d8926475cd88..eaf8463c9b14 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2919,14 +2919,6 @@ static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe,
 		req->flags |= REQ_F_ISREG;
 
 	kiocb->ki_pos = READ_ONCE(sqe->off);
-	if (kiocb->ki_pos == -1) {
-		if (!(file->f_mode & FMODE_STREAM)) {
-			req->flags |= REQ_F_CUR_POS;
-			kiocb->ki_pos = file->f_pos;
-		} else {
-			kiocb->ki_pos = 0;
-		}
-	}
 	kiocb->ki_hint = ki_hint_validate(file_write_hint(kiocb->ki_filp));
 	kiocb->ki_flags = iocb_flags(kiocb->ki_filp);
 	ret = kiocb_set_rw_flags(kiocb, READ_ONCE(sqe->rw_flags));
@@ -3008,6 +3000,20 @@ static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
 	}
 }
 
+static inline void io_kiocb_update_pos(struct io_kiocb *req)
+{
+	struct kiocb *kiocb = &req->rw.kiocb;
+
+	if (kiocb->ki_pos == -1) {
+		if (!(req->file->f_mode & FMODE_STREAM)) {
+			req->flags |= REQ_F_CUR_POS;
+			kiocb->ki_pos = req->file->f_pos;
+		} else {
+			kiocb->ki_pos = 0;
+		}
+	}
+}
+
 static void kiocb_done(struct kiocb *kiocb, ssize_t ret,
 		       unsigned int issue_flags)
 {
@@ -3563,6 +3569,8 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags)
 		return ret ?: -EAGAIN;
 	}
 
+	io_kiocb_update_pos(req);
+
 	ret = rw_verify_area(READ, req->file, io_kiocb_ppos(kiocb), req->result);
 	if (unlikely(ret)) {
 		kfree(iovec);
@@ -3697,6 +3705,8 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags)
 	    (req->flags & REQ_F_ISREG))
 		goto copy_iov;
 
+	io_kiocb_update_pos(req);
+
 	ret = rw_verify_area(WRITE, req->file, io_kiocb_ppos(kiocb), req->result);
 	if (unlikely(ret))
 		goto out_free;
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 33/98] io_uring: do not recalculate ppos unnecessarily
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 32/98] io_uring: update kiocb->ki_pos at execution time Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 34/98] io_uring/rw: defer fsnotify calls to task context Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dylan Yudaken, Pavel Begunkov,
	Jens Axboe, Sasha Levin

From: Dylan Yudaken <dylany@fb.com>

commit b4aec40015953b65f2f114641e7fd7714c8df8e6 upstream.

There is a slight optimisation to be had by calculating the correct pos
pointer inside io_kiocb_update_pos and then using that later.

It seems code size drops by a bit:
000000000000a1b0 0000000000000400 t io_read
000000000000a5b0 0000000000000319 t io_write

vs
000000000000a1b0 00000000000003f6 t io_read
000000000000a5b0 0000000000000310 t io_write

Signed-off-by: Dylan Yudaken <dylany@fb.com>
Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index eaf8463c9b14..d4e017b07371 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3000,18 +3000,22 @@ static inline void io_rw_done(struct kiocb *kiocb, ssize_t ret)
 	}
 }
 
-static inline void io_kiocb_update_pos(struct io_kiocb *req)
+static inline loff_t *io_kiocb_update_pos(struct io_kiocb *req)
 {
 	struct kiocb *kiocb = &req->rw.kiocb;
+	bool is_stream = req->file->f_mode & FMODE_STREAM;
 
 	if (kiocb->ki_pos == -1) {
-		if (!(req->file->f_mode & FMODE_STREAM)) {
+		if (!is_stream) {
 			req->flags |= REQ_F_CUR_POS;
 			kiocb->ki_pos = req->file->f_pos;
+			return &kiocb->ki_pos;
 		} else {
 			kiocb->ki_pos = 0;
+			return NULL;
 		}
 	}
+	return is_stream ? NULL : &kiocb->ki_pos;
 }
 
 static void kiocb_done(struct kiocb *kiocb, ssize_t ret,
@@ -3537,6 +3541,7 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags)
 	bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
 	struct iov_iter_state __state, *state;
 	ssize_t ret, ret2;
+	loff_t *ppos;
 
 	if (rw) {
 		iter = &rw->iter;
@@ -3569,9 +3574,9 @@ static int io_read(struct io_kiocb *req, unsigned int issue_flags)
 		return ret ?: -EAGAIN;
 	}
 
-	io_kiocb_update_pos(req);
+	ppos = io_kiocb_update_pos(req);
 
-	ret = rw_verify_area(READ, req->file, io_kiocb_ppos(kiocb), req->result);
+	ret = rw_verify_area(READ, req->file, ppos, req->result);
 	if (unlikely(ret)) {
 		kfree(iovec);
 		return ret;
@@ -3675,6 +3680,7 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags)
 	bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
 	struct iov_iter_state __state, *state;
 	ssize_t ret, ret2;
+	loff_t *ppos;
 
 	if (rw) {
 		iter = &rw->iter;
@@ -3705,9 +3711,9 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags)
 	    (req->flags & REQ_F_ISREG))
 		goto copy_iov;
 
-	io_kiocb_update_pos(req);
+	ppos = io_kiocb_update_pos(req);
 
-	ret = rw_verify_area(WRITE, req->file, io_kiocb_ppos(kiocb), req->result);
+	ret = rw_verify_area(WRITE, req->file, ppos, req->result);
 	if (unlikely(ret))
 		goto out_free;
 
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 34/98] io_uring/rw: defer fsnotify calls to task context
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 33/98] io_uring: do not recalculate ppos unnecessarily Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 35/98] xhci-pci: set the dma max_seg_size Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+dfcc5f4da15868df7d4d,
	Jan Kara, Jens Axboe, Sasha Levin

From: Jens Axboe <axboe@kernel.dk>

commit b000145e9907809406d8164c3b2b8861d95aecd1 upstream.

We can't call these off the kiocb completion as that might be off
soft/hard irq context. Defer the calls to when we process the
task_work for this request. That avoids valid complaints like:

stack backtrace:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_usage_bug kernel/locking/lockdep.c:3961 [inline]
 valid_state kernel/locking/lockdep.c:3973 [inline]
 mark_lock_irq kernel/locking/lockdep.c:4176 [inline]
 mark_lock.part.0.cold+0x18/0xd8 kernel/locking/lockdep.c:4632
 mark_lock kernel/locking/lockdep.c:4596 [inline]
 mark_usage kernel/locking/lockdep.c:4527 [inline]
 __lock_acquire+0x11d9/0x56d0 kernel/locking/lockdep.c:5007
 lock_acquire kernel/locking/lockdep.c:5666 [inline]
 lock_acquire+0x1ab/0x570 kernel/locking/lockdep.c:5631
 __fs_reclaim_acquire mm/page_alloc.c:4674 [inline]
 fs_reclaim_acquire+0x115/0x160 mm/page_alloc.c:4688
 might_alloc include/linux/sched/mm.h:271 [inline]
 slab_pre_alloc_hook mm/slab.h:700 [inline]
 slab_alloc mm/slab.c:3278 [inline]
 __kmem_cache_alloc_lru mm/slab.c:3471 [inline]
 kmem_cache_alloc+0x39/0x520 mm/slab.c:3491
 fanotify_alloc_fid_event fs/notify/fanotify/fanotify.c:580 [inline]
 fanotify_alloc_event fs/notify/fanotify/fanotify.c:813 [inline]
 fanotify_handle_event+0x1130/0x3f40 fs/notify/fanotify/fanotify.c:948
 send_to_group fs/notify/fsnotify.c:360 [inline]
 fsnotify+0xafb/0x1680 fs/notify/fsnotify.c:570
 __fsnotify_parent+0x62f/0xa60 fs/notify/fsnotify.c:230
 fsnotify_parent include/linux/fsnotify.h:77 [inline]
 fsnotify_file include/linux/fsnotify.h:99 [inline]
 fsnotify_access include/linux/fsnotify.h:309 [inline]
 __io_complete_rw_common+0x485/0x720 io_uring/rw.c:195
 io_complete_rw+0x1a/0x1f0 io_uring/rw.c:228
 iomap_dio_complete_work fs/iomap/direct-io.c:144 [inline]
 iomap_dio_bio_end_io+0x438/0x5e0 fs/iomap/direct-io.c:178
 bio_endio+0x5f9/0x780 block/bio.c:1564
 req_bio_endio block/blk-mq.c:695 [inline]
 blk_update_request+0x3fc/0x1300 block/blk-mq.c:825
 scsi_end_request+0x7a/0x9a0 drivers/scsi/scsi_lib.c:541
 scsi_io_completion+0x173/0x1f70 drivers/scsi/scsi_lib.c:971
 scsi_complete+0x122/0x3b0 drivers/scsi/scsi_lib.c:1438
 blk_complete_reqs+0xad/0xe0 block/blk-mq.c:1022
 __do_softirq+0x1d3/0x9c6 kernel/softirq.c:571
 invoke_softirq kernel/softirq.c:445 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
 common_interrupt+0xa9/0xc0 arch/x86/kernel/irq.c:240

Fixes: f63cf5192fe3 ("io_uring: ensure that fsnotify is always called")
Link: https://lore.kernel.org/all/20220929135627.ykivmdks2w5vzrwg@quack3/
Reported-by: syzbot+dfcc5f4da15868df7d4d@syzkaller.appspotmail.com
Reported-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 io_uring/io_uring.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index d4e017b07371..33e6e1011105 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2702,12 +2702,6 @@ static bool io_rw_should_reissue(struct io_kiocb *req)
 
 static bool __io_complete_rw_common(struct io_kiocb *req, long res)
 {
-	if (req->rw.kiocb.ki_flags & IOCB_WRITE) {
-		kiocb_end_write(req);
-		fsnotify_modify(req->file);
-	} else {
-		fsnotify_access(req->file);
-	}
 	if (res != req->result) {
 		if ((res == -EAGAIN || res == -EOPNOTSUPP) &&
 		    io_rw_should_reissue(req)) {
@@ -2760,6 +2754,20 @@ static void __io_complete_rw(struct io_kiocb *req, long res, long res2,
 	__io_req_complete(req, issue_flags, io_fixup_rw_res(req, res), io_put_rw_kbuf(req));
 }
 
+static void io_req_rw_complete(struct io_kiocb *req, bool *locked)
+{
+	struct io_rw *rw = &req->rw;
+
+	if (rw->kiocb.ki_flags & IOCB_WRITE) {
+		kiocb_end_write(req);
+		fsnotify_modify(req->file);
+	} else {
+		fsnotify_access(req->file);
+	}
+
+	io_req_task_complete(req, locked);
+}
+
 static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
 {
 	struct io_kiocb *req = container_of(kiocb, struct io_kiocb, rw.kiocb);
@@ -2767,7 +2775,7 @@ static void io_complete_rw(struct kiocb *kiocb, long res, long res2)
 	if (__io_complete_rw_common(req, res))
 		return;
 	req->result = io_fixup_rw_res(req, res);
-	req->io_task_work.func = io_req_task_complete;
+	req->io_task_work.func = io_req_rw_complete;
 	io_req_task_work_add(req);
 }
 
-- 
2.39.0




^ permalink raw reply related	[flat|nested] 103+ messages in thread

* [PATCH 5.10 35/98] xhci-pci: set the dma max_seg_size
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 34/98] io_uring/rw: defer fsnotify calls to task context Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 36/98] usb: xhci: Check endpoint is valid before dereferencing it Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Ricardo Ribalda,
	Mathias Nyman

From: Ricardo Ribalda <ribalda@chromium.org>

commit 93915a4170e9defd56a767a18e6c4076f3d18609 upstream.

Allow devices to have dma operations beyond 64K, and avoid warnings such
as:

xhci_hcd 0000:00:14.0: mapping sg segment longer than device claims to support [len=98304] [max=65536]

Cc: stable@vger.kernel.org
Cc: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20230116142216.1141605-2-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-pci.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -451,6 +451,8 @@ static int xhci_pci_probe(struct pci_dev
 	if (xhci->quirks & XHCI_DEFAULT_PM_RUNTIME_ALLOW)
 		pm_runtime_allow(&dev->dev);
 
+	dma_set_max_seg_size(&dev->dev, UINT_MAX);
+
 	return 0;
 
 put_usb3_hcd:



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 36/98] usb: xhci: Check endpoint is valid before dereferencing it
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 35/98] xhci-pci: set the dma max_seg_size Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 37/98] xhci: Fix null pointer dereference when host dies Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jimmy Hu, Mathias Nyman

From: Jimmy Hu <hhhuuu@google.com>

commit e8fb5bc76eb86437ab87002d4a36d6da02165654 upstream.

When the host controller is not responding, all URBs queued to all
endpoints need to be killed. This can cause a kernel panic if we
dereference an invalid endpoint.

Fix this by using xhci_get_virt_ep() helper to find the endpoint and
checking if the endpoint is valid before dereferencing it.

[233311.853271] xhci-hcd xhci-hcd.1.auto: xHCI host controller not responding, assume dead
[233311.853393] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000e8

[233311.853964] pc : xhci_hc_died+0x10c/0x270
[233311.853971] lr : xhci_hc_died+0x1ac/0x270

[233311.854077] Call trace:
[233311.854085]  xhci_hc_died+0x10c/0x270
[233311.854093]  xhci_stop_endpoint_command_watchdog+0x100/0x1a4
[233311.854105]  call_timer_fn+0x50/0x2d4
[233311.854112]  expire_timers+0xac/0x2e4
[233311.854118]  run_timer_softirq+0x300/0xabc
[233311.854127]  __do_softirq+0x148/0x528
[233311.854135]  irq_exit+0x194/0x1a8
[233311.854143]  __handle_domain_irq+0x164/0x1d0
[233311.854149]  gic_handle_irq.22273+0x10c/0x188
[233311.854156]  el1_irq+0xfc/0x1a8
[233311.854175]  lpm_cpuidle_enter+0x25c/0x418 [msm_pm]
[233311.854185]  cpuidle_enter_state+0x1f0/0x764
[233311.854194]  do_idle+0x594/0x6ac
[233311.854201]  cpu_startup_entry+0x7c/0x80
[233311.854209]  secondary_start_kernel+0x170/0x198

Fixes: 50e8725e7c42 ("xhci: Refactor command watchdog and fix split string.")
Cc: stable@vger.kernel.org
Signed-off-by: Jimmy Hu <hhhuuu@google.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Message-ID: <0fe978ed-8269-9774-1c40-f8a98c17e838@linux.intel.com>
Link: https://lore.kernel.org/r/20230116142216.1141605-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-ring.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1044,7 +1044,10 @@ static void xhci_kill_endpoint_urbs(stru
 	struct xhci_virt_ep *ep;
 	struct xhci_ring *ring;
 
-	ep = &xhci->devs[slot_id]->eps[ep_index];
+	ep = xhci_get_virt_ep(xhci, slot_id, ep_index);
+	if (!ep)
+		return;
+
 	if ((ep->ep_state & EP_HAS_STREAMS) ||
 			(ep->ep_state & EP_GETTING_NO_STREAMS)) {
 		int stream_id;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 37/98] xhci: Fix null pointer dereference when host dies
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 36/98] usb: xhci: Check endpoint is valid before dereferencing it Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 38/98] xhci: Add update_hub_device override for PCI xHCI hosts Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mathias Nyman

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit a2bc47c43e70cf904b1af49f76d572326c08bca7 upstream.

Make sure xhci_free_dev() and xhci_kill_endpoint_urbs() do not race
and cause null pointer dereference when host suddenly dies.

Usb core may call xhci_free_dev() which frees the xhci->devs[slot_id]
virt device at the same time that xhci_kill_endpoint_urbs() tries to
loop through all the device's endpoints, checking if there are any
cancelled urbs left to give back.

hold the xhci spinlock while freeing the virt device

Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20230116142216.1141605-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3919,6 +3919,7 @@ static void xhci_free_dev(struct usb_hcd
 	struct xhci_hcd *xhci = hcd_to_xhci(hcd);
 	struct xhci_virt_device *virt_dev;
 	struct xhci_slot_ctx *slot_ctx;
+	unsigned long flags;
 	int i, ret;
 
 	/*
@@ -3947,7 +3948,11 @@ static void xhci_free_dev(struct usb_hcd
 	}
 	virt_dev->udev = NULL;
 	xhci_disable_slot(xhci, udev->slot_id);
+
+	spin_lock_irqsave(&xhci->lock, flags);
 	xhci_free_virt_device(xhci, udev->slot_id);
+	spin_unlock_irqrestore(&xhci->lock, flags);
+
 }
 
 int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id)



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 38/98] xhci: Add update_hub_device override for PCI xHCI hosts
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 37/98] xhci: Fix null pointer dereference when host dies Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 39/98] xhci: Add a flag to disable USB3 lpm on a xhci root port level Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mathias Nyman

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 23a3b8d5a2365653fd9bc5a9454d1e7f4facbf85 upstream.

Allow PCI hosts to check and tune roothub and port settings
before the hub is up and running.

This override is needed to turn off U1 and U2 LPM for some ports
based on per port ACPI _DSM, _UPC, or possibly vendor specific mmio
values for Intel xHC hosts.

Usb core calls the host update_hub_device once it creates a hub.

Entering U1 or U2 link power save state on ports with this limitation
will cause link to fail, turning the usb device unusable in that setup.

Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20230116142216.1141605-5-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-pci.c |    9 +++++++++
 drivers/usb/host/xhci.c     |    5 ++++-
 drivers/usb/host/xhci.h     |    4 ++++
 3 files changed, 17 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -77,9 +77,12 @@ static const char hcd_name[] = "xhci_hcd
 static struct hc_driver __read_mostly xhci_pci_hc_driver;
 
 static int xhci_pci_setup(struct usb_hcd *hcd);
+static int xhci_pci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev,
+				      struct usb_tt *tt, gfp_t mem_flags);
 
 static const struct xhci_driver_overrides xhci_pci_overrides __initconst = {
 	.reset = xhci_pci_setup,
+	.update_hub_device = xhci_pci_update_hub_device,
 };
 
 /* called after powerup, by probe or system-pm "wakeup" */
@@ -382,6 +385,12 @@ static int xhci_pci_setup(struct usb_hcd
 	return xhci_pci_reinit(xhci, pdev);
 }
 
+static int xhci_pci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev,
+				      struct usb_tt *tt, gfp_t mem_flags)
+{
+	return xhci_update_hub_device(hcd, hdev, tt, mem_flags);
+}
+
 /*
  * We need to register our own PCI probe function (instead of the USB core's
  * function) in order to create a second roothub under xHCI.
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -5081,7 +5081,7 @@ static int xhci_disable_usb3_lpm_timeout
 /* Once a hub descriptor is fetched for a device, we need to update the xHC's
  * internal data structures for the device.
  */
-static int xhci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev,
+int xhci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev,
 			struct usb_tt *tt, gfp_t mem_flags)
 {
 	struct xhci_hcd *xhci = hcd_to_xhci(hcd);
@@ -5181,6 +5181,7 @@ static int xhci_update_hub_device(struct
 	xhci_free_command(xhci, config_cmd);
 	return ret;
 }
+EXPORT_SYMBOL_GPL(xhci_update_hub_device);
 
 static int xhci_get_frame(struct usb_hcd *hcd)
 {
@@ -5451,6 +5452,8 @@ void xhci_init_driver(struct hc_driver *
 			drv->check_bandwidth = over->check_bandwidth;
 		if (over->reset_bandwidth)
 			drv->reset_bandwidth = over->reset_bandwidth;
+		if (over->update_hub_device)
+			drv->update_hub_device = over->update_hub_device;
 	}
 }
 EXPORT_SYMBOL_GPL(xhci_init_driver);
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1933,6 +1933,8 @@ struct xhci_driver_overrides {
 	int (*start)(struct usb_hcd *hcd);
 	int (*check_bandwidth)(struct usb_hcd *, struct usb_device *);
 	void (*reset_bandwidth)(struct usb_hcd *, struct usb_device *);
+	int (*update_hub_device)(struct usb_hcd *hcd, struct usb_device *hdev,
+			    struct usb_tt *tt, gfp_t mem_flags);
 };
 
 #define	XHCI_CFC_DELAY		10
@@ -2089,6 +2091,8 @@ void xhci_init_driver(struct hc_driver *
 		      const struct xhci_driver_overrides *over);
 int xhci_check_bandwidth(struct usb_hcd *hcd, struct usb_device *udev);
 void xhci_reset_bandwidth(struct usb_hcd *hcd, struct usb_device *udev);
+int xhci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev,
+			   struct usb_tt *tt, gfp_t mem_flags);
 int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id);
 int xhci_ext_cap_init(struct xhci_hcd *xhci);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 39/98] xhci: Add a flag to disable USB3 lpm on a xhci root port level.
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 38/98] xhci: Add update_hub_device override for PCI xHCI hosts Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 40/98] usb: acpi: add helper to check port lpm capability using acpi _DSM Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mathias Nyman

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 0522b9a1653048440da5f21747f21e498b9220d1 upstream.

One USB3 roothub port may support link power management, while another
root port on the same xHC can't due to different retimers used for
the ports.

This is the case with Intel Alder Lake, and possible future platforms
where retimers used for USB4 ports cause too long exit latecy to
enable native USB3 lpm U1 and U2 states.

Add a flag in the xhci port structure to indicate if the port is
lpm_incapable, and check it while calculating exit latency.

Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20230116142216.1141605-6-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci.c |    8 ++++++++
 drivers/usb/host/xhci.h |    1 +
 2 files changed, 9 insertions(+)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -5009,6 +5009,7 @@ static int xhci_enable_usb3_lpm_timeout(
 			struct usb_device *udev, enum usb3_link_state state)
 {
 	struct xhci_hcd	*xhci;
+	struct xhci_port *port;
 	u16 hub_encoded_timeout;
 	int mel;
 	int ret;
@@ -5022,6 +5023,13 @@ static int xhci_enable_usb3_lpm_timeout(
 			!xhci->devs[udev->slot_id])
 		return USB3_LPM_DISABLED;
 
+	/* If connected to root port then check port can handle lpm */
+	if (udev->parent && !udev->parent->parent) {
+		port = xhci->usb3_rhub.ports[udev->portnum - 1];
+		if (port->lpm_incapable)
+			return USB3_LPM_DISABLED;
+	}
+
 	hub_encoded_timeout = xhci_calculate_lpm_timeout(hcd, udev, state);
 	mel = calculate_max_exit_latency(udev, state, hub_encoded_timeout);
 	if (mel < 0) {
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1728,6 +1728,7 @@ struct xhci_port {
 	int			hcd_portnum;
 	struct xhci_hub		*rhub;
 	struct xhci_port_cap	*port_cap;
+	unsigned int		lpm_incapable:1;
 };
 
 struct xhci_hub {



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 40/98] usb: acpi: add helper to check port lpm capability using acpi _DSM
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 39/98] xhci: Add a flag to disable USB3 lpm on a xhci root port level Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 41/98] xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ron Lee, Mathias Nyman

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit cd702d18c882d5a4ea44bbdb38edd5d5577ef640 upstream.

Add a helper to evaluate ACPI usb device specific method (_DSM) provided
in case the USB3 port shouldn't enter U1 and U2 link states.

This _DSM was added as port specific retimer configuration may lead to
exit latencies growing beyond U1/U2 exit limits, and OS needs a way to
find which ports can't support U1/U2 link power management states.

This _DSM is also used by windows:
Link: https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/usb-device-specific-method---dsm-

Some patch issues found in testing resolved by Ron Lee

Cc: stable@vger.kernel.org
Tested-by: Ron Lee <ron.lee@intel.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20230116142216.1141605-7-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/usb-acpi.c |   65 ++++++++++++++++++++++++++++++++++++++++++++
 include/linux/usb.h         |    3 ++
 2 files changed, 68 insertions(+)

--- a/drivers/usb/core/usb-acpi.c
+++ b/drivers/usb/core/usb-acpi.c
@@ -37,6 +37,71 @@ bool usb_acpi_power_manageable(struct us
 }
 EXPORT_SYMBOL_GPL(usb_acpi_power_manageable);
 
+#define UUID_USB_CONTROLLER_DSM "ce2ee385-00e6-48cb-9f05-2edb927c4899"
+#define USB_DSM_DISABLE_U1_U2_FOR_PORT	5
+
+/**
+ * usb_acpi_port_lpm_incapable - check if lpm should be disabled for a port.
+ * @hdev: USB device belonging to the usb hub
+ * @index: zero based port index
+ *
+ * Some USB3 ports may not support USB3 link power management U1/U2 states
+ * due to different retimer setup. ACPI provides _DSM method which returns 0x01
+ * if U1 and U2 states should be disabled. Evaluate _DSM with:
+ * Arg0: UUID = ce2ee385-00e6-48cb-9f05-2edb927c4899
+ * Arg1: Revision ID = 0
+ * Arg2: Function Index = 5
+ * Arg3: (empty)
+ *
+ * Return 1 if USB3 port is LPM incapable, negative on error, otherwise 0
+ */
+
+int usb_acpi_port_lpm_incapable(struct usb_device *hdev, int index)
+{
+	union acpi_object *obj;
+	acpi_handle port_handle;
+	int port1 = index + 1;
+	guid_t guid;
+	int ret;
+
+	ret = guid_parse(UUID_USB_CONTROLLER_DSM, &guid);
+	if (ret)
+		return ret;
+
+	port_handle = usb_get_hub_port_acpi_handle(hdev, port1);
+	if (!port_handle) {
+		dev_dbg(&hdev->dev, "port-%d no acpi handle\n", port1);
+		return -ENODEV;
+	}
+
+	if (!acpi_check_dsm(port_handle, &guid, 0,
+			    BIT(USB_DSM_DISABLE_U1_U2_FOR_PORT))) {
+		dev_dbg(&hdev->dev, "port-%d no _DSM function %d\n",
+			port1, USB_DSM_DISABLE_U1_U2_FOR_PORT);
+		return -ENODEV;
+	}
+
+	obj = acpi_evaluate_dsm(port_handle, &guid, 0,
+				USB_DSM_DISABLE_U1_U2_FOR_PORT, NULL);
+
+	if (!obj)
+		return -ENODEV;
+
+	if (obj->type != ACPI_TYPE_INTEGER) {
+		dev_dbg(&hdev->dev, "evaluate port-%d _DSM failed\n", port1);
+		ACPI_FREE(obj);
+		return -EINVAL;
+	}
+
+	if (obj->integer.value == 0x01)
+		ret = 1;
+
+	ACPI_FREE(obj);
+
+	return ret;
+}
+EXPORT_SYMBOL_GPL(usb_acpi_port_lpm_incapable);
+
 /**
  * usb_acpi_set_power_state - control usb port's power via acpi power
  * resource
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -754,11 +754,14 @@ extern struct device *usb_intf_get_dma_d
 extern int usb_acpi_set_power_state(struct usb_device *hdev, int index,
 	bool enable);
 extern bool usb_acpi_power_manageable(struct usb_device *hdev, int index);
+extern int usb_acpi_port_lpm_incapable(struct usb_device *hdev, int index);
 #else
 static inline int usb_acpi_set_power_state(struct usb_device *hdev, int index,
 	bool enable) { return 0; }
 static inline bool usb_acpi_power_manageable(struct usb_device *hdev, int index)
 	{ return true; }
+static inline int usb_acpi_port_lpm_incapable(struct usb_device *hdev, int index)
+	{ return 0; }
 #endif
 
 /* USB autosuspend and autoresume */



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 41/98] xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 40/98] usb: acpi: add helper to check port lpm capability using acpi _DSM Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 42/98] prlimit: do_prlimit needs to have a speculation check Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mathias Nyman

From: Mathias Nyman <mathias.nyman@linux.intel.com>

commit 74622f0a81d0c2bcfc39f9192b788124e8c7f0af upstream.

USB3 ports on xHC hosts may have retimers that cause too long
exit latency to work with native USB3 U1/U2 link power management states.

For now only use usb_acpi_port_lpm_incapable() to evaluate if port lpm
should be disabled while setting up the USB3 roothub.

Other ways to identify lpm incapable ports can be added here later if
ACPI _DSM does not exist.

Limit this to Intel hosts for now, this is to my knowledge only
an Intel issue.

Cc: stable@vger.kernel.org
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20230116142216.1141605-8-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-pci.c |   34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -351,8 +351,38 @@ static void xhci_pme_acpi_rtd3_enable(st
 				NULL);
 	ACPI_FREE(obj);
 }
+
+static void xhci_find_lpm_incapable_ports(struct usb_hcd *hcd, struct usb_device *hdev)
+{
+	struct xhci_hcd	*xhci = hcd_to_xhci(hcd);
+	struct xhci_hub *rhub = &xhci->usb3_rhub;
+	int ret;
+	int i;
+
+	/* This is not the usb3 roothub we are looking for */
+	if (hcd != rhub->hcd)
+		return;
+
+	if (hdev->maxchild > rhub->num_ports) {
+		dev_err(&hdev->dev, "USB3 roothub port number mismatch\n");
+		return;
+	}
+
+	for (i = 0; i < hdev->maxchild; i++) {
+		ret = usb_acpi_port_lpm_incapable(hdev, i);
+
+		dev_dbg(&hdev->dev, "port-%d disable U1/U2 _DSM: %d\n", i + 1, ret);
+
+		if (ret >= 0) {
+			rhub->ports[i]->lpm_incapable = ret;
+			continue;
+		}
+	}
+}
+
 #else
 static void xhci_pme_acpi_rtd3_enable(struct pci_dev *dev) { }
+static void xhci_find_lpm_incapable_ports(struct usb_hcd *hcd, struct usb_device *hdev) { }
 #endif /* CONFIG_ACPI */
 
 /* called during probe() after chip reset completes */
@@ -388,6 +418,10 @@ static int xhci_pci_setup(struct usb_hcd
 static int xhci_pci_update_hub_device(struct usb_hcd *hcd, struct usb_device *hdev,
 				      struct usb_tt *tt, gfp_t mem_flags)
 {
+	/* Check if acpi claims some USB3 roothub ports are lpm incapable */
+	if (!hdev->parent)
+		xhci_find_lpm_incapable_ports(hcd, hdev);
+
 	return xhci_update_hub_device(hcd, hdev, tt, mem_flags);
 }
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 42/98] prlimit: do_prlimit needs to have a speculation check
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 41/98] xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:03 ` [PATCH 5.10 43/98] USB: serial: option: add Quectel EM05-G (GR) modem Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jordy Zomer, Linus Torvalds

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 739790605705ddcf18f21782b9c99ad7d53a8c11 upstream.

do_prlimit() adds the user-controlled resource value to a pointer that
will subsequently be dereferenced.  In order to help prevent this
codepath from being used as a spectre "gadget" a barrier needs to be
added after checking the range.

Reported-by: Jordy Zomer <jordyzomer@google.com>
Tested-by: Jordy Zomer <jordyzomer@google.com>
Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/sys.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1548,6 +1548,8 @@ int do_prlimit(struct task_struct *tsk,
 
 	if (resource >= RLIM_NLIMITS)
 		return -EINVAL;
+	resource = array_index_nospec(resource, RLIM_NLIMITS);
+
 	if (new_rlim) {
 		if (new_rlim->rlim_cur > new_rlim->rlim_max)
 			return -EINVAL;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 43/98] USB: serial: option: add Quectel EM05-G (GR) modem
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 42/98] prlimit: do_prlimit needs to have a speculation check Greg Kroah-Hartman
@ 2023-01-22 15:03 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 44/98] USB: serial: option: add Quectel EM05-G (CS) modem Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:03 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Duke Xin , Johan Hovold

From: Duke Xin(辛安文) <duke_xinanwen@163.com>

commit 6c331f32e32ac71eb3e8b93fceda2802d7ecb889 upstream.

The EM05-G (GR) modem has 2 USB configurations that are configurable via
the AT command AT+QCFG="usbnet",[ 0 | 2 ] which make the modem enumerate
with the following interfaces, respectively:

"RMNET" : AT + DIAG + NMEA + Modem + QMI
"MBIM"  : MBIM + AT + DIAG + NMEA + Modem

The detailed description of the USB configuration for each mode as follows:

RMNET Mode
--------------
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=0313 Rev= 3.18
S:  Manufacturer=Quectel
S:  Product=Quectel EM05-G
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

MBIM Mode
--------------
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=0313 Rev= 3.18
S:  Manufacturer=Quectel
S:  Product=Quectel EM05-G
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Duke Xin(辛安文) <duke_xinanwen@163.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -256,6 +256,7 @@ static void option_instat_callback(struc
 #define QUECTEL_PRODUCT_EM05G			0x030a
 #define QUECTEL_PRODUCT_EM060K			0x030b
 #define QUECTEL_PRODUCT_EM05G_SG		0x0311
+#define QUECTEL_PRODUCT_EM05G_GR		0x0313
 #define QUECTEL_PRODUCT_EM12			0x0512
 #define QUECTEL_PRODUCT_RM500Q			0x0800
 #define QUECTEL_PRODUCT_RM520N			0x0801
@@ -1161,6 +1162,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06, 0xff, 0, 0) },
 	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G, 0xff),
 	  .driver_info = RSVD(6) | ZLP },
+	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_GR, 0xff),
+	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_SG, 0xff),
 	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0x00, 0x40) },



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 44/98] USB: serial: option: add Quectel EM05-G (CS) modem
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2023-01-22 15:03 ` [PATCH 5.10 43/98] USB: serial: option: add Quectel EM05-G (GR) modem Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 45/98] USB: serial: option: add Quectel EM05-G (RS) modem Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Duke Xin , Johan Hovold

From: Duke Xin(辛安文) <duke_xinanwen@163.com>

commit bb78654b0b46316dac687fd4b7dc7cce636f46cd upstream.

The EM05-G (CS) modem has 2 USB configurations that are configurable via
the AT command AT+QCFG="usbnet",[ 0 | 2 ] which make the modem enumerate
with the following interfaces, respectively:

"RMNET" : AT + DIAG + NMEA + Modem + QMI
"MBIM"  : MBIM + AT + DIAG + NMEA + Modem

The detailed description of the USB configuration for each mode as follows:

RMNET Mode
--------------
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=030C Rev= 3.18
S:  Manufacturer=Quectel
S:  Product=Quectel EM05-G
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

MBIM Mode
--------------
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=030C Rev= 3.18
S:  Manufacturer=Quectel
S:  Product=Quectel EM05-G
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Duke Xin(辛安文) <duke_xinanwen@163.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -255,6 +255,7 @@ static void option_instat_callback(struc
 #define QUECTEL_PRODUCT_EP06			0x0306
 #define QUECTEL_PRODUCT_EM05G			0x030a
 #define QUECTEL_PRODUCT_EM060K			0x030b
+#define QUECTEL_PRODUCT_EM05G_CS		0x030c
 #define QUECTEL_PRODUCT_EM05G_SG		0x0311
 #define QUECTEL_PRODUCT_EM05G_GR		0x0313
 #define QUECTEL_PRODUCT_EM12			0x0512
@@ -1164,6 +1165,8 @@ static const struct usb_device_id option
 	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_GR, 0xff),
 	  .driver_info = RSVD(6) | ZLP },
+	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_CS, 0xff),
+	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_SG, 0xff),
 	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0x00, 0x40) },



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 45/98] USB: serial: option: add Quectel EM05-G (RS) modem
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 44/98] USB: serial: option: add Quectel EM05-G (CS) modem Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 46/98] USB: serial: option: add Quectel EC200U modem Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Duke Xin , Johan Hovold

From: Duke Xin(辛安文) <duke_xinanwen@163.com>

commit b72d13977689f0c717444010e108c4f20658dfee upstream.

The EM05-G (RS) modem has 2 USB configurations that are configurable via
the AT command AT+QCFG="usbnet",[ 0 | 2 ] which make the modem enumerate
with the following interfaces, respectively:

"RMNET" : AT + DIAG + NMEA + Modem + QMI
"MBIM"  : MBIM + AT + DIAG + NMEA + Modem

The detailed description of the USB configuration for each mode as follows:

RMNET Mode
--------------
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=0314 Rev= 3.18
S:  Manufacturer=Quectel
S:  Product=Quectel EM05-G
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

MBIM Mode
--------------
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=0314 Rev= 3.18
S:  Manufacturer=Quectel
S:  Product=Quectel EM05-G
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Duke Xin(辛安文) <duke_xinanwen@163.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -258,6 +258,7 @@ static void option_instat_callback(struc
 #define QUECTEL_PRODUCT_EM05G_CS		0x030c
 #define QUECTEL_PRODUCT_EM05G_SG		0x0311
 #define QUECTEL_PRODUCT_EM05G_GR		0x0313
+#define QUECTEL_PRODUCT_EM05G_RS		0x0314
 #define QUECTEL_PRODUCT_EM12			0x0512
 #define QUECTEL_PRODUCT_RM500Q			0x0800
 #define QUECTEL_PRODUCT_RM520N			0x0801
@@ -1167,6 +1168,8 @@ static const struct usb_device_id option
 	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_CS, 0xff),
 	  .driver_info = RSVD(6) | ZLP },
+	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_RS, 0xff),
+	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_SG, 0xff),
 	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM060K, 0xff, 0x00, 0x40) },



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 46/98] USB: serial: option: add Quectel EC200U modem
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 45/98] USB: serial: option: add Quectel EM05-G (RS) modem Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 47/98] USB: serial: option: add Quectel EM05CN (SG) modem Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ali Mirghasemi, Johan Hovold

From: Ali Mirghasemi <ali.mirghasemi1376@gmail.com>

commit d9bbb15881046bd76f8710c76e26a740eee997ef upstream.

Add support for EC200U modem

0x0901: EC200U - AT + AP + CP + NMEA + DIAG + MOS

usb-device output:
T: Bus=01 Lev=02 Prnt=02 Port=02 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=2c7c ProdID=0901 Rev= 3.18
S: Manufacturer=Android
S: Product=Android
C:* #Ifs= 9 Cfg#= 1 Atr=e0 MxPwr=400mA
A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=06 Prot=00 Driver=cdc_ether
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=03(Int.) MxPS= 512 Ivl=4096ms
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 7 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=89(I) Atr=03(Int.) MxPS= 512 Ivl=4096ms
I:* If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Ali Mirghasemi <ali.mirghasemi1376@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -262,6 +262,7 @@ static void option_instat_callback(struc
 #define QUECTEL_PRODUCT_EM12			0x0512
 #define QUECTEL_PRODUCT_RM500Q			0x0800
 #define QUECTEL_PRODUCT_RM520N			0x0801
+#define QUECTEL_PRODUCT_EC200U			0x0901
 #define QUECTEL_PRODUCT_EC200S_CN		0x6002
 #define QUECTEL_PRODUCT_EC200T			0x6026
 #define QUECTEL_PRODUCT_RM500K			0x7001
@@ -1189,6 +1190,7 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0xff, 0x30) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0, 0x40) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM520N, 0xff, 0, 0) },
+	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200U, 0xff, 0, 0) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500K, 0xff, 0x00, 0x00) },



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 47/98] USB: serial: option: add Quectel EM05CN (SG) modem
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 46/98] USB: serial: option: add Quectel EC200U modem Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 48/98] USB: serial: option: add Quectel EM05CN modem Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Duke Xin , Johan Hovold

From: Duke Xin(辛安文) <duke_xinanwen@163.com>

commit 1541dd0097c0f8f470e76eddf5120fc55a7e3101 upstream.

The EM05CN (SG) modem has 2 USB configurations that are configurable via the AT
command AT+QCFG="usbnet",[ 0 | 2 ] which make the modem enumerate with
the following interfaces, respectively:

"MBIM"  : AT + MBIM + DIAG + NMEA  + MODEM
"RMNET" : AT + DIAG + NMEA + Modem + QMI

The detailed description of the USB configuration for each mode as follows:

MBIM Mode
--------------
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=0310 Rev= 3.18
S:  Manufacturer=Quectel
S:  Product=Quectel EM05-CN
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 1 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 2 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 2 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

RMNET Mode
--------------
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=0310 Rev= 3.18
S:  Manufacturer=Quectel
S:  Product=Quectel EM05-CN
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Duke Xin(辛安文) <duke_xinanwen@163.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -256,6 +256,7 @@ static void option_instat_callback(struc
 #define QUECTEL_PRODUCT_EM05G			0x030a
 #define QUECTEL_PRODUCT_EM060K			0x030b
 #define QUECTEL_PRODUCT_EM05G_CS		0x030c
+#define QUECTEL_PRODUCT_EM05CN_SG		0x0310
 #define QUECTEL_PRODUCT_EM05G_SG		0x0311
 #define QUECTEL_PRODUCT_EM05G_GR		0x0313
 #define QUECTEL_PRODUCT_EM05G_RS		0x0314
@@ -1163,6 +1164,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06, 0xff, 0xff, 0xff),
 	  .driver_info = RSVD(1) | RSVD(2) | RSVD(3) | RSVD(4) | NUMEP2 },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06, 0xff, 0, 0) },
+	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05CN_SG, 0xff),
+	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G, 0xff),
 	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G_GR, 0xff),



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 48/98] USB: serial: option: add Quectel EM05CN modem
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 47/98] USB: serial: option: add Quectel EM05CN (SG) modem Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 49/98] staging: vchiq_arm: fix enum vchiq_status return types Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Duke Xin , Johan Hovold

From: Duke Xin(辛安文) <duke_xinanwen@163.com>

commit 71dfd381a7c051f16a61f82fbd38a4cca563bdca upstream.

The EM05CN modem has 2 USB configurations that are configurable via the AT
command AT+QCFG="usbnet",[ 0 | 2 ] which make the modem enumerate with
the following interfaces, respectively:

"MBIM"  : AT + MBIM + DIAG + NMEA  + MODEM
"RMNET" : AT + DIAG + NMEA + Modem + QMI

The detailed description of the USB configuration for each mode as follows:

MBIM Mode
--------------
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=0312 Rev= 3.18
S:  Manufacturer=Quectel
S:  Product=Quectel EM05-CN
C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
A:  FirstIf#= 1 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
I:  If#= 2 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 2 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

RMNET Mode
--------------
T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=2c7c ProdID=0312 Rev= 3.18
S:  Manufacturer=Quectel
S:  Product=Quectel EM05-CN
C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I:* If#= 6 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=89(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Duke Xin(辛安文) <duke_xinanwen@163.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -258,6 +258,7 @@ static void option_instat_callback(struc
 #define QUECTEL_PRODUCT_EM05G_CS		0x030c
 #define QUECTEL_PRODUCT_EM05CN_SG		0x0310
 #define QUECTEL_PRODUCT_EM05G_SG		0x0311
+#define QUECTEL_PRODUCT_EM05CN			0x0312
 #define QUECTEL_PRODUCT_EM05G_GR		0x0313
 #define QUECTEL_PRODUCT_EM05G_RS		0x0314
 #define QUECTEL_PRODUCT_EM12			0x0512
@@ -1164,6 +1165,8 @@ static const struct usb_device_id option
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06, 0xff, 0xff, 0xff),
 	  .driver_info = RSVD(1) | RSVD(2) | RSVD(3) | RSVD(4) | NUMEP2 },
 	{ USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EP06, 0xff, 0, 0) },
+	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05CN, 0xff),
+	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05CN_SG, 0xff),
 	  .driver_info = RSVD(6) | ZLP },
 	{ USB_DEVICE_INTERFACE_CLASS(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EM05G, 0xff),



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 49/98] staging: vchiq_arm: fix enum vchiq_status return types
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 48/98] USB: serial: option: add Quectel EM05CN modem Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 50/98] USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Arnd Bergmann

From: Arnd Bergmann <arnd@arndb.de>

commit 7d83299351fe7c812c529f5e39fe63b5312e4233 upstream.

gcc-13 notices a type mismatch between function declaration
and definition for a few functions that have been converted
from returning vchiq specific status values to regular error
codes:

drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c:662:5: error: conflicting types for 'vchiq_initialise' due to enum/integer mismatch; have 'int(struct vchiq_instance **)' [-Werror=enum-int-mismatch]
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c:1411:1: error: conflicting types for 'vchiq_use_internal' due to enum/integer mismatch; have 'int(struct vchiq_state *, struct vchiq_service *, enum USE_TYPE_E)' [-Werror=enum-int-mismatch]
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c:1468:1: error: conflicting types for 'vchiq_release_internal' due to enum/integer mismatch; have 'int(struct vchiq_state *, struct vchiq_service *)' [-Werror=enum-int-mismatch]

Change the declarations to match the actual function definition.

