From dd6caa8da1ace4e2e4f02eb5284addebf4c5c2bb Mon Sep 17 00:00:00 2001 From: Tzung-Bi Shih Date: Tue, 11 Jun 2024 11:31:10 +0000 Subject: [PATCH 001/173] platform/chrome: cros_ec_debugfs: fix wrong EC message version [ Upstream commit c2a28647bbb4e0894e8824362410f72b06ac57a4 ] ec_read_version_supported() uses ec_params_get_cmd_versions_v1 but it wrongly uses message version 0. Fix it. Fixes: e86264595225 ("mfd: cros_ec: add debugfs, console log file") Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20240611113110.16955-1-tzungbi@kernel.org Signed-off-by: Tzung-Bi Shih Signed-off-by: Sasha Levin (cherry picked from commit c0e53e36452d1b2a3ec71bf0586251245a5686c0) Signed-off-by: Vegard Nossum --- drivers/platform/chrome/cros_ec_debugfs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/platform/chrome/cros_ec_debugfs.c b/drivers/platform/chrome/cros_ec_debugfs.c index 4cc66f405760..d15c2f9df3c0 100644 --- a/drivers/platform/chrome/cros_ec_debugfs.c +++ b/drivers/platform/chrome/cros_ec_debugfs.c @@ -236,6 +236,7 @@ static int ec_read_version_supported(struct cros_ec_dev *ec) if (!msg) return 0; + msg->version = 1; msg->command = EC_CMD_GET_CMD_VERSIONS + ec->cmd_offset; msg->outsize = sizeof(*params); msg->insize = sizeof(*response); From 78659ded3dbb7237c1582e91776e86a6b3247515 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= Date: Mon, 27 May 2024 15:55:35 +0300 Subject: [PATCH 002/173] x86/of: Return consistent error type from x86_of_pci_irq_enable() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit ec0b4c4d45cf7cf9a6c9626a494a89cb1ae7c645 ] x86_of_pci_irq_enable() returns PCIBIOS_* code received from pci_read_config_byte() directly and also -EINVAL which are not compatible error types. x86_of_pci_irq_enable() is used as (*pcibios_enable_irq) function which should not return PCIBIOS_* codes. Convert the PCIBIOS_* return code from pci_read_config_byte() into normal errno using pcibios_err_to_errno(). Fixes: 96e0a0797eba ("x86: dtb: Add support for PCI devices backed by dtb nodes") Signed-off-by: Ilpo Järvinen Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/20240527125538.13620-1-ilpo.jarvinen@linux.intel.com Signed-off-by: Sasha Levin (cherry picked from commit 56d64c36b2aac95c9c24e303fb746591ecfa096a) Signed-off-by: Vegard Nossum --- arch/x86/kernel/devicetree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/devicetree.c b/arch/x86/kernel/devicetree.c index 7fa0855e4b9a..717ba4b2e8d0 100644 --- a/arch/x86/kernel/devicetree.c +++ b/arch/x86/kernel/devicetree.c @@ -96,7 +96,7 @@ static int x86_of_pci_irq_enable(struct pci_dev *dev) ret = pci_read_config_byte(dev, PCI_INTERRUPT_PIN, &pin); if (ret) - return ret; + return pcibios_err_to_errno(ret); if (!pin) return 0; From 5f1342ecebaf8161a43bcc1b8958c280452c8171 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= Date: Mon, 27 May 2024 15:55:36 +0300 Subject: [PATCH 003/173] x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 724852059e97c48557151b3aa4af424614819752 ] intel_mid_pci_irq_enable() uses pci_read_config_byte() that returns PCIBIOS_* codes. The error handling, however, assumes the codes are normal errnos because it checks for < 0. intel_mid_pci_irq_enable() also returns the PCIBIOS_* code back to the caller but the function is used as the (*pcibios_enable_irq) function which should return normal errnos. Convert the error check to plain non-zero check which works for PCIBIOS_* return codes and convert the PCIBIOS_* return code using pcibios_err_to_errno() into normal errno before returning it. Fixes: 5b395e2be6c4 ("x86/platform/intel-mid: Make IRQ allocation a bit more flexible") Signed-off-by: Ilpo Järvinen Signed-off-by: Borislav Petkov (AMD) Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20240527125538.13620-2-ilpo.jarvinen@linux.intel.com Signed-off-by: Sasha Levin (cherry picked from commit 600a520cc4e661aa712415e4a733924e9d22777d) Signed-off-by: Vegard Nossum --- arch/x86/pci/intel_mid_pci.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/pci/intel_mid_pci.c b/arch/x86/pci/intel_mid_pci.c index 1012a5f0f98d..e5042a0413fb 100644 --- a/arch/x86/pci/intel_mid_pci.c +++ b/arch/x86/pci/intel_mid_pci.c @@ -222,9 +222,9 @@ static int intel_mid_pci_irq_enable(struct pci_dev *dev) return 0; ret = pci_read_config_byte(dev, PCI_INTERRUPT_LINE, &gsi); - if (ret < 0) { + if (ret) { dev_warn(&dev->dev, "Failed to read interrupt line: %d\n", ret); - return ret; + return pcibios_err_to_errno(ret); } switch (intel_mid_identify_cpu()) { From 125df213ac935a71782e5c091206853ff9cb5556 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= Date: Mon, 27 May 2024 15:55:37 +0300 Subject: [PATCH 004/173] x86/pci/xen: Fix PCIBIOS_* return code handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit e9d7b435dfaec58432f4106aaa632bf39f52ce9f ] xen_pcifront_enable_irq() uses pci_read_config_byte() that returns PCIBIOS_* codes. The error handling, however, assumes the codes are normal errnos because it checks for < 0. xen_pcifront_enable_irq() also returns the PCIBIOS_* code back to the caller but the function is used as the (*pcibios_enable_irq) function which should return normal errnos. Convert the error check to plain non-zero check which works for PCIBIOS_* return codes and convert the PCIBIOS_* return code using pcibios_err_to_errno() into normal errno before returning it. Fixes: 3f2a230caf21 ("xen: handled remapped IRQs when enabling a pcifront PCI device.") Signed-off-by: Ilpo Järvinen Signed-off-by: Borislav Petkov (AMD) Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20240527125538.13620-3-ilpo.jarvinen@linux.intel.com Signed-off-by: Sasha Levin (cherry picked from commit 5294b91618250c7719e4c85096cafe8f76a1bc20) Signed-off-by: Vegard Nossum --- arch/x86/pci/xen.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/pci/xen.c b/arch/x86/pci/xen.c index 7135f35f9de7..a77b73ee727e 100644 --- a/arch/x86/pci/xen.c +++ b/arch/x86/pci/xen.c @@ -35,10 +35,10 @@ static int xen_pcifront_enable_irq(struct pci_dev *dev) u8 gsi; rc = pci_read_config_byte(dev, PCI_INTERRUPT_LINE, &gsi); - if (rc < 0) { + if (rc) { dev_warn(&dev->dev, "Xen PCI: failed to read interrupt line: %d\n", rc); - return rc; + return pcibios_err_to_errno(rc); } /* In PV DomU the Xen PCI backend puts the PIRQ in the interrupt line.*/ pirq = gsi; From 21be2282360c7df8b2535f9c2883674234dc7de2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= Date: Mon, 27 May 2024 15:55:38 +0300 Subject: [PATCH 005/173] x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 7821fa101eab529521aa4b724bf708149d70820c ] iosf_mbi_pci_{read,write}_mdr() use pci_{read,write}_config_dword() that return PCIBIOS_* codes but functions also return -ENODEV which are not compatible error codes. As neither of the functions are related to PCI read/write functions, they should return normal errnos. Convert PCIBIOS_* returns code using pcibios_err_to_errno() into normal errno before returning it. Fixes: 46184415368a ("arch: x86: New MailBox support driver for Intel SOC's") Signed-off-by: Ilpo Järvinen Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/20240527125538.13620-4-ilpo.jarvinen@linux.intel.com Signed-off-by: Sasha Levin (cherry picked from commit 3f4f08e59ddf359da5bc4226ba865a59177a3a50) Signed-off-by: Vegard Nossum --- arch/x86/platform/intel/iosf_mbi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/platform/intel/iosf_mbi.c b/arch/x86/platform/intel/iosf_mbi.c index a952ac199741..5e2a6ca4368c 100644 --- a/arch/x86/platform/intel/iosf_mbi.c +++ b/arch/x86/platform/intel/iosf_mbi.c @@ -68,7 +68,7 @@ static int iosf_mbi_pci_read_mdr(u32 mcrx, u32 mcr, u32 *mdr) fail_read: dev_err(&mbi_pdev->dev, "PCI config access failed with %d\n", result); - return result; + return pcibios_err_to_errno(result); } static int iosf_mbi_pci_write_mdr(u32 mcrx, u32 mcr, u32 mdr) @@ -97,7 +97,7 @@ static int iosf_mbi_pci_write_mdr(u32 mcrx, u32 mcr, u32 mdr) fail_write: dev_err(&mbi_pdev->dev, "PCI config access failed with %d\n", result); - return result; + return pcibios_err_to_errno(result); } int iosf_mbi_read(u8 port, u8 opcode, u32 offset, u32 *mdr) From 1dd63dd3a8a7617a90bc1a9068fedb6adf5f5aac Mon Sep 17 00:00:00 2001 From: Wayne Tung Date: Mon, 1 Jul 2024 15:32:52 +0800 Subject: [PATCH 006/173] hwmon: (adt7475) Fix default duty on fan is disabled [ Upstream commit 39b24cced70fdc336dbc0070f8b3bde61d8513a8 ] According to the comments on fan is disabled, we change to manual mode and set the duty cycle to 0. For setting the duty cycle part, the register is wrong. Fix it. Fixes: 1c301fc5394f ("hwmon: Add a driver for the ADT7475 hardware monitoring chip") Signed-off-by: Wayne Tung Link: https://lore.kernel.org/r/20240701073252.317397-1-chineweff@gmail.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin (cherry picked from commit d9c01877d4ba1e39bbdc43faeeceeef2768be8e7) Signed-off-by: Vegard Nossum --- drivers/hwmon/adt7475.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/hwmon/adt7475.c b/drivers/hwmon/adt7475.c index 51bc70e6ec3f..b5bfbe145da2 100644 --- a/drivers/hwmon/adt7475.c +++ b/drivers/hwmon/adt7475.c @@ -1633,7 +1633,7 @@ static void adt7475_read_pwm(struct i2c_client *client, int index) data->pwm[CONTROL][index] &= ~0xE0; data->pwm[CONTROL][index] |= (7 << 5); - i2c_smbus_write_byte_data(client, PWM_CONFIG_REG(index), + i2c_smbus_write_byte_data(client, PWM_REG(index), data->pwm[INPUT][index]); i2c_smbus_write_byte_data(client, PWM_CONFIG_REG(index), From 25d404099dccdfe51abb9f810a864ced8b9d912b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= Date: Wed, 3 Jul 2024 13:00:06 +0200 Subject: [PATCH 007/173] pwm: stm32: Always do lazy disabling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 7346e7a058a2c9aa9ff1cc699c7bf18a402d9f84 ] When the state changes from enabled to disabled, polarity, duty_cycle and period are not configured in hardware and TIM_CCER_CCxE is just cleared. However if the state changes from one disabled state to another, all parameters are written to hardware because the early exit from stm32_pwm_apply() is only taken if the pwm is currently enabled. This yields surprises like: Applying { .period = 1, .duty_cycle = 0, .enabled = false } succeeds if the pwm is initially on, but fails if it's already off because 1 is a too small period. Update the check for lazy disable to always exit early if the target state is disabled, no matter what is currently configured. Fixes: 7edf7369205b ("pwm: Add driver for STM32 plaftorm") Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20240703110010.672654-2-u.kleine-koenig@baylibre.com Signed-off-by: Uwe Kleine-König Signed-off-by: Sasha Levin (cherry picked from commit 383729f057245972e13fb0708c5ec7dd985fc50d) Signed-off-by: Vegard Nossum --- drivers/pwm/pwm-stm32.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c index 5668e3a2f0ea..81451623a246 100644 --- a/drivers/pwm/pwm-stm32.c +++ b/drivers/pwm/pwm-stm32.c @@ -198,8 +198,9 @@ static int stm32_pwm_apply(struct pwm_chip *chip, struct pwm_device *pwm, enabled = pwm->state.enabled; - if (enabled && !state->enabled) { - stm32_pwm_disable(priv, pwm->hwpwm); + if (!state->enabled) { + if (enabled) + stm32_pwm_disable(priv, pwm->hwpwm); return 0; } From 42cc04b6ae182a372082afc1c28d67f92fed5c29 Mon Sep 17 00:00:00 2001 From: Guenter Roeck Date: Sat, 13 Jul 2024 14:26:19 -0700 Subject: [PATCH 008/173] hwmon: (max6697) Fix underflow when writing limit attributes [ Upstream commit cbf7467828cd4ec7ceac7a8b5b5ddb2f69f07b0e ] Using DIV_ROUND_CLOSEST() on an unbound value can result in underflows. Indeed, module test scripts report: temp1_max: Suspected underflow: [min=0, read 255000, written -9223372036854775808] temp1_crit: Suspected underflow: [min=0, read 255000, written -9223372036854775808] Fix by introducing an extra set of clamping. Fixes: 5372d2d71c46 ("hwmon: Driver for Maxim MAX6697 and compatibles") Reviewed-by: Tzung-Bi Shih Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin (cherry picked from commit 21998f2c68edd4a7922875f34b39ce2bb78fabc0) Signed-off-by: Vegard Nossum --- drivers/hwmon/max6697.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/hwmon/max6697.c b/drivers/hwmon/max6697.c index 6df28fe0577d..7e7f59c68ce6 100644 --- a/drivers/hwmon/max6697.c +++ b/drivers/hwmon/max6697.c @@ -314,6 +314,7 @@ static ssize_t set_temp(struct device *dev, return ret; mutex_lock(&data->update_lock); + temp = clamp_val(temp, -1000000, 1000000); /* prevent underflow */ temp = DIV_ROUND_CLOSEST(temp, 1000) + data->temp_offset; temp = clamp_val(temp, 0, data->type == max6581 ? 255 : 127); data->temp[nr][index] = temp; From 625dffc4eaba4191520fb296a0e55743836bab4b Mon Sep 17 00:00:00 2001 From: Guenter Roeck Date: Tue, 27 Dec 2016 15:28:19 -0800 Subject: [PATCH 009/173] hwmon: Introduce SENSOR_DEVICE_ATTR_{RO, RW, WO} and variants [ Upstream commit a5c47c0d388b939dd578fd466aa804b7f2445390 ] Introduce SENSOR_DEVICE_ATTR_{RO,RW,WO} and SENSOR_DEVICE_ATTR_2_{RO,RW,WO} as simplified variants of SENSOR_DEVICE_ATTR and SENSOR_DEVICE_ATTR_2 to simplify the source code, improve readbility, and reduce the chance of inconsistencies. Signed-off-by: Guenter Roeck Stable-dep-of: 1ea3fd1eb986 ("hwmon: (max6697) Fix swapped temp{1,8} critical alarms") Signed-off-by: Sasha Levin (cherry picked from commit eb04482acd9870b84970fe1549203fedc1bbcc79) Signed-off-by: Vegard Nossum --- Documentation/hwmon/hwmon-kernel-api.txt | 24 ++++++++++----- include/linux/hwmon-sysfs.h | 39 ++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 8 deletions(-) diff --git a/Documentation/hwmon/hwmon-kernel-api.txt b/Documentation/hwmon/hwmon-kernel-api.txt index 53a806696c64..364f016fb022 100644 --- a/Documentation/hwmon/hwmon-kernel-api.txt +++ b/Documentation/hwmon/hwmon-kernel-api.txt @@ -298,17 +298,25 @@ functions is used. The header file linux/hwmon-sysfs.h provides a number of useful macros to declare and use hardware monitoring sysfs attributes. -In many cases, you can use the exsting define DEVICE_ATTR to declare such -attributes. This is feasible if an attribute has no additional context. However, -in many cases there will be additional information such as a sensor index which -will need to be passed to the sysfs attribute handling function. +In many cases, you can use the exsting define DEVICE_ATTR or its variants +DEVICE_ATTR_{RW,RO,WO} to declare such attributes. This is feasible if an +attribute has no additional context. However, in many cases there will be +additional information such as a sensor index which will need to be passed +to the sysfs attribute handling function. SENSOR_DEVICE_ATTR and SENSOR_DEVICE_ATTR_2 can be used to define attributes which need such additional context information. SENSOR_DEVICE_ATTR requires one additional argument, SENSOR_DEVICE_ATTR_2 requires two. -SENSOR_DEVICE_ATTR defines a struct sensor_device_attribute variable. -This structure has the following fields. +Simplified variants of SENSOR_DEVICE_ATTR and SENSOR_DEVICE_ATTR_2 are available +and should be used if standard attribute permissions and function names are +feasible. Standard permissions are 0644 for SENSOR_DEVICE_ATTR[_2]_RW, +0444 for SENSOR_DEVICE_ATTR[_2]_RO, and 0200 for SENSOR_DEVICE_ATTR[_2]_WO. +Standard functions, similar to DEVICE_ATTR_{RW,RO,WO}, have _show and _store +appended to the provided function name. + +SENSOR_DEVICE_ATTR and its variants define a struct sensor_device_attribute +variable. This structure has the following fields. struct sensor_device_attribute { struct device_attribute dev_attr; @@ -319,8 +327,8 @@ You can use to_sensor_dev_attr to get the pointer to this structure from the attribute read or write function. Its parameter is the device to which the attribute is attached. -SENSOR_DEVICE_ATTR_2 defines a struct sensor_device_attribute_2 variable, -which is defined as follows. +SENSOR_DEVICE_ATTR_2 and its variants define a struct sensor_device_attribute_2 +variable, which is defined as follows. struct sensor_device_attribute_2 { struct device_attribute dev_attr; diff --git a/include/linux/hwmon-sysfs.h b/include/linux/hwmon-sysfs.h index 1c7b89ae6bdc..473897bbd898 100644 --- a/include/linux/hwmon-sysfs.h +++ b/include/linux/hwmon-sysfs.h @@ -33,10 +33,28 @@ struct sensor_device_attribute{ { .dev_attr = __ATTR(_name, _mode, _show, _store), \ .index = _index } +#define SENSOR_ATTR_RO(_name, _func, _index) \ + SENSOR_ATTR(_name, 0444, _func##_show, NULL, _index) + +#define SENSOR_ATTR_RW(_name, _func, _index) \ + SENSOR_ATTR(_name, 0644, _func##_show, _func##_store, _index) + +#define SENSOR_ATTR_WO(_name, _func, _index) \ + SENSOR_ATTR(_name, 0200, NULL, _func##_store, _index) + #define SENSOR_DEVICE_ATTR(_name, _mode, _show, _store, _index) \ struct sensor_device_attribute sensor_dev_attr_##_name \ = SENSOR_ATTR(_name, _mode, _show, _store, _index) +#define SENSOR_DEVICE_ATTR_RO(_name, _func, _index) \ + SENSOR_DEVICE_ATTR(_name, 0444, _func##_show, NULL, _index) + +#define SENSOR_DEVICE_ATTR_RW(_name, _func, _index) \ + SENSOR_DEVICE_ATTR(_name, 0644, _func##_show, _func##_store, _index) + +#define SENSOR_DEVICE_ATTR_WO(_name, _func, _index) \ + SENSOR_DEVICE_ATTR(_name, 0200, NULL, _func##_store, _index) + struct sensor_device_attribute_2 { struct device_attribute dev_attr; u8 index; @@ -50,8 +68,29 @@ struct sensor_device_attribute_2 { .index = _index, \ .nr = _nr } +#define SENSOR_ATTR_2_RO(_name, _func, _nr, _index) \ + SENSOR_ATTR_2(_name, 0444, _func##_show, NULL, _nr, _index) + +#define SENSOR_ATTR_2_RW(_name, _func, _nr, _index) \ + SENSOR_ATTR_2(_name, 0644, _func##_show, _func##_store, _nr, _index) + +#define SENSOR_ATTR_2_WO(_name, _func, _nr, _index) \ + SENSOR_ATTR_2(_name, 0200, NULL, _func##_store, _nr, _index) + #define SENSOR_DEVICE_ATTR_2(_name,_mode,_show,_store,_nr,_index) \ struct sensor_device_attribute_2 sensor_dev_attr_##_name \ = SENSOR_ATTR_2(_name, _mode, _show, _store, _nr, _index) +#define SENSOR_DEVICE_ATTR_2_RO(_name, _func, _nr, _index) \ + SENSOR_DEVICE_ATTR_2(_name, 0444, _func##_show, NULL, \ + _nr, _index) + +#define SENSOR_DEVICE_ATTR_2_RW(_name, _func, _nr, _index) \ + SENSOR_DEVICE_ATTR_2(_name, 0644, _func##_show, _func##_store, \ + _nr, _index) + +#define SENSOR_DEVICE_ATTR_2_WO(_name, _func, _nr, _index) \ + SENSOR_DEVICE_ATTR_2(_name, 0200, NULL, _func##_store, \ + _nr, _index) + #endif /* _LINUX_HWMON_SYSFS_H */ From 64785dce17bc282c55ed7f21c3fbc4391cdb1ab0 Mon Sep 17 00:00:00 2001 From: Guenter Roeck Date: Thu, 6 Dec 2018 10:54:38 -0800 Subject: [PATCH 010/173] hwmon: (max6697) Auto-convert to use SENSOR_DEVICE_ATTR_{RO, RW, WO} [ Upstream commit 740c2f2b86a71ad673f329241ac25cfe647aacd4 ] Conversion was done done using the coccinelle script at https://github.com/groeck/coccinelle-patches/raw/master/hwmon/sensor-devattr-w6.cocci Signed-off-by: Guenter Roeck Stable-dep-of: 1ea3fd1eb986 ("hwmon: (max6697) Fix swapped temp{1,8} critical alarms") Signed-off-by: Sasha Levin (cherry picked from commit 7a72d79eef89ce242e08edb18f64106374117295) Signed-off-by: Vegard Nossum --- drivers/hwmon/max6697.c | 124 +++++++++++++++++----------------------- 1 file changed, 54 insertions(+), 70 deletions(-) diff --git a/drivers/hwmon/max6697.c b/drivers/hwmon/max6697.c index 7e7f59c68ce6..2103ba45de74 100644 --- a/drivers/hwmon/max6697.c +++ b/drivers/hwmon/max6697.c @@ -251,7 +251,7 @@ abort: return ret; } -static ssize_t show_temp_input(struct device *dev, +static ssize_t temp_input_show(struct device *dev, struct device_attribute *devattr, char *buf) { int index = to_sensor_dev_attr(devattr)->index; @@ -267,8 +267,8 @@ static ssize_t show_temp_input(struct device *dev, return sprintf(buf, "%d\n", temp * 125); } -static ssize_t show_temp(struct device *dev, - struct device_attribute *devattr, char *buf) +static ssize_t temp_show(struct device *dev, struct device_attribute *devattr, + char *buf) { int nr = to_sensor_dev_attr_2(devattr)->nr; int index = to_sensor_dev_attr_2(devattr)->index; @@ -284,7 +284,7 @@ static ssize_t show_temp(struct device *dev, return sprintf(buf, "%d\n", temp * 1000); } -static ssize_t show_alarm(struct device *dev, struct device_attribute *attr, +static ssize_t alarm_show(struct device *dev, struct device_attribute *attr, char *buf) { int index = to_sensor_dev_attr(attr)->index; @@ -299,9 +299,9 @@ static ssize_t show_alarm(struct device *dev, struct device_attribute *attr, return sprintf(buf, "%u\n", (data->alarms >> index) & 0x1); } -static ssize_t set_temp(struct device *dev, - struct device_attribute *devattr, - const char *buf, size_t count) +static ssize_t temp_store(struct device *dev, + struct device_attribute *devattr, const char *buf, + size_t count) { int nr = to_sensor_dev_attr_2(devattr)->nr; int index = to_sensor_dev_attr_2(devattr)->index; @@ -327,79 +327,63 @@ static ssize_t set_temp(struct device *dev, return ret < 0 ? ret : count; } -static SENSOR_DEVICE_ATTR(temp1_input, S_IRUGO, show_temp_input, NULL, 0); -static SENSOR_DEVICE_ATTR_2(temp1_max, S_IRUGO | S_IWUSR, show_temp, set_temp, - 0, MAX6697_TEMP_MAX); -static SENSOR_DEVICE_ATTR_2(temp1_crit, S_IRUGO | S_IWUSR, show_temp, set_temp, - 0, MAX6697_TEMP_CRIT); +static SENSOR_DEVICE_ATTR_RO(temp1_input, temp_input, 0); +static SENSOR_DEVICE_ATTR_2_RW(temp1_max, temp, 0, MAX6697_TEMP_MAX); +static SENSOR_DEVICE_ATTR_2_RW(temp1_crit, temp, 0, MAX6697_TEMP_CRIT); -static SENSOR_DEVICE_ATTR(temp2_input, S_IRUGO, show_temp_input, NULL, 1); -static SENSOR_DEVICE_ATTR_2(temp2_max, S_IRUGO | S_IWUSR, show_temp, set_temp, - 1, MAX6697_TEMP_MAX); -static SENSOR_DEVICE_ATTR_2(temp2_crit, S_IRUGO | S_IWUSR, show_temp, set_temp, - 1, MAX6697_TEMP_CRIT); +static SENSOR_DEVICE_ATTR_RO(temp2_input, temp_input, 1); +static SENSOR_DEVICE_ATTR_2_RW(temp2_max, temp, 1, MAX6697_TEMP_MAX); +static SENSOR_DEVICE_ATTR_2_RW(temp2_crit, temp, 1, MAX6697_TEMP_CRIT); -static SENSOR_DEVICE_ATTR(temp3_input, S_IRUGO, show_temp_input, NULL, 2); -static SENSOR_DEVICE_ATTR_2(temp3_max, S_IRUGO | S_IWUSR, show_temp, set_temp, - 2, MAX6697_TEMP_MAX); -static SENSOR_DEVICE_ATTR_2(temp3_crit, S_IRUGO | S_IWUSR, show_temp, set_temp, - 2, MAX6697_TEMP_CRIT); +static SENSOR_DEVICE_ATTR_RO(temp3_input, temp_input, 2); +static SENSOR_DEVICE_ATTR_2_RW(temp3_max, temp, 2, MAX6697_TEMP_MAX); +static SENSOR_DEVICE_ATTR_2_RW(temp3_crit, temp, 2, MAX6697_TEMP_CRIT); -static SENSOR_DEVICE_ATTR(temp4_input, S_IRUGO, show_temp_input, NULL, 3); -static SENSOR_DEVICE_ATTR_2(temp4_max, S_IRUGO | S_IWUSR, show_temp, set_temp, - 3, MAX6697_TEMP_MAX); -static SENSOR_DEVICE_ATTR_2(temp4_crit, S_IRUGO | S_IWUSR, show_temp, set_temp, - 3, MAX6697_TEMP_CRIT); +static SENSOR_DEVICE_ATTR_RO(temp4_input, temp_input, 3); +static SENSOR_DEVICE_ATTR_2_RW(temp4_max, temp, 3, MAX6697_TEMP_MAX); +static SENSOR_DEVICE_ATTR_2_RW(temp4_crit, temp, 3, MAX6697_TEMP_CRIT); -static SENSOR_DEVICE_ATTR(temp5_input, S_IRUGO, show_temp_input, NULL, 4); -static SENSOR_DEVICE_ATTR_2(temp5_max, S_IRUGO | S_IWUSR, show_temp, set_temp, - 4, MAX6697_TEMP_MAX); -static SENSOR_DEVICE_ATTR_2(temp5_crit, S_IRUGO | S_IWUSR, show_temp, set_temp, - 4, MAX6697_TEMP_CRIT); +static SENSOR_DEVICE_ATTR_RO(temp5_input, temp_input, 4); +static SENSOR_DEVICE_ATTR_2_RW(temp5_max, temp, 4, MAX6697_TEMP_MAX); +static SENSOR_DEVICE_ATTR_2_RW(temp5_crit, temp, 4, MAX6697_TEMP_CRIT); -static SENSOR_DEVICE_ATTR(temp6_input, S_IRUGO, show_temp_input, NULL, 5); -static SENSOR_DEVICE_ATTR_2(temp6_max, S_IRUGO | S_IWUSR, show_temp, set_temp, - 5, MAX6697_TEMP_MAX); -static SENSOR_DEVICE_ATTR_2(temp6_crit, S_IRUGO | S_IWUSR, show_temp, set_temp, - 5, MAX6697_TEMP_CRIT); +static SENSOR_DEVICE_ATTR_RO(temp6_input, temp_input, 5); +static SENSOR_DEVICE_ATTR_2_RW(temp6_max, temp, 5, MAX6697_TEMP_MAX); +static SENSOR_DEVICE_ATTR_2_RW(temp6_crit, temp, 5, MAX6697_TEMP_CRIT); -static SENSOR_DEVICE_ATTR(temp7_input, S_IRUGO, show_temp_input, NULL, 6); -static SENSOR_DEVICE_ATTR_2(temp7_max, S_IRUGO | S_IWUSR, show_temp, set_temp, - 6, MAX6697_TEMP_MAX); -static SENSOR_DEVICE_ATTR_2(temp7_crit, S_IRUGO | S_IWUSR, show_temp, set_temp, - 6, MAX6697_TEMP_CRIT); +static SENSOR_DEVICE_ATTR_RO(temp7_input, temp_input, 6); +static SENSOR_DEVICE_ATTR_2_RW(temp7_max, temp, 6, MAX6697_TEMP_MAX); +static SENSOR_DEVICE_ATTR_2_RW(temp7_crit, temp, 6, MAX6697_TEMP_CRIT); -static SENSOR_DEVICE_ATTR(temp8_input, S_IRUGO, show_temp_input, NULL, 7); -static SENSOR_DEVICE_ATTR_2(temp8_max, S_IRUGO | S_IWUSR, show_temp, set_temp, - 7, MAX6697_TEMP_MAX); -static SENSOR_DEVICE_ATTR_2(temp8_crit, S_IRUGO | S_IWUSR, show_temp, set_temp, - 7, MAX6697_TEMP_CRIT); +static SENSOR_DEVICE_ATTR_RO(temp8_input, temp_input, 7); +static SENSOR_DEVICE_ATTR_2_RW(temp8_max, temp, 7, MAX6697_TEMP_MAX); +static SENSOR_DEVICE_ATTR_2_RW(temp8_crit, temp, 7, MAX6697_TEMP_CRIT); -static SENSOR_DEVICE_ATTR(temp1_max_alarm, S_IRUGO, show_alarm, NULL, 22); -static SENSOR_DEVICE_ATTR(temp2_max_alarm, S_IRUGO, show_alarm, NULL, 16); -static SENSOR_DEVICE_ATTR(temp3_max_alarm, S_IRUGO, show_alarm, NULL, 17); -static SENSOR_DEVICE_ATTR(temp4_max_alarm, S_IRUGO, show_alarm, NULL, 18); -static SENSOR_DEVICE_ATTR(temp5_max_alarm, S_IRUGO, show_alarm, NULL, 19); -static SENSOR_DEVICE_ATTR(temp6_max_alarm, S_IRUGO, show_alarm, NULL, 20); -static SENSOR_DEVICE_ATTR(temp7_max_alarm, S_IRUGO, show_alarm, NULL, 21); -static SENSOR_DEVICE_ATTR(temp8_max_alarm, S_IRUGO, show_alarm, NULL, 23); +static SENSOR_DEVICE_ATTR_RO(temp1_max_alarm, alarm, 22); +static SENSOR_DEVICE_ATTR_RO(temp2_max_alarm, alarm, 16); +static SENSOR_DEVICE_ATTR_RO(temp3_max_alarm, alarm, 17); +static SENSOR_DEVICE_ATTR_RO(temp4_max_alarm, alarm, 18); +static SENSOR_DEVICE_ATTR_RO(temp5_max_alarm, alarm, 19); +static SENSOR_DEVICE_ATTR_RO(temp6_max_alarm, alarm, 20); +static SENSOR_DEVICE_ATTR_RO(temp7_max_alarm, alarm, 21); +static SENSOR_DEVICE_ATTR_RO(temp8_max_alarm, alarm, 23); -static SENSOR_DEVICE_ATTR(temp1_crit_alarm, S_IRUGO, show_alarm, NULL, 14); -static SENSOR_DEVICE_ATTR(temp2_crit_alarm, S_IRUGO, show_alarm, NULL, 8); -static SENSOR_DEVICE_ATTR(temp3_crit_alarm, S_IRUGO, show_alarm, NULL, 9); -static SENSOR_DEVICE_ATTR(temp4_crit_alarm, S_IRUGO, show_alarm, NULL, 10); -static SENSOR_DEVICE_ATTR(temp5_crit_alarm, S_IRUGO, show_alarm, NULL, 11); -static SENSOR_DEVICE_ATTR(temp6_crit_alarm, S_IRUGO, show_alarm, NULL, 12); -static SENSOR_DEVICE_ATTR(temp7_crit_alarm, S_IRUGO, show_alarm, NULL, 13); -static SENSOR_DEVICE_ATTR(temp8_crit_alarm, S_IRUGO, show_alarm, NULL, 15); +static SENSOR_DEVICE_ATTR_RO(temp1_crit_alarm, alarm, 14); +static SENSOR_DEVICE_ATTR_RO(temp2_crit_alarm, alarm, 8); +static SENSOR_DEVICE_ATTR_RO(temp3_crit_alarm, alarm, 9); +static SENSOR_DEVICE_ATTR_RO(temp4_crit_alarm, alarm, 10); +static SENSOR_DEVICE_ATTR_RO(temp5_crit_alarm, alarm, 11); +static SENSOR_DEVICE_ATTR_RO(temp6_crit_alarm, alarm, 12); +static SENSOR_DEVICE_ATTR_RO(temp7_crit_alarm, alarm, 13); +static SENSOR_DEVICE_ATTR_RO(temp8_crit_alarm, alarm, 15); -static SENSOR_DEVICE_ATTR(temp2_fault, S_IRUGO, show_alarm, NULL, 1); -static SENSOR_DEVICE_ATTR(temp3_fault, S_IRUGO, show_alarm, NULL, 2); -static SENSOR_DEVICE_ATTR(temp4_fault, S_IRUGO, show_alarm, NULL, 3); -static SENSOR_DEVICE_ATTR(temp5_fault, S_IRUGO, show_alarm, NULL, 4); -static SENSOR_DEVICE_ATTR(temp6_fault, S_IRUGO, show_alarm, NULL, 5); -static SENSOR_DEVICE_ATTR(temp7_fault, S_IRUGO, show_alarm, NULL, 6); -static SENSOR_DEVICE_ATTR(temp8_fault, S_IRUGO, show_alarm, NULL, 7); +static SENSOR_DEVICE_ATTR_RO(temp2_fault, alarm, 1); +static SENSOR_DEVICE_ATTR_RO(temp3_fault, alarm, 2); +static SENSOR_DEVICE_ATTR_RO(temp4_fault, alarm, 3); +static SENSOR_DEVICE_ATTR_RO(temp5_fault, alarm, 4); +static SENSOR_DEVICE_ATTR_RO(temp6_fault, alarm, 5); +static SENSOR_DEVICE_ATTR_RO(temp7_fault, alarm, 6); +static SENSOR_DEVICE_ATTR_RO(temp8_fault, alarm, 7); static DEVICE_ATTR(dummy, 0, NULL, NULL); From cb9e33d36836000d9a79d3b0121beee91c3323b9 Mon Sep 17 00:00:00 2001 From: Guenter Roeck Date: Sat, 13 Jul 2024 12:03:53 -0700 Subject: [PATCH 011/173] hwmon: (max6697) Fix swapped temp{1,8} critical alarms [ Upstream commit 1ea3fd1eb9869fcdcbc9c68f9728bfc47b9503f1 ] The critical alarm bit for the local temperature sensor (temp1) is in bit 7 of register 0x45 (not bit 6), and the critical alarm bit for remote temperature sensor 7 (temp8) is in bit 6 (not bit 7). This only affects MAX6581 since all other chips supported by this driver do not support those critical alarms. Fixes: 5372d2d71c46 ("hwmon: Driver for Maxim MAX6697 and compatibles") Reviewed-by: Tzung-Bi Shih Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin (cherry picked from commit 6b52603ed8bdcceb9b8c16d2db7abd19e024fbe2) Signed-off-by: Vegard Nossum --- drivers/hwmon/max6697.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/hwmon/max6697.c b/drivers/hwmon/max6697.c index 2103ba45de74..14c34a2d36af 100644 --- a/drivers/hwmon/max6697.c +++ b/drivers/hwmon/max6697.c @@ -368,14 +368,14 @@ static SENSOR_DEVICE_ATTR_RO(temp6_max_alarm, alarm, 20); static SENSOR_DEVICE_ATTR_RO(temp7_max_alarm, alarm, 21); static SENSOR_DEVICE_ATTR_RO(temp8_max_alarm, alarm, 23); -static SENSOR_DEVICE_ATTR_RO(temp1_crit_alarm, alarm, 14); +static SENSOR_DEVICE_ATTR_RO(temp1_crit_alarm, alarm, 15); static SENSOR_DEVICE_ATTR_RO(temp2_crit_alarm, alarm, 8); static SENSOR_DEVICE_ATTR_RO(temp3_crit_alarm, alarm, 9); static SENSOR_DEVICE_ATTR_RO(temp4_crit_alarm, alarm, 10); static SENSOR_DEVICE_ATTR_RO(temp5_crit_alarm, alarm, 11); static SENSOR_DEVICE_ATTR_RO(temp6_crit_alarm, alarm, 12); static SENSOR_DEVICE_ATTR_RO(temp7_crit_alarm, alarm, 13); -static SENSOR_DEVICE_ATTR_RO(temp8_crit_alarm, alarm, 15); +static SENSOR_DEVICE_ATTR_RO(temp8_crit_alarm, alarm, 14); static SENSOR_DEVICE_ATTR_RO(temp2_fault, alarm, 1); static SENSOR_DEVICE_ATTR_RO(temp3_fault, alarm, 2); From c731a44f2487b720039473b6255fba3ad26d7753 Mon Sep 17 00:00:00 2001 From: Jonas Karlman Date: Sat, 15 Jun 2024 17:03:52 +0000 Subject: [PATCH 012/173] arm64: dts: rockchip: Increase VOP clk rate on RK3328 [ Upstream commit 0f2ddb128fa20f8441d903285632f2c69e90fae1 ] The VOP on RK3328 needs to run at a higher rate in order to produce a proper 3840x2160 signal. Change to use 300MHz for VIO clk and 400MHz for VOP clk, same rates used by vendor 4.4 kernel. Fixes: 52e02d377a72 ("arm64: dts: rockchip: add core dtsi file for RK3328 SoCs") Signed-off-by: Jonas Karlman Link: https://lore.kernel.org/r/20240615170417.3134517-2-jonas@kwiboo.se Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin (cherry picked from commit 513fff3e8574d3c5b54ef71b6514cda12123879e) Signed-off-by: Vegard Nossum --- arch/arm64/boot/dts/rockchip/rk3328.dtsi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/arm64/boot/dts/rockchip/rk3328.dtsi b/arch/arm64/boot/dts/rockchip/rk3328.dtsi index a3fb072f20ba..d3ce9e0010a3 100644 --- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi +++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi @@ -626,8 +626,8 @@ <0>, <24000000>, <24000000>, <24000000>, <15000000>, <15000000>, - <100000000>, <100000000>, - <100000000>, <100000000>, + <300000000>, <100000000>, + <400000000>, <100000000>, <50000000>, <100000000>, <100000000>, <100000000>, <50000000>, <50000000>, From 266d74e904f119b2251094862e9f7d56c3fb74fe Mon Sep 17 00:00:00 2001 From: Eero Tamminen Date: Mon, 24 Jun 2024 17:49:01 +0300 Subject: [PATCH 013/173] m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit f70065a9fd988983b2c693631b801f25a615fc04 ] Avoid freeze on Atari TT / MegaSTe boot with continuous messages of: unexpected interrupt from 112 Which was due to VBL interrupt being enabled in SCU sys mask, but there being no handler for that any more. (Bug and fix were first verified on real Atari TT HW by Christian, this patch later on in Hatari emulator.) Fixes: 1fa0b29f3a43f9dd ("fbdev: Kill Atari vblank cursor blinking") Reported-by: Nicolas Pomarède Closes: https://listengine.tuxfamily.org/lists.tuxfamily.org/hatari-devel/2024/06/msg00016.html Closes: https://lore.kernel.org/all/9aa793d7-82ed-4fbd-bce5-60810d8a9119@helsinkinet.fi Tested-by: Christian Zietz Signed-off-by: Eero Tamminen Reviewed-by: Michael Schmitz Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/20240624144901.5236-1-oak@helsinkinet.fi Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin (cherry picked from commit b6c2b179b6908e439b2385c25d7b3477e4be4dce) Signed-off-by: Vegard Nossum --- arch/m68k/atari/ataints.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/arch/m68k/atari/ataints.c b/arch/m68k/atari/ataints.c index 56f02ea2c248..715d1e0d973e 100644 --- a/arch/m68k/atari/ataints.c +++ b/arch/m68k/atari/ataints.c @@ -302,11 +302,7 @@ void __init atari_init_IRQ(void) if (ATARIHW_PRESENT(SCU)) { /* init the SCU if present */ - tt_scu.sys_mask = 0x10; /* enable VBL (for the cursor) and - * disable HSYNC interrupts (who - * needs them?) MFP and SCC are - * enabled in VME mask - */ + tt_scu.sys_mask = 0x0; /* disable all interrupts */ tt_scu.vme_mask = 0x60; /* enable MFP and SCC ints */ } else { /* If no SCU and no Hades, the HSYNC interrupt needs to be From 0d26a6a5f0bb7e82bfebf44b060294eec5a72b73 Mon Sep 17 00:00:00 2001 From: Chen Ni Date: Tue, 2 Jul 2024 11:10:10 +0800 Subject: [PATCH 014/173] x86/xen: Convert comma to semicolon [ Upstream commit 349d271416c61f82b853336509b1d0dc04c1fcbb ] Replace a comma between expression statements by a semicolon. Fixes: 8310b77b48c5 ("Xen/gnttab: handle p2m update errors on a per-slot basis") Signed-off-by: Chen Ni Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20240702031010.1411875-1-nichen@iscas.ac.cn Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin (cherry picked from commit cb9ad82cf270ce5bdcf5e768af48966833cc3caa) Signed-off-by: Vegard Nossum --- arch/x86/xen/p2m.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c index 0d83f25ac8ac..9043d200b97f 100644 --- a/arch/x86/xen/p2m.c +++ b/arch/x86/xen/p2m.c @@ -733,7 +733,7 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops, * immediate unmapping. */ map_ops[i].status = GNTST_general_error; - unmap[0].host_addr = map_ops[i].host_addr, + unmap[0].host_addr = map_ops[i].host_addr; unmap[0].handle = map_ops[i].handle; map_ops[i].handle = ~0; if (map_ops[i].flags & GNTMAP_device_map) @@ -743,7 +743,7 @@ int set_foreign_p2m_mapping(struct gnttab_map_grant_ref *map_ops, if (kmap_ops) { kmap_ops[i].status = GNTST_general_error; - unmap[1].host_addr = kmap_ops[i].host_addr, + unmap[1].host_addr = kmap_ops[i].host_addr; unmap[1].handle = kmap_ops[i].handle; kmap_ops[i].handle = ~0; if (kmap_ops[i].flags & GNTMAP_device_map) From 8bc40077dd7c321cc45107a639c176d317892413 Mon Sep 17 00:00:00 2001 From: Thorsten Blum Date: Tue, 2 Jul 2024 05:41:17 +0200 Subject: [PATCH 015/173] m68k: cmpxchg: Fix return value for default case in __arch_xchg() [ Upstream commit 21b9e722ad28c19c2bc83f18f540b3dbd89bf762 ] The return value of __invalid_xchg_size() is assigned to tmp instead of the return variable x. Assign it to x instead. Fixes: 2501cf768e4009a0 ("m68k: Fix xchg/cmpxchg to fail to link if given an inappropriate pointer") Signed-off-by: Thorsten Blum Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/20240702034116.140234-2-thorsten.blum@toblux.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin (cherry picked from commit 8c43fbd39500ce7bdc779a772752cc2b436a692c) Signed-off-by: Vegard Nossum --- arch/m68k/include/asm/cmpxchg.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/m68k/include/asm/cmpxchg.h b/arch/m68k/include/asm/cmpxchg.h index 38e1d7acc44d..1f996713ce87 100644 --- a/arch/m68k/include/asm/cmpxchg.h +++ b/arch/m68k/include/asm/cmpxchg.h @@ -33,7 +33,7 @@ static inline unsigned long __xchg(unsigned long x, volatile void * ptr, int siz x = tmp; break; default: - tmp = __invalid_xchg_size(x, ptr, size); + x = __invalid_xchg_size(x, ptr, size); break; } From 5fa524af8685b00160e9e766bbe196804a007844 Mon Sep 17 00:00:00 2001 From: Samasth Norway Ananda Date: Thu, 9 May 2024 16:10:37 -0700 Subject: [PATCH 016/173] wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device [ Upstream commit c636fa85feb450ca414a10010ed05361a73c93a6 ] The band_idx variable in the function wlc_lcnphy_tx_iqlo_cal() will never be set to 1 as BCM4313 is the only device for which the LCN PHY code is used. This is a 2G-only device. Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers") Signed-off-by: Samasth Norway Ananda Acked-by: Arend van Spriel Signed-off-by: Kalle Valo Link: https://msgid.link/20240509231037.2014109-1-samasth.norway.ananda@oracle.com Signed-off-by: Sasha Levin (cherry picked from commit f33757e8db8f33aba783b88120245ec53e5fa88a) [Harshit: Resolved minor conflicts due to missing PM commit: 6da2ec56059c ("treewide: kmalloc() -> kmalloc_array()") in 4.14.y] Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- .../broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c index c9f48ec46f4a..7086a47d91a5 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c @@ -2638,7 +2638,6 @@ wlc_lcnphy_tx_iqlo_cal(struct brcms_phy *pi, struct lcnphy_txgains cal_gains, temp_gains; u16 hash; - u8 band_idx; int j; u16 ncorr_override[5]; u16 syst_coeffs[] = { 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, @@ -2670,6 +2669,9 @@ wlc_lcnphy_tx_iqlo_cal(struct brcms_phy *pi, u16 *values_to_save; struct brcms_phy_lcnphy *pi_lcn = pi->u.pi_lcnphy; + if (WARN_ON(CHSPEC_IS5G(pi->radio_chanspec))) + return; + values_to_save = kmalloc(sizeof(u16) * 20, GFP_ATOMIC); if (NULL == values_to_save) return; @@ -2733,20 +2735,18 @@ wlc_lcnphy_tx_iqlo_cal(struct brcms_phy *pi, hash = (target_gains->gm_gain << 8) | (target_gains->pga_gain << 4) | (target_gains->pad_gain); - band_idx = (CHSPEC_IS5G(pi->radio_chanspec) ? 1 : 0); - cal_gains = *target_gains; memset(ncorr_override, 0, sizeof(ncorr_override)); - for (j = 0; j < iqcal_gainparams_numgains_lcnphy[band_idx]; j++) { - if (hash == tbl_iqcal_gainparams_lcnphy[band_idx][j][0]) { + for (j = 0; j < iqcal_gainparams_numgains_lcnphy[0]; j++) { + if (hash == tbl_iqcal_gainparams_lcnphy[0][j][0]) { cal_gains.gm_gain = - tbl_iqcal_gainparams_lcnphy[band_idx][j][1]; + tbl_iqcal_gainparams_lcnphy[0][j][1]; cal_gains.pga_gain = - tbl_iqcal_gainparams_lcnphy[band_idx][j][2]; + tbl_iqcal_gainparams_lcnphy[0][j][2]; cal_gains.pad_gain = - tbl_iqcal_gainparams_lcnphy[band_idx][j][3]; + tbl_iqcal_gainparams_lcnphy[0][j][3]; memcpy(ncorr_override, - &tbl_iqcal_gainparams_lcnphy[band_idx][j][3], + &tbl_iqcal_gainparams_lcnphy[0][j][3], sizeof(ncorr_override)); break; } From 1a85ab4b601786019135c37ec3f11927ba4a561d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cs=C3=B3k=C3=A1s=20Bence?= Date: Mon, 12 Feb 2024 16:37:17 +0100 Subject: [PATCH 017/173] net: fec: Refactor: #define magic constants MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit ff049886671ccd4e624a30ec464cb20e4c39a313 ] Add defines for bits of ECR, RCR control registers, TX watermark etc. Signed-off-by: Csókás Bence Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/20240212153717.10023-1-csokas.bence@prolan.hu Signed-off-by: Jakub Kicinski Stable-dep-of: c32fe1986f27 ("net: fec: Fix FEC_ECR_EN1588 being cleared on link-down") Signed-off-by: Sasha Levin (cherry picked from commit b072c604d58b1cd1079c4e2f0d22b1f469dda347) [Vegard: fix conflict due to missing commit f9891a9eaf20f39d4191c83223dd7fd9f38a5ca7 ("net: fec: set GPR bit on suspend by DT configuration.").] Signed-off-by: Vegard Nossum --- drivers/net/ethernet/freescale/fec_main.c | 46 +++++++++++++++-------- 1 file changed, 30 insertions(+), 16 deletions(-) diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c index 22cec349dead..cdd653750f13 100644 --- a/drivers/net/ethernet/freescale/fec_main.c +++ b/drivers/net/ethernet/freescale/fec_main.c @@ -183,8 +183,8 @@ MODULE_PARM_DESC(macaddr, "FEC Ethernet MAC address"); #define PKT_MINBUF_SIZE 64 /* FEC receive acceleration */ -#define FEC_RACC_IPDIS (1 << 1) -#define FEC_RACC_PRODIS (1 << 2) +#define FEC_RACC_IPDIS BIT(1) +#define FEC_RACC_PRODIS BIT(2) #define FEC_RACC_SHIFT16 BIT(7) #define FEC_RACC_OPTIONS (FEC_RACC_IPDIS | FEC_RACC_PRODIS) @@ -212,8 +212,23 @@ MODULE_PARM_DESC(macaddr, "FEC Ethernet MAC address"); #define FEC_MMFR_TA (2 << 16) #define FEC_MMFR_DATA(v) (v & 0xffff) /* FEC ECR bits definition */ -#define FEC_ECR_MAGICEN (1 << 2) -#define FEC_ECR_SLEEP (1 << 3) +#define FEC_ECR_RESET BIT(0) +#define FEC_ECR_ETHEREN BIT(1) +#define FEC_ECR_MAGICEN BIT(2) +#define FEC_ECR_SLEEP BIT(3) +#define FEC_ECR_EN1588 BIT(4) +#define FEC_ECR_BYTESWP BIT(8) +/* FEC RCR bits definition */ +#define FEC_RCR_LOOP BIT(0) +#define FEC_RCR_HALFDPX BIT(1) +#define FEC_RCR_MII BIT(2) +#define FEC_RCR_PROMISC BIT(3) +#define FEC_RCR_BC_REJ BIT(4) +#define FEC_RCR_FLOWCTL BIT(5) +#define FEC_RCR_RMII BIT(8) +#define FEC_RCR_10BASET BIT(9) +/* TX WMARK bits */ +#define FEC_TXWMRK_STRFWD BIT(8) #define FEC_MII_TIMEOUT 30000 /* us */ @@ -909,7 +924,7 @@ fec_restart(struct net_device *ndev) u32 val; u32 temp_mac[2]; u32 rcntl = OPT_FRAME_SIZE | 0x04; - u32 ecntl = 0x2; /* ETHEREN */ + u32 ecntl = FEC_ECR_ETHEREN; /* Whack a reset. We should wait for this. * For i.MX6SX SOC, enet use AXI bus, we use disable MAC @@ -985,18 +1000,18 @@ fec_restart(struct net_device *ndev) fep->phy_interface == PHY_INTERFACE_MODE_RGMII_TXID) rcntl |= (1 << 6); else if (fep->phy_interface == PHY_INTERFACE_MODE_RMII) - rcntl |= (1 << 8); + rcntl |= FEC_RCR_RMII; else - rcntl &= ~(1 << 8); + rcntl &= ~FEC_RCR_RMII; /* 1G, 100M or 10M */ if (ndev->phydev) { if (ndev->phydev->speed == SPEED_1000) ecntl |= (1 << 5); else if (ndev->phydev->speed == SPEED_100) - rcntl &= ~(1 << 9); + rcntl &= ~FEC_RCR_10BASET; else - rcntl |= (1 << 9); + rcntl |= FEC_RCR_10BASET; } } else { #ifdef FEC_MIIGSK_ENR @@ -1055,13 +1070,13 @@ fec_restart(struct net_device *ndev) if (fep->quirks & FEC_QUIRK_ENET_MAC) { /* enable ENET endian swap */ - ecntl |= (1 << 8); + ecntl |= FEC_ECR_BYTESWP; /* enable ENET store and forward mode */ - writel(1 << 8, fep->hwp + FEC_X_WMRK); + writel(FEC_TXWMRK_STRFWD, fep->hwp + FEC_X_WMRK); } if (fep->bufdesc_ex) - ecntl |= (1 << 4); + ecntl |= FEC_ECR_EN1588; #ifndef CONFIG_M5272 /* Enable the MIB statistic event counters */ @@ -1091,7 +1106,7 @@ fec_stop(struct net_device *ndev) { struct fec_enet_private *fep = netdev_priv(ndev); struct fec_platform_data *pdata = fep->pdev->dev.platform_data; - u32 rmii_mode = readl(fep->hwp + FEC_R_CNTRL) & (1 << 8); + u32 rmii_mode = readl(fep->hwp + FEC_R_CNTRL) & FEC_RCR_RMII; u32 val; /* We cannot expect a graceful transmit stop without link !!! */ @@ -1110,7 +1125,7 @@ fec_stop(struct net_device *ndev) if (fep->quirks & FEC_QUIRK_HAS_AVB) { writel(0, fep->hwp + FEC_ECNTRL); } else { - writel(1, fep->hwp + FEC_ECNTRL); + writel(FEC_ECR_RESET, fep->hwp + FEC_ECNTRL); udelay(10); } writel(FEC_DEFAULT_IMASK, fep->hwp + FEC_IMASK); @@ -1128,12 +1143,11 @@ fec_stop(struct net_device *ndev) /* We have to keep ENET enabled to have MII interrupt stay working */ if (fep->quirks & FEC_QUIRK_ENET_MAC && !(fep->wol_flag & FEC_WOL_FLAG_SLEEP_ON)) { - writel(2, fep->hwp + FEC_ECNTRL); + writel(FEC_ECR_ETHEREN, fep->hwp + FEC_ECNTRL); writel(rmii_mode, fep->hwp + FEC_R_CNTRL); } } - static void fec_timeout(struct net_device *ndev) { From c3996b8fae20c268b6c49e70ea078bceb96d0c27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cs=C3=B3k=C3=A1s=2C=20Bence?= Date: Wed, 19 Jun 2024 14:31:11 +0200 Subject: [PATCH 018/173] net: fec: Fix FEC_ECR_EN1588 being cleared on link-down MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit c32fe1986f27cac329767d3497986e306cad1d5e ] FEC_ECR_EN1588 bit gets cleared after MAC reset in `fec_stop()`, which makes all 1588 functionality shut down, and all the extended registers disappear, on link-down, making the adapter fall back to compatibility "dumb mode". However, some functionality needs to be retained (e.g. PPS) even without link. Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock") Cc: Richard Cochran Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/netdev/5fa9fadc-a89d-467a-aae9-c65469ff5fe1@lunn.ch/ Signed-off-by: Csókás, Bence Reviewed-by: Wei Fang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 18074367ad100e129d0dccdaa64af6642363680b) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/freescale/fec_main.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c index cdd653750f13..272498401dbb 100644 --- a/drivers/net/ethernet/freescale/fec_main.c +++ b/drivers/net/ethernet/freescale/fec_main.c @@ -1146,6 +1146,12 @@ fec_stop(struct net_device *ndev) writel(FEC_ECR_ETHEREN, fep->hwp + FEC_ECNTRL); writel(rmii_mode, fep->hwp + FEC_R_CNTRL); } + + if (fep->bufdesc_ex) { + val = readl(fep->hwp + FEC_ECNTRL); + val |= FEC_ECR_EN1588; + writel(val, fep->hwp + FEC_ECNTRL); + } } static void From 2a3559125bd5fc024c30b1655b626abc0c2fa3eb Mon Sep 17 00:00:00 2001 From: Ismael Luceno Date: Thu, 23 May 2024 18:54:44 +0200 Subject: [PATCH 019/173] ipvs: Avoid unnecessary calls to skb_is_gso_sctp [ Upstream commit 53796b03295cf7ab1fc8600016fa6dfbf4a494a0 ] In the context of the SCTP SNAT/DNAT handler, these calls can only return true. Fixes: e10d3ba4d434 ("ipvs: Fix checksumming on GSO of SCTP packets") Signed-off-by: Ismael Luceno Acked-by: Julian Anastasov Acked-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin (cherry picked from commit 9340804ea465de0509a9afaeaaccf3fb74b14f9b) Signed-off-by: Vegard Nossum --- net/netfilter/ipvs/ip_vs_proto_sctp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c index aaf04e47e06a..9f1a1fb0e98d 100644 --- a/net/netfilter/ipvs/ip_vs_proto_sctp.c +++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c @@ -123,7 +123,7 @@ sctp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, if (sctph->source != cp->vport || payload_csum || skb->ip_summed == CHECKSUM_PARTIAL) { sctph->source = cp->vport; - if (!skb_is_gso(skb) || !skb_is_gso_sctp(skb)) + if (!skb_is_gso(skb)) sctp_nat_csum(skb, sctph, sctphoff); } else { skb->ip_summed = CHECKSUM_UNNECESSARY; @@ -172,7 +172,7 @@ sctp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp, (skb->ip_summed == CHECKSUM_PARTIAL && !(skb_dst(skb)->dev->features & NETIF_F_SCTP_CRC))) { sctph->dest = cp->dport; - if (!skb_is_gso(skb) || !skb_is_gso_sctp(skb)) + if (!skb_is_gso(skb)) sctp_nat_csum(skb, sctph, sctphoff); } else if (skb->ip_summed != CHECKSUM_PARTIAL) { skb->ip_summed = CHECKSUM_UNNECESSARY; From 6f7bc617b3b66436641dba5329718933aea4b889 Mon Sep 17 00:00:00 2001 From: Adrian Hunter Date: Mon, 24 Jun 2024 23:10:58 +0300 Subject: [PATCH 020/173] perf: Fix perf_aux_size() for greater-than 32-bit size [ Upstream commit 3df94a5b1078dfe2b0c03f027d018800faf44c82 ] perf_buffer->aux_nr_pages uses a 32-bit type, so a cast is needed to calculate a 64-bit size. Fixes: 45bfb2e50471 ("perf: Add AUX area to ring buffer for raw data streams") Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20240624201101.60186-5-adrian.hunter@intel.com Signed-off-by: Sasha Levin (cherry picked from commit 542abbf58e88f34dfc659b63476a5976acf52c0e) Signed-off-by: Vegard Nossum --- kernel/events/internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/events/internal.h b/kernel/events/internal.h index 41317d04eeae..bb1c0eeca4d6 100644 --- a/kernel/events/internal.h +++ b/kernel/events/internal.h @@ -121,7 +121,7 @@ static inline unsigned long perf_data_size(struct ring_buffer *rb) static inline unsigned long perf_aux_size(struct ring_buffer *rb) { - return rb->aux_nr_pages << PAGE_SHIFT; + return (unsigned long)rb->aux_nr_pages << PAGE_SHIFT; } #define __DEFINE_OUTPUT_COPY_BODY(advance_buf, memcpy_func, ...) \ From 26864f03cc21aaa1b9f2dbed5c8ad7bf676f2df4 Mon Sep 17 00:00:00 2001 From: Adrian Hunter Date: Mon, 24 Jun 2024 23:10:59 +0300 Subject: [PATCH 021/173] perf: Prevent passing zero nr_pages to rb_alloc_aux() [ Upstream commit dbc48c8f41c208082cfa95e973560134489e3309 ] nr_pages is unsigned long but gets passed to rb_alloc_aux() as an int, and is stored as an int. Only power-of-2 values are accepted, so if nr_pages is a 64_bit value, it will be passed to rb_alloc_aux() as zero. That is not ideal because: 1. the value is incorrect 2. rb_alloc_aux() is at risk of misbehaving, although it manages to return -ENOMEM in that case, it is a result of passing zero to get_order() even though the get_order() result is documented to be undefined in that case. Fix by simply validating the maximum supported value in the first place. Use -ENOMEM error code for consistency with the current error code that is returned in that case. Fixes: 45bfb2e50471 ("perf: Add AUX area to ring buffer for raw data streams") Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20240624201101.60186-6-adrian.hunter@intel.com Signed-off-by: Sasha Levin (cherry picked from commit d7b1a76f33e6fc93924725b4410126740c890c44) Signed-off-by: Vegard Nossum --- kernel/events/core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/events/core.c b/kernel/events/core.c index 10ae3622e8ca..0b38fb89814b 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c @@ -5393,6 +5393,8 @@ static int perf_mmap(struct file *file, struct vm_area_struct *vma) return -EINVAL; nr_pages = vma_size / PAGE_SIZE; + if (nr_pages > INT_MAX) + return -ENOMEM; mutex_lock(&event->mmap_mutex); ret = -EINVAL; From be35c98c5aa383407f62428c4169a79d5c243c26 Mon Sep 17 00:00:00 2001 From: Alexey Kodanev Date: Mon, 8 Jul 2024 10:50:08 +0000 Subject: [PATCH 022/173] bna: adjust 'name' buf size of bna_tcb and bna_ccb structures [ Upstream commit c9741a03dc8e491e57b95fba0058ab46b7e506da ] To have enough space to write all possible sprintf() args. Currently 'name' size is 16, but the first '%s' specifier may already need at least 16 characters, since 'bnad->netdev->name' is used there. For '%d' specifiers, assume that they require: * 1 char for 'tx_id + tx_info->tcb[i]->id' sum, BNAD_MAX_TXQ_PER_TX is 8 * 2 chars for 'rx_id + rx_info->rx_ctrl[i].ccb->id', BNAD_MAX_RXP_PER_RX is 16 And replace sprintf with snprintf. Detected using the static analysis tool - Svace. Fixes: 8b230ed8ec96 ("bna: Brocade 10Gb Ethernet device driver") Signed-off-by: Alexey Kodanev Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit f121740f69eda4da2de9a20a6687a13593e72540) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/brocade/bna/bna_types.h | 2 +- drivers/net/ethernet/brocade/bna/bnad.c | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/net/ethernet/brocade/bna/bna_types.h b/drivers/net/ethernet/brocade/bna/bna_types.h index c438d032e8bf..1af883c849ad 100644 --- a/drivers/net/ethernet/brocade/bna/bna_types.h +++ b/drivers/net/ethernet/brocade/bna/bna_types.h @@ -418,7 +418,7 @@ struct bna_ib { /* Tx object */ /* Tx datapath control structure */ -#define BNA_Q_NAME_SIZE 16 +#define BNA_Q_NAME_SIZE (IFNAMSIZ + 6) struct bna_tcb { /* Fast path */ void **sw_qpt; diff --git a/drivers/net/ethernet/brocade/bna/bnad.c b/drivers/net/ethernet/brocade/bna/bnad.c index 38a77a5d9a44..dc59733ea03d 100644 --- a/drivers/net/ethernet/brocade/bna/bnad.c +++ b/drivers/net/ethernet/brocade/bna/bnad.c @@ -1543,8 +1543,9 @@ bnad_tx_msix_register(struct bnad *bnad, struct bnad_tx_info *tx_info, for (i = 0; i < num_txqs; i++) { vector_num = tx_info->tcb[i]->intr_vector; - sprintf(tx_info->tcb[i]->name, "%s TXQ %d", bnad->netdev->name, - tx_id + tx_info->tcb[i]->id); + snprintf(tx_info->tcb[i]->name, BNA_Q_NAME_SIZE, "%s TXQ %d", + bnad->netdev->name, + tx_id + tx_info->tcb[i]->id); err = request_irq(bnad->msix_table[vector_num].vector, (irq_handler_t)bnad_msix_tx, 0, tx_info->tcb[i]->name, @@ -1594,9 +1595,9 @@ bnad_rx_msix_register(struct bnad *bnad, struct bnad_rx_info *rx_info, for (i = 0; i < num_rxps; i++) { vector_num = rx_info->rx_ctrl[i].ccb->intr_vector; - sprintf(rx_info->rx_ctrl[i].ccb->name, "%s CQ %d", - bnad->netdev->name, - rx_id + rx_info->rx_ctrl[i].ccb->id); + snprintf(rx_info->rx_ctrl[i].ccb->name, BNA_Q_NAME_SIZE, + "%s CQ %d", bnad->netdev->name, + rx_id + rx_info->rx_ctrl[i].ccb->id); err = request_irq(bnad->msix_table[vector_num].vector, (irq_handler_t)bnad_msix_rx, 0, rx_info->rx_ctrl[i].ccb->name, From ce58b8f17bfc9cfad7fafb57ebb626850d4802ba Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Date: Mon, 6 May 2024 21:10:27 +0000 Subject: [PATCH 023/173] media: imon: Fix race getting ictx->lock [ Upstream commit 24147897507cd3a7d63745d1518a638bf4132238 ] Lets fix a race between mutex_is_lock() and mutex_lock(). <-mutex is not locked if (!mutex_is_locked(&ictx->lock)) { unlock = true; <- mutex is locked externaly mutex_lock(&ictx->lock); } Let's use mutex_trylock() that does mutex_is_lock() and mutex_lock() atomically. Fix the following cocci warning: drivers/media/rc/imon.c:1167:1-7: preceding lock on line 1153 Fixes: 23ef710e1a6c ("[media] imon: add conditional locking in change_protocol") Signed-off-by: Ricardo Ribalda Signed-off-by: Sean Young Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit 01b44d9e50a68ac3c645cc98a474455668dc8e70) Signed-off-by: Vegard Nossum --- drivers/media/rc/imon.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c index 50951c31ff5b..875e00e4a8a0 100644 --- a/drivers/media/rc/imon.c +++ b/drivers/media/rc/imon.c @@ -1150,10 +1150,7 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto) memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet)); - if (!mutex_is_locked(&ictx->lock)) { - unlock = true; - mutex_lock(&ictx->lock); - } + unlock = mutex_trylock(&ictx->lock); retval = send_packet(ictx); if (retval) From e0b07e242c61e819acf0143bb2c23d4859b135db Mon Sep 17 00:00:00 2001 From: Aleksandr Burakov Date: Fri, 16 Feb 2024 15:40:06 +0300 Subject: [PATCH 024/173] saa7134: Unchecked i2c_transfer function result fixed [ Upstream commit 9d8683b3fd93f0e378f24dc3d9604e5d7d3e0a17 ] Return value of function 'i2c_transfer' is not checked that may cause undefined behaviour. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 2cf36ac44730 ("[PATCH] v4l: 656: added support for the following cards") Signed-off-by: Aleksandr Burakov Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin (cherry picked from commit 001583ad640c70987efd5af70566a69f146dc99c) Signed-off-by: Vegard Nossum --- drivers/media/pci/saa7134/saa7134-dvb.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/media/pci/saa7134/saa7134-dvb.c b/drivers/media/pci/saa7134/saa7134-dvb.c index 731dee0a66e7..b41d747d42ba 100644 --- a/drivers/media/pci/saa7134/saa7134-dvb.c +++ b/drivers/media/pci/saa7134/saa7134-dvb.c @@ -475,7 +475,9 @@ static int philips_europa_tuner_sleep(struct dvb_frontend *fe) /* switch the board to analog mode */ if (fe->ops.i2c_gate_ctrl) fe->ops.i2c_gate_ctrl(fe, 1); - i2c_transfer(&dev->i2c_adap, &analog_msg, 1); + if (i2c_transfer(&dev->i2c_adap, &analog_msg, 1) != 1) + return -EIO; + return 0; } @@ -1027,7 +1029,9 @@ static int md8800_set_voltage2(struct dvb_frontend *fe, else wbuf[1] = rbuf & 0xef; msg[0].len = 2; - i2c_transfer(&dev->i2c_adap, msg, 1); + if (i2c_transfer(&dev->i2c_adap, msg, 1) != 1) + return -EIO; + return 0; } From 0ae6e736f858e4c42ecf27fd1e8ecae18988ad81 Mon Sep 17 00:00:00 2001 From: Laurent Pinchart Date: Thu, 22 Feb 2018 17:22:43 -0500 Subject: [PATCH 025/173] media: v4l: vsp1: Store pipeline pointer in vsp1_entity Various types of objects subclassing vsp1_entity currently store a pointer to the pipeline. Move the pointer to vsp1_entity to simplify the code and avoid storing the pipeline in more entity subclasses later. Signed-off-by: Laurent Pinchart Reviewed-by: Kieran Bingham Signed-off-by: Mauro Carvalho Chehab (cherry picked from commit 1ccbb32cb8b4b0445d4281a37752e54e0fcade4c) Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- drivers/media/platform/vsp1/vsp1_drm.c | 22 ++++++++++----- drivers/media/platform/vsp1/vsp1_drv.c | 2 +- drivers/media/platform/vsp1/vsp1_entity.h | 2 ++ drivers/media/platform/vsp1/vsp1_histo.c | 2 +- drivers/media/platform/vsp1/vsp1_histo.h | 3 --- drivers/media/platform/vsp1/vsp1_pipe.c | 33 +++++++---------------- drivers/media/platform/vsp1/vsp1_rwpf.h | 2 -- drivers/media/platform/vsp1/vsp1_video.c | 17 +++++------- 8 files changed, 35 insertions(+), 48 deletions(-) diff --git a/drivers/media/platform/vsp1/vsp1_drm.c b/drivers/media/platform/vsp1/vsp1_drm.c index d3cd57f6ba52..037b694f469f 100644 --- a/drivers/media/platform/vsp1/vsp1_drm.c +++ b/drivers/media/platform/vsp1/vsp1_drm.c @@ -119,6 +119,7 @@ int vsp1_du_setup_lif(struct device *dev, unsigned int pipe_index, * inputs. */ WARN_ON(list_empty(&rpf->entity.list_pipe)); + rpf->entity.pipe = NULL; list_del_init(&rpf->entity.list_pipe); pipe->inputs[i] = NULL; @@ -535,8 +536,10 @@ void vsp1_du_atomic_flush(struct device *dev, unsigned int pipe_index) continue; } - if (list_empty(&rpf->entity.list_pipe)) + if (list_empty(&rpf->entity.list_pipe)) { + rpf->entity.pipe = pipe; list_add_tail(&rpf->entity.list_pipe, &pipe->entities); + } bru->inputs[i].rpf = rpf; rpf->bru_input = i; @@ -561,6 +564,7 @@ void vsp1_du_atomic_flush(struct device *dev, unsigned int pipe_index) vsp1_dl_list_write(dl, entity->route->reg, VI6_DPR_NODE_UNUSED); + entity->pipe = NULL; list_del_init(&entity->list_pipe); continue; @@ -633,24 +637,28 @@ int vsp1_drm_init(struct vsp1_device *vsp1) vsp1_pipeline_init(pipe); + pipe->frame_end = vsp1_du_pipeline_frame_end; + /* * The DRM pipeline is static, add entities manually. The first * pipeline uses the BRU and the second pipeline the BRS. */ pipe->bru = i == 0 ? &vsp1->bru->entity : &vsp1->brs->entity; - pipe->lif = &vsp1->lif[i]->entity; pipe->output = vsp1->wpf[i]; - pipe->output->pipe = pipe; - pipe->frame_end = vsp1_du_pipeline_frame_end; + pipe->lif = &vsp1->lif[i]->entity; + pipe->bru->pipe = pipe; pipe->bru->sink = &pipe->output->entity; pipe->bru->sink_pad = 0; + list_add_tail(&pipe->bru->list_pipe, &pipe->entities); + + pipe->output->entity.pipe = pipe; pipe->output->entity.sink = pipe->lif; pipe->output->entity.sink_pad = 0; - - list_add_tail(&pipe->bru->list_pipe, &pipe->entities); - list_add_tail(&pipe->lif->list_pipe, &pipe->entities); list_add_tail(&pipe->output->entity.list_pipe, &pipe->entities); + + pipe->lif->pipe = pipe; + list_add_tail(&pipe->lif->list_pipe, &pipe->entities); } /* Disable all RPFs initially. */ diff --git a/drivers/media/platform/vsp1/vsp1_drv.c b/drivers/media/platform/vsp1/vsp1_drv.c index 1b0c236e70fd..bd46d3203fbd 100644 --- a/drivers/media/platform/vsp1/vsp1_drv.c +++ b/drivers/media/platform/vsp1/vsp1_drv.c @@ -63,7 +63,7 @@ static irqreturn_t vsp1_irq_handler(int irq, void *data) vsp1_write(vsp1, VI6_WPF_IRQ_STA(i), ~status & mask); if (status & VI6_WFP_IRQ_STA_DFE) { - vsp1_pipeline_frame_end(wpf->pipe); + vsp1_pipeline_frame_end(wpf->entity.pipe); ret = IRQ_HANDLED; } } diff --git a/drivers/media/platform/vsp1/vsp1_entity.h b/drivers/media/platform/vsp1/vsp1_entity.h index 408602ebeb97..c26523c56c05 100644 --- a/drivers/media/platform/vsp1/vsp1_entity.h +++ b/drivers/media/platform/vsp1/vsp1_entity.h @@ -106,6 +106,8 @@ struct vsp1_entity { unsigned int index; const struct vsp1_route *route; + struct vsp1_pipeline *pipe; + struct list_head list_dev; struct list_head list_pipe; diff --git a/drivers/media/platform/vsp1/vsp1_histo.c b/drivers/media/platform/vsp1/vsp1_histo.c index afab77cf4fa5..8638ebc514b4 100644 --- a/drivers/media/platform/vsp1/vsp1_histo.c +++ b/drivers/media/platform/vsp1/vsp1_histo.c @@ -61,7 +61,7 @@ void vsp1_histogram_buffer_complete(struct vsp1_histogram *histo, struct vsp1_histogram_buffer *buf, size_t size) { - struct vsp1_pipeline *pipe = histo->pipe; + struct vsp1_pipeline *pipe = histo->entity.pipe; unsigned long flags; /* diff --git a/drivers/media/platform/vsp1/vsp1_histo.h b/drivers/media/platform/vsp1/vsp1_histo.h index af2874f6031d..e774adbf251f 100644 --- a/drivers/media/platform/vsp1/vsp1_histo.h +++ b/drivers/media/platform/vsp1/vsp1_histo.h @@ -25,7 +25,6 @@ #include "vsp1_entity.h" struct vsp1_device; -struct vsp1_pipeline; #define HISTO_PAD_SINK 0 #define HISTO_PAD_SOURCE 1 @@ -37,8 +36,6 @@ struct vsp1_histogram_buffer { }; struct vsp1_histogram { - struct vsp1_pipeline *pipe; - struct vsp1_entity entity; struct video_device video; struct media_pad pad; diff --git a/drivers/media/platform/vsp1/vsp1_pipe.c b/drivers/media/platform/vsp1/vsp1_pipe.c index 44944ac86d9b..99ccbac3256a 100644 --- a/drivers/media/platform/vsp1/vsp1_pipe.c +++ b/drivers/media/platform/vsp1/vsp1_pipe.c @@ -185,6 +185,7 @@ const struct vsp1_format_info *vsp1_get_format_info(struct vsp1_device *vsp1, void vsp1_pipeline_reset(struct vsp1_pipeline *pipe) { + struct vsp1_entity *entity; unsigned int i; if (pipe->bru) { @@ -194,29 +195,13 @@ void vsp1_pipeline_reset(struct vsp1_pipeline *pipe) bru->inputs[i].rpf = NULL; } - for (i = 0; i < ARRAY_SIZE(pipe->inputs); ++i) { - if (pipe->inputs[i]) { - pipe->inputs[i]->pipe = NULL; - pipe->inputs[i] = NULL; - } - } + for (i = 0; i < ARRAY_SIZE(pipe->inputs); ++i) + pipe->inputs[i] = NULL; - if (pipe->output) { - pipe->output->pipe = NULL; - pipe->output = NULL; - } + pipe->output = NULL; - if (pipe->hgo) { - struct vsp1_hgo *hgo = to_hgo(&pipe->hgo->subdev); - - hgo->histo.pipe = NULL; - } - - if (pipe->hgt) { - struct vsp1_hgt *hgt = to_hgt(&pipe->hgt->subdev); - - hgt->histo.pipe = NULL; - } + list_for_each_entry(entity, &pipe->entities, list_pipe) + entity->pipe = NULL; INIT_LIST_HEAD(&pipe->entities); pipe->state = VSP1_PIPELINE_STOPPED; @@ -423,7 +408,7 @@ void vsp1_pipelines_suspend(struct vsp1_device *vsp1) if (wpf == NULL) continue; - pipe = wpf->pipe; + pipe = wpf->entity.pipe; if (pipe == NULL) continue; @@ -440,7 +425,7 @@ void vsp1_pipelines_suspend(struct vsp1_device *vsp1) if (wpf == NULL) continue; - pipe = wpf->pipe; + pipe = wpf->entity.pipe; if (pipe == NULL) continue; @@ -465,7 +450,7 @@ void vsp1_pipelines_resume(struct vsp1_device *vsp1) if (wpf == NULL) continue; - pipe = wpf->pipe; + pipe = wpf->entity.pipe; if (pipe == NULL) continue; diff --git a/drivers/media/platform/vsp1/vsp1_rwpf.h b/drivers/media/platform/vsp1/vsp1_rwpf.h index 58215a7ab631..c94ac89abfa7 100644 --- a/drivers/media/platform/vsp1/vsp1_rwpf.h +++ b/drivers/media/platform/vsp1/vsp1_rwpf.h @@ -27,7 +27,6 @@ struct v4l2_ctrl; struct vsp1_dl_manager; -struct vsp1_pipeline; struct vsp1_rwpf; struct vsp1_video; @@ -39,7 +38,6 @@ struct vsp1_rwpf { struct vsp1_entity entity; struct v4l2_ctrl_handler ctrls; - struct vsp1_pipeline *pipe; struct vsp1_video *video; unsigned int max_width; diff --git a/drivers/media/platform/vsp1/vsp1_video.c b/drivers/media/platform/vsp1/vsp1_video.c index 93f69b3ac911..e88be9cd2a0f 100644 --- a/drivers/media/platform/vsp1/vsp1_video.c +++ b/drivers/media/platform/vsp1/vsp1_video.c @@ -324,7 +324,7 @@ static int vsp1_video_pipeline_setup_partitions(struct vsp1_pipeline *pipe) static struct vsp1_vb2_buffer * vsp1_video_complete_buffer(struct vsp1_video *video) { - struct vsp1_pipeline *pipe = video->rwpf->pipe; + struct vsp1_pipeline *pipe = video->rwpf->entity.pipe; struct vsp1_vb2_buffer *next = NULL; struct vsp1_vb2_buffer *done; unsigned long flags; @@ -598,20 +598,19 @@ static int vsp1_video_pipeline_build(struct vsp1_pipeline *pipe, subdev = media_entity_to_v4l2_subdev(entity); e = to_vsp1_entity(subdev); list_add_tail(&e->list_pipe, &pipe->entities); + e->pipe = pipe; switch (e->type) { case VSP1_ENTITY_RPF: rwpf = to_rwpf(subdev); pipe->inputs[rwpf->entity.index] = rwpf; rwpf->video->pipe_index = ++pipe->num_inputs; - rwpf->pipe = pipe; break; case VSP1_ENTITY_WPF: rwpf = to_rwpf(subdev); pipe->output = rwpf; rwpf->video->pipe_index = 0; - rwpf->pipe = pipe; break; case VSP1_ENTITY_LIF: @@ -625,12 +624,10 @@ static int vsp1_video_pipeline_build(struct vsp1_pipeline *pipe, case VSP1_ENTITY_HGO: pipe->hgo = e; - to_hgo(subdev)->histo.pipe = pipe; break; case VSP1_ENTITY_HGT: pipe->hgt = e; - to_hgt(subdev)->histo.pipe = pipe; break; default: @@ -682,7 +679,7 @@ static struct vsp1_pipeline *vsp1_video_pipeline_get(struct vsp1_video *video) * Otherwise allocate a new pipeline and initialize it, it will be freed * when the last reference is released. */ - if (!video->rwpf->pipe) { + if (!video->rwpf->entity.pipe) { pipe = kzalloc(sizeof(*pipe), GFP_KERNEL); if (!pipe) return ERR_PTR(-ENOMEM); @@ -694,7 +691,7 @@ static struct vsp1_pipeline *vsp1_video_pipeline_get(struct vsp1_video *video) return ERR_PTR(ret); } } else { - pipe = video->rwpf->pipe; + pipe = video->rwpf->entity.pipe; kref_get(&pipe->kref); } @@ -777,7 +774,7 @@ static void vsp1_video_buffer_queue(struct vb2_buffer *vb) { struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); struct vsp1_video *video = vb2_get_drv_priv(vb->vb2_queue); - struct vsp1_pipeline *pipe = video->rwpf->pipe; + struct vsp1_pipeline *pipe = video->rwpf->entity.pipe; struct vsp1_vb2_buffer *buf = to_vsp1_vb2_buffer(vbuf); unsigned long flags; bool empty; @@ -877,7 +874,7 @@ static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe) static int vsp1_video_start_streaming(struct vb2_queue *vq, unsigned int count) { struct vsp1_video *video = vb2_get_drv_priv(vq); - struct vsp1_pipeline *pipe = video->rwpf->pipe; + struct vsp1_pipeline *pipe = video->rwpf->entity.pipe; bool start_pipeline = false; unsigned long flags; int ret; @@ -919,7 +916,7 @@ static int vsp1_video_start_streaming(struct vb2_queue *vq, unsigned int count) static void vsp1_video_stop_streaming(struct vb2_queue *vq) { struct vsp1_video *video = vb2_get_drv_priv(vq); - struct vsp1_pipeline *pipe = video->rwpf->pipe; + struct vsp1_pipeline *pipe = video->rwpf->entity.pipe; unsigned long flags; int ret; From f0a224ecf4ca80033edee705bd34405dae4ea20a Mon Sep 17 00:00:00 2001 From: Laurent Pinchart Date: Sun, 5 May 2024 20:22:27 +0300 Subject: [PATCH 026/173] media: renesas: vsp1: Fix _irqsave and _irq mix [ Upstream commit 57edbbcf5258c378a9b9d0c80d33b03a010b22c8 ] The histogram support mixes _irqsave and _irq, causing the following smatch warning: drivers/media/platform/renesas/vsp1/vsp1_histo.c:153 histo_stop_streaming() warn: mixing irqsave and irq The histo_stop_streaming() calls spin_lock_irqsave() followed by wait_event_lock_irq(). The former hints that interrupts may be disabled by the caller, while the latter reenables interrupts unconditionally. This doesn't cause any real bug, as the function is always called with interrupts enabled, but the pattern is still incorrect. Fix the problem by using spin_lock_irq() instead of spin_lock_irqsave() in histo_stop_streaming(). While at it, switch to spin_lock_irq() and spin_lock() as appropriate elsewhere. Fixes: 99362e32332b ("[media] v4l: vsp1: Add histogram support") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/linux-renesas-soc/164d74ff-312c-468f-be64-afa7182cd2f4@moroto.mountain/ Reviewed-by: Kieran Bingham Signed-off-by: Laurent Pinchart Signed-off-by: Sasha Levin (cherry picked from commit ab1325f1074da2cfa1259417fb6c93a0886e74c8) Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- drivers/media/platform/vsp1/vsp1_histo.c | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/drivers/media/platform/vsp1/vsp1_histo.c b/drivers/media/platform/vsp1/vsp1_histo.c index 8638ebc514b4..142a55298a44 100644 --- a/drivers/media/platform/vsp1/vsp1_histo.c +++ b/drivers/media/platform/vsp1/vsp1_histo.c @@ -40,9 +40,8 @@ struct vsp1_histogram_buffer * vsp1_histogram_buffer_get(struct vsp1_histogram *histo) { struct vsp1_histogram_buffer *buf = NULL; - unsigned long flags; - spin_lock_irqsave(&histo->irqlock, flags); + spin_lock(&histo->irqlock); if (list_empty(&histo->irqqueue)) goto done; @@ -53,7 +52,7 @@ vsp1_histogram_buffer_get(struct vsp1_histogram *histo) histo->readout = true; done: - spin_unlock_irqrestore(&histo->irqlock, flags); + spin_unlock(&histo->irqlock); return buf; } @@ -62,7 +61,6 @@ void vsp1_histogram_buffer_complete(struct vsp1_histogram *histo, size_t size) { struct vsp1_pipeline *pipe = histo->entity.pipe; - unsigned long flags; /* * The pipeline pointer is guaranteed to be valid as this function is @@ -74,10 +72,10 @@ void vsp1_histogram_buffer_complete(struct vsp1_histogram *histo, vb2_set_plane_payload(&buf->buf.vb2_buf, 0, size); vb2_buffer_done(&buf->buf.vb2_buf, VB2_BUF_STATE_DONE); - spin_lock_irqsave(&histo->irqlock, flags); + spin_lock(&histo->irqlock); histo->readout = false; wake_up(&histo->wait_queue); - spin_unlock_irqrestore(&histo->irqlock, flags); + spin_unlock(&histo->irqlock); } /* ----------------------------------------------------------------------------- @@ -128,11 +126,10 @@ static void histo_buffer_queue(struct vb2_buffer *vb) struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); struct vsp1_histogram *histo = vb2_get_drv_priv(vb->vb2_queue); struct vsp1_histogram_buffer *buf = to_vsp1_histogram_buffer(vbuf); - unsigned long flags; - spin_lock_irqsave(&histo->irqlock, flags); + spin_lock_irq(&histo->irqlock); list_add_tail(&buf->queue, &histo->irqqueue); - spin_unlock_irqrestore(&histo->irqlock, flags); + spin_unlock_irq(&histo->irqlock); } static int histo_start_streaming(struct vb2_queue *vq, unsigned int count) @@ -144,9 +141,8 @@ static void histo_stop_streaming(struct vb2_queue *vq) { struct vsp1_histogram *histo = vb2_get_drv_priv(vq); struct vsp1_histogram_buffer *buffer; - unsigned long flags; - spin_lock_irqsave(&histo->irqlock, flags); + spin_lock_irq(&histo->irqlock); /* Remove all buffers from the IRQ queue. */ list_for_each_entry(buffer, &histo->irqqueue, queue) @@ -156,7 +152,7 @@ static void histo_stop_streaming(struct vb2_queue *vq) /* Wait for the buffer being read out (if any) to complete. */ wait_event_lock_irq(histo->wait_queue, !histo->readout, histo->irqlock); - spin_unlock_irqrestore(&histo->irqlock, flags); + spin_unlock_irq(&histo->irqlock); } static const struct vb2_ops histo_video_queue_qops = { From 49db8c90eba2da9ddc6f9a203a6d20984d1658a7 Mon Sep 17 00:00:00 2001 From: Laurent Pinchart Date: Sun, 19 Nov 2023 03:11:51 +0200 Subject: [PATCH 027/173] media: renesas: vsp1: Store RPF partition configuration per RPF instance [ Upstream commit a213bc09b1025c771ee722ee341af1d84375db8a ] The vsp1_partition structure stores the RPF partition configuration in a single field for all RPF instances, while each RPF can have its own configuration. Fix it by storing the configuration separately for each RPF instance. Signed-off-by: Laurent Pinchart Fixes: ab45e8585182 ("media: v4l: vsp1: Allow entities to participate in the partition algorithm") Reviewed-by: Jacopo Mondi Signed-off-by: Sasha Levin (cherry picked from commit ae16866626ecae26a7317e0372224d5480211ff7) [Vegard: fix conflict due to missing commit 46ce3639a579c29dc3166a9a66522f72f11f560c ("media: vsp1: Refactor display list configure operations").] Signed-off-by: Vegard Nossum --- drivers/media/platform/vsp1/vsp1_pipe.h | 2 +- drivers/media/platform/vsp1/vsp1_rpf.c | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/media/platform/vsp1/vsp1_pipe.h b/drivers/media/platform/vsp1/vsp1_pipe.h index dfff9b5685fe..5361b0ba3164 100644 --- a/drivers/media/platform/vsp1/vsp1_pipe.h +++ b/drivers/media/platform/vsp1/vsp1_pipe.h @@ -77,7 +77,7 @@ struct vsp1_partition_window { * @wpf: The WPF partition window configuration */ struct vsp1_partition { - struct vsp1_partition_window rpf; + struct vsp1_partition_window rpf[VSP1_MAX_RPF]; struct vsp1_partition_window uds_sink; struct vsp1_partition_window uds_source; struct vsp1_partition_window sru; diff --git a/drivers/media/platform/vsp1/vsp1_rpf.c b/drivers/media/platform/vsp1/vsp1_rpf.c index fe0633da5a5f..f586b5726bdd 100644 --- a/drivers/media/platform/vsp1/vsp1_rpf.c +++ b/drivers/media/platform/vsp1/vsp1_rpf.c @@ -97,8 +97,8 @@ static void rpf_configure(struct vsp1_entity *entity, * 'width' need to be adjusted. */ if (pipe->partitions > 1) { - crop.width = pipe->partition->rpf.width; - crop.left += pipe->partition->rpf.left; + crop.width = pipe->partition->rpf[rpf->entity.index].width; + crop.left += pipe->partition->rpf[rpf->entity.index].left; } vsp1_rpf_write(rpf, dl, VI6_RPF_SRC_BSIZE, @@ -253,7 +253,9 @@ static void rpf_partition(struct vsp1_entity *entity, unsigned int partition_idx, struct vsp1_partition_window *window) { - partition->rpf = *window; + struct vsp1_rwpf *rpf = to_rwpf(&entity->subdev); + + partition->rpf[rpf->entity.index] = *window; } static const struct vsp1_entity_operations rpf_entity_ops = { From 39632d1c383813e9ddb20088f6e9a3b44ee70569 Mon Sep 17 00:00:00 2001 From: Namhyung Kim Date: Fri, 21 Jun 2024 10:05:25 -0700 Subject: [PATCH 028/173] perf report: Fix condition in sort__sym_cmp() [ Upstream commit cb39d05e67dc24985ff9f5150e71040fa4d60ab8 ] It's expected that both hist entries are in the same hists when comparing two. But the current code in the function checks one without dso sort key and other with the key. This would make the condition true in any case. I guess the intention of the original commit was to add '!' for the right side too. But as it should be the same, let's just remove it. Fixes: 69849fc5d2119 ("perf hists: Move sort__has_dso into struct perf_hpp_list") Reviewed-by: Kan Liang Signed-off-by: Namhyung Kim Link: https://lore.kernel.org/r/20240621170528.608772-2-namhyung@kernel.org Signed-off-by: Sasha Levin (cherry picked from commit 2e6abffcb52a36c89c0a70499b86e0a99df15d1e) Signed-off-by: Vegard Nossum --- tools/perf/util/sort.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c index 4fe2f3f92ab1..199c400779e2 100644 --- a/tools/perf/util/sort.c +++ b/tools/perf/util/sort.c @@ -244,7 +244,7 @@ sort__sym_cmp(struct hist_entry *left, struct hist_entry *right) * comparing symbol address alone is not enough since it's a * relative address within a dso. */ - if (!hists__has(left->hists, dso) || hists__has(right->hists, dso)) { + if (!hists__has(left->hists, dso)) { ret = sort__dso_cmp(left, right); if (ret != 0) return ret; From fa7e07d7ebb21ec8b937faeb3254a608c4d2eea2 Mon Sep 17 00:00:00 2001 From: Lucas Stach Date: Fri, 21 Jun 2024 19:11:06 +0200 Subject: [PATCH 029/173] drm/etnaviv: fix DMA direction handling for cached RW buffers [ Upstream commit 58979ad6330a70450ed78837be3095107d022ea9 ] The dma sync operation needs to be done with DMA_BIDIRECTIONAL when the BO is prepared for both read and write operations. Fixes: a8c21a5451d8 ("drm/etnaviv: add initial etnaviv DRM driver") Signed-off-by: Lucas Stach Reviewed-by: Philipp Zabel Reviewed-by: Christian Gmeiner Signed-off-by: Sasha Levin (cherry picked from commit c7c74c8256206ffc27212ada1f998f5a05b8c54f) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/etnaviv/etnaviv_gem.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem.c b/drivers/gpu/drm/etnaviv/etnaviv_gem.c index 57881167ccd2..d0bc792038b5 100644 --- a/drivers/gpu/drm/etnaviv/etnaviv_gem.c +++ b/drivers/gpu/drm/etnaviv/etnaviv_gem.c @@ -397,9 +397,11 @@ static void *etnaviv_gem_vmap_impl(struct etnaviv_gem_object *obj) static inline enum dma_data_direction etnaviv_op_to_dma_dir(u32 op) { - if (op & ETNA_PREP_READ) + op &= ETNA_PREP_READ | ETNA_PREP_WRITE; + + if (op == ETNA_PREP_READ) return DMA_FROM_DEVICE; - else if (op & ETNA_PREP_WRITE) + else if (op == ETNA_PREP_WRITE) return DMA_TO_DEVICE; else return DMA_BIDIRECTIONAL; From 5e8bf661518b825696c6ee219e62292e6bc8df93 Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Thu, 13 Jun 2024 17:02:34 +0200 Subject: [PATCH 030/173] ext4: avoid writing unitialized memory to disk in EA inodes [ Upstream commit 65121eff3e4c8c90f8126debf3c369228691c591 ] If the extended attribute size is not a multiple of block size, the last block in the EA inode will have uninitialized tail which will get written to disk. We will never expose the data to userspace but still this is not a good practice so just zero out the tail of the block as it isn't going to cause a noticeable performance overhead. Fixes: e50e5129f384 ("ext4: xattr-in-inode support") Reported-by: syzbot+9c1fe13fcb51574b249b@syzkaller.appspotmail.com Reported-by: Hugh Dickins Signed-off-by: Jan Kara Link: https://patch.msgid.link/20240613150234.25176-1-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin (cherry picked from commit 282e8d4e9d33182a5ca25fe6333beafdc5282946) Signed-off-by: Vegard Nossum --- fs/ext4/xattr.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c index f529ced0b692..80cc5bef1a65 100644 --- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -1410,6 +1410,12 @@ retry: goto out; memcpy(bh->b_data, buf, csize); + /* + * Zero out block tail to avoid writing uninitialized memory + * to disk. + */ + if (csize < blocksize) + memset(bh->b_data + csize, 0, blocksize - csize); set_buffer_uptodate(bh); ext4_handle_dirty_metadata(handle, ea_inode, bh); From 0549d286c615b284448fa4d449c322f3ae2aa55f Mon Sep 17 00:00:00 2001 From: Andreas Larsson Date: Wed, 10 Jul 2024 11:41:53 +0200 Subject: [PATCH 031/173] sparc64: Fix incorrect function signature and add prototype for prom_cif_init MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit a6c3ea1ec96307dbfbb2f16d96c674c5cc80f445 ] Remove the unused cif_stack argument and add a protype in oplib_64.h Commit ef3e035c3a9b ("sparc64: Fix register corruption in top-most kernel stack frame during boot.") removed the cif_stack argument to prom_cif init in the declaration at the caller site and the usage of it within prom_cif_init, but not in the function signature of the function itself. This also fixes the following warning: arch/sparc/prom/p1275.c:52:6: warning: no previous prototype for ‘prom_cif_init’ Fixes: ef3e035c3a9b ("sparc64: Fix register corruption in top-most kernel stack frame during boot.") Link: https://lore.kernel.org/r/20240710094155.458731-3-andreas@gaisler.com Signed-off-by: Andreas Larsson Signed-off-by: Sasha Levin (cherry picked from commit 6b4f676006a390edffd6a00f2ebc23276dd05031) Signed-off-by: Vegard Nossum --- arch/sparc/include/asm/oplib_64.h | 1 + arch/sparc/prom/init_64.c | 3 --- arch/sparc/prom/p1275.c | 2 +- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/arch/sparc/include/asm/oplib_64.h b/arch/sparc/include/asm/oplib_64.h index a67abebd4359..1b86d02a8455 100644 --- a/arch/sparc/include/asm/oplib_64.h +++ b/arch/sparc/include/asm/oplib_64.h @@ -247,6 +247,7 @@ void prom_sun4v_guest_soft_state(void); int prom_ihandle2path(int handle, char *buffer, int bufsize); /* Client interface level routines. */ +void prom_cif_init(void *cif_handler); void p1275_cmd_direct(unsigned long *); #endif /* !(__SPARC64_OPLIB_H) */ diff --git a/arch/sparc/prom/init_64.c b/arch/sparc/prom/init_64.c index 103aa9104318..f7b8a1a865b8 100644 --- a/arch/sparc/prom/init_64.c +++ b/arch/sparc/prom/init_64.c @@ -26,9 +26,6 @@ phandle prom_chosen_node; * routines in the prom library. * It gets passed the pointer to the PROM vector. */ - -extern void prom_cif_init(void *); - void __init prom_init(void *cif_handler) { phandle node; diff --git a/arch/sparc/prom/p1275.c b/arch/sparc/prom/p1275.c index 889aa602f8d8..51c3f984bbf7 100644 --- a/arch/sparc/prom/p1275.c +++ b/arch/sparc/prom/p1275.c @@ -49,7 +49,7 @@ void p1275_cmd_direct(unsigned long *args) local_irq_restore(flags); } -void prom_cif_init(void *cif_handler, void *cif_stack) +void prom_cif_init(void *cif_handler) { p1275buf.prom_cif_handler = (void (*)(long *))cif_handler; } From 02a0104454d95405c65536870fdc426e8663512d Mon Sep 17 00:00:00 2001 From: Jon Derrick Date: Tue, 25 Sep 2018 12:39:06 -0600 Subject: [PATCH 032/173] PCI: Equalize hotplug memory and io for occupied and empty slots [ Upstream commit de3ffa301142bf8802a7b0de17f9985acde5c223 ] Currently, a hotplug bridge will be given hpmemsize additional memory and hpiosize additional io if available, in order to satisfy any future hotplug allocation requirements. These calculations don't consider the current memory/io size of the hotplug bridge/slot, so hotplug bridges/slots which have downstream devices will be allocated their current allocation in addition to the hpmemsize value. This makes for possibly undesirable results with a mix of unoccupied and occupied slots (ex, with hpmemsize=2M): 02:03.0 PCI bridge: <-- Occupied Memory behind bridge: d6200000-d64fffff [size=3M] 02:04.0 PCI bridge: <-- Unoccupied Memory behind bridge: d6500000-d66fffff [size=2M] This change considers the current allocation size when using the hpmemsize/hpiosize parameters to make the reservations predictable for the mix of unoccupied and occupied slots: 02:03.0 PCI bridge: <-- Occupied Memory behind bridge: d6200000-d63fffff [size=2M] 02:04.0 PCI bridge: <-- Unoccupied Memory behind bridge: d6400000-d65fffff [size=2M] Signed-off-by: Jon Derrick Signed-off-by: Bjorn Helgaas Stable-dep-of: 903534fa7d30 ("PCI: Fix resource double counting on remove & rescan") Signed-off-by: Sasha Levin (cherry picked from commit 0012438a122c56d727712169df42fd0e297a42b0) Signed-off-by: Vegard Nossum --- drivers/pci/setup-bus.c | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c index fb73e975d22b..774edb227a3e 100644 --- a/drivers/pci/setup-bus.c +++ b/drivers/pci/setup-bus.c @@ -816,6 +816,8 @@ static struct resource *find_free_bus_resource(struct pci_bus *bus, static resource_size_t calculate_iosize(resource_size_t size, resource_size_t min_size, resource_size_t size1, + resource_size_t add_size, + resource_size_t children_add_size, resource_size_t old_size, resource_size_t align) { @@ -828,15 +830,18 @@ static resource_size_t calculate_iosize(resource_size_t size, #if defined(CONFIG_ISA) || defined(CONFIG_EISA) size = (size & 0xff) + ((size & ~0xffUL) << 2); #endif - size = ALIGN(size + size1, align); + size = size + size1; if (size < old_size) size = old_size; + + size = ALIGN(max(size, add_size) + children_add_size, align); return size; } static resource_size_t calculate_memsize(resource_size_t size, resource_size_t min_size, - resource_size_t size1, + resource_size_t add_size, + resource_size_t children_add_size, resource_size_t old_size, resource_size_t align) { @@ -846,7 +851,8 @@ static resource_size_t calculate_memsize(resource_size_t size, old_size = 0; if (size < old_size) size = old_size; - size = ALIGN(size + size1, align); + + size = ALIGN(max(size, add_size) + children_add_size, align); return size; } @@ -935,12 +941,10 @@ static void pbus_size_io(struct pci_bus *bus, resource_size_t min_size, } } - size0 = calculate_iosize(size, min_size, size1, + size0 = calculate_iosize(size, min_size, size1, 0, 0, resource_size(b_res), min_align); - if (children_add_size > add_size) - add_size = children_add_size; - size1 = (!realloc_head || (realloc_head && !add_size)) ? size0 : - calculate_iosize(size, min_size, add_size + size1, + size1 = (!realloc_head || (realloc_head && !add_size && !children_add_size)) ? size0 : + calculate_iosize(size, min_size, size1, add_size, children_add_size, resource_size(b_res), min_align); if (!size0 && !size1) { if (b_res->start || b_res->end) @@ -1084,12 +1088,10 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask, min_align = calculate_mem_align(aligns, max_order); min_align = max(min_align, window_alignment(bus, b_res->flags)); - size0 = calculate_memsize(size, min_size, 0, resource_size(b_res), min_align); + size0 = calculate_memsize(size, min_size, 0, 0, resource_size(b_res), min_align); add_align = max(min_align, add_align); - if (children_add_size > add_size) - add_size = children_add_size; - size1 = (!realloc_head || (realloc_head && !add_size)) ? size0 : - calculate_memsize(size, min_size, add_size, + size1 = (!realloc_head || (realloc_head && !add_size && !children_add_size)) ? size0 : + calculate_memsize(size, min_size, add_size, children_add_size, resource_size(b_res), add_align); if (!size0 && !size1) { if (b_res->start || b_res->end) From 0a5d6964e9374945dfef1227972e8cc1a2a6d5ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= Date: Tue, 7 May 2024 13:25:16 +0300 Subject: [PATCH 033/173] PCI: Fix resource double counting on remove & rescan MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 903534fa7d30214d8ba840ab1cd9e917e0c88e41 ] pbus_size_mem() keeps the size of the optional resources in children_add_size. When calculating the PCI bridge window size, calculate_memsize() lower bounds size by old_size before adding children_add_size and performing the window size alignment. This results in double counting for the resources in children_add_size because old_size may be based on the previous size of the bridge window after it has already included children_add_size (that is, size1 in pbus_size_mem() from an earlier invocation of that function). As a result, on repeated remove of the bus & rescan cycles the resource size keeps increasing when children_add_size is non-zero as can be seen from this extract: iomem0: 23fffd00000-23fffdfffff : PCI Bus 0000:03 # 1MiB iomem1: 20000000000-200001fffff : PCI Bus 0000:03 # 2MiB iomem2: 20000000000-200002fffff : PCI Bus 0000:03 # 3MiB iomem3: 20000000000-200003fffff : PCI Bus 0000:03 # 4MiB iomem4: 20000000000-200004fffff : PCI Bus 0000:03 # 5MiB Solve the double counting by moving old_size check later in calculate_memsize() so that children_add_size is already accounted for. After the patch, the bridge window retains its size as expected: iomem0: 23fffd00000-23fffdfffff : PCI Bus 0000:03 # 1MiB iomem1: 20000000000-200000fffff : PCI Bus 0000:03 # 1MiB iomem2: 20000000000-200000fffff : PCI Bus 0000:03 # 1MiB Fixes: a4ac9fea016f ("PCI : Calculate right add_size") Link: https://lore.kernel.org/r/20240507102523.57320-2-ilpo.jarvinen@linux.intel.com Tested-by: Lidong Wang Signed-off-by: Ilpo Järvinen Signed-off-by: Bjorn Helgaas Reviewed-by: Mika Westerberg Signed-off-by: Sasha Levin (cherry picked from commit 2044071c6e42d041e3656bad105be5879f6b70f1) Signed-off-by: Vegard Nossum --- drivers/pci/setup-bus.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c index 774edb227a3e..28af1a14e0eb 100644 --- a/drivers/pci/setup-bus.c +++ b/drivers/pci/setup-bus.c @@ -849,11 +849,9 @@ static resource_size_t calculate_memsize(resource_size_t size, size = min_size; if (old_size == 1) old_size = 0; - if (size < old_size) - size = old_size; - size = ALIGN(max(size, add_size) + children_add_size, align); - return size; + size = max(size, add_size) + children_add_size; + return ALIGN(max(size, old_size), align); } resource_size_t __weak pcibios_window_alignment(struct pci_bus *bus, From 8e50a9f8175582f34a709024496217f3fca864e5 Mon Sep 17 00:00:00 2001 From: Leon Romanovsky Date: Sun, 16 Jun 2024 19:16:33 +0300 Subject: [PATCH 034/173] RDMA/mlx4: Fix truncated output warning in mad.c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 0d2e6992fc956e3308cd5376c18567def4cb3967 ] Increase size of the name array to avoid truncated output warning. drivers/infiniband/hw/mlx4/mad.c: In function ‘mlx4_ib_alloc_demux_ctx’: drivers/infiniband/hw/mlx4/mad.c:2197:47: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 4 [-Werror=format-truncation=] 2197 | snprintf(name, sizeof(name), "mlx4_ibt%d", port); | ^~ drivers/infiniband/hw/mlx4/mad.c:2197:38: note: directive argument in the range [-2147483645, 2147483647] 2197 | snprintf(name, sizeof(name), "mlx4_ibt%d", port); | ^~~~~~~~~~~~ drivers/infiniband/hw/mlx4/mad.c:2197:9: note: ‘snprintf’ output between 10 and 20 bytes into a destination of size 12 2197 | snprintf(name, sizeof(name), "mlx4_ibt%d", port); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/infiniband/hw/mlx4/mad.c:2205:48: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 3 [-Werror=format-truncation=] 2205 | snprintf(name, sizeof(name), "mlx4_ibwi%d", port); | ^~ drivers/infiniband/hw/mlx4/mad.c:2205:38: note: directive argument in the range [-2147483645, 2147483647] 2205 | snprintf(name, sizeof(name), "mlx4_ibwi%d", port); | ^~~~~~~~~~~~~ drivers/infiniband/hw/mlx4/mad.c:2205:9: note: ‘snprintf’ output between 11 and 21 bytes into a destination of size 12 2205 | snprintf(name, sizeof(name), "mlx4_ibwi%d", port); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/infiniband/hw/mlx4/mad.c:2213:48: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 3 [-Werror=format-truncation=] 2213 | snprintf(name, sizeof(name), "mlx4_ibud%d", port); | ^~ drivers/infiniband/hw/mlx4/mad.c:2213:38: note: directive argument in the range [-2147483645, 2147483647] 2213 | snprintf(name, sizeof(name), "mlx4_ibud%d", port); | ^~~~~~~~~~~~~ drivers/infiniband/hw/mlx4/mad.c:2213:9: note: ‘snprintf’ output between 11 and 21 bytes into a destination of size 12 2213 | snprintf(name, sizeof(name), "mlx4_ibud%d", port); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors make[6]: *** [scripts/Makefile.build:244: drivers/infiniband/hw/mlx4/mad.o] Error 1 Fixes: fc06573dfaf8 ("IB/mlx4: Initialize SR-IOV IB support for slaves in master context") Link: https://lore.kernel.org/r/f3798b3ce9a410257d7e1ec7c9e285f1352e256a.1718554569.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin (cherry picked from commit c4eaaf28068a99d8363bf02a20a32bf207be13e1) Signed-off-by: Vegard Nossum --- drivers/infiniband/hw/mlx4/mad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c index 60d4f2c9c24d..46b33244f0bc 100644 --- a/drivers/infiniband/hw/mlx4/mad.c +++ b/drivers/infiniband/hw/mlx4/mad.c @@ -2170,7 +2170,7 @@ static int mlx4_ib_alloc_demux_ctx(struct mlx4_ib_dev *dev, struct mlx4_ib_demux_ctx *ctx, int port) { - char name[12]; + char name[21]; int ret = 0; int i; From e9d4656f8f0c014de2ffcf8d4903c4630c43c72b Mon Sep 17 00:00:00 2001 From: Leon Romanovsky Date: Sun, 16 Jun 2024 19:17:30 +0300 Subject: [PATCH 035/173] RDMA/mlx4: Fix truncated output warning in alias_GUID.c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 5953e0647cec703ef436ead37fed48943507b433 ] drivers/infiniband/hw/mlx4/alias_GUID.c: In function ‘mlx4_ib_init_alias_guid_service’: drivers/infiniband/hw/mlx4/alias_GUID.c:878:74: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 5 [-Werror=format-truncation=] 878 | snprintf(alias_wq_name, sizeof alias_wq_name, "alias_guid%d", i); | ^~ drivers/infiniband/hw/mlx4/alias_GUID.c:878:63: note: directive argument in the range [-2147483641, 2147483646] 878 | snprintf(alias_wq_name, sizeof alias_wq_name, "alias_guid%d", i); | ^~~~~~~~~~~~~~ drivers/infiniband/hw/mlx4/alias_GUID.c:878:17: note: ‘snprintf’ output between 12 and 22 bytes into a destination of size 15 878 | snprintf(alias_wq_name, sizeof alias_wq_name, "alias_guid%d", i); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors Fixes: a0c64a17aba8 ("mlx4: Add alias_guid mechanism") Link: https://lore.kernel.org/r/1951c9500109ca7e36dcd523f8a5f2d0d2a608d1.1718554641.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin (cherry picked from commit 087abc7e244700f741c0431af59b28e910a82dc1) Signed-off-by: Vegard Nossum --- drivers/infiniband/hw/mlx4/alias_GUID.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/hw/mlx4/alias_GUID.c b/drivers/infiniband/hw/mlx4/alias_GUID.c index baab9afa9174..f2d975c2659d 100644 --- a/drivers/infiniband/hw/mlx4/alias_GUID.c +++ b/drivers/infiniband/hw/mlx4/alias_GUID.c @@ -832,7 +832,7 @@ void mlx4_ib_destroy_alias_guid_service(struct mlx4_ib_dev *dev) int mlx4_ib_init_alias_guid_service(struct mlx4_ib_dev *dev) { - char alias_wq_name[15]; + char alias_wq_name[22]; int ret = 0; int i, j; union ib_gid gid; From 117e5c14bbbb75364fabcb7d2e70e19167efc931 Mon Sep 17 00:00:00 2001 From: Honggang LI Date: Mon, 24 Jun 2024 10:03:48 +0800 Subject: [PATCH 036/173] RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs [ Upstream commit 4adcaf969d77d3d3aa3871bbadc196258a38aec6 ] BTH_ACK_MASK bit is used to indicate that an acknowledge (for this packet) should be scheduled by the responder. Both UC and UD QPs are unacknowledged, so don't set BTH_ACK_MASK for UC or UD QPs. Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Honggang LI Link: https://lore.kernel.org/r/20240624020348.494338-1-honggangli@163.com Reviewed-by: Zhu Yanjun Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin (cherry picked from commit 796c0f32fc956b88c345195472e2d74823be0d03) Signed-off-by: Vegard Nossum --- drivers/infiniband/sw/rxe/rxe_req.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/sw/rxe/rxe_req.c b/drivers/infiniband/sw/rxe/rxe_req.c index 5d0f4c0120ac..3543c1bf048f 100644 --- a/drivers/infiniband/sw/rxe/rxe_req.c +++ b/drivers/infiniband/sw/rxe/rxe_req.c @@ -390,7 +390,7 @@ static struct sk_buff *init_req_packet(struct rxe_qp *qp, int solicited; u16 pkey; u32 qp_num; - int ack_req; + int ack_req = 0; /* length from start of bth to end of icrc */ paylen = rxe_opcode[opcode].length + payload + pad + RXE_ICRC_SIZE; @@ -426,8 +426,9 @@ static struct sk_buff *init_req_packet(struct rxe_qp *qp, qp_num = (pkt->mask & RXE_DETH_MASK) ? ibwr->wr.ud.remote_qpn : qp->attr.dest_qp_num; - ack_req = ((pkt->mask & RXE_END_MASK) || - (qp->req.noack_pkts++ > RXE_MAX_PKT_PER_ACK)); + if (qp_type(qp) != IB_QPT_UD && qp_type(qp) != IB_QPT_UC) + ack_req = ((pkt->mask & RXE_END_MASK) || + (qp->req.noack_pkts++ > RXE_MAX_PKT_PER_ACK)); if (ack_req) qp->req.noack_pkts = 0; From 550d6bbd2dedbc88697932ddbe5f930b20a4d7c1 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Wed, 29 May 2024 11:50:39 +0200 Subject: [PATCH 037/173] mtd: make mtd_test.c a separate module [ Upstream commit a5cf054d325e6f362e82fe6d124a1871a4af8174 ] This file gets linked into nine different modules, which causes a warning: scripts/Makefile.build:236: drivers/mtd/tests/Makefile: mtd_test.o is added to multiple modules: mtd_nandbiterrs mtd_oobtest mtd_pagetest mtd_readtest mtd_speedtest mtd_stresstest mtd_subpagetest mtd_torturetest Make it a separate module instead. Fixes: a995c792280d ("mtd: tests: rename sources in order to link a helper object") Signed-off-by: Arnd Bergmann Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20240529095049.1915393-1-arnd@kernel.org Signed-off-by: Sasha Levin (cherry picked from commit 17b016971c27ee1e884da3ce502801cb95f84ff1) Signed-off-by: Vegard Nossum --- drivers/mtd/tests/Makefile | 34 +++++++++++++++++----------------- drivers/mtd/tests/mtd_test.c | 9 +++++++++ 2 files changed, 26 insertions(+), 17 deletions(-) diff --git a/drivers/mtd/tests/Makefile b/drivers/mtd/tests/Makefile index 5de0378f90db..7dae831ee8b6 100644 --- a/drivers/mtd/tests/Makefile +++ b/drivers/mtd/tests/Makefile @@ -1,19 +1,19 @@ # SPDX-License-Identifier: GPL-2.0 -obj-$(CONFIG_MTD_TESTS) += mtd_oobtest.o -obj-$(CONFIG_MTD_TESTS) += mtd_pagetest.o -obj-$(CONFIG_MTD_TESTS) += mtd_readtest.o -obj-$(CONFIG_MTD_TESTS) += mtd_speedtest.o -obj-$(CONFIG_MTD_TESTS) += mtd_stresstest.o -obj-$(CONFIG_MTD_TESTS) += mtd_subpagetest.o -obj-$(CONFIG_MTD_TESTS) += mtd_torturetest.o -obj-$(CONFIG_MTD_TESTS) += mtd_nandecctest.o -obj-$(CONFIG_MTD_TESTS) += mtd_nandbiterrs.o +obj-$(CONFIG_MTD_TESTS) += mtd_oobtest.o mtd_test.o +obj-$(CONFIG_MTD_TESTS) += mtd_pagetest.o mtd_test.o +obj-$(CONFIG_MTD_TESTS) += mtd_readtest.o mtd_test.o +obj-$(CONFIG_MTD_TESTS) += mtd_speedtest.o mtd_test.o +obj-$(CONFIG_MTD_TESTS) += mtd_stresstest.o mtd_test.o +obj-$(CONFIG_MTD_TESTS) += mtd_subpagetest.o mtd_test.o +obj-$(CONFIG_MTD_TESTS) += mtd_torturetest.o mtd_test.o +obj-$(CONFIG_MTD_TESTS) += mtd_nandecctest.o mtd_test.o +obj-$(CONFIG_MTD_TESTS) += mtd_nandbiterrs.o mtd_test.o -mtd_oobtest-objs := oobtest.o mtd_test.o -mtd_pagetest-objs := pagetest.o mtd_test.o -mtd_readtest-objs := readtest.o mtd_test.o -mtd_speedtest-objs := speedtest.o mtd_test.o -mtd_stresstest-objs := stresstest.o mtd_test.o -mtd_subpagetest-objs := subpagetest.o mtd_test.o -mtd_torturetest-objs := torturetest.o mtd_test.o -mtd_nandbiterrs-objs := nandbiterrs.o mtd_test.o +mtd_oobtest-objs := oobtest.o +mtd_pagetest-objs := pagetest.o +mtd_readtest-objs := readtest.o +mtd_speedtest-objs := speedtest.o +mtd_stresstest-objs := stresstest.o +mtd_subpagetest-objs := subpagetest.o +mtd_torturetest-objs := torturetest.o +mtd_nandbiterrs-objs := nandbiterrs.o diff --git a/drivers/mtd/tests/mtd_test.c b/drivers/mtd/tests/mtd_test.c index 3d0b8b5c1a53..ab508a224b49 100644 --- a/drivers/mtd/tests/mtd_test.c +++ b/drivers/mtd/tests/mtd_test.c @@ -30,6 +30,7 @@ int mtdtest_erase_eraseblock(struct mtd_info *mtd, unsigned int ebnum) } return 0; } +EXPORT_SYMBOL_GPL(mtdtest_erase_eraseblock); static int is_block_bad(struct mtd_info *mtd, unsigned int ebnum) { @@ -62,6 +63,7 @@ int mtdtest_scan_for_bad_eraseblocks(struct mtd_info *mtd, unsigned char *bbt, return 0; } +EXPORT_SYMBOL_GPL(mtdtest_scan_for_bad_eraseblocks); int mtdtest_erase_good_eraseblocks(struct mtd_info *mtd, unsigned char *bbt, unsigned int eb, int ebcnt) @@ -80,6 +82,7 @@ int mtdtest_erase_good_eraseblocks(struct mtd_info *mtd, unsigned char *bbt, return 0; } +EXPORT_SYMBOL_GPL(mtdtest_erase_good_eraseblocks); int mtdtest_read(struct mtd_info *mtd, loff_t addr, size_t size, void *buf) { @@ -97,6 +100,7 @@ int mtdtest_read(struct mtd_info *mtd, loff_t addr, size_t size, void *buf) return err; } +EXPORT_SYMBOL_GPL(mtdtest_read); int mtdtest_write(struct mtd_info *mtd, loff_t addr, size_t size, const void *buf) @@ -112,3 +116,8 @@ int mtdtest_write(struct mtd_info *mtd, loff_t addr, size_t size, return err; } +EXPORT_SYMBOL_GPL(mtdtest_write); + +MODULE_LICENSE("GPL"); +MODULE_DESCRIPTION("MTD function test helpers"); +MODULE_AUTHOR("Akinobu Mita"); From e547f41337badd93753b4fe3ae3817ed8400abd6 Mon Sep 17 00:00:00 2001 From: Dmitry Torokhov Date: Thu, 6 Jun 2024 23:02:48 -0700 Subject: [PATCH 038/173] Input: elan_i2c - do not leave interrupt disabled on suspend failure [ Upstream commit 5f82c1e04721e7cd98e604eb4e58f0724d8e5a65 ] Make sure interrupts are not left disabled when we fail to suspend the touch controller. Fixes: 6696777c6506 ("Input: add driver for Elan I2C/SMbus touchpad") Link: https://lore.kernel.org/r/ZmKiiL-1wzKrhqBj@google.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin (cherry picked from commit 2ee59e846895b6b061defbc6cde83126f91b7abd) Signed-off-by: Vegard Nossum --- drivers/input/mouse/elan_i2c_core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c index 3c7281248432..ec610e81e724 100644 --- a/drivers/input/mouse/elan_i2c_core.c +++ b/drivers/input/mouse/elan_i2c_core.c @@ -1185,6 +1185,8 @@ static int __maybe_unused elan_suspend(struct device *dev) } err: + if (ret) + enable_irq(client->irq); mutex_unlock(&data->sysfs_mutex); return ret; } From fd5b433d1390c5586bc367f3e10fbb226ad9e2ac Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Fri, 5 Jul 2024 16:48:30 +0900 Subject: [PATCH 039/173] MIPS: Octeron: remove source file executable bit [ Upstream commit 89c7f5078935872cf47a713a645affb5037be694 ] This does not matter the least, but there is no other .