Fixes: a9fbd828be7f ("staging: vchiq_arm: drop enum vchiq_status from vchiq_*_internal")
Cc: stable <stable@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20230117163957.1109872-1-arnd@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/vc04_services/include/linux/raspberrypi/vchiq.h |    2 +-
 drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.h   |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/staging/vc04_services/include/linux/raspberrypi/vchiq.h
+++ b/drivers/staging/vc04_services/include/linux/raspberrypi/vchiq.h
@@ -82,7 +82,7 @@ struct vchiq_service_params_kernel {
 
 struct vchiq_instance;
 
-extern enum vchiq_status vchiq_initialise(struct vchiq_instance **pinstance);
+extern int vchiq_initialise(struct vchiq_instance **pinstance);
 extern enum vchiq_status vchiq_shutdown(struct vchiq_instance *instance);
 extern enum vchiq_status vchiq_connect(struct vchiq_instance *instance);
 extern enum vchiq_status vchiq_open_service(struct vchiq_instance *instance,
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.h
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.h
@@ -89,10 +89,10 @@ extern struct vchiq_arm_state*
 vchiq_platform_get_arm_state(struct vchiq_state *state);
 
 
-extern enum vchiq_status
+extern int
 vchiq_use_internal(struct vchiq_state *state, struct vchiq_service *service,
 		   enum USE_TYPE_E use_type);
-extern enum vchiq_status
+extern int
 vchiq_release_internal(struct vchiq_state *state,
 		       struct vchiq_service *service);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 50/98] USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 49/98] staging: vchiq_arm: fix enum vchiq_status return types Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 51/98] misc: fastrpc: Dont remove map on creater_process and device_release Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Christoph Jung

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 14ff7460bb58662d86aa50298943cc7d25532e28 upstream.

The USB_DEVICE_ID_CODEMERCS_IOW100 header size was incorrect, it should
be 12, not 13.

Cc: stable <stable@kernel.org>
Fixes: 17a82716587e ("USB: iowarrior: fix up report size handling for some devices")
Reported-by: Christoph Jung <jung@codemercs.com>
Link: https://lore.kernel.org/r/20230120135330.3842518-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/misc/iowarrior.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -817,7 +817,7 @@ static int iowarrior_probe(struct usb_in
 			break;
 
 		case USB_DEVICE_ID_CODEMERCS_IOW100:
-			dev->report_size = 13;
+			dev->report_size = 12;
 			break;
 		}
 	}



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 51/98] misc: fastrpc: Dont remove map on creater_process and device_release
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 50/98] USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 52/98] misc: fastrpc: Fix use-after-free race condition for maps Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Ola Jeppsson, Abel Vesa,
	Srinivas Kandagatla

From: Abel Vesa <abel.vesa@linaro.org>

commit 5bb96c8f9268e2fdb0e5321cbc358ee5941efc15 upstream.

Do not remove the map from the list on error path in
fastrpc_init_create_process, instead call fastrpc_map_put, to avoid
use-after-free. Do not remove it on fastrpc_device_release either,
call fastrpc_map_put instead.

The fastrpc_free_map is the only proper place to remove the map.
This is called only after the reference count is 0.

Fixes: b49f6d83e290 ("misc: fastrpc: Fix a possible double free")
Cc: stable <stable@kernel.org>
Co-developed-by: Ola Jeppsson <ola@snap.com>
Signed-off-by: Ola Jeppsson <ola@snap.com>
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20221124174941.418450-3-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/fastrpc.c |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -247,6 +247,13 @@ static void fastrpc_free_map(struct kref
 		dma_buf_put(map->buf);
 	}
 
+	if (map->fl) {
+		spin_lock(&map->fl->lock);
+		list_del(&map->node);
+		spin_unlock(&map->fl->lock);
+		map->fl = NULL;
+	}
+
 	kfree(map);
 }
 
@@ -1112,12 +1119,7 @@ err_invoke:
 	fl->init_mem = NULL;
 	fastrpc_buf_free(imem);
 err_alloc:
-	if (map) {
-		spin_lock(&fl->lock);
-		list_del(&map->node);
-		spin_unlock(&fl->lock);
-		fastrpc_map_put(map);
-	}
+	fastrpc_map_put(map);
 err:
 	kfree(args);
 
@@ -1194,10 +1196,8 @@ static int fastrpc_device_release(struct
 		fastrpc_context_put(ctx);
 	}
 
-	list_for_each_entry_safe(map, m, &fl->maps, node) {
-		list_del(&map->node);
+	list_for_each_entry_safe(map, m, &fl->maps, node)
 		fastrpc_map_put(map);
-	}
 
 	list_for_each_entry_safe(buf, b, &fl->mmaps, node) {
 		list_del(&buf->node);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 52/98] misc: fastrpc: Fix use-after-free race condition for maps
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 51/98] misc: fastrpc: Dont remove map on creater_process and device_release Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 53/98] usb: core: hub: disable autosuspend for TI TUSB8041 Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Ola Jeppsson, Abel Vesa,
	Srinivas Kandagatla

From: Ola Jeppsson <ola@snap.com>

commit 96b328d119eca7563c1edcc4e1039a62e6370ecb upstream.

It is possible that in between calling fastrpc_map_get() until
map->fl->lock is taken in fastrpc_free_map(), another thread can call
fastrpc_map_lookup() and get a reference to a map that is about to be
deleted.

Rewrite fastrpc_map_get() to only increase the reference count of a map
if it's non-zero. Propagate this to callers so they can know if a map is
about to be deleted.

Fixes this warning:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate
...
Call trace:
 refcount_warn_saturate
 [fastrpc_map_get inlined]
 [fastrpc_map_lookup inlined]
 fastrpc_map_create
 fastrpc_internal_invoke
 fastrpc_device_ioctl
 __arm64_sys_ioctl
 invoke_syscall

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method")
Cc: stable <stable@kernel.org>
Signed-off-by: Ola Jeppsson <ola@snap.com>
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20221124174941.418450-4-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/fastrpc.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/misc/fastrpc.c
+++ b/drivers/misc/fastrpc.c
@@ -263,10 +263,12 @@ static void fastrpc_map_put(struct fastr
 		kref_put(&map->refcount, fastrpc_free_map);
 }
 
-static void fastrpc_map_get(struct fastrpc_map *map)
+static int fastrpc_map_get(struct fastrpc_map *map)
 {
-	if (map)
-		kref_get(&map->refcount);
+	if (!map)
+		return -ENOENT;
+
+	return kref_get_unless_zero(&map->refcount) ? 0 : -ENOENT;
 }
 
 static int fastrpc_map_find(struct fastrpc_user *fl, int fd,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 53/98] usb: core: hub: disable autosuspend for TI TUSB8041
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 52/98] misc: fastrpc: Fix use-after-free race condition for maps Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 54/98] comedi: adv_pci1760: Fix PWM instruction handling Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Flavio Suligoi, stable, Alan Stern

From: Flavio Suligoi <f.suligoi@asem.it>

commit 7171b0e261b17de96490adf053b8bb4b00061bcf upstream.

The Texas Instruments TUSB8041 has an autosuspend problem at high
temperature.

If there is not USB traffic, after a couple of ms, the device enters in
autosuspend mode. In this condition the external clock stops working, to
save energy. When the USB activity turns on, ther hub exits the
autosuspend state, the clock starts running again and all works fine.

At ambient temperature all works correctly, but at high temperature,
when the USB activity turns on, the external clock doesn't restart and
the hub disappears from the USB bus.

Disabling the autosuspend mode for this hub solves the issue.

Signed-off-by: Flavio Suligoi <f.suligoi@asem.it>
Cc: stable <stable@kernel.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20221219124759.3207032-1-f.suligoi@asem.it
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hub.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -42,6 +42,9 @@
 #define USB_PRODUCT_USB5534B			0x5534
 #define USB_VENDOR_CYPRESS			0x04b4
 #define USB_PRODUCT_CY7C65632			0x6570
+#define USB_VENDOR_TEXAS_INSTRUMENTS		0x0451
+#define USB_PRODUCT_TUSB8041_USB3		0x8140
+#define USB_PRODUCT_TUSB8041_USB2		0x8142
 #define HUB_QUIRK_CHECK_PORT_AUTOSUSPEND	0x01
 #define HUB_QUIRK_DISABLE_AUTOSUSPEND		0x02
 
@@ -5715,6 +5718,16 @@ static const struct usb_device_id hub_id
       .idVendor = USB_VENDOR_GENESYS_LOGIC,
       .bInterfaceClass = USB_CLASS_HUB,
       .driver_info = HUB_QUIRK_CHECK_PORT_AUTOSUSPEND},
+    { .match_flags = USB_DEVICE_ID_MATCH_VENDOR
+			| USB_DEVICE_ID_MATCH_PRODUCT,
+      .idVendor = USB_VENDOR_TEXAS_INSTRUMENTS,
+      .idProduct = USB_PRODUCT_TUSB8041_USB2,
+      .driver_info = HUB_QUIRK_DISABLE_AUTOSUSPEND},
+    { .match_flags = USB_DEVICE_ID_MATCH_VENDOR
+			| USB_DEVICE_ID_MATCH_PRODUCT,
+      .idVendor = USB_VENDOR_TEXAS_INSTRUMENTS,
+      .idProduct = USB_PRODUCT_TUSB8041_USB3,
+      .driver_info = HUB_QUIRK_DISABLE_AUTOSUSPEND},
     { .match_flags = USB_DEVICE_ID_MATCH_DEV_CLASS,
       .bDeviceClass = USB_CLASS_HUB},
     { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 54/98] comedi: adv_pci1760: Fix PWM instruction handling
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 53/98] usb: core: hub: disable autosuspend for TI TUSB8041 Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 55/98] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Abbott

From: Ian Abbott <abbotti@mev.co.uk>

commit 2efb6edd52dc50273f5e68ad863dd1b1fb2f2d1c upstream.

(Actually, this is fixing the "Read the Current Status" command sent to
the device's outgoing mailbox, but it is only currently used for the PWM
instructions.)

The PCI-1760 is operated mostly by sending commands to a set of Outgoing
Mailbox registers, waiting for the command to complete, and reading the
result from the Incoming Mailbox registers.  One of these commands is
the "Read the Current Status" command.  The number of this command is
0x07 (see the User's Manual for the PCI-1760 at
<https://advdownload.advantech.com/productfile/Downloadfile2/1-11P6653/PCI-1760.pdf>.
The `PCI1760_CMD_GET_STATUS` macro defined in the driver should expand
to this command number 0x07, but unfortunately it currently expands to
0x03.  (Command number 0x03 is not defined in the User's Manual.)
Correct the definition of the `PCI1760_CMD_GET_STATUS` macro to fix it.

This is used by all the PWM subdevice related instructions handled by
`pci1760_pwm_insn_config()` which are probably all broken.  The effect
of sending the undefined command number 0x03 is not known.

Fixes: 14b93bb6bbf0 ("staging: comedi: adv_pci_dio: separate out PCI-1760 support")
Cc: <stable@vger.kernel.org> # v4.5+
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20230103143754.17564-1-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/staging/comedi/drivers/adv_pci1760.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/comedi/drivers/adv_pci1760.c
+++ b/drivers/staging/comedi/drivers/adv_pci1760.c
@@ -59,7 +59,7 @@
 #define PCI1760_CMD_CLR_IMB2		0x00	/* Clears IMB2 */
 #define PCI1760_CMD_SET_DO		0x01	/* Set output state */
 #define PCI1760_CMD_GET_DO		0x02	/* Read output status */
-#define PCI1760_CMD_GET_STATUS		0x03	/* Read current status */
+#define PCI1760_CMD_GET_STATUS		0x07	/* Read current status */
 #define PCI1760_CMD_GET_FW_VER		0x0e	/* Read firmware version */
 #define PCI1760_CMD_GET_HW_VER		0x0f	/* Read hardware version */
 #define PCI1760_CMD_SET_PWM_HI(x)	(0x10 + (x) * 2) /* Set "hi" period */



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 55/98] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 54/98] comedi: adv_pci1760: Fix PWM instruction handling Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 56/98] mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Samuel Holland, Jernej Skrabec, Ulf Hansson

From: Samuel Holland <samuel@sholland.org>

commit 8509419758f2cc28dd05370385af0d91573b76b4 upstream.

If the controller is suspended by runtime PM, the clock is already
disabled, so do not try to disable it again during removal. Use
pm_runtime_disable() to flush any pending runtime PM transitions.

Fixes: 9a8e1e8cc2c0 ("mmc: sunxi: Add runtime_pm support")
Signed-off-by: Samuel Holland <samuel@sholland.org>
Acked-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220810022509.43743-1-samuel@sholland.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/sunxi-mmc.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/mmc/host/sunxi-mmc.c
+++ b/drivers/mmc/host/sunxi-mmc.c
@@ -1459,9 +1459,11 @@ static int sunxi_mmc_remove(struct platf
 	struct sunxi_mmc_host *host = mmc_priv(mmc);
 
 	mmc_remove_host(mmc);
-	pm_runtime_force_suspend(&pdev->dev);
-	disable_irq(host->irq);
-	sunxi_mmc_disable(host);
+	pm_runtime_disable(&pdev->dev);
+	if (!pm_runtime_status_suspended(&pdev->dev)) {
+		disable_irq(host->irq);
+		sunxi_mmc_disable(host);
+	}
 	dma_free_coherent(&pdev->dev, PAGE_SIZE, host->sg_cpu, host->sg_dma);
 	mmc_free_host(mmc);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 56/98] mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 55/98] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 57/98] btrfs: fix race between quota rescan and disable leading to NULL pointer deref Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Haibo Chen, Adrian Hunter, Ulf Hansson

From: Haibo Chen <haibo.chen@nxp.com>

commit 1e336aa0c0250ec84c6f16efac40c9f0138e367d upstream.

Current code logic may be impacted by the setting of ROM/Bootloader,
so unmask these bits first, then setting these bits accordingly.

Fixes: 2b16cf326b70 ("mmc: sdhci-esdhc-imx: move tuning static configuration into hwinit function")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20221207112315.1812222-1-haibo.chen@nxp.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/sdhci-esdhc-imx.c |   22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

--- a/drivers/mmc/host/sdhci-esdhc-imx.c
+++ b/drivers/mmc/host/sdhci-esdhc-imx.c
@@ -103,6 +103,7 @@
 #define ESDHC_TUNING_START_TAP_DEFAULT	0x1
 #define ESDHC_TUNING_START_TAP_MASK	0x7f
 #define ESDHC_TUNING_CMD_CRC_CHECK_DISABLE	(1 << 7)
+#define ESDHC_TUNING_STEP_DEFAULT	0x1
 #define ESDHC_TUNING_STEP_MASK		0x00070000
 #define ESDHC_TUNING_STEP_SHIFT		16
 
@@ -1300,7 +1301,7 @@ static void sdhci_esdhc_imx_hwinit(struc
 	struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
 	struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host);
 	struct cqhci_host *cq_host = host->mmc->cqe_private;
-	int tmp;
+	u32 tmp;
 
 	if (esdhc_is_usdhc(imx_data)) {
 		/*
@@ -1353,17 +1354,24 @@ static void sdhci_esdhc_imx_hwinit(struc
 
 		if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) {
 			tmp = readl(host->ioaddr + ESDHC_TUNING_CTRL);
-			tmp |= ESDHC_STD_TUNING_EN |
-				ESDHC_TUNING_START_TAP_DEFAULT;
-			if (imx_data->boarddata.tuning_start_tap) {
-				tmp &= ~ESDHC_TUNING_START_TAP_MASK;
+			tmp |= ESDHC_STD_TUNING_EN;
+
+			/*
+			 * ROM code or bootloader may config the start tap
+			 * and step, unmask them first.
+			 */
+			tmp &= ~(ESDHC_TUNING_START_TAP_MASK | ESDHC_TUNING_STEP_MASK);
+			if (imx_data->boarddata.tuning_start_tap)
 				tmp |= imx_data->boarddata.tuning_start_tap;
-			}
+			else
+				tmp |= ESDHC_TUNING_START_TAP_DEFAULT;
 
 			if (imx_data->boarddata.tuning_step) {
-				tmp &= ~ESDHC_TUNING_STEP_MASK;
 				tmp |= imx_data->boarddata.tuning_step
 					<< ESDHC_TUNING_STEP_SHIFT;
+			} else {
+				tmp |= ESDHC_TUNING_STEP_DEFAULT
+					<< ESDHC_TUNING_STEP_SHIFT;
 			}
 
 			/* Disable the CMD CRC check for tuning, if not, need to



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 57/98] btrfs: fix race between quota rescan and disable leading to NULL pointer deref
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 56/98] mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 58/98] cifs: do not include page data when checking signature Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+96977faa68092ad382c4,
	Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit b7adbf9ada3513d2092362c8eac5cddc5b651f5c upstream.

If we have one task trying to start the quota rescan worker while another
one is trying to disable quotas, we can end up hitting a race that results
in the quota rescan worker doing a NULL pointer dereference. The steps for
this are the following:

1) Quotas are enabled;

2) Task A calls the quota rescan ioctl and enters btrfs_qgroup_rescan().
   It calls qgroup_rescan_init() which returns 0 (success) and then joins a
   transaction and commits it;

3) Task B calls the quota disable ioctl and enters btrfs_quota_disable().
   It clears the bit BTRFS_FS_QUOTA_ENABLED from fs_info->flags and calls
   btrfs_qgroup_wait_for_completion(), which returns immediately since the
   rescan worker is not yet running.
   Then it starts a transaction and locks fs_info->qgroup_ioctl_lock;

4) Task A queues the rescan worker, by calling btrfs_queue_work();

5) The rescan worker starts, and calls rescan_should_stop() at the start
   of its while loop, which results in 0 iterations of the loop, since
   the flag BTRFS_FS_QUOTA_ENABLED was cleared from fs_info->flags by
   task B at step 3);

6) Task B sets fs_info->quota_root to NULL;

7) The rescan worker tries to start a transaction and uses
   fs_info->quota_root as the root argument for btrfs_start_transaction().
   This results in a NULL pointer dereference down the call chain of
   btrfs_start_transaction(). The stack trace is something like the one
   reported in Link tag below:

   general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] PREEMPT SMP KASAN
   KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f]
   CPU: 1 PID: 34 Comm: kworker/u4:2 Not tainted 6.1.0-syzkaller-13872-gb6bb9676f216 #0
   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
   Workqueue: btrfs-qgroup-rescan btrfs_work_helper
   RIP: 0010:start_transaction+0x48/0x10f0 fs/btrfs/transaction.c:564
   Code: 48 89 fb 48 (...)
   RSP: 0018:ffffc90000ab7ab0 EFLAGS: 00010206
   RAX: 0000000000000041 RBX: 0000000000000208 RCX: ffff88801779ba80
   RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
   RBP: dffffc0000000000 R08: 0000000000000001 R09: fffff52000156f5d
   R10: fffff52000156f5d R11: 1ffff92000156f5c R12: 0000000000000000
   R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000003
   FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
   CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
   CR2: 00007f2bea75b718 CR3: 000000001d0cc000 CR4: 00000000003506e0
   DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
   DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
   Call Trace:
    <TASK>
    btrfs_qgroup_rescan_worker+0x3bb/0x6a0 fs/btrfs/qgroup.c:3402
    btrfs_work_helper+0x312/0x850 fs/btrfs/async-thread.c:280
    process_one_work+0x877/0xdb0 kernel/workqueue.c:2289
    worker_thread+0xb14/0x1330 kernel/workqueue.c:2436
    kthread+0x266/0x300 kernel/kthread.c:376
    ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
    </TASK>
   Modules linked in:

So fix this by having the rescan worker function not attempt to start a
transaction if it didn't do any rescan work.

Reported-by: syzbot+96977faa68092ad382c4@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/000000000000e5454b05f065a803@google.com/
Fixes: e804861bd4e6 ("btrfs: fix deadlock between quota disable and qgroup rescan worker")
CC: stable@vger.kernel.org # 5.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/qgroup.c |   25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -3296,6 +3296,7 @@ static void btrfs_qgroup_rescan_worker(s
 	int err = -ENOMEM;
 	int ret = 0;
 	bool stopped = false;
+	bool did_leaf_rescans = false;
 
 	path = btrfs_alloc_path();
 	if (!path)
@@ -3316,6 +3317,7 @@ static void btrfs_qgroup_rescan_worker(s
 		}
 
 		err = qgroup_rescan_leaf(trans, path);
+		did_leaf_rescans = true;
 
 		if (err > 0)
 			btrfs_commit_transaction(trans);
@@ -3336,16 +3338,23 @@ out:
 	mutex_unlock(&fs_info->qgroup_rescan_lock);
 
 	/*
-	 * only update status, since the previous part has already updated the
-	 * qgroup info.
+	 * Only update status, since the previous part has already updated the
+	 * qgroup info, and only if we did any actual work. This also prevents
+	 * race with a concurrent quota disable, which has already set
+	 * fs_info->quota_root to NULL and cleared BTRFS_FS_QUOTA_ENABLED at
+	 * btrfs_quota_disable().
 	 */
-	trans = btrfs_start_transaction(fs_info->quota_root, 1);
-	if (IS_ERR(trans)) {
-		err = PTR_ERR(trans);
+	if (did_leaf_rescans) {
+		trans = btrfs_start_transaction(fs_info->quota_root, 1);
+		if (IS_ERR(trans)) {
+			err = PTR_ERR(trans);
+			trans = NULL;
+			btrfs_err(fs_info,
+				  "fail to start transaction for status update: %d",
+				  err);
+		}
+	} else {
 		trans = NULL;
-		btrfs_err(fs_info,
-			  "fail to start transaction for status update: %d",
-			  err);
 	}
 
 	mutex_lock(&fs_info->qgroup_rescan_lock);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 58/98] cifs: do not include page data when checking signature
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 57/98] btrfs: fix race between quota rescan and disable leading to NULL pointer deref Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 59/98] thunderbolt: Use correct function to calculate maximum USB3 link rate Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Enzo Matsumiya,
	Paulo Alcantara (SUSE),
	Steve French

From: Enzo Matsumiya <ematsumiya@suse.de>

commit 30b2b2196d6e4cc24cbec633535a2404f258ce69 upstream.