[ch] file in the repo that is executable, so clean this up. Fixes: 29b83a64df3b ("MIPS: Octeon: Add PCIe link status check") Signed-off-by: Dominique Martinet Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin (cherry picked from commit 12bc3aca7d100a8f749c2a6fcdb6be08ad41c105) Signed-off-by: Vegard Nossum --- arch/mips/pci/pcie-octeon.c | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 arch/mips/pci/pcie-octeon.c diff --git a/arch/mips/pci/pcie-octeon.c b/arch/mips/pci/pcie-octeon.c old mode 100755 new mode 100644 From 971a6101e844da8bcbdd4bd046a826c6cc44d861 Mon Sep 17 00:00:00 2001 From: Michael Ellerman Date: Thu, 9 May 2024 22:12:47 +1000 Subject: [PATCH 040/173] powerpc/xmon: Fix disassembly CPU feature checks [ Upstream commit 14196e47c5ffe32af7ed5a51c9e421c5ea5bccce ] In the xmon disassembly code there are several CPU feature checks to determine what dialects should be passed to the disassembler. The dialect controls which instructions the disassembler will recognise. Unfortunately the checks are incorrect, because instead of passing a single CPU feature they are passing a mask of feature bits. For example the code: if (cpu_has_feature(CPU_FTRS_POWER5)) dialect |= PPC_OPCODE_POWER5; Is trying to check if the system is running on a Power5 CPU. But CPU_FTRS_POWER5 is a mask of *all* the feature bits that are enabled on a Power5. In practice the test will always return true for any 64-bit CPU, because at least one bit in the mask will be present in the CPU_FTRS_ALWAYS mask. Similarly for all the other checks against CPU_FTRS_xx masks. Rather than trying to match the disassembly behaviour exactly to the current CPU, just differentiate between 32-bit and 64-bit, and Altivec, VSX and HTM. That will cause some instructions to be shown in disassembly even on a CPU that doesn't support them, but that's OK, objdump -d output has the same behaviour, and if anything it's less confusing than some instructions not being disassembled. Fixes: 897f112bb42e ("[POWERPC] Import updated version of ppc disassembly code for xmon") Signed-off-by: Michael Ellerman Link: https://msgid.link/20240509121248.270878-2-mpe@ellerman.id.au Signed-off-by: Sasha Levin (cherry picked from commit 5b84d47a0baee13434fadb3b9506c39f51f9ab98) Signed-off-by: Vegard Nossum --- arch/powerpc/xmon/ppc-dis.c | 33 +++++++++++---------------------- 1 file changed, 11 insertions(+), 22 deletions(-) diff --git a/arch/powerpc/xmon/ppc-dis.c b/arch/powerpc/xmon/ppc-dis.c index 006c7f864f65..32c03f7d4412 100644 --- a/arch/powerpc/xmon/ppc-dis.c +++ b/arch/powerpc/xmon/ppc-dis.c @@ -137,32 +137,21 @@ int print_insn_powerpc (unsigned long insn, unsigned long memaddr) bool insn_is_short; ppc_cpu_t dialect; - dialect = PPC_OPCODE_PPC | PPC_OPCODE_COMMON - | PPC_OPCODE_64 | PPC_OPCODE_POWER4 | PPC_OPCODE_ALTIVEC; + dialect = PPC_OPCODE_PPC | PPC_OPCODE_COMMON; - if (cpu_has_feature(CPU_FTRS_POWER5)) - dialect |= PPC_OPCODE_POWER5; + if (IS_ENABLED(CONFIG_PPC64)) + dialect |= PPC_OPCODE_64 | PPC_OPCODE_POWER4 | PPC_OPCODE_CELL | + PPC_OPCODE_POWER5 | PPC_OPCODE_POWER6 | PPC_OPCODE_POWER7 | PPC_OPCODE_POWER8 | + PPC_OPCODE_POWER9; - if (cpu_has_feature(CPU_FTRS_CELL)) - dialect |= (PPC_OPCODE_CELL | PPC_OPCODE_ALTIVEC); + if (cpu_has_feature(CPU_FTR_TM)) + dialect |= PPC_OPCODE_HTM; - if (cpu_has_feature(CPU_FTRS_POWER6)) - dialect |= (PPC_OPCODE_POWER5 | PPC_OPCODE_POWER6 | PPC_OPCODE_ALTIVEC); + if (cpu_has_feature(CPU_FTR_ALTIVEC)) + dialect |= PPC_OPCODE_ALTIVEC | PPC_OPCODE_ALTIVEC2; - if (cpu_has_feature(CPU_FTRS_POWER7)) - dialect |= (PPC_OPCODE_POWER5 | PPC_OPCODE_POWER6 | PPC_OPCODE_POWER7 - | PPC_OPCODE_ALTIVEC | PPC_OPCODE_VSX); - - if (cpu_has_feature(CPU_FTRS_POWER8)) - dialect |= (PPC_OPCODE_POWER5 | PPC_OPCODE_POWER6 | PPC_OPCODE_POWER7 - | PPC_OPCODE_POWER8 | PPC_OPCODE_HTM - | PPC_OPCODE_ALTIVEC | PPC_OPCODE_ALTIVEC2 | PPC_OPCODE_VSX); - - if (cpu_has_feature(CPU_FTRS_POWER9)) - dialect |= (PPC_OPCODE_POWER5 | PPC_OPCODE_POWER6 | PPC_OPCODE_POWER7 - | PPC_OPCODE_POWER8 | PPC_OPCODE_POWER9 | PPC_OPCODE_HTM - | PPC_OPCODE_ALTIVEC | PPC_OPCODE_ALTIVEC2 - | PPC_OPCODE_VSX | PPC_OPCODE_VSX3); + if (cpu_has_feature(CPU_FTR_VSX)) + dialect |= PPC_OPCODE_VSX | PPC_OPCODE_VSX3; /* Get the major opcode of the insn. */ opcode = NULL; From 20b6b7a306d9487bb507af81df8e926b8141d902 Mon Sep 17 00:00:00 2001 From: Nick Bowler Date: Wed, 10 Jul 2024 23:54:17 -0400 Subject: [PATCH 041/173] macintosh/therm_windtunnel: fix module unload. [ Upstream commit fd748e177194ebcbbaf98df75152a30e08230cc6 ] The of_device_unregister call in therm_windtunnel's module_exit procedure does not fully reverse the effects of of_platform_device_create in the module_init prodedure. Once you unload this module, it is impossible to load it ever again since only the first of_platform_device_create call on the fan node succeeds. This driver predates first git commit, and it turns out back then of_platform_device_create worked differently than it does today. So this is actually an old regression. The appropriate function to undo of_platform_device_create now appears to be of_platform_device_destroy, and switching to use this makes it possible to unload and load the module as expected. Signed-off-by: Nick Bowler Fixes: c6e126de43e7 ("of: Keep track of populated platform devices") Signed-off-by: Michael Ellerman Link: https://msgid.link/20240711035428.16696-1-nbowler@draconx.ca Signed-off-by: Sasha Levin (cherry picked from commit eeb9a0f79d8e4ea27b4f85a73f3765dc0046ab01) Signed-off-by: Vegard Nossum --- drivers/macintosh/therm_windtunnel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/macintosh/therm_windtunnel.c b/drivers/macintosh/therm_windtunnel.c index 68dcbcb4fc5b..d4cb53e65186 100644 --- a/drivers/macintosh/therm_windtunnel.c +++ b/drivers/macintosh/therm_windtunnel.c @@ -518,7 +518,7 @@ g4fan_exit( void ) platform_driver_unregister( &therm_of_driver ); if( x.of_dev ) - of_device_unregister( x.of_dev ); + of_platform_device_destroy(&x.of_dev->dev, NULL); } module_init(g4fan_init); From 4f51eb5763820de8cf9bc32b26b20d19f7ccfc5d Mon Sep 17 00:00:00 2001 From: Jack Wang Date: Wed, 10 Jul 2024 14:21:02 +0200 Subject: [PATCH 042/173] bnxt_re: Fix imm_data endianness [ Upstream commit 95b087f87b780daafad1dbb2c84e81b729d5d33f ] When map a device between servers with MLX and BCM RoCE nics, RTRS server complain about unknown imm type, and can't map the device, After more debug, it seems bnxt_re wrongly handle the imm_data, this patch fixed the compat issue with MLX for us. In off list discussion, Selvin confirmed HW is working in little endian format and all data needs to be converted to LE while providing. This patch fix the endianness for imm_data Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") Signed-off-by: Jack Wang Link: https://lore.kernel.org/r/20240710122102.37569-1-jinpu.wang@ionos.com Acked-by: Selvin Xavier Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin (cherry picked from commit dfb40b2535b298b34b37780fe8eced6d38e28c5c) Signed-off-by: Vegard Nossum --- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 8 ++++---- drivers/infiniband/hw/bnxt_re/qplib_fp.h | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/infiniband/hw/bnxt_re/ib_verbs.c b/drivers/infiniband/hw/bnxt_re/ib_verbs.c index ab218767bf05..489a404aa8ce 100644 --- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c +++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c @@ -1878,7 +1878,7 @@ static int bnxt_re_build_send_wqe(struct bnxt_re_qp *qp, break; case IB_WR_SEND_WITH_IMM: wqe->type = BNXT_QPLIB_SWQE_TYPE_SEND_WITH_IMM; - wqe->send.imm_data = wr->ex.imm_data; + wqe->send.imm_data = be32_to_cpu(wr->ex.imm_data); break; case IB_WR_SEND_WITH_INV: wqe->type = BNXT_QPLIB_SWQE_TYPE_SEND_WITH_INV; @@ -1908,7 +1908,7 @@ static int bnxt_re_build_rdma_wqe(struct ib_send_wr *wr, break; case IB_WR_RDMA_WRITE_WITH_IMM: wqe->type = BNXT_QPLIB_SWQE_TYPE_RDMA_WRITE_WITH_IMM; - wqe->rdma.imm_data = wr->ex.imm_data; + wqe->rdma.imm_data = be32_to_cpu(wr->ex.imm_data); break; case IB_WR_RDMA_READ: wqe->type = BNXT_QPLIB_SWQE_TYPE_RDMA_READ; @@ -2833,7 +2833,7 @@ static void bnxt_re_process_res_shadow_qp_wc(struct bnxt_re_qp *qp, wc->byte_len = orig_cqe->length; wc->qp = &qp1_qp->ib_qp; - wc->ex.imm_data = orig_cqe->immdata; + wc->ex.imm_data = cpu_to_be32(le32_to_cpu(orig_cqe->immdata)); wc->src_qp = orig_cqe->src_qp; memcpy(wc->smac, orig_cqe->smac, ETH_ALEN); wc->port_num = 1; @@ -2947,7 +2947,7 @@ int bnxt_re_poll_cq(struct ib_cq *ib_cq, int num_entries, struct ib_wc *wc) continue; } wc->qp = &qp->ib_qp; - wc->ex.imm_data = cqe->immdata; + wc->ex.imm_data = cpu_to_be32(le32_to_cpu(cqe->immdata)); wc->src_qp = cqe->src_qp; memcpy(wc->smac, cqe->smac, ETH_ALEN); wc->port_num = 1; diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h index 8ead70ca1c1d..30e0af39a1ee 100644 --- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h +++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h @@ -123,7 +123,7 @@ struct bnxt_qplib_swqe { /* Send, with imm, inval key */ struct { union { - __be32 imm_data; + u32 imm_data; u32 inv_key; }; u32 q_key; @@ -141,7 +141,7 @@ struct bnxt_qplib_swqe { /* RDMA write, with imm, read */ struct { union { - __be32 imm_data; + u32 imm_data; u32 inv_key; }; u64 remote_va; @@ -327,7 +327,7 @@ struct bnxt_qplib_cqe { u32 length; u64 wr_id; union { - __be32 immdata; + __le32 immdata; u32 invrkey; }; u64 qp_handle; From ccfb620ebf3085fca54472461544c796cbd7db5d Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Sat, 13 Jul 2024 16:47:38 +0200 Subject: [PATCH 043/173] netfilter: ctnetlink: use helper function to calculate expect ID [ Upstream commit 782161895eb4ac45cf7cfa8db375bd4766cb8299 ] Delete expectation path is missing a call to the nf_expect_get_id() helper function to calculate the expectation ID, otherwise LSB of the expectation object address is leaked to userspace. Fixes: 3c79107631db ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id") Reported-by: zdi-disclosures@trendmicro.com Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin (cherry picked from commit 66e7650dbbb8e236e781c670b167edc81e771450) Signed-off-by: Vegard Nossum --- net/netfilter/nf_conntrack_netlink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 1d0abd8529e6..56ed7f9bcef6 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -2986,7 +2986,8 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl, if (cda[CTA_EXPECT_ID]) { __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); - if (ntohl(id) != (u32)(unsigned long)exp) { + + if (id != nf_expect_get_id(exp)) { nf_ct_expect_put(exp); return -ENOENT; } From ee8bf45248bc530e2dc9a0a7f833febbe89fd2e1 Mon Sep 17 00:00:00 2001 From: Yang Yingliang Date: Thu, 6 Jun 2024 10:37:02 +0800 Subject: [PATCH 044/173] pinctrl: core: fix possible memory leak when pinctrl_enable() fails [ Upstream commit ae1cf4759972c5fe665ee4c5e0c29de66fe3cf4a ] In devm_pinctrl_register(), if pinctrl_enable() fails in pinctrl_register(), the "pctldev" has not been added to dev resources, so devm_pinctrl_dev_release() can not be called, it leads memory leak. Introduce pinctrl_uninit_controller(), call it in the error path to free memory. Fixes: 5038a66dad01 ("pinctrl: core: delete incorrect free in pinctrl_enable()") Signed-off-by: Yang Yingliang Reviewed-by: Dan Carpenter Link: https://lore.kernel.org/r/20240606023704.3931561-2-yangyingliang@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin (cherry picked from commit 636f8fe03a14b0994a3dbdc05c8fa8c8296c1357) Signed-off-by: Vegard Nossum --- drivers/pinctrl/core.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/pinctrl/core.c b/drivers/pinctrl/core.c index 5a6e23c74c22..4433ce25e623 100644 --- a/drivers/pinctrl/core.c +++ b/drivers/pinctrl/core.c @@ -2015,6 +2015,14 @@ out_err: return ERR_PTR(ret); } +static void pinctrl_uninit_controller(struct pinctrl_dev *pctldev, struct pinctrl_desc *pctldesc) +{ + pinctrl_free_pindescs(pctldev, pctldesc->pins, + pctldesc->npins); + mutex_destroy(&pctldev->mutex); + kfree(pctldev); +} + static int pinctrl_claim_hogs(struct pinctrl_dev *pctldev) { pctldev->p = create_pinctrl(pctldev->dev, pctldev); @@ -2095,8 +2103,10 @@ struct pinctrl_dev *pinctrl_register(struct pinctrl_desc *pctldesc, return pctldev; error = pinctrl_enable(pctldev); - if (error) + if (error) { + pinctrl_uninit_controller(pctldev, pctldesc); return ERR_PTR(error); + } return pctldev; From fbd206c9e544f6e8fbb844534d05817ab6ed637a Mon Sep 17 00:00:00 2001 From: Yang Yingliang Date: Thu, 6 Jun 2024 10:37:03 +0800 Subject: [PATCH 045/173] pinctrl: single: fix possible memory leak when pinctrl_enable() fails [ Upstream commit 8f773bfbdd428819328a2d185976cfc6ae811cd3 ] This driver calls pinctrl_register_and_init() which is not devm_ managed, it will leads memory leak if pinctrl_enable() fails. Replace it with devm_pinctrl_register_and_init(). And call pcs_free_resources() if pinctrl_enable() fails. Fixes: 5038a66dad01 ("pinctrl: core: delete incorrect free in pinctrl_enable()") Signed-off-by: Yang Yingliang Reviewed-by: Dan Carpenter Link: https://lore.kernel.org/r/20240606023704.3931561-3-yangyingliang@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin (cherry picked from commit 9dad82c7c7424c240db65f10ad999266f2967479) Signed-off-by: Vegard Nossum --- drivers/pinctrl/pinctrl-single.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c index 44936fca576e..4deb20d8291c 100644 --- a/drivers/pinctrl/pinctrl-single.c +++ b/drivers/pinctrl/pinctrl-single.c @@ -1268,7 +1268,6 @@ static void pcs_irq_free(struct pcs_device *pcs) static void pcs_free_resources(struct pcs_device *pcs) { pcs_irq_free(pcs); - pinctrl_unregister(pcs->pctl); #if IS_BUILTIN(CONFIG_PINCTRL_SINGLE) if (pcs->missing_nr_pinctrl_cells) @@ -1749,7 +1748,7 @@ static int pcs_probe(struct platform_device *pdev) if (ret < 0) goto free; - ret = pinctrl_register_and_init(&pcs->desc, pcs->dev, pcs, &pcs->pctl); + ret = devm_pinctrl_register_and_init(pcs->dev, &pcs->desc, pcs, &pcs->pctl); if (ret) { dev_err(pcs->dev, "could not register single pinctrl driver\n"); goto free; @@ -1783,8 +1782,10 @@ static int pcs_probe(struct platform_device *pdev) dev_info(pcs->dev, "%i pins at pa %p size %u\n", pcs->desc.npins, pcs->base, pcs->size); - return pinctrl_enable(pcs->pctl); + if (pinctrl_enable(pcs->pctl)) + goto free; + return 0; free: pcs_free_resources(pcs); From 9521c0b13c94c6ad389f9a5d7f8213891d8924a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= Date: Mon, 9 Oct 2023 10:38:39 +0200 Subject: [PATCH 046/173] pinctrl: ti: ti-iodelay: Drop if block with always false condition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 88b3f108502bc45e6ebd005702add46759f3f45a ] ti_iodelay_remove() is only called after ti_iodelay_probe() completed successfully. In this case platform_set_drvdata() was called with a non-NULL argument and so platform_get_drvdata() won't return NULL. Simplify by removing the if block with the always false condition. Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20231009083856.222030-4-u.kleine-koenig@pengutronix.de Signed-off-by: Linus Walleij Stable-dep-of: 9b401f4a7170 ("pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails") Signed-off-by: Sasha Levin (cherry picked from commit 268b3ff414ae8942af9d6c981b5df8667c2b76b6) Signed-off-by: Vegard Nossum --- drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c index 8ac1f1ce4442..b58d56b72eb8 100644 --- a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c +++ b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c @@ -910,9 +910,6 @@ static int ti_iodelay_remove(struct platform_device *pdev) { struct ti_iodelay_device *iod = platform_get_drvdata(pdev); - if (!iod) - return 0; - if (iod->pctl) pinctrl_unregister(iod->pctl); From 78e3f7ec45416b8b0a25ef8fcbf85b653f49d5bb Mon Sep 17 00:00:00 2001 From: Yang Yingliang Date: Thu, 6 Jun 2024 10:37:04 +0800 Subject: [PATCH 047/173] pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails [ Upstream commit 9b401f4a7170125365160c9af267a41ff6b39001 ] This driver calls pinctrl_register_and_init() which is not devm_ managed, it will leads memory leak if pinctrl_enable() fails. Replace it with devm_pinctrl_register_and_init(). And add missing of_node_put() in the error path. Fixes: 5038a66dad01 ("pinctrl: core: delete incorrect free in pinctrl_enable()") Signed-off-by: Yang Yingliang Reviewed-by: Dan Carpenter Link: https://lore.kernel.org/r/20240606023704.3931561-4-yangyingliang@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin (cherry picked from commit 7d720f351714dcbeb578af67bb7e66326504826c) Signed-off-by: Vegard Nossum --- drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c index b58d56b72eb8..eb3d7a02fcf6 100644 --- a/drivers/pinctrl/ti/pinctrl-ti-iodelay.c +++ b/drivers/pinctrl/ti/pinctrl-ti-iodelay.c @@ -885,7 +885,7 @@ static int ti_iodelay_probe(struct platform_device *pdev) iod->desc.name = dev_name(dev); iod->desc.owner = THIS_MODULE; - ret = pinctrl_register_and_init(&iod->desc, dev, iod, &iod->pctl); + ret = devm_pinctrl_register_and_init(dev, &iod->desc, iod, &iod->pctl); if (ret) { dev_err(dev, "Failed to register pinctrl\n"); goto exit_out; @@ -893,7 +893,11 @@ static int ti_iodelay_probe(struct platform_device *pdev) platform_set_drvdata(pdev, iod); - return pinctrl_enable(iod->pctl); + ret = pinctrl_enable(iod->pctl); + if (ret) + goto exit_out; + + return 0; exit_out: of_node_put(np); @@ -910,9 +914,6 @@ static int ti_iodelay_remove(struct platform_device *pdev) { struct ti_iodelay_device *iod = platform_get_drvdata(pdev); - if (iod->pctl) - pinctrl_unregister(iod->pctl); - ti_iodelay_pinconf_deinit_dev(iod); /* Expect other allocations to be freed by devm */ From 251acaffa0bd813f67f7a92082bdbd101c395f4d Mon Sep 17 00:00:00 2001 From: Peng Fan Date: Sat, 4 May 2024 21:20:16 +0800 Subject: [PATCH 048/173] pinctrl: freescale: mxs: Fix refcount of child [ Upstream commit 7f500f2011c0bbb6e1cacab74b4c99222e60248e ] of_get_next_child() will increase refcount of the returned node, need use of_node_put() on it when done. Per current implementation, 'child' will be override by for_each_child_of_node(np, child), so use of_get_child_count to avoid refcount leakage. Fixes: 17723111e64f ("pinctrl: add pinctrl-mxs support") Signed-off-by: Peng Fan Link: https://lore.kernel.org/20240504-pinctrl-cleanup-v2-18-26c5f2dc1181@nxp.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin (cherry picked from commit c90d81a6e1f3daab4c06f7f8aba346abc76ae07a) Signed-off-by: Vegard Nossum --- drivers/pinctrl/freescale/pinctrl-mxs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/pinctrl/freescale/pinctrl-mxs.c b/drivers/pinctrl/freescale/pinctrl-mxs.c index 6852010a6d70..244a0c78f7a4 100644 --- a/drivers/pinctrl/freescale/pinctrl-mxs.c +++ b/drivers/pinctrl/freescale/pinctrl-mxs.c @@ -412,8 +412,8 @@ static int mxs_pinctrl_probe_dt(struct platform_device *pdev, int ret; u32 val; - child = of_get_next_child(np, NULL); - if (!child) { + val = of_get_child_count(np); + if (val == 0) { dev_err(&pdev->dev, "no group is defined\n"); return -ENOENT; } From 2891e08c6f20e3c7b4b09dac8e949a195b46ff8c Mon Sep 17 00:00:00 2001 From: Alex Shi Date: Tue, 15 Dec 2020 20:45:27 -0800 Subject: [PATCH 049/173] fs/nilfs2: remove some unused macros to tame gcc [ Upstream commit e7920b3e9d9f5470d5ff7d883e72a47addc0a137 ] There some macros are unused and cause gcc warning. Remove them. fs/nilfs2/segment.c:137:0: warning: macro "nilfs_cnt32_gt" is not used [-Wunused-macros] fs/nilfs2/segment.c:144:0: warning: macro "nilfs_cnt32_le" is not used [-Wunused-macros] fs/nilfs2/segment.c:143:0: warning: macro "nilfs_cnt32_lt" is not used [-Wunused-macros] Link: https://lkml.kernel.org/r/1607552733-24292-1-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Signed-off-by: Alex Shi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Stable-dep-of: 0f3819e8c483 ("nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro") Signed-off-by: Sasha Levin (cherry picked from commit 175ac70d8af52bc0f5b100901702fdb2bc662885) Signed-off-by: Vegard Nossum --- fs/nilfs2/segment.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index 5cc7218be3f7..e4f478cadd04 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -143,14 +143,9 @@ static void nilfs_segctor_do_flush(struct nilfs_sc_info *, int); static void nilfs_segctor_do_immediate_flush(struct nilfs_sc_info *); static void nilfs_dispose_list(struct the_nilfs *, struct list_head *, int); -#define nilfs_cnt32_gt(a, b) \ - (typecheck(__u32, a) && typecheck(__u32, b) && \ - ((__s32)(b) - (__s32)(a) < 0)) #define nilfs_cnt32_ge(a, b) \ (typecheck(__u32, a) && typecheck(__u32, b) && \ ((__s32)(a) - (__s32)(b) >= 0)) -#define nilfs_cnt32_lt(a, b) nilfs_cnt32_gt(b, a) -#define nilfs_cnt32_le(a, b) nilfs_cnt32_ge(b, a) static int nilfs_prepare_segment_lock(struct super_block *sb, struct nilfs_transaction_info *ti) From 440e5d6b0d782ee0786d780761f57a117c904288 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi Date: Wed, 3 Jul 2024 03:35:12 +0900 Subject: [PATCH 050/173] nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro [ Upstream commit 0f3819e8c483771a59cf9d3190cd68a7a990083c ] According to the C standard 3.4.3p3, the result of signed integer overflow is undefined. The macro nilfs_cnt32_ge(), which compares two sequence numbers, uses signed integer subtraction that can overflow, and therefore the result of the calculation may differ from what is expected due to undefined behavior in different environments. Similar to an earlier change to the jiffies-related comparison macros in commit 5a581b367b5d ("jiffies: Avoid undefined behavior from signed overflow"), avoid this potential issue by changing the definition of the macro to perform the subtraction as unsigned integers, then cast the result to a signed integer for comparison. Link: https://lkml.kernel.org/r/20130727225828.GA11864@linux.vnet.ibm.com Link: https://lkml.kernel.org/r/20240702183512.6390-1-konishi.ryusuke@gmail.com Fixes: 9ff05123e3bf ("nilfs2: segment constructor") Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin (cherry picked from commit d2b9bc7dfd6b0fa1a37eb91e68bca3175cb5ef50) Signed-off-by: Vegard Nossum --- fs/nilfs2/segment.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nilfs2/segment.c b/fs/nilfs2/segment.c index e4f478cadd04..d4b2405581d6 100644 --- a/fs/nilfs2/segment.c +++ b/fs/nilfs2/segment.c @@ -145,7 +145,7 @@ static void nilfs_dispose_list(struct the_nilfs *, struct list_head *, int); #define nilfs_cnt32_ge(a, b) \ (typecheck(__u32, a) && typecheck(__u32, b) && \ - ((__s32)(a) - (__s32)(b) >= 0)) + ((__s32)((a) - (b)) >= 0)) static int nilfs_prepare_segment_lock(struct super_block *sb, struct nilfs_transaction_info *ti) From 3065612975c688a1ea3f759a23856a4b9eefdc12 Mon Sep 17 00:00:00 2001 From: Yu Liao Date: Thu, 11 Jul 2024 20:48:43 +0800 Subject: [PATCH 051/173] tick/broadcast: Make takeover of broadcast hrtimer reliable commit f7d43dd206e7e18c182f200e67a8db8c209907fa upstream. Running the LTP hotplug stress test on a aarch64 machine results in rcu_sched stall warnings when the broadcast hrtimer was owned by the un-plugged CPU. The issue is the following: CPU1 (owns the broadcast hrtimer) CPU2 tick_broadcast_enter() // shutdown local timer device broadcast_shutdown_local() ... tick_broadcast_exit() clockevents_switch_state(dev, CLOCK_EVT_STATE_ONESHOT) // timer device is not programmed cpumask_set_cpu(cpu, tick_broadcast_force_mask) initiates offlining of CPU1 take_cpu_down() /* * CPU1 shuts down and does not * send broadcast IPI anymore */ takedown_cpu() hotplug_cpu__broadcast_tick_pull() // move broadcast hrtimer to this CPU clockevents_program_event() bc_set_next() hrtimer_start() /* * timer device is not programmed * because only the first expiring * timer will trigger clockevent * device reprogramming */ What happens is that CPU2 exits broadcast mode with force bit set, then the local timer device is not reprogrammed and CPU2 expects to receive the expired event by the broadcast IPI. But this does not happen because CPU1 is offlined by CPU2. CPU switches the clockevent device to ONESHOT state, but does not reprogram the device. The subsequent reprogramming of the hrtimer broadcast device does not program the clockevent device of CPU2 either because the pending expiry time is already in the past and the CPU expects the event to be delivered. As a consequence all CPUs which wait for a broadcast event to be delivered are stuck forever. Fix this issue by reprogramming the local timer device if the broadcast force bit of the CPU is set so that the broadcast hrtimer is delivered. [ tglx: Massage comment and change log. Add Fixes tag ] Fixes: 989dcb645ca7 ("tick: Handle broadcast wakeup of multiple cpus") Signed-off-by: Yu Liao Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240711124843.64167-1-liaoyu15@huawei.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit dfe19aa91378972f10530635ad83b2d77f481044) Signed-off-by: Vegard Nossum --- kernel/time/tick-broadcast.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c index aa2094d5dd27..285c185b90aa 100644 --- a/kernel/time/tick-broadcast.c +++ b/kernel/time/tick-broadcast.c @@ -941,6 +941,7 @@ void tick_broadcast_switch_to_oneshot(void) #ifdef CONFIG_HOTPLUG_CPU void hotplug_cpu__broadcast_tick_pull(int deadcpu) { + struct tick_device *td = this_cpu_ptr(&tick_cpu_device); struct clock_event_device *bc; unsigned long flags; @@ -948,6 +949,28 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu) bc = tick_broadcast_device.evtdev; if (bc && broadcast_needs_cpu(bc, deadcpu)) { + /* + * If the broadcast force bit of the current CPU is set, + * then the current CPU has not yet reprogrammed the local + * timer device to avoid a ping-pong race. See + * ___tick_broadcast_oneshot_control(). + * + * If the broadcast device is hrtimer based then + * programming the broadcast event below does not have any + * effect because the local clockevent device is not + * running and not programmed because the broadcast event + * is not earlier than the pending event of the local clock + * event device. As a consequence all CPUs waiting for a + * broadcast event are stuck forever. + * + * Detect this condition and reprogram the cpu local timer + * device to avoid the starvation. + */ + if (tick_check_broadcast_expired()) { + cpumask_clear_cpu(smp_processor_id(), tick_broadcast_force_mask); + tick_program_event(td->evtdev->next_event, 1); + } + /* This moves the broadcast assignment to this CPU: */ clockevents_program_event(bc, bc->next_event, 1); } From d5744057122276d5d9c9b33a8e567e963897d502 Mon Sep 17 00:00:00 2001 From: Breno Leitao Date: Fri, 12 Jul 2024 07:34:15 -0700 Subject: [PATCH 052/173] net: netconsole: Disable target before netpoll cleanup commit 97d9fba9a812cada5484667a46e14a4c976ca330 upstream. Currently, netconsole cleans up the netpoll structure before disabling the target. This approach can lead to race conditions, as message senders (write_ext_msg() and write_msg()) check if the target is enabled before using netpoll. The sender can validate that the target is enabled, but, the netpoll might be de-allocated already, causing undesired behaviours. This patch reverses the order of operations: 1. Disable the target 2. Clean up the netpoll structure This change eliminates the potential race condition, ensuring that no messages are sent through a partially cleaned-up netpoll structure. Fixes: 2382b15bcc39 ("netconsole: take care of NETDEV_UNREGISTER event") Cc: stable@vger.kernel.org Signed-off-by: Breno Leitao Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20240712143415.1141039-1-leitao@debian.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 608a07143563a2a0d1edd57b2f4e95b0199fb497) Signed-off-by: Vegard Nossum --- drivers/net/netconsole.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/netconsole.c b/drivers/net/netconsole.c index 0e27920c2b6b..db45b7a51716 100644 --- a/drivers/net/netconsole.c +++ b/drivers/net/netconsole.c @@ -727,6 +727,7 @@ restart: /* rtnl_lock already held * we might sleep in __netpoll_cleanup() */ + nt->enabled = false; spin_unlock_irqrestore(&target_list_lock, flags); __netpoll_cleanup(&nt->np); @@ -734,7 +735,6 @@ restart: spin_lock_irqsave(&target_list_lock, flags); dev_put(nt->np.dev); nt->np.dev = NULL; - nt->enabled = false; stopped = true; netconsole_target_put(nt); goto restart; From 6d8fa691e6733006d5c061a297fe601d126d748b Mon Sep 17 00:00:00 2001 From: Chengen Du Date: Sat, 13 Jul 2024 19:47:35 +0800 Subject: [PATCH 053/173] af_packet: Handle outgoing VLAN packets without hardware offloading commit 79eecf631c14e7f4057186570ac20e2cfac3802e upstream. The issue initially stems from libpcap. The ethertype will be overwritten as the VLAN TPID if the network interface lacks hardware VLAN offloading. In the outbound packet path, if hardware VLAN offloading is unavailable, the VLAN tag is inserted into the payload but then cleared from the sk_buff struct. Consequently, this can lead to a false negative when checking for the presence of a VLAN tag, causing the packet sniffing outcome to lack VLAN tag information (i.e., TCI-TPID). As a result, the packet capturing tool may be unable to parse packets as expected. The TCI-TPID is missing because the prb_fill_vlan_info() function does not modify the tp_vlan_tci/tp_vlan_tpid values, as the information is in the payload and not in the sk_buff struct. The skb_vlan_tag_present() function only checks vlan_all in the sk_buff struct. In cooked mode, the L2 header is stripped, preventing the packet capturing tool from determining the correct TCI-TPID value. Additionally, the protocol in SLL is incorrect, which means the packet capturing tool cannot parse the L3 header correctly. Link: https://github.com/the-tcpdump-group/libpcap/issues/1105 Link: https://lore.kernel.org/netdev/20240520070348.26725-1-chengen.du@canonical.com/T/#u Fixes: 393e52e33c6c ("packet: deliver VLAN TCI to userspace") Cc: stable@vger.kernel.org Signed-off-by: Chengen Du Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/20240713114735.62360-1-chengen.du@canonical.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 3dfd84aa72fa7329ed4a257c8f40e0c9aff4dc8f) Signed-off-by: Vegard Nossum --- net/packet/af_packet.c | 86 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 84 insertions(+), 2 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 0cc0a0002584..62bc43421c67 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -532,6 +532,61 @@ static void *packet_current_frame(struct packet_sock *po, return packet_lookup_frame(po, rb, rb->head, status); } +static u16 vlan_get_tci(struct sk_buff *skb, struct net_device *dev) +{ + u8 *skb_orig_data = skb->data; + int skb_orig_len = skb->len; + struct vlan_hdr vhdr, *vh; + unsigned int header_len; + + if (!dev) + return 0; + + /* In the SOCK_DGRAM scenario, skb data starts at the network + * protocol, which is after the VLAN headers. The outer VLAN + * header is at the hard_header_len offset in non-variable + * length link layer headers. If it's a VLAN device, the + * min_header_len should be used to exclude the VLAN header + * size. + */ + if (dev->min_header_len == dev->hard_header_len) + header_len = dev->hard_header_len; + else if (is_vlan_dev(dev)) + header_len = dev->min_header_len; + else + return 0; + + skb_push(skb, skb->data - skb_mac_header(skb)); + vh = skb_header_pointer(skb, header_len, sizeof(vhdr), &vhdr); + if (skb_orig_data != skb->data) { + skb->data = skb_orig_data; + skb->len = skb_orig_len; + } + if (unlikely(!vh)) + return 0; + + return ntohs(vh->h_vlan_TCI); +} + +static __be16 vlan_get_protocol_dgram(struct sk_buff *skb) +{ + __be16 proto = skb->protocol; + + if (unlikely(eth_type_vlan(proto))) { + u8 *skb_orig_data = skb->data; + int skb_orig_len = skb->len; + + skb_push(skb, skb->data - skb_mac_header(skb)); + proto = __vlan_get_protocol(skb, proto, NULL); + if (skb_orig_data != skb->data) { + skb->data = skb_orig_data; + skb->len = skb_orig_len; + } + } + + return proto; +} + static void prb_del_retire_blk_timer(struct tpacket_kbdq_core *pkc) { del_timer_sync(&pkc->retire_blk_timer); @@ -1014,10 +1069,16 @@ static void prb_clear_rxhash(struct tpacket_kbdq_core *pkc, static void prb_fill_vlan_info(struct tpacket_kbdq_core *pkc, struct tpacket3_hdr *ppd) { + struct packet_sock *po = container_of(pkc, struct packet_sock, rx_ring.prb_bdqc); + if (skb_vlan_tag_present(pkc->skb)) { ppd->hv1.tp_vlan_tci = skb_vlan_tag_get(pkc->skb); ppd->hv1.tp_vlan_tpid = ntohs(pkc->skb->vlan_proto); ppd->tp_status = TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; + } else if (unlikely(po->sk.sk_type == SOCK_DGRAM && eth_type_vlan(pkc->skb->protocol))) { + ppd->hv1.tp_vlan_tci = vlan_get_tci(pkc->skb, pkc->skb->dev); + ppd->hv1.tp_vlan_tpid = ntohs(pkc->skb->protocol); + ppd->tp_status = TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; } else { ppd->hv1.tp_vlan_tci = 0; ppd->hv1.tp_vlan_tpid = 0; @@ -2383,6 +2444,10 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, h.h2->tp_vlan_tci = skb_vlan_tag_get(skb); h.h2->tp_vlan_tpid = ntohs(skb->vlan_proto); status |= TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; + } else if (unlikely(sk->sk_type == SOCK_DGRAM && eth_type_vlan(skb->protocol))) { + h.h2->tp_vlan_tci = vlan_get_tci(skb, skb->dev); + h.h2->tp_vlan_tpid = ntohs(skb->protocol); + status |= TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; } else { h.h2->tp_vlan_tci = 0; h.h2->tp_vlan_tpid = 0; @@ -2412,7 +2477,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, sll->sll_halen = dev_parse_header(skb, sll->sll_addr); sll->sll_family = AF_PACKET; sll->sll_hatype = dev->type; - sll->sll_protocol = skb->protocol; + sll->sll_protocol = (sk->sk_type == SOCK_DGRAM) ? + vlan_get_protocol_dgram(skb) : skb->protocol; sll->sll_pkttype = skb->pkt_type; if (unlikely(packet_sock_flag(po, PACKET_SOCK_ORIGDEV))) sll->sll_ifindex = orig_dev->ifindex; @@ -3448,7 +3514,8 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, /* Original length was stored in sockaddr_ll fields */ origlen = PACKET_SKB_CB(skb)->sa.origlen; sll->sll_family = AF_PACKET; - sll->sll_protocol = skb->protocol; + sll->sll_protocol = (sock->type == SOCK_DGRAM) ? + vlan_get_protocol_dgram(skb) : skb->protocol; } sock_recv_ts_and_drops(msg, sk, skb); @@ -3503,6 +3570,21 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, aux.tp_vlan_tci = skb_vlan_tag_get(skb); aux.tp_vlan_tpid = ntohs(skb->vlan_proto); aux.tp_status |= TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; + } else if (unlikely(sock->type == SOCK_DGRAM && eth_type_vlan(skb->protocol))) { + struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll; + struct net_device *dev; + + rcu_read_lock(); + dev = dev_get_by_index_rcu(sock_net(sk), sll->sll_ifindex); + if (dev) { + aux.tp_vlan_tci = vlan_get_tci(skb, dev); + aux.tp_vlan_tpid = ntohs(skb->protocol); + aux.tp_status |= TP_STATUS_VLAN_VALID | TP_STATUS_VLAN_TPID_VALID; + } else { + aux.tp_vlan_tci = 0; + aux.tp_vlan_tpid = 0; + } + rcu_read_unlock(); } else { aux.tp_vlan_tci = 0; aux.tp_vlan_tpid = 0; From f58439a91781f888dce8463243b4d83be380d21c Mon Sep 17 00:00:00 2001 From: Nicolas Dichtel Date: Wed, 10 Jul 2024 10:14:29 +0200 Subject: [PATCH 054/173] ipv6: take care of scope when choosing the src addr commit abb9a68d2c64dd9b128ae1f2e635e4d805e7ce64 upstream. When the source address is selected, the scope must be checked. For example, if a loopback address is assigned to the vrf device, it must not be chosen for packets sent outside. CC: stable@vger.kernel.org Fixes: afbac6010aec ("net: ipv6: Address selection needs to consider L3 domains") Signed-off-by: Nicolas Dichtel Reviewed-by: David Ahern Link: https://patch.msgid.link/20240710081521.3809742-4-nicolas.dichtel@6wind.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman (cherry picked from commit b4f67f09287392e0a2f7422199a193e37f2737af) Signed-off-by: Vegard Nossum --- net/ipv6/addrconf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 2cf23aa68ec4..71da95dfd17a 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -1720,7 +1720,8 @@ int ipv6_dev_get_saddr(struct net *net, const struct net_device *dst_dev, master, &dst, scores, hiscore_idx); - if (scores[hiscore_idx].ifa) + if (scores[hiscore_idx].ifa && + scores[hiscore_idx].scopedist >= 0) goto out; } From 058c66e9aa0cd80581ff06b9294521e05ea1d0dd Mon Sep 17 00:00:00 2001 From: Dikshita Agarwal Date: Thu, 9 May 2024 10:44:29 +0530 Subject: [PATCH 055/173] media: venus: fix use after free in vdec_close commit a0157b5aa34eb43ec4c5510f9c260bbb03be937e upstream. There appears to be a possible use after free with vdec_close(). The firmware will add buffer release work to the work queue through HFI callbacks as a normal part of decoding. Randomly closing the decoder device from userspace during normal decoding can incur a read after free for inst. Fix it by cancelling the work in vdec_close. Cc: stable@vger.kernel.org Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions") Signed-off-by: Dikshita Agarwal Acked-by: Vikash Garodia Signed-off-by: Stanimir Varbanov Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman (cherry picked from commit ad8cf035baf29467158e0550c7a42b7bb43d1db6) Signed-off-by: Vegard Nossum --- drivers/media/platform/qcom/venus/vdec.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/platform/qcom/venus/vdec.c b/drivers/media/platform/qcom/venus/vdec.c index 5f0965593a0d..c97f60588361 100644 --- a/drivers/media/platform/qcom/venus/vdec.c +++ b/drivers/media/platform/qcom/venus/vdec.c @@ -1039,6 +1039,7 @@ static int vdec_close(struct file *file) { struct venus_inst *inst = to_inst(file); + cancel_work_sync(&inst->delayed_process_work); v4l2_m2m_ctx_release(inst->m2m_ctx); v4l2_m2m_release(inst->m2m_dev); vdec_ctrl_deinit(inst); From 26722f11717342d8f7deeb0c23fa6814bc31a48c Mon Sep 17 00:00:00 2001 From: Chao Yu Date: Sun, 16 Jun 2024 09:38:41 +0800 Subject: [PATCH 056/173] hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() commit 26a2ed107929a855155429b11e1293b83e6b2a8b upstream. Syzbot reports uninitialized value access issue as below: loop0: detected capacity change from 0 to 64 ===================================================== BUG: KMSAN: uninit-value in hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30 hfs_revalidate_dentry+0x307/0x3f0 fs/hfs/sysdep.c:30 d_revalidate fs/namei.c:862 [inline] lookup_fast+0x89e/0x8e0 fs/namei.c:1649 walk_component fs/namei.c:2001 [inline] link_path_walk+0x817/0x1480 fs/namei.c:2332 path_lookupat+0xd9/0x6f0 fs/namei.c:2485 filename_lookup+0x22e/0x740 fs/namei.c:2515 user_path_at_empty+0x8b/0x390 fs/namei.c:2924 user_path_at include/linux/namei.h:57 [inline] do_mount fs/namespace.c:3689 [inline] __do_sys_mount fs/namespace.c:3898 [inline] __se_sys_mount+0x66b/0x810 fs/namespace.c:3875 __x64_sys_mount+0xe4/0x140 fs/namespace.c:3875 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b BUG: KMSAN: uninit-value in hfs_ext_read_extent fs/hfs/extent.c:196 [inline] BUG: KMSAN: uninit-value in hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366 hfs_ext_read_extent fs/hfs/extent.c:196 [inline] hfs_get_block+0x92d/0x1620 fs/hfs/extent.c:366 block_read_full_folio+0x4ff/0x11b0 fs/buffer.c:2271 hfs_read_folio+0x55/0x60 fs/hfs/inode.c:39 filemap_read_folio+0x148/0x4f0 mm/filemap.c:2426 do_read_cache_folio+0x7c8/0xd90 mm/filemap.c:3553 do_read_cache_page mm/filemap.c:3595 [inline] read_cache_page+0xfb/0x2f0 mm/filemap.c:3604 read_mapping_page include/linux/pagemap.h:755 [inline] hfs_btree_open+0x928/0x1ae0 fs/hfs/btree.c:78 hfs_mdb_get+0x260c/0x3000 fs/hfs/mdb.c:204 hfs_fill_super+0x1fb1/0x2790 fs/hfs/super.c:406 mount_bdev+0x628/0x920 fs/super.c:1359 hfs_mount+0xcd/0xe0 fs/hfs/super.c:456 legacy_get_tree+0x167/0x2e0 fs/fs_context.c:610 vfs_get_tree+0xdc/0x5d0 fs/super.c:1489 do_new_mount+0x7a9/0x16f0 fs/namespace.c:3145 path_mount+0xf98/0x26a0 fs/namespace.c:3475 do_mount fs/namespace.c:3488 [inline] __do_sys_mount fs/namespace.c:3697 [inline] __se_sys_mount+0x919/0x9e0 fs/namespace.c:3674 __ia32_sys_mount+0x15b/0x1b0 fs/namespace.c:3674 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0xa2/0x100 arch/x86/entry/common.c:178 do_fast_syscall_32+0x37/0x80 arch/x86/entry/common.c:203 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:246 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Uninit was created at: __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590 __alloc_pages_node include/linux/gfp.h:238 [inline] alloc_pages_node include/linux/gfp.h:261 [inline] alloc_slab_page mm/slub.c:2190 [inline] allocate_slab mm/slub.c:2354 [inline] new_slab+0x2d7/0x1400 mm/slub.c:2407 ___slab_alloc+0x16b5/0x3970 mm/slub.c:3540 __slab_alloc mm/slub.c:3625 [inline] __slab_alloc_node mm/slub.c:3678 [inline] slab_alloc_node mm/slub.c:3850 [inline] kmem_cache_alloc_lru+0x64d/0xb30 mm/slub.c:3879 alloc_inode_sb include/linux/fs.h:3018 [inline] hfs_alloc_inode+0x5a/0xc0 fs/hfs/super.c:165 alloc_inode+0x83/0x440 fs/inode.c:260 new_inode_pseudo fs/inode.c:1005 [inline] new_inode+0x38/0x4f0 fs/inode.c:1031 hfs_new_inode+0x61/0x1010 fs/hfs/inode.c:186 hfs_mkdir+0x54/0x250 fs/hfs/dir.c:228 vfs_mkdir+0x49a/0x700 fs/namei.c:4126 do_mkdirat+0x529/0x810 fs/namei.c:4149 __do_sys_mkdirat fs/namei.c:4164 [inline] __se_sys_mkdirat fs/namei.c:4162 [inline] __x64_sys_mkdirat+0xc8/0x120 fs/namei.c:4162 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x63/0x6b It missed to initialize .tz_secondswest, .cached_start and .cached_blocks fields in struct hfs_inode_info after hfs_alloc_inode(), fix it. Cc: stable@vger.kernel.org Reported-by: syzbot+3ae6be33a50b5aae4dab@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-fsdevel/0000000000005ad04005ee48897f@google.com Signed-off-by: Chao Yu Link: https://lore.kernel.org/r/20240616013841.2217-1-chao@kernel.org Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman (cherry picked from commit f7316b2b2f11cf0c6de917beee8d3de728be24db) Signed-off-by: Vegard Nossum --- fs/hfs/inode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c index 9718e7409c2b..fb416af35896 100644 --- a/fs/hfs/inode.c +++ b/fs/hfs/inode.c @@ -199,6 +199,7 @@ struct inode *hfs_new_inode(struct inode *dir, const struct qstr *name, umode_t HFS_I(inode)->flags = 0; HFS_I(inode)->rsrc_inode = NULL; HFS_I(inode)->fs_blocks = 0; + HFS_I(inode)->tz_secondswest = sys_tz.tz_minuteswest * 60; if (S_ISDIR(mode)) { inode->i_size = 2; HFS_SB(sb)->folder_count++; @@ -274,6 +275,8 @@ void hfs_inode_read_fork(struct inode *inode, struct hfs_extent *ext, for (count = 0, i = 0; i < 3; i++) count += be16_to_cpu(ext[i].count); HFS_I(inode)->first_blocks = count; + HFS_I(inode)->cached_start = 0; + HFS_I(inode)->cached_blocks = 0; inode->i_size = HFS_I(inode)->phys_size = log_size; HFS_I(inode)->fs_blocks = (log_size + sb->s_blocksize - 1) >> sb->s_blocksize_bits; From d92238c8b1116bff1babca839d923d345128c202 Mon Sep 17 00:00:00 2001 From: Ma Ke Date: Tue, 9 Jul 2024 19:33:11 +0800 Subject: [PATCH 057/173] drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes commit cb520c3f366c77e8d69e4e2e2781a8ce48d98e79 upstream. In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. Cc: stable@vger.kernel.org Fixes: 6a227d5fd6c4 ("gma500: Add support for Cedarview") Signed-off-by: Ma Ke Signed-off-by: Patrik Jakobsson Link: https://patchwork.freedesktop.org/patch/msgid/20240709113311.37168-1-make24@iscas.ac.cn Signed-off-by: Greg Kroah-Hartman (cherry picked from commit f392c36cebf4c1d6997a4cc2c0f205254acef42a) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/gma500/cdv_intel_lvds.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/gma500/cdv_intel_lvds.c b/drivers/gpu/drm/gma500/cdv_intel_lvds.c index e022951894e3..2f71382c300a 100644 --- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c +++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c @@ -404,6 +404,9 @@ static int cdv_intel_lvds_get_modes(struct drm_connector *connector) if (mode_dev->panel_fixed_mode != NULL) { struct drm_display_mode *mode = drm_mode_duplicate(dev, mode_dev->panel_fixed_mode); + if (!mode) + return 0; + drm_mode_probed_add(connector, mode); return 1; } From 2c7d6f35aea17924ebb60002a151c8e4909cb226 Mon Sep 17 00:00:00 2001 From: Ma Ke Date: Tue, 9 Jul 2024 17:20:11 +0800 Subject: [PATCH 058/173] drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes commit 2df7aac81070987b0f052985856aa325a38debf6 upstream. In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate() is assigned to mode, which will lead to a possible NULL pointer dereference on failure of drm_mode_duplicate(). Add a check to avoid npd. Cc: stable@vger.kernel.org Fixes: 89c78134cc54 ("gma500: Add Poulsbo support") Signed-off-by: Ma Ke Signed-off-by: Patrik Jakobsson Link: https://patchwork.freedesktop.org/patch/msgid/20240709092011.3204970-1-make24@iscas.ac.cn Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 13b5f3ee94bdbdc4b5f40582aab62977905aedee) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/gma500/psb_intel_lvds.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/gpu/drm/gma500/psb_intel_lvds.c b/drivers/gpu/drm/gma500/psb_intel_lvds.c index 8baf6325c6e4..5e5b05cde0f4 100644 --- a/drivers/gpu/drm/gma500/psb_intel_lvds.c +++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c @@ -519,6 +519,9 @@ static int psb_intel_lvds_get_modes(struct drm_connector *connector) if (mode_dev->panel_fixed_mode != NULL) { struct drm_display_mode *mode = drm_mode_duplicate(dev, mode_dev->panel_fixed_mode); + if (!mode) + return 0; + drm_mode_probed_add(connector, mode); return 1; } From 1ac49c559cf87bd78734f326ef6db4c2d876d804 Mon Sep 17 00:00:00 2001 From: Paolo Pisati Date: Sat, 1 Jun 2024 17:32:54 +0200 Subject: [PATCH 059/173] m68k: amiga: Turn off Warp1260 interrupts during boot commit 1d8491d3e726984343dd8c3cdbe2f2b47cfdd928 upstream. On an Amiga 1200 equipped with a Warp1260 accelerator, an interrupt storm coming from the accelerator board causes the machine to crash in local_irq_enable() or auto_irq_enable(). Disabling interrupts for the Warp1260 in amiga_parse_bootinfo() fixes the problem. Link: https://lore.kernel.org/r/ZkjwzVwYeQtyAPrL@amaterasu.local Cc: stable Signed-off-by: Paolo Pisati Reviewed-by: Michael Schmitz Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20240601153254.186225-1-p.pisati@gmail.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 296185ef87e6184e364bd9e7c983089b8e606a55) Signed-off-by: Vegard Nossum --- arch/m68k/amiga/config.c | 9 +++++++++ include/uapi/linux/zorro_ids.h | 3 +++ 2 files changed, 12 insertions(+) diff --git a/arch/m68k/amiga/config.c b/arch/m68k/amiga/config.c index 65f63a457130..52dec92614e8 100644 --- a/arch/m68k/amiga/config.c +++ b/arch/m68k/amiga/config.c @@ -181,6 +181,15 @@ int __init amiga_parse_bootinfo(const struct bi_record *record) dev->slotsize = be16_to_cpu(cd->cd_SlotSize); dev->boardaddr = be32_to_cpu(cd->cd_BoardAddr); dev->boardsize = be32_to_cpu(cd->cd_BoardSize); + + /* CS-LAB Warp 1260 workaround */ + if (be16_to_cpu(dev->rom.er_Manufacturer) == ZORRO_MANUF(ZORRO_PROD_CSLAB_WARP_1260) && + dev->rom.er_Product == ZORRO_PROD(ZORRO_PROD_CSLAB_WARP_1260)) { + + /* turn off all interrupts */ + pr_info("Warp 1260 card detected: applying interrupt storm workaround\n"); + *(uint32_t *)(dev->boardaddr + 0x1000) = 0xfff; + } } else pr_warn("amiga_parse_bootinfo: too many AutoConfig devices\n"); #endif /* CONFIG_ZORRO */ diff --git a/include/uapi/linux/zorro_ids.h b/include/uapi/linux/zorro_ids.h index 6e574d7b7d79..393f2ee9c042 100644 --- a/include/uapi/linux/zorro_ids.h +++ b/include/uapi/linux/zorro_ids.h @@ -449,6 +449,9 @@ #define ZORRO_PROD_VMC_ISDN_BLASTER_Z2 ZORRO_ID(VMC, 0x01, 0) #define ZORRO_PROD_VMC_HYPERCOM_4 ZORRO_ID(VMC, 0x02, 0) +#define ZORRO_MANUF_CSLAB 0x1400 +#define ZORRO_PROD_CSLAB_WARP_1260 ZORRO_ID(CSLAB, 0x65, 0) + #define ZORRO_MANUF_INFORMATION 0x157C #define ZORRO_PROD_INFORMATION_ISDN_ENGINE_I ZORRO_ID(INFORMATION, 0x64, 0) From 4ed99f550b6316ae9cfa1ffdb6c4f053631117e6 Mon Sep 17 00:00:00 2001 From: Baokun Li Date: Tue, 2 Jul 2024 21:23:48 +0800 Subject: [PATCH 060/173] ext4: check dot and dotdot of dx_root before making dir indexed commit 50ea741def587a64e08879ce6c6a30131f7111e7 upstream. Syzbot reports a issue as follows: ============================================ BUG: unable to handle page fault for address: ffffed11022e24fe PGD 23ffee067 P4D 23ffee067 PUD 0 Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 5079 Comm: syz-executor306 Not tainted 6.10.0-rc5-g55027e689933 #0 Call Trace: make_indexed_dir+0xdaf/0x13c0 fs/ext4/namei.c:2341 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2451 ext4_rename fs/ext4/namei.c:3936 [inline] ext4_rename2+0x26e5/0x4370 fs/ext4/namei.c:4214 [...] ============================================ The immediate cause of this problem is that there is only one valid dentry for the block to be split during do_split, so split==0 results in out of bounds accesses to the map triggering the issue. do_split unsigned split dx_make_map count = 1 split = count/2 = 0; continued = hash2 == map[split - 1].hash; ---> map[4294967295] The maximum length of a filename is 255 and the minimum block size is 1024, so it is always guaranteed that the number of entries is greater than or equal to 2 when do_split() is called. But syzbot's crafted image has no dot and dotdot in dir, and the dentry distribution in dirblock is as follows: bus dentry1 hole dentry2 free |xx--|xx-------------|...............|xx-------------|...............| 0 12 (8+248)=256 268 256 524 (8+256)=264 788 236 1024 So when renaming dentry1 increases its name_len length by 1, neither hole nor free is sufficient to hold the new dentry, and make_indexed_dir() is called. In make_indexed_dir() it is assumed that the first two entries of the dirblock must be dot and dotdot, so bus and dentry1 are left in dx_root because they are treated as dot and dotdot, and only dentry2 is moved to the new leaf block. That's why count is equal to 1. Therefore add the ext4_check_dx_root() helper function to add more sanity checks to dot and dotdot before starting the conversion to avoid the above issue. Reported-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ae688d469e36fb5138d0 Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3") Cc: stable@kernel.org Signed-off-by: Baokun Li Reviewed-by: Jan Kara Link: https://patch.msgid.link/20240702132349.2600605-2-libaokun@huaweicloud.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman (cherry picked from commit b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db) Signed-off-by: Vegard Nossum --- fs/ext4/namei.c | 56 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 51 insertions(+), 5 deletions(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 76744b42f989..5daeebc695f3 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -1978,6 +1978,52 @@ static int add_dirent_to_buf(handle_t *handle, struct ext4_filename *fname, return 0; } +static bool ext4_check_dx_root(struct inode *dir, struct dx_root *root) +{ + struct fake_dirent *fde; + const char *error_msg; + unsigned int rlen; + unsigned int blocksize = dir->i_sb->s_blocksize; + char *blockend = (char *)root + dir->i_sb->s_blocksize; + + fde = &root->dot; + if (unlikely(fde->name_len != 1)) { + error_msg = "invalid name_len for '.'"; + goto corrupted; + } + if (unlikely(strncmp(root->dot_name, ".", fde->name_len))) { + error_msg = "invalid name for '.'"; + goto corrupted; + } + rlen = ext4_rec_len_from_disk(fde->rec_len, blocksize); + if (unlikely((char *)fde + rlen >= blockend)) { + error_msg = "invalid rec_len for '.'"; + goto corrupted; + } + + fde = &root->dotdot; + if (unlikely(fde->name_len != 2)) { + error_msg = "invalid name_len for '..'"; + goto corrupted; + } + if (unlikely(strncmp(root->dotdot_name, "..", fde->name_len))) { + error_msg = "invalid name for '..'"; + goto corrupted; + } + rlen = ext4_rec_len_from_disk(fde->rec_len, blocksize); + if (unlikely((char *)fde + rlen >= blockend)) { + error_msg = "invalid rec_len for '..'"; + goto corrupted; + } + + return true; + +corrupted: + EXT4_ERROR_INODE(dir, "Corrupt dir, %s, running e2fsck is recommended", + error_msg); + return false; +} + /* * This converts a one block unindexed directory to a 3 block indexed * directory, and adds the dentry to the indexed directory. @@ -2012,17 +2058,17 @@ static int make_indexed_dir(handle_t *handle, struct ext4_filename *fname, brelse(bh); return retval; } + root = (struct dx_root *) bh->b_data; + if (!ext4_check_dx_root(dir, root)) { + brelse(bh); + return -EFSCORRUPTED; + } /* The 0th block becomes the root, move the dirents out */ fde = &root->dotdot; de = (struct ext4_dir_entry_2 *)((char *)fde + ext4_rec_len_from_disk(fde->rec_len, blocksize)); - if ((char *) de >= (((char *) root) + blocksize)) { - EXT4_ERROR_INODE(dir, "invalid rec_len for '..'"); - brelse(bh); - return -EFSCORRUPTED; - } len = ((char *) root) + (blocksize - csum_size) - (char *) de; /* Allocate new block for the 0th block's dirents */ From 839f30000100e2b3fb252f1755c4434cad12da0c Mon Sep 17 00:00:00 2001 From: Baokun Li Date: Tue, 2 Jul 2024 21:23:49 +0800 Subject: [PATCH 061/173] ext4: make sure the first directory block is not a hole commit f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6 upstream. The syzbot constructs a directory that has no dirblock but is non-inline, i.e. the first directory block is a hole. And no errors are reported when creating files in this directory in the following flow. ext4_mknod ... ext4_add_entry // Read block 0 ext4_read_dirblock(dir, block, DIRENT) bh = ext4_bread(NULL, inode, block, 0) if (!bh && (type == INDEX || type == DIRENT_HTREE)) // The first directory block is a hole // But type == DIRENT, so no error is reported. After that, we get a directory block without '.' and '..' but with a valid dentry. This may cause some code that relies on dot or dotdot (such as make_indexed_dir()) to crash. Therefore when ext4_read_dirblock() finds that the first directory block is a hole report that the filesystem is corrupted and return an error to avoid loading corrupted data from disk causing something bad. Reported-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=ae688d469e36fb5138d0 Fixes: 4e19d6b65fb4 ("ext4: allow directory holes") Cc: stable@kernel.org Signed-off-by: Baokun Li Reviewed-by: Jan Kara Link: https://patch.msgid.link/20240702132349.2600605-3-libaokun@huaweicloud.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman (cherry picked from commit d81d7e347d1f1f48a5634607d39eb90c161c8afe) Signed-off-by: Vegard Nossum --- fs/ext4/namei.c | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 5daeebc695f3..b67c742eda4e 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -133,10 +133,11 @@ static struct buffer_head *__ext4_read_dirblock(struct inode *inode, return bh; } - if (!bh && (type == INDEX || type == DIRENT_HTREE)) { + /* The first directory block must not be a hole. */ + if (!bh && (type == INDEX || type == DIRENT_HTREE || block == 0)) { ext4_error_inode(inode, func, line, block, - "Directory hole found for htree %s block", - (type == INDEX) ? "index" : "leaf"); + "Directory hole found for htree %s block %u", + (type == INDEX) ? "index" : "leaf", block); return ERR_PTR(-EFSCORRUPTED); } if (!bh) @@ -2828,10 +2829,7 @@ bool ext4_empty_dir(struct inode *inode) EXT4_ERROR_INODE(inode, "invalid size"); return true; } - /* The first directory block must not be a hole, - * so treat it as DIRENT_HTREE - */ - bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE); + bh = ext4_read_dirblock(inode, 0, EITHER); if (IS_ERR(bh)) return true; @@ -3430,10 +3428,7 @@ static struct buffer_head *ext4_get_first_dir_block(handle_t *handle, struct ext4_dir_entry_2 *de; unsigned int offset; - /* The first directory block must not be a hole, so - * treat it as DIRENT_HTREE - */ - bh = ext4_read_dirblock(inode, 0, DIRENT_HTREE); + bh = ext4_read_dirblock(inode, 0, EITHER); if (IS_ERR(bh)) { *retval = PTR_ERR(bh); return NULL; From b9bb3e4e90d4b44dc0667e7e5e24a8c4cd9eb9f5 Mon Sep 17 00:00:00 2001 From: Rafael Beims Date: Fri, 10 May 2024 13:04:58 +0200 Subject: [PATCH 062/173] wifi: mwifiex: Fix interface type change commit a17b9f590f6ec2b9f1b12b1db3bf1d181de6b272 upstream. When changing the interface type we also need to update the bss_num, the driver private data is searched based on a unique (bss_type, bss_num) tuple, therefore every time bss_type changes, bss_num must also change. This fixes for example an issue in which, after the mode changed, a wireless scan on the changed interface would not finish, leading to repeated -EBUSY messages to userspace when other scan requests were sent. Fixes: c606008b7062 ("mwifiex: Properly initialize private structure on interface type changes") Cc: stable@vger.kernel.org Signed-off-by: Rafael Beims Signed-off-by: Francesco Dolcini Signed-off-by: Kalle Valo Link: https://msgid.link/20240510110458.15475-1-francesco@dolcini.it Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 98cf9959a20dc374b7bba4b9357203e54484be58) Signed-off-by: Vegard Nossum --- drivers/net/wireless/marvell/mwifiex/cfg80211.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c index 76205d6b2f9c..aa5d1a5cbd52 100644 --- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c +++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c @@ -920,6 +920,8 @@ mwifiex_init_new_priv_params(struct mwifiex_private *priv, return -EOPNOTSUPP; } + priv->bss_num = mwifiex_get_unused_bss_num(adapter, priv->bss_type); + spin_lock_irqsave(&adapter->main_proc_lock, flags); adapter->main_locked = false; spin_unlock_irqrestore(&adapter->main_proc_lock, flags); From 4e71b875b885df71c21f8f1fa380064b59fdd414 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= Date: Mon, 27 May 2024 16:27:00 +0300 Subject: [PATCH 063/173] leds: ss4200: Convert PCIBIOS_* return codes to errnos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit ce068e83976140badb19c7f1307926b4b562fac4 upstream. ich7_lpc_probe() uses pci_read_config_dword() that returns PCIBIOS_* codes. The error handling code assumes incorrectly it's a normal errno and checks for < 0. The return code is returned from the probe function as is but probe functions should return normal errnos. Remove < 0 from the check and convert PCIBIOS_* returns code using pcibios_err_to_errno() into normal errno before returning it. Fixes: a328e95b82c1 ("leds: LED driver for Intel NAS SS4200 series (v5)") Cc: Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20240527132700.14260-1-ilpo.jarvinen@linux.intel.com Signed-off-by: Lee Jones Signed-off-by: Greg Kroah-Hartman (cherry picked from commit db1871789f3018c5b0788318d3b1c685f2decceb) Signed-off-by: Vegard Nossum --- drivers/leds/leds-ss4200.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/leds/leds-ss4200.c b/drivers/leds/leds-ss4200.c index a9db8674cd02..0e19fceb3769 100644 --- a/drivers/leds/leds-ss4200.c +++ b/drivers/leds/leds-ss4200.c @@ -368,8 +368,10 @@ static int ich7_lpc_probe(struct pci_dev *dev, nas_gpio_pci_dev = dev; status = pci_read_config_dword(dev, PMBASE, &g_pm_io_base); - if (status) + if (status) { + status = pcibios_err_to_errno(status); goto out; + } g_pm_io_base &= 0x00000ff80; status = pci_read_config_dword(dev, GPIO_CTRL, &gc); @@ -381,8 +383,9 @@ static int ich7_lpc_probe(struct pci_dev *dev, } status = pci_read_config_dword(dev, GPIO_BASE, &nas_gpio_io_base); - if (0 > status) { + if (status) { dev_info(&dev->dev, "Unable to read GPIOBASE.\n"); + status = pcibios_err_to_errno(status); goto out; } dev_dbg(&dev->dev, ": GPIOBASE = 0x%08x\n", nas_gpio_io_base); From 63576e19060aa3b515c02583870bde5d75260ed8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= Date: Mon, 27 May 2024 16:26:15 +0300 Subject: [PATCH 064/173] hwrng: amd - Convert PCIBIOS_* return codes to errnos MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 14cba6ace79627a57fb9058582b03f0ed3832390 upstream. amd_rng_mod_init() uses pci_read_config_dword() that returns PCIBIOS_* codes. The return code is then returned as is but amd_rng_mod_init() is a module_init() function that should return normal errnos. Convert PCIBIOS_* returns code using pcibios_err_to_errno() into normal errno before returning it. Fixes: 96d63c0297cc ("[PATCH] Add AMD HW RNG driver") Cc: stable@vger.kernel.org Signed-off-by: Ilpo Järvinen Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman (cherry picked from commit d48e11483e3eb8ade86c57f4145644725cd33eed) Signed-off-by: Vegard Nossum --- drivers/char/hw_random/amd-rng.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/char/hw_random/amd-rng.c b/drivers/char/hw_random/amd-rng.c index db3dd467194c..3f3fdf6ee3d5 100644 --- a/drivers/char/hw_random/amd-rng.c +++ b/drivers/char/hw_random/amd-rng.c @@ -142,8 +142,10 @@ static int __init mod_init(void) found: err = pci_read_config_dword(pdev, 0x58, &pmbase); - if (err) + if (err) { + err = pcibios_err_to_errno(err); goto put_dev; + } pmbase &= 0x0000FF00; if (pmbase == 0) { From 31754844f0fd1fbfd0a6fd857ec7021240b6d3a3 Mon Sep 17 00:00:00 2001 From: Wei Liu Date: Mon, 1 Jul 2024 20:26:05 +0000 Subject: [PATCH 065/173] PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit fea93a3e5d5e6a09eb153866d2ce60ea3287a70d upstream. The intent of the code snippet is to always return 0 for both PCI_INTERRUPT_LINE and PCI_INTERRUPT_PIN. The check misses PCI_INTERRUPT_PIN. This patch fixes that. This is discovered by this call in VFIO: pci_read_config_byte(vdev->pdev, PCI_INTERRUPT_PIN, &pin); The old code does not set *val to 0 because it misses the check for PCI_INTERRUPT_PIN. Garbage is returned in that case. Fixes: 4daace0d8ce8 ("PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs") Link: https://lore.kernel.org/linux-pci/20240701202606.129606-1-wei.liu@kernel.org Signed-off-by: Wei Liu Signed-off-by: Krzysztof Wilczyński Reviewed-by: Michael Kelley Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman (cherry picked from commit e9cafb31aa498558d6ff7b28baed894db7d801f3) Signed-off-by: Vegard Nossum --- drivers/pci/host/pci-hyperv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/pci/host/pci-hyperv.c b/drivers/pci/host/pci-hyperv.c index 7c872f71459c..602cf05a8e3f 100644 --- a/drivers/pci/host/pci-hyperv.c +++ b/drivers/pci/host/pci-hyperv.c @@ -665,8 +665,8 @@ static void _hv_pcifront_read_config(struct hv_pci_dev *hpdev, int where, PCI_CAPABILITY_LIST) { /* ROM BARs are unimplemented */ *val = 0; - } else if (where >= PCI_INTERRUPT_LINE && where + size <= - PCI_INTERRUPT_PIN) { + } else if ((where >= PCI_INTERRUPT_LINE && where + size <= PCI_INTERRUPT_PIN) || + (where >= PCI_INTERRUPT_PIN && where + size <= PCI_MIN_GNT)) { /* * Interrupt Line and Interrupt PIN are hard-wired to zero * because this front-end only supports message-signaled From 080400d0031e6b30ae84fa1722d55cb6a3376f8c Mon Sep 17 00:00:00 2001 From: Carlos Llamas Date: Thu, 11 Jul 2024 20:14:51 +0000 Subject: [PATCH 066/173] binder: fix hang of unregistered readers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 31643d84b8c3d9c846aa0e20bc033e46c68c7e7d upstream. With the introduction of binder_available_for_proc_work_ilocked() in commit 1b77e9dcc3da ("ANDROID: binder: remove proc waitqueue") a binder thread can only "wait_for_proc_work" after its thread->looper has been marked as BINDER_LOOPER_STATE_{ENTERED|REGISTERED}. This means an unregistered reader risks waiting indefinitely for work since it never gets added to the proc->waiting_threads. If there are no further references to its waitqueue either the task will hang. The same applies to readers using the (e)poll interface. I couldn't find the rationale behind this restriction. So this patch restores the previous behavior of allowing unregistered threads to "wait_for_proc_work". Note that an error message for this scenario, which had previously become unreachable, is now re-enabled. Fixes: 1b77e9dcc3da ("ANDROID: binder: remove proc waitqueue") Cc: stable@vger.kernel.org Cc: Martijn Coenen Cc: Arve Hjønnevåg Signed-off-by: Carlos Llamas Link: https://lore.kernel.org/r/20240711201452.2017543-1-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 229670361c29381b0e1677763590e4dbc209ecbe) Signed-off-by: Vegard Nossum --- drivers/android/binder.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index e85a1fe2039d..bdf8729d133f 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -1000,9 +1000,7 @@ static bool binder_has_work(struct binder_thread *thread, bool do_proc_work) static bool binder_available_for_proc_work_ilocked(struct binder_thread *thread) { return !thread->transaction_stack && - binder_worklist_empty_ilocked(&thread->todo) && - (thread->looper & (BINDER_LOOPER_STATE_ENTERED | - BINDER_LOOPER_STATE_REGISTERED)); + binder_worklist_empty_ilocked(&thread->todo); } static void binder_wakeup_poll_threads_ilocked(struct binder_proc *proc, From 0900cd07eb9119e80a55a97784e8cc1ca6390402 Mon Sep 17 00:00:00 2001 From: Saurav Kashyap Date: Wed, 10 Jul 2024 22:40:50 +0530 Subject: [PATCH 067/173] scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds commit ce2065c4cc4f05635413f63f6dc038d7d4842e31 upstream. Firmware only supports single DSDs in ELS Pass-through IOCB (0x53h), sg cnt is decided by the SCSI ML. User is not aware of the cause of an acutal error. Return the appropriate return code that will be decoded by API and application and proper error message will be displayed to user. Fixes: 6e98016ca077 ("[SCSI] qla2xxx: Re-organized BSG interface specific code.") Cc: stable@vger.kernel.org Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20240710171057.35066-5-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 5c9d1ac649469feaab4240c0c1b5920ea8649b50) Signed-off-by: Vegard Nossum --- drivers/scsi/qla2xxx/qla_bsg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/qla2xxx/qla_bsg.c b/drivers/scsi/qla2xxx/qla_bsg.c index f051da3288c3..4f8e7602e050 100644 --- a/drivers/scsi/qla2xxx/qla_bsg.c +++ b/drivers/scsi/qla2xxx/qla_bsg.c @@ -302,7 +302,7 @@ qla2x00_process_els(struct bsg_job *bsg_job) "request_sg_cnt=%x reply_sg_cnt=%x.\n", bsg_job->request_payload.sg_cnt, bsg_job->reply_payload.sg_cnt); - rval = -EPERM; + rval = -ENOBUFS; goto done; } From 24eb54283c4effe2b0c2d94401d19e0ff004e357 Mon Sep 17 00:00:00 2001 From: Daeho Jeong Date: Thu, 11 Jan 2018 11:26:19 +0900 Subject: [PATCH 068/173] f2fs: prevent newly created inode from being dirtied incorrectly Now, we invoke f2fs_mark_inode_dirty_sync() to make an inode dirty in advance of creating a new node page for the inode. By this, some inodes whose node page is not created yet can be linked into the global dirty list. If the checkpoint is executed at this moment, the inode will be written back by writeback_single_inode() and finally update_inode_page() will fail to detach the inode from the global dirty list because the inode doesn't have a node page. The problem is that the inode's state in VFS layer will become clean after execution of writeback_single_inode() and it's still linked in the global dirty list of f2fs and this will cause a kernel panic. So, we will prevent the newly created inode from being dirtied during the FI_NEW_INODE flag of the inode is set. We will make it dirty right after the flag is cleared. Signed-off-by: Daeho Jeong Signed-off-by: Youngjin Gil Tested-by: Hobin Woo Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim (cherry picked from commit 9ac1e2d88d076aa1ae9e33d44a9bbc8ae3bfa791) Signed-off-by: Vegard Nossum --- fs/f2fs/f2fs.h | 1 + fs/f2fs/inode.c | 3 +++ fs/f2fs/namei.c | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index 268409cee1c3..371150161fb7 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -2032,6 +2032,7 @@ static inline void __mark_inode_dirty_flag(struct inode *inode, case FI_INLINE_XATTR: case FI_INLINE_DATA: case FI_INLINE_DENTRY: + case FI_NEW_INODE: if (set) return; case FI_DATA_EXIST: diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index c6d0687f00fe..84c74e5f943e 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -22,6 +22,9 @@ void f2fs_mark_inode_dirty_sync(struct inode *inode, bool sync) { + if (is_inode_flag_set(inode, FI_NEW_INODE)) + return; + if (f2fs_inode_dirtied(inode, sync)) return; diff --git a/fs/f2fs/namei.c b/fs/f2fs/namei.c index eb9db586c01d..525143d98015 100644 --- a/fs/f2fs/namei.c +++ b/fs/f2fs/namei.c @@ -73,12 +73,12 @@ static struct inode *f2fs_new_inode(struct inode *dir, umode_t mode) if (err) goto fail_drop; + set_inode_flag(inode, FI_NEW_INODE); + /* If the directory encrypted, then we should encrypt the inode. */ if (f2fs_encrypted_inode(dir) && f2fs_may_encrypt(inode)) f2fs_set_encrypted_inode(inode); - set_inode_flag(inode, FI_NEW_INODE); - if (f2fs_sb_has_extra_attr(sbi->sb)) { set_inode_flag(inode, FI_EXTRA_ATTR); F2FS_I(inode)->i_extra_isize = F2FS_TOTAL_EXTRA_ATTR_SIZE; From 27f9505abcdef5527ce43c5c21ecf89bc76f2278 Mon Sep 17 00:00:00 2001 From: Chao Yu Date: Tue, 4 Jun 2024 15:56:36 +0800 Subject: [PATCH 069/173] f2fs: fix to don't dirty inode for readonly filesystem commit 192b8fb8d1c8ca3c87366ebbef599fa80bb626b8 upstream. syzbot reports f2fs bug as below: kernel BUG at fs/f2fs/inode.c:933! RIP: 0010:f2fs_evict_inode+0x1576/0x1590 fs/f2fs/inode.c:933 Call Trace: evict+0x2a4/0x620 fs/inode.c:664 dispose_list fs/inode.c:697 [inline] evict_inodes+0x5f8/0x690 fs/inode.c:747 generic_shutdown_super+0x9d/0x2c0 fs/super.c:675 kill_block_super+0x44/0x90 fs/super.c:1667 kill_f2fs_super+0x303/0x3b0 fs/f2fs/super.c:4894 deactivate_locked_super+0xc1/0x130 fs/super.c:484 cleanup_mnt+0x426/0x4c0 fs/namespace.c:1256 task_work_run+0x24a/0x300 kernel/task_work.c:180 ptrace_notify+0x2cd/0x380 kernel/signal.c:2399 ptrace_report_syscall include/linux/ptrace.h:411 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:473 [inline] syscall_exit_work kernel/entry/common.c:251 [inline] syscall_exit_to_user_mode_prepare kernel/entry/common.c:278 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x15c/0x280 kernel/entry/common.c:296 do_syscall_64+0x50/0x110 arch/x86/entry/common.c:88 entry_SYSCALL_64_after_hwframe+0x63/0x6b The root cause is: - do_sys_open - f2fs_lookup - __f2fs_find_entry - f2fs_i_depth_write - f2fs_mark_inode_dirty_sync - f2fs_dirty_inode - set_inode_flag(inode, FI_DIRTY_INODE) - umount - kill_f2fs_super - kill_block_super - generic_shutdown_super - sync_filesystem : sb is readonly, skip sync_filesystem() - evict_inodes - iput - f2fs_evict_inode - f2fs_bug_on(sbi, is_inode_flag_set(inode, FI_DIRTY_INODE)) : trigger kernel panic When we try to repair i_current_depth in readonly filesystem, let's skip dirty inode to avoid panic in later f2fs_evict_inode(). Cc: stable@vger.kernel.org Reported-by: syzbot+31e4659a3fe953aec2f4@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/000000000000e890bc0609a55cff@google.com Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 2d2916516577f2239b3377d9e8d12da5e6ccdfcf) Signed-off-by: Vegard Nossum --- fs/f2fs/inode.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c index 84c74e5f943e..4e4cf8970274 100644 --- a/fs/f2fs/inode.c +++ b/fs/f2fs/inode.c @@ -25,6 +25,9 @@ void f2fs_mark_inode_dirty_sync(struct inode *inode, bool sync) if (is_inode_flag_set(inode, FI_NEW_INODE)) return; + if (f2fs_readonly(F2FS_I_SB(inode)->sb)) + return; + if (f2fs_inode_dirtied(inode, sync)) return; From e38af31723db1861d58b71410895872b72abc272 Mon Sep 17 00:00:00 2001 From: Fedor Pchelkin Date: Thu, 29 Feb 2024 23:42:36 +0300 Subject: [PATCH 070/173] ubi: eba: properly rollback inside self_check_eba commit 745d9f4a31defec731119ee8aad8ba9f2536dd9a upstream. In case of a memory allocation failure in the volumes loop we can only process the already allocated scan_eba and fm_eba array elements on the error path - others are still uninitialized. Found by Linux Verification Center (linuxtesting.org). Fixes: 00abf3041590 ("UBI: Add self_check_eba()") Cc: stable@vger.kernel.org Signed-off-by: Fedor Pchelkin Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 29f2c831822fde87b78c73e5db6ecfb106473cff) Signed-off-by: Vegard Nossum --- drivers/mtd/ubi/eba.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c index b7aa8cf2c3d7..489fc36fe8cb 100644 --- a/drivers/mtd/ubi/eba.c +++ b/drivers/mtd/ubi/eba.c @@ -1554,6 +1554,7 @@ int self_check_eba(struct ubi_device *ubi, struct ubi_attach_info *ai_fastmap, GFP_KERNEL); if (!fm_eba[i]) { ret = -ENOMEM; + kfree(scan_eba[i]); goto out_free; } @@ -1589,7 +1590,7 @@ int self_check_eba(struct ubi_device *ubi, struct ubi_attach_info *ai_fastmap, } out_free: - for (i = 0; i < num_volumes; i++) { + while (--i >= 0) { if (!ubi->volumes[i]) continue; From a01900bb7d4f831a50f19c58b1b9e3c9aa9dd9d9 Mon Sep 17 00:00:00 2001 From: Ross Lagerwall Date: Wed, 17 Jul 2024 17:20:16 +0100 Subject: [PATCH 071/173] decompress_bunzip2: fix rare decompression failure commit bf6acd5d16057d7accbbb1bf7dc6d8c56eeb4ecc upstream. The decompression code parses a huffman tree and counts the number of symbols for a given bit length. In rare cases, there may be >= 256 symbols with a given bit length, causing the unsigned char to overflow. This causes a decompression failure later when the code tries and fails to find the bit length for a given symbol. Since the maximum number of symbols is 258, use unsigned short instead. Link: https://lkml.kernel.org/r/20240717162016.1514077-1-ross.lagerwall@citrix.com Fixes: bc22c17e12c1 ("bzip2/lzma: library support for gzip, bzip2 and lzma decompression") Signed-off-by: Ross Lagerwall Cc: Alain Knaff Cc: "H. Peter Anvin" Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 16b92b031b4da174342bd909130731c55f20c7ea) Signed-off-by: Vegard Nossum --- lib/decompress_bunzip2.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c index 0234361b24b8..992ee6388a45 100644 --- a/lib/decompress_bunzip2.c +++ b/lib/decompress_bunzip2.c @@ -231,7 +231,8 @@ static int INIT get_next_block(struct bunzip_data *bd) RUNB) */ symCount = symTotal+2; for (j = 0; j < groupCount; j++) { - unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1]; + unsigned char length[MAX_SYMBOLS]; + unsigned short temp[MAX_HUFCODE_BITS+1]; int minLen, maxLen, pp; /* Read Huffman code lengths for each symbol. They're stored in a way similar to mtf; record a starting From 930865dbd92b29bc57364695d561c289d693f72d Mon Sep 17 00:00:00 2001 From: Manish Rangankar Date: Wed, 10 Jul 2024 22:40:53 +0530 Subject: [PATCH 072/173] scsi: qla2xxx: During vport delete send async logout explicitly commit 76f480d7c717368f29a3870f7d64471ce0ff8fb2 upstream. During vport delete, it is observed that during unload we hit a crash because of stale entries in outstanding command array. For all these stale I/O entries, eh_abort was issued and aborted (fast_fail_io = 2009h) but I/Os could not complete while vport delete is in process of deleting. BUG: kernel NULL pointer dereference, address: 000000000000001c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI Workqueue: qla2xxx_wq qla_do_work [qla2xxx] RIP: 0010:dma_direct_unmap_sg+0x51/0x1e0 RSP: 0018:ffffa1e1e150fc68 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000021 RCX: 0000000000000001 RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff8ce208a7a0d0 RBP: ffff8ce208a7a0d0 R08: 0000000000000000 R09: ffff8ce378aac9c8 R10: ffff8ce378aac8a0 R11: ffffa1e1e150f9d8 R12: 0000000000000000 R13: 0000000000000000 R14: ffff8ce378aac9c8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8d217f000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000001c CR3: 0000002089acc000 CR4: 0000000000350ee0 Call Trace: qla2xxx_qpair_sp_free_dma+0x417/0x4e0 ? qla2xxx_qpair_sp_compl+0x10d/0x1a0 ? qla2x00_status_entry+0x768/0x2830 ? newidle_balance+0x2f0/0x430 ? dequeue_entity+0x100/0x3c0 ? qla24xx_process_response_queue+0x6a1/0x19e0 ? __schedule+0x2d5/0x1140 ? qla_do_work+0x47/0x60 ? process_one_work+0x267/0x440 ? process_one_work+0x440/0x440 ? worker_thread+0x2d/0x3d0 ? process_one_work+0x440/0x440 ? kthread+0x156/0x180 ? set_kthread_struct+0x50/0x50 ? ret_from_fork+0x22/0x30 Send out async logout explicitly for all the ports during vport delete. Cc: stable@vger.kernel.org Signed-off-by: Manish Rangankar Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20240710171057.35066-8-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 086489256696eb774654a5410e86381c346356fe) Signed-off-by: Vegard Nossum --- drivers/scsi/qla2xxx/qla_mid.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/qla2xxx/qla_mid.c b/drivers/scsi/qla2xxx/qla_mid.c index 375a88e18afe..7cff59188b9c 100644 --- a/drivers/scsi/qla2xxx/qla_mid.c +++ b/drivers/scsi/qla2xxx/qla_mid.c @@ -158,7 +158,7 @@ qla24xx_disable_vp(scsi_qla_host_t *vha) atomic_set(&vha->loop_state, LOOP_DOWN); atomic_set(&vha->loop_down_timer, LOOP_DOWN_TIME); list_for_each_entry(fcport, &vha->vp_fcports, list) - fcport->logout_on_delete = 0; + fcport->logout_on_delete = 1; qla2x00_mark_all_devices_lost(vha, 0); From b212bfa809f6d1235bbbb6c491621ce314b073a6 Mon Sep 17 00:00:00 2001 From: Marco Cavenati Date: Mon, 24 Jun 2024 23:10:55 +0300 Subject: [PATCH 073/173] perf/x86/intel/pt: Fix topa_entry base length commit 5638bd722a44bbe97c1a7b3fae5b9efddb3e70ff upstream. topa_entry->base needs to store a pfn. It obviously needs to be large enough to store the largest possible x86 pfn which is MAXPHYADDR-PAGE_SIZE (52-12). So it is 4 bits too small. Increase the size of topa_entry->base from 36 bits to 40 bits. Note, systems where physical addresses can be 256TiB or more are affected. [ Adrian: Amend commit message as suggested by Dave Hansen ] Fixes: 52ca9ced3f70 ("perf/x86/intel/pt: Add Intel PT PMU driver") Signed-off-by: Marco Cavenati Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Adrian Hunter Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240624201101.60186-2-adrian.hunter@intel.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit b4030b619066aa1c20e075ce9382f103e0168145) Signed-off-by: Vegard Nossum --- arch/x86/events/intel/pt.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/events/intel/pt.h b/arch/x86/events/intel/pt.h index 0eb41d07b79a..df6ecf702a3c 100644 --- a/arch/x86/events/intel/pt.h +++ b/arch/x86/events/intel/pt.h @@ -78,8 +78,8 @@ struct topa_entry { u64 rsvd2 : 1; u64 size : 4; u64 rsvd3 : 2; - u64 base : 36; - u64 rsvd4 : 16; + u64 base : 40; + u64 rsvd4 : 12; }; #define PT_CPUID_LEAVES 2 From dbffea43e8b704e5cb23e776be21c12a3e0f0b65 Mon Sep 17 00:00:00 2001 From: Thomas Gleixner Date: Thu, 11 Jul 2024 22:25:21 +0200 Subject: [PATCH 074/173] watchdog/perf: properly initialize the turbo mode timestamp and rearm counter commit f944ffcbc2e1c759764850261670586ddf3bdabb upstream. For systems on which the performance counter can expire early due to turbo modes the watchdog handler has a safety net in place which validates that since the last watchdog event there has at least 4/5th of the watchdog period elapsed. This works reliably only after the first watchdog event because the per CPU variable which holds the timestamp of the last event is never initialized. So a first spurious event will validate against a timestamp of 0 which results in a delta which is likely to be way over the 4/5 threshold of the period. As this might happen before the first watchdog hrtimer event increments the watchdog counter, this can lead to false positives. Fix this by initializing the timestamp before enabling the hardware event. Reset the rearm counter as well, as that might be non zero after the watchdog was disabled and reenabled. Link: https://lkml.kernel.org/r/87frsfu15a.ffs@tglx Fixes: 7edaeb6841df ("kernel/watchdog: Prevent false positives with turbo modes") Signed-off-by: Thomas Gleixner Cc: Arjan van de Ven Cc: Peter Zijlstra Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 6d94ca5d571dfdb34f12dc3f63273ea275e8f40c) Signed-off-by: Vegard Nossum --- kernel/watchdog_hld.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/kernel/watchdog_hld.c b/kernel/watchdog_hld.c index 4c2cd69013a6..9e95d27093a9 100644 --- a/kernel/watchdog_hld.c +++ b/kernel/watchdog_hld.c @@ -91,11 +91,15 @@ static bool watchdog_check_timestamp(void) __this_cpu_write(last_timestamp, now); return true; } -#else -static inline bool watchdog_check_timestamp(void) + +static void watchdog_init_timestamp(void) { - return true; + __this_cpu_write(nmi_rearmed, 0); + __this_cpu_write(last_timestamp, ktime_get_mono_fast_ns()); } +#else +static inline bool watchdog_check_timestamp(void) { return true; } +static inline void watchdog_init_timestamp(void) { } #endif static struct perf_event_attr wd_hw_attr = { @@ -195,6 +199,7 @@ void hardlockup_detector_perf_enable(void) if (!atomic_fetch_inc(&watchdog_cpus)) pr_info("Enabled. Permanently consumes one hw-PMU counter.\n"); + watchdog_init_timestamp(); perf_event_enable(this_cpu_read(watchdog_ev)); } From 8e28810fed0aaf5624155ae6974d1cc95623edf2 Mon Sep 17 00:00:00 2001 From: Jiaxun Yang Date: Fri, 14 Jun 2024 16:40:15 +0100 Subject: [PATCH 075/173] platform: mips: cpu_hwmon: Disable driver on unsupported hardware commit f4d430db17b4ef4e9c3c352a04b2fe3c93011978 upstream. cpu_hwmon is unsupported on CPUs without loongson_chiptemp register and csr. Cc: stable@vger.kernel.org Signed-off-by: Jiaxun Yang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 0818a768c96a10343d08a622906adab54da6e014) Signed-off-by: Vegard Nossum --- drivers/platform/mips/cpu_hwmon.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/platform/mips/cpu_hwmon.c b/drivers/platform/mips/cpu_hwmon.c index 02484ae9a116..89249986ea00 100644 --- a/drivers/platform/mips/cpu_hwmon.c +++ b/drivers/platform/mips/cpu_hwmon.c @@ -163,6 +163,9 @@ static int __init loongson_hwmon_init(void) goto fail_hwmon_device_register; } + if (!csr_temp_enable && !loongson_chiptemp[0]) + return -ENODEV; + nr_packages = loongson_sysconf.nr_cpus / loongson_sysconf.cores_per_package; From 4a7a97d0ef008b684e246ead6e1474949cb0b579 Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Wed, 11 Oct 2017 10:48:46 -0700 Subject: [PATCH 076/173] RDMA/iwcm: Remove a set-but-not-used variable Signed-off-by: Bart Van Assche Reviewed-by: Steve Wise Signed-off-by: Doug Ledford (cherry picked from commit d39dcd6a2d69ed32e56ae0224900ea2aa23a953d) Signed-off-by: Vegard Nossum --- drivers/infiniband/core/iwcm.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c index 66204e08ce5a..57aec656ab7f 100644 --- a/drivers/infiniband/core/iwcm.c +++ b/drivers/infiniband/core/iwcm.c @@ -449,9 +449,6 @@ static void destroy_cm_id(struct iw_cm_id *cm_id) */ void iw_destroy_cm_id(struct iw_cm_id *cm_id) { - struct iwcm_id_private *cm_id_priv; - - cm_id_priv = container_of(cm_id, struct iwcm_id_private, id); destroy_cm_id(cm_id); } EXPORT_SYMBOL(iw_destroy_cm_id); From b4099074459a9baa637aba3a5fa6d814f32e5eb2 Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Wed, 5 Jun 2024 08:51:01 -0600 Subject: [PATCH 077/173] RDMA/iwcm: Fix a use-after-free related to destroying CM IDs commit aee2424246f9f1dadc33faa78990c1e2eb7826e4 upstream. iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with an existing struct iw_cm_id (cm_id) as follows: conn_id->cm_id.iw = cm_id; cm_id->context = conn_id; cm_id->cm_handler = cma_iw_handler; rdma_destroy_id() frees both the cm_id and the struct rdma_id_private. Make sure that cm_work_handler() does not trigger a use-after-free by only freeing of the struct rdma_id_private after all pending work has finished. Cc: stable@vger.kernel.org Fixes: 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") Reviewed-by: Zhu Yanjun Tested-by: Shin'ichiro Kawasaki Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20240605145117.397751-6-bvanassche@acm.org Signed-off-by: Leon Romanovsky Signed-off-by: Greg Kroah-Hartman (cherry picked from commit d91d253c87fd1efece521ff2612078a35af673c6) Signed-off-by: Vegard Nossum --- drivers/infiniband/core/iwcm.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c index 57aec656ab7f..84fa7b727a2b 100644 --- a/drivers/infiniband/core/iwcm.c +++ b/drivers/infiniband/core/iwcm.c @@ -369,8 +369,10 @@ EXPORT_SYMBOL(iw_cm_disconnect); * * Clean up all resources associated with the connection and release * the initial reference taken by iw_create_cm_id. + * + * Returns true if and only if the last cm_id_priv reference has been dropped. */ -static void destroy_cm_id(struct iw_cm_id *cm_id) +static bool destroy_cm_id(struct iw_cm_id *cm_id) { struct iwcm_id_private *cm_id_priv; unsigned long flags; @@ -438,7 +440,7 @@ static void destroy_cm_id(struct iw_cm_id *cm_id) iwpm_remove_mapping(&cm_id->local_addr, RDMA_NL_IWCM); } - (void)iwcm_deref_id(cm_id_priv); + return iwcm_deref_id(cm_id_priv); } /* @@ -449,7 +451,8 @@ static void destroy_cm_id(struct iw_cm_id *cm_id) */ void iw_destroy_cm_id(struct iw_cm_id *cm_id) { - destroy_cm_id(cm_id); + if (!destroy_cm_id(cm_id)) + flush_workqueue(iwcm_wq); } EXPORT_SYMBOL(iw_destroy_cm_id); @@ -1022,7 +1025,7 @@ static void cm_work_handler(struct work_struct *_work) if (!test_bit(IWCM_F_DROP_EVENTS, &cm_id_priv->flags)) { ret = process_event(cm_id_priv, &levent); if (ret) - destroy_cm_id(&cm_id_priv->id); + WARN_ON_ONCE(destroy_cm_id(&cm_id_priv->id)); } else pr_debug("dropping event %d\n", levent.event); if (iwcm_deref_id(cm_id_priv)) From 0a35556f0aa6435749d819919639e400943a3430 Mon Sep 17 00:00:00 2001 From: Michael Ellerman Date: Mon, 20 May 2024 16:26:47 +1000 Subject: [PATCH 078/173] selftests/sigaltstack: Fix ppc64 GCC build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 17c743b9da9e0d073ff19fd5313f521744514939 upstream. Building the sigaltstack test with GCC on 64-bit powerpc errors with: gcc -Wall sas.c -o /home/michael/linux/.build/kselftest/sigaltstack/sas In file included from sas.c:23: current_stack_pointer.h:22:2: error: #error "implement current_stack_pointer equivalent" 22 | #error "implement current_stack_pointer equivalent" | ^~~~~ sas.c: In function ‘my_usr1’: sas.c:50:13: error: ‘sp’ undeclared (first use in this function); did you mean ‘p’? 50 | if (sp < (unsigned long)sstack || | ^~ This happens because GCC doesn't define __ppc__ for 64-bit builds, only 32-bit builds. Instead use __powerpc__ to detect powerpc builds, which is defined by clang and GCC for 64-bit and 32-bit builds. Fixes: 05107edc9101 ("selftests: sigaltstack: fix -Wuninitialized") Cc: stable@vger.kernel.org # v6.3+ Signed-off-by: Michael Ellerman Link: https://msgid.link/20240520062647.688667-1-mpe@ellerman.id.au Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 8010e0748cca059187021d194bb6d883d159e172) Signed-off-by: Vegard Nossum --- tools/testing/selftests/sigaltstack/current_stack_pointer.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/sigaltstack/current_stack_pointer.h b/tools/testing/selftests/sigaltstack/current_stack_pointer.h index ea9bdf3a90b1..09da8f1011ce 100644 --- a/tools/testing/selftests/sigaltstack/current_stack_pointer.h +++ b/tools/testing/selftests/sigaltstack/current_stack_pointer.h @@ -8,7 +8,7 @@ register unsigned long sp asm("sp"); register unsigned long sp asm("esp"); #elif __loongarch64 register unsigned long sp asm("$sp"); -#elif __ppc__ +#elif __powerpc__ register unsigned long sp asm("r1"); #elif __s390x__ register unsigned long sp asm("%15"); From 0e318baa084d870466c8cefaab8d2689e56d21e7 Mon Sep 17 00:00:00 2001 From: Ryusuke Konishi Date: Thu, 25 Jul 2024 14:20:07 +0900 Subject: [PATCH 079/173] nilfs2: handle inconsistent state in nilfs_btnode_create_block() commit 4811f7af6090e8f5a398fbdd766f903ef6c0d787 upstream. Syzbot reported that a buffer state inconsistency was detected in nilfs_btnode_create_block(), triggering a kernel bug. It is not appropriate to treat this inconsistency as a bug; it can occur if the argument block address (the buffer index of the newly created block) is a virtual block number and has been reallocated due to corruption of the bitmap used to manage its allocation state. So, modify nilfs_btnode_create_block() and its callers to treat it as a possible filesystem error, rather than triggering a kernel bug. Link: https://lkml.kernel.org/r/20240725052007.4562-1-konishi.ryusuke@gmail.com Fixes: a60be987d45d ("nilfs2: B-tree node cache") Signed-off-by: Ryusuke Konishi Reported-by: syzbot+89cc4f2324ed37988b60@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=89cc4f2324ed37988b60 Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 19cce46238ffe3546e44b9c74057103ff8b24c62) Signed-off-by: Vegard Nossum --- fs/nilfs2/btnode.c | 25 ++++++++++++++++++++----- fs/nilfs2/btree.c | 4 ++-- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/fs/nilfs2/btnode.c b/fs/nilfs2/btnode.c index f0a5e0a42ca7..4109caecf42e 100644 --- a/fs/nilfs2/btnode.c +++ b/fs/nilfs2/btnode.c @@ -60,12 +60,21 @@ nilfs_btnode_create_block(struct address_space *btnc, __u64 blocknr) bh = nilfs_grab_buffer(inode, btnc, blocknr, BIT(BH_NILFS_Node)); if (unlikely(!bh)) - return NULL; + return ERR_PTR(-ENOMEM); if (unlikely(buffer_mapped(bh) || buffer_uptodate(bh) || buffer_dirty(bh))) { - brelse(bh); - BUG(); + /* + * The block buffer at the specified new address was already + * in use. This can happen if it is a virtual block number + * and has been reallocated due to corruption of the bitmap + * used to manage its allocation state (if not, the buffer + * clearing of an abandoned b-tree node is missing somewhere). + */ + nilfs_error(inode->i_sb, + "state inconsistency probably due to duplicate use of b-tree node block address %llu (ino=%lu)", + (unsigned long long)blocknr, inode->i_ino); + goto failed; } memset(bh->b_data, 0, i_blocksize(inode)); bh->b_bdev = inode->i_sb->s_bdev; @@ -76,6 +85,12 @@ nilfs_btnode_create_block(struct address_space *btnc, __u64 blocknr) unlock_page(bh->b_page); put_page(bh->b_page); return bh; + +failed: + unlock_page(bh->b_page); + put_page(bh->b_page); + brelse(bh); + return ERR_PTR(-EIO); } int nilfs_btnode_submit_block(struct address_space *btnc, __u64 blocknr, @@ -233,8 +248,8 @@ retry: } nbh = nilfs_btnode_create_block(btnc, newkey); - if (!nbh) - return -ENOMEM; + if (IS_ERR(nbh)) + return PTR_ERR(nbh); BUG_ON(nbh == obh); ctxt->newbh = nbh; diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c index 5c08ddd50c23..87f75a07c212 100644 --- a/fs/nilfs2/btree.c +++ b/fs/nilfs2/btree.c @@ -72,8 +72,8 @@ static int nilfs_btree_get_new_block(const struct nilfs_bmap *btree, struct buffer_head *bh; bh = nilfs_btnode_create_block(btnc, ptr); - if (!bh) - return -ENOMEM; + if (IS_ERR(bh)) + return PTR_ERR(bh); set_buffer_nilfs_volatile(bh); *bhp = bh; From 2527458f09eb86ba89b673081c8a408c8a3f7591 Mon Sep 17 00:00:00 2001 From: Wenlin Kang Date: Mon, 13 May 2019 16:57:20 +0800 Subject: [PATCH 080/173] kdb: Fix bound check compiler warning [ Upstream commit ca976bfb3154c7bc67c4651ecd144fdf67ccaee7 ] The strncpy() function may leave the destination string buffer unterminated, better use strscpy() instead. This fixes the following warning with gcc 8.2: kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr': kernel/debug/kdb/kdb_io.c:449:3: warning: 'strncpy' specified bound 256 equals destination size [-Wstringop-truncation] strncpy(kdb_prompt_str, prompt, CMD_BUFLEN); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Wenlin Kang Signed-off-by: Daniel Thompson Stable-dep-of: 70867efacf43 ("kdb: address -Wformat-security warnings") Signed-off-by: Sasha Levin (cherry picked from commit b15593e2904d2ff0094b7170f806dba0eeefac75) Signed-off-by: Vegard Nossum --- kernel/debug/kdb/kdb_io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index acc8e13b823b..5358e8a8b6f1 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -459,7 +459,7 @@ poll_again: char *kdb_getstr(char *buffer, size_t bufsize, const char *prompt) { if (prompt && kdb_prompt_str != prompt) - strncpy(kdb_prompt_str, prompt, CMD_BUFLEN); + strscpy(kdb_prompt_str, prompt, CMD_BUFLEN); kdb_printf(kdb_prompt_str); kdb_nextline = 1; /* Prompt and input resets line number */ return kdb_read(buffer, bufsize); From fbcf6bbfac542e249d92ce80277a03dde0699305 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Tue, 28 May 2024 14:11:48 +0200 Subject: [PATCH 081/173] kdb: address -Wformat-security warnings [ Upstream commit 70867efacf4370b6c7cdfc7a5b11300e9ef7de64 ] When -Wformat-security is not disabled, using a string pointer as a format causes a warning: kernel/debug/kdb/kdb_io.c: In function 'kdb_read': kernel/debug/kdb/kdb_io.c:365:36: error: format not a string literal and no format arguments [-Werror=format-security] 365 | kdb_printf(kdb_prompt_str); | ^~~~~~~~~~~~~~ kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr': kernel/debug/kdb/kdb_io.c:456:20: error: format not a string literal and no format arguments [-Werror=format-security] 456 | kdb_printf(kdb_prompt_str); | ^~~~~~~~~~~~~~ Use an explcit "%s" format instead. Signed-off-by: Arnd Bergmann Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20240528121154.3662553-1-arnd@kernel.org Signed-off-by: Daniel Thompson Signed-off-by: Sasha Levin (cherry picked from commit 22a100556ceab8b906ad180788bd6bdc07390f50) Signed-off-by: Vegard Nossum --- kernel/debug/kdb/kdb_io.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index 5358e8a8b6f1..9ce4e52532b7 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -368,7 +368,7 @@ poll_again: if (i >= dtab_count) kdb_printf("..."); kdb_printf("\n"); - kdb_printf(kdb_prompt_str); + kdb_printf("%s", kdb_prompt_str); kdb_printf("%s", buffer); if (cp != lastchar) kdb_position_cursor(kdb_prompt_str, buffer, cp); @@ -460,7 +460,7 @@ char *kdb_getstr(char *buffer, size_t bufsize, const char *prompt) { if (prompt && kdb_prompt_str != prompt) strscpy(kdb_prompt_str, prompt, CMD_BUFLEN); - kdb_printf(kdb_prompt_str); + kdb_printf("%s", kdb_prompt_str); kdb_nextline = 1; /* Prompt and input resets line number */ return kdb_read(buffer, bufsize); } From 4925aa995a5cf9f49c04fdd1257b1d8f341dd4f5 Mon Sep 17 00:00:00 2001 From: Douglas Anderson Date: Tue, 28 May 2024 07:11:48 -0700 Subject: [PATCH 082/173] kdb: Use the passed prompt in kdb_position_cursor() [ Upstream commit e2e821095949cde46256034975a90f88626a2a73 ] The function kdb_position_cursor() takes in a "prompt" parameter but never uses it. This doesn't _really_ matter since all current callers of the function pass the same value and it's a global variable, but it's a bit ugly. Let's clean it up. Found by code inspection. This patch is expected to functionally be a no-op. Fixes: 09b35989421d ("kdb: Use format-strings rather than '\0' injection in kdb_read()") Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20240528071144.1.I0feb49839c6b6f4f2c4bf34764f5e95de3f55a66@changeid Signed-off-by: Daniel Thompson Signed-off-by: Sasha Levin (cherry picked from commit 90f2409c1d552f27a2b2bf8dc598d147c4173128) Signed-off-by: Vegard Nossum --- kernel/debug/kdb/kdb_io.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c index 9ce4e52532b7..bfce77a0daac 100644 --- a/kernel/debug/kdb/kdb_io.c +++ b/kernel/debug/kdb/kdb_io.c @@ -192,7 +192,7 @@ static int kdb_read_get_key(char *buffer, size_t bufsize) */ static void kdb_position_cursor(char *prompt, char *buffer, char *cp) { - kdb_printf("\r%s", kdb_prompt_str); + kdb_printf("\r%s", prompt); if (cp > buffer) kdb_printf("%.*s", (int)(cp - buffer), buffer); } From 4c2dc9502e8728f3a9ba9029aeaa08fc01e420d1 Mon Sep 17 00:00:00 2001 From: Jeongjun Park Date: Thu, 30 May 2024 22:28:09 +0900 Subject: [PATCH 083/173] jfs: Fix array-index-out-of-bounds in diFree [ Upstream commit f73f969b2eb39ad8056f6c7f3a295fa2f85e313a ] Reported-by: syzbot+241c815bda521982cb49@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jeongjun Park Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin (cherry picked from commit 55b732c8b09b41148eaab2fa8e31b0af47671e00) Signed-off-by: Vegard Nossum --- fs/jfs/jfs_imap.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c index 5cdcf68a4803..7f66c12a7962 100644 --- a/fs/jfs/jfs_imap.c +++ b/fs/jfs/jfs_imap.c @@ -305,7 +305,7 @@ int diSync(struct inode *ipimap) int diRead(struct inode *ip) { struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb); - int iagno, ino, extno, rc; + int iagno, ino, extno, rc, agno; struct inode *ipimap; struct dinode *dp; struct iag *iagp; @@ -354,8 +354,11 @@ int diRead(struct inode *ip) /* get the ag for the iag */ agstart = le64_to_cpu(iagp->agstart); + agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb)); release_metapage(mp); + if (agno >= MAXAG || agno < 0) + return -EIO; rel_inode = (ino & (INOSPERPAGE - 1)); pageno = blkno >> sbi->l2nbperpage; From 5a9dbd8f70793aba9e12d6d5216ce45cd9597a78 Mon Sep 17 00:00:00 2001 From: Lance Richardson Date: Thu, 18 Jul 2024 14:38:24 +0000 Subject: [PATCH 084/173] dma: fix call order in dmam_free_coherent [ Upstream commit 28e8b7406d3a1f5329a03aa25a43aa28e087cb20 ] dmam_free_coherent() frees a DMA allocation, which makes the freed vaddr available for reuse, then calls devres_destroy() to remove and free the data structure used to track the DMA allocation. Between the two calls, it is possible for a concurrent task to make an allocation with the same vaddr and add it to the devres list. If this happens, there will be two entries in the devres list with the same vaddr and devres_destroy() can free the wrong entry, triggering the WARN_ON() in dmam_match. Fix by destroying the devres entry before freeing the DMA allocation. Tested: kokonut //net/encryption http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03 Fixes: 9ac7849e35f7 ("devres: device resource management") Signed-off-by: Lance Richardson Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin (cherry picked from commit fe2d246080f035e0af5793cb79067ba125e4fb63) Signed-off-by: Vegard Nossum --- drivers/base/dma-mapping.