On async reads, page data is allocated before sending.  When the
response is received but it has no data to fill (e.g.
STATUS_END_OF_FILE), __calc_signature() will still include the pages in
its computation, leading to an invalid signature check.

This patch fixes this by not setting the async read smb_rqst page data
(zeroed by default) if its got_bytes is 0.

This can be reproduced/verified with xfstests generic/465.

Cc: <stable@vger.kernel.org>
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/smb2pdu.c |   15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -3925,12 +3925,15 @@ smb2_readv_callback(struct mid_q_entry *
 				(struct smb2_sync_hdr *)rdata->iov[0].iov_base;
 	struct cifs_credits credits = { .value = 0, .instance = 0 };
 	struct smb_rqst rqst = { .rq_iov = &rdata->iov[1],
-				 .rq_nvec = 1,
-				 .rq_pages = rdata->pages,
-				 .rq_offset = rdata->page_offset,
-				 .rq_npages = rdata->nr_pages,
-				 .rq_pagesz = rdata->pagesz,
-				 .rq_tailsz = rdata->tailsz };
+				 .rq_nvec = 1, };
+
+	if (rdata->got_bytes) {
+		rqst.rq_pages = rdata->pages;
+		rqst.rq_offset = rdata->page_offset;
+		rqst.rq_npages = rdata->nr_pages;
+		rqst.rq_pagesz = rdata->pagesz;
+		rqst.rq_tailsz = rdata->tailsz;
+	}
 
 	WARN_ONCE(rdata->server != mid->server,
 		  "rdata server %p != mid server %p",



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 59/98] thunderbolt: Use correct function to calculate maximum USB3 link rate
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 58/98] cifs: do not include page data when checking signature Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 60/98] tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Yehezkel Bernat, Mika Westerberg

From: Mika Westerberg <mika.westerberg@linux.intel.com>

commit e8ff07fb33026c5c1bb5b81293496faba5d68059 upstream.

We need to take minimum of both sides of the USB3 link into consideration,
not just the downstream port. Fix this by calling tb_usb3_max_link_rate()
instead.

Fixes: 0bd680cd900c ("thunderbolt: Add USB3 bandwidth management")
Cc: stable@vger.kernel.org
Acked-by: Yehezkel Bernat <YehezkelShB@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thunderbolt/tunnel.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/thunderbolt/tunnel.c
+++ b/drivers/thunderbolt/tunnel.c
@@ -956,7 +956,7 @@ static void tb_usb3_reclaim_available_ba
 		return;
 	} else if (!ret) {
 		/* Use maximum link rate if the link valid is not set */
-		ret = usb4_usb3_port_max_link_rate(tunnel->src_port);
+		ret = tb_usb3_max_link_rate(tunnel->dst_port, tunnel->src_port);
 		if (ret < 0) {
 			tb_tunnel_warn(tunnel, "failed to read maximum link rate\n");
 			return;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 60/98] tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 59/98] thunderbolt: Use correct function to calculate maximum USB3 link rate Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 61/98] USB: gadgetfs: Fix race between mounting and unmounting Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Jiri Slaby

From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>

commit b8caf69a6946e18ffebad49847e258f5b6d52ac2 upstream.

Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on
default RX FIFO depth, e.g. 16.  Later during serial startup the
qcom_geni_serial_port_setup() updates the RX FIFO depth
(port->rx_fifo_depth) to match real device capabilities, e.g. to 32.

The RX UART handle code will read "port->rx_fifo_depth" number of words
into "port->rx_fifo" buffer, thus exceeding the bounds.  This can be
observed in certain configurations with Qualcomm Bluetooth HCI UART
device and KASAN:

  Bluetooth: hci0: QCA Product ID   :0x00000010
  Bluetooth: hci0: QCA SOC Version  :0x400a0200
  Bluetooth: hci0: QCA ROM Version  :0x00000200
  Bluetooth: hci0: QCA Patch Version:0x00000d2b
  Bluetooth: hci0: QCA controller version 0x02000200
  Bluetooth: hci0: QCA Downloading qca/htbtfw20.tlv
  bluetooth hci0: Direct firmware load for qca/htbtfw20.tlv failed with error -2
  Bluetooth: hci0: QCA Failed to request file: qca/htbtfw20.tlv (-2)
  Bluetooth: hci0: QCA Failed to download patch (-2)
  ==================================================================
  BUG: KASAN: slab-out-of-bounds in handle_rx_uart+0xa8/0x18c
  Write of size 4 at addr ffff279347d578c0 by task swapper/0/0

  CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-rt5-00350-gb2450b7e00be-dirty #26
  Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT)
  Call trace:
   dump_backtrace.part.0+0xe0/0xf0
   show_stack+0x18/0x40
   dump_stack_lvl+0x8c/0xb8
   print_report+0x188/0x488
   kasan_report+0xb4/0x100
   __asan_store4+0x80/0xa4
   handle_rx_uart+0xa8/0x18c
   qcom_geni_serial_handle_rx+0x84/0x9c
   qcom_geni_serial_isr+0x24c/0x760
   __handle_irq_event_percpu+0x108/0x500
   handle_irq_event+0x6c/0x110
   handle_fasteoi_irq+0x138/0x2cc
   generic_handle_domain_irq+0x48/0x64

If the RX FIFO depth changes after probe, be sure to resize the buffer.

Fixes: f9d690b6ece7 ("tty: serial: qcom_geni_serial: Allocate port->rx_fifo buffer in probe")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Link: https://lore.kernel.org/r/20221221164022.1087814-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/qcom_geni_serial.c |   18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

--- a/drivers/tty/serial/qcom_geni_serial.c
+++ b/drivers/tty/serial/qcom_geni_serial.c
@@ -866,9 +866,10 @@ out_unlock:
 	return IRQ_HANDLED;
 }
 
-static void get_tx_fifo_size(struct qcom_geni_serial_port *port)
+static int setup_fifos(struct qcom_geni_serial_port *port)
 {
 	struct uart_port *uport;
+	u32 old_rx_fifo_depth = port->rx_fifo_depth;
 
 	uport = &port->uport;
 	port->tx_fifo_depth = geni_se_get_tx_fifo_depth(&port->se);
@@ -876,6 +877,16 @@ static void get_tx_fifo_size(struct qcom
 	port->rx_fifo_depth = geni_se_get_rx_fifo_depth(&port->se);
 	uport->fifosize =
 		(port->tx_fifo_depth * port->tx_fifo_width) / BITS_PER_BYTE;
+
+	if (port->rx_fifo && (old_rx_fifo_depth != port->rx_fifo_depth) && port->rx_fifo_depth) {
+		port->rx_fifo = devm_krealloc(uport->dev, port->rx_fifo,
+					      port->rx_fifo_depth * sizeof(u32),
+					      GFP_KERNEL);
+		if (!port->rx_fifo)
+			return -ENOMEM;
+	}
+
+	return 0;
 }
 
 
@@ -890,6 +901,7 @@ static int qcom_geni_serial_port_setup(s
 	u32 rxstale = DEFAULT_BITS_PER_CHAR * STALE_TIMEOUT;
 	u32 proto;
 	u32 pin_swap;
+	int ret;
 
 	proto = geni_se_read_proto(&port->se);
 	if (proto != GENI_SE_UART) {
@@ -899,7 +911,9 @@ static int qcom_geni_serial_port_setup(s
 
 	qcom_geni_serial_stop_rx(uport);
 
-	get_tx_fifo_size(port);
+	ret = setup_fifos(port);
+	if (ret)
+		return ret;
 
 	writel(rxstale, uport->membase + SE_UART_RX_STALE_CNT);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 61/98] USB: gadgetfs: Fix race between mounting and unmounting
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 60/98] tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 62/98] USB: serial: cp210x: add SCALANCE LPE-9000 device id Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alan Stern,
	syzbot+33d7ad66d65044b93f16, Gerald Lee

From: Alan Stern <stern@rowland.harvard.edu>

commit d18dcfe9860e842f394e37ba01ca9440ab2178f4 upstream.

The syzbot fuzzer and Gerald Lee have identified a use-after-free bug
in the gadgetfs driver, involving processes concurrently mounting and
unmounting the gadgetfs filesystem.  In particular, gadgetfs_fill_super()
can race with gadgetfs_kill_sb(), causing the latter to deallocate
the_device while the former is using it.  The output from KASAN says,
in part:

BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
BUG: KASAN: use-after-free in __refcount_sub_and_test include/linux/refcount.h:272 [inline]
BUG: KASAN: use-after-free in __refcount_dec_and_test include/linux/refcount.h:315 [inline]
BUG: KASAN: use-after-free in refcount_dec_and_test include/linux/refcount.h:333 [inline]
BUG: KASAN: use-after-free in put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
BUG: KASAN: use-after-free in gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
Write of size 4 at addr ffff8880276d7840 by task syz-executor126/18689

CPU: 0 PID: 18689 Comm: syz-executor126 Not tainted 6.1.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
...
 atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:176 [inline]
 __refcount_sub_and_test include/linux/refcount.h:272 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 put_dev drivers/usb/gadget/legacy/inode.c:159 [inline]
 gadgetfs_kill_sb+0x33/0x100 drivers/usb/gadget/legacy/inode.c:2086
 deactivate_locked_super+0xa7/0xf0 fs/super.c:332
 vfs_get_super fs/super.c:1190 [inline]
 get_tree_single+0xd0/0x160 fs/super.c:1207
 vfs_get_tree+0x88/0x270 fs/super.c:1531
 vfs_fsconfig_locked fs/fsopen.c:232 [inline]

The simplest solution is to ensure that gadgetfs_fill_super() and
gadgetfs_kill_sb() are serialized by making them both acquire a new
mutex.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+33d7ad66d65044b93f16@syzkaller.appspotmail.com
Reported-and-tested-by: Gerald Lee <sundaywind2004@gmail.com>
Link: https://lore.kernel.org/linux-usb/CAO3qeMVzXDP-JU6v1u5Ags6Q-bb35kg3=C6d04DjzA9ffa5x1g@mail.gmail.com/
Fixes: e5d82a7360d1 ("vfs: Convert gadgetfs to use the new mount API")
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Y6XCPXBpn3tmjdCC@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/legacy/inode.c |   28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -229,6 +229,7 @@ static void put_ep (struct ep_data *data
  */
 
 static const char *CHIP;
+static DEFINE_MUTEX(sb_mutex);		/* Serialize superblock operations */
 
 /*----------------------------------------------------------------------*/
 
@@ -2012,13 +2013,20 @@ gadgetfs_fill_super (struct super_block
 {
 	struct inode	*inode;
 	struct dev_data	*dev;
+	int		rc;
 
-	if (the_device)
-		return -ESRCH;
+	mutex_lock(&sb_mutex);
+
+	if (the_device) {
+		rc = -ESRCH;
+		goto Done;
+	}
 
 	CHIP = usb_get_gadget_udc_name();
-	if (!CHIP)
-		return -ENODEV;
+	if (!CHIP) {
+		rc = -ENODEV;
+		goto Done;
+	}
 
 	/* superblock */
 	sb->s_blocksize = PAGE_SIZE;
@@ -2055,13 +2063,17 @@ gadgetfs_fill_super (struct super_block
 	 * from binding to a controller.
 	 */
 	the_device = dev;
-	return 0;
+	rc = 0;
+	goto Done;
 
-Enomem:
+ Enomem:
 	kfree(CHIP);
 	CHIP = NULL;
+	rc = -ENOMEM;
 
-	return -ENOMEM;
+ Done:
+	mutex_unlock(&sb_mutex);
+	return rc;
 }
 
 /* "mount -t gadgetfs path /dev/gadget" ends up here */
@@ -2083,6 +2095,7 @@ static int gadgetfs_init_fs_context(stru
 static void
 gadgetfs_kill_sb (struct super_block *sb)
 {
+	mutex_lock(&sb_mutex);
 	kill_litter_super (sb);
 	if (the_device) {
 		put_dev (the_device);
@@ -2090,6 +2103,7 @@ gadgetfs_kill_sb (struct super_block *sb
 	}
 	kfree(CHIP);
 	CHIP = NULL;
+	mutex_unlock(&sb_mutex);
 }
 
 /*----------------------------------------------------------------------*/



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 62/98] USB: serial: cp210x: add SCALANCE LPE-9000 device id
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 61/98] USB: gadgetfs: Fix race between mounting and unmounting Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 63/98] usb: host: ehci-fsl: Fix module alias Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Adler, Johan Hovold

From: Michael Adler <michael.adler@siemens.com>

commit 3f9e76e31704a325170e5aec2243c8d084d74854 upstream.

Add the USB serial console device ID for Siemens SCALANCE LPE-9000
which have a USB port for their serial console.

Signed-off-by: Michael Adler <michael.adler@siemens.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/cp210x.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -64,6 +64,7 @@ static const struct usb_device_id id_tab
 	{ USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */
 	{ USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */
 	{ USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */
+	{ USB_DEVICE(0x0908, 0x0070) }, /* Siemens SCALANCE LPE-9000 USB Serial Console */
 	{ USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */
 	{ USB_DEVICE(0x0988, 0x0578) }, /* Teraoka AD2000 */
 	{ USB_DEVICE(0x0B00, 0x3070) }, /* Ingenico 3070 */



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 63/98] usb: host: ehci-fsl: Fix module alias
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 62/98] USB: serial: cp210x: add SCALANCE LPE-9000 device id Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 64/98] usb: typec: altmodes/displayport: Add pin assignment helper Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Alexander Stein

From: Alexander Stein <alexander.stein@ew.tq-group.com>

commit 5d3d01ae15d2f37ed0325c99ab47ef0ae5d05f3c upstream.

Commit ca07e1c1e4a6 ("drivers:usb:fsl:Make fsl ehci drv an independent
driver module") changed DRV_NAME which was used for MODULE_ALIAS as well.
Starting from this the module alias didn't match the platform device
name created in fsl-mph-dr-of.c
Change DRV_NAME to match the driver name for host mode in fsl-mph-dr-of.
This is needed for module autoloading on ls1021a.

Fixes: ca07e1c1e4a6 ("drivers:usb:fsl:Make fsl ehci drv an independent driver module")
Cc: stable <stable@kernel.org>
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Link: https://lore.kernel.org/r/20230120122714.3848784-1-alexander.stein@ew.tq-group.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/ehci-fsl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/ehci-fsl.c
+++ b/drivers/usb/host/ehci-fsl.c
@@ -29,7 +29,7 @@
 #include "ehci-fsl.h"
 
 #define DRIVER_DESC "Freescale EHCI Host controller driver"
-#define DRV_NAME "ehci-fsl"
+#define DRV_NAME "fsl-ehci"
 
 static struct hc_driver __read_mostly fsl_ehci_hc_driver;
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 64/98] usb: typec: altmodes/displayport: Add pin assignment helper
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 63/98] usb: host: ehci-fsl: Fix module alias Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 65/98] usb: typec: altmodes/displayport: Fix pin assignment calculation Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, Prashant Malani,
	Benson Leung

From: Prashant Malani <pmalani@chromium.org>

commit 582836e3cfab4faafbdc93bbec96fce036a08ee1 upstream.

The code to extract a peripheral's currently supported Pin Assignments
is repeated in a couple of locations. Factor it out into a separate
function.

This will also make it easier to add fixes (we only need to update 1
location instead of 2).

Fixes: c1e5c2f0cb8a ("usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles")
Cc: stable@vger.kernel.org
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Prashant Malani <pmalani@chromium.org>
Reviewed-by: Benson Leung <bleung@chromium.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20230111020546.3384569-1-pmalani@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/altmodes/displayport.c |   22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -409,6 +409,18 @@ static const char * const pin_assignment
 	[DP_PIN_ASSIGN_F] = "F",
 };
 
+/*
+ * Helper function to extract a peripheral's currently supported
+ * Pin Assignments from its DisplayPort alternate mode state.
+ */
+static u8 get_current_pin_assignments(struct dp_altmode *dp)
+{
+	if (DP_CONF_CURRENTLY(dp->data.conf) == DP_CONF_DFP_D)
+		return DP_CAP_UFP_D_PIN_ASSIGN(dp->alt->vdo);
+	else
+		return DP_CAP_DFP_D_PIN_ASSIGN(dp->alt->vdo);
+}
+
 static ssize_t
 pin_assignment_store(struct device *dev, struct device_attribute *attr,
 		     const char *buf, size_t size)
@@ -435,10 +447,7 @@ pin_assignment_store(struct device *dev,
 		goto out_unlock;
 	}
 
-	if (DP_CONF_CURRENTLY(dp->data.conf) == DP_CONF_DFP_D)
-		assignments = DP_CAP_UFP_D_PIN_ASSIGN(dp->alt->vdo);
-	else
-		assignments = DP_CAP_DFP_D_PIN_ASSIGN(dp->alt->vdo);
+	assignments = get_current_pin_assignments(dp);
 
 	if (!(DP_CONF_GET_PIN_ASSIGN(conf) & assignments)) {
 		ret = -EINVAL;
@@ -475,10 +484,7 @@ static ssize_t pin_assignment_show(struc
 
 	cur = get_count_order(DP_CONF_GET_PIN_ASSIGN(dp->data.conf));
 
-	if (DP_CONF_CURRENTLY(dp->data.conf) == DP_CONF_DFP_D)
-		assignments = DP_CAP_UFP_D_PIN_ASSIGN(dp->alt->vdo);
-	else
-		assignments = DP_CAP_DFP_D_PIN_ASSIGN(dp->alt->vdo);
+	assignments = get_current_pin_assignments(dp);
 
 	for (i = 0; assignments; assignments >>= 1, i++) {
 		if (assignments & 1) {



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 65/98] usb: typec: altmodes/displayport: Fix pin assignment calculation
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 64/98] usb: typec: altmodes/displayport: Add pin assignment helper Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 66/98] usb: gadget: g_webcam: Send color matching descriptor per frame Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, Prashant Malani,
	Benson Leung

From: Prashant Malani <pmalani@chromium.org>

commit 9682b41e52cc9f42f5c33caf410464392adaef04 upstream.

Commit c1e5c2f0cb8a ("usb: typec: altmodes/displayport: correct pin
assignment for UFP receptacles") fixed the pin assignment calculation
to take into account whether the peripheral was a plug or a receptacle.

But the "pin_assignments" sysfs logic was not updated. Address this by
using the macros introduced in the aforementioned commit in the sysfs
logic too.

Fixes: c1e5c2f0cb8a ("usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles")
Cc: stable@vger.kernel.org
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Prashant Malani <pmalani@chromium.org>
Reviewed-by: Benson Leung <bleung@chromium.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20230111020546.3384569-2-pmalani@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/altmodes/displayport.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -416,9 +416,9 @@ static const char * const pin_assignment
 static u8 get_current_pin_assignments(struct dp_altmode *dp)
 {
 	if (DP_CONF_CURRENTLY(dp->data.conf) == DP_CONF_DFP_D)
-		return DP_CAP_UFP_D_PIN_ASSIGN(dp->alt->vdo);
+		return DP_CAP_PIN_ASSIGN_DFP_D(dp->alt->vdo);
 	else
-		return DP_CAP_DFP_D_PIN_ASSIGN(dp->alt->vdo);
+		return DP_CAP_PIN_ASSIGN_UFP_D(dp->alt->vdo);
 }
 
 static ssize_t



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 66/98] usb: gadget: g_webcam: Send color matching descriptor per frame
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 65/98] usb: typec: altmodes/displayport: Fix pin assignment calculation Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 67/98] usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Daniel Scally,
	Laurent Pinchart, Kieran Bingham

From: Daniel Scally <dan.scally@ideasonboard.com>

commit e95765e97d9cb93258a4840440d410fa6ff7e819 upstream.

Currently the color matching descriptor is only sent across the wire
a single time, following the descriptors for each format and frame.
According to the UVC 1.5 Specification 3.9.2.6 ("Color Matching
Descriptors"):

"Only one instance is allowed for a given format and if present,
the Color Matching descriptor shall be placed following the Video
and Still Image Frame descriptors for that format".

Add another reference to the color matching descriptor after the
yuyv frames so that it's correctly transmitted for that format
too.