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/dma-mapping.c b/drivers/base/dma-mapping.c index e584eddef0a7..b4e5bb1c39c1 100644 --- a/drivers/base/dma-mapping.c +++ b/drivers/base/dma-mapping.c @@ -98,8 +98,8 @@ void dmam_free_coherent(struct device *dev, size_t size, void *vaddr, { struct dma_devres match_data = { size, vaddr, dma_handle }; - dma_free_coherent(dev, size, vaddr, dma_handle); WARN_ON(devres_destroy(dev, dmam_release, dmam_match, &match_data)); + dma_free_coherent(dev, size, vaddr, dma_handle); } EXPORT_SYMBOL(dmam_free_coherent); From 1184f039bc84987937ac8144df7a5daaffb0795c Mon Sep 17 00:00:00 2001 From: Gregory CLEMENT Date: Mon, 22 Jul 2024 15:15:39 +0200 Subject: [PATCH 085/173] MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later [ Upstream commit a263e5f309f32301e1f3ad113293f4e68a82a646 ] When the CM block migrated from CM2.5 to CM3.0, the address offset for the Global CSR Access Privilege register was modified. We saw this in the "MIPS64 I6500 Multiprocessing System Programmer's Guide," it is stated that "the Global CSR Access Privilege register is located at offset 0x0120" in section 5.4. It is at least the same for I6400. This fix allows to use the VP cores in SMP mode if the reset values were modified by the bootloader. Based on the work of Vladimir Kondratiev and the feedback from Jiaxun Yang . Fixes: 197e89e0984a ("MIPS: mips-cm: Implement mips_cm_revision") Signed-off-by: Gregory CLEMENT Reviewed-by: Jiaxun Yang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin (cherry picked from commit 3213ac4e85945c54350ac06c09902d1c82211100) Signed-off-by: Vegard Nossum --- arch/mips/include/asm/mips-cm.h | 4 ++++ arch/mips/kernel/smp-cps.c | 5 ++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h index 890e51b159e0..11a3d5120e2b 100644 --- a/arch/mips/include/asm/mips-cm.h +++ b/arch/mips/include/asm/mips-cm.h @@ -232,6 +232,10 @@ GCR_ACCESSOR_RO(32, 0x0d0, gic_status) GCR_ACCESSOR_RO(32, 0x0f0, cpc_status) #define CM_GCR_CPC_STATUS_EX BIT(0) +/* GCR_ACCESS - Controls core/IOCU access to GCRs */ +GCR_ACCESSOR_RW(32, 0x120, access_cm3) +#define CM_GCR_ACCESS_ACCESSEN GENMASK(7, 0) + /* GCR_L2_CONFIG - Indicates L2 cache configuration when Config5.L2C=1 */ GCR_ACCESSOR_RW(32, 0x130, l2_config) #define CM_GCR_L2_CONFIG_BYPASS BIT(20) diff --git a/arch/mips/kernel/smp-cps.c b/arch/mips/kernel/smp-cps.c index ecc1a853f48d..55b478c9af0e 100644 --- a/arch/mips/kernel/smp-cps.c +++ b/arch/mips/kernel/smp-cps.c @@ -233,7 +233,10 @@ static void boot_core(unsigned int core, unsigned int vpe_id) write_gcr_co_reset_ext_base(CM_GCR_Cx_RESET_EXT_BASE_UEB); /* Ensure the core can access the GCRs */ - set_gcr_access(1 << core); + if (mips_cm_revision() < CM_REV_CM3) + set_gcr_access(1 << core); + else + set_gcr_access_cm3(1 << core); if (mips_cpc_present()) { /* Reset the core */ From 5b3e5dc382a0cab89cea2c533a0e5b65ae4d686e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Sat, 29 Sep 2018 23:44:46 -0700 Subject: [PATCH 086/173] net: ip_rt_get_source() - use new style struct initializer instead of memset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit e351bb6227fbe2bb5da6f38a4cf5bd18810b0557 ] (allows for better compiler optimization) Signed-off-by: Maciej Żenczykowski Reviewed-by: David Ahern Signed-off-by: David S. Miller Stable-dep-of: cc73bbab4b1f ("ipv4: Fix incorrect source address in Record Route option") Signed-off-by: Sasha Levin (cherry picked from commit 0e8712254b48a7c6ebb76dce414a9539e772d406) Signed-off-by: Vegard Nossum --- net/ipv4/route.c | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 6250fddef2ad..e339e9e31bac 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1285,18 +1285,15 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt) src = ip_hdr(skb)->saddr; else { struct fib_result res; - struct flowi4 fl4; - struct iphdr *iph; - - iph = ip_hdr(skb); - - memset(&fl4, 0, sizeof(fl4)); - fl4.daddr = iph->daddr; - fl4.saddr = iph->saddr; - fl4.flowi4_tos = RT_TOS(iph->tos); - fl4.flowi4_oif = rt->dst.dev->ifindex; - fl4.flowi4_iif = skb->dev->ifindex; - fl4.flowi4_mark = skb->mark; + struct iphdr *iph = ip_hdr(skb); + struct flowi4 fl4 = { + .daddr = iph->daddr, + .saddr = iph->saddr, + .flowi4_tos = RT_TOS(iph->tos), + .flowi4_oif = rt->dst.dev->ifindex, + .flowi4_iif = skb->dev->ifindex, + .flowi4_mark = skb->mark, + }; rcu_read_lock(); if (fib_lookup(dev_net(rt->dst.dev), &fl4, &res, 0) == 0) From ef5a6f1d6d270c55e210ed3775352ff75e2aa48e Mon Sep 17 00:00:00 2001 From: Ido Schimmel Date: Thu, 18 Jul 2024 15:34:07 +0300 Subject: [PATCH 087/173] ipv4: Fix incorrect source address in Record Route option [ Upstream commit cc73bbab4b1fb8a4f53a24645871dafa5f81266a ] The Record Route IP option records the addresses of the routers that routed the packet. In the case of forwarded packets, the kernel performs a route lookup via fib_lookup() and fills in the preferred source address of the matched route. The lookup is performed with the DS field of the forwarded packet, but using the RT_TOS() macro which only masks one of the two ECN bits. If the packet is ECT(0) or CE, the matched route might be different than the route via which the packet was forwarded as the input path masks both of the ECN bits, resulting in the wrong address being filled in the Record Route option. Fix by masking both of the ECN bits. Fixes: 8e36360ae876 ("ipv4: Remove route key identity dependencies in ip_rt_get_source().") Signed-off-by: Ido Schimmel Reviewed-by: Guillaume Nault Link: https://patch.msgid.link/20240718123407.434778-1-idosch@nvidia.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 5c65e55e41e1300c4ebf4dda22a704b2beed2423) Signed-off-by: Vegard Nossum --- net/ipv4/route.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index e339e9e31bac..2ce7fbec55ea 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1289,7 +1289,7 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt) struct flowi4 fl4 = { .daddr = iph->daddr, .saddr = iph->saddr, - .flowi4_tos = RT_TOS(iph->tos), + .flowi4_tos = iph->tos & IPTOS_RT_MASK, .flowi4_oif = rt->dst.dev->ifindex, .flowi4_iif = skb->dev->ifindex, .flowi4_mark = skb->mark, From f204855673caa3a17b49c8b9642edcd269a4fac7 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 19 Jul 2024 09:41:18 -0700 Subject: [PATCH 088/173] net: bonding: correctly annotate RCU in bond_should_notify_peers() [ Upstream commit 3ba359c0cd6eb5ea772125a7aededb4a2d516684 ] RCU use in bond_should_notify_peers() looks wrong, since it does rcu_dereference(), leaves the critical section, and uses the pointer after that. Luckily, it's called either inside a nested RCU critical section or with the RTNL held. Annotate it with rcu_dereference_rtnl() instead, and remove the inner RCU critical section. Fixes: 4cb4f97b7e36 ("bonding: rebuild the lock use for bond_mii_monitor()") Reviewed-by: Jiri Pirko Signed-off-by: Johannes Berg Acked-by: Jay Vosburgh Link: https://patch.msgid.link/20240719094119.35c62455087d.I68eb9c0f02545b364b79a59f2110f2cf5682a8e2@changeid Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 6c9261a2bdf614b376dbefa01e0c6bb32d14e019) Signed-off-by: Vegard Nossum --- drivers/net/bonding/bond_main.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index 3b5518276ef0..7540340d504c 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -774,13 +774,10 @@ static struct slave *bond_find_best_slave(struct bonding *bond) return bestslave; } +/* must be called in RCU critical section or with RTNL held */ static bool bond_should_notify_peers(struct bonding *bond) { - struct slave *slave; - - rcu_read_lock(); - slave = rcu_dereference(bond->curr_active_slave); - rcu_read_unlock(); + struct slave *slave = rcu_dereference_rtnl(bond->curr_active_slave); if (!slave || !bond->send_peer_notif || !netif_carrier_ok(bond->dev) || From 1ae654c0cdf7bfcd142367568d3a1afbed7d54e8 Mon Sep 17 00:00:00 2001 From: Shigeru Yoshida Date: Tue, 16 Jul 2024 11:09:05 +0900 Subject: [PATCH 089/173] tipc: Return non-zero value from tipc_udp_addr2str() on error [ Upstream commit fa96c6baef1b5385e2f0c0677b32b3839e716076 ] tipc_udp_addr2str() should return non-zero value if the UDP media address is invalid. Otherwise, a buffer overflow access can occur in tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP media address. Fixes: d0f91938bede ("tipc: add ip/udp media type") Signed-off-by: Shigeru Yoshida Reviewed-by: Tung Nguyen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 7ec3335dd89c8d169e9650e4bac64fde71fdf15b) Signed-off-by: Vegard Nossum --- net/tipc/udp_media.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c index 4d0eb41efebe..07b3d413d5a0 100644 --- a/net/tipc/udp_media.c +++ b/net/tipc/udp_media.c @@ -125,8 +125,11 @@ static int tipc_udp_addr2str(struct tipc_media_addr *a, char *buf, int size) snprintf(buf, size, "%pI4:%u", &ua->ipv4, ntohs(ua->port)); else if (ntohs(ua->proto) == ETH_P_IPV6) snprintf(buf, size, "%pI6:%u", &ua->ipv6, ntohs(ua->port)); - else + else { pr_err("Invalid UDP media address\n"); + return 1; + } + return 0; } From 70609fe847bf6600554b6f511b10015f76834d58 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Wed, 24 Jul 2024 11:08:18 -0500 Subject: [PATCH 090/173] mISDN: Fix a use after free in hfcmulti_tx() [ Upstream commit 61ab751451f5ebd0b98e02276a44e23a10110402 ] Don't dereference *sp after calling dev_kfree_skb(*sp). Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver") Signed-off-by: Dan Carpenter Reviewed-by: Simon Horman Link: https://patch.msgid.link/8be65f5a-c2dd-4ba0-8a10-bfe5980b8cfb@stanley.mountain Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 70db2c84631f50e02e6b32b543700699dd395803) Signed-off-by: Vegard Nossum --- drivers/isdn/hardware/mISDN/hfcmulti.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c index cb86b9bd5c7c..e856f90464e1 100644 --- a/drivers/isdn/hardware/mISDN/hfcmulti.c +++ b/drivers/isdn/hardware/mISDN/hfcmulti.c @@ -1945,7 +1945,7 @@ hfcmulti_dtmf(struct hfc_multi *hc) static void hfcmulti_tx(struct hfc_multi *hc, int ch) { - int i, ii, temp, len = 0; + int i, ii, temp, tmp_len, len = 0; int Zspace, z1, z2; /* must be int for calculation */ int Fspace, f1, f2; u_char *d; @@ -2166,14 +2166,15 @@ next_frame: HFC_wait_nodebug(hc); } + tmp_len = (*sp)->len; dev_kfree_skb(*sp); /* check for next frame */ if (bch && get_next_bframe(bch)) { - len = (*sp)->len; + len = tmp_len; goto next_frame; } if (dch && get_next_dframe(dch)) { - len = (*sp)->len; + len = tmp_len; goto next_frame; } From 1967ea8b282b3b05c9da41c1e2426c3bfb04bf54 Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Fri, 21 Jun 2024 16:42:38 +0200 Subject: [PATCH 091/173] mm: avoid overflows in dirty throttling logic [ Upstream commit 385d838df280eba6c8680f9777bfa0d0bfe7e8b2 ] The dirty throttling logic is interspersed with assumptions that dirty limits in PAGE_SIZE units fit into 32-bit (so that various multiplications fit into 64-bits). If limits end up being larger, we will hit overflows, possible divisions by 0 etc. Fix these problems by never allowing so large dirty limits as they have dubious practical value anyway. For dirty_bytes / dirty_background_bytes interfaces we can just refuse to set so large limits. For dirty_ratio / dirty_background_ratio it isn't so simple as the dirty limit is computed from the amount of available memory which can change due to memory hotplug etc. So when converting dirty limits from ratios to numbers of pages, we just don't allow the result to exceed UINT_MAX. This is root-only triggerable problem which occurs when the operator sets dirty limits to >16 TB. Link: https://lkml.kernel.org/r/20240621144246.11148-2-jack@suse.cz Signed-off-by: Jan Kara Reported-by: Zach O'Keefe Reviewed-By: Zach O'Keefe Cc: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin (cherry picked from commit 2b2d2b8766db028bd827af34075f221ae9e9efff) Signed-off-by: Vegard Nossum --- mm/page-writeback.c | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/mm/page-writeback.c b/mm/page-writeback.c index 29f9980c13ac..0798d0a26a7a 100644 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c @@ -433,13 +433,20 @@ static void domain_dirty_limits(struct dirty_throttle_control *dtc) else bg_thresh = (bg_ratio * available_memory) / PAGE_SIZE; - if (bg_thresh >= thresh) - bg_thresh = thresh / 2; tsk = current; if (tsk->flags & PF_LESS_THROTTLE || rt_task(tsk)) { bg_thresh += bg_thresh / 4 + global_wb_domain.dirty_limit / 32; thresh += thresh / 4 + global_wb_domain.dirty_limit / 32; } + /* + * Dirty throttling logic assumes the limits in page units fit into + * 32-bits. This gives 16TB dirty limits max which is hopefully enough. + */ + if (thresh > UINT_MAX) + thresh = UINT_MAX; + /* This makes sure bg_thresh is within 32-bits as well */ + if (bg_thresh >= thresh) + bg_thresh = thresh / 2; dtc->thresh = thresh; dtc->bg_thresh = bg_thresh; @@ -489,7 +496,11 @@ static unsigned long node_dirty_limit(struct pglist_data *pgdat) if (tsk->flags & PF_LESS_THROTTLE || rt_task(tsk)) dirty += dirty / 4; - return dirty; + /* + * Dirty throttling logic assumes the limits in page units fit into + * 32-bits. This gives 16TB dirty limits max which is hopefully enough. + */ + return min_t(unsigned long, dirty, UINT_MAX); } /** @@ -528,10 +539,17 @@ int dirty_background_bytes_handler(struct ctl_table *table, int write, loff_t *ppos) { int ret; + unsigned long old_bytes = dirty_background_bytes; ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); - if (ret == 0 && write) + if (ret == 0 && write) { + if (DIV_ROUND_UP(dirty_background_bytes, PAGE_SIZE) > + UINT_MAX) { + dirty_background_bytes = old_bytes; + return -ERANGE; + } dirty_background_ratio = 0; + } return ret; } @@ -559,6 +577,10 @@ int dirty_bytes_handler(struct ctl_table *table, int write, ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); if (ret == 0 && write && vm_dirty_bytes != old_bytes) { + if (DIV_ROUND_UP(vm_dirty_bytes, PAGE_SIZE) > UINT_MAX) { + vm_dirty_bytes = old_bytes; + return -ERANGE; + } writeback_set_ratelimit(); vm_dirty_ratio = 0; } From aff1d3ed73ce5882235d9f42c4510c642b9e1dac Mon Sep 17 00:00:00 2001 From: Chen-Yu Tsai Date: Fri, 22 Jan 2021 00:23:18 +0800 Subject: [PATCH 092/173] PCI: rockchip: Make 'ep-gpios' DT property optional [ Upstream commit 58adbfb3ebec460e8b58875c682bafd866808e80 ] The Rockchip PCIe controller DT binding clearly states that 'ep-gpios' is an optional property. And indeed there are boards that don't require it. Make the driver follow the binding by using devm_gpiod_get_optional() instead of devm_gpiod_get(). [bhelgaas: tidy whitespace] Link: https://lore.kernel.org/r/20210121162321.4538-2-wens@kernel.org Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support") Fixes: 956cd99b35a8 ("PCI: rockchip: Separate common code from RC driver") Fixes: 964bac9455be ("PCI: rockchip: Split out rockchip_pcie_parse_dt() to parse DT") Signed-off-by: Chen-Yu Tsai Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Stable-dep-of: 840b7a5edf88 ("PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio") Signed-off-by: Sasha Levin (cherry picked from commit 11f71f0c562dbfbc3f3e2c56053bca42f7e8d71c) [Harshit: Apply the same in drivers/pci/host/pcie-rockchip.c as 4.14.y doesn't have commit: 6e0832fa432e ("PCI: Collect all native drivers under drivers/pci/controller/") and not a candidate for backporting] Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- drivers/pci/host/pcie-rockchip.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/pci/host/pcie-rockchip.c b/drivers/pci/host/pcie-rockchip.c index d3f9e7d24727..b3aa7831ef56 100644 --- a/drivers/pci/host/pcie-rockchip.c +++ b/drivers/pci/host/pcie-rockchip.c @@ -1093,10 +1093,11 @@ static int rockchip_pcie_parse_dt(struct rockchip_pcie *rockchip) return PTR_ERR(rockchip->aclk_rst); } - rockchip->ep_gpio = devm_gpiod_get(dev, "ep", GPIOD_OUT_HIGH); + rockchip->ep_gpio = devm_gpiod_get_optional(dev, "ep", + GPIOD_OUT_HIGH); if (IS_ERR(rockchip->ep_gpio)) { - dev_err(dev, "missing ep-gpios property in node\n"); - return PTR_ERR(rockchip->ep_gpio); + return dev_err_probe(dev, PTR_ERR(rockchip->ep_gpio), + "failed to get ep GPIO\n"); } rockchip->aclk_pcie = devm_clk_get(dev, "aclk"); From 5a659bbb75dd76c32388a8b4c8ea8dff2aa79c12 Mon Sep 17 00:00:00 2001 From: Manivannan Sadhasivam Date: Tue, 16 Apr 2024 11:12:35 +0530 Subject: [PATCH 093/173] PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 840b7a5edf88fe678c60dee88a135647c0ea4375 ] Rockchip platforms use 'GPIO_ACTIVE_HIGH' flag in the devicetree definition for ep_gpio. This means, whatever the logical value set by the driver for the ep_gpio, physical line will output the same logic level. For instance, gpiod_set_value_cansleep(rockchip->ep_gpio, 0); --> Level low gpiod_set_value_cansleep(rockchip->ep_gpio, 1); --> Level high But while requesting the ep_gpio, GPIOD_OUT_HIGH flag is currently used. Now, this also causes the physical line to output 'high' creating trouble for endpoint devices during host reboot. When host reboot happens, the ep_gpio will initially output 'low' due to the GPIO getting reset to its POR value. Then during host controller probe, it will output 'high' due to GPIOD_OUT_HIGH flag. Then during rockchip_pcie_host_init_port(), it will first output 'low' and then 'high' indicating the completion of controller initialization. On the endpoint side, each output 'low' of ep_gpio is accounted for PERST# assert and 'high' for PERST# deassert. With the above mentioned flow during host reboot, endpoint will witness below state changes for PERST#: (1) PERST# assert - GPIO POR state (2) PERST# deassert - GPIOD_OUT_HIGH while requesting GPIO (3) PERST# assert - rockchip_pcie_host_init_port() (4) PERST# deassert - rockchip_pcie_host_init_port() Now the time interval between (2) and (3) is very short as both happen during the driver probe(), and this results in a race in the endpoint. Because, before completing the PERST# deassertion in (2), endpoint got another PERST# assert in (3). A proper way to fix this issue is to change the GPIOD_OUT_HIGH flag in (2) to GPIOD_OUT_LOW. Because the usual convention is to request the GPIO with a state corresponding to its 'initial/default' value and let the driver change the state of the GPIO when required. As per that, the ep_gpio should be requested with GPIOD_OUT_LOW as it corresponds to the POR value of '0' (PERST# assert in the endpoint). Then the driver can change the state of the ep_gpio later in rockchip_pcie_host_init_port() as per the initialization sequence. This fixes the firmware crash issue in Qcom based modems connected to Rockpro64 based board. Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support") Closes: https://lore.kernel.org/mhi/20240402045647.GG2933@thinkpad/ Link: https://lore.kernel.org/linux-pci/20240416-pci-rockchip-perst-fix-v1-1-4800b1d4d954@linaro.org Reported-by: Slark Xiao Signed-off-by: Manivannan Sadhasivam Signed-off-by: Krzysztof Wilczyński Signed-off-by: Bjorn Helgaas Reviewed-by: Niklas Cassel Cc: stable@vger.kernel.org # v4.9 Signed-off-by: Sasha Levin (cherry picked from commit 8de378d17e5b737907c04acc2fab6d966a129f70) [Harshit: Apply the same in drivers/pci/host/pcie-rockchip.c as 4.14.y doesn't have commit: 6e0832fa432e ("PCI: Collect all native drivers under drivers/pci/controller/") and not a candidate for backporting] Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- drivers/pci/host/pcie-rockchip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/pci/host/pcie-rockchip.c b/drivers/pci/host/pcie-rockchip.c index b3aa7831ef56..1859c9721623 100644 --- a/drivers/pci/host/pcie-rockchip.c +++ b/drivers/pci/host/pcie-rockchip.c @@ -1094,7 +1094,7 @@ static int rockchip_pcie_parse_dt(struct rockchip_pcie *rockchip) } rockchip->ep_gpio = devm_gpiod_get_optional(dev, "ep", - GPIOD_OUT_HIGH); + GPIOD_OUT_LOW); if (IS_ERR(rockchip->ep_gpio)) { return dev_err_probe(dev, PTR_ERR(rockchip->ep_gpio), "failed to get ep GPIO\n"); From d34a87ca6e4c611b125d238c3a56b712a612acd6 Mon Sep 17 00:00:00 2001 From: "Gustavo A. R. Silva" Date: Sun, 25 Nov 2018 21:48:45 +0000 Subject: [PATCH 094/173] parport: parport_pc: Mark expected switch fall-through [ Upstream commit aa1f0fa374ed23528b915a693a11b0f275a299c0 ] In preparation to enabling -Wimplicit-fallthrough, mark switch cases where we are expecting to fall through. Addresses-Coverity-ID: 114730 ("Missing break in switch") Signed-off-by: Gustavo A. R. Silva Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman Stable-dep-of: ab11dac93d2d ("dev/parport: fix the array out-of-bounds risk") Signed-off-by: Sasha Levin (cherry picked from commit f1af18ba5925abb275de8bf387fceb9fbf93a096) Signed-off-by: Vegard Nossum --- drivers/parport/parport_pc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c index c34ad5dd62e3..1f9908b1d9d6 100644 --- a/drivers/parport/parport_pc.c +++ b/drivers/parport/parport_pc.c @@ -1667,7 +1667,7 @@ static int parport_ECP_supported(struct parport *pb) default: printk(KERN_WARNING "0x%lx: Unknown implementation ID\n", pb->base); - /* Assume 1 */ + /* Fall through - Assume 1 */ case 1: pword = 1; } From af0192bb58b539ec732125a76fe4d69660147cca Mon Sep 17 00:00:00 2001 From: Joe Perches Date: Fri, 3 Apr 2020 14:43:16 +0100 Subject: [PATCH 095/173] parport: Convert printk(KERN_ to pr_( [ Upstream commit decf26f6ec25dac868782dc1751623a87d147831 ] Use the more common kernel style. Miscellanea: o Coalesce formats o Realign arguments Signed-off-by: Joe Perches Reviewed-by: Randy Dunlap Signed-off-by: Sudip Mukherjee Link: https://lore.kernel.org/r/20200403134325.11523-2-sudipm.mukherjee@gmail.com Signed-off-by: Greg Kroah-Hartman Stable-dep-of: ab11dac93d2d ("dev/parport: fix the array out-of-bounds risk") Signed-off-by: Sasha Levin (cherry picked from commit cb2a998b88d173ec23423fa13ae2da463449728a) Signed-off-by: Vegard Nossum --- drivers/parport/daisy.c | 6 +- drivers/parport/ieee1284.c | 4 +- drivers/parport/ieee1284_ops.c | 3 +- drivers/parport/parport_amiga.c | 2 +- drivers/parport/parport_atari.c | 2 +- drivers/parport/parport_cs.c | 6 +- drivers/parport/parport_gsc.c | 7 +- drivers/parport/parport_ip32.c | 25 ++--- drivers/parport/parport_mfc3.c | 2 +- drivers/parport/parport_pc.c | 166 +++++++++++++------------------ drivers/parport/parport_sunbpp.c | 2 +- drivers/parport/probe.c | 7 +- drivers/parport/share.c | 24 ++--- 13 files changed, 110 insertions(+), 146 deletions(-) diff --git a/drivers/parport/daisy.c b/drivers/parport/daisy.c index 5484a46dafda..465acebd6438 100644 --- a/drivers/parport/daisy.c +++ b/drivers/parport/daisy.c @@ -109,8 +109,7 @@ again: ((num_ports = num_mux_ports(port)) == 2 || num_ports == 4)) { /* Leave original as port zero. */ port->muxport = 0; - printk(KERN_INFO - "%s: 1st (default) port of %d-way multiplexor\n", + pr_info("%s: 1st (default) port of %d-way multiplexor\n", port->name, num_ports); for (i = 1; i < num_ports; i++) { /* Clone the port. */ @@ -123,8 +122,7 @@ again: continue; } - printk(KERN_INFO - "%s: %d%s port of %d-way multiplexor on %s\n", + pr_info("%s: %d%s port of %d-way multiplexor on %s\n", extra->name, i + 1, th[i + 1], num_ports, port->name); diff --git a/drivers/parport/ieee1284.c b/drivers/parport/ieee1284.c index 74cc6dd982d2..9b5a97fb6a60 100644 --- a/drivers/parport/ieee1284.c +++ b/drivers/parport/ieee1284.c @@ -336,7 +336,7 @@ int parport_negotiate (struct parport *port, int mode) #ifndef CONFIG_PARPORT_1284 if (mode == IEEE1284_MODE_COMPAT) return 0; - printk (KERN_ERR "parport: IEEE1284 not supported in this kernel\n"); + pr_err("parport: IEEE1284 not supported in this kernel\n"); return -1; #else int m = mode & ~IEEE1284_ADDR; @@ -700,7 +700,7 @@ ssize_t parport_write (struct parport *port, const void *buffer, size_t len) ssize_t parport_read (struct parport *port, void *buffer, size_t len) { #ifndef CONFIG_PARPORT_1284 - printk (KERN_ERR "parport: IEEE1284 not supported in this kernel\n"); + pr_err("parport: IEEE1284 not supported in this kernel\n"); return -ENODEV; #else int mode = port->physport->ieee1284.mode; diff --git a/drivers/parport/ieee1284_ops.c b/drivers/parport/ieee1284_ops.c index 75daa16f38b7..58ec484c7305 100644 --- a/drivers/parport/ieee1284_ops.c +++ b/drivers/parport/ieee1284_ops.c @@ -599,8 +599,7 @@ size_t parport_ieee1284_ecp_read_data (struct parport *port, DPRINTK (KERN_DEBUG "ECP read timed out at 45\n"); if (command) - printk (KERN_WARNING - "%s: command ignored (%02x)\n", + pr_warn("%s: command ignored (%02x)\n", port->name, byte); break; diff --git a/drivers/parport/parport_amiga.c b/drivers/parport/parport_amiga.c index 9c68f2aec4ff..75779725f638 100644 --- a/drivers/parport/parport_amiga.c +++ b/drivers/parport/parport_amiga.c @@ -211,7 +211,7 @@ static int __init amiga_parallel_probe(struct platform_device *pdev) if (err) goto out_irq; - printk(KERN_INFO "%s: Amiga built-in port using irq\n", p->name); + pr_info("%s: Amiga built-in port using irq\n", p->name); /* XXX: set operating mode */ parport_announce_port(p); diff --git a/drivers/parport/parport_atari.c b/drivers/parport/parport_atari.c index 9fbf6ccd54de..2f8c7f6617d7 100644 --- a/drivers/parport/parport_atari.c +++ b/drivers/parport/parport_atari.c @@ -199,7 +199,7 @@ static int __init parport_atari_init(void) } this_port = p; - printk(KERN_INFO "%s: Atari built-in port using irq\n", p->name); + pr_info("%s: Atari built-in port using irq\n", p->name); parport_announce_port (p); return 0; diff --git a/drivers/parport/parport_cs.c b/drivers/parport/parport_cs.c index e9b52e4a4648..755207ca155f 100644 --- a/drivers/parport/parport_cs.c +++ b/drivers/parport/parport_cs.c @@ -142,10 +142,8 @@ static int parport_config(struct pcmcia_device *link) link->irq, PARPORT_DMA_NONE, &link->dev, IRQF_SHARED); if (p == NULL) { - printk(KERN_NOTICE "parport_cs: parport_pc_probe_port() at " - "0x%3x, irq %u failed\n", - (unsigned int) link->resource[0]->start, - link->irq); + pr_notice("parport_cs: parport_pc_probe_port() at 0x%3x, irq %u failed\n", + (unsigned int)link->resource[0]->start, link->irq); goto failed; } diff --git a/drivers/parport/parport_gsc.c b/drivers/parport/parport_gsc.c index 5f710aaaf3da..a0c6c2c94f2f 100644 --- a/drivers/parport/parport_gsc.c +++ b/drivers/parport/parport_gsc.c @@ -287,7 +287,7 @@ struct parport *parport_gsc_probe_port(unsigned long base, p->size = (p->modes & PARPORT_MODE_EPP)?8:3; p->private_data = priv; - printk(KERN_INFO "%s: PC-style at 0x%lx", p->name, p->base); + pr_info("%s: PC-style at 0x%lx", p->name, p->base); p->irq = irq; if (p->irq == PARPORT_IRQ_AUTO) { p->irq = PARPORT_IRQ_NONE; @@ -320,8 +320,7 @@ struct parport *parport_gsc_probe_port(unsigned long base, if (p->irq != PARPORT_IRQ_NONE) { if (request_irq (p->irq, parport_irq_handler, 0, p->name, p)) { - printk (KERN_WARNING "%s: irq %d in use, " - "resorting to polled operation\n", + pr_warn("%s: irq %d in use, resorting to polled operation\n", p->name, p->irq); p->irq = PARPORT_IRQ_NONE; p->dma = PARPORT_DMA_NONE; @@ -352,7 +351,7 @@ static int __init parport_init_chip(struct parisc_device *dev) unsigned long port; if (!dev->irq) { - printk(KERN_WARNING "IRQ not found for parallel device at 0x%llx\n", + pr_warn("IRQ not found for parallel device at 0x%llx\n", (unsigned long long)dev->hpa.start); return -ENODEV; } diff --git a/drivers/parport/parport_ip32.c b/drivers/parport/parport_ip32.c index 0186db7680d4..05436c316b39 100644 --- a/drivers/parport/parport_ip32.c +++ b/drivers/parport/parport_ip32.c @@ -1348,9 +1348,8 @@ static unsigned int parport_ip32_fwp_wait_interrupt(struct parport *p) ecr = parport_ip32_read_econtrol(p); if ((ecr & ECR_F_EMPTY) && !(ecr & ECR_SERVINTR) && !lost_interrupt) { - printk(KERN_WARNING PPIP32 - "%s: lost interrupt in %s\n", - p->name, __func__); + pr_warn(PPIP32 "%s: lost interrupt in %s\n", + p->name, __func__); lost_interrupt = 1; } } @@ -1654,8 +1653,8 @@ static size_t parport_ip32_compat_write_data(struct parport *p, DSR_nBUSY | DSR_nFAULT)) { /* Avoid to flood the logs */ if (ready_before) - printk(KERN_INFO PPIP32 "%s: not ready in %s\n", - p->name, __func__); + pr_info(PPIP32 "%s: not ready in %s\n", + p->name, __func__); ready_before = 0; goto stop; } @@ -1735,8 +1734,8 @@ static size_t parport_ip32_ecp_write_data(struct parport *p, DSR_nBUSY | DSR_nFAULT)) { /* Avoid to flood the logs */ if (ready_before) - printk(KERN_INFO PPIP32 "%s: not ready in %s\n", - p->name, __func__); + pr_info(PPIP32 "%s: not ready in %s\n", + p->name, __func__); ready_before = 0; goto stop; } @@ -2075,8 +2074,7 @@ static __init struct parport *parport_ip32_probe_port(void) p->modes |= PARPORT_MODE_TRISTATE; if (!parport_ip32_fifo_supported(p)) { - printk(KERN_WARNING PPIP32 - "%s: error: FIFO disabled\n", p->name); + pr_warn(PPIP32 "%s: error: FIFO disabled\n", p->name); /* Disable hardware modes depending on a working FIFO. */ features &= ~PARPORT_IP32_ENABLE_SPP; features &= ~PARPORT_IP32_ENABLE_ECP; @@ -2088,8 +2086,7 @@ static __init struct parport *parport_ip32_probe_port(void) if (features & PARPORT_IP32_ENABLE_IRQ) { int irq = MACEISA_PARALLEL_IRQ; if (request_irq(irq, parport_ip32_interrupt, 0, p->name, p)) { - printk(KERN_WARNING PPIP32 - "%s: error: IRQ disabled\n", p->name); + pr_warn(PPIP32 "%s: error: IRQ disabled\n", p->name); /* DMA cannot work without interrupts. */ features &= ~PARPORT_IP32_ENABLE_DMA; } else { @@ -2102,8 +2099,7 @@ static __init struct parport *parport_ip32_probe_port(void) /* Allocate DMA resources */ if (features & PARPORT_IP32_ENABLE_DMA) { if (parport_ip32_dma_register()) - printk(KERN_WARNING PPIP32 - "%s: error: DMA disabled\n", p->name); + pr_warn(PPIP32 "%s: error: DMA disabled\n", p->name); else { pr_probe(p, "DMA support enabled\n"); p->dma = 0; /* arbitrary value != PARPORT_DMA_NONE */ @@ -2145,8 +2141,7 @@ static __init struct parport *parport_ip32_probe_port(void) parport_ip32_dump_state(p, "end init", 0); /* Print out what we found */ - printk(KERN_INFO "%s: SGI IP32 at 0x%lx (0x%lx)", - p->name, p->base, p->base_hi); + pr_info("%s: SGI IP32 at 0x%lx (0x%lx)", p->name, p->base, p->base_hi); if (p->irq != PARPORT_IRQ_NONE) printk(", irq %d", p->irq); printk(" ["); diff --git a/drivers/parport/parport_mfc3.c b/drivers/parport/parport_mfc3.c index 7f4be0e484c7..378b6bce3ae7 100644 --- a/drivers/parport/parport_mfc3.c +++ b/drivers/parport/parport_mfc3.c @@ -324,7 +324,7 @@ static int __init parport_mfc3_init(void) p->dev = &z->dev; this_port[pias++] = p; - printk(KERN_INFO "%s: Multiface III port using irq\n", p->name); + pr_info("%s: Multiface III port using irq\n", p->name); /* XXX: set operating mode */ p->private_data = (void *)piabase; diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c index 1f9908b1d9d6..2bc5593b7606 100644 --- a/drivers/parport/parport_pc.c +++ b/drivers/parport/parport_pc.c @@ -981,28 +981,24 @@ static void show_parconfig_smsc37c669(int io, int key) outb(0xaa, io); if (verbose_probing) { - printk(KERN_INFO - "SMSC 37c669 LPT Config: cr_1=0x%02x, 4=0x%02x, " - "A=0x%2x, 23=0x%02x, 26=0x%02x, 27=0x%02x\n", + pr_info("SMSC 37c669 LPT Config: cr_1=0x%02x, 4=0x%02x, A=0x%2x, 23=0x%02x, 26=0x%02x, 27=0x%02x\n", cr1, cr4, cra, cr23, cr26, cr27); /* The documentation calls DMA and IRQ-Lines by letters, so the board maker can/will wire them appropriately/randomly... G=reserved H=IDE-irq, */ - printk(KERN_INFO - "SMSC LPT Config: io=0x%04x, irq=%c, dma=%c, fifo threshold=%d\n", - cr23 * 4, - (cr27 & 0x0f) ? 'A' - 1 + (cr27 & 0x0f) : '-', - (cr26 & 0x0f) ? 'A' - 1 + (cr26 & 0x0f) : '-', - cra & 0x0f); - printk(KERN_INFO "SMSC LPT Config: enabled=%s power=%s\n", - (cr23 * 4 >= 0x100) ? "yes" : "no", - (cr1 & 4) ? "yes" : "no"); - printk(KERN_INFO - "SMSC LPT Config: Port mode=%s, EPP version =%s\n", - (cr1 & 0x08) ? "Standard mode only (SPP)" - : modes[cr4 & 0x03], - (cr4 & 0x40) ? "1.7" : "1.9"); + pr_info("SMSC LPT Config: io=0x%04x, irq=%c, dma=%c, fifo threshold=%d\n", + cr23 * 4, + (cr27 & 0x0f) ? 'A' - 1 + (cr27 & 0x0f) : '-', + (cr26 & 0x0f) ? 'A' - 1 + (cr26 & 0x0f) : '-', + cra & 0x0f); + pr_info("SMSC LPT Config: enabled=%s power=%s\n", + (cr23 * 4 >= 0x100) ? "yes" : "no", + (cr1 & 4) ? "yes" : "no"); + pr_info("SMSC LPT Config: Port mode=%s, EPP version =%s\n", + (cr1 & 0x08) ? "Standard mode only (SPP)" + : modes[cr4 & 0x03], + (cr4 & 0x40) ? "1.7" : "1.9"); } /* Heuristics ! BIOS setup for this mainboard device limits @@ -1012,7 +1008,7 @@ static void show_parconfig_smsc37c669(int io, int key) if (cr23 * 4 >= 0x100) { /* if active */ s = find_free_superio(); if (s == NULL) - printk(KERN_INFO "Super-IO: too many chips!\n"); + pr_info("Super-IO: too many chips!\n"); else { int d; switch (cr23 * 4) { @@ -1077,26 +1073,24 @@ static void show_parconfig_winbond(int io, int key) outb(0xaa, io); if (verbose_probing) { - printk(KERN_INFO - "Winbond LPT Config: cr_30=%02x 60,61=%02x%02x 70=%02x 74=%02x, f0=%02x\n", - cr30, cr60, cr61, cr70, cr74, crf0); - printk(KERN_INFO "Winbond LPT Config: active=%s, io=0x%02x%02x irq=%d, ", - (cr30 & 0x01) ? "yes" : "no", cr60, cr61, cr70 & 0x0f); + pr_info("Winbond LPT Config: cr_30=%02x 60,61=%02x%02x 70=%02x 74=%02x, f0=%02x\n", + cr30, cr60, cr61, cr70, cr74, crf0); + pr_info("Winbond LPT Config: active=%s, io=0x%02x%02x irq=%d, ", + (cr30 & 0x01) ? "yes" : "no", cr60, cr61, cr70 & 0x0f); if ((cr74 & 0x07) > 3) pr_cont("dma=none\n"); else pr_cont("dma=%d\n", cr74 & 0x07); - printk(KERN_INFO - "Winbond LPT Config: irqtype=%s, ECP fifo threshold=%d\n", - irqtypes[crf0>>7], (crf0>>3)&0x0f); - printk(KERN_INFO "Winbond LPT Config: Port mode=%s\n", - modes[crf0 & 0x07]); + pr_info("Winbond LPT Config: irqtype=%s, ECP fifo threshold=%d\n", + irqtypes[crf0 >> 7], (crf0 >> 3) & 0x0f); + pr_info("Winbond LPT Config: Port mode=%s\n", + modes[crf0 & 0x07]); } if (cr30 & 0x01) { /* the settings can be interrogated later ... */ s = find_free_superio(); if (s == NULL) - printk(KERN_INFO "Super-IO: too many chips!\n"); + pr_info("Super-IO: too many chips!\n"); else { s->io = (cr60 << 8) | cr61; s->irq = cr70 & 0x0f; @@ -1150,9 +1144,8 @@ static void decode_winbond(int efer, int key, int devid, int devrev, int oldid) progif = 0; if (verbose_probing) - printk(KERN_INFO "Winbond chip at EFER=0x%x key=0x%02x " - "devid=%02x devrev=%02x oldid=%02x type=%s\n", - efer, key, devid, devrev, oldid, type); + pr_info("Winbond chip at EFER=0x%x key=0x%02x devid=%02x devrev=%02x oldid=%02x type=%s\n", + efer, key, devid, devrev, oldid, type); if (progif == 2) show_parconfig_winbond(efer, key); @@ -1183,9 +1176,8 @@ static void decode_smsc(int efer, int key, int devid, int devrev) type = "37c666GT"; if (verbose_probing) - printk(KERN_INFO "SMSC chip at EFER=0x%x " - "key=0x%02x devid=%02x devrev=%02x type=%s\n", - efer, key, devid, devrev, type); + pr_info("SMSC chip at EFER=0x%x key=0x%02x devid=%02x devrev=%02x type=%s\n", + efer, key, devid, devrev, type); if (func) func(efer, key); @@ -1357,7 +1349,7 @@ static void detect_and_report_it87(void) dev |= inb(0x2f); if (dev == 0x8712 || dev == 0x8705 || dev == 0x8715 || dev == 0x8716 || dev == 0x8718 || dev == 0x8726) { - printk(KERN_INFO "IT%04X SuperIO detected.\n", dev); + pr_info("IT%04X SuperIO detected\n", dev); outb(0x07, 0x2E); /* Parallel Port */ outb(0x03, 0x2F); outb(0xF0, 0x2E); /* BOOT 0x80 off */ @@ -1444,8 +1436,8 @@ static int parport_SPP_supported(struct parport *pb) if (user_specified) /* That didn't work, but the user thinks there's a * port here. */ - printk(KERN_INFO "parport 0x%lx (WARNING): CTR: " - "wrote 0x%02x, read 0x%02x\n", pb->base, w, r); + pr_info("parport 0x%lx (WARNING): CTR: wrote 0x%02x, read 0x%02x\n", + pb->base, w, r); /* Try the data register. The data lines aren't tri-stated at * this stage, so we expect back what we wrote. */ @@ -1463,10 +1455,9 @@ static int parport_SPP_supported(struct parport *pb) if (user_specified) { /* Didn't work, but the user is convinced this is the * place. */ - printk(KERN_INFO "parport 0x%lx (WARNING): DATA: " - "wrote 0x%02x, read 0x%02x\n", pb->base, w, r); - printk(KERN_INFO "parport 0x%lx: You gave this address, " - "but there is probably no parallel port there!\n", + pr_info("parport 0x%lx (WARNING): DATA: wrote 0x%02x, read 0x%02x\n", + pb->base, w, r); + pr_info("parport 0x%lx: You gave this address, but there is probably no parallel port there!\n", pb->base); } @@ -1641,7 +1632,7 @@ static int parport_ECP_supported(struct parport *pb) if (i <= priv->fifo_depth) { if (verbose_probing) - printk(KERN_INFO "0x%lx: readIntrThreshold is %d\n", + pr_info("0x%lx: readIntrThreshold is %d\n", pb->base, i); } else /* Number of bytes we can read if we get an interrupt. */ @@ -1656,17 +1647,14 @@ static int parport_ECP_supported(struct parport *pb) switch (pword) { case 0: pword = 2; - printk(KERN_WARNING "0x%lx: Unsupported pword size!\n", - pb->base); + pr_warn("0x%lx: Unsupported pword size!\n", pb->base); break; case 2: pword = 4; - printk(KERN_WARNING "0x%lx: Unsupported pword size!\n", - pb->base); + pr_warn("0x%lx: Unsupported pword size!\n", pb->base); break; default: - printk(KERN_WARNING "0x%lx: Unknown implementation ID\n", - pb->base); + pr_warn("0x%lx: Unknown implementation ID\n", pb->base); /* Fall through - Assume 1 */ case 1: pword = 1; @@ -2106,9 +2094,9 @@ struct parport *parport_pc_probe_port(unsigned long int base, p->size = (p->modes & PARPORT_MODE_EPP) ? 8 : 3; - printk(KERN_INFO "%s: PC-style at 0x%lx", p->name, p->base); + pr_info("%s: PC-style at 0x%lx", p->name, p->base); if (p->base_hi && priv->ecr) - printk(KERN_CONT " (0x%lx)", p->base_hi); + pr_cont(" (0x%lx)", p->base_hi); if (p->irq == PARPORT_IRQ_AUTO) { p->irq = PARPORT_IRQ_NONE; parport_irq_probe(p); @@ -2119,7 +2107,7 @@ struct parport *parport_pc_probe_port(unsigned long int base, p->irq = PARPORT_IRQ_NONE; } if (p->irq != PARPORT_IRQ_NONE) { - printk(KERN_CONT ", irq %d", p->irq); + pr_cont(", irq %d", p->irq); priv->ctr_writable |= 0x10; if (p->dma == PARPORT_DMA_AUTO) { @@ -2143,21 +2131,21 @@ struct parport *parport_pc_probe_port(unsigned long int base, /* p->ops->ecp_read_data = parport_pc_ecp_read_block_pio; */ #endif /* IEEE 1284 support */ if (p->dma != PARPORT_DMA_NONE) { - printk(KERN_CONT ", dma %d", p->dma); + pr_cont(", dma %d", p->dma); p->modes |= PARPORT_MODE_DMA; } else - printk(KERN_CONT ", using FIFO"); + pr_cont(", using FIFO"); } else /* We can't use the DMA channel after all. */ p->dma = PARPORT_DMA_NONE; #endif /* Allowed to use FIFO/DMA */ - printk(KERN_CONT " ["); + pr_cont(" ["); #define printmode(x) \ {\ if (p->modes & PARPORT_MODE_##x) {\ - printk(KERN_CONT "%s%s", f ? "," : "", #x);\ + pr_cont("%s%s", f ? "," : "", #x); \ f++;\ } \ } @@ -2173,11 +2161,11 @@ struct parport *parport_pc_probe_port(unsigned long int base, } #undef printmode #ifndef CONFIG_PARPORT_1284 - printk(KERN_CONT "(,...)"); + pr_cont("(,...)"); #endif /* CONFIG_PARPORT_1284 */ - printk(KERN_CONT "]\n"); + pr_cont("]\n"); if (probedirq != PARPORT_IRQ_NONE) - printk(KERN_INFO "%s: irq %d detected\n", p->name, probedirq); + pr_info("%s: irq %d detected\n", p->name, probedirq); /* If No ECP release the ports grabbed above. */ if (ECR_res && (p->modes & PARPORT_MODE_ECP) == 0) { @@ -2192,8 +2180,7 @@ struct parport *parport_pc_probe_port(unsigned long int base, if (p->irq != PARPORT_IRQ_NONE) { if (request_irq(p->irq, parport_irq_handler, irqflags, p->name, p)) { - printk(KERN_WARNING "%s: irq %d in use, " - "resorting to polled operation\n", + pr_warn("%s: irq %d in use, resorting to polled operation\n", p->name, p->irq); p->irq = PARPORT_IRQ_NONE; p->dma = PARPORT_DMA_NONE; @@ -2203,8 +2190,7 @@ struct parport *parport_pc_probe_port(unsigned long int base, #ifdef HAS_DMA if (p->dma != PARPORT_DMA_NONE) { if (request_dma(p->dma, p->name)) { - printk(KERN_WARNING "%s: dma %d in use, " - "resorting to PIO operation\n", + pr_warn("%s: dma %d in use, resorting to PIO operation\n", p->name, p->dma); p->dma = PARPORT_DMA_NONE; } else { @@ -2214,9 +2200,7 @@ struct parport *parport_pc_probe_port(unsigned long int base, &priv->dma_handle, GFP_KERNEL); if (!priv->dma_buf) { - printk(KERN_WARNING "%s: " - "cannot get buffer for DMA, " - "resorting to PIO operation\n", + pr_warn("%s: cannot get buffer for DMA, resorting to PIO operation\n", p->name); free_dma(p->dma); p->dma = PARPORT_DMA_NONE; @@ -2329,7 +2313,7 @@ static int sio_ite_8872_probe(struct pci_dev *pdev, int autoirq, int autodma, } } if (i >= 5) { - printk(KERN_INFO "parport_pc: cannot find ITE8872 INTA\n"); + pr_info("parport_pc: cannot find ITE8872 INTA\n"); return 0; } @@ -2338,29 +2322,28 @@ static int sio_ite_8872_probe(struct pci_dev *pdev, int autoirq, int autodma, switch (type) { case 0x2: - printk(KERN_INFO "parport_pc: ITE8871 found (1P)\n"); + pr_info("parport_pc: ITE8871 found (1P)\n"); ite8872set = 0x64200000; break; case 0xa: - printk(KERN_INFO "parport_pc: ITE8875 found (1P)\n"); + pr_info("parport_pc: ITE8875 found (1P)\n"); ite8872set = 0x64200000; break; case 0xe: - printk(KERN_INFO "parport_pc: ITE8872 found (2S1P)\n"); + pr_info("parport_pc: ITE8872 found (2S1P)\n"); ite8872set = 0x64e00000; break; case 0x6: - printk(KERN_INFO "parport_pc: ITE8873 found (1S)\n"); + pr_info("parport_pc: ITE8873 found (1S)\n"); release_region(inta_addr[i], 32); return 0; case 0x8: - printk(KERN_INFO "parport_pc: ITE8874 found (2S)\n"); + pr_info("parport_pc: ITE8874 found (2S)\n"); release_region(inta_addr[i], 32); return 0; default: - printk(KERN_INFO "parport_pc: unknown ITE887x\n"); - printk(KERN_INFO "parport_pc: please mail 'lspci -nvv' " - "output to Rich.Liu@ite.com.tw\n"); + pr_info("parport_pc: unknown ITE887x\n"); + pr_info("parport_pc: please mail 'lspci -nvv' output to Rich.Liu@ite.com.tw\n"); release_region(inta_addr[i], 32); return 0; } @@ -2395,9 +2378,8 @@ static int sio_ite_8872_probe(struct pci_dev *pdev, int autoirq, int autodma, release_region(inta_addr[i], 32); if (parport_pc_probe_port(ite8872_lpt, ite8872_lpthi, irq, PARPORT_DMA_NONE, &pdev->dev, 0)) { - printk(KERN_INFO - "parport_pc: ITE 8872 parallel port: io=0x%X", - ite8872_lpt); + pr_info("parport_pc: ITE 8872 parallel port: io=0x%X", + ite8872_lpt); if (irq != PARPORT_IRQ_NONE) pr_cont(", irq=%d", irq); pr_cont("\n"); @@ -2524,7 +2506,7 @@ static int sio_via_probe(struct pci_dev *pdev, int autoirq, int autodma, pci_write_config_byte(pdev, via->via_pci_superio_config_reg, tmp); if (siofunc == VIA_FUNCTION_PARPORT_DISABLE) { - printk(KERN_INFO "parport_pc: VIA parallel port disabled in BIOS\n"); + pr_info("parport_pc: VIA parallel port disabled in BIOS\n"); return 0; } @@ -2557,9 +2539,8 @@ static int sio_via_probe(struct pci_dev *pdev, int autoirq, int autodma, case 0x278: port2 = 0x678; break; default: - printk(KERN_INFO - "parport_pc: Weird VIA parport base 0x%X, ignoring\n", - port1); + pr_info("parport_pc: Weird VIA parport base 0x%X, ignoring\n", + port1); return 0; } @@ -2578,8 +2559,7 @@ static int sio_via_probe(struct pci_dev *pdev, int autoirq, int autodma, /* finally, do the probe with values obtained */ if (parport_pc_probe_port(port1, port2, irq, dma, &pdev->dev, 0)) { - printk(KERN_INFO - "parport_pc: VIA parallel port: io=0x%X", port1); + pr_info("parport_pc: VIA parallel port: io=0x%X", port1); if (irq != PARPORT_IRQ_NONE) pr_cont(", irq=%d", irq); if (dma != PARPORT_DMA_NONE) @@ -2588,7 +2568,7 @@ static int sio_via_probe(struct pci_dev *pdev, int autoirq, int autodma, return 1; } - printk(KERN_WARNING "parport_pc: Strange, can't probe VIA parallel port: io=0x%X, irq=%d, dma=%d\n", + pr_warn("parport_pc: Strange, can't probe VIA parallel port: io=0x%X, irq=%d, dma=%d\n", port1, irq, dma); return 0; } @@ -3131,7 +3111,7 @@ static int __init parport_parse_param(const char *s, int *val, if (ep != s) *val = r; else { - printk(KERN_ERR "parport: bad specifier `%s'\n", s); + pr_err("parport: bad specifier `%s'\n", s); return -1; } } @@ -3221,10 +3201,7 @@ static int __init parse_parport_params(void) irqval[0] = val; break; default: - printk(KERN_WARNING - "parport_pc: irq specified " - "without base address. Use 'io=' " - "to specify one\n"); + pr_warn("parport_pc: irq specified without base address. Use 'io=' to specify one\n"); } if (dma[0] && !parport_parse_dma(dma[0], &val)) @@ -3234,10 +3211,7 @@ static int __init parse_parport_params(void) dmaval[0] = val; break; default: - printk(KERN_WARNING - "parport_pc: dma specified " - "without base address. Use 'io=' " - "to specify one\n"); + pr_warn("parport_pc: dma specified without base address. Use 'io=' to specify one\n"); } } return 0; @@ -3276,12 +3250,12 @@ static int __init parport_setup(char *str) val = simple_strtoul(str, &endptr, 0); if (endptr == str) { - printk(KERN_WARNING "parport=%s not understood\n", str); + pr_warn("parport=%s not understood\n", str); return 1; } if (parport_setup_ptr == PARPORT_PC_MAX_PORTS) { - printk(KERN_ERR "parport=%s ignored, too many ports\n", str); + pr_err("parport=%s ignored, too many ports\n", str); return 1; } diff --git a/drivers/parport/parport_sunbpp.c b/drivers/parport/parport_sunbpp.c index 8de329546b82..77671b7ad421 100644 --- a/drivers/parport/parport_sunbpp.c +++ b/drivers/parport/parport_sunbpp.c @@ -313,7 +313,7 @@ static int bpp_probe(struct platform_device *op) value_tcr &= ~P_TCR_DIR; sbus_writeb(value_tcr, ®s->p_tcr); - printk(KERN_INFO "%s: sunbpp at 0x%lx\n", p->name, p->base); + pr_info("%s: sunbpp at 0x%lx\n", p->name, p->base); dev_set_drvdata(&op->dev, p); diff --git a/drivers/parport/probe.c b/drivers/parport/probe.c index e035174ba205..650206c71875 100644 --- a/drivers/parport/probe.c +++ b/drivers/parport/probe.c @@ -38,7 +38,7 @@ static void pretty_print(struct parport *port, int device) { struct parport_device_info *info = &port->probe_info[device + 1]; - printk(KERN_INFO "%s", port->name); + pr_info("%s", port->name); if (device >= 0) printk (" (addr %d)", device); @@ -58,7 +58,7 @@ static void parse_data(struct parport *port, int device, char *str) struct parport_device_info *info = &port->probe_info[device + 1]; if (!txt) { - printk(KERN_WARNING "%s probe: memory squeeze\n", port->name); + pr_warn("%s probe: memory squeeze\n", port->name); return; } strcpy(txt, str); @@ -98,7 +98,8 @@ static void parse_data(struct parport *port, int device, char *str) goto rock_on; } } - printk(KERN_WARNING "%s probe: warning, class '%s' not understood.\n", port->name, sep); + pr_warn("%s probe: warning, class '%s' not understood\n", + port->name, sep); info->class = PARPORT_CLASS_OTHER; } else if (!strcmp(p, "CMD") || !strcmp(p, "COMMAND SET")) { diff --git a/drivers/parport/share.c b/drivers/parport/share.c index 15c81cffd2de..fc2930fb9bee 100644 --- a/drivers/parport/share.c +++ b/drivers/parport/share.c @@ -555,8 +555,8 @@ void parport_announce_port(struct parport *port) #endif if (!port->dev) - printk(KERN_WARNING "%s: fix this legacy no-device port driver!\n", - port->name); + pr_warn("%s: fix this legacy no-device port driver!\n", + port->name); parport_proc_register(port); mutex_lock(®istration_lock); @@ -728,7 +728,8 @@ parport_register_device(struct parport *port, const char *name, if (flags & PARPORT_DEV_LURK) { if (!pf || !kf) { - printk(KERN_INFO "%s: refused to register lurking device (%s) without callbacks\n", port->name, name); + pr_info("%s: refused to register lurking device (%s) without callbacks\n", + port->name, name); return NULL; } } @@ -997,7 +998,7 @@ void parport_unregister_device(struct pardevice *dev) #ifdef PARPORT_PARANOID if (!dev) { - printk(KERN_ERR "parport_unregister_device: passed NULL\n"); + pr_err("%s: passed NULL\n", __func__); return; } #endif @@ -1138,8 +1139,7 @@ int parport_claim(struct pardevice *dev) unsigned long flags; if (port->cad == dev) { - printk(KERN_INFO "%s: %s already owner\n", - dev->port->name,dev->name); + pr_info("%s: %s already owner\n", dev->port->name, dev->name); return 0; } @@ -1159,9 +1159,8 @@ int parport_claim(struct pardevice *dev) * I think we'll actually deadlock rather than * get here, but just in case.. */ - printk(KERN_WARNING - "%s: %s released port when preempted!\n", - port->name, oldcad->name); + pr_warn("%s: %s released port when preempted!\n", + port->name, oldcad->name); if (port->cad) goto blocked; } @@ -1321,8 +1320,8 @@ void parport_release(struct pardevice *dev) write_lock_irqsave(&port->cad_lock, flags); if (port->cad != dev) { write_unlock_irqrestore(&port->cad_lock, flags); - printk(KERN_WARNING "%s: %s tried to release parport when not owner\n", - port->name, dev->name); + pr_warn("%s: %s tried to release parport when not owner\n", + port->name, dev->name); return; } @@ -1362,7 +1361,8 @@ void parport_release(struct pardevice *dev) if (dev->port->cad) /* racy but no matter */ return; } else { - printk(KERN_ERR "%s: don't know how to wake %s\n", port->name, pd->name); + pr_err("%s: don't know how to wake %s\n", + port->name, pd->name); } } From 4582fe6f2d5fddcf7a63b59b666e8837f2cecf9a Mon Sep 17 00:00:00 2001 From: Joe Perches Date: Fri, 3 Apr 2020 14:43:22 +0100 Subject: [PATCH 096/173] parport: Standardize use of printmode [ Upstream commit a6abfdff4fe5dd19d1f1b37d72ba34cd4492fd4d ] Standardize the define and the uses of printmode. Miscellanea: o Add missing statement termination ; where necessary Signed-off-by: Joe Perches Reviewed-by: Randy Dunlap Signed-off-by: Sudip Mukherjee Link: https://lore.kernel.org/r/20200403134325.11523-8-sudipm.mukherjee@gmail.com Signed-off-by: Greg Kroah-Hartman Stable-dep-of: ab11dac93d2d ("dev/parport: fix the array out-of-bounds risk") Signed-off-by: Sasha Levin (cherry picked from commit 884ab25dbf115938facb91be85ffed9266e26f8b) Signed-off-by: Vegard Nossum --- drivers/parport/parport_gsc.c | 8 ++++++-- drivers/parport/parport_pc.c | 14 ++++++-------- drivers/parport/procfs.c | 6 +++++- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/drivers/parport/parport_gsc.c b/drivers/parport/parport_gsc.c index a0c6c2c94f2f..b9cab25343aa 100644 --- a/drivers/parport/parport_gsc.c +++ b/drivers/parport/parport_gsc.c @@ -304,12 +304,16 @@ struct parport *parport_gsc_probe_port(unsigned long base, p->dma = PARPORT_DMA_NONE; pr_cont(" ["); -#define printmode(x) {if(p->modes&PARPORT_MODE_##x){pr_cont("%s%s",f?",":"",#x);f++;}} +#define printmode(x) \ +do { \ + if (p->modes & PARPORT_MODE_##x) \ + pr_cont("%s%s", f++ ? "," : "", #x); \ +} while (0) { int f = 0; printmode(PCSPP); printmode(TRISTATE); - printmode(COMPAT) + printmode(COMPAT); printmode(EPP); // printmode(ECP); // printmode(DMA); diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c index 2bc5593b7606..ad2acafb6850 100644 --- a/drivers/parport/parport_pc.c +++ b/drivers/parport/parport_pc.c @@ -2142,19 +2142,17 @@ struct parport *parport_pc_probe_port(unsigned long int base, pr_cont(" ["); -#define printmode(x) \ - {\ - if (p->modes & PARPORT_MODE_##x) {\ - pr_cont("%s%s", f ? "," : "", #x); \ - f++;\ - } \ - } +#define printmode(x) \ +do { \ + if (p->modes & PARPORT_MODE_##x) \ + pr_cont("%s%s", f++ ? "," : "", #x); \ +} while (0) { int f = 0; printmode(PCSPP); printmode(TRISTATE); - printmode(COMPAT) + printmode(COMPAT); printmode(EPP); printmode(ECP); printmode(DMA); diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c index 48804049d697..e957beb94f14 100644 --- a/drivers/parport/procfs.c +++ b/drivers/parport/procfs.c @@ -213,7 +213,11 @@ static int do_hardware_modes(struct ctl_table *table, int write, return -EACCES; { -#define printmode(x) {if(port->modes&PARPORT_MODE_##x){len+=sprintf(buffer+len,"%s%s",f?",":"",#x);f++;}} +#define printmode(x) \ +do { \ + if (port->modes & PARPORT_MODE_##x) \ + len += sprintf(buffer + len, "%s%s", f++ ? "," : "", #x); \ +} while (0) int f = 0; printmode(PCSPP); printmode(TRISTATE); From 598e7acd167941653c0a54d5732bad40db488504 Mon Sep 17 00:00:00 2001 From: tuhaowen Date: Mon, 8 Jul 2024 16:04:30 +0800 Subject: [PATCH 097/173] dev/parport: fix the array out-of-bounds risk [ Upstream commit ab11dac93d2d568d151b1918d7b84c2d02bacbd5 ] Fixed array out-of-bounds issues caused by sprintf by replacing it with snprintf for safer data copying, ensuring the destination buffer is not overflowed. Below is the stack trace I encountered during the actual issue: [ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport] [ 66.575408s] [pid:5118,cpu4,QThread,5]CPU: 4 PID: 5118 Comm: QThread Tainted: G S W O 5.10.97-arm64-desktop #7100.57021.2 [ 66.575439s] [pid:5118,cpu4,QThread,6]TGID: 5087 Comm: EFileApp [ 66.575439s] [pid:5118,cpu4,QThread,7]Hardware name: HUAWEI HUAWEI QingYun PGUX-W515x-B081/SP1PANGUXM, BIOS 1.00.07 04/29/2024 [ 66.575439s] [pid:5118,cpu4,QThread,8]Call trace: [ 66.575469s] [pid:5118,cpu4,QThread,9] dump_backtrace+0x0/0x1c0 [ 66.575469s] [pid:5118,cpu4,QThread,0] show_stack+0x14/0x20 [ 66.575469s] [pid:5118,cpu4,QThread,1] dump_stack+0xd4/0x10c [ 66.575500s] [pid:5118,cpu4,QThread,2] panic+0x1d8/0x3bc [ 66.575500s] [pid:5118,cpu4,QThread,3] __stack_chk_fail+0x2c/0x38 [ 66.575500s] [pid:5118,cpu4,QThread,4] do_hardware_base_addr+0xcc/0xd0 [parport] Signed-off-by: tuhaowen Cc: stable Link: https://lore.kernel.org/r/20240708080430.8221-1-tuhaowen@uniontech.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 166a0bddcc27de41fe13f861c8348e8e53e988c8) Signed-off-by: Vegard Nossum --- drivers/parport/procfs.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c index e957beb94f14..595e23e6859b 100644 --- a/drivers/parport/procfs.c +++ b/drivers/parport/procfs.c @@ -51,12 +51,12 @@ static int do_active_device(struct ctl_table *table, int write, for (dev = port->devices; dev ; dev = dev->next) { if(dev == port->cad) { - len += sprintf(buffer, "%s\n", dev->name); + len += snprintf(buffer, sizeof(buffer), "%s\n", dev->name); } } if(!len) { - len += sprintf(buffer, "%s\n", "none"); + len += snprintf(buffer, sizeof(buffer), "%s\n", "none"); } if (len > *lenp) @@ -87,19 +87,19 @@ static int do_autoprobe(struct ctl_table *table, int write, } if ((str = info->class_name) != NULL) - len += sprintf (buffer + len, "CLASS:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "CLASS:%s;\n", str); if ((str = info->model) != NULL) - len += sprintf (buffer + len, "MODEL:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "MODEL:%s;\n", str); if ((str = info->mfr) != NULL) - len += sprintf (buffer + len, "MANUFACTURER:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "MANUFACTURER:%s;\n", str); if ((str = info->description) != NULL) - len += sprintf (buffer + len, "DESCRIPTION:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "DESCRIPTION:%s;\n", str); if ((str = info->cmdset) != NULL) - len += sprintf (buffer + len, "COMMAND SET:%s;\n", str); + len += snprintf (buffer + len, sizeof(buffer) - len, "COMMAND SET:%s;\n", str); if (len > *lenp) len = *lenp; @@ -117,7 +117,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write, size_t *lenp, loff_t *ppos) { struct parport *port = (struct parport *)table->extra1; - char buffer[20]; + char buffer[64]; int len = 0; if (*ppos) { @@ -128,7 +128,7 @@ static int do_hardware_base_addr(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += sprintf (buffer, "%lu\t%lu\n", port->base, port->base_hi); + len += snprintf (buffer, sizeof(buffer), "%lu\t%lu\n", port->base, port->base_hi); if (len > *lenp) len = *lenp; @@ -156,7 +156,7 @@ static int do_hardware_irq(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += sprintf (buffer, "%d\n", port->irq); + len += snprintf (buffer, sizeof(buffer), "%d\n", port->irq); if (len > *lenp) len = *lenp; @@ -184,7 +184,7 @@ static int do_hardware_dma(struct ctl_table *table, int write, if (write) /* permissions prevent this anyway */ return -EACCES; - len += sprintf (buffer, "%d\n", port->dma); + len += snprintf (buffer, sizeof(buffer), "%d\n", port->dma); if (len > *lenp) len = *lenp; @@ -216,7 +216,7 @@ static int do_hardware_modes(struct ctl_table *table, int write, #define printmode(x) \ do { \ if (port->modes & PARPORT_MODE_##x) \ - len += sprintf(buffer + len, "%s%s", f++ ? "," : "", #x); \ + len += snprintf(buffer + len, sizeof(buffer) - len, "%s%s", f++ ? "," : "", #x); \ } while (0) int f = 0; printmode(PCSPP); From bdec7b3d4ccbcbd78fd4b6a2c6fe7a849754af52 Mon Sep 17 00:00:00 2001 From: Andy Shevchenko Date: Thu, 1 Apr 2021 20:10:30 +0300 Subject: [PATCH 098/173] driver core: Cast to (void *) with __force for __percpu pointer [ Upstream commit d7aa44f5a1f86cb40659eef06035d8d92604b9d5 ] Sparse is not happy: drivers/base/devres.c:1230:9: warning: cast removes address space '__percpu' of expression Use __force attribute to make it happy. Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210401171030.60527-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Stable-dep-of: bd50a974097b ("devres: Fix memory leakage caused by driver API devm_free_percpu()") Signed-off-by: Sasha Levin (cherry picked from commit b9c258b2a02ba8d6d004f45a1eafa23fd810746b) Signed-off-by: Vegard Nossum --- drivers/base/devres.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/base/devres.c b/drivers/base/devres.c index e43a04a495a3..c4470b639167 100644 --- a/drivers/base/devres.c +++ b/drivers/base/devres.c @@ -1054,6 +1054,6 @@ EXPORT_SYMBOL_GPL(__devm_alloc_percpu); void devm_free_percpu(struct device *dev, void __percpu *pdata) { WARN_ON(devres_destroy(dev, devm_percpu_release, devm_percpu_match, - (void *)pdata)); + (__force void *)pdata)); } EXPORT_SYMBOL_GPL(devm_free_percpu); From 9b6f7f34aae733309a35d9990d4a0cdf2d2eea3b Mon Sep 17 00:00:00 2001 From: Zijun Hu Date: Tue, 2 Jul 2024 22:51:51 +0800 Subject: [PATCH 099/173] devres: Fix memory leakage caused by driver API devm_free_percpu() [ Upstream commit bd50a974097bb82d52a458bd3ee39fb723129a0c ] It will cause memory leakage when use driver API devm_free_percpu() to free memory allocated by devm_alloc_percpu(), fixed by using devres_release() instead of devres_destroy() within devm_free_percpu(). Fixes: ff86aae3b411 ("devres: add devm_alloc_percpu()") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu Link: https://lore.kernel.org/r/1719931914-19035-3-git-send-email-quic_zijuhu@quicinc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin (cherry picked from commit 700e8abd65b10792b2f179ce4e858f2ca2880f85) Signed-off-by: Vegard Nossum --- drivers/base/devres.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/base/devres.c b/drivers/base/devres.c index c4470b639167..f6b54161aeea 100644 --- a/drivers/base/devres.c +++ b/drivers/base/devres.c @@ -1053,7 +1053,11 @@ EXPORT_SYMBOL_GPL(__devm_alloc_percpu); */ void devm_free_percpu(struct device *dev, void __percpu *pdata) { - WARN_ON(devres_destroy(dev, devm_percpu_release, devm_percpu_match, + /* + * Use devres_release() to prevent memory leakage as + * devm_free_pages() does. + */ + WARN_ON(devres_release(dev, devm_percpu_release, devm_percpu_match, (__force void *)pdata)); } EXPORT_SYMBOL_GPL(devm_free_percpu); From 9ce7856eccc159df29f62b1e5ff0c6239422bf63 Mon Sep 17 00:00:00 2001 From: Chao Peng Date: Wed, 24 Oct 2018 16:05:06 +0800 Subject: [PATCH 100/173] perf/x86/intel/pt: Export pt_cap_get() [ Upstream commit f6d079ce867d679e4dffef5b3112c7634215fd88 ] pt_cap_get() is required by the upcoming PT support in KVM guests. Export it and move the capabilites enum to a global header. As a global functions, "pt_*" is already used for ptrace and other things, so it makes sense to use "intel_pt_*" as a prefix. Acked-by: Song Liu Signed-off-by: Chao Peng Signed-off-by: Luwei Kang Signed-off-by: Paolo Bonzini Stable-dep-of: ad97196379d0 ("perf/x86/intel/pt: Fix a topa_entry base address calculation") Signed-off-by: Sasha Levin (cherry picked from commit bea2d4588e90f56da62b0dd9099484a42498b08a) Signed-off-by: Vegard Nossum --- arch/x86/events/intel/pt.c | 49 +++++++++++++++++---------------- arch/x86/events/intel/pt.h | 21 -------------- arch/x86/include/asm/intel_pt.h | 23 ++++++++++++++++ 3 files changed, 49 insertions(+), 44 deletions(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index ad273bba5126..e3219289e097 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -75,7 +75,7 @@ static struct pt_cap_desc { PT_CAP(psb_periods, 1, CPUID_EBX, 0xffff0000), }; -static u32 pt_cap_get(enum pt_capabilities cap) +u32 intel_pt_validate_hw_cap(enum pt_capabilities cap) { struct pt_cap_desc *cd = &pt_caps[cap]; u32 c = pt_pmu.caps[cd->leaf * PT_CPUID_REGS_NUM + cd->reg]; @@ -83,6 +83,7 @@ static u32 pt_cap_get(enum pt_capabilities cap) return (c & cd->mask) >> shift; } +EXPORT_SYMBOL_GPL(intel_pt_validate_hw_cap); static ssize_t pt_cap_show(struct device *cdev, struct device_attribute *attr, @@ -92,7 +93,7 @@ static ssize_t pt_cap_show(struct device *cdev, container_of(attr, struct dev_ext_attribute, attr); enum pt_capabilities cap = (long)ea->var; - return snprintf(buf, PAGE_SIZE, "%x\n", pt_cap_get(cap)); + return snprintf(buf, PAGE_SIZE, "%x\n", intel_pt_validate_hw_cap(cap)); } static struct attribute_group pt_cap_group = { @@ -310,16 +311,16 @@ static bool pt_event_valid(struct perf_event *event) return false; if (config & RTIT_CTL_CYC_PSB) { - if (!pt_cap_get(PT_CAP_psb_cyc)) + if (!intel_pt_validate_hw_cap(PT_CAP_psb_cyc)) return false; - allowed = pt_cap_get(PT_CAP_psb_periods); + allowed = intel_pt_validate_hw_cap(PT_CAP_psb_periods); requested = (config & RTIT_CTL_PSB_FREQ) >> RTIT_CTL_PSB_FREQ_OFFSET; if (requested && (!(allowed & BIT(requested)))) return false; - allowed = pt_cap_get(PT_CAP_cycle_thresholds); + allowed = intel_pt_validate_hw_cap(PT_CAP_cycle_thresholds); requested = (config & RTIT_CTL_CYC_THRESH) >> RTIT_CTL_CYC_THRESH_OFFSET; if (requested && (!(allowed & BIT(requested)))) @@ -334,10 +335,10 @@ static bool pt_event_valid(struct perf_event *event) * Spec says that setting mtc period bits while mtc bit in * CPUID is 0 will #GP, so better safe than sorry. */ - if (!pt_cap_get(PT_CAP_mtc)) + if (!intel_pt_validate_hw_cap(PT_CAP_mtc)) return false; - allowed = pt_cap_get(PT_CAP_mtc_periods); + allowed = intel_pt_validate_hw_cap(PT_CAP_mtc_periods); if (!allowed) return false; @@ -349,11 +350,11 @@ static bool pt_event_valid(struct perf_event *event) } if (config & RTIT_CTL_PWR_EVT_EN && - !pt_cap_get(PT_CAP_power_event_trace)) + !intel_pt_validate_hw_cap(PT_CAP_power_event_trace)) return false; if (config & RTIT_CTL_PTW) { - if (!pt_cap_get(PT_CAP_ptwrite)) + if (!intel_pt_validate_hw_cap(PT_CAP_ptwrite)) return false; /* FUPonPTW without PTW doesn't make sense */ @@ -598,7 +599,7 @@ static struct topa *topa_alloc(int cpu, gfp_t gfp) * In case of singe-entry ToPA, always put the self-referencing END * link as the 2nd entry in the table */ - if (!pt_cap_get(PT_CAP_topa_multiple_entries)) { + if (!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) { TOPA_ENTRY(topa, 1)->base = topa->phys >> TOPA_SHIFT; TOPA_ENTRY(topa, 1)->end = 1; } @@ -638,7 +639,7 @@ static void topa_insert_table(struct pt_buffer *buf, struct topa *topa) topa->offset = last->offset + last->size; buf->last = topa; - if (!pt_cap_get(PT_CAP_topa_multiple_entries)) + if (!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) return; BUG_ON(last->last != TENTS_PER_PAGE - 1); @@ -654,7 +655,7 @@ static void topa_insert_table(struct pt_buffer *buf, struct topa *topa) static bool topa_table_full(struct topa *topa) { /* single-entry ToPA is a special case */ - if (!pt_cap_get(PT_CAP_topa_multiple_entries)) + if (!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) return !!topa->last; return topa->last == TENTS_PER_PAGE - 1; @@ -690,7 +691,8 @@ static int topa_insert_pages(struct pt_buffer *buf, gfp_t gfp) TOPA_ENTRY(topa, -1)->base = page_to_phys(p) >> TOPA_SHIFT; TOPA_ENTRY(topa, -1)->size = order; - if (!buf->snapshot && !pt_cap_get(PT_CAP_topa_multiple_entries)) { + if (!buf->snapshot && + !intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) { TOPA_ENTRY(topa, -1)->intr = 1; TOPA_ENTRY(topa, -1)->stop = 1; } @@ -725,7 +727,7 @@ static void pt_topa_dump(struct pt_buffer *buf) topa->table[i].intr ? 'I' : ' ', topa->table[i].stop ? 'S' : ' ', *(u64 *)&topa->table[i]); - if ((pt_cap_get(PT_CAP_topa_multiple_entries) && + if ((intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries) && topa->table[i].stop) || topa->table[i].end) break; @@ -828,7 +830,7 @@ static void pt_handle_status(struct pt *pt) * means we are already losing data; need to let the decoder * know. */ - if (!pt_cap_get(PT_CAP_topa_multiple_entries) || + if (!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries) || buf->output_off == sizes(TOPA_ENTRY(buf->cur, buf->cur_idx)->size)) { perf_aux_output_flag(&pt->handle, PERF_AUX_FLAG_TRUNCATED); @@ -840,7 +842,8 @@ static void pt_handle_status(struct pt *pt) * Also on single-entry ToPA implementations, interrupt will come * before the output reaches its output region's boundary. */ - if (!pt_cap_get(PT_CAP_topa_multiple_entries) && !buf->snapshot && + if (!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries) && + !buf->snapshot && pt_buffer_region_size(buf) - buf->output_off <= TOPA_PMI_MARGIN) { void *head = pt_buffer_region(buf); @@ -931,7 +934,7 @@ static int pt_buffer_reset_markers(struct pt_buffer *buf, /* single entry ToPA is handled by marking all regions STOP=1 INT=1 */ - if (!pt_cap_get(PT_CAP_topa_multiple_entries)) + if (!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) return 0; /* clear STOP and INT from current entry */ @@ -1082,7 +1085,7 @@ static int pt_buffer_init_topa(struct pt_buffer *buf, unsigned long nr_pages, pt_buffer_setup_topa_index(buf); /* link last table to the first one, unless we're double buffering */ - if (pt_cap_get(PT_CAP_topa_multiple_entries)) { + if (intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) { TOPA_ENTRY(buf->last, -1)->base = buf->first->phys >> TOPA_SHIFT; TOPA_ENTRY(buf->last, -1)->end = 1; } @@ -1153,7 +1156,7 @@ static int pt_addr_filters_init(struct perf_event *event) struct pt_filters *filters; int node = event->cpu == -1 ? -1 : cpu_to_node(event->cpu); - if (!pt_cap_get(PT_CAP_num_address_ranges)) + if (!intel_pt_validate_hw_cap(PT_CAP_num_address_ranges)) return 0; filters = kzalloc_node(sizeof(struct pt_filters), GFP_KERNEL, node); @@ -1198,7 +1201,7 @@ static int pt_event_addr_filters_validate(struct list_head *filters) return -EINVAL; } - if (++range > pt_cap_get(PT_CAP_num_address_ranges)) + if (++range > intel_pt_validate_hw_cap(PT_CAP_num_address_ranges)) return -EOPNOTSUPP; } @@ -1500,12 +1503,12 @@ static __init int pt_init(void) if (ret) return ret; - if (!pt_cap_get(PT_CAP_topa_output)) { + if (!intel_pt_validate_hw_cap(PT_CAP_topa_output)) { pr_warn("ToPA output is not supported on this CPU\n"); return -ENODEV; } - if (!pt_cap_get(PT_CAP_topa_multiple_entries)) + if (!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) pt_pmu.pmu.capabilities = PERF_PMU_CAP_AUX_NO_SG | PERF_PMU_CAP_AUX_SW_DOUBLEBUF; @@ -1523,7 +1526,7 @@ static __init int pt_init(void) pt_pmu.pmu.addr_filters_sync = pt_event_addr_filters_sync; pt_pmu.pmu.addr_filters_validate = pt_event_addr_filters_validate; pt_pmu.pmu.nr_addr_filters = - pt_cap_get(PT_CAP_num_address_ranges); + intel_pt_validate_hw_cap(PT_CAP_num_address_ranges); ret = perf_pmu_register(&pt_pmu.pmu, "intel_pt", -1); diff --git a/arch/x86/events/intel/pt.h b/arch/x86/events/intel/pt.h index df6ecf702a3c..ad4ac27f0468 100644 --- a/arch/x86/events/intel/pt.h +++ b/arch/x86/events/intel/pt.h @@ -82,30 +82,9 @@ struct topa_entry { u64 rsvd4 : 12; }; -#define PT_CPUID_LEAVES 2 -#define PT_CPUID_REGS_NUM 4 /* number of regsters (eax, ebx, ecx, edx) */ - /* TSC to Core Crystal Clock Ratio */ #define CPUID_TSC_LEAF 0x15 -enum pt_capabilities { - PT_CAP_max_subleaf = 0, - PT_CAP_cr3_filtering, - PT_CAP_psb_cyc, - PT_CAP_ip_filtering, - PT_CAP_mtc, - PT_CAP_ptwrite, - PT_CAP_power_event_trace, - PT_CAP_topa_output, - PT_CAP_topa_multiple_entries, - PT_CAP_single_range_output, - PT_CAP_payloads_lip, - PT_CAP_num_address_ranges, - PT_CAP_mtc_periods, - PT_CAP_cycle_thresholds, - PT_CAP_psb_periods, -}; - struct pt_pmu { struct pmu pmu; u32 caps[PT_CPUID_REGS_NUM * PT_CPUID_LEAVES]; diff --git a/arch/x86/include/asm/intel_pt.h b/arch/x86/include/asm/intel_pt.h index b523f51c5400..fa4b4fd2dbed 100644 --- a/arch/x86/include/asm/intel_pt.h +++ b/arch/x86/include/asm/intel_pt.h @@ -2,10 +2,33 @@ #ifndef _ASM_X86_INTEL_PT_H #define _ASM_X86_INTEL_PT_H +#define PT_CPUID_LEAVES 2 +#define PT_CPUID_REGS_NUM 4 /* number of regsters (eax, ebx, ecx, edx) */ + +enum pt_capabilities { + PT_CAP_max_subleaf = 0, + PT_CAP_cr3_filtering, + PT_CAP_psb_cyc, + PT_CAP_ip_filtering, + PT_CAP_mtc, + PT_CAP_ptwrite, + PT_CAP_power_event_trace, + PT_CAP_topa_output, + PT_CAP_topa_multiple_entries, + PT_CAP_single_range_output, + PT_CAP_payloads_lip, + PT_CAP_num_address_ranges, + PT_CAP_mtc_periods, + PT_CAP_cycle_thresholds, + PT_CAP_psb_periods, +}; + #if defined(CONFIG_PERF_EVENTS) && defined(CONFIG_CPU_SUP_INTEL) void cpu_emergency_stop_pt(void); +extern u32 intel_pt_validate_hw_cap(enum pt_capabilities cap); #else static inline void cpu_emergency_stop_pt(void) {} +static inline u32 intel_pt_validate_hw_cap(enum pt_capabilities cap) { return 0; } #endif #endif /* _ASM_X86_INTEL_PT_H */ From 2de7be6b1893e070e92da91bbaa35ce22950b189 Mon Sep 17 00:00:00 2001 From: Alexander Shishkin Date: Wed, 21 Aug 2019 15:47:23 +0300 Subject: [PATCH 101/173] perf/x86/intel/pt: Use helpers to obtain ToPA entry size [ Upstream commit fffec50f541ace292383c0cbe9a2a97d16d201c6 ] There are a few places in the PT driver that need to obtain the size of a ToPA entry, some of them for the current ToPA entry in the buffer. Use helpers for those, to make the lines shorter and more readable. Signed-off-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: http://lkml.kernel.org/r/20190821124727.73310-3-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar Stable-dep-of: ad97196379d0 ("perf/x86/intel/pt: Fix a topa_entry base address calculation") Signed-off-by: Sasha Levin (cherry picked from commit e3fb71f7ecbf87228148c3287eac965927ef49be) Signed-off-by: Vegard Nossum --- arch/x86/events/intel/pt.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index e3219289e097..f7aa049712aa 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -573,6 +573,7 @@ struct topa { /* make -1 stand for the last table entry */ #define TOPA_ENTRY(t, i) ((i) == -1 ? &(t)->table[(t)->last] : &(t)->table[(i)]) +#define TOPA_ENTRY_SIZE(t, i) (sizes(TOPA_ENTRY((t), (i))->size)) /** * topa_alloc() - allocate page-sized ToPA table @@ -772,7 +773,7 @@ static void pt_update_head(struct pt *pt) /* offset of the current output region within this table */ for (topa_idx = 0; topa_idx < buf->cur_idx; topa_idx++) - base += sizes(buf->cur->table[topa_idx].size); + base += TOPA_ENTRY_SIZE(buf->cur, topa_idx); if (buf->snapshot) { local_set(&buf->data_size, base); @@ -801,7 +802,7 @@ static void *pt_buffer_region(struct pt_buffer *buf) */ static size_t pt_buffer_region_size(struct pt_buffer *buf) { - return sizes(buf->cur->table[buf->cur_idx].size); + return TOPA_ENTRY_SIZE(buf->cur, buf->cur_idx); } /** @@ -831,7 +832,7 @@ static void pt_handle_status(struct pt *pt) * know. */ if (!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries) || - buf->output_off == sizes(TOPA_ENTRY(buf->cur, buf->cur_idx)->size)) { + buf->output_off == pt_buffer_region_size(buf)) { perf_aux_output_flag(&pt->handle, PERF_AUX_FLAG_TRUNCATED); advance++; @@ -926,8 +927,7 @@ static int pt_buffer_reset_markers(struct pt_buffer *buf, unsigned long idx, npages, wakeup; /* can't stop in the middle of an output region */ - if (buf->output_off + handle->size + 1 < - sizes(TOPA_ENTRY(buf->cur, buf->cur_idx)->size)) { + if (buf->output_off + handle->size + 1 < pt_buffer_region_size(buf)) { perf_aux_output_flag(handle, PERF_AUX_FLAG_TRUNCATED); return -EINVAL; } @@ -1033,7 +1033,7 @@ static void pt_buffer_reset_offsets(struct pt_buffer *buf, unsigned long head) buf->cur = (struct topa *)((unsigned long)buf->topa_index[pg] & PAGE_MASK); buf->cur_idx = ((unsigned long)buf->topa_index[pg] - (unsigned long)buf->cur) / sizeof(struct topa_entry); - buf->output_off = head & (sizes(buf->cur->table[buf->cur_idx].size) - 1); + buf->output_off = head & (pt_buffer_region_size(buf) - 1); local64_set(&buf->head, head); local_set(&buf->data_size, 0); From ab03429ae696126f00509dac54b632bfb2282240 Mon Sep 17 00:00:00 2001 From: Alexander Shishkin Date: Wed, 21 Aug 2019 15:47:24 +0300 Subject: [PATCH 102/173] perf/x86/intel/pt: Use pointer arithmetics instead in ToPA entry calculation [ Upstream commit 539f7c26b41d4ed7d88dd9756de3966ae7ca07b4 ] Currently, pt_buffer_reset_offsets() calculates the current ToPA entry by casting pointers to addresses and performing ungainly subtractions and divisions instead of a simpler pointer arithmetic, which would be perfectly applicable in that case. Fix that. Signed-off-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: http://lkml.kernel.org/r/20190821124727.73310-4-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar Stable-dep-of: ad97196379d0 ("perf/x86/intel/pt: Fix a topa_entry base address calculation") Signed-off-by: Sasha Levin (cherry picked from commit 67968b8c7603007751f140f3f9f8aa8e64fc26b2) Signed-off-by: Vegard Nossum --- arch/x86/events/intel/pt.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index f7aa049712aa..d5a7153f0613 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -1031,8 +1031,7 @@ static void pt_buffer_reset_offsets(struct pt_buffer *buf, unsigned long head) pg = pt_topa_next_entry(buf, pg); buf->cur = (struct topa *)((unsigned long)buf->topa_index[pg] & PAGE_MASK); - buf->cur_idx = ((unsigned long)buf->topa_index[pg] - - (unsigned long)buf->cur) / sizeof(struct topa_entry); + buf->cur_idx = buf->topa_index[pg] - TOPA_ENTRY(buf->cur, 0); buf->output_off = head & (pt_buffer_region_size(buf) - 1); local64_set(&buf->head, head); From a87ac310cc99adff1aa8315d829ce984dfc0cda6 Mon Sep 17 00:00:00 2001 From: Alexander Shishkin Date: Wed, 21 Aug 2019 15:47:25 +0300 Subject: [PATCH 103/173] perf/x86/intel/pt: Split ToPA metadata and page layout [ Upstream commit 38bb8d77d0b932a0773b5de2ef42479409314f96 ] PT uses page sized ToPA tables, where the ToPA table resides at the bottom and its driver-specific metadata taking up a few words at the top of the page. The split is currently calculated manually and needs to be redone every time a field is added to or removed from the metadata structure. Also, the 32-bit version can be made smaller. By splitting the table and metadata into separate structures, we are making the compiler figure out the division of the page. Signed-off-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: http://lkml.kernel.org/r/20190821124727.73310-5-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar Stable-dep-of: ad97196379d0 ("perf/x86/intel/pt: Fix a topa_entry base address calculation") Signed-off-by: Sasha Levin (cherry picked from commit e9d9ec1019a90aafdb54765a3b46f36f402b481a) Signed-off-by: Vegard Nossum --- arch/x86/events/intel/pt.c | 93 ++++++++++++++++++++++++-------------- 1 file changed, 60 insertions(+), 33 deletions(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index d5a7153f0613..b7c1ac07b0c5 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -546,16 +546,8 @@ static void pt_config_buffer(void *buf, unsigned int topa_idx, wrmsrl(MSR_IA32_RTIT_OUTPUT_MASK, reg); } -/* - * Keep ToPA table-related metadata on the same page as the actual table, - * taking up a few words from the top - */ - -#define TENTS_PER_PAGE (((PAGE_SIZE - 40) / sizeof(struct topa_entry)) - 1) - /** - * struct topa - page-sized ToPA table with metadata at the top - * @table: actual ToPA table entries, as understood by PT hardware + * struct topa - ToPA metadata * @list: linkage to struct pt_buffer's list of tables * @phys: physical address of this page * @offset: offset of the first entry in this table in the buffer @@ -563,7 +555,6 @@ static void pt_config_buffer(void *buf, unsigned int topa_idx, * @last: index of the last initialized entry in this table */ struct topa { - struct topa_entry table[TENTS_PER_PAGE]; struct list_head list; u64 phys; u64 offset; @@ -571,8 +562,39 @@ struct topa { int last; }; +/* + * Keep ToPA table-related metadata on the same page as the actual table, + * taking up a few words from the top + */ + +#define TENTS_PER_PAGE \ + ((PAGE_SIZE - sizeof(struct topa)) / sizeof(struct topa_entry)) + +/** + * struct topa_page - page-sized ToPA table with metadata at the top + * @table: actual ToPA table entries, as understood by PT hardware + * @topa: metadata + */ +struct topa_page { + struct topa_entry table[TENTS_PER_PAGE]; + struct topa topa; +}; + +static inline struct topa_page *topa_to_page(struct topa *topa) +{ + return container_of(topa, struct topa_page, topa); +} + +static inline struct topa_page *topa_entry_to_page(struct topa_entry *te) +{ + return (struct topa_page *)((unsigned long)te & PAGE_MASK); +} + /* make -1 stand for the last table entry */ -#define TOPA_ENTRY(t, i) ((i) == -1 ? &(t)->table[(t)->last] : &(t)->table[(i)]) +#define TOPA_ENTRY(t, i) \ + ((i) == -1 \ + ? &topa_to_page(t)->table[(t)->last] \ + : &topa_to_page(t)->table[(i)]) #define TOPA_ENTRY_SIZE(t, i) (sizes(TOPA_ENTRY((t), (i))->size)) /** @@ -585,27 +607,27 @@ struct topa { static struct topa *topa_alloc(int cpu, gfp_t gfp) { int node = cpu_to_node(cpu); - struct topa *topa; + struct topa_page *tp; struct page *p; p = alloc_pages_node(node, gfp | __GFP_ZERO, 0); if (!p) return NULL; - topa = page_address(p); - topa->last = 0; - topa->phys = page_to_phys(p); + tp = page_address(p); + tp->topa.last = 0; + tp->topa.phys = page_to_phys(p); /* * In case of singe-entry ToPA, always put the self-referencing END * link as the 2nd entry in the table */ if (!intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries)) { - TOPA_ENTRY(topa, 1)->base = topa->phys >> TOPA_SHIFT; - TOPA_ENTRY(topa, 1)->end = 1; + TOPA_ENTRY(&tp->topa, 1)->base = tp->topa.phys; + TOPA_ENTRY(&tp->topa, 1)->end = 1; } - return topa; + return &tp->topa; } /** @@ -715,22 +737,23 @@ static void pt_topa_dump(struct pt_buffer *buf) struct topa *topa; list_for_each_entry(topa, &buf->tables, list) { + struct topa_page *tp = topa_to_page(topa); int i; - pr_debug("# table @%p (%016Lx), off %llx size %zx\n", topa->table, + pr_debug("# table @%p (%016Lx), off %llx size %zx\n", tp->table, topa->phys, topa->offset, topa->size); for (i = 0; i < TENTS_PER_PAGE; i++) { pr_debug("# entry @%p (%lx sz %u %c%c%c) raw=%16llx\n", - &topa->table[i], - (unsigned long)topa->table[i].base << TOPA_SHIFT, - sizes(topa->table[i].size), - topa->table[i].end ? 'E' : ' ', - topa->table[i].intr ? 'I' : ' ', - topa->table[i].stop ? 'S' : ' ', - *(u64 *)&topa->table[i]); + &tp->table[i], + (unsigned long)tp->table[i].base << TOPA_SHIFT, + sizes(tp->table[i].size), + tp->table[i].end ? 'E' : ' ', + tp->table[i].intr ? 'I' : ' ', + tp->table[i].stop ? 'S' : ' ', + *(u64 *)&tp->table[i]); if ((intel_pt_validate_hw_cap(PT_CAP_topa_multiple_entries) && - topa->table[i].stop) || - topa->table[i].end) + tp->table[i].stop) || + tp->table[i].end) break; } } @@ -793,7 +816,7 @@ static void pt_update_head(struct pt *pt) */ static void *pt_buffer_region(struct pt_buffer *buf) { - return phys_to_virt(buf->cur->table[buf->cur_idx].base << TOPA_SHIFT); + return phys_to_virt(TOPA_ENTRY(buf->cur, buf->cur_idx)->base << TOPA_SHIFT); } /** @@ -870,9 +893,11 @@ static void pt_handle_status(struct pt *pt) static void pt_read_offset(struct pt_buffer *buf) { u64 offset, base_topa; + struct topa_page *tp; rdmsrl(MSR_IA32_RTIT_OUTPUT_BASE, base_topa); - buf->cur = phys_to_virt(base_topa); + tp = phys_to_virt(base_topa); + buf->cur = &tp->topa; rdmsrl(MSR_IA32_RTIT_OUTPUT_MASK, offset); /* offset within current output region */ @@ -1022,6 +1047,7 @@ static void pt_buffer_setup_topa_index(struct pt_buffer *buf) */ static void pt_buffer_reset_offsets(struct pt_buffer *buf, unsigned long head) { + struct topa_page *cur_tp; int pg; if (buf->snapshot) @@ -1030,7 +1056,8 @@ static void pt_buffer_reset_offsets(struct pt_buffer *buf, unsigned long head) pg = (head >> PAGE_SHIFT) & (buf->nr_pages - 1); pg = pt_topa_next_entry(buf, pg); - buf->cur = (struct topa *)((unsigned long)buf->topa_index[pg] & PAGE_MASK); + cur_tp = topa_entry_to_page(buf->topa_index[pg]); + buf->cur = &cur_tp->topa; buf->cur_idx = buf->topa_index[pg] - TOPA_ENTRY(buf->cur, 0); buf->output_off = head & (pt_buffer_region_size(buf) - 1); @@ -1287,7 +1314,7 @@ void intel_pt_interrupt(void) return; } - pt_config_buffer(buf->cur->table, buf->cur_idx, + pt_config_buffer(topa_to_page(buf->cur)->table, buf->cur_idx, buf->output_off); pt_config(event); } @@ -1352,7 +1379,7 @@ static void pt_event_start(struct perf_event *event, int mode) WRITE_ONCE(pt->handle_nmi, 1); hwc->state = 0; - pt_config_buffer(buf->cur->table, buf->cur_idx, + pt_config_buffer(topa_to_page(buf->cur)->table, buf->cur_idx, buf->output_off); pt_config(event); From d6c356954a61ce5a5f851b9aa858f9d906e4228d Mon Sep 17 00:00:00 2001 From: Adrian Hunter Date: Mon, 24 Jun 2024 23:10:56 +0300 Subject: [PATCH 104/173] perf/x86/intel/pt: Fix a topa_entry base address calculation [ Upstream commit ad97196379d0b8cb24ef3d5006978a6554e6467f ] topa_entry->base is a bit-field. Bit-fields are not promoted to a 64-bit type, even if the underlying type is 64-bit, and so, if necessary, must be cast to a larger type when calculations are done. Fix a topa_entry->base address calculation by adding a cast. Without the cast, the address was limited to 36-bits i.e. 64GiB. The address calculation is used on systems that do not support Multiple Entry ToPA (only Broadwell), and affects physical addresses on or above 64GiB. Instead of writing to the correct address, the address comprising the first 36 bits would be written to. Intel PT snapshot and sampling modes are not affected. Fixes: 52ca9ced3f70 ("perf/x86/intel/pt: Add Intel PT PMU driver") Reported-by: Dave Hansen Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240624201101.60186-3-adrian.hunter@intel.com Signed-off-by: Sasha Levin (cherry picked from commit 418f7db13405953c2d9223275d365d9828169076) Signed-off-by: Vegard Nossum --- arch/x86/events/intel/pt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/events/intel/pt.c b/arch/x86/events/intel/pt.c index b7c1ac07b0c5..56e0164b2fa0 100644 --- a/arch/x86/events/intel/pt.c +++ b/arch/x86/events/intel/pt.c @@ -816,7 +816,7 @@ static void pt_update_head(struct pt *pt) */ static void *pt_buffer_region(struct pt_buffer *buf) { - return phys_to_virt(TOPA_ENTRY(buf->cur, buf->cur_idx)->base << TOPA_SHIFT); + return phys_to_virt((phys_addr_t)TOPA_ENTRY(buf->cur, buf->cur_idx)->base << TOPA_SHIFT); } /** From 5d99fd6160cb1a1ecd0163220164b8d1fe2cecf6 Mon Sep 17 00:00:00 2001 From: Peng Fan Date: Sat, 6 Mar 2021 19:24:24 +0800 Subject: [PATCH 105/173] remoteproc: imx_rproc: ignore mapping vdev regions [ Upstream commit 8f2d8961640f0346cbe892273c3260a0d30c1931 ] vdev regions are vdev0vring0, vdev0vring1, vdevbuffer and similar. They are handled by remoteproc common code, no need to map in imx rproc driver. Signed-off-by: Peng Fan Reviewed-by: Mathieu Poirier Link: https://lore.kernel.org/r/1615029865-23312-10-git-send-email-peng.fan@oss.nxp.com Signed-off-by: Bjorn Andersson Stable-dep-of: 2fa26ca8b786 ("remoteproc: imx_rproc: Skip over memory region when node value is NULL") Signed-off-by: Sasha Levin (cherry picked from commit 35df377f38fb516111933f132b51a386b4d4892f) Signed-off-by: Vegard Nossum --- drivers/remoteproc/imx_rproc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c index 05bcbce2013a..ec9d0a01efca 100644 --- a/drivers/remoteproc/imx_rproc.c +++ b/drivers/remoteproc/imx_rproc.c @@ -289,6 +289,9 @@ static int imx_rproc_addr_init(struct imx_rproc *priv, struct resource res; node = of_parse_phandle(np, "memory-region", a); + /* Not map vdev region */ + if (!strcmp(node->name, "vdev")) + continue; err = of_address_to_resource(node, 0, &res); if (err) { dev_err(dev, "unable to resolve memory region\n"); From c1239a005bbf4c6b43aec1155ac3d8466b640051 Mon Sep 17 00:00:00 2001 From: Dong Aisheng Date: Fri, 10 Sep 2021 17:06:19 +0800 Subject: [PATCH 106/173] remoteproc: imx_rproc: Fix ignoring mapping vdev regions [ Upstream commit afe670e23af91d8a74a8d7049f6e0984bbf6ea11 ] vdev regions are typically named vdev0buffer, vdev0ring0, vdev0ring1 and etc. Change to strncmp to cover them all. Fixes: 8f2d8961640f ("remoteproc: imx_rproc: ignore mapping vdev regions") Reviewed-and-tested-by: Peng Fan Signed-off-by: Dong Aisheng Signed-off-by: Peng Fan Cc: stable Link: https://lore.kernel.org/r/20210910090621.3073540-5-peng.fan@oss.nxp.com Signed-off-by: Mathieu Poirier Signed-off-by: Bjorn Andersson Stable-dep-of: 2fa26ca8b786 ("remoteproc: imx_rproc: Skip over memory region when node value is NULL") Signed-off-by: Sasha Levin (cherry picked from commit a80423f6566bc5085d6bbdd2acdb80aa20c0e915) Signed-off-by: Vegard Nossum --- drivers/remoteproc/imx_rproc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c index ec9d0a01efca..084bac2951bf 100644 --- a/drivers/remoteproc/imx_rproc.c +++ b/drivers/remoteproc/imx_rproc.c @@ -289,8 +289,8 @@ static int imx_rproc_addr_init(struct imx_rproc *priv, struct resource res; node = of_parse_phandle(np, "memory-region", a); - /* Not map vdev region */ - if (!strcmp(node->name, "vdev")) + /* Not map vdevbuffer, vdevring region */ + if (!strncmp(node->name, "vdev", strlen("vdev"))) continue; err = of_address_to_resource(node, 0, &res); if (err) { From 3e1715ba7291483690f92608e08aba0d12c5ef70 Mon Sep 17 00:00:00 2001 From: Aleksandr Mishin Date: Thu, 6 Jun 2024 10:52:04 +0300 Subject: [PATCH 107/173] remoteproc: imx_rproc: Skip over memory region when node value is NULL [ Upstream commit 2fa26ca8b786888673689ccc9da6094150939982 ] In imx_rproc_addr_init() "nph = of_count_phandle_with_args()" just counts number of phandles. But phandles may be empty. So of_parse_phandle() in the parsing loop (0 < a < nph) may return NULL which is later dereferenced. Adjust this issue by adding NULL-return check. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver") Signed-off-by: Aleksandr Mishin Reviewed-by: Peng Fan Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240606075204.12354-1-amishin@t-argos.ru [Fixed title to fit within the prescribed 70-75 charcters] Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin (cherry picked from commit 6884fd0283e0831be153fb8d82d9eda8a55acaaa) Signed-off-by: Vegard Nossum --- drivers/remoteproc/imx_rproc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/remoteproc/imx_rproc.c b/drivers/remoteproc/imx_rproc.c index 084bac2951bf..358cfe7be20a 100644 --- a/drivers/remoteproc/imx_rproc.c +++ b/drivers/remoteproc/imx_rproc.c @@ -289,6 +289,8 @@ static int imx_rproc_addr_init(struct imx_rproc *priv, struct resource res; node = of_parse_phandle(np, "memory-region", a); + if (!node) + continue; /* Not map vdevbuffer, vdevring region */ if (!strncmp(node->name, "vdev", strlen("vdev"))) continue; From 4aff76137ef2fa40ec1f424eb8e743673ffe5434 Mon Sep 17 00:00:00 2001 From: Ian Forbes Date: Fri, 19 Jul 2024 11:36:27 -0500 Subject: [PATCH 108/173] drm/vmwgfx: Fix overlay when using Screen Targets [ Upstream commit cb372a505a994cb39aa75acfb8b3bcf94787cf94 ] This code was never updated to support Screen Targets. Fixes a bug where Xv playback displays a green screen instead of actual video contents when 3D acceleration is disabled in the guest. Fixes: c8261a961ece ("vmwgfx: Major KMS refactoring / cleanup in preparation of screen targets") Reported-by: Doug Brown Closes: https://lore.kernel.org/all/bd9cb3c7-90e8-435d-bc28-0e38fee58977@schmorgal.com Signed-off-by: Ian Forbes Tested-by: Doug Brown Signed-off-by: Zack Rusin Link: https://patchwork.freedesktop.org/patch/msgid/20240719163627.20888-1-ian.forbes@broadcom.com Signed-off-by: Sasha Levin (cherry picked from commit 6f4bc8b021d3436e5dda88350d8e0ac3c8df400f) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c index 222c9c2123a1..ed15d795906d 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_overlay.c @@ -100,7 +100,7 @@ static int vmw_overlay_send_put(struct vmw_private *dev_priv, { struct vmw_escape_video_flush *flush; size_t fifo_size; - bool have_so = (dev_priv->active_display_unit == vmw_du_screen_object); + bool have_so = (dev_priv->active_display_unit != vmw_du_legacy); int i, num_items; SVGAGuestPtr ptr; From 582d87d965d3600b178bbaf8947523e5478da1d1 Mon Sep 17 00:00:00 2001 From: Alexandra Winter Date: Mon, 29 Jul 2024 14:28:16 +0200 Subject: [PATCH 109/173] net/iucv: fix use after free in iucv_sock_close() [ Upstream commit f558120cd709682b739207b48cf7479fd9568431 ] iucv_sever_path() is called from process context and from bh context. iucv->path is used as indicator whether somebody else is taking care of severing the path (or it is already removed / never existed). This needs to be done with atomic compare and swap, otherwise there is a small window where iucv_sock_close() will try to work with a path that has already been severed and freed by iucv_callback_connrej() called by iucv_tasklet_fn(). Example: [452744.123844] Call Trace: [452744.123845] ([<0000001e87f03880>] 0x1e87f03880) [452744.123966] [<00000000d593001e>] iucv_path_sever+0x96/0x138 [452744.124330] [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv] [452744.124336] [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv] [452744.124341] [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv] [452744.124345] [<00000000d574794e>] __sock_release+0x5e/0xe8 [452744.124815] [<00000000d5747a0c>] sock_close+0x34/0x48 [452744.124820] [<00000000d5421642>] __fput+0xba/0x268 [452744.124826] [<00000000d51b382c>] task_work_run+0xbc/0xf0 [452744.124832] [<00000000d5145710>] do_notify_resume+0x88/0x90 [452744.124841] [<00000000d5978096>] system_call+0xe2/0x2c8 [452744.125319] Last Breaking-Event-Address: [452744.125321] [<00000000d5930018>] iucv_path_sever+0x90/0x138 [452744.125324] [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt Note that bh_lock_sock() is not serializing the tasklet context against process context, because the check for sock_owned_by_user() and corresponding handling is missing. Ideas for a future clean-up patch: A) Correct usage of bh_lock_sock() in tasklet context, as described in Link: https://lore.kernel.org/netdev/1280155406.2899.407.camel@edumazet-laptop/ Re-enqueue, if needed. This may require adding return values to the tasklet functions and thus changes to all users of iucv. B) Change iucv tasklet into worker and use only lock_sock() in af_iucv. Fixes: 7d316b945352 ("af_iucv: remove IUCV-pathes completely") Reviewed-by: Halil Pasic Signed-off-by: Alexandra Winter Link: https://patch.msgid.link/20240729122818.947756-1-wintera@linux.ibm.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 84f40b46787ecb67c7ad08a5bb1376141fa10c01) Signed-off-by: Vegard Nossum --- net/iucv/af_iucv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c index d7dd92274957..fc8a86ca7596 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c @@ -439,8 +439,8 @@ static void iucv_sever_path(struct sock *sk, int with_user_data) struct iucv_sock *iucv = iucv_sk(sk); struct iucv_path *path = iucv->path; - if (iucv->path) { - iucv->path = NULL; + /* Whoever resets the path pointer, must sever and free it. */ + if (xchg(&iucv->path, NULL)) { if (with_user_data) { low_nmcpy(user_data, iucv->src_name); high_nmcpy(user_data, iucv->dst_name); From c04add3c9adf1402f47ff8f51dd2ee533e863a00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= Date: Mon, 29 Jul 2024 17:17:48 -0700 Subject: [PATCH 110/173] ipv6: fix ndisc_is_useropt() handling for PIO MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit a46c68debf3be3a477a69ccbf0a1d050df841676 ] The current logic only works if the PIO is between two other ND user options. This fixes it so that the PIO can also be either before or after other ND user options (for example the first or last option in the RA). side note: there's actually Android tests verifying a portion of the old broken behaviour, so: https://android-review.googlesource.com/c/kernel/tests/+/3196704 fixes those up. Cc: Jen Linkova Cc: Lorenzo Colitti Cc: Patrick Rohr Cc: David Ahern Cc: YOSHIFUJI Hideaki / 吉藤英明 Cc: Jakub Kicinski Signed-off-by: Maciej Żenczykowski Fixes: 048c796beb6e ("ipv6: adjust ndisc_is_useropt() to also return true for PIO") Link: https://patch.msgid.link/20240730001748.147636-1-maze@google.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin (cherry picked from commit 97a4f78feadc431a050cc26355f95ac3d73a4d4c) Signed-off-by: Vegard Nossum --- net/ipv6/ndisc.c | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index b54e964dff3a..38e3a421d068 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -222,6 +222,7 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev, return NULL; memset(ndopts, 0, sizeof(*ndopts)); while (opt_len) { + bool unknown = false; int l; if (opt_len < sizeof(struct nd_opt_hdr)) return NULL; @@ -257,22 +258,23 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev, break; #endif default: - if (ndisc_is_useropt(dev, nd_opt)) { - ndopts->nd_useropts_end = nd_opt; - if (!ndopts->nd_useropts) - ndopts->nd_useropts = nd_opt; - } else { - /* - * Unknown options must be silently ignored, - * to accommodate future extension to the - * protocol. - */ - ND_PRINTK(2, notice, - "%s: ignored unsupported option; type=%d, len=%d\n", - __func__, - nd_opt->nd_opt_type, - nd_opt->nd_opt_len); - } + unknown = true; + } + if (ndisc_is_useropt(dev, nd_opt)) { + ndopts->nd_useropts_end = nd_opt; + if (!ndopts->nd_useropts) + ndopts->nd_useropts = nd_opt; + } else if (unknown) { + /* + * Unknown options must be silently ignored, + * to accommodate future extension to the + * protocol. + */ + ND_PRINTK(2, notice, + "%s: ignored unsupported option; type=%d, len=%d\n", + __func__, + nd_opt->nd_opt_type, + nd_opt->nd_opt_len); } next_opt: opt_len -= l; From f4c005cc381764f082f66825073bb6c43f54fe14 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 1 Aug 2024 15:22:22 -0400 Subject: [PATCH 111/173] protect the fetch of ->fd[fd] in do_dup2() from mispredictions commit 8aa37bde1a7b645816cda8b80df4753ecf172bf1 upstream. both callers have verified that fd is not greater than ->max_fds; however, misprediction might end up with tofree = fdt->fd[fd]; being speculatively executed. That's wrong for the same reasons why it's wrong in close_fd()/file_close_fd_locked(); the same solution applies - array_index_nospec(fd, fdt->max_fds) could differ from fd only in case of speculative execution on mispredicted path. Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman (cherry picked from commit ed42e8ff509d2a61c6642d1825032072dab79f26) Signed-off-by: Vegard Nossum --- fs/file.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/file.c b/fs/file.c index 281c34963b2b..5d3fe555cfb1 100644 --- a/fs/file.c +++ b/fs/file.c @@ -881,6 +881,7 @@ __releases(&files->file_lock) * tables and this condition does not arise without those. */ fdt = files_fdtable(files); + fd = array_index_nospec(fd, fdt->max_fds); tofree = fdt->fd[fd]; if (!tofree && fd_is_open(fd, fdt)) goto Ebusy; From 71a0712ba842211e6dc1a4f7e91dd6c7502eebe5 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Wed, 31 Jul 2024 16:19:41 +0200 Subject: [PATCH 112/173] ALSA: usb-audio: Correct surround channels in UAC1 channel map commit b7b7e1ab7619deb3b299b5e5c619c3e6f183a12d upstream. USB-audio driver puts SNDRV_CHMAP_SL and _SR as left and right surround channels for UAC1 channel map, respectively. But they should have been SNDRV_CHMAP_RL and _RR; the current value *_SL and _SR are rather "side" channels, not "surround". I guess I took those mistakenly when I read the spec mentioning "surround left". This patch corrects those entries to be the right channels. Suggested-by: Sylvain BERTRAND Closes: https://lore.kernel.orgZ/qIyJD8lhd8hFhlC@freedom Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support") Cc: Link: https://patch.msgid.link/20240731142018.24750-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman (cherry picked from commit f4eb853103674698416ba66d41317b1d869d4bdc) Signed-off-by: Vegard Nossum --- sound/usb/stream.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/usb/stream.c b/sound/usb/stream.c index ccaead5319ed..c9f9845c0284 100644 --- a/sound/usb/stream.c +++ b/sound/usb/stream.c @@ -237,8 +237,8 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits, SNDRV_CHMAP_FR, /* right front */ SNDRV_CHMAP_FC, /* center front */ SNDRV_CHMAP_LFE, /* LFE */ - SNDRV_CHMAP_SL, /* left surround */ - SNDRV_CHMAP_SR, /* right surround */ + SNDRV_CHMAP_RL, /* left surround */ + SNDRV_CHMAP_RR, /* right surround */ SNDRV_CHMAP_FLC, /* left of center */ SNDRV_CHMAP_FRC, /* right of center */ SNDRV_CHMAP_RC, /* surround */ From 3f465b02b4b919181c45ef14fe5ca3638b87ac5c Mon Sep 17 00:00:00 2001 From: Ma Ke Date: Thu, 25 Jul 2024 10:29:42 +0800 Subject: [PATCH 113/173] net: usb: sr9700: fix uninitialized variable use in sr_mdio_read commit 08f3a5c38087d1569e982a121aad1e6acbf145ce upstream. It could lead to error happen because the variable res is not updated if the call to sr_share_read_word returns an error. In this particular case error code was returned and res stayed uninitialized. Same issue also applies to sr_read_reg. This can be avoided by checking the return value of sr_share_read_word and sr_read_reg, and propagating the error if the read operation failed. Found by code review. Cc: stable@vger.kernel.org Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support") Signed-off-by: Ma Ke Reviewed-by: Shigeru Yoshida Reviewed-by: Hariprasad Kelam Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 9f04dbd139aa1988fc8b7984ffbce7849be73f21) Signed-off-by: Vegard Nossum --- drivers/net/usb/sr9700.