Fixes: a9914127e834 ("USB gadget: Webcam device")
Cc: stable <stable@kernel.org>
Signed-off-by: Daniel Scally <dan.scally@ideasonboard.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Link: https://lore.kernel.org/r/20221216160528.479094-1-dan.scally@ideasonboard.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/legacy/webcam.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/gadget/legacy/webcam.c
+++ b/drivers/usb/gadget/legacy/webcam.c
@@ -293,6 +293,7 @@ static const struct uvc_descriptor_heade
 	(const struct uvc_descriptor_header *) &uvc_format_yuv,
 	(const struct uvc_descriptor_header *) &uvc_frame_yuv_360p,
 	(const struct uvc_descriptor_header *) &uvc_frame_yuv_720p,
+	(const struct uvc_descriptor_header *) &uvc_color_matching,
 	(const struct uvc_descriptor_header *) &uvc_format_mjpg,
 	(const struct uvc_descriptor_header *) &uvc_frame_mjpg_360p,
 	(const struct uvc_descriptor_header *) &uvc_frame_mjpg_720p,
@@ -305,6 +306,7 @@ static const struct uvc_descriptor_heade
 	(const struct uvc_descriptor_header *) &uvc_format_yuv,
 	(const struct uvc_descriptor_header *) &uvc_frame_yuv_360p,
 	(const struct uvc_descriptor_header *) &uvc_frame_yuv_720p,
+	(const struct uvc_descriptor_header *) &uvc_color_matching,
 	(const struct uvc_descriptor_header *) &uvc_format_mjpg,
 	(const struct uvc_descriptor_header *) &uvc_frame_mjpg_360p,
 	(const struct uvc_descriptor_header *) &uvc_frame_mjpg_720p,
@@ -317,6 +319,7 @@ static const struct uvc_descriptor_heade
 	(const struct uvc_descriptor_header *) &uvc_format_yuv,
 	(const struct uvc_descriptor_header *) &uvc_frame_yuv_360p,
 	(const struct uvc_descriptor_header *) &uvc_frame_yuv_720p,
+	(const struct uvc_descriptor_header *) &uvc_color_matching,
 	(const struct uvc_descriptor_header *) &uvc_format_mjpg,
 	(const struct uvc_descriptor_header *) &uvc_frame_mjpg_360p,
 	(const struct uvc_descriptor_header *) &uvc_frame_mjpg_720p,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 67/98] usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 66/98] usb: gadget: g_webcam: Send color matching descriptor per frame Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 68/98] usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Felipe Balbi, Lorenzo Colitti,
	Carlos Llamas, Maciej Żenczykowski, stable

From: Maciej Żenczykowski <maze@google.com>

commit c6ec929595c7443250b2a4faea988c62019d5cd2 upstream.

In Google internal bug 265639009 we've received an (as yet) unreproducible
crash report from an aarch64 GKI 5.10.149-android13 running device.

AFAICT the source code is at:
  https://android.googlesource.com/kernel/common/+/refs/tags/ASB-2022-12-05_13-5.10

The call stack is:
  ncm_close() -> ncm_notify() -> ncm_do_notify()
with the crash at:
  ncm_do_notify+0x98/0x270
Code: 79000d0b b9000a6c f940012a f9400269 (b9405d4b)

Which I believe disassembles to (I don't know ARM assembly, but it looks sane enough to me...):

  // halfword (16-bit) store presumably to event->wLength (at offset 6 of struct usb_cdc_notification)
  0B 0D 00 79    strh w11, [x8, #6]

  // word (32-bit) store presumably to req->Length (at offset 8 of struct usb_request)
  6C 0A 00 B9    str  w12, [x19, #8]

  // x10 (NULL) was read here from offset 0 of valid pointer x9
  // IMHO we're reading 'cdev->gadget' and getting NULL
  // gadget is indeed at offset 0 of struct usb_composite_dev
  2A 01 40 F9    ldr  x10, [x9]

  // loading req->buf pointer, which is at offset 0 of struct usb_request
  69 02 40 F9    ldr  x9, [x19]

  // x10 is null, crash, appears to be attempt to read cdev->gadget->max_speed
  4B 5D 40 B9    ldr  w11, [x10, #0x5c]

which seems to line up with ncm_do_notify() case NCM_NOTIFY_SPEED code fragment:

  event->wLength = cpu_to_le16(8);
  req->length = NCM_STATUS_BYTECOUNT;

  /* SPEED_CHANGE data is up/down speeds in bits/sec */
  data = req->buf + sizeof *event;
  data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));

My analysis of registers and NULL ptr deref crash offset
  (Unable to handle kernel NULL pointer dereference at virtual address 000000000000005c)
heavily suggests that the crash is due to 'cdev->gadget' being NULL when executing:
  data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
which calls:
  ncm_bitrate(NULL)
which then calls:
  gadget_is_superspeed(NULL)
which reads
  ((struct usb_gadget *)NULL)->max_speed
and hits a panic.

AFAICT, if I'm counting right, the offset of max_speed is indeed 0x5C.
(remember there's a GKI KABI reservation of 16 bytes in struct work_struct)

It's not at all clear to me how this is all supposed to work...
but returning 0 seems much better than panic-ing...

Cc: Felipe Balbi <balbi@kernel.org>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Carlos Llamas <cmllamas@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20230117131839.1138208-1-maze@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/f_ncm.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/gadget/function/f_ncm.c
+++ b/drivers/usb/gadget/function/f_ncm.c
@@ -85,7 +85,9 @@ static inline struct f_ncm *func_to_ncm(
 /* peak (theoretical) bulk transfer rate in bits-per-second */
 static inline unsigned ncm_bitrate(struct usb_gadget *g)
 {
-	if (gadget_is_superspeed(g) && g->speed >= USB_SPEED_SUPER_PLUS)
+	if (!g)
+		return 0;
+	else if (gadget_is_superspeed(g) && g->speed >= USB_SPEED_SUPER_PLUS)
 		return 4250000000U;
 	else if (gadget_is_superspeed(g) && g->speed == USB_SPEED_SUPER)
 		return 3750000000U;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 68/98] usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 67/98] usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 69/98] dt-bindings: phy: g12a-usb2-phy: fix compatible string documentation Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alan Stern, Hongling Zeng,
	Juhyung Park, Oliver Neukum

From: Juhyung Park <qkrwngud825@gmail.com>

commit dbd24ec17b85b45f4e823d1aa5607721920f2b05 upstream.

The commit e00b488e813f ("usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS")
blacklists UAS for all of RTL9210 enclosures.

The RTL9210 controller was advertised with UAS since its release back in
2019 and was shipped with a lot of enclosure products with different
firmware combinations.

Blacklist UAS only for HIKSEMI MD202.

This should hopefully be replaced with more robust method than just
comparing strings.  But with limited information [1] provided thus far
(dmesg when the device is plugged in, which includes manufacturer and
product, but no lsusb -v to compare against), this is the best we can do
for now.

[1] https://lore.kernel.org/all/20230109115550.71688-1-qkrwngud825@gmail.com

Fixes: e00b488e813f ("usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS")
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Hongling Zeng <zenghongling@kylinos.cn>
Cc: stable@vger.kernel.org
Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
Acked-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20230117085154.123301-1-qkrwngud825@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/storage/uas-detect.h  |   13 +++++++++++++
 drivers/usb/storage/unusual_uas.h |    7 -------
 2 files changed, 13 insertions(+), 7 deletions(-)

--- a/drivers/usb/storage/uas-detect.h
+++ b/drivers/usb/storage/uas-detect.h
@@ -116,6 +116,19 @@ static int uas_use_uas_driver(struct usb
 	if (le16_to_cpu(udev->descriptor.idVendor) == 0x0bc2)
 		flags |= US_FL_NO_ATA_1X;
 
+	/*
+	 * RTL9210-based enclosure from HIKSEMI, MD202 reportedly have issues
+	 * with UAS.  This isn't distinguishable with just idVendor and
+	 * idProduct, use manufacturer and product too.
+	 *
+	 * Reported-by: Hongling Zeng <zenghongling@kylinos.cn>
+	 */
+	if (le16_to_cpu(udev->descriptor.idVendor) == 0x0bda &&
+			le16_to_cpu(udev->descriptor.idProduct) == 0x9210 &&
+			(udev->manufacturer && !strcmp(udev->manufacturer, "HIKSEMI")) &&
+			(udev->product && !strcmp(udev->product, "MD202")))
+		flags |= US_FL_IGNORE_UAS;
+
 	usb_stor_adjust_quirks(udev, &flags);
 
 	if (flags & US_FL_IGNORE_UAS) {
--- a/drivers/usb/storage/unusual_uas.h
+++ b/drivers/usb/storage/unusual_uas.h
@@ -83,13 +83,6 @@ UNUSUAL_DEV(0x0bc2, 0x331a, 0x0000, 0x99
 		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
 		US_FL_NO_REPORT_LUNS),
 
-/* Reported-by: Hongling Zeng <zenghongling@kylinos.cn> */
-UNUSUAL_DEV(0x0bda, 0x9210, 0x0000, 0x9999,
-		"Hiksemi",
-		"External HDD",
-		USB_SC_DEVICE, USB_PR_DEVICE, NULL,
-		US_FL_IGNORE_UAS),
-
 /* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
 UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999,
 		"Initio Corporation",



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 69/98] dt-bindings: phy: g12a-usb2-phy: fix compatible string documentation
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 68/98] usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 70/98] dt-bindings: phy: g12a-usb3-pcie-phy: " Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heiner Kallweit,
	Martin Blumenstingl, Krzysztof Kozlowski, Vinod Koul

From: Heiner Kallweit <hkallweit1@gmail.com>

commit c63835bf1c750c9b3aec1d5c23d811d6375fc23d upstream.

The compatible strings in the driver don't have the meson prefix.
Fix this in the documentation and rename the file accordingly.

Fixes: da86d286cce8 ("dt-bindings: phy: meson-g12a-usb2-phy: convert to yaml")
Cc: stable@vger.kernel.org
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/8d960029-e94d-224b-911f-03e5deb47ebc@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/devicetree/bindings/phy/amlogic,g12a-usb2-phy.yaml       |   78 ++++++++++
 Documentation/devicetree/bindings/phy/amlogic,meson-g12a-usb2-phy.yaml |   78 ----------
 2 files changed, 78 insertions(+), 78 deletions(-)
 rename Documentation/devicetree/bindings/phy/{amlogic,meson-g12a-usb2-phy.yaml => amlogic,g12a-usb2-phy.yaml} (85%)

--- /dev/null
+++ b/Documentation/devicetree/bindings/phy/amlogic,g12a-usb2-phy.yaml
@@ -0,0 +1,78 @@
+# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+# Copyright 2019 BayLibre, SAS
+%YAML 1.2
+---
+$id: "http://devicetree.org/schemas/phy/amlogic,g12a-usb2-phy.yaml#"
+$schema: "http://devicetree.org/meta-schemas/core.yaml#"
+
+title: Amlogic G12A USB2 PHY
+
+maintainers:
+  - Neil Armstrong <narmstrong@baylibre.com>
+
+properties:
+  compatible:
+    enum:
+      - amlogic,g12a-usb2-phy
+      - amlogic,a1-usb2-phy
+
+  reg:
+    maxItems: 1
+
+  clocks:
+    maxItems: 1
+
+  clock-names:
+    items:
+      - const: xtal
+
+  resets:
+    maxItems: 1
+
+  reset-names:
+    items:
+      - const: phy
+
+  "#phy-cells":
+    const: 0
+
+  phy-supply:
+    description:
+      Phandle to a regulator that provides power to the PHY. This
+      regulator will be managed during the PHY power on/off sequence.
+
+required:
+  - compatible
+  - reg
+  - clocks
+  - clock-names
+  - resets
+  - reset-names
+  - "#phy-cells"
+
+if:
+  properties:
+    compatible:
+      enum:
+        - amlogic,meson-a1-usb-ctrl
+
+then:
+  properties:
+    power-domains:
+      maxItems: 1
+  required:
+    - power-domains
+
+additionalProperties: false
+
+examples:
+  - |
+    phy@36000 {
+          compatible = "amlogic,g12a-usb2-phy";
+          reg = <0x36000 0x2000>;
+          clocks = <&xtal>;
+          clock-names = "xtal";
+          resets = <&phy_reset>;
+          reset-names = "phy";
+          #phy-cells = <0>;
+    };
--- a/Documentation/devicetree/bindings/phy/amlogic,meson-g12a-usb2-phy.yaml
+++ /dev/null
@@ -1,78 +0,0 @@
-# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
-# Copyright 2019 BayLibre, SAS
-%YAML 1.2
----
-$id: "http://devicetree.org/schemas/phy/amlogic,meson-g12a-usb2-phy.yaml#"
-$schema: "http://devicetree.org/meta-schemas/core.yaml#"
-
-title: Amlogic G12A USB2 PHY
-
-maintainers:
-  - Neil Armstrong <narmstrong@baylibre.com>
-
-properties:
-  compatible:
-    enum:
-      - amlogic,meson-g12a-usb2-phy
-      - amlogic,meson-a1-usb2-phy
-
-  reg:
-    maxItems: 1
-
-  clocks:
-    maxItems: 1
-
-  clock-names:
-    items:
-      - const: xtal
-
-  resets:
-    maxItems: 1
-
-  reset-names:
-    items:
-      - const: phy
-
-  "#phy-cells":
-    const: 0
-
-  phy-supply:
-    description:
-      Phandle to a regulator that provides power to the PHY. This
-      regulator will be managed during the PHY power on/off sequence.
-
-required:
-  - compatible
-  - reg
-  - clocks
-  - clock-names
-  - resets
-  - reset-names
-  - "#phy-cells"
-
-if:
-  properties:
-    compatible:
-      enum:
-        - amlogic,meson-a1-usb-ctrl
-
-then:
-  properties:
-    power-domains:
-      maxItems: 1
-  required:
-    - power-domains
-
-additionalProperties: false
-
-examples:
-  - |
-    phy@36000 {
-          compatible = "amlogic,meson-g12a-usb2-phy";
-          reg = <0x36000 0x2000>;
-          clocks = <&xtal>;
-          clock-names = "xtal";
-          resets = <&phy_reset>;
-          reset-names = "phy";
-          #phy-cells = <0>;
-    };



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 70/98] dt-bindings: phy: g12a-usb3-pcie-phy: fix compatible string documentation
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 69/98] dt-bindings: phy: g12a-usb2-phy: fix compatible string documentation Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 71/98] serial: pch_uart: Pass correct sg to dma_unmap_sg() Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heiner Kallweit,
	Martin Blumenstingl, Krzysztof Kozlowski, Vinod Koul

From: Heiner Kallweit <hkallweit1@gmail.com>

commit e181119046a0ec16126b682163040e8e33f310c1 upstream.

The compatible string in the driver doesn't have the meson prefix.
Fix this in the documentation and rename the file accordingly.

Fixes: 87a55485f2fc ("dt-bindings: phy: meson-g12a-usb3-pcie-phy: convert to yaml")
Cc: stable@vger.kernel.org
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/0a82be92-ce85-da34-9d6f-4b33034473e5@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/devicetree/bindings/phy/amlogic,g12a-usb3-pcie-phy.yaml       |   59 ++++++++++
 Documentation/devicetree/bindings/phy/amlogic,meson-g12a-usb3-pcie-phy.yaml |   59 ----------
 2 files changed, 59 insertions(+), 59 deletions(-)
 rename Documentation/devicetree/bindings/phy/{amlogic,meson-g12a-usb3-pcie-phy.yaml => amlogic,g12a-usb3-pcie-phy.yaml} (82%)

--- /dev/null
+++ b/Documentation/devicetree/bindings/phy/amlogic,g12a-usb3-pcie-phy.yaml
@@ -0,0 +1,59 @@
+# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+# Copyright 2019 BayLibre, SAS
+%YAML 1.2
+---
+$id: "http://devicetree.org/schemas/phy/amlogic,g12a-usb3-pcie-phy.yaml#"
+$schema: "http://devicetree.org/meta-schemas/core.yaml#"
+
+title: Amlogic G12A USB3 + PCIE Combo PHY
+
+maintainers:
+  - Neil Armstrong <narmstrong@baylibre.com>
+
+properties:
+  compatible:
+    enum:
+      - amlogic,g12a-usb3-pcie-phy
+
+  reg:
+    maxItems: 1
+
+  clocks:
+    maxItems: 1
+
+  clock-names:
+    items:
+      - const: ref_clk
+
+  resets:
+    maxItems: 1
+
+  reset-names:
+    items:
+      - const: phy
+
+  "#phy-cells":
+    const: 1
+
+required:
+  - compatible
+  - reg
+  - clocks
+  - clock-names
+  - resets
+  - reset-names
+  - "#phy-cells"
+
+additionalProperties: false
+
+examples:
+  - |
+    phy@46000 {
+          compatible = "amlogic,g12a-usb3-pcie-phy";
+          reg = <0x46000 0x2000>;
+          clocks = <&ref_clk>;
+          clock-names = "ref_clk";
+          resets = <&phy_reset>;
+          reset-names = "phy";
+          #phy-cells = <1>;
+    };
--- a/Documentation/devicetree/bindings/phy/amlogic,meson-g12a-usb3-pcie-phy.yaml
+++ /dev/null
@@ -1,59 +0,0 @@
-# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
-# Copyright 2019 BayLibre, SAS
-%YAML 1.2
----
-$id: "http://devicetree.org/schemas/phy/amlogic,meson-g12a-usb3-pcie-phy.yaml#"
-$schema: "http://devicetree.org/meta-schemas/core.yaml#"
-
-title: Amlogic G12A USB3 + PCIE Combo PHY
-
-maintainers:
-  - Neil Armstrong <narmstrong@baylibre.com>
-
-properties:
-  compatible:
-    enum:
-      - amlogic,meson-g12a-usb3-pcie-phy
-
-  reg:
-    maxItems: 1
-
-  clocks:
-    maxItems: 1
-
-  clock-names:
-    items:
-      - const: ref_clk
-
-  resets:
-    maxItems: 1
-
-  reset-names:
-    items:
-      - const: phy
-
-  "#phy-cells":
-    const: 1
-
-required:
-  - compatible
-  - reg
-  - clocks
-  - clock-names
-  - resets
-  - reset-names
-  - "#phy-cells"
-
-additionalProperties: false
-
-examples:
-  - |
-    phy@46000 {
-          compatible = "amlogic,meson-g12a-usb3-pcie-phy";
-          reg = <0x46000 0x2000>;
-          clocks = <&ref_clk>;
-          clock-names = "ref_clk";
-          resets = <&phy_reset>;
-          reset-names = "phy";
-          #phy-cells = <1>;
-    };



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 71/98] serial: pch_uart: Pass correct sg to dma_unmap_sg()
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 70/98] dt-bindings: phy: g12a-usb3-pcie-phy: " Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 72/98] dmaengine: tegra210-adma: fix global intr clear Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen

From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>

commit e8914b52e5b024e4af3d810a935fe0805eee8a36 upstream.

A local variable sg is used to store scatterlist pointer in
pch_dma_tx_complete(). The for loop doing Tx byte accounting before
dma_unmap_sg() alters sg in its increment statement. Therefore, the
pointer passed into dma_unmap_sg() won't match to the one given to
dma_map_sg().

To fix the problem, use priv->sg_tx_p directly in dma_unmap_sg()
instead of the local variable.

Fixes: da3564ee027e ("pch_uart: add multi-scatter processing")
Cc: stable@vger.kernel.org
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20230103093435.4396-1-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/pch_uart.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -769,7 +769,7 @@ static void pch_dma_tx_complete(void *ar
 	}
 	xmit->tail &= UART_XMIT_SIZE - 1;
 	async_tx_ack(priv->desc_tx);
-	dma_unmap_sg(port->dev, sg, priv->orig_nent, DMA_TO_DEVICE);
+	dma_unmap_sg(port->dev, priv->sg_tx_p, priv->orig_nent, DMA_TO_DEVICE);
 	priv->tx_dma_use = 0;
 	priv->nent = 0;
 	priv->orig_nent = 0;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 72/98] dmaengine: tegra210-adma: fix global intr clear
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 71/98] serial: pch_uart: Pass correct sg to dma_unmap_sg() Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 73/98] serial: atmel: fix incorrect baudrate setup Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Mohan Kumar, Vinod Koul

From: Mohan Kumar <mkumard@nvidia.com>

commit 9c7e355ccbb33d239360c876dbe49ad5ade65b47 upstream.

The current global interrupt clear programming register offset
was not correct. Fix the programming with right offset

Fixes: ded1f3db4cd6 ("dmaengine: tegra210-adma: prepare for supporting newer Tegra chips")
Cc: stable@vger.kernel.org
Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
Link: https://lore.kernel.org/r/20230102064844.31306-1-mkumard@nvidia.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/dma/tegra210-adma.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/dma/tegra210-adma.c
+++ b/drivers/dma/tegra210-adma.c
@@ -224,7 +224,7 @@ static int tegra_adma_init(struct tegra_
 	int ret;
 
 	/* Clear any interrupts */
-	tdma_write(tdma, tdma->cdata->global_int_clear, 0x1);
+	tdma_write(tdma, tdma->cdata->ch_base_offset + tdma->cdata->global_int_clear, 0x1);
 
 	/* Assert soft reset */
 	tdma_write(tdma, ADMA_GLOBAL_SOFT_RESET, 0x1);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 73/98] serial: atmel: fix incorrect baudrate setup
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 72/98] dmaengine: tegra210-adma: fix global intr clear Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 74/98] gsmi: fix null-deref in gsmi_get_variable Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Tobias Schramm, Richard Genoud

From: Tobias Schramm <t.schramm@manjaro.org>

commit 5bfdd3c654bd879bff50c2e85e42f85ae698b42f upstream.

Commit ba47f97a18f2 ("serial: core: remove baud_rates when serial console
setup") changed uart_set_options to select the correct baudrate
configuration based on the absolute error between requested baudrate and
available standard baudrate settings.
Prior to that commit the baudrate was selected based on which predefined
standard baudrate did not exceed the requested baudrate.
This change of selection logic was never reflected in the atmel serial
driver. Thus the comment left in the atmel serial driver is no longer
accurate.
Additionally the manual rounding up described in that comment and applied
via (quot - 1) requests an incorrect baudrate. Since uart_set_options uses
tty_termios_encode_baud_rate to determine the appropriate baudrate flags
this can cause baudrate selection to fail entirely because
tty_termios_encode_baud_rate will only select a baudrate if relative error
between requested and selected baudrate does not exceed +/-2%.
Fix that by requesting actual, exact baudrate used by the serial.