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c index 4a723696103b..7ca6911b2c83 100644 --- a/drivers/net/usb/sr9700.c +++ b/drivers/net/usb/sr9700.c @@ -178,6 +178,7 @@ static int sr_mdio_read(struct net_device *netdev, int phy_id, int loc) struct usbnet *dev = netdev_priv(netdev); __le16 res; int rc = 0; + int err; if (phy_id) { netdev_dbg(netdev, "Only internal phy supported\n"); @@ -188,11 +189,17 @@ static int sr_mdio_read(struct net_device *netdev, int phy_id, int loc) if (loc == MII_BMSR) { u8 value; - sr_read_reg(dev, SR_NSR, &value); + err = sr_read_reg(dev, SR_NSR, &value); + if (err < 0) + return err; + if (value & NSR_LINKST) rc = 1; } - sr_share_read_word(dev, 1, loc, &res); + err = sr_share_read_word(dev, 1, loc, &res); + if (err < 0) + return err; + if (rc == 1) res = le16_to_cpu(res) | BMSR_LSTATUS; else From 6f4e6f1f7e5d27fa977d9900aba67c9cc3c15d4e Mon Sep 17 00:00:00 2001 From: Yipeng Zou Date: Tue, 30 Jul 2024 09:44:00 +0800 Subject: [PATCH 114/173] irqchip/mbigen: Fix mbigen node address layout [ Upstream commit 6be6cba9c4371d27f78d900ccfe34bb880d9ee20 ] The mbigen interrupt chip has its per node registers located in a contiguous region of page sized chunks. The code maps them into virtual address space as a contiguous region and determines the address of a node by using the node ID as index. mbigen chip |-----------------|------------|--------------| mgn_node_0 mgn_node_1 ... mgn_node_i |--------------| |--------------| |----------------------| [0x0000, 0x0x0FFF] [0x1000, 0x1FFF] [i*0x1000, (i+1)*0x1000 - 1] This works correctly up to 10 nodes, but then fails because the 11th's array slot is used for the MGN_CLEAR registers. mbigen chip |-----------|--------|--------|---------------|--------| mgn_node_0 mgn_node_1 ... mgn_clear_register ... mgn_node_i |-----------------| [0xA000, 0xAFFF] Skip the MGN_CLEAR register space when calculating the offset for node IDs greater than or equal to ten. Fixes: a6c2f87b8820 ("irqchip/mbigen: Implement the mbigen irq chip operation functions") Signed-off-by: Yipeng Zou Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/all/20240730014400.1751530-1-zouyipeng@huawei.com Signed-off-by: Sasha Levin (cherry picked from commit 2f61f0c6b7411212acd6490c5629b0049e8eaefa) Signed-off-by: Vegard Nossum --- drivers/irqchip/irq-mbigen.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/drivers/irqchip/irq-mbigen.c b/drivers/irqchip/irq-mbigen.c index c98358be0bc8..19cf1239c7d3 100644 --- a/drivers/irqchip/irq-mbigen.c +++ b/drivers/irqchip/irq-mbigen.c @@ -75,6 +75,20 @@ struct mbigen_device { void __iomem *base; }; +static inline unsigned int get_mbigen_node_offset(unsigned int nid) +{ + unsigned int offset = nid * MBIGEN_NODE_OFFSET; + + /* + * To avoid touched clear register in unexpected way, we need to directly + * skip clear register when access to more than 10 mbigen nodes. + */ + if (nid >= (REG_MBIGEN_CLEAR_OFFSET / MBIGEN_NODE_OFFSET)) + offset += MBIGEN_NODE_OFFSET; + + return offset; +} + static inline unsigned int get_mbigen_vec_reg(irq_hw_number_t hwirq) { unsigned int nid, pin; @@ -83,8 +97,7 @@ static inline unsigned int get_mbigen_vec_reg(irq_hw_number_t hwirq) nid = hwirq / IRQS_PER_MBIGEN_NODE + 1; pin = hwirq % IRQS_PER_MBIGEN_NODE; - return pin * 4 + nid * MBIGEN_NODE_OFFSET - + REG_MBIGEN_VEC_OFFSET; + return pin * 4 + get_mbigen_node_offset(nid) + REG_MBIGEN_VEC_OFFSET; } static inline void get_mbigen_type_reg(irq_hw_number_t hwirq, @@ -99,8 +112,7 @@ static inline void get_mbigen_type_reg(irq_hw_number_t hwirq, *mask = 1 << (irq_ofst % 32); ofst = irq_ofst / 32 * 4; - *addr = ofst + nid * MBIGEN_NODE_OFFSET - + REG_MBIGEN_TYPE_OFFSET; + *addr = ofst + get_mbigen_node_offset(nid) + REG_MBIGEN_TYPE_OFFSET; } static inline void get_mbigen_clear_reg(irq_hw_number_t hwirq, From 193653bb5bb78ddaa2698760912db0248833cccc Mon Sep 17 00:00:00 2001 From: Daniele Palmas Date: Thu, 1 Aug 2024 15:55:12 +0200 Subject: [PATCH 115/173] net: usb: qmi_wwan: fix memory leak for not ip packets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 7ab107544b777c3bd7feb9fe447367d8edd5b202 ] Free the unused skb when not ip packets arrive. Fixes: c6adf77953bc ("net: usb: qmi_wwan: add qmap mux protocol support") Signed-off-by: Daniele Palmas Acked-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Sasha Levin (cherry picked from commit 3c90a69533b5bba73401ef884d033ea49ee99662) Signed-off-by: Vegard Nossum --- drivers/net/usb/qmi_wwan.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c index facd37cae259..489cc388d9bf 100644 --- a/drivers/net/usb/qmi_wwan.c +++ b/drivers/net/usb/qmi_wwan.c @@ -241,6 +241,7 @@ static int qmimux_rx_fixup(struct usbnet *dev, struct sk_buff *skb) break; default: /* not ip - do not know what to do */ + kfree_skb(skbn); goto skip; } From 928a0513e3f0353f456c9734695c47a94f423c54 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Mon, 5 Aug 2024 08:58:21 +0000 Subject: [PATCH 116/173] net: linkwatch: use system_unbound_wq [ Upstream commit 3e7917c0cdad835a5121520fc5686d954b7a61ab ] linkwatch_event() grabs possibly very contended RTNL mutex. system_wq is not suitable for such work. Inspired by many noisy syzbot reports. 3 locks held by kworker/0:7/5266: #0: ffff888015480948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline] #0: ffff888015480948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312 #1: ffffc90003f6fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3207 [inline] , at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3312 #2: ffffffff8fa6f208 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:276 Reported-by: syzbot Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Reviewed-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20240805085821.1616528-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 3840189e4619af11f558e6faff80813f008246a6) Signed-off-by: Vegard Nossum --- net/core/link_watch.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/link_watch.c b/net/core/link_watch.c index 982861607f88..e1973c0a12c5 100644 --- a/net/core/link_watch.c +++ b/net/core/link_watch.c @@ -135,9 +135,9 @@ static void linkwatch_schedule_work(int urgent) * override the existing timer. */ if (test_bit(LW_URGENT, &linkwatch_flags)) - mod_delayed_work(system_wq, &linkwatch_work, 0); + mod_delayed_work(system_unbound_wq, &linkwatch_work, 0); else - schedule_delayed_work(&linkwatch_work, delay); + queue_delayed_work(system_unbound_wq, &linkwatch_work, delay); } From 0c7df8f6eff3aa1044d3f97dd249112dc4301778 Mon Sep 17 00:00:00 2001 From: Dmitry Antipov Date: Wed, 31 Jul 2024 12:19:36 +0300 Subject: [PATCH 117/173] Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() [ Upstream commit c531e63871c0b50c8c4e62c048535a08886fba3e ] Add missing call to 'l2cap_chan_unlock()' on receive error handling path in 'l2cap_conless_channel()'. Fixes: a24cce144b98 ("Bluetooth: Fix reference counting of global L2CAP channels") Reported-by: syzbot+45ac74737e866894acb0@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=45ac74737e866894acb0 Signed-off-by: Dmitry Antipov Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin (cherry picked from commit 64f4938368f4be563b7652d6b18d37b317913b47) Signed-off-by: Vegard Nossum --- net/bluetooth/l2cap_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index 4886a37a4811..c438fc8bf624 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -7055,6 +7055,7 @@ static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, bt_cb(skb)->l2cap.psm = psm; if (!chan->ops->recv(chan, skb)) { + l2cap_chan_unlock(chan); l2cap_chan_put(chan); return; } From 20cb64898909ba7ccad47d1e52e980ba859c29c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cs=C3=B3k=C3=A1s=2C=20Bence?= Date: Wed, 7 Aug 2024 10:09:56 +0200 Subject: [PATCH 118/173] net: fec: Stop PPS on driver remove MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit 8fee6d5ad5fa18c270eedb2a2cdf58dbadefb94b ] PPS was not stopped in `fec_ptp_stop()`, called when the adapter was removed. Consequentially, you couldn't safely reload the driver with the PPS signal on. Fixes: 32cba57ba74b ("net: fec: introduce fec_ptp_stop and use in probe fail path") Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/netdev/CAOMZO5BzcZR8PwKKwBssQq_wAGzVgf1ffwe_nhpQJjviTdxy-w@mail.gmail.com/T/#m01dcb810bfc451a492140f6797ca77443d0cb79f Signed-off-by: Csókás, Bence Reviewed-by: Andrew Lunn Reviewed-by: Frank Li Link: https://patch.msgid.link/20240807080956.2556602-1-csokas.bence@prolan.hu Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit 7762f5317db83b70099ed1b2c100df54abddaec1) Signed-off-by: Vegard Nossum --- drivers/net/ethernet/freescale/fec_ptp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c index b42c68833292..53b9ce4af965 100644 --- a/drivers/net/ethernet/freescale/fec_ptp.c +++ b/drivers/net/ethernet/freescale/fec_ptp.c @@ -608,6 +608,9 @@ void fec_ptp_stop(struct platform_device *pdev) struct net_device *ndev = platform_get_drvdata(pdev); struct fec_enet_private *fep = netdev_priv(ndev); + if (fep->pps_enable) + fec_ptp_enable_pps(fep, 0); + cancel_delayed_work_sync(&fep->time_keep); if (fep->ptp_clock) ptp_clock_unregister(fep->ptp_clock); From a10b1779aca24535b14edba941cb59fbd35ce7c9 Mon Sep 17 00:00:00 2001 From: Yu Kuai Date: Tue, 11 Jun 2024 21:22:51 +0800 Subject: [PATCH 119/173] md/raid5: avoid BUG_ON() while continue reshape after reassembling [ Upstream commit 305a5170dc5cf3d395bb4c4e9239bca6d0b54b49 ] Currently, mdadm support --revert-reshape to abort the reshape while reassembling, as the test 07revert-grow. However, following BUG_ON() can be triggerred by the test: kernel BUG at drivers/md/raid5.c:6278! invalid opcode: 0000 [#1] PREEMPT SMP PTI irq event stamp: 158985 CPU: 6 PID: 891 Comm: md0_reshape Not tainted 6.9.0-03335-g7592a0b0049a #94 RIP: 0010:reshape_request+0x3f1/0xe60 Call Trace: raid5_sync_request+0x43d/0x550 md_do_sync+0xb7a/0x2110 md_thread+0x294/0x2b0 kthread+0x147/0x1c0 ret_from_fork+0x59/0x70 ret_from_fork_asm+0x1a/0x30 Root cause is that --revert-reshape update the raid_disks from 5 to 4, while reshape position is still set, and after reassembling the array, reshape position will be read from super block, then during reshape the checking of 'writepos' that is caculated by old reshape position will fail. Fix this panic the easy way first, by converting the BUG_ON() to WARN_ON(), and stop the reshape if checkings fail. Noted that mdadm must fix --revert-shape as well, and probably md/raid should enhance metadata validation as well, however this means reassemble will fail and there must be user tools to fix the wrong metadata. Signed-off-by: Yu Kuai Signed-off-by: Song Liu Link: https://lore.kernel.org/r/20240611132251.1967786-13-yukuai1@huaweicloud.com Signed-off-by: Sasha Levin (cherry picked from commit 2c92f8c1c456d556f15cbf51667b385026b2e6a0) Signed-off-by: Vegard Nossum --- drivers/md/raid5.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c index a8b3beb0aa3a..f38c87ea435c 100644 --- a/drivers/md/raid5.c +++ b/drivers/md/raid5.c @@ -5814,7 +5814,9 @@ static sector_t reshape_request(struct mddev *mddev, sector_t sector_nr, int *sk safepos = conf->reshape_safe; sector_div(safepos, data_disks); if (mddev->reshape_backwards) { - BUG_ON(writepos < reshape_sectors); + if (WARN_ON(writepos < reshape_sectors)) + return MaxSector; + writepos -= reshape_sectors; readpos += reshape_sectors; safepos += reshape_sectors; @@ -5832,14 +5834,18 @@ static sector_t reshape_request(struct mddev *mddev, sector_t sector_nr, int *sk * to set 'stripe_addr' which is where we will write to. */ if (mddev->reshape_backwards) { - BUG_ON(conf->reshape_progress == 0); + if (WARN_ON(conf->reshape_progress == 0)) + return MaxSector; + stripe_addr = writepos; - BUG_ON((mddev->dev_sectors & - ~((sector_t)reshape_sectors - 1)) - - reshape_sectors - stripe_addr - != sector_nr); + if (WARN_ON((mddev->dev_sectors & + ~((sector_t)reshape_sectors - 1)) - + reshape_sectors - stripe_addr != sector_nr)) + return MaxSector; } else { - BUG_ON(writepos != sector_nr + reshape_sectors); + if (WARN_ON(writepos != sector_nr + reshape_sectors)) + return MaxSector; + stripe_addr = sector_nr; } From f9ec6971715991696e49430547551697f1153be6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niklas=20S=C3=B6derlund?= Date: Tue, 2 Jul 2024 21:02:30 +0200 Subject: [PATCH 120/173] clocksource/drivers/sh_cmt: Address race condition for clock events MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [ Upstream commit db19d3aa77612983a02bd223b3f273f896b243cf ] There is a race condition in the CMT interrupt handler. In the interrupt handler the driver sets a driver private flag, FLAG_IRQCONTEXT. This flag is used to indicate any call to set_next_event() should not be directly propagated to the device, but instead cached. This is done as the interrupt handler itself reprograms the device when needed before it completes and this avoids this operation to take place twice. It is unclear why this design was chosen, my suspicion is to allow the struct clock_event_device.event_handler callback, which is called while the FLAG_IRQCONTEXT is set, can update the next event without having to write to the device twice. Unfortunately there is a race between when the FLAG_IRQCONTEXT flag is set and later cleared where the interrupt handler have already started to write the next event to the device. If set_next_event() is called in this window the value is only cached in the driver but not written. This leads to the board to misbehave, or worse lockup and produce a splat. rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: 0-...!: (0 ticks this GP) idle=f5e0/0/0x0 softirq=519/519 fqs=0 (false positive?) rcu: (detected by 1, t=6502 jiffies, g=-595, q=77 ncpus=2) Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.10.0-rc5-arm64-renesas-00019-g74a6f86eaf1c-dirty #20 Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : tick_check_broadcast_expired+0xc/0x40 lr : cpu_idle_poll.isra.0+0x8c/0x168 sp : ffff800081c63d70 x29: ffff800081c63d70 x28: 00000000580000c8 x27: 00000000bfee5610 x26: 0000000000000027 x25: 0000000000000000 x24: 0000000000000000 x23: ffff00007fbb9100 x22: ffff8000818f1008 x21: ffff8000800ef07c x20: ffff800081c79ec0 x19: ffff800081c70c28 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffc2c717d8 x14: 0000000000000000 x13: ffff000009c18080 x12: ffff8000825f7fc0 x11: 0000000000000000 x10: ffff8000818f3cd4 x9 : 0000000000000028 x8 : ffff800081c79ec0 x7 : ffff800081c73000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : ffff7ffffe286000 x3 : 0000000000000000 x2 : ffff7ffffe286000 x1 : ffff800082972900 x0 : ffff8000818f1008 Call trace: tick_check_broadcast_expired+0xc/0x40 do_idle+0x9c/0x280 cpu_startup_entry+0x34/0x40 kernel_init+0x0/0x11c do_one_initcall+0x0/0x260 __primary_switched+0x80/0x88 rcu: rcu_preempt kthread timer wakeup didn't happen for 6501 jiffies! g-595 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 rcu: Possible timer handling issue on cpu=0 timer-softirq=262 rcu: rcu_preempt kthread starved for 6502 jiffies! g-595 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=0 rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior. rcu: RCU grace-period kthread stack dump: task:rcu_preempt state:I stack:0 pid:15 tgid:15 ppid:2 flags:0x00000008 Call trace: __switch_to+0xbc/0x100 __schedule+0x358/0xbe0 schedule+0x48/0x148 schedule_timeout+0xc4/0x138 rcu_gp_fqs_loop+0x12c/0x764 rcu_gp_kthread+0x208/0x298 kthread+0x10c/0x110 ret_from_fork+0x10/0x20 The design have been part of the driver since it was first merged in early 2009. It becomes increasingly harder to trigger the issue the older kernel version one tries. It only takes a few boots on v6.10-rc5, while hundreds of boots are needed to trigger it on v5.10. Close the race condition by using the CMT channel lock for the two competing sections. The channel lock was added to the driver after its initial design. Signed-off-by: Niklas Söderlund Link: https://lore.kernel.org/r/20240702190230.3825292-1-niklas.soderlund+renesas@ragnatech.se Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin (cherry picked from commit 026befb502ce41384e5119df12c9f2d4067cb23c) Signed-off-by: Vegard Nossum --- drivers/clocksource/sh_cmt.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers/clocksource/sh_cmt.c b/drivers/clocksource/sh_cmt.c index 48eeee53a586..fea5749240ce 100644 --- a/drivers/clocksource/sh_cmt.c +++ b/drivers/clocksource/sh_cmt.c @@ -510,6 +510,7 @@ static void sh_cmt_set_next(struct sh_cmt_channel *ch, unsigned long delta) static irqreturn_t sh_cmt_interrupt(int irq, void *dev_id) { struct sh_cmt_channel *ch = dev_id; + unsigned long flags; /* clear flags */ sh_cmt_write_cmcsr(ch, sh_cmt_read_cmcsr(ch) & @@ -540,6 +541,8 @@ static irqreturn_t sh_cmt_interrupt(int irq, void *dev_id) ch->flags &= ~FLAG_SKIPEVENT; + raw_spin_lock_irqsave(&ch->lock, flags); + if (ch->flags & FLAG_REPROGRAM) { ch->flags &= ~FLAG_REPROGRAM; sh_cmt_clock_event_program_verify(ch, 1); @@ -552,6 +555,8 @@ static irqreturn_t sh_cmt_interrupt(int irq, void *dev_id) ch->flags &= ~FLAG_IRQCONTEXT; + raw_spin_unlock_irqrestore(&ch->lock, flags); + return IRQ_HANDLED; } @@ -750,12 +755,18 @@ static int sh_cmt_clock_event_next(unsigned long delta, struct clock_event_device *ced) { struct sh_cmt_channel *ch = ced_to_sh_cmt(ced); + unsigned long flags; BUG_ON(!clockevent_state_oneshot(ced)); + + raw_spin_lock_irqsave(&ch->lock, flags); + if (likely(ch->flags & FLAG_IRQCONTEXT)) ch->next_match_value = delta - 1; else - sh_cmt_set_next(ch, delta - 1); + __sh_cmt_set_next(ch, delta - 1); + + raw_spin_unlock_irqrestore(&ch->lock, flags); return 0; } From ca0a3431163788b838bdccff1eac2b84a30bee91 Mon Sep 17 00:00:00 2001 From: FUJITA Tomonori Date: Mon, 24 Jun 2024 08:55:01 +0900 Subject: [PATCH 121/173] PCI: Add Edimax Vendor ID to pci_ids.h [ Upstream commit eee5528890d54b22b46f833002355a5ee94c3bb4 ] Add the Edimax Vendor ID (0x1432) for an ethernet driver for Tehuti Networks TN40xx chips. This ID can be used for Realtek 8180 and Ralink rt28xx wireless drivers. Signed-off-by: FUJITA Tomonori Acked-by: Bjorn Helgaas Link: https://patch.msgid.link/20240623235507.108147-2-fujita.tomonori@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit a35a163cd56b583ef698eadef9b856b0fe6e2727) Signed-off-by: Vegard Nossum --- include/linux/pci_ids.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/linux/pci_ids.h b/include/linux/pci_ids.h index c977e636a1dd..aca9f670230d 100644 --- a/include/linux/pci_ids.h +++ b/include/linux/pci_ids.h @@ -2108,6 +2108,8 @@ #define PCI_VENDOR_ID_CHELSIO 0x1425 +#define PCI_VENDOR_ID_EDIMAX 0x1432 + #define PCI_VENDOR_ID_ADLINK 0x144a #define PCI_VENDOR_ID_SAMSUNG 0x144d From ed09bb9292ca0c02ada12cd5f17ef9e976cb5f8c Mon Sep 17 00:00:00 2001 From: Steve Magnani Date: Thu, 12 Oct 2017 08:48:41 -0500 Subject: [PATCH 122/173] udf: Fix signed/unsigned format specifiers Fix problems noted in compilion with -Wformat=2 -Wformat-signedness. In particular, a mismatch between the signedness of a value and the signedness of its format specifier can result in unsigned values being printed as negative numbers, e.g.: Partition (0 type 1511) starts at physical 460, block length -1779968542 ...which occurs when mounting a large (> 1 TiB) UDF partition. Changes since V1: * Fixed additional issues noted in udf_bitmap_free_blocks(), udf_get_fileident(), udf_show_options() Signed-off-by: Steven J. Magnani Signed-off-by: Jan Kara (cherry picked from commit fcbf7637e6647e00de04d4b2e05ece2484bb3062) Signed-off-by: Vegard Nossum --- fs/udf/balloc.c | 12 +++++------ fs/udf/directory.c | 2 +- fs/udf/inode.c | 16 +++++++------- fs/udf/misc.c | 4 ++-- fs/udf/namei.c | 4 ++-- fs/udf/partition.c | 6 +++--- fs/udf/super.c | 52 +++++++++++++++++++++++----------------------- fs/udf/unicode.c | 2 +- 8 files changed, 49 insertions(+), 49 deletions(-) diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c index 6aaca99dcc9d..0e410869e7be 100644 --- a/fs/udf/balloc.c +++ b/fs/udf/balloc.c @@ -81,7 +81,7 @@ static int __load_block_bitmap(struct super_block *sb, int nr_groups = bitmap->s_nr_groups; if (block_group >= nr_groups) { - udf_debug("block_group (%d) > nr_groups (%d)\n", + udf_debug("block_group (%u) > nr_groups (%d)\n", block_group, nr_groups); } @@ -145,7 +145,7 @@ static void udf_bitmap_free_blocks(struct super_block *sb, partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; if (bloc->logicalBlockNum + count < count || (bloc->logicalBlockNum + count) > partmap->s_partition_len) { - udf_debug("%d < %d || %d + %d > %d\n", + udf_debug("%u < %d || %u + %u > %u\n", bloc->logicalBlockNum, 0, bloc->logicalBlockNum, count, partmap->s_partition_len); @@ -174,9 +174,9 @@ static void udf_bitmap_free_blocks(struct super_block *sb, bh = bitmap->s_block_bitmap[bitmap_nr]; for (i = 0; i < count; i++) { if (udf_set_bit(bit + i, bh->b_data)) { - udf_debug("bit %ld already set\n", bit + i); + udf_debug("bit %lu already set\n", bit + i); udf_debug("byte=%2x\n", - ((char *)bh->b_data)[(bit + i) >> 3]); + ((__u8 *)bh->b_data)[(bit + i) >> 3]); } } udf_add_free_space(sb, sbi->s_partition, count); @@ -385,7 +385,7 @@ static void udf_table_free_blocks(struct super_block *sb, partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; if (bloc->logicalBlockNum + count < count || (bloc->logicalBlockNum + count) > partmap->s_partition_len) { - udf_debug("%d < %d || %d + %d > %d\n", + udf_debug("%u < %d || %u + %u > %u\n", bloc->logicalBlockNum, 0, bloc->logicalBlockNum, count, partmap->s_partition_len); @@ -538,7 +538,7 @@ static int udf_table_prealloc_blocks(struct super_block *sb, while (first_block != eloc.logicalBlockNum && (etype = udf_next_aext(table, &epos, &eloc, &elen, 1)) != -1) { - udf_debug("eloc=%d, elen=%d, first_block=%d\n", + udf_debug("eloc=%u, elen=%u, first_block=%u\n", eloc.logicalBlockNum, elen, first_block); ; /* empty loop body */ } diff --git a/fs/udf/directory.c b/fs/udf/directory.c index a636b3b17219..12cffe417cfd 100644 --- a/fs/udf/directory.c +++ b/fs/udf/directory.c @@ -178,7 +178,7 @@ struct fileIdentDesc *udf_get_fileident(void *buffer, int bufsize, int *offset) if (fi->descTag.tagIdent != cpu_to_le16(TAG_IDENT_FID)) { udf_debug("0x%x != TAG_IDENT_FID\n", le16_to_cpu(fi->descTag.tagIdent)); - udf_debug("offset: %u sizeof: %lu bufsize: %u\n", + udf_debug("offset: %d sizeof: %lu bufsize: %d\n", *offset, (unsigned long)sizeof(struct fileIdentDesc), bufsize); return NULL; diff --git a/fs/udf/inode.c b/fs/udf/inode.c index f402189909d2..b2564517e348 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1303,14 +1303,14 @@ static int udf_read_inode(struct inode *inode, bool hidden_inode) reread: if (iloc->partitionReferenceNum >= sbi->s_partitions) { - udf_debug("partition reference: %d > logical volume partitions: %d\n", + udf_debug("partition reference: %u > logical volume partitions: %u\n", iloc->partitionReferenceNum, sbi->s_partitions); return -EIO; } if (iloc->logicalBlockNum >= sbi->s_partmaps[iloc->partitionReferenceNum].s_partition_len) { - udf_debug("block=%d, partition=%d out of range\n", + udf_debug("block=%u, partition=%u out of range\n", iloc->logicalBlockNum, iloc->partitionReferenceNum); return -EIO; } @@ -1329,13 +1329,13 @@ reread: */ bh = udf_read_ptagged(inode->i_sb, iloc, 0, &ident); if (!bh) { - udf_err(inode->i_sb, "(ino %ld) failed !bh\n", inode->i_ino); + udf_err(inode->i_sb, "(ino %lu) failed !bh\n", inode->i_ino); return -EIO; } if (ident != TAG_IDENT_FE && ident != TAG_IDENT_EFE && ident != TAG_IDENT_USE) { - udf_err(inode->i_sb, "(ino %ld) failed ident=%d\n", + udf_err(inode->i_sb, "(ino %lu) failed ident=%u\n", inode->i_ino, ident); goto out; } @@ -1371,7 +1371,7 @@ reread: } brelse(ibh); } else if (fe->icbTag.strategyType != cpu_to_le16(4)) { - udf_err(inode->i_sb, "unsupported strategy type: %d\n", + udf_err(inode->i_sb, "unsupported strategy type: %u\n", le16_to_cpu(fe->icbTag.strategyType)); goto out; } @@ -1564,7 +1564,7 @@ reread: udf_debug("METADATA BITMAP FILE-----\n"); break; default: - udf_err(inode->i_sb, "(ino %ld) failed unknown file type=%d\n", + udf_err(inode->i_sb, "(ino %lu) failed unknown file type=%u\n", inode->i_ino, fe->icbTag.fileType); goto out; } @@ -2108,7 +2108,7 @@ int8_t udf_next_aext(struct inode *inode, struct extent_position *epos, block = udf_get_lb_pblock(inode->i_sb, &epos->block, 0); epos->bh = udf_tread(inode->i_sb, block); if (!epos->bh) { - udf_debug("reading block %d failed!\n", block); + udf_debug("reading block %u failed!\n", block); return -1; } } @@ -2163,7 +2163,7 @@ int8_t udf_current_aext(struct inode *inode, struct extent_position *epos, *elen = le32_to_cpu(lad->extLength) & UDF_EXTENT_LENGTH_MASK; break; default: - udf_debug("alloc_type = %d unsupported\n", iinfo->i_alloc_type); + udf_debug("alloc_type = %u unsupported\n", iinfo->i_alloc_type); return -1; } diff --git a/fs/udf/misc.c b/fs/udf/misc.c index e5f4dcde309f..277ce94fe370 100644 --- a/fs/udf/misc.c +++ b/fs/udf/misc.c @@ -218,7 +218,7 @@ struct buffer_head *udf_read_tagged(struct super_block *sb, uint32_t block, bh = udf_tread(sb, block); if (!bh) { - udf_err(sb, "read failed, block=%u, location=%d\n", + udf_err(sb, "read failed, block=%u, location=%u\n", block, location); return NULL; } @@ -256,7 +256,7 @@ struct buffer_head *udf_read_tagged(struct super_block *sb, uint32_t block, le16_to_cpu(tag_p->descCRCLength))) return bh; - udf_debug("Crc failure block %d: crc = %d, crclen = %d\n", block, + udf_debug("Crc failure block %u: crc = %u, crclen = %u\n", block, le16_to_cpu(tag_p->descCRC), le16_to_cpu(tag_p->descCRCLength)); error_out: diff --git a/fs/udf/namei.c b/fs/udf/namei.c index 72957b1acb1a..da67b8123de3 100644 --- a/fs/udf/namei.c +++ b/fs/udf/namei.c @@ -837,7 +837,7 @@ static int udf_rmdir(struct inode *dir, struct dentry *dentry) if (retval) goto end_rmdir; if (inode->i_nlink != 2) - udf_warn(inode->i_sb, "empty directory has nlink != 2 (%d)\n", + udf_warn(inode->i_sb, "empty directory has nlink != 2 (%u)\n", inode->i_nlink); clear_nlink(inode); inode->i_size = 0; @@ -879,7 +879,7 @@ static int udf_unlink(struct inode *dir, struct dentry *dentry) goto end_unlink; if (!inode->i_nlink) { - udf_debug("Deleting nonexistent file (%lu), %d\n", + udf_debug("Deleting nonexistent file (%lu), %u\n", inode->i_ino, inode->i_nlink); set_nlink(inode, 1); } diff --git a/fs/udf/partition.c b/fs/udf/partition.c index 888c364b2fe9..090baff83990 100644 --- a/fs/udf/partition.c +++ b/fs/udf/partition.c @@ -32,7 +32,7 @@ uint32_t udf_get_pblock(struct super_block *sb, uint32_t block, struct udf_sb_info *sbi = UDF_SB(sb); struct udf_part_map *map; if (partition >= sbi->s_partitions) { - udf_debug("block=%d, partition=%d, offset=%d: invalid partition\n", + udf_debug("block=%u, partition=%u, offset=%u: invalid partition\n", block, partition, offset); return 0xFFFFFFFF; } @@ -59,7 +59,7 @@ uint32_t udf_get_pblock_virt15(struct super_block *sb, uint32_t block, vdata = &map->s_type_specific.s_virtual; if (block > vdata->s_num_entries) { - udf_debug("Trying to access block beyond end of VAT (%d max %d)\n", + udf_debug("Trying to access block beyond end of VAT (%u max %u)\n", block, vdata->s_num_entries); return 0xFFFFFFFF; } @@ -83,7 +83,7 @@ uint32_t udf_get_pblock_virt15(struct super_block *sb, uint32_t block, bh = sb_bread(sb, loc); if (!bh) { - udf_debug("get_pblock(UDF_VIRTUAL_MAP:%p,%d,%d) VAT: %d[%d]\n", + udf_debug("get_pblock(UDF_VIRTUAL_MAP:%p,%u,%u) VAT: %u[%u]\n", sb, block, partition, loc, index); return 0xFFFFFFFF; } diff --git a/fs/udf/super.c b/fs/udf/super.c index 236bf6f14f62..59569b3c62e4 100644 --- a/fs/udf/super.c +++ b/fs/udf/super.c @@ -360,7 +360,7 @@ static int udf_show_options(struct seq_file *seq, struct dentry *root) if (sbi->s_dmode != UDF_INVALID_MODE) seq_printf(seq, ",dmode=%ho", sbi->s_dmode); if (UDF_QUERY_FLAG(sb, UDF_FLAG_SESSION_SET)) - seq_printf(seq, ",session=%u", sbi->s_session); + seq_printf(seq, ",session=%d", sbi->s_session); if (UDF_QUERY_FLAG(sb, UDF_FLAG_LASTBLOCK_SET)) seq_printf(seq, ",lastblock=%u", sbi->s_last_block); if (sbi->s_anchor != 0) @@ -699,7 +699,7 @@ static loff_t udf_check_vsd(struct super_block *sb) sector += (((loff_t)sbi->s_session) << sb->s_blocksize_bits); - udf_debug("Starting at sector %u (%ld byte sectors)\n", + udf_debug("Starting at sector %u (%lu byte sectors)\n", (unsigned int)(sector >> sb->s_blocksize_bits), sb->s_blocksize); /* Process the sequence (if applicable). The hard limit on the sector @@ -862,7 +862,7 @@ static int udf_find_fileset(struct super_block *sb, if ((fileset->logicalBlockNum != 0xFFFFFFFF || fileset->partitionReferenceNum != 0xFFFF) && bh) { - udf_debug("Fileset at block=%d, partition=%d\n", + udf_debug("Fileset at block=%u, partition=%u\n", fileset->logicalBlockNum, fileset->partitionReferenceNum); @@ -982,14 +982,14 @@ static int udf_load_metadata_files(struct super_block *sb, int partition, mdata->s_phys_partition_ref = type1_index; /* metadata address */ - udf_debug("Metadata file location: block = %d part = %d\n", + udf_debug("Metadata file location: block = %u part = %u\n", mdata->s_meta_file_loc, mdata->s_phys_partition_ref); fe = udf_find_metadata_inode_efe(sb, mdata->s_meta_file_loc, mdata->s_phys_partition_ref); if (IS_ERR(fe)) { /* mirror file entry */ - udf_debug("Mirror metadata file location: block = %d part = %d\n", + udf_debug("Mirror metadata file location: block = %u part = %u\n", mdata->s_mirror_file_loc, mdata->s_phys_partition_ref); fe = udf_find_metadata_inode_efe(sb, mdata->s_mirror_file_loc, @@ -1013,7 +1013,7 @@ static int udf_load_metadata_files(struct super_block *sb, int partition, addr.logicalBlockNum = mdata->s_bitmap_file_loc; addr.partitionReferenceNum = mdata->s_phys_partition_ref; - udf_debug("Bitmap file location: block = %d part = %d\n", + udf_debug("Bitmap file location: block = %u part = %u\n", addr.logicalBlockNum, addr.partitionReferenceNum); fe = udf_iget_special(sb, &addr); @@ -1043,7 +1043,7 @@ static void udf_load_fileset(struct super_block *sb, struct buffer_head *bh, UDF_SB(sb)->s_serial_number = le16_to_cpu(fset->descTag.tagSerialNum); - udf_debug("Rootdir at block=%d, partition=%d\n", + udf_debug("Rootdir at block=%u, partition=%u\n", root->logicalBlockNum, root->partitionReferenceNum); } @@ -1098,7 +1098,7 @@ static int udf_fill_partdesc_info(struct super_block *sb, if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_OVERWRITABLE)) map->s_partition_flags |= UDF_PART_FLAG_OVERWRITABLE; - udf_debug("Partition (%d type %x) starts at physical %d, block length %d\n", + udf_debug("Partition (%d type %x) starts at physical %u, block length %u\n", p_index, map->s_partition_type, map->s_partition_root, map->s_partition_len); @@ -1123,7 +1123,7 @@ static int udf_fill_partdesc_info(struct super_block *sb, } map->s_uspace.s_table = inode; map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_TABLE; - udf_debug("unallocSpaceTable (part %d) @ %ld\n", + udf_debug("unallocSpaceTable (part %d) @ %lu\n", p_index, map->s_uspace.s_table->i_ino); } @@ -1135,7 +1135,7 @@ static int udf_fill_partdesc_info(struct super_block *sb, bitmap->s_extPosition = le32_to_cpu( phd->unallocSpaceBitmap.extPosition); map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP; - udf_debug("unallocSpaceBitmap (part %d) @ %d\n", + udf_debug("unallocSpaceBitmap (part %d) @ %u\n", p_index, bitmap->s_extPosition); } @@ -1158,7 +1158,7 @@ static int udf_fill_partdesc_info(struct super_block *sb, } map->s_fspace.s_table = inode; map->s_partition_flags |= UDF_PART_FLAG_FREED_TABLE; - udf_debug("freedSpaceTable (part %d) @ %ld\n", + udf_debug("freedSpaceTable (part %d) @ %lu\n", p_index, map->s_fspace.s_table->i_ino); } @@ -1170,7 +1170,7 @@ static int udf_fill_partdesc_info(struct super_block *sb, bitmap->s_extPosition = le32_to_cpu( phd->freedSpaceBitmap.extPosition); map->s_partition_flags |= UDF_PART_FLAG_FREED_BITMAP; - udf_debug("freedSpaceBitmap (part %d) @ %d\n", + udf_debug("freedSpaceBitmap (part %d) @ %u\n", p_index, bitmap->s_extPosition); } return 0; @@ -1283,7 +1283,7 @@ static int udf_load_partdesc(struct super_block *sb, sector_t block) /* First scan for TYPE1 and SPARABLE partitions */ for (i = 0; i < sbi->s_partitions; i++) { map = &sbi->s_partmaps[i]; - udf_debug("Searching map: (%d == %d)\n", + udf_debug("Searching map: (%u == %u)\n", map->s_partition_num, partitionNumber); if (map->s_partition_num == partitionNumber && (map->s_partition_type == UDF_TYPE1_MAP15 || @@ -1292,7 +1292,7 @@ static int udf_load_partdesc(struct super_block *sb, sector_t block) } if (i >= sbi->s_partitions) { - udf_debug("Partition (%d) not found in partition map\n", + udf_debug("Partition (%u) not found in partition map\n", partitionNumber); ret = 0; goto out_bh; @@ -1490,7 +1490,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, struct metadataPartitionMap *mdm = (struct metadataPartitionMap *) &(lvd->partitionMaps[offset]); - udf_debug("Parsing Logical vol part %d type %d id=%s\n", + udf_debug("Parsing Logical vol part %d type %u id=%s\n", i, type, UDF_ID_METADATA); map->s_partition_type = UDF_METADATA_MAP25; @@ -1512,17 +1512,17 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, udf_debug("Metadata Ident suffix=0x%x\n", le16_to_cpu(*(__le16 *) mdm->partIdent.identSuffix)); - udf_debug("Metadata part num=%d\n", + udf_debug("Metadata part num=%u\n", le16_to_cpu(mdm->partitionNum)); - udf_debug("Metadata part alloc unit size=%d\n", + udf_debug("Metadata part alloc unit size=%u\n", le32_to_cpu(mdm->allocUnitSize)); - udf_debug("Metadata file loc=%d\n", + udf_debug("Metadata file loc=%u\n", le32_to_cpu(mdm->metadataFileLoc)); - udf_debug("Mirror file loc=%d\n", + udf_debug("Mirror file loc=%u\n", le32_to_cpu(mdm->metadataMirrorFileLoc)); - udf_debug("Bitmap file loc=%d\n", + udf_debug("Bitmap file loc=%u\n", le32_to_cpu(mdm->metadataBitmapFileLoc)); - udf_debug("Flags: %d %d\n", + udf_debug("Flags: %d %u\n", mdata->s_flags, mdm->flags); } else { udf_debug("Unknown ident: %s\n", @@ -1532,7 +1532,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, map->s_volumeseqnum = le16_to_cpu(upm2->volSeqNum); map->s_partition_num = le16_to_cpu(upm2->partitionNum); } - udf_debug("Partition (%d:%d) type %d on volume %d\n", + udf_debug("Partition (%d:%u) type %u on volume %u\n", i, map->s_partition_num, type, map->s_volumeseqnum); } @@ -1540,7 +1540,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block, struct long_ad *la = (struct long_ad *)&(lvd->logicalVolContentsUse[0]); *fileset = lelb_to_cpu(la->extLocation); - udf_debug("FileSet found in LogicalVolDesc at block=%d, partition=%d\n", + udf_debug("FileSet found in LogicalVolDesc at block=%u, partition=%u\n", fileset->logicalBlockNum, fileset->partitionReferenceNum); } @@ -2180,7 +2180,7 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent) ret = udf_load_vrs(sb, &uopt, silent, &fileset); if (ret < 0) { if (!silent && ret != -EACCES) { - pr_notice("Scanning with blocksize %d failed\n", + pr_notice("Scanning with blocksize %u failed\n", uopt.blocksize); } brelse(sbi->s_lvid_bh); @@ -2205,7 +2205,7 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent) goto error_out; } - udf_debug("Lastblock=%d\n", sbi->s_last_block); + udf_debug("Lastblock=%u\n", sbi->s_last_block); if (sbi->s_lvid_bh) { struct logicalVolIntegrityDescImpUse *lvidiu = @@ -2276,7 +2276,7 @@ static int udf_fill_super(struct super_block *sb, void *options, int silent) /* perhaps it's not extensible enough, but for now ... */ inode = udf_iget(sb, &rootdir); if (IS_ERR(inode)) { - udf_err(sb, "Error in udf_iget, block=%d, partition=%d\n", + udf_err(sb, "Error in udf_iget, block=%u, partition=%u\n", rootdir.logicalBlockNum, rootdir.partitionReferenceNum); ret = PTR_ERR(inode); goto error_out; diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c index ad04dc227833..b52df1dbb3b3 100644 --- a/fs/udf/unicode.c +++ b/fs/udf/unicode.c @@ -206,7 +206,7 @@ static int udf_name_from_CS0(uint8_t *str_o, int str_max_len, cmp_id = ocu[0]; if (cmp_id != 8 && cmp_id != 16) { memset(str_o, 0, str_max_len); - pr_err("unknown compression code (%d)\n", cmp_id); + pr_err("unknown compression code (%u)\n", cmp_id); return -EINVAL; } u_ch = cmp_id >> 3; From 12ce9c96b15650623040f0d999b91b5d12f9936f Mon Sep 17 00:00:00 2001 From: Roman Smirnov Date: Thu, 20 Jun 2024 10:24:13 +0300 Subject: [PATCH 123/173] udf: prevent integer overflow in udf_bitmap_free_blocks() [ Upstream commit 56e69e59751d20993f243fb7dd6991c4e522424c ] An overflow may occur if the function is called with the last block and an offset greater than zero. It is necessary to add a check to avoid this. Found by Linux Verification Center (linuxtesting.org) with Svace. [JK: Make test cover also unalloc table freeing] Link: https://patch.msgid.link/20240620072413.7448-1-r.smirnov@omp.ru Suggested-by: Jan Kara Signed-off-by: Roman Smirnov Signed-off-by: Jan Kara Signed-off-by: Sasha Levin (cherry picked from commit 097420e48e30f51e8f4f650b5c946f5af63ec1a3) Signed-off-by: Vegard Nossum --- fs/udf/balloc.c | 36 +++++++++++++----------------------- 1 file changed, 13 insertions(+), 23 deletions(-) diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c index 0e410869e7be..97c9047bb3dc 100644 --- a/fs/udf/balloc.c +++ b/fs/udf/balloc.c @@ -22,6 +22,7 @@ #include "udfdecl.h" #include +#include #include "udf_i.h" #include "udf_sb.h" @@ -133,7 +134,6 @@ static void udf_bitmap_free_blocks(struct super_block *sb, { struct udf_sb_info *sbi = UDF_SB(sb); struct buffer_head *bh = NULL; - struct udf_part_map *partmap; unsigned long block; unsigned long block_group; unsigned long bit; @@ -142,19 +142,9 @@ static void udf_bitmap_free_blocks(struct super_block *sb, unsigned long overflow; mutex_lock(&sbi->s_alloc_mutex); - partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; - if (bloc->logicalBlockNum + count < count || - (bloc->logicalBlockNum + count) > partmap->s_partition_len) { - udf_debug("%u < %d || %u + %u > %u\n", - bloc->logicalBlockNum, 0, - bloc->logicalBlockNum, count, - partmap->s_partition_len); - goto error_return; - } - + /* We make sure this cannot overflow when mounting the filesystem */ block = bloc->logicalBlockNum + offset + (sizeof(struct spaceBitmapDesc) << 3); - do { overflow = 0; block_group = block >> (sb->s_blocksize_bits + 3); @@ -373,7 +363,6 @@ static void udf_table_free_blocks(struct super_block *sb, uint32_t count) { struct udf_sb_info *sbi = UDF_SB(sb); - struct udf_part_map *partmap; uint32_t start, end; uint32_t elen; struct kernel_lb_addr eloc; @@ -382,16 +371,6 @@ static void udf_table_free_blocks(struct super_block *sb, struct udf_inode_info *iinfo; mutex_lock(&sbi->s_alloc_mutex); - partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; - if (bloc->logicalBlockNum + count < count || - (bloc->logicalBlockNum + count) > partmap->s_partition_len) { - udf_debug("%u < %d || %u + %u > %u\n", - bloc->logicalBlockNum, 0, - bloc->logicalBlockNum, count, - partmap->s_partition_len); - goto error_return; - } - iinfo = UDF_I(table); udf_add_free_space(sb, sbi->s_partition, count); @@ -665,6 +644,17 @@ void udf_free_blocks(struct super_block *sb, struct inode *inode, { uint16_t partition = bloc->partitionReferenceNum; struct udf_part_map *map = &UDF_SB(sb)->s_partmaps[partition]; + uint32_t blk; + + if (check_add_overflow(bloc->logicalBlockNum, offset, &blk) || + check_add_overflow(blk, count, &blk) || + bloc->logicalBlockNum + count > map->s_partition_len) { + udf_debug("Invalid request to free blocks: (%d, %u), off %u, " + "len %u, partition len %u\n", + partition, bloc->logicalBlockNum, offset, count, + map->s_partition_len); + return; + } if (map->s_partition_flags & UDF_PART_FLAG_UNALLOC_BITMAP) { udf_bitmap_free_blocks(sb, map->s_uspace.s_bitmap, From a253db7576fd90aaa15b1dabec335f2f9df7c21e Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Thu, 27 Jun 2024 10:44:11 +0200 Subject: [PATCH 124/173] wifi: nl80211: don't give key data to userspace [ Upstream commit a7e5793035792cc46a1a4b0a783655ffa897dfe9 ] When a key is requested by userspace, there's really no need to include the key data, the sequence counter is really what userspace needs in this case. The fact that it's included is just a historic quirk. Remove the key data. Reviewed-by: Miriam Rachel Korenblit Link: https://patch.msgid.link/20240627104411.b6a4f097e4ea.I7e6cc976cb9e8a80ef25a3351330f313373b4578@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin (cherry picked from commit f4d99b55dca90ca703bdd57ee8d557cd8d6c1639) Signed-off-by: Vegard Nossum --- net/wireless/nl80211.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index d92ca49ab32a..388aaa4687a6 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -3104,10 +3104,7 @@ static void get_key_callback(void *c, struct key_params *params) struct nlattr *key; struct get_key_cookie *cookie = c; - if ((params->key && - nla_put(cookie->msg, NL80211_ATTR_KEY_DATA, - params->key_len, params->key)) || - (params->seq && + if ((params->seq && nla_put(cookie->msg, NL80211_ATTR_KEY_SEQ, params->seq_len, params->seq)) || (params->cipher && @@ -3119,10 +3116,7 @@ static void get_key_callback(void *c, struct key_params *params) if (!key) goto nla_put_failure; - if ((params->key && - nla_put(cookie->msg, NL80211_KEY_DATA, - params->key_len, params->key)) || - (params->seq && + if ((params->seq && nla_put(cookie->msg, NL80211_KEY_SEQ, params->seq_len, params->seq)) || (params->cipher && From dd102bb94b5dba7e5376f09504503f3bc2cf16da Mon Sep 17 00:00:00 2001 From: Filipe Manana Date: Wed, 3 Jul 2024 15:40:59 +0100 Subject: [PATCH 125/173] btrfs: fix bitmap leak when loading free space cache on duplicate entry [ Upstream commit 320d8dc612660da84c3b70a28658bb38069e5a9a ] If we failed to link a free space entry because there's already a conflicting entry for the same offset, we free the free space entry but we don't free the associated bitmap that we had just allocated before. Fix that by freeing the bitmap before freeing the entry. Reviewed-by: Johannes Thumshirn Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin (cherry picked from commit fad0bb34cfcea693903409356693988f04715b8e) [Vegard: use kfree() due to missing commit 4874c6fe1c9efe704bf155afab268ead7c364c9b ("btrfs: fix allocation of free space cache v1 bitmap pages").] Signed-off-by: Vegard Nossum --- fs/btrfs/free-space-cache.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c index b272299afb67..d8395431a2f4 100644 --- a/fs/btrfs/free-space-cache.c +++ b/fs/btrfs/free-space-cache.c @@ -804,6 +804,7 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode, if (ret) { btrfs_err(fs_info, "Duplicate entries in free space cache, dumping"); + kfree(e->bitmap); kmem_cache_free(btrfs_free_space_cachep, e); goto free_cache; } From feddc92ee4859f5e6c5a69135f94547740b292a9 Mon Sep 17 00:00:00 2001 From: Ricardo Ribalda Date: Sat, 23 Mar 2024 10:48:03 +0000 Subject: [PATCH 126/173] media: uvcvideo: Ignore empty TS packets [ Upstream commit 5cd7c25f6f0576073b3d03bc4cfb1e8ca63a1195 ] Some SunplusIT cameras took a borderline interpretation of the UVC 1.5 standard, and fill the PTS and SCR fields with invalid data if the package does not contain data. "STC must be captured when the first video data of a video frame is put on the USB bus." Some SunplusIT devices send, e.g., buffer: 0xa7755c00 len 000012 header:0x8c stc 00000000 sof 0000 pts 00000000 buffer: 0xa7755c00 len 000012 header:0x8c stc 00000000 sof 0000 pts 00000000 buffer: 0xa7755c00 len 000668 header:0x8c stc 73779dba sof 070c pts 7376d37a While the UVC specification meant that the first two packets shouldn't have had the SCR bit set in the header. This borderline/buggy interpretation has been implemented in a variety of devices, from directly SunplusIT and from other OEMs that rebrand SunplusIT products. So quirking based on VID:PID will be problematic. All the affected modules have the following extension unit: VideoControl Interface Descriptor: guidExtensionCode {82066163-7050-ab49-b8cc-b3855e8d221d} But the vendor plans to use that GUID in the future and fix the bug, this means that we should use heuristic to figure out the broken packets. This patch takes care of this. lsusb of one of the affected cameras: Bus 001 Device 003: ID 1bcf:2a01 Sunplus Innovation Technology Inc. Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.01 bDeviceClass 239 Miscellaneous Device bDeviceSubClass 2 ? bDeviceProtocol 1 Interface Association bMaxPacketSize0 64 idVendor 0x1bcf Sunplus Innovation Technology Inc. idProduct 0x2a01 bcdDevice 0.02 iManufacturer 1 SunplusIT Inc iProduct 2 HanChen Wise Camera iSerial 3 01.00.00 bNumConfigurations 1 Tested-by: HungNien Chen Reviewed-by: Sergey Senozhatsky Reviewed-by: Laurent Pinchart Signed-off-by: Ricardo Ribalda Reviewed-by: Tomasz Figa Link: https://lore.kernel.org/r/20240323-resend-hwtimestamp-v10-2-b08e590d97c7@chromium.org Signed-off-by: Laurent Pinchart Signed-off-by: Sasha Levin (cherry picked from commit 019f538f9fe0b48bb436135edba69aa3a5156cdb) Signed-off-by: Vegard Nossum --- drivers/media/usb/uvc/uvc_video.c | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index a0440f095515..95abf96bc476 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -428,6 +428,7 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf, struct timespec ts; u16 host_sof; u16 dev_sof; + u32 dev_stc; switch (data[1] & (UVC_STREAM_PTS | UVC_STREAM_SCR)) { case UVC_STREAM_PTS | UVC_STREAM_SCR: @@ -472,6 +473,34 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf, if (dev_sof == stream->clock.last_sof) return; + dev_stc = get_unaligned_le32(&data[header_size - 6]); + + /* + * STC (Source Time Clock) is the clock used by the camera. The UVC 1.5 + * standard states that it "must be captured when the first video data + * of a video frame is put on the USB bus". This is generally understood + * as requiring devices to clear the payload header's SCR bit before + * the first packet containing video data. + * + * Most vendors follow that interpretation, but some (namely SunplusIT + * on some devices) always set the `UVC_STREAM_SCR` bit, fill the SCR + * field with 0's,and expect that the driver only processes the SCR if + * there is data in the packet. + * + * Ignore all the hardware timestamp information if we haven't received + * any data for this frame yet, the packet contains no data, and both + * STC and SOF are zero. This heuristics should be safe on compliant + * devices. This should be safe with compliant devices, as in the very + * unlikely case where a UVC 1.1 device would send timing information + * only before the first packet containing data, and both STC and SOF + * happen to be zero for a particular frame, we would only miss one + * clock sample from many and the clock recovery algorithm wouldn't + * suffer from this condition. + */ + if (buf && buf->bytesused == 0 && len == header_size && + dev_stc == 0 && dev_sof == 0) + return; + stream->clock.last_sof = dev_sof; host_sof = usb_get_current_frame_number(stream->dev->udev); @@ -509,7 +538,7 @@ uvc_video_clock_decode(struct uvc_streaming *stream, struct uvc_buffer *buf, spin_lock_irqsave(&stream->clock.lock, flags); sample = &stream->clock.samples[stream->clock.head]; - sample->dev_stc = get_unaligned_le32(&data[header_size - 6]); + sample->dev_stc = dev_stc; sample->dev_sof = dev_sof; sample->host_sof = host_sof; sample->host_ts = ts; From 00a39f4e0adbb1b194e0a1ba2219e26c57042dc7 Mon Sep 17 00:00:00 2001 From: Michal Pecio Date: Sun, 14 Apr 2024 19:00:40 +0200 Subject: [PATCH 127/173] media: uvcvideo: Fix the bandwdith quirk on USB 3.x [ Upstream commit 9e3d55fbd160b3ca376599a68b4cddfdc67d4153 ] The bandwidth fixup quirk doesn't know that SuperSpeed exists and has the same 8 service intervals per millisecond as High Speed, hence its calculations are wrong. Assume that all speeds from HS up use 8 intervals per millisecond. No further changes are needed, updated code has been confirmed to work with all speeds from FS to SS. Signed-off-by: Michal Pecio Reviewed-by: Ricardo Ribalda Reviewed-by: Laurent Pinchart Link: https://lore.kernel.org/r/20240414190040.2255a0bc@foxbook Signed-off-by: Laurent Pinchart Signed-off-by: Sasha Levin (cherry picked from commit eada6212c055089962ca3ee7b8ab11d8f4d0e4f5) Signed-off-by: Vegard Nossum --- drivers/media/usb/uvc/uvc_video.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c index 95abf96bc476..9703b76a77b8 100644 --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -167,13 +167,13 @@ static void uvc_fixup_video_ctrl(struct uvc_streaming *stream, /* Compute a bandwidth estimation by multiplying the frame * size by the number of video frames per second, divide the * result by the number of USB frames (or micro-frames for - * high-speed devices) per second and add the UVC header size - * (assumed to be 12 bytes long). + * high- and super-speed devices) per second and add the UVC + * header size (assumed to be 12 bytes long). */ bandwidth = frame->wWidth * frame->wHeight / 8 * format->bpp; bandwidth *= 10000000 / interval + 1; bandwidth /= 1000; - if (stream->dev->udev->speed == USB_SPEED_HIGH) + if (stream->dev->udev->speed >= USB_SPEED_HIGH) bandwidth /= 8; bandwidth += 12; From 82f1f40db08d606f0538e4a88e06a919b8656645 Mon Sep 17 00:00:00 2001 From: Kemeng Shi Date: Tue, 14 May 2024 19:24:30 +0800 Subject: [PATCH 128/173] jbd2: avoid memleak in jbd2_journal_write_metadata_buffer [ Upstream commit cc102aa24638b90e04364d64e4f58a1fa91a1976 ] The new_bh is from alloc_buffer_head, we should call free_buffer_head to free it in error case. Signed-off-by: Kemeng Shi Reviewed-by: Zhang Yi Reviewed-by: Jan Kara Link: https://patch.msgid.link/20240514112438.1269037-2-shikemeng@huaweicloud.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin (cherry picked from commit 831db95409cc12589c14a71b9bf6c3e7f70bf5a0) Signed-off-by: Vegard Nossum --- fs/jbd2/journal.