Fixes: ba47f97a18f2 ("serial: core: remove baud_rates when serial console setup")
Cc: stable <stable@kernel.org>
Signed-off-by: Tobias Schramm <t.schramm@manjaro.org>
Acked-by: Richard Genoud <richard.genoud@gmail.com>
Link: https://lore.kernel.org/r/20230109072940.202936-1-t.schramm@manjaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/atmel_serial.c |    8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -2633,13 +2633,7 @@ static void __init atmel_console_get_opt
 	else if (mr == ATMEL_US_PAR_ODD)
 		*parity = 'o';
 
-	/*
-	 * The serial core only rounds down when matching this to a
-	 * supported baud rate. Make sure we don't end up slightly
-	 * lower than one of those, as it would make us fall through
-	 * to a much lower baud rate than we really want.
-	 */
-	*baud = port->uartclk / (16 * (quot - 1));
+	*baud = port->uartclk / (16 * quot);
 }
 
 static int __init atmel_console_setup(struct console *co, char *options)



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 74/98] gsmi: fix null-deref in gsmi_get_variable
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 73/98] serial: atmel: fix incorrect baudrate setup Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 75/98] mei: me: add meteor lake point M DID Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Khazhismel Kumykov

From: Khazhismel Kumykov <khazhy@chromium.org>

commit a769b05eeed7accc4019a1ed9799dd72067f1ce8 upstream.

We can get EFI variables without fetching the attribute, so we must
allow for that in gsmi.

commit 859748255b43 ("efi: pstore: Omit efivars caching EFI varstore
access layer") added a new get_variable call with attr=NULL, which
triggers panic in gsmi.

Fixes: 74c5b31c6618 ("driver: Google EFI SMI")
Cc: stable <stable@kernel.org>
Signed-off-by: Khazhismel Kumykov <khazhy@google.com>
Link: https://lore.kernel.org/r/20230118010212.1268474-1-khazhy@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/google/gsmi.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/firmware/google/gsmi.c
+++ b/drivers/firmware/google/gsmi.c
@@ -360,9 +360,10 @@ static efi_status_t gsmi_get_variable(ef
 		memcpy(data, gsmi_dev.data_buf->start, *data_size);
 
 		/* All variables are have the following attributes */
-		*attr = EFI_VARIABLE_NON_VOLATILE |
-			EFI_VARIABLE_BOOTSERVICE_ACCESS |
-			EFI_VARIABLE_RUNTIME_ACCESS;
+		if (attr)
+			*attr = EFI_VARIABLE_NON_VOLATILE |
+				EFI_VARIABLE_BOOTSERVICE_ACCESS |
+				EFI_VARIABLE_RUNTIME_ACCESS;
 	}
 
 	spin_unlock_irqrestore(&gsmi_dev.lock, flags);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 75/98] mei: me: add meteor lake point M DID
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 74/98] gsmi: fix null-deref in gsmi_get_variable Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 76/98] drm/i915: re-disable RC6p on Sandy Bridge Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Alexander Usyskin, Tomas Winkler

From: Alexander Usyskin <alexander.usyskin@intel.com>

commit 0c4d68261717f89fa8c4f98a6967c3832fcb3ad0 upstream.

Add Meteor Lake Point M device id.

Cc: <stable@vger.kernel.org>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20221212220247.286019-2-tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/misc/mei/hw-me-regs.h |    2 ++
 drivers/misc/mei/pci-me.c     |    2 ++
 2 files changed, 4 insertions(+)

--- a/drivers/misc/mei/hw-me-regs.h
+++ b/drivers/misc/mei/hw-me-regs.h
@@ -111,6 +111,8 @@
 
 #define MEI_DEV_ID_RPL_S      0x7A68  /* Raptor Lake Point S */
 
+#define MEI_DEV_ID_MTL_M      0x7E70  /* Meteor Lake Point M */
+
 /*
  * MEI HW Section
  */
--- a/drivers/misc/mei/pci-me.c
+++ b/drivers/misc/mei/pci-me.c
@@ -117,6 +117,8 @@ static const struct pci_device_id mei_me
 
 	{MEI_PCI_DEVICE(MEI_DEV_ID_RPL_S, MEI_ME_PCH15_CFG)},
 
+	{MEI_PCI_DEVICE(MEI_DEV_ID_MTL_M, MEI_ME_PCH15_CFG)},
+
 	/* required last entry */
 	{0, }
 };



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 76/98] drm/i915: re-disable RC6p on Sandy Bridge
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 75/98] mei: me: add meteor lake point M DID Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 77/98] drm/amd/display: Fix set scaling doesns work Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sasa Dragic, Ville Syrjälä,
	Rodrigo Vivi

From: Sasa Dragic <sasa.dragic@gmail.com>

commit 67b0b4ed259e425b7eed09da75b42c80682ca003 upstream.

RC6p on Sandy Bridge got re-enabled over time, causing visual glitches
and GPU hangs.

Disabled originally in commit 1c8ecf80fdee ("drm/i915: do not enable
RC6p on Sandy Bridge").

Signed-off-by: Sasa Dragic <sasa.dragic@gmail.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20221219172927.9603-2-sasa.dragic@gmail.com
Fixes: fb6db0f5bf1d ("drm/i915: Remove unsafe i915.enable_rc6")
Fixes: 13c5a577b342 ("drm/i915/gt: Select the deepest available parking mode for rc6")
Cc: stable@vger.kernel.org
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
(cherry picked from commit 0c8a6e9ea232c221976a0670256bd861408d9917)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/i915_pci.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/i915_pci.c
+++ b/drivers/gpu/drm/i915/i915_pci.c
@@ -403,7 +403,8 @@ static const struct intel_device_info il
 	.has_coherent_ggtt = true, \
 	.has_llc = 1, \
 	.has_rc6 = 1, \
-	.has_rc6p = 1, \
+	/* snb does support rc6p, but enabling it causes various issues */ \
+	.has_rc6p = 0, \
 	.has_rps = true, \
 	.dma_mask_size = 40, \
 	.ppgtt_type = INTEL_PPGTT_ALIASING, \



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 77/98] drm/amd/display: Fix set scaling doesns work
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 76/98] drm/i915: re-disable RC6p on Sandy Bridge Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 78/98] drm/amd/display: Calculate output_color_space after pixel encoding adjustment Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harry Wentland, Rodrigo Siqueira,
	hongao, Alex Deucher

From: hongao <hongao@uniontech.com>

commit 040625ab82ce6dca7772cb3867fe5c9eb279a344 upstream.

[Why]
Setting scaling does not correctly update CRTC state. As a result
dc stream state's src (composition area) && dest (addressable area)
was not calculated as expected. This causes set scaling doesn's work.

[How]
Correctly update CRTC state when setting scaling property.

Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Tested-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Signed-off-by: hongao <hongao@uniontech.com>
Signed-off-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -8783,8 +8783,8 @@ static int amdgpu_dm_atomic_check(struct
 			goto fail;
 		}
 
-		if (dm_old_con_state->abm_level !=
-		    dm_new_con_state->abm_level)
+		if (dm_old_con_state->abm_level != dm_new_con_state->abm_level ||
+		    dm_old_con_state->scaling != dm_new_con_state->scaling)
 			new_crtc_state->connectors_changed = true;
 	}
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 78/98] drm/amd/display: Calculate output_color_space after pixel encoding adjustment
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 77/98] drm/amd/display: Fix set scaling doesns work Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 79/98] drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Melissa Wen, Joshua Ashton, Alex Deucher

From: Joshua Ashton <joshua@froggi.es>

commit 79601b894849cb6f6d6122e6590f1887ac4a66b3 upstream.

Code in get_output_color_space depends on knowing the pixel encoding to
determine whether to pick between eg. COLOR_SPACE_SRGB or
COLOR_SPACE_YCBCR709 for transparent RGB -> YCbCr 4:4:4 in the driver.

v2: Fixed patch being accidentally based on a personal feature branch, oops!

Fixes: ea117312ea9f ("drm/amd/display: Reduce HDMI pixel encoding if max clock is exceeded")
Reviewed-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Joshua Ashton <joshua@froggi.es>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4567,8 +4567,6 @@ static void fill_stream_properties_from_
 	timing_out->pix_clk_100hz = mode_in->crtc_clock * 10;
 	timing_out->aspect_ratio = get_aspect_ratio(mode_in);
 
-	stream->output_color_space = get_output_color_space(timing_out);
-
 	stream->out_transfer_func->type = TF_TYPE_PREDEFINED;
 	stream->out_transfer_func->tf = TRANSFER_FUNCTION_SRGB;
 	if (stream->signal == SIGNAL_TYPE_HDMI_TYPE_A) {
@@ -4579,6 +4577,8 @@ static void fill_stream_properties_from_
 			adjust_colour_depth_from_display_info(timing_out, info);
 		}
 	}
+
+	stream->output_color_space = get_output_color_space(timing_out);
 }
 
 static void fill_audio_info(struct audio_info *audio_info,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 79/98] drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 78/98] drm/amd/display: Calculate output_color_space after pixel encoding adjustment Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 80/98] arm64: efi: Execute runtime services from a dedicated stack Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Melissa Wen, Joshua Ashton, Alex Deucher

From: Joshua Ashton <joshua@froggi.es>

commit 973a9c810c785ac270a6d50d8cf862b0c1643a10 upstream.

The YCC conversion matrix for RGB -> COLOR_SPACE_YCBCR2020_TYPE is
missing the values for the fourth column of the matrix.

The fourth column of the matrix is essentially just a value that is
added given that the color is 3 components in size.
These values are needed to bias the chroma from the [-1, 1] -> [0, 1]
range.

This fixes color being very green when using Gamescope HDR on HDMI
output which prefers YCC 4:4:4.

Fixes: 40df2f809e8f ("drm/amd/display: color space ycbcr709 support")
Reviewed-by: Melissa Wen <mwen@igalia.com>
Signed-off-by: Joshua Ashton <joshua@froggi.es>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_hw_sequencer.c
@@ -92,8 +92,8 @@ static const struct out_csc_color_matrix
 		{ 0xE00, 0xF349, 0xFEB7, 0x1000, 0x6CE, 0x16E3,
 				0x24F, 0x200, 0xFCCB, 0xF535, 0xE00, 0x1000} },
 	{ COLOR_SPACE_YCBCR2020_TYPE,
-		{ 0x1000, 0xF149, 0xFEB7, 0x0000, 0x0868, 0x15B2,
-				0x01E6, 0x0000, 0xFB88, 0xF478, 0x1000, 0x0000} },
+		{ 0x1000, 0xF149, 0xFEB7, 0x1004, 0x0868, 0x15B2,
+				0x01E6, 0x201, 0xFB88, 0xF478, 0x1000, 0x1004} },
 	{ COLOR_SPACE_YCBCR709_BLACK_TYPE,
 		{ 0x0000, 0x0000, 0x0000, 0x1000, 0x0000, 0x0000,
 				0x0000, 0x0200, 0x0000, 0x0000, 0x0000, 0x1000} },



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 80/98] arm64: efi: Execute runtime services from a dedicated stack
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 79/98] drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 81/98] efi: rt-wrapper: Add missing include Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Lee Jones

From: Ard Biesheuvel <ardb@kernel.org>

commit ff7a167961d1b97e0e205f245f806e564d3505e7 upstream.

With the introduction of PRMT in the ACPI subsystem, the EFI rts
workqueue is no longer the only caller of efi_call_virt_pointer() in the
kernel. This means the EFI runtime services lock is no longer sufficient
to manage concurrent calls into firmware, but also that firmware calls
may occur that are not marshalled via the workqueue mechanism, but
originate directly from the caller context.

For added robustness, and to ensure that the runtime services have 8 KiB
of stack space available as per the EFI spec, introduce a spinlock
protected EFI runtime stack of 8 KiB, where the spinlock also ensures
serialization between the EFI rts workqueue (which itself serializes EFI
runtime calls) and other callers of efi_call_virt_pointer().

While at it, use the stack pivot to avoid reloading the shadow call
stack pointer from the ordinary stack, as doing so could produce a
gadget to defeat it.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/efi.h       |    3 +++
 arch/arm64/kernel/efi-rt-wrapper.S |   13 ++++++++++++-
 arch/arm64/kernel/efi.c            |   27 +++++++++++++++++++++++++++
 3 files changed, 42 insertions(+), 1 deletion(-)

--- a/arch/arm64/include/asm/efi.h
+++ b/arch/arm64/include/asm/efi.h
@@ -25,6 +25,7 @@ int efi_set_mapping_permissions(struct m
 ({									\
 	efi_virtmap_load();						\
 	__efi_fpsimd_begin();						\
+	spin_lock(&efi_rt_lock);					\
 })
 
 #define arch_efi_call_virt(p, f, args...)				\
@@ -36,10 +37,12 @@ int efi_set_mapping_permissions(struct m
 
 #define arch_efi_call_virt_teardown()					\
 ({									\
+	spin_unlock(&efi_rt_lock);					\
 	__efi_fpsimd_end();						\
 	efi_virtmap_unload();						\
 })
 
+extern spinlock_t efi_rt_lock;
 efi_status_t __efi_rt_asm_wrapper(void *, const char *, ...);
 
 #define ARCH_EFI_IRQ_FLAGS_MASK (PSR_D_BIT | PSR_A_BIT | PSR_I_BIT | PSR_F_BIT)
--- a/arch/arm64/kernel/efi-rt-wrapper.S
+++ b/arch/arm64/kernel/efi-rt-wrapper.S
@@ -16,6 +16,12 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
 	 */
 	stp	x1, x18, [sp, #16]
 
+	ldr_l	x16, efi_rt_stack_top
+	mov	sp, x16
+#ifdef CONFIG_SHADOW_CALL_STACK
+	str	x18, [sp, #-16]!
+#endif
+
 	/*
 	 * We are lucky enough that no EFI runtime services take more than
 	 * 5 arguments, so all are passed in registers rather than via the
@@ -29,6 +35,7 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
 	mov	x4, x6
 	blr	x8
 
+	mov	sp, x29
 	ldp	x1, x2, [sp, #16]
 	cmp	x2, x18
 	ldp	x29, x30, [sp], #32
@@ -42,6 +49,10 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
 	 * called with preemption disabled and a separate shadow stack is used
 	 * for interrupts.
 	 */
-	mov	x18, x2
+#ifdef CONFIG_SHADOW_CALL_STACK
+	ldr_l	x18, efi_rt_stack_top
+	ldr	x18, [x18, #-16]
+#endif
+
 	b	efi_handle_corrupted_x18	// tail call
 SYM_FUNC_END(__efi_rt_asm_wrapper)
--- a/arch/arm64/kernel/efi.c
+++ b/arch/arm64/kernel/efi.c
@@ -143,3 +143,30 @@ asmlinkage efi_status_t efi_handle_corru
 	pr_err_ratelimited(FW_BUG "register x18 corrupted by EFI %s\n", f);
 	return s;
 }
+
+DEFINE_SPINLOCK(efi_rt_lock);
+
+asmlinkage u64 *efi_rt_stack_top __ro_after_init;
+
+/* EFI requires 8 KiB of stack space for runtime services */
+static_assert(THREAD_SIZE >= SZ_8K);
+
+static int __init arm64_efi_rt_init(void)
+{
+	void *p;
+
+	if (!efi_enabled(EFI_RUNTIME_SERVICES))
+		return 0;
+
+	p = __vmalloc_node(THREAD_SIZE, THREAD_ALIGN, GFP_KERNEL,
+			   NUMA_NO_NODE, &&l);
+l:	if (!p) {
+		pr_warn("Failed to allocate EFI runtime stack\n");
+		clear_bit(EFI_RUNTIME_SERVICES, &efi.flags);
+		return -ENOMEM;
+	}
+
+	efi_rt_stack_top = p + THREAD_SIZE;
+	return 0;
+}
+core_initcall(arm64_efi_rt_init);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 81/98] efi: rt-wrapper: Add missing include
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 80/98] arm64: efi: Execute runtime services from a dedicated stack Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 82/98] Revert "drm/amdgpu: make display pinning more flexible (v2)" Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ard Biesheuvel, Lee Jones

From: Ard Biesheuvel <ardb@kernel.org>

commit 18bba1843fc7f264f58c9345d00827d082f9c558 upstream.

Add the missing #include of asm/assembler.h, which is where the ldr_l
macro is defined.

Fixes: ff7a167961d1b97e ("arm64: efi: Execute runtime services from a dedicated stack")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Lee Jones <lee@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/kernel/efi-rt-wrapper.S |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm64/kernel/efi-rt-wrapper.S
+++ b/arch/arm64/kernel/efi-rt-wrapper.S
@@ -4,6 +4,7 @@
  */
 
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 
 SYM_FUNC_START(__efi_rt_asm_wrapper)
 	stp	x29, x30, [sp, #-32]!



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 82/98] Revert "drm/amdgpu: make display pinning more flexible (v2)"
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 81/98] efi: rt-wrapper: Add missing include Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 83/98] x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alex Deucher, kolAflash, jrf,
	mario.limonciello

From: Alex Deucher <alexander.deucher@amd.com>

This reverts commit 630270978483a63dd641c1183a179437ab4900df which is
commit 81d0bcf9900932633d270d5bc4a54ff599c6ebdb upstream.

This commit causes hiberation regressions on some platforms on kernels
older than 6.1.x (6.1.x and newer kernels works fine) so let's revert it
from 5.15 and older stable kernels.  This should be reverted from 6.0.x
as well, but that kernel is no longer supported.

Bug: https://bugzilla.kernel.org/show_bug.cgi?id=216917
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: kolAflash@kolahilft.de
Cc: jrf@mailbox.org
Cc: mario.limonciello@amd.com
Cc: stable@vger.kernel.org # 5.15.x
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_object.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_object.c
@@ -1531,8 +1531,7 @@ u64 amdgpu_bo_gpu_offset_no_check(struct
 uint32_t amdgpu_bo_get_preferred_pin_domain(struct amdgpu_device *adev,
 					    uint32_t domain)
 {
-	if ((domain == (AMDGPU_GEM_DOMAIN_VRAM | AMDGPU_GEM_DOMAIN_GTT)) &&
-	    ((adev->asic_type == CHIP_CARRIZO) || (adev->asic_type == CHIP_STONEY))) {
+	if (domain == (AMDGPU_GEM_DOMAIN_VRAM | AMDGPU_GEM_DOMAIN_GTT)) {
 		domain = AMDGPU_GEM_DOMAIN_VRAM;
 		if (adev->gmc.real_vram_size <= AMDGPU_SG_THRESHOLD)
 			domain = AMDGPU_GEM_DOMAIN_GTT;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 83/98] x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 82/98] Revert "drm/amdgpu: make display pinning more flexible (v2)" Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 84/98] tracing: Use alignof__(struct {type b;}) instead of offsetof() Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, YingChi Long, Borislav Petkov,
	Nick Desaulniers, Nathan Chancellor

From: YingChi Long <me@inclyc.cn>

commit 55228db2697c09abddcb9487c3d9fa5854a932cd upstream.

WG14 N2350 specifies that it is an undefined behavior to have type
definitions within offsetof", see

  https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2350.htm

This specification is also part of C23.

Therefore, replace the TYPE_ALIGN macro with the _Alignof builtin to
avoid undefined behavior. (_Alignof itself is C11 and the kernel is
built with -gnu11).

ISO C11 _Alignof is subtly different from the GNU C extension
__alignof__. Latter is the preferred alignment and _Alignof the
minimal alignment. For long long on x86 these are 8 and 4
respectively.

The macro TYPE_ALIGN's behavior matches _Alignof rather than
__alignof__.

  [ bp: Massage commit message. ]

Signed-off-by: YingChi Long <me@inclyc.cn>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Link: https://lore.kernel.org/r/20220925153151.2467884-1-me@inclyc.cn
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/fpu/init.c |    7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

--- a/arch/x86/kernel/fpu/init.c
+++ b/arch/x86/kernel/fpu/init.c
@@ -138,9 +138,6 @@ static void __init fpu__init_system_gene
 unsigned int fpu_kernel_xstate_size;
 EXPORT_SYMBOL_GPL(fpu_kernel_xstate_size);
 
-/* Get alignment of the TYPE. */
-#define TYPE_ALIGN(TYPE) offsetof(struct { char x; TYPE test; }, test)
-
 /*
  * Enforce that 'MEMBER' is the last field of 'TYPE'.
  *
@@ -148,8 +145,8 @@ EXPORT_SYMBOL_GPL(fpu_kernel_xstate_size
  * because that's how C aligns structs.
  */
 #define CHECK_MEMBER_AT_END_OF(TYPE, MEMBER) \
-	BUILD_BUG_ON(sizeof(TYPE) != ALIGN(offsetofend(TYPE, MEMBER), \
-					   TYPE_ALIGN(TYPE)))
+	BUILD_BUG_ON(sizeof(TYPE) !=         \
+		     ALIGN(offsetofend(TYPE, MEMBER), _Alignof(TYPE)))
 
 /*
  * We append the 'struct fpu' to the task_struct:



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 84/98] tracing: Use alignof__(struct {type b;}) instead of offsetof()
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 83/98] x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 85/98] arch: fix broken BuildID for arm64 and riscv Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Laight,
	Steven Rostedt (Google),
	Nathan Chancellor

From: "Steven Rostedt (Google)" <rostedt@goodmis.org>

commit 09794a5a6c348f629b35fc1687071a1622ef4265 upstream.

Simplify:

  #define ALIGN_STRUCTFIELD(type) ((int)(offsetof(struct {char a; type b;}, b)))

with

  #define  ALIGN_STRUCTFIELD(type) __alignof__(struct {type b;})

Which works just the same.

Link: https://lore.kernel.org/all/a7d202457150472588df0bd3b7334b3f@AcuMS.aculab.com/
Link: https://lkml.kernel.org/r/20220802154412.513c50e3@gandalf.local.home

Suggested-by: David Laight <David.Laight@ACULAB.COM>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/trace/trace_events.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/trace/trace_events.h
+++ b/include/trace/trace_events.h
@@ -400,7 +400,7 @@ static struct trace_event_functions trac
 
 #include TRACE_INCLUDE(TRACE_INCLUDE_FILE)
 
-#define ALIGN_STRUCTFIELD(type) ((int)(offsetof(struct {char a; type b;}, b)))
+#define ALIGN_STRUCTFIELD(type) ((int)(__alignof__(struct {type b;})))
 
 #undef __field_ext
 #define __field_ext(_type, _item, _filter_type) {			\



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 85/98] arch: fix broken BuildID for arm64 and riscv
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 84/98] tracing: Use alignof__(struct {type b;}) instead of offsetof() Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 86/98] s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36 Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tom Saeger, Dennis Gilmore,
	Ard Biesheuvel, Masahiro Yamada, Palmer Dabbelt

From: Masahiro Yamada <masahiroy@kernel.org>

commit 99cb0d917ffa1ab628bb67364ca9b162c07699b1 upstream.

Dennis Gilmore reports that the BuildID is missing in the arm64 vmlinux
since commit 994b7ac1697b ("arm64: remove special treatment for the
link order of head.o").

The issue is that the type of .notes section, which contains the BuildID,
changed from NOTES to PROGBITS.

Ard Biesheuvel figured out that whichever object gets linked first gets
to decide the type of a section. The PROGBITS type is the result of the
compiler emitting .note.GNU-stack as PROGBITS rather than NOTE.

While Ard provided a fix for arm64, I want to fix this globally because
the same issue is happening on riscv since commit 2348e6bf4421 ("riscv:
remove special treatment for the link order of head.o"). This problem
will happen in general for other architectures if they start to drop
unneeded entries from scripts/head-object-list.txt.

Discard .note.GNU-stack in include/asm-generic/vmlinux.lds.h.

Link: https://lore.kernel.org/lkml/CAABkxwuQoz1CTbyb57n0ZX65eSYiTonFCU8-LCQc=74D=xE=rA@mail.gmail.com/
Fixes: 994b7ac1697b ("arm64: remove special treatment for the link order of head.o")
Fixes: 2348e6bf4421 ("riscv: remove special treatment for the link order of head.o")
Cc: Tom Saeger <tom.saeger@oracle.com>
Reported-by: Dennis Gilmore <dennis@ausil.us>
Suggested-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Acked-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/asm-generic/vmlinux.lds.h |    5 +++++
 1 file changed, 5 insertions(+)

--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -906,7 +906,12 @@
 #define TRACEDATA
 #endif
 
+/*
+ * Discard .note.GNU-stack, which is emitted as PROGBITS by the compiler.
+ * Otherwise, the type of .notes section would become PROGBITS instead of NOTES.
+ */
 #define NOTES								\
+	/DISCARD/ : { *(.note.GNU-stack) }				\
 	.notes : AT(ADDR(.notes) - LOAD_OFFSET) {			\
 		__start_notes = .;					\
 		KEEP(*(.note.*))					\



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 86/98] s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 85/98] arch: fix broken BuildID for arm64 and riscv Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 87/98] powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Masahiro Yamada,
	Heiko Carstens

From: Masahiro Yamada <masahiroy@kernel.org>

commit a494398bde273143c2352dd373cad8211f7d94b2 upstream.

Nathan Chancellor reports that the s390 vmlinux fails to link with
GNU ld < 2.36 since commit 99cb0d917ffa ("arch: fix broken BuildID
for arm64 and riscv").

It happens for defconfig, or more specifically for CONFIG_EXPOLINE=y.

  $ s390x-linux-gnu-ld --version | head -n1
  GNU ld (GNU Binutils for Debian) 2.35.2
  $ make -s ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- allnoconfig
  $ ./scripts/config -e CONFIG_EXPOLINE
  $ make -s ARCH=s390 CROSS_COMPILE=s390x-linux-gnu- olddefconfig
  $ make -s ARCH=s390 CROSS_COMPILE=s390x-linux-gnu-
  `.exit.text' referenced in section `.s390_return_reg' of drivers/base/dd.o: defined in discarded section `.exit.text' of drivers/base/dd.o
  make[1]: *** [scripts/Makefile.vmlinux:34: vmlinux] Error 1
  make: *** [Makefile:1252: vmlinux] Error 2

arch/s390/kernel/vmlinux.lds.S wants to keep EXIT_TEXT:

        .exit.text : {
                EXIT_TEXT
        }

But, at the same time, EXIT_TEXT is thrown away by DISCARD because
s390 does not define RUNTIME_DISCARD_EXIT.

I still do not understand why the latter wins after 99cb0d917ffa,
but defining RUNTIME_DISCARD_EXIT seems correct because the comment
line in arch/s390/kernel/vmlinux.lds.S says:

        /*
         * .exit.text is discarded at runtime, not link time,
         * to deal with references from __bug_table
         */

Nathan also found that binutils commit 21401fc7bf67 ("Duplicate output
sections in scripts") cured this issue, so we cannot reproduce it with
binutils 2.36+, but it is better to not rely on it.

Fixes: 99cb0d917ffa ("arch: fix broken BuildID for arm64 and riscv")
Link: https://lore.kernel.org/all/Y7Jal56f6UBh1abE@dev-arch.thelio-3990X/
Reported-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Link: https://lore.kernel.org/r/20230105031306.1455409-1-masahiroy@kernel.org
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/s390/kernel/vmlinux.lds.S |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/s390/kernel/vmlinux.lds.S
+++ b/arch/s390/kernel/vmlinux.lds.S
@@ -15,6 +15,8 @@
 /* Handle ro_after_init data on our own. */
 #define RO_AFTER_INIT_DATA
 
+#define RUNTIME_DISCARD_EXIT
+
 #define EMITS_PT_NOTE
 
 #include <asm-generic/vmlinux.lds.h>



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 87/98] powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 86/98] s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36 Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 88/98] powerpc/vmlinux.lds: Dont discard .rela* for relocatable builds Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Ellerman

From: Michael Ellerman <mpe@ellerman.id.au>

commit 4b9880dbf3bdba3a7c56445137c3d0e30aaa0a40 upstream.

The powerpc linker script explicitly includes .exit.text, because
otherwise the link fails due to references from __bug_table and
__ex_table. The code is freed (discarded) at runtime along with
.init.text and data.

That has worked in the past despite powerpc not defining
RUNTIME_DISCARD_EXIT because DISCARDS appears late in the powerpc linker
script (line 410), and the explicit inclusion of .exit.text
earlier (line 280) supersedes the discard.

However commit 99cb0d917ffa ("arch: fix broken BuildID for arm64 and
riscv") introduced an earlier use of DISCARD as part of the RO_DATA
macro (line 136). With binutils < 2.36 that causes the DISCARD
directives later in the script to be applied earlier [1], causing
.exit.text to actually be discarded at link time, leading to build
errors:

  '.exit.text' referenced in section '__bug_table' of crypto/algboss.o: defined in
  discarded section '.exit.text' of crypto/algboss.o
  '.exit.text' referenced in section '__ex_table' of drivers/nvdimm/core.o: defined in
  discarded section '.exit.text' of drivers/nvdimm/core.o

Fix it by defining RUNTIME_DISCARD_EXIT, which causes the generic
DISCARDS macro to not include .exit.text at all.

1: https://lore.kernel.org/lkml/87fscp2v7k.fsf@igel.home/

Fixes: 99cb0d917ffa ("arch: fix broken BuildID for arm64 and riscv")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20230105132349.384666-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/vmlinux.lds.S |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -8,6 +8,7 @@
 #define BSS_FIRST_SECTIONS *(.bss.prominit)
 #define EMITS_PT_NOTE
 #define RO_EXCEPTION_TABLE_ALIGN	0
+#define RUNTIME_DISCARD_EXIT
 
 #include <asm/page.h>
 #include <asm-generic/vmlinux.lds.h>



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 88/98] powerpc/vmlinux.lds: Dont discard .rela* for relocatable builds
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 87/98] powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 89/98] powerpc/vmlinux.lds: Dont discard .comment Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Ellerman

From: Michael Ellerman <mpe@ellerman.id.au>

commit 07b050f9290ee012a407a0f64151db902a1520f5 upstream.

Relocatable kernels must not discard relocations, they need to be
processed at runtime. As such they are included for CONFIG_RELOCATABLE
builds in the powerpc linker script (line 340).

However they are also unconditionally discarded later in the
script (line 414). Previously that worked because the earlier inclusion
superseded the discard.

However commit 99cb0d917ffa ("arch: fix broken BuildID for arm64 and
riscv") introduced an earlier use of DISCARD as part of the RO_DATA
macro (line 137). With binutils < 2.36 that causes the DISCARD
directives later in the script to be applied earlier, causing .rela* to
actually be discarded at link time, leading to build warnings and a
kernel that doesn't boot:

  ld: warning: discarding dynamic section .rela.init.rodata

Fix it by conditionally discarding .rela* only when CONFIG_RELOCATABLE
is disabled.

Fixes: 99cb0d917ffa ("arch: fix broken BuildID for arm64 and riscv")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20230105132349.384666-2-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/vmlinux.lds.S |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -379,9 +379,12 @@ SECTIONS
 	DISCARDS
 	/DISCARD/ : {
 		*(*.EMB.apuinfo)
-		*(.glink .iplt .plt .rela* .comment)
+		*(.glink .iplt .plt .comment)
 		*(.gnu.version*)
 		*(.gnu.attributes)
 		*(.eh_frame)
+#ifndef CONFIG_RELOCATABLE
+		*(.rela*)
+#endif
 	}
 }



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 89/98] powerpc/vmlinux.lds: Dont discard .comment
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 88/98] powerpc/vmlinux.lds: Dont discard .rela* for relocatable builds Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 90/98] io_uring: io_kiocb_update_pos() should not touch file for non -1 offset Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Michael Ellerman

From: Michael Ellerman <mpe@ellerman.id.au>

commit be5f95c8779e19779dd81927c8574fec5aaba36c upstream.

Although the powerpc linker script mentions .comment in the DISCARD
section, that has never actually caused it to be discarded, because the
earlier ELF_DETAILS macro (previously STABS_DEBUG) explicitly includes
.comment.

However commit 99cb0d917ffa ("arch: fix broken BuildID for arm64 and
riscv") introduced an earlier use of DISCARD as part of the RO_DATA
macro. With binutils < 2.36 that causes the DISCARD directives later in
the script to be applied earlier, causing .comment to actually be
discarded.

It's confusing to explicitly include and discard .comment, and even more
so if the behaviour depends on the toolchain version. So don't discard
.comment in order to maintain the existing behaviour in all cases.

Fixes: 83a092cf95f2 ("powerpc: Link warning for orphan sections")
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20230105132349.384666-3-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/vmlinux.lds.S |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/powerpc/kernel/vmlinux.lds.S
+++ b/arch/powerpc/kernel/vmlinux.lds.S
@@ -379,7 +379,7 @@ SECTIONS
 	DISCARDS
 	/DISCARD/ : {
 		*(*.EMB.apuinfo)
-		*(.glink .iplt .plt .comment)
+		*(.glink .iplt .plt)
 		*(.gnu.version*)
 		*(.gnu.attributes)
 		*(.eh_frame)



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 90/98] io_uring: io_kiocb_update_pos() should not touch file for non -1 offset
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 89/98] powerpc/vmlinux.lds: Dont discard .comment Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 91/98] io_uring/net: fix fast_iov assignment in io_setup_async_msg() Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe

From: Jens Axboe <axboe@kernel.dk>

commit 6f83ab22adcb77a5824d2c274dace0d99e21319f upstream.

-1 tells use to use the current position, but we check if the file is
a stream regardless of that. Fix up io_kiocb_update_pos() to only
dip into file if we need to. This is both more efficient and also drops
12 bytes of text on aarch64 and 64 bytes on x86-64.

Fixes: b4aec4001595 ("io_uring: do not recalculate ppos unnecessarily")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 io_uring/io_uring.c |   21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3011,19 +3011,18 @@ static inline void io_rw_done(struct kio
 static inline loff_t *io_kiocb_update_pos(struct io_kiocb *req)
 {
 	struct kiocb *kiocb = &req->rw.kiocb;
-	bool is_stream = req->file->f_mode & FMODE_STREAM;
 
-	if (kiocb->ki_pos == -1) {
-		if (!is_stream) {
-			req->flags |= REQ_F_CUR_POS;
-			kiocb->ki_pos = req->file->f_pos;
-			return &kiocb->ki_pos;
-		} else {
-			kiocb->ki_pos = 0;
-			return NULL;
-		}
+	if (kiocb->ki_pos != -1)
+		return &kiocb->ki_pos;
+
+	if (!(req->file->f_mode & FMODE_STREAM)) {
+		req->flags |= REQ_F_CUR_POS;
+		kiocb->ki_pos = req->file->f_pos;
+		return &kiocb->ki_pos;
 	}
-	return is_stream ? NULL : &kiocb->ki_pos;
+
+	kiocb->ki_pos = 0;
+	return NULL;
 }
 
 static void kiocb_done(struct kiocb *kiocb, ssize_t ret,



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 91/98] io_uring/net: fix fast_iov assignment in io_setup_async_msg()
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 90/98] io_uring: io_kiocb_update_pos() should not touch file for non -1 offset Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 92/98] net/ulp: use consistent error code when blocking ULP Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Stefan Metzmacher, Pavel Begunkov,
	Jens Axboe

From: Stefan Metzmacher <metze@samba.org>

commit 3e4cb6ebbb2bad201c1186bc0b7e8cf41dd7f7e6 upstream.

I hit a very bad problem during my tests of SENDMSG_ZC.
BUG(); in first_iovec_segment() triggered very easily.
The problem was io_setup_async_msg() in the partial retry case,
which seems to happen more often with _ZC.

iov_iter_iovec_advance() may change i->iov in order to have i->iov_offset
being only relative to the first element.

Which means kmsg->msg.msg_iter.iov is no longer the
same as kmsg->fast_iov.

But this would rewind the copy to be the start of
async_msg->fast_iov, which means the internal
state of sync_msg->msg.msg_iter is inconsitent.

I tested with 5 vectors with length like this 4, 0, 64, 20, 8388608
and got a short writes with:
- ret=2675244 min_ret=8388692 => remaining 5713448 sr->done_io=2675244
- ret=-EAGAIN => io_uring_poll_arm
- ret=4911225 min_ret=5713448 => remaining 802223  sr->done_io=7586469
- ret=-EAGAIN => io_uring_poll_arm
- ret=802223  min_ret=802223  => res=8388692

While this was easily triggered with SENDMSG_ZC (queued for 6.1),
it was a potential problem starting with 7ba89d2af17aa879dda30f5d5d3f152e587fc551
in 5.18 for IORING_OP_RECVMSG.
And also with 4c3c09439c08b03d9503df0ca4c7619c5842892e in 5.19
for IORING_OP_SENDMSG.

However 257e84a5377fbbc336ff563833a8712619acce56 introduced the critical
code into io_setup_async_msg() in 5.11.

Fixes: 7ba89d2af17aa ("io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly")
Fixes: 257e84a5377fb ("io_uring: refactor sendmsg/recvmsg iov managing")
Cc: stable@vger.kernel.org
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/b2e7be246e2fb173520862b0c7098e55767567a2.1664436949.git.metze@samba.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 io_uring/io_uring.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -4681,8 +4681,10 @@ static int io_setup_async_msg(struct io_
 	if (async_msg->msg.msg_name)
 		async_msg->msg.msg_name = &async_msg->addr;
 	/* if were using fast_iov, set it to the new one */
-	if (!async_msg->free_iov)
-		async_msg->msg.msg_iter.iov = async_msg->fast_iov;
+	if (!kmsg->free_iov) {
+		size_t fast_idx = kmsg->msg.msg_iter.iov - kmsg->fast_iov;
+		async_msg->msg.msg_iter.iov = &async_msg->fast_iov[fast_idx];
+	}
 
 	return -EAGAIN;
 }



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 92/98] net/ulp: use consistent error code when blocking ULP
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 91/98] io_uring/net: fix fast_iov assignment in io_setup_async_msg() Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 93/98] net/mlx5: fix missing mutex_unlock in mlx5_fw_fatal_reporter_err_work() Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Paolo Abeni,
	Jakub Kicinski

From: Paolo Abeni <pabeni@redhat.com>

commit 8ccc99362b60c6f27bb46f36fdaaccf4ef0303de upstream.

The referenced commit changed the error code returned by the kernel
when preventing a non-established socket from attaching the ktls
ULP. Before to such a commit, the user-space got ENOTCONN instead
of EINVAL.

The existing self-tests depend on such error code, and the change
caused a failure:

  RUN           global.non_established ...
 tls.c:1673:non_established:Expected errno (22) == ENOTCONN (107)
 non_established: Test failed at step #3
          FAIL  global.non_established

In the unlikely event existing applications do the same, address
the issue by restoring the prior error code in the above scenario.

Note that the only other ULP performing similar checks at init
time - smc_ulp_ops - also fails with ENOTCONN when trying to attach
the ULP to a non-established socket.

Reported-by: Sabrina Dubroca <sd@queasysnail.net>
Fixes: 2c02d41d71f9 ("net/ulp: prevent ULP without clone op from entering the LISTEN status")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Link: https://lore.kernel.org/r/7bb199e7a93317fb6f8bf8b9b2dc71c18f337cde.1674042685.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_ulp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv4/tcp_ulp.c
+++ b/net/ipv4/tcp_ulp.c
@@ -136,7 +136,7 @@ static int __tcp_set_ulp(struct sock *sk
 	if (icsk->icsk_ulp_ops)
 		goto out_err;
 
-	err = -EINVAL;
+	err = -ENOTCONN;
 	if (!ulp_ops->clone && sk->sk_state == TCP_LISTEN)
 		goto out_err;
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 93/98] net/mlx5: fix missing mutex_unlock in mlx5_fw_fatal_reporter_err_work()
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 92/98] net/ulp: use consistent error code when blocking ULP Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 94/98] Revert "wifi: mac80211: fix memory leak in ieee80211_if_add()" Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, kernel test robot, Dan Carpenter,
	Yang Yingliang, Shay Drory, Saeed Mahameed

From: Yang Yingliang <yangyingliang@huawei.com>

commit 90e7cb78b81543998217b0eb446c067ce2191a79 upstream.

Add missing mutex_unlock() before returning from
mlx5_fw_fatal_reporter_err_work().

Fixes: 9078e843efec ("net/mlx5: Avoid recovery in probe flows")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Shay Drory <shayd@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/health.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/mellanox/mlx5/core/health.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c
@@ -621,6 +621,7 @@ static void mlx5_fw_fatal_reporter_err_w
 	mutex_lock(&dev->intf_state_mutex);
 	if (test_bit(MLX5_DROP_NEW_HEALTH_WORK, &health->flags)) {
 		mlx5_core_err(dev, "health works are not permitted at this stage\n");
+		mutex_unlock(&dev->intf_state_mutex);
 		return;
 	}
 	mutex_unlock(&dev->intf_state_mutex);



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 94/98] Revert "wifi: mac80211: fix memory leak in ieee80211_if_add()"
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 93/98] net/mlx5: fix missing mutex_unlock in mlx5_fw_fatal_reporter_err_work() Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 95/98] soc: qcom: apr: Make qcom,protection-domain optional again Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
	Zhengchao Shao, Johannes Berg, Kalle Valo

From: Eric Dumazet <edumazet@google.com>

commit 80f8a66dede0a4b4e9e846765a97809c6fe49ce5 upstream.

This reverts commit 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293.

ieee80211_if_free() is already called from free_netdev(ndev)
because ndev->priv_destructor == ieee80211_if_free

syzbot reported:

general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 0 PID: 10041 Comm: syz-executor.0 Not tainted 6.2.0-rc2-syzkaller-00388-g55b98837e37d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
RIP: 0010:pcpu_get_page_chunk mm/percpu.c:262 [inline]
RIP: 0010:pcpu_chunk_addr_search mm/percpu.c:1619 [inline]
RIP: 0010:free_percpu mm/percpu.c:2271 [inline]
RIP: 0010:free_percpu+0x186/0x10f0 mm/percpu.c:2254
Code: 80 3c 02 00 0f 85 f5 0e 00 00 48 8b 3b 48 01 ef e8 cf b3 0b 00 48 ba 00 00 00 00 00 fc ff df 48 8d 78 20 48 89 f9 48 c1 e9 03 <80> 3c 11 00 0f 85 3b 0e 00 00 48 8b 58 20 48 b8 00 00 00 00 00 fc
RSP: 0018:ffffc90004ba7068 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff88823ffe2b80 RCX: 0000000000000004
RDX: dffffc0000000000 RSI: ffffffff81c1f4e7 RDI: 0000000000000020
RBP: ffffe8fffe8fc220 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 1ffffffff2179ab2 R12: ffff8880b983d000
R13: 0000000000000003 R14: 0000607f450fc220 R15: ffff88823ffe2988
FS: 00007fcb349de700(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32220000 CR3: 000000004914f000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
netdev_run_todo+0x6bf/0x1100 net/core/dev.c:10352
ieee80211_register_hw+0x2663/0x4040 net/mac80211/main.c:1411
mac80211_hwsim_new_radio+0x2537/0x4d80 drivers/net/wireless/mac80211_hwsim.c:4583
hwsim_new_radio_nl+0xa09/0x10f0 drivers/net/wireless/mac80211_hwsim.c:5176
genl_family_rcv_msg_doit.isra.0+0x1e6/0x2d0 net/netlink/genetlink.c:968
genl_family_rcv_msg net/netlink/genetlink.c:1048 [inline]
genl_rcv_msg+0x4ff/0x7e0 net/netlink/genetlink.c:1065
netlink_rcv_skb+0x165/0x440 net/netlink/af_netlink.c:2564
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x547/0x7f0 net/netlink/af_netlink.c:1356
netlink_sendmsg+0x91b/0xe10 net/netlink/af_netlink.c:1932
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
____sys_sendmsg+0x712/0x8c0 net/socket.c:2476
___sys_sendmsg+0x110/0x1b0 net/socket.c:2530
__sys_sendmsg+0xf7/0x1c0 net/socket.c:2559
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 13e5afd3d773 ("wifi: mac80211: fix memory leak in ieee80211_if_add()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Zhengchao Shao <shaozhengchao@huawei.com>
Cc: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230113124326.3533978-1-edumazet@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/iface.c |    1 -
 1 file changed, 1 deletion(-)

--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -2013,7 +2013,6 @@ int ieee80211_if_add(struct ieee80211_lo
 
 		ret = register_netdevice(ndev);
 		if (ret) {
-			ieee80211_if_free(ndev);
 			free_netdev(ndev);
 			return ret;
 		}



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 95/98] soc: qcom: apr: Make qcom,protection-domain optional again
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 94/98] Revert "wifi: mac80211: fix memory leak in ieee80211_if_add()" Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 96/98] Bluetooth: hci_qca: Wait for SSR completion during suspend Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Bjorn Andersson

From: Stephan Gerhold <stephan@gerhold.net>

commit 599d41fb8ea8bd2a99ca9525dd69405020e43dda upstream.

APR should not fail if the service device tree node does not have
the qcom,protection-domain property, since this functionality does
not exist on older platforms such as MSM8916 and MSM8996.

Ignore -EINVAL (returned when the property does not exist) to fix
a regression on 6.2-rc1 that prevents audio from working:

  qcom,apr remoteproc0:smd-edge.apr_audio_svc.-1.-1:
    Failed to read second value of qcom,protection-domain
  qcom,apr remoteproc0:smd-edge.apr_audio_svc.-1.-1:
    Failed to add apr 3 svc

Fixes: 6d7860f5750d ("soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20221229151648.19839-3-stephan@gerhold.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/soc/qcom/apr.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/soc/qcom/apr.c
+++ b/drivers/soc/qcom/apr.c
@@ -319,9 +319,10 @@ static int apr_add_device(struct device
 		goto out;
 	}
 
+	/* Protection domain is optional, it does not exist on older platforms */
 	ret = of_property_read_string_index(np, "qcom,protection-domain",
 					    1, &adev->service_path);
-	if (ret < 0) {
+	if (ret < 0 && ret != -EINVAL) {
 		dev_err(dev, "Failed to read second value of qcom,protection-domain\n");
 		goto out;
 	}



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 96/98] Bluetooth: hci_qca: Wait for SSR completion during suspend
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 95/98] soc: qcom: apr: Make qcom,protection-domain optional again Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 97/98] Bluetooth: hci_qca: check for SSR triggered flag while suspend Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Venkata Lakshmi Narayana Gubba,
	Marcel Holtmann

From: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>

commit ad3a9c0ec2d2baed936cfdd05870f9d1e1f40e0e upstream.

During SSR after memory dump collection,BT controller will be powered off,
powered on and then FW will be downloaded.During suspend if BT controller
is powered off due to SSR then we should wait until SSR is completed and
then suspend.

Fixes: 2be43abac5a8 ("Bluetooth: hci_qca: Wait for timeout during suspend")
Signed-off-by: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/hci_qca.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -50,7 +50,8 @@
 #define IBS_HOST_TX_IDLE_TIMEOUT_MS	2000
 #define CMD_TRANS_TIMEOUT_MS		100
 #define MEMDUMP_TIMEOUT_MS		8000
-#define IBS_DISABLE_SSR_TIMEOUT_MS	(MEMDUMP_TIMEOUT_MS + 1000)
+#define IBS_DISABLE_SSR_TIMEOUT_MS \
+	(MEMDUMP_TIMEOUT_MS + FW_DOWNLOAD_TIMEOUT_MS)
 #define FW_DOWNLOAD_TIMEOUT_MS		3000
 
 /* susclk rate */
@@ -2111,7 +2112,12 @@ static int __maybe_unused qca_suspend(st
 
 	set_bit(QCA_SUSPENDING, &qca->flags);
 
-	if (test_bit(QCA_BT_OFF, &qca->flags))
+	/* During SSR after memory dump collection, controller will be
+	 * powered off and then powered on.If controller is powered off
+	 * during SSR then we should wait until SSR is completed.
+	 */
+	if (test_bit(QCA_BT_OFF, &qca->flags) &&
+	    !test_bit(QCA_SSR_TRIGGERED, &qca->flags))
 		return 0;
 
 	if (test_bit(QCA_IBS_DISABLED, &qca->flags)) {
@@ -2121,7 +2127,7 @@ static int __maybe_unused qca_suspend(st
 
 		/* QCA_IBS_DISABLED flag is set to true, During FW download
 		 * and during memory dump collection. It is reset to false,
-		 * After FW download complete and after memory dump collections.
+		 * After FW download complete.
 		 */
 		wait_on_bit_timeout(&qca->flags, QCA_IBS_DISABLED,
 			    TASK_UNINTERRUPTIBLE, msecs_to_jiffies(wait_timeout));
@@ -2133,10 +2139,6 @@ static int __maybe_unused qca_suspend(st
 		}
 	}
 
-	/* After memory dump collection, Controller is powered off.*/
-	if (test_bit(QCA_BT_OFF, &qca->flags))
-		return 0;
-
 	cancel_work_sync(&qca->ws_awake_device);
 	cancel_work_sync(&qca->ws_awake_rx);
 



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 97/98] Bluetooth: hci_qca: check for SSR triggered flag while suspend
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 96/98] Bluetooth: hci_qca: Wait for SSR completion during suspend Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-22 15:04 ` [PATCH 5.10 98/98] Bluetooth: hci_qca: Fixed issue during suspend Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Venkata Lakshmi Narayana Gubba,
	Marcel Holtmann

From: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>

commit 1bb0c66332babc5cbc4581d962da0b03af9f23e8 upstream.

QCA_IBS_DISABLED flag will be set after memorydump started from
controller.Currently qca_suspend() is waiting for SSR to complete
based on flag QCA_IBS_DISABLED.Added to check for QCA_SSR_TRIGGERED
flag too.

Fixes: 2be43abac5a8 ("Bluetooth: hci_qca: Wait for timeout during suspend")
Signed-off-by: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/hci_qca.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -2120,7 +2120,8 @@ static int __maybe_unused qca_suspend(st
 	    !test_bit(QCA_SSR_TRIGGERED, &qca->flags))
 		return 0;
 
-	if (test_bit(QCA_IBS_DISABLED, &qca->flags)) {
+	if (test_bit(QCA_IBS_DISABLED, &qca->flags) ||
+	    test_bit(QCA_SSR_TRIGGERED, &qca->flags)) {
 		wait_timeout = test_bit(QCA_SSR_TRIGGERED, &qca->flags) ?
 					IBS_DISABLE_SSR_TIMEOUT_MS :
 					FW_DOWNLOAD_TIMEOUT_MS;



^ permalink raw reply	[flat|nested] 103+ messages in thread

* [PATCH 5.10 98/98] Bluetooth: hci_qca: Fixed issue during suspend
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 97/98] Bluetooth: hci_qca: check for SSR triggered flag while suspend Greg Kroah-Hartman
@ 2023-01-22 15:04 ` Greg Kroah-Hartman
  2023-01-23  7:16 ` [PATCH 5.10 00/98] 5.10.165-rc1 review Naresh Kamboju
                   ` (2 subsequent siblings)
  100 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-22 15:04 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Venkata Lakshmi Narayana Gubba,
	Marcel Holtmann

From: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>

commit 55c0bd77479b60ea29fd390faf4545cfb3a1d79e upstream.

If BT SoC is running with ROM FW then just return in
qca_suspend function as ROM FW does not support
in-band sleep.

Fixes: 2be43abac5a8 ("Bluetooth: hci_qca: Wait for timeout during suspend")
Signed-off-by: Venkata Lakshmi Narayana Gubba <gubbaven@codeaurora.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bluetooth/hci_qca.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/bluetooth/hci_qca.c
+++ b/drivers/bluetooth/hci_qca.c
@@ -77,7 +77,8 @@ enum qca_flags {
 	QCA_MEMDUMP_COLLECTION,
 	QCA_HW_ERROR_EVENT,
 	QCA_SSR_TRIGGERED,
-	QCA_BT_OFF
+	QCA_BT_OFF,
+	QCA_ROM_FW
 };
 
 enum qca_capabilities {
@@ -1664,6 +1665,7 @@ static int qca_setup(struct hci_uart *hu
 	if (ret)
 		return ret;
 
+	clear_bit(QCA_ROM_FW, &qca->flags);
 	/* Patch downloading has to be done without IBS mode */
 	set_bit(QCA_IBS_DISABLED, &qca->flags);
 
@@ -1722,12 +1724,14 @@ retry:
 		hu->hdev->cmd_timeout = qca_cmd_timeout;
 	} else if (ret == -ENOENT) {
 		/* No patch/nvm-config found, run with original fw/config */
+		set_bit(QCA_ROM_FW, &qca->flags);
 		ret = 0;
 	} else if (ret == -EAGAIN) {
 		/*
 		 * Userspace firmware loader will return -EAGAIN in case no
 		 * patch/nvm-config is found, so run with original fw/config.
 		 */
+		set_bit(QCA_ROM_FW, &qca->flags);
 		ret = 0;
 	} else {
 		if (retries < MAX_INIT_RETRIES) {
@@ -2112,6 +2116,12 @@ static int __maybe_unused qca_suspend(st
 
 	set_bit(QCA_SUSPENDING, &qca->flags);
 
+	/* if BT SoC is running with default firmware then it does not
+	 * support in-band sleep
+	 */
+	if (test_bit(QCA_ROM_FW, &qca->flags))
+		return 0;
+
 	/* During SSR after memory dump collection, controller will be
 	 * powered off and then powered on.If controller is powered off
 	 * during SSR then we should wait until SSR is completed.



^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.10 00/98] 5.10.165-rc1 review
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2023-01-22 15:04 ` [PATCH 5.10 98/98] Bluetooth: hci_qca: Fixed issue during suspend Greg Kroah-Hartman
@ 2023-01-23  7:16 ` Naresh Kamboju
  2023-01-23 11:18 ` Sudip Mukherjee
  2023-01-23 11:31 ` Pavel Machek
  100 siblings, 0 replies; 103+ messages in thread
From: Naresh Kamboju @ 2023-01-23  7:16 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow, Masahiro Yamada, Ard Biesheuvel,
	Nathan Chancellor, Dennis Gilmore, Palmer Dabbelt, Arnd Bergmann

On Sun, 22 Jan 2023 at 20:41, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.10.165 release.
> There are 98 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 24 Jan 2023 15:02:08 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.165-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.

Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>

Build regressions found on sh:
   - build/gcc-8-dreamcast_defconfig
   - build/gcc-8-microdev_defconfig


Build error logs:

`.exit.text' referenced in section `__bug_table' of crypto/algboss.o:
defined in discarded section `.exit.text' of crypto/algboss.o
`.exit.text' referenced in section `__bug_table' of
drivers/char/hw_random/core.o: defined in discarded section
`.exit.text' of drivers/char/hw_random/core.o
make[1]: *** [/builds/linux/Makefile:1194: vmlinux] Error 1

Bisection points to this commit,
    arch: fix broken BuildID for arm64 and riscv
    commit 99cb0d917ffa1ab628bb67364ca9b162c07699b1 upstream.

Ref:
upstream discussion thread,
https://lore.kernel.org/all/Y7Jal56f6UBh1abE@dev-arch.thelio-3990X/

Steps to reproduce:
# To install tuxmake on your system globally:
# sudo pip3 install -U tuxmake
#
# See https://docs.tuxmake.org/ for complete documentation.
# Original tuxmake command with fragments listed below.

tuxmake --runtime podman --target-arch sh --toolchain gcc-8 --kconfig
microdev_defconfig


Build log links,
https://storage.tuxsuite.com/public/linaro/lkft/builds/2Kgdn5w5X9wlz0EVgtSZbTFuRYy/

--
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.10 00/98] 5.10.165-rc1 review
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2023-01-23  7:16 ` [PATCH 5.10 00/98] 5.10.165-rc1 review Naresh Kamboju
@ 2023-01-23 11:18 ` Sudip Mukherjee
  2023-01-23 11:31 ` Pavel Machek
  100 siblings, 0 replies; 103+ messages in thread
From: Sudip Mukherjee @ 2023-01-23 11:18 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli, srw, rwarsow

Hi Greg,

On Sun, Jan 22, 2023 at 04:03:16PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.165 release.
> There are 98 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue, 24 Jan 2023 15:02:08 +0000.
> Anything received after that time might be too late.

Build test (gcc version 11.3.1 20230113):
mips: 63 configs -> no failure
arm: 104 configs -> no failure
arm64: 3 configs -> no failure
x86_64: 4 configs -> no failure
alpha allmodconfig -> no failure
powerpc allmodconfig -> no failure
riscv allmodconfig -> no failure
s390 allmodconfig -> no failure
xtensa allmodconfig -> no failure

Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]
arm64: Booted on rpi4b (4GB model). No regression. [2]

[1]. https://openqa.qa.codethink.co.uk/tests/2696
[2]. https://openqa.qa.codethink.co.uk/tests/2704


Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>

-- 
Regards
Sudip

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.10 00/98] 5.10.165-rc1 review
  2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2023-01-23 11:18 ` Sudip Mukherjee
@ 2023-01-23 11:31 ` Pavel Machek
  2023-01-23 11:46   ` Greg Kroah-Hartman
  100 siblings, 1 reply; 103+ messages in thread
From: Pavel Machek @ 2023-01-23 11:31 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow

[-- Attachment #1: Type: text/plain, Size: 850 bytes --]

Hi!

> This is the start of the stable review cycle for the 5.10.165 release.
> There are 98 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

Hmm. Interesting.

We tested

commit 9096aabfe9e099a5af5d13bb0fb36e98bb623398
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Mon Jan 23 10:49:12 2023 +0100

    Linux 5.10.165-rc2

and found no problems there, but that is -rc2 and you announced -rc1.

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-5.10.y

Best regards,
                                                                Pavel


-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 103+ messages in thread

* Re: [PATCH 5.10 00/98] 5.10.165-rc1 review
  2023-01-23 11:31 ` Pavel Machek
@ 2023-01-23 11:46   ` Greg Kroah-Hartman
  0 siblings, 0 replies; 103+ messages in thread
From: Greg Kroah-Hartman @ 2023-01-23 11:46 UTC (permalink / raw)
  To: Pavel Machek
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, jonathanh, f.fainelli, sudipm.mukherjee,
	srw, rwarsow

On Mon, Jan 23, 2023 at 12:31:31PM +0100, Pavel Machek wrote:
> Hi!
> 
> > This is the start of the stable review cycle for the 5.10.165 release.
> > There are 98 patches in this series, all will be posted as a response
> > to this one.  If anyone has any issues with these being applied, please
> > let me know.
> 
> Hmm. Interesting.
> 
> We tested
> 
> commit 9096aabfe9e099a5af5d13bb0fb36e98bb623398
> Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Date:   Mon Jan 23 10:49:12 2023 +0100
> 
>     Linux 5.10.165-rc2
> 
> and found no problems there, but that is -rc2 and you announced -rc1.

https://lore.kernel.org/r/20230123094914.748265495@linuxfoundation.org


^ permalink raw reply	[flat|nested] 103+ messages in thread

end of thread, other threads:[~2023-01-23 11:46 UTC | newest]

Thread overview: 103+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-01-22 15:03 [PATCH 5.10 00/98] 5.10.165-rc1 review Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 01/98] btrfs: fix trace event name typo for FLUSH_DELAYED_REFS Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 02/98] pNFS/filelayout: Fix coalescing test for single DS Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 03/98] selftests/bpf: check null propagation only neither reg is PTR_TO_BTF_ID Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 04/98] tools/virtio: initialize spinlocks in vring_test.c Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 05/98] net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 06/98] RDMA/srp: Move large values to a new enum for gcc13 Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 07/98] btrfs: always report error in run_one_delayed_ref() Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 08/98] x86/asm: Fix an assembler warning with current binutils Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 09/98] f2fs: lets avoid panic if extent_tree is not created Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 10/98] wifi: brcmfmac: fix regression for Broadcom PCIe wifi devices Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 11/98] wifi: mac80211: sdata can be NULL during AMPDU start Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 12/98] Add exception protection processing for vd in axi_chan_handle_err function Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 13/98] zonefs: Detect append writes at invalid locations Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 14/98] nilfs2: fix general protection fault in nilfs_btree_insert() Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 15/98] efi: fix userspace infinite retry read efivars after EFI runtime services page fault Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 16/98] ALSA: hda/realtek - Turn on power early Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 17/98] drm/i915/gt: Reset twice Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 18/98] Bluetooth: hci_qca: Wait for timeout during suspend Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 19/98] Bluetooth: hci_qca: Fix driver shutdown on closed serdev Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 20/98] io_uring: dont gate task_work run on TIF_NOTIFY_SIGNAL Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 21/98] io_uring: improve send/recv error handling Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 22/98] io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 23/98] io_uring: add flag for disabling provided buffer recycling Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 24/98] io_uring: support MSG_WAITALL for IORING_OP_SEND(MSG) Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 25/98] io_uring: allow re-poll if we made progress Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 26/98] io_uring: fix async accept on O_NONBLOCK sockets Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 27/98] io_uring: check for valid register opcode earlier Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 28/98] io_uring: lock overflowing for IOPOLL Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 29/98] io_uring: fix CQ waiting timeout handling Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 30/98] io_uring: ensure that cached task references are always put on exit Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 31/98] io_uring: remove duplicated calls to io_kiocb_ppos Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 32/98] io_uring: update kiocb->ki_pos at execution time Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 33/98] io_uring: do not recalculate ppos unnecessarily Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 34/98] io_uring/rw: defer fsnotify calls to task context Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 35/98] xhci-pci: set the dma max_seg_size Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 36/98] usb: xhci: Check endpoint is valid before dereferencing it Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 37/98] xhci: Fix null pointer dereference when host dies Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 38/98] xhci: Add update_hub_device override for PCI xHCI hosts Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 39/98] xhci: Add a flag to disable USB3 lpm on a xhci root port level Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 40/98] usb: acpi: add helper to check port lpm capability using acpi _DSM Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 41/98] xhci: Detect lpm incapable xHC USB3 roothub ports from ACPI tables Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 42/98] prlimit: do_prlimit needs to have a speculation check Greg Kroah-Hartman
2023-01-22 15:03 ` [PATCH 5.10 43/98] USB: serial: option: add Quectel EM05-G (GR) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 44/98] USB: serial: option: add Quectel EM05-G (CS) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 45/98] USB: serial: option: add Quectel EM05-G (RS) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 46/98] USB: serial: option: add Quectel EC200U modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 47/98] USB: serial: option: add Quectel EM05CN (SG) modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 48/98] USB: serial: option: add Quectel EM05CN modem Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 49/98] staging: vchiq_arm: fix enum vchiq_status return types Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 50/98] USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 51/98] misc: fastrpc: Dont remove map on creater_process and device_release Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 52/98] misc: fastrpc: Fix use-after-free race condition for maps Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 53/98] usb: core: hub: disable autosuspend for TI TUSB8041 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 54/98] comedi: adv_pci1760: Fix PWM instruction handling Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 55/98] mmc: sunxi-mmc: Fix clock refcount imbalance during unbind Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 56/98] mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 57/98] btrfs: fix race between quota rescan and disable leading to NULL pointer deref Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 58/98] cifs: do not include page data when checking signature Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 59/98] thunderbolt: Use correct function to calculate maximum USB3 link rate Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 60/98] tty: serial: qcom-geni-serial: fix slab-out-of-bounds on RX FIFO buffer Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 61/98] USB: gadgetfs: Fix race between mounting and unmounting Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 62/98] USB: serial: cp210x: add SCALANCE LPE-9000 device id Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 63/98] usb: host: ehci-fsl: Fix module alias Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 64/98] usb: typec: altmodes/displayport: Add pin assignment helper Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 65/98] usb: typec: altmodes/displayport: Fix pin assignment calculation Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 66/98] usb: gadget: g_webcam: Send color matching descriptor per frame Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 67/98] usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 68/98] usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 69/98] dt-bindings: phy: g12a-usb2-phy: fix compatible string documentation Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 70/98] dt-bindings: phy: g12a-usb3-pcie-phy: " Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 71/98] serial: pch_uart: Pass correct sg to dma_unmap_sg() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 72/98] dmaengine: tegra210-adma: fix global intr clear Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 73/98] serial: atmel: fix incorrect baudrate setup Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 74/98] gsmi: fix null-deref in gsmi_get_variable Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 75/98] mei: me: add meteor lake point M DID Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 76/98] drm/i915: re-disable RC6p on Sandy Bridge Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 77/98] drm/amd/display: Fix set scaling doesns work Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 78/98] drm/amd/display: Calculate output_color_space after pixel encoding adjustment Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 79/98] drm/amd/display: Fix COLOR_SPACE_YCBCR2020_TYPE matrix Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 80/98] arm64: efi: Execute runtime services from a dedicated stack Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 81/98] efi: rt-wrapper: Add missing include Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 82/98] Revert "drm/amdgpu: make display pinning more flexible (v2)" Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 83/98] x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 84/98] tracing: Use alignof__(struct {type b;}) instead of offsetof() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 85/98] arch: fix broken BuildID for arm64 and riscv Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 86/98] s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36 Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 87/98] powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 88/98] powerpc/vmlinux.lds: Dont discard .rela* for relocatable builds Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 89/98] powerpc/vmlinux.lds: Dont discard .comment Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 90/98] io_uring: io_kiocb_update_pos() should not touch file for non -1 offset Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 91/98] io_uring/net: fix fast_iov assignment in io_setup_async_msg() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 92/98] net/ulp: use consistent error code when blocking ULP Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 93/98] net/mlx5: fix missing mutex_unlock in mlx5_fw_fatal_reporter_err_work() Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 94/98] Revert "wifi: mac80211: fix memory leak in ieee80211_if_add()" Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 95/98] soc: qcom: apr: Make qcom,protection-domain optional again Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 96/98] Bluetooth: hci_qca: Wait for SSR completion during suspend Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 97/98] Bluetooth: hci_qca: check for SSR triggered flag while suspend Greg Kroah-Hartman
2023-01-22 15:04 ` [PATCH 5.10 98/98] Bluetooth: hci_qca: Fixed issue during suspend Greg Kroah-Hartman
2023-01-23  7:16 ` [PATCH 5.10 00/98] 5.10.165-rc1 review Naresh Kamboju
2023-01-23 11:18 ` Sudip Mukherjee
2023-01-23 11:31 ` Pavel Machek
2023-01-23 11:46   ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).