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c index ee114f0b625a..dcacd635e81d 100644 --- a/fs/jbd2/journal.c +++ b/fs/jbd2/journal.c @@ -434,6 +434,7 @@ repeat: tmp = jbd2_alloc(bh_in->b_size, GFP_NOFS); if (!tmp) { brelse(new_bh); + free_buffer_head(new_bh); return -ENOMEM; } jbd_lock_bh_state(bh_in); From 6062fd1ee48c6cb081cbc525e31fd43fa9632dbc Mon Sep 17 00:00:00 2001 From: Benjamin Coddington Date: Wed, 17 Jul 2024 10:49:33 -0400 Subject: [PATCH 129/173] SUNRPC: Fix a race to wake a sync task [ Upstream commit ed0172af5d6fc07d1b40ca82f5ca3979300369f7 ] We've observed NFS clients with sync tasks sleeping in __rpc_execute waiting on RPC_TASK_QUEUED that have not responded to a wake-up from rpc_make_runnable(). I suspect this problem usually goes unnoticed, because on a busy client the task will eventually be re-awoken by another task completion or xprt event. However, if the state manager is draining the slot table, a sync task missing a wake-up can result in a hung client. We've been able to prove that the waker in rpc_make_runnable() successfully calls wake_up_bit() (ie- there's no race to tk_runstate), but the wake_up_bit() call fails to wake the waiter. I suspect the waker is missing the load of the bit's wait_queue_head, so waitqueue_active() is false. There are some very helpful comments about this problem above wake_up_bit(), prepare_to_wait(), and waitqueue_active(). Fix this by inserting smp_mb__after_atomic() before the wake_up_bit(), which pairs with prepare_to_wait() calling set_current_state(). Signed-off-by: Benjamin Coddington Reviewed-by: Jeff Layton Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin (cherry picked from commit 06d281f0ad7504e9f250c6a9ef78d9e48cea5717) Signed-off-by: Vegard Nossum --- net/sunrpc/sched.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c index b368f5aabe29..47ebd4839d47 100644 --- a/net/sunrpc/sched.c +++ b/net/sunrpc/sched.c @@ -349,8 +349,10 @@ static void rpc_make_runnable(struct workqueue_struct *wq, if (RPC_IS_ASYNC(task)) { INIT_WORK(&task->u.tk_work, rpc_async_schedule); queue_work(wq, &task->u.tk_work); - } else + } else { + smp_mb__after_atomic(); wake_up_bit(&task->tk_runstate, RPC_TASK_QUEUED); + } } /* From fb37e57b6e2f8217b201737f10af809289674469 Mon Sep 17 00:00:00 2001 From: Kemeng Shi Date: Sat, 3 Jun 2023 23:03:11 +0800 Subject: [PATCH 130/173] ext4: fix wrong unit use in ext4_mb_find_by_goal [ Upstream commit 99c515e3a860576ba90c11acbc1d6488dfca6463 ] We need start in block unit while fe_start is in cluster unit. Use ext4_grp_offs_to_block helper to convert fe_start to get start in block unit. Signed-off-by: Kemeng Shi Reviewed-by: Ojaswin Mujoo Link: https://lore.kernel.org/r/20230603150327.3596033-4-shikemeng@huaweicloud.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin (cherry picked from commit 585b8d86c39882425f737b800e7552fb42a4785f) Signed-off-by: Vegard Nossum --- fs/ext4/mballoc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index 316d508473c9..cc15c995b4e9 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -1865,8 +1865,7 @@ int ext4_mb_find_by_goal(struct ext4_allocation_context *ac, if (max >= ac->ac_g_ex.fe_len && ac->ac_g_ex.fe_len == sbi->s_stripe) { ext4_fsblk_t start; - start = ext4_group_first_block_no(ac->ac_sb, e4b->bd_group) + - ex.fe_start; + start = ext4_grp_offs_to_block(ac->ac_sb, &ex); /* use do_div to get remainder (would be 64-bit modulo) */ if (do_div(start, sbi->s_stripe) == 0) { ac->ac_found++; From 7a346f1ce3ab37134f2365ab6a74422747285fdb Mon Sep 17 00:00:00 2001 From: Corey Minyard Date: Thu, 21 Nov 2019 10:10:51 +0100 Subject: [PATCH 131/173] i2c: smbus: Don't filter out duplicate alerts [ Upstream commit dca0dd28fa5e0a1ec41a623dbaf667601fc62331 ] Getting the same alert twice in a row is legal and normal, especially on a fast device (like running in qemu). Kind of like interrupts. So don't report duplicate alerts, and deliver them normally. [JD: Fixed subject] Signed-off-by: Corey Minyard Signed-off-by: Jean Delvare Reviewed-by: Benjamin Tissoires Signed-off-by: Wolfram Sang Stable-dep-of: f6c29f710c1f ("i2c: smbus: Send alert notifications to all devices if source not found") Signed-off-by: Sasha Levin (cherry picked from commit 6adca954fc039151ef4f9c1ea1f201e12a24593d) Signed-off-by: Vegard Nossum --- drivers/i2c/i2c-smbus.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/drivers/i2c/i2c-smbus.c b/drivers/i2c/i2c-smbus.c index f9271c713d20..42a0d08637fb 100644 --- a/drivers/i2c/i2c-smbus.c +++ b/drivers/i2c/i2c-smbus.c @@ -76,7 +76,6 @@ static void smbus_alert(struct work_struct *work) { struct i2c_smbus_alert *alert; struct i2c_client *ara; - unsigned short prev_addr = 0; /* Not a valid address */ alert = container_of(work, struct i2c_smbus_alert, alert); ara = alert->ara; @@ -101,18 +100,12 @@ static void smbus_alert(struct work_struct *work) data.addr = status >> 1; data.type = I2C_PROTOCOL_SMBUS_ALERT; - if (data.addr == prev_addr) { - dev_warn(&ara->dev, "Duplicate SMBALERT# from dev " - "0x%02x, skipping\n", data.addr); - break; - } dev_dbg(&ara->dev, "SMBALERT# from dev 0x%02x, flag %d\n", data.addr, data.data); /* Notify driver for the device which issued the alert */ device_for_each_child(&ara->adapter->dev, &data, smbus_do_alert); - prev_addr = data.addr; } /* We handled all alerts; re-enable level-triggered IRQs */ From c364d250ada36665ea06f204449d1162cb5e1432 Mon Sep 17 00:00:00 2001 From: Guenter Roeck Date: Mon, 10 Jan 2022 09:28:56 -0800 Subject: [PATCH 132/173] i2c: smbus: Improve handling of stuck alerts [ Upstream commit 37c526f00bc1c4f847fc800085f8f009d2e11be6 ] The following messages were observed while testing alert functionality on systems with multiple I2C devices on a single bus if alert was active on more than one chip. smbus_alert 3-000c: SMBALERT# from dev 0x0c, flag 0 smbus_alert 3-000c: no driver alert()! and: smbus_alert 3-000c: SMBALERT# from dev 0x28, flag 0 Once it starts, this message repeats forever at high rate. There is no device at any of the reported addresses. Analysis shows that this is seen if multiple devices have the alert pin active. Apparently some devices do not support SMBus arbitration correctly. They keep sending address bits after detecting an address collision and handle the collision not at all or too late. Specifically, address 0x0c is seen with ADT7461A at address 0x4c and ADM1021 at address 0x18 if alert is active on both chips. Address 0x28 is seen with ADT7483 at address 0x2a and ADT7461 at address 0x4c if alert is active on both chips. Once the system is in bad state (alert is set by more than one chip), it often only recovers by power cycling. To reduce the impact of this problem, abort the endless loop in smbus_alert() if the same address is read more than once and not handled by a driver. Fixes: b5527a7766f0 ("i2c: Add SMBus alert support") Signed-off-by: Guenter Roeck [wsa: it also fixed an interrupt storm in one of my experiments] Tested-by: Wolfram Sang [wsa: rebased, moved a comment as well, improved the 'invalid' value] Signed-off-by: Wolfram Sang Stable-dep-of: f6c29f710c1f ("i2c: smbus: Send alert notifications to all devices if source not found") Signed-off-by: Sasha Levin (cherry picked from commit 9540badee607a99cc07bddbd0a7d4a01fd3b9661) Signed-off-by: Vegard Nossum --- drivers/i2c/i2c-smbus.c | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/drivers/i2c/i2c-smbus.c b/drivers/i2c/i2c-smbus.c index 42a0d08637fb..bc6bde0f25f0 100644 --- a/drivers/i2c/i2c-smbus.c +++ b/drivers/i2c/i2c-smbus.c @@ -43,6 +43,7 @@ static int smbus_do_alert(struct device *dev, void *addrp) struct i2c_client *client = i2c_verify_client(dev); struct alert_data *data = addrp; struct i2c_driver *driver; + int ret; if (!client || client->addr != data->addr) return 0; @@ -56,16 +57,21 @@ static int smbus_do_alert(struct device *dev, void *addrp) device_lock(dev); if (client->dev.driver) { driver = to_i2c_driver(client->dev.driver); - if (driver->alert) + if (driver->alert) { + /* Stop iterating after we find the device */ driver->alert(client, data->type, data->data); - else + ret = -EBUSY; + } else { dev_warn(&client->dev, "no driver alert()!\n"); - } else + ret = -EOPNOTSUPP; + } + } else { dev_dbg(&client->dev, "alert with no driver\n"); + ret = -ENODEV; + } device_unlock(dev); - /* Stop iterating after we find the device */ - return -EBUSY; + return ret; } /* @@ -76,6 +82,7 @@ static void smbus_alert(struct work_struct *work) { struct i2c_smbus_alert *alert; struct i2c_client *ara; + unsigned short prev_addr = I2C_CLIENT_END; /* Not a valid address */ alert = container_of(work, struct i2c_smbus_alert, alert); ara = alert->ara; @@ -104,8 +111,19 @@ static void smbus_alert(struct work_struct *work) data.addr, data.data); /* Notify driver for the device which issued the alert */ - device_for_each_child(&ara->adapter->dev, &data, - smbus_do_alert); + status = device_for_each_child(&ara->adapter->dev, &data, + smbus_do_alert); + /* + * If we read the same address more than once, and the alert + * was not handled by a driver, it won't do any good to repeat + * the loop because it will never terminate. + * Bail out in this case. + * Note: This assumes that a driver with alert handler handles + * the alert properly and clears it if necessary. + */ + if (data.addr == prev_addr && status != -EBUSY) + break; + prev_addr = data.addr; } /* We handled all alerts; re-enable level-triggered IRQs */ From a0bb631d7d0a1773ebbb427ac8564ae8818b4dfe Mon Sep 17 00:00:00 2001 From: Guenter Roeck Date: Tue, 30 Jul 2024 07:19:41 -0700 Subject: [PATCH 133/173] i2c: smbus: Send alert notifications to all devices if source not found [ Upstream commit f6c29f710c1ff2590109f83be3e212b86c01e0f3 ] If a SMBus alert is received and the originating device is not found, the reason may be that the address reported on the SMBus alert address is corrupted, for example because multiple devices asserted alert and do not correctly implement SMBus arbitration. If this happens, call alert handlers on all devices connected to the given I2C bus, in the hope that this cleans up the situation. This change reliably fixed the problem on a system with multiple devices on a single bus. Example log where the device on address 0x18 (ADM1021) and on address 0x4c (ADT7461A) both had the alert line asserted: smbus_alert 3-000c: SMBALERT# from dev 0x0c, flag 0 smbus_alert 3-000c: no driver alert()! smbus_alert 3-000c: SMBALERT# from dev 0x0c, flag 0 smbus_alert 3-000c: no driver alert()! lm90 3-0018: temp1 out of range, please check! lm90 3-0018: Disabling ALERT# lm90 3-0029: Everything OK lm90 3-002a: Everything OK lm90 3-004c: temp1 out of range, please check! lm90 3-004c: temp2 out of range, please check! lm90 3-004c: Disabling ALERT# Fixes: b5527a7766f0 ("i2c: Add SMBus alert support") Signed-off-by: Guenter Roeck [wsa: fixed a typo in the commit message] Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin (cherry picked from commit 3b20631d0704fe4f6bf4cf9a49fd19871ebaeffb) Signed-off-by: Vegard Nossum --- drivers/i2c/i2c-smbus.c | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/drivers/i2c/i2c-smbus.c b/drivers/i2c/i2c-smbus.c index bc6bde0f25f0..2f55fb417eba 100644 --- a/drivers/i2c/i2c-smbus.c +++ b/drivers/i2c/i2c-smbus.c @@ -74,6 +74,32 @@ static int smbus_do_alert(struct device *dev, void *addrp) return ret; } +/* Same as above, but call back all drivers with alert handler */ + +static int smbus_do_alert_force(struct device *dev, void *addrp) +{ + struct i2c_client *client = i2c_verify_client(dev); + struct alert_data *data = addrp; + struct i2c_driver *driver; + + if (!client || (client->flags & I2C_CLIENT_TEN)) + return 0; + + /* + * Drivers should either disable alerts, or provide at least + * a minimal handler. Lock so the driver won't change. + */ + device_lock(dev); + if (client->dev.driver) { + driver = to_i2c_driver(client->dev.driver); + if (driver->alert) + driver->alert(client, data->type, data->data); + } + device_unlock(dev); + + return 0; +} + /* * The alert IRQ handler needs to hand work off to a task which can issue * SMBus calls, because those sleeping calls can't be made in IRQ context. @@ -116,13 +142,19 @@ static void smbus_alert(struct work_struct *work) /* * If we read the same address more than once, and the alert * was not handled by a driver, it won't do any good to repeat - * the loop because it will never terminate. - * Bail out in this case. + * the loop because it will never terminate. Try again, this + * time calling the alert handlers of all devices connected to + * the bus, and abort the loop afterwards. If this helps, we + * are all set. If it doesn't, there is nothing else we can do, + * so we might as well abort the loop. * Note: This assumes that a driver with alert handler handles * the alert properly and clears it if necessary. */ - if (data.addr == prev_addr && status != -EBUSY) + if (data.addr == prev_addr && status != -EBUSY) { + device_for_each_child(&ara->adapter->dev, &data, + smbus_do_alert_force); break; + } prev_addr = data.addr; } From 5ec8022d2f6ecf35ce105eafaf28b73c46619207 Mon Sep 17 00:00:00 2001 From: Fabio Estevam Date: Wed, 2 May 2018 16:18:29 -0300 Subject: [PATCH 134/173] spi: lpspi: Switch to SPDX identifier Adopt the SPDX license identifier headers to ease license compliance management. Signed-off-by: Fabio Estevam Signed-off-by: Mark Brown (cherry picked from commit 6126fd836586609d6292bb5bc50b2c0a3a7eec89) Signed-off-by: Vegard Nossum --- drivers/spi/spi-fsl-lpspi.c | 21 +++++---------------- 1 file changed, 5 insertions(+), 16 deletions(-) diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c index 8fe51f7541bb..51670976faa3 100644 --- a/drivers/spi/spi-fsl-lpspi.c +++ b/drivers/spi/spi-fsl-lpspi.c @@ -1,19 +1,8 @@ -/* - * Freescale i.MX7ULP LPSPI driver - * - * Copyright 2016 Freescale Semiconductor, Inc. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - */ +// SPDX-License-Identifier: GPL-2.0+ +// +// Freescale i.MX7ULP LPSPI driver +// +// Copyright 2016 Freescale Semiconductor, Inc. #include #include From 0ef61696a9fff3915fb5aa6f7bb9f89682d10ad9 Mon Sep 17 00:00:00 2001 From: Clark Wang Date: Fri, 7 Dec 2018 02:50:34 +0000 Subject: [PATCH 135/173] spi: lpspi: Replace all "master" with "controller" [ Upstream commit 07d71557494c05b0651def1651bf6d7e7f47bbbb ] In order to enable the slave mode and make the code more readable, replace all related structure names and object names which is named "master" with "controller". Signed-off-by: Clark Wang Signed-off-by: Mark Brown Stable-dep-of: 730bbfaf7d48 ("spi: spi-fsl-lpspi: Fix scldiv calculation") Signed-off-by: Sasha Levin (cherry picked from commit bebc69b574d6a3c54e8951dd891e78a20e2a3f54) Signed-off-by: Vegard Nossum --- drivers/spi/spi-fsl-lpspi.c | 84 ++++++++++++++++++++----------------- 1 file changed, 46 insertions(+), 38 deletions(-) diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c index 51670976faa3..725d6ac5f814 100644 --- a/drivers/spi/spi-fsl-lpspi.c +++ b/drivers/spi/spi-fsl-lpspi.c @@ -3,6 +3,7 @@ // Freescale i.MX7ULP LPSPI driver // // Copyright 2016 Freescale Semiconductor, Inc. +// Copyright 2018 NXP Semiconductors #include #include @@ -137,16 +138,18 @@ static void fsl_lpspi_intctrl(struct fsl_lpspi_data *fsl_lpspi, writel(enable, fsl_lpspi->base + IMX7ULP_IER); } -static int lpspi_prepare_xfer_hardware(struct spi_master *master) +static int lpspi_prepare_xfer_hardware(struct spi_controller *controller) { - struct fsl_lpspi_data *fsl_lpspi = spi_master_get_devdata(master); + struct fsl_lpspi_data *fsl_lpspi = + spi_controller_get_devdata(controller); return clk_prepare_enable(fsl_lpspi->clk); } -static int lpspi_unprepare_xfer_hardware(struct spi_master *master) +static int lpspi_unprepare_xfer_hardware(struct spi_controller *controller) { - struct fsl_lpspi_data *fsl_lpspi = spi_master_get_devdata(master); + struct fsl_lpspi_data *fsl_lpspi = + spi_controller_get_devdata(controller); clk_disable_unprepare(fsl_lpspi->clk); @@ -291,7 +294,8 @@ static int fsl_lpspi_config(struct fsl_lpspi_data *fsl_lpspi) static void fsl_lpspi_setup_transfer(struct spi_device *spi, struct spi_transfer *t) { - struct fsl_lpspi_data *fsl_lpspi = spi_master_get_devdata(spi->master); + struct fsl_lpspi_data *fsl_lpspi = + spi_controller_get_devdata(spi->controller); fsl_lpspi->config.mode = spi->mode; fsl_lpspi->config.bpw = t ? t->bits_per_word : spi->bits_per_word; @@ -318,11 +322,12 @@ static void fsl_lpspi_setup_transfer(struct spi_device *spi, fsl_lpspi_config(fsl_lpspi); } -static int fsl_lpspi_transfer_one(struct spi_master *master, +static int fsl_lpspi_transfer_one(struct spi_controller *controller, struct spi_device *spi, struct spi_transfer *t) { - struct fsl_lpspi_data *fsl_lpspi = spi_master_get_devdata(master); + struct fsl_lpspi_data *fsl_lpspi = + spi_controller_get_devdata(controller); int ret; fsl_lpspi->tx_buf = t->tx_buf; @@ -347,10 +352,11 @@ static int fsl_lpspi_transfer_one(struct spi_master *master, return 0; } -static int fsl_lpspi_transfer_one_msg(struct spi_master *master, +static int fsl_lpspi_transfer_one_msg(struct spi_controller *controller, struct spi_message *msg) { - struct fsl_lpspi_data *fsl_lpspi = spi_master_get_devdata(master); + struct fsl_lpspi_data *fsl_lpspi = + spi_controller_get_devdata(controller); struct spi_device *spi = msg->spi; struct spi_transfer *xfer; bool is_first_xfer = true; @@ -366,7 +372,7 @@ static int fsl_lpspi_transfer_one_msg(struct spi_master *master, is_first_xfer = false; - ret = fsl_lpspi_transfer_one(master, spi, xfer); + ret = fsl_lpspi_transfer_one(controller, spi, xfer); if (ret < 0) goto complete; @@ -380,7 +386,7 @@ complete: writel(temp, fsl_lpspi->base + IMX7ULP_TCR); msg->status = ret; - spi_finalize_current_message(master); + spi_finalize_current_message(controller); return ret; } @@ -410,30 +416,31 @@ static irqreturn_t fsl_lpspi_isr(int irq, void *dev_id) static int fsl_lpspi_probe(struct platform_device *pdev) { struct fsl_lpspi_data *fsl_lpspi; - struct spi_master *master; + struct spi_controller *controller; struct resource *res; int ret, irq; u32 temp; - master = spi_alloc_master(&pdev->dev, sizeof(struct fsl_lpspi_data)); - if (!master) + controller = spi_alloc_master(&pdev->dev, + sizeof(struct fsl_lpspi_data)); + if (!controller) return -ENOMEM; - platform_set_drvdata(pdev, master); + platform_set_drvdata(pdev, controller); - master->bits_per_word_mask = SPI_BPW_RANGE_MASK(8, 32); - master->bus_num = pdev->id; + controller->bits_per_word_mask = SPI_BPW_RANGE_MASK(8, 32); + controller->bus_num = pdev->id; - fsl_lpspi = spi_master_get_devdata(master); + fsl_lpspi = spi_controller_get_devdata(controller); fsl_lpspi->dev = &pdev->dev; - master->transfer_one_message = fsl_lpspi_transfer_one_msg; - master->prepare_transfer_hardware = lpspi_prepare_xfer_hardware; - master->unprepare_transfer_hardware = lpspi_unprepare_xfer_hardware; - master->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH; - master->flags = SPI_MASTER_MUST_RX | SPI_MASTER_MUST_TX; - master->dev.of_node = pdev->dev.of_node; - master->bus_num = pdev->id; + controller->transfer_one_message = fsl_lpspi_transfer_one_msg; + controller->prepare_transfer_hardware = lpspi_prepare_xfer_hardware; + controller->unprepare_transfer_hardware = lpspi_unprepare_xfer_hardware; + controller->mode_bits = SPI_CPOL | SPI_CPHA | SPI_CS_HIGH; + controller->flags = SPI_MASTER_MUST_RX | SPI_MASTER_MUST_TX; + controller->dev.of_node = pdev->dev.of_node; + controller->bus_num = pdev->id; init_completion(&fsl_lpspi->xfer_done); @@ -441,32 +448,32 @@ static int fsl_lpspi_probe(struct platform_device *pdev) fsl_lpspi->base = devm_ioremap_resource(&pdev->dev, res); if (IS_ERR(fsl_lpspi->base)) { ret = PTR_ERR(fsl_lpspi->base); - goto out_master_put; + goto out_controller_put; } irq = platform_get_irq(pdev, 0); if (irq < 0) { ret = irq; - goto out_master_put; + goto out_controller_put; } ret = devm_request_irq(&pdev->dev, irq, fsl_lpspi_isr, 0, dev_name(&pdev->dev), fsl_lpspi); if (ret) { dev_err(&pdev->dev, "can't get irq%d: %d\n", irq, ret); - goto out_master_put; + goto out_controller_put; } fsl_lpspi->clk = devm_clk_get(&pdev->dev, "ipg"); if (IS_ERR(fsl_lpspi->clk)) { ret = PTR_ERR(fsl_lpspi->clk); - goto out_master_put; + goto out_controller_put; } ret = clk_prepare_enable(fsl_lpspi->clk); if (ret) { dev_err(&pdev->dev, "can't enable lpspi clock, ret=%d\n", ret); - goto out_master_put; + goto out_controller_put; } temp = readl(fsl_lpspi->base + IMX7ULP_PARAM); @@ -475,24 +482,25 @@ static int fsl_lpspi_probe(struct platform_device *pdev) clk_disable_unprepare(fsl_lpspi->clk); - ret = devm_spi_register_master(&pdev->dev, master); + ret = devm_spi_register_controller(&pdev->dev, controller); if (ret < 0) { - dev_err(&pdev->dev, "spi_register_master error.\n"); - goto out_master_put; + dev_err(&pdev->dev, "spi_register_controller error.\n"); + goto out_controller_put; } return 0; -out_master_put: - spi_master_put(master); +out_controller_put: + spi_controller_put(controller); return ret; } static int fsl_lpspi_remove(struct platform_device *pdev) { - struct spi_master *master = platform_get_drvdata(pdev); - struct fsl_lpspi_data *fsl_lpspi = spi_master_get_devdata(master); + struct spi_controller *controller = platform_get_drvdata(pdev); + struct fsl_lpspi_data *fsl_lpspi = + spi_controller_get_devdata(controller); clk_disable_unprepare(fsl_lpspi->clk); @@ -509,6 +517,6 @@ static struct platform_driver fsl_lpspi_driver = { }; module_platform_driver(fsl_lpspi_driver); -MODULE_DESCRIPTION("LPSPI Master Controller driver"); +MODULE_DESCRIPTION("LPSPI Controller driver"); MODULE_AUTHOR("Gao Pan "); MODULE_LICENSE("GPL"); From 12bfab716ae4cd47449d7636a25326099daa10a9 Mon Sep 17 00:00:00 2001 From: Clark Wang Date: Fri, 7 Dec 2018 02:50:36 +0000 Subject: [PATCH 136/173] spi: lpspi: Add slave mode support [ Upstream commit bcd87317aae26b9ac497cbc1232783aaea1aeed4 ] Add slave mode support to the fsl-lpspi driver, only in PIO mode. For now, there are some limitations for slave mode transmission: 1. The stale data in RXFIFO will be dropped when the Slave does any new transfer. 2. One transfer can be finished only after all transfer->len data been transferred to master device 3. Slave device only accepts transfer->len data. Any data longer than this from master device will be dropped. Any data shorter than this from master will cause LPSPI to stuck due to mentioned limitation 2. 4. Only PIO transfer is supported in Slave Mode. Wire connection: GND, SCK, MISO(to MISO of slave), MOSI(to MOSI of slave), SCS Signed-off-by: Clark Wang Signed-off-by: Mark Brown Stable-dep-of: 730bbfaf7d48 ("spi: spi-fsl-lpspi: Fix scldiv calculation") Signed-off-by: Sasha Levin (cherry picked from commit b1b5a04eadd9b786dcd4bc82e726498a8f6fd50a) Signed-off-by: Vegard Nossum --- drivers/spi/spi-fsl-lpspi.c | 105 ++++++++++++++++++++++++++---------- 1 file changed, 78 insertions(+), 27 deletions(-) diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c index 725d6ac5f814..cbf165e7bd17 100644 --- a/drivers/spi/spi-fsl-lpspi.c +++ b/drivers/spi/spi-fsl-lpspi.c @@ -55,6 +55,7 @@ #define IER_RDIE BIT(1) #define IER_TDIE BIT(0) #define CFGR1_PCSCFG BIT(27) +#define CFGR1_PINCFG (BIT(24)|BIT(25)) #define CFGR1_PCSPOL BIT(8) #define CFGR1_NOSTALL BIT(3) #define CFGR1_MASTER BIT(0) @@ -80,6 +81,7 @@ struct fsl_lpspi_data { struct device *dev; void __iomem *base; struct clk *clk; + bool is_slave; void *rx_buf; const void *tx_buf; @@ -92,6 +94,8 @@ struct fsl_lpspi_data { struct lpspi_config config; struct completion xfer_done; + + bool slave_aborted; }; static const struct of_device_id fsl_lpspi_dt_ids[] = { @@ -206,21 +210,22 @@ static void fsl_lpspi_set_cmd(struct fsl_lpspi_data *fsl_lpspi, u32 temp = 0; temp |= fsl_lpspi->config.bpw - 1; - temp |= fsl_lpspi->config.prescale << 27; temp |= (fsl_lpspi->config.mode & 0x3) << 30; - temp |= (fsl_lpspi->config.chip_select & 0x3) << 24; - - /* - * Set TCR_CONT will keep SS asserted after current transfer. - * For the first transfer, clear TCR_CONTC to assert SS. - * For subsequent transfer, set TCR_CONTC to keep SS asserted. - */ - temp |= TCR_CONT; - if (is_first_xfer) - temp &= ~TCR_CONTC; - else - temp |= TCR_CONTC; + if (!fsl_lpspi->is_slave) { + temp |= fsl_lpspi->config.prescale << 27; + temp |= (fsl_lpspi->config.chip_select & 0x3) << 24; + /* + * Set TCR_CONT will keep SS asserted after current transfer. + * For the first transfer, clear TCR_CONTC to assert SS. + * For subsequent transfer, set TCR_CONTC to keep SS asserted. + */ + temp |= TCR_CONT; + if (is_first_xfer) + temp &= ~TCR_CONTC; + else + temp |= TCR_CONTC; + } writel(temp, fsl_lpspi->base + IMX7ULP_TCR); dev_dbg(fsl_lpspi->dev, "TCR=0x%x\n", temp); @@ -273,13 +278,18 @@ static int fsl_lpspi_config(struct fsl_lpspi_data *fsl_lpspi) writel(temp, fsl_lpspi->base + IMX7ULP_CR); writel(0, fsl_lpspi->base + IMX7ULP_CR); - ret = fsl_lpspi_set_bitrate(fsl_lpspi); - if (ret) - return ret; + if (!fsl_lpspi->is_slave) { + ret = fsl_lpspi_set_bitrate(fsl_lpspi); + if (ret) + return ret; + } fsl_lpspi_set_watermark(fsl_lpspi); - temp = CFGR1_PCSCFG | CFGR1_MASTER; + if (!fsl_lpspi->is_slave) + temp = CFGR1_MASTER; + else + temp = CFGR1_PINCFG; if (fsl_lpspi->config.mode & SPI_CS_HIGH) temp |= CFGR1_PCSPOL; writel(temp, fsl_lpspi->base + IMX7ULP_CFGR1); @@ -322,6 +332,37 @@ static void fsl_lpspi_setup_transfer(struct spi_device *spi, fsl_lpspi_config(fsl_lpspi); } +static int fsl_lpspi_slave_abort(struct spi_controller *controller) +{ + struct fsl_lpspi_data *fsl_lpspi = + spi_controller_get_devdata(controller); + + fsl_lpspi->slave_aborted = true; + complete(&fsl_lpspi->xfer_done); + return 0; +} + +static int fsl_lpspi_wait_for_completion(struct spi_controller *controller) +{ + struct fsl_lpspi_data *fsl_lpspi = + spi_controller_get_devdata(controller); + + if (fsl_lpspi->is_slave) { + if (wait_for_completion_interruptible(&fsl_lpspi->xfer_done) || + fsl_lpspi->slave_aborted) { + dev_dbg(fsl_lpspi->dev, "interrupted\n"); + return -EINTR; + } + } else { + if (!wait_for_completion_timeout(&fsl_lpspi->xfer_done, HZ)) { + dev_dbg(fsl_lpspi->dev, "wait for completion timeout\n"); + return -ETIMEDOUT; + } + } + + return 0; +} + static int fsl_lpspi_transfer_one(struct spi_controller *controller, struct spi_device *spi, struct spi_transfer *t) @@ -335,13 +376,13 @@ static int fsl_lpspi_transfer_one(struct spi_controller *controller, fsl_lpspi->remain = t->len; reinit_completion(&fsl_lpspi->xfer_done); + fsl_lpspi->slave_aborted = false; + fsl_lpspi_write_tx_fifo(fsl_lpspi); - ret = wait_for_completion_timeout(&fsl_lpspi->xfer_done, HZ); - if (!ret) { - dev_dbg(fsl_lpspi->dev, "wait for completion timeout\n"); - return -ETIMEDOUT; - } + ret = fsl_lpspi_wait_for_completion(controller); + if (ret) + return ret; ret = fsl_lpspi_txfifo_empty(fsl_lpspi); if (ret) @@ -380,10 +421,12 @@ static int fsl_lpspi_transfer_one_msg(struct spi_controller *controller, } complete: - /* de-assert SS, then finalize current message */ - temp = readl(fsl_lpspi->base + IMX7ULP_TCR); - temp &= ~TCR_CONTC; - writel(temp, fsl_lpspi->base + IMX7ULP_TCR); + if (!fsl_lpspi->is_slave) { + /* de-assert SS, then finalize current message */ + temp = readl(fsl_lpspi->base + IMX7ULP_TCR); + temp &= ~TCR_CONTC; + writel(temp, fsl_lpspi->base + IMX7ULP_TCR); + } msg->status = ret; spi_finalize_current_message(controller); @@ -421,8 +464,13 @@ static int fsl_lpspi_probe(struct platform_device *pdev) int ret, irq; u32 temp; - controller = spi_alloc_master(&pdev->dev, + if (of_property_read_bool((&pdev->dev)->of_node, "spi-slave")) + controller = spi_alloc_slave(&pdev->dev, sizeof(struct fsl_lpspi_data)); + else + controller = spi_alloc_master(&pdev->dev, + sizeof(struct fsl_lpspi_data)); + if (!controller) return -ENOMEM; @@ -433,6 +481,8 @@ static int fsl_lpspi_probe(struct platform_device *pdev) fsl_lpspi = spi_controller_get_devdata(controller); fsl_lpspi->dev = &pdev->dev; + fsl_lpspi->is_slave = of_property_read_bool((&pdev->dev)->of_node, + "spi-slave"); controller->transfer_one_message = fsl_lpspi_transfer_one_msg; controller->prepare_transfer_hardware = lpspi_prepare_xfer_hardware; @@ -441,6 +491,7 @@ static int fsl_lpspi_probe(struct platform_device *pdev) controller->flags = SPI_MASTER_MUST_RX | SPI_MASTER_MUST_TX; controller->dev.of_node = pdev->dev.of_node; controller->bus_num = pdev->id; + controller->slave_abort = fsl_lpspi_slave_abort; init_completion(&fsl_lpspi->xfer_done); From 6a6c19da1d3917fc8c51d2fd69b667a5e7b192ec Mon Sep 17 00:00:00 2001 From: Clark Wang Date: Fri, 7 Dec 2018 02:50:38 +0000 Subject: [PATCH 137/173] spi: lpspi: Let watermark change with send data length [ Upstream commit cf86874bb9bdb99ba3620428b59b0408fbc703d0 ] Configure watermark to change with the length of the sent data. Support LPSPI sending message shorter than tx/rxfifosize. Signed-off-by: Clark Wang Signed-off-by: Mark Brown Stable-dep-of: 730bbfaf7d48 ("spi: spi-fsl-lpspi: Fix scldiv calculation") Signed-off-by: Sasha Levin (cherry picked from commit 8f8b12339ef7cc8e15989f6445aad5a9bf8c00f5) Signed-off-by: Vegard Nossum --- drivers/spi/spi-fsl-lpspi.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c index cbf165e7bd17..08dcc3c22e88 100644 --- a/drivers/spi/spi-fsl-lpspi.c +++ b/drivers/spi/spi-fsl-lpspi.c @@ -89,6 +89,7 @@ struct fsl_lpspi_data { void (*rx)(struct fsl_lpspi_data *); u32 remain; + u8 watermark; u8 txfifosize; u8 rxfifosize; @@ -235,7 +236,7 @@ static void fsl_lpspi_set_watermark(struct fsl_lpspi_data *fsl_lpspi) { u32 temp; - temp = fsl_lpspi->txfifosize >> 1 | (fsl_lpspi->rxfifosize >> 1) << 16; + temp = fsl_lpspi->watermark >> 1 | (fsl_lpspi->watermark >> 1) << 16; writel(temp, fsl_lpspi->base + IMX7ULP_FCR); @@ -261,7 +262,8 @@ static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi) if (prescale == 8 && scldiv >= 256) return -EINVAL; - writel(scldiv, fsl_lpspi->base + IMX7ULP_CCR); + writel(scldiv | (scldiv << 8) | ((scldiv >> 1) << 16), + fsl_lpspi->base + IMX7ULP_CCR); dev_dbg(fsl_lpspi->dev, "perclk=%d, speed=%d, prescale =%d, scldiv=%d\n", perclk_rate, config.speed_hz, prescale, scldiv); @@ -329,6 +331,11 @@ static void fsl_lpspi_setup_transfer(struct spi_device *spi, fsl_lpspi->tx = fsl_lpspi_buf_tx_u32; } + if (t->len <= fsl_lpspi->txfifosize) + fsl_lpspi->watermark = t->len; + else + fsl_lpspi->watermark = fsl_lpspi->txfifosize; + fsl_lpspi_config(fsl_lpspi); } From dc2d2de15c66a8e41275b4d59e6082955e477991 Mon Sep 17 00:00:00 2001 From: Clark Wang Date: Wed, 6 Mar 2019 06:30:34 +0000 Subject: [PATCH 138/173] spi: lpspi: Add i.MX8 boards support for lpspi [ Upstream commit f5e5afdb0e56e81123e02b6a64dd32adc19a90d4 ] Add both ipg and per clock for lpspi to support i.MX8QM/QXP boards. Signed-off-by: Clark Wang Signed-off-by: Mark Brown Stable-dep-of: 730bbfaf7d48 ("spi: spi-fsl-lpspi: Fix scldiv calculation") Signed-off-by: Sasha Levin (cherry picked from commit 0b536d6c52a88b6a5a7f40d1ac91ffe170b8df87) Signed-off-by: Vegard Nossum --- drivers/spi/spi-fsl-lpspi.c | 52 +++++++++++++++++++++++++++++-------- 1 file changed, 41 insertions(+), 11 deletions(-) diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c index 08dcc3c22e88..5802f188051b 100644 --- a/drivers/spi/spi-fsl-lpspi.c +++ b/drivers/spi/spi-fsl-lpspi.c @@ -80,7 +80,8 @@ struct lpspi_config { struct fsl_lpspi_data { struct device *dev; void __iomem *base; - struct clk *clk; + struct clk *clk_ipg; + struct clk *clk_per; bool is_slave; void *rx_buf; @@ -147,8 +148,19 @@ static int lpspi_prepare_xfer_hardware(struct spi_controller *controller) { struct fsl_lpspi_data *fsl_lpspi = spi_controller_get_devdata(controller); + int ret; - return clk_prepare_enable(fsl_lpspi->clk); + ret = clk_prepare_enable(fsl_lpspi->clk_ipg); + if (ret) + return ret; + + ret = clk_prepare_enable(fsl_lpspi->clk_per); + if (ret) { + clk_disable_unprepare(fsl_lpspi->clk_ipg); + return ret; + } + + return 0; } static int lpspi_unprepare_xfer_hardware(struct spi_controller *controller) @@ -156,7 +168,8 @@ static int lpspi_unprepare_xfer_hardware(struct spi_controller *controller) struct fsl_lpspi_data *fsl_lpspi = spi_controller_get_devdata(controller); - clk_disable_unprepare(fsl_lpspi->clk); + clk_disable_unprepare(fsl_lpspi->clk_ipg); + clk_disable_unprepare(fsl_lpspi->clk_per); return 0; } @@ -249,7 +262,7 @@ static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi) unsigned int perclk_rate, scldiv; u8 prescale; - perclk_rate = clk_get_rate(fsl_lpspi->clk); + perclk_rate = clk_get_rate(fsl_lpspi->clk_per); for (prescale = 0; prescale < 8; prescale++) { scldiv = perclk_rate / (clkdivs[prescale] * config.speed_hz) - 2; @@ -522,15 +535,30 @@ static int fsl_lpspi_probe(struct platform_device *pdev) goto out_controller_put; } - fsl_lpspi->clk = devm_clk_get(&pdev->dev, "ipg"); - if (IS_ERR(fsl_lpspi->clk)) { - ret = PTR_ERR(fsl_lpspi->clk); + fsl_lpspi->clk_per = devm_clk_get(&pdev->dev, "per"); + if (IS_ERR(fsl_lpspi->clk_per)) { + ret = PTR_ERR(fsl_lpspi->clk_per); goto out_controller_put; } - ret = clk_prepare_enable(fsl_lpspi->clk); + fsl_lpspi->clk_ipg = devm_clk_get(&pdev->dev, "ipg"); + if (IS_ERR(fsl_lpspi->clk_ipg)) { + ret = PTR_ERR(fsl_lpspi->clk_ipg); + goto out_controller_put; + } + + ret = clk_prepare_enable(fsl_lpspi->clk_ipg); if (ret) { - dev_err(&pdev->dev, "can't enable lpspi clock, ret=%d\n", ret); + dev_err(&pdev->dev, + "can't enable lpspi ipg clock, ret=%d\n", ret); + goto out_controller_put; + } + + ret = clk_prepare_enable(fsl_lpspi->clk_per); + if (ret) { + dev_err(&pdev->dev, + "can't enable lpspi per clock, ret=%d\n", ret); + clk_disable_unprepare(fsl_lpspi->clk_ipg); goto out_controller_put; } @@ -538,7 +566,8 @@ static int fsl_lpspi_probe(struct platform_device *pdev) fsl_lpspi->txfifosize = 1 << (temp & 0x0f); fsl_lpspi->rxfifosize = 1 << ((temp >> 8) & 0x0f); - clk_disable_unprepare(fsl_lpspi->clk); + clk_disable_unprepare(fsl_lpspi->clk_per); + clk_disable_unprepare(fsl_lpspi->clk_ipg); ret = devm_spi_register_controller(&pdev->dev, controller); if (ret < 0) { @@ -560,7 +589,8 @@ static int fsl_lpspi_remove(struct platform_device *pdev) struct fsl_lpspi_data *fsl_lpspi = spi_controller_get_devdata(controller); - clk_disable_unprepare(fsl_lpspi->clk); + clk_disable_unprepare(fsl_lpspi->clk_per); + clk_disable_unprepare(fsl_lpspi->clk_ipg); return 0; } From 030b58b3539d0fdccf6284113c29f60c76b60916 Mon Sep 17 00:00:00 2001 From: Clark Wang Date: Wed, 6 Mar 2019 06:30:41 +0000 Subject: [PATCH 139/173] spi: lpspi: add the error info of transfer speed setting [ Upstream commit 77736a98b859e2c64aebbd0f90b2ce4b17682396 ] Add a error info when set a speed which greater than half of per-clk of spi module. The minimum SCK period is 2 cycles(CCR[SCKDIV]). So the maximum transfer speed is half of spi per-clk. Signed-off-by: Clark Wang Signed-off-by: Mark Brown Stable-dep-of: 730bbfaf7d48 ("spi: spi-fsl-lpspi: Fix scldiv calculation") Signed-off-by: Sasha Levin (cherry picked from commit 3bb46e26783c3c86e67172f695908a066be69e12) Signed-off-by: Vegard Nossum --- drivers/spi/spi-fsl-lpspi.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c index 5802f188051b..8e1f6ee0a799 100644 --- a/drivers/spi/spi-fsl-lpspi.c +++ b/drivers/spi/spi-fsl-lpspi.c @@ -263,6 +263,13 @@ static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi) u8 prescale; perclk_rate = clk_get_rate(fsl_lpspi->clk_per); + + if (config.speed_hz > perclk_rate / 2) { + dev_err(fsl_lpspi->dev, + "per-clk should be at least two times of transfer speed"); + return -EINVAL; + } + for (prescale = 0; prescale < 8; prescale++) { scldiv = perclk_rate / (clkdivs[prescale] * config.speed_hz) - 2; @@ -316,7 +323,7 @@ static int fsl_lpspi_config(struct fsl_lpspi_data *fsl_lpspi) return 0; } -static void fsl_lpspi_setup_transfer(struct spi_device *spi, +static int fsl_lpspi_setup_transfer(struct spi_device *spi, struct spi_transfer *t) { struct fsl_lpspi_data *fsl_lpspi = @@ -349,7 +356,7 @@ static void fsl_lpspi_setup_transfer(struct spi_device *spi, else fsl_lpspi->watermark = fsl_lpspi->txfifosize; - fsl_lpspi_config(fsl_lpspi); + return fsl_lpspi_config(fsl_lpspi); } static int fsl_lpspi_slave_abort(struct spi_controller *controller) @@ -428,7 +435,10 @@ static int fsl_lpspi_transfer_one_msg(struct spi_controller *controller, msg->actual_length = 0; list_for_each_entry(xfer, &msg->transfers, transfer_list) { - fsl_lpspi_setup_transfer(spi, xfer); + ret = fsl_lpspi_setup_transfer(spi, xfer); + if (ret < 0) + goto complete; + fsl_lpspi_set_cmd(fsl_lpspi, is_first_xfer); is_first_xfer = false; From d859e0255cb169a2d7aa96b42defafd7c515df0c Mon Sep 17 00:00:00 2001 From: Oleksandr Suvorov Date: Thu, 20 Feb 2020 14:11:48 +0000 Subject: [PATCH 140/173] spi: fsl-lpspi: remove unneeded array [ Upstream commit 2fa98705a9289c758b6154a22174aa8d4041a285 ] - replace the array with the shift operation - remove the extra comparing operation. Signed-off-by: Oleksandr Suvorov Link: https://lore.kernel.org/r/20200220141143.3902922-2-oleksandr.suvorov@toradex.com Signed-off-by: Mark Brown Stable-dep-of: 730bbfaf7d48 ("spi: spi-fsl-lpspi: Fix scldiv calculation") Signed-off-by: Sasha Levin (cherry picked from commit da6cc32c245500f417e4b96d67722b8a0a07fd94) Signed-off-by: Vegard Nossum --- drivers/spi/spi-fsl-lpspi.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c index 8e1f6ee0a799..21c8866ebbd1 100644 --- a/drivers/spi/spi-fsl-lpspi.c +++ b/drivers/spi/spi-fsl-lpspi.c @@ -67,8 +67,6 @@ #define TCR_RXMSK BIT(19) #define TCR_TXMSK BIT(18) -static int clkdivs[] = {1, 2, 4, 8, 16, 32, 64, 128}; - struct lpspi_config { u8 bpw; u8 chip_select; @@ -271,15 +269,14 @@ static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi) } for (prescale = 0; prescale < 8; prescale++) { - scldiv = perclk_rate / - (clkdivs[prescale] * config.speed_hz) - 2; + scldiv = perclk_rate / config.speed_hz / (1 << prescale) - 2; if (scldiv < 256) { fsl_lpspi->config.prescale = prescale; break; } } - if (prescale == 8 && scldiv >= 256) + if (scldiv >= 256) return -EINVAL; writel(scldiv | (scldiv << 8) | ((scldiv >> 1) << 16), From dcde078eb1be234c810305963c845eaa63f20813 Mon Sep 17 00:00:00 2001 From: Stefan Wahren Date: Sun, 4 Aug 2024 13:36:11 +0200 Subject: [PATCH 141/173] spi: spi-fsl-lpspi: Fix scldiv calculation [ Upstream commit 730bbfaf7d4890bd99e637db7767dc68cfeb24e7 ] The effective SPI clock frequency should never exceed speed_hz otherwise this might result in undefined behavior of the SPI device. Currently the scldiv calculation could violate this constraint. For the example parameters perclk_rate = 24 MHz and speed_hz = 7 MHz, the function fsl_lpspi_set_bitrate will determine perscale = 0 and scldiv = 1, which is a effective SPI clock of 8 MHz. So fix this by rounding up the quotient of perclk_rate and speed_hz. While this never change within the loop, we can pull this out. Fixes: 5314987de5e5 ("spi: imx: add lpspi bus driver") Signed-off-by: Stefan Wahren Link: https://patch.msgid.link/20240804113611.83613-1-wahrenst@gmx.net Signed-off-by: Mark Brown Signed-off-by: Sasha Levin (cherry picked from commit 81964823116357a636201afa4010fa30f050446e) Signed-off-by: Vegard Nossum --- drivers/spi/spi-fsl-lpspi.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi-fsl-lpspi.c b/drivers/spi/spi-fsl-lpspi.c index 21c8866ebbd1..695034e076c5 100644 --- a/drivers/spi/spi-fsl-lpspi.c +++ b/drivers/spi/spi-fsl-lpspi.c @@ -257,7 +257,7 @@ static void fsl_lpspi_set_watermark(struct fsl_lpspi_data *fsl_lpspi) static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi) { struct lpspi_config config = fsl_lpspi->config; - unsigned int perclk_rate, scldiv; + unsigned int perclk_rate, scldiv, div; u8 prescale; perclk_rate = clk_get_rate(fsl_lpspi->clk_per); @@ -268,8 +268,10 @@ static int fsl_lpspi_set_bitrate(struct fsl_lpspi_data *fsl_lpspi) return -EINVAL; } + div = DIV_ROUND_UP(perclk_rate, config.speed_hz); + for (prescale = 0; prescale < 8; prescale++) { - scldiv = perclk_rate / config.speed_hz / (1 << prescale) - 2; + scldiv = div / (1 << prescale) - 2; if (scldiv < 256) { fsl_lpspi->config.prescale = prescale; break; From 9ab8902f51b8ac3c51666922a9719c1e4d81f105 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Mon, 5 Aug 2024 15:01:28 +0200 Subject: [PATCH 142/173] ALSA: line6: Fix racy access to midibuf commit 15b7a03205b31bc5623378c190d22b7ff60026f1 upstream. There can be concurrent accesses to line6 midibuf from both the URB completion callback and the rawmidi API access. This could be a cause of KMSAN warning triggered by syzkaller below (so put as reported-by here). This patch protects the midibuf call of the former code path with a spinlock for avoiding the possible races. Reported-by: syzbot+78eccfb8b3c9a85fc6c5@syzkaller.appspotmail.com Closes: https://lore.kernel.org/00000000000000949c061df288c5@google.com Cc: Link: https://patch.msgid.link/20240805130129.10872-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 643293b68fbb6c03f5e907736498da17d43f0d81) Signed-off-by: Vegard Nossum --- sound/usb/line6/driver.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c index 818fed746082..9e94c3a9072a 100644 --- a/sound/usb/line6/driver.c +++ b/sound/usb/line6/driver.c @@ -293,12 +293,14 @@ static void line6_data_received(struct urb *urb) { struct usb_line6 *line6 = (struct usb_line6 *)urb->context; struct midi_buffer *mb = &line6->line6midi->midibuf_in; + unsigned long flags; int done; if (urb->status == -ESHUTDOWN) return; if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) { + spin_lock_irqsave(&line6->line6midi->lock, flags); done = line6_midibuf_write(mb, urb->transfer_buffer, urb->actual_length); @@ -307,12 +309,15 @@ static void line6_data_received(struct urb *urb) dev_dbg(line6->ifcdev, "%d %d buffer overflow - message skipped\n", done, urb->actual_length); } + spin_unlock_irqrestore(&line6->line6midi->lock, flags); for (;;) { + spin_lock_irqsave(&line6->line6midi->lock, flags); done = line6_midibuf_read(mb, line6->buffer_message, LINE6_MIDI_MESSAGE_MAXLEN, LINE6_MIDIBUF_READ_RX); + spin_unlock_irqrestore(&line6->line6midi->lock, flags); if (done <= 0) break; From d41cf1c7bc4e9706d684d3fb2c24046f673ffb78 Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Tue, 9 Jul 2024 13:38:41 +0200 Subject: [PATCH 143/173] usb: vhci-hcd: Do not drop references before new references are gained commit afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a upstream. At a few places the driver carries stale pointers to references that can still be used. Make sure that does not happen. This strictly speaking closes ZDI-CAN-22273, though there may be similar races in the driver. Signed-off-by: Oliver Neukum Cc: stable Acked-by: Shuah Khan Link: https://lore.kernel.org/r/20240709113851.14691-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89) Signed-off-by: Vegard Nossum --- drivers/usb/usbip/vhci_hcd.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c index 22e8cda7a137..e8b120f63e92 100644 --- a/drivers/usb/usbip/vhci_hcd.c +++ b/drivers/usb/usbip/vhci_hcd.c @@ -765,6 +765,7 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag * */ if (usb_pipedevice(urb->pipe) == 0) { + struct usb_device *old; __u8 type = usb_pipetype(urb->pipe); struct usb_ctrlrequest *ctrlreq = (struct usb_ctrlrequest *) urb->setup_packet; @@ -775,14 +776,15 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag goto no_need_xmit; } + old = vdev->udev; switch (ctrlreq->bRequest) { case USB_REQ_SET_ADDRESS: /* set_address may come when a device is reset */ dev_info(dev, "SetAddress Request (%d) to port %d\n", ctrlreq->wValue, vdev->rhport); - usb_put_dev(vdev->udev); vdev->udev = usb_get_dev(urb->dev); + usb_put_dev(old); spin_lock(&vdev->ud.lock); vdev->ud.status = VDEV_ST_USED; @@ -801,8 +803,8 @@ static int vhci_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, gfp_t mem_flag usbip_dbg_vhci_hc( "Not yet?:Get_Descriptor to device 0 (get max pipe size)\n"); - usb_put_dev(vdev->udev); vdev->udev = usb_get_dev(urb->dev); + usb_put_dev(old); goto out; default: @@ -1109,6 +1111,7 @@ static void vhci_shutdown_connection(struct usbip_device *ud) static void vhci_device_reset(struct usbip_device *ud) { struct vhci_device *vdev = container_of(ud, struct vhci_device, ud); + struct usb_device *old = vdev->udev; unsigned long flags; spin_lock_irqsave(&ud->lock, flags); @@ -1116,8 +1119,8 @@ static void vhci_device_reset(struct usbip_device *ud) vdev->speed = 0; vdev->devid = 0; - usb_put_dev(vdev->udev); vdev->udev = NULL; + usb_put_dev(old); if (ud->tcp_socket) { sockfd_put(ud->tcp_socket); From 95314b1272d1d96f5737c5b1e208fabd1128db3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 15 Jul 2024 12:44:53 +0200 Subject: [PATCH 144/173] USB: serial: debug: do not echo input by default MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit commit 00af4f3dda1461ec90d892edc10bec6d3c50c554 upstream. This driver is intended as a "client" end of the console connection. When connected to a host it's supposed to receive debug logs, and possibly allow to interact with whatever debug console is available there. Feeding messages back, depending on a configuration may cause log messages be executed as shell commands (which can be really bad if one is unlucky, imagine a log message like "prevented running `rm -rf /home`"). In case of Xen, it exposes sysrq-like debug interface, and feeding it its own logs will pretty quickly hit 'R' for "instant reboot". Contrary to a classic serial console, the USB one cannot be configured ahead of time, as the device shows up only when target OS is up. And at the time device is opened to execute relevant ioctl, it's already too late, especially when logs start flowing shortly after device is initialized. Avoid the issue by changing default to no echo for this type of devices. Signed-off-by: Marek Marczykowski-Górecki [ johan: amend summary; disable also ECHONL ] Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 1907ed1be026c771086e6adc560f38dc50e82382) Signed-off-by: Vegard Nossum --- drivers/usb/serial/usb_debug.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/usb/serial/usb_debug.c b/drivers/usb/serial/usb_debug.c index c593ca8800e5..b9d27cdf3b82 100644 --- a/drivers/usb/serial/usb_debug.c +++ b/drivers/usb/serial/usb_debug.c @@ -72,6 +72,11 @@ static void usb_debug_process_read_urb(struct urb *urb) usb_serial_generic_process_read_urb(urb); } +static void usb_debug_init_termios(struct tty_struct *tty) +{ + tty->termios.c_lflag &= ~(ECHO | ECHONL); +} + static struct usb_serial_driver debug_device = { .driver = { .owner = THIS_MODULE, @@ -81,6 +86,7 @@ static struct usb_serial_driver debug_device = { .num_ports = 1, .bulk_out_size = USB_DEBUG_MAX_PACKET_SIZE, .break_ctl = usb_debug_break_ctl, + .init_termios = usb_debug_init_termios, .process_read_urb = usb_debug_process_read_urb, }; @@ -92,6 +98,7 @@ static struct usb_serial_driver dbc_device = { .id_table = dbc_id_table, .num_ports = 1, .break_ctl = usb_debug_break_ctl, + .init_termios = usb_debug_init_termios, .process_read_urb = usb_debug_process_read_urb, }; From 551fbbddb6f5ff52bdb1c0cdb3d096e359e088da Mon Sep 17 00:00:00 2001 From: Chris Wulff Date: Wed, 24 Jul 2024 21:04:20 -0400 Subject: [PATCH 145/173] usb: gadget: core: Check for unset descriptor commit 973a57891608a98e894db2887f278777f564de18 upstream. Make sure the descriptor has been set before looking at maxpacket. This fixes a null pointer panic in this case. This may happen if the gadget doesn't properly set up the endpoint for the current speed, or the gadget descriptors are malformed and the descriptor for the speed/endpoint are not found. No current gadget driver is known to have this problem, but this may cause a hard-to-find bug during development of new gadgets. Fixes: 54f83b8c8ea9 ("USB: gadget: Reject endpoints with 0 maxpacket value") Cc: stable@vger.kernel.org Signed-off-by: Chris Wulff Link: https://lore.kernel.org/r/20240725010419.314430-2-crwulff@gmail.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit ba15815dd24cc5ec0d23e2170dc58c7db1e03b4a) Signed-off-by: Vegard Nossum --- drivers/usb/gadget/udc/core.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index f36788f27882..84fbc06eb157 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -108,12 +108,10 @@ int usb_ep_enable(struct usb_ep *ep) goto out; /* UDC drivers can't handle endpoints with maxpacket size 0 */ - if (usb_endpoint_maxp(ep->desc) == 0) { - /* - * We should log an error message here, but we can't call - * dev_err() because there's no way to find the gadget - * given only ep. - */ + if (!ep->desc || usb_endpoint_maxp(ep->desc) == 0) { + WARN_ONCE(1, "%s: ep%d (%s) has %s\n", __func__, ep->address, ep->name, + (!ep->desc) ? "NULL descriptor" : "maxpacket 0"); + ret = -EINVAL; goto out; } From b41af170f9ad55d4780688b92c032579655218fe Mon Sep 17 00:00:00 2001 From: Vamshi Gajjela Date: Wed, 24 Jul 2024 19:21:26 +0530 Subject: [PATCH 146/173] scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic commit ab9fd06cb8f0db0854291833fc40c789e43a361f upstream. The ufshcd_add_delay_before_dme_cmd() always introduces a delay of MIN_DELAY_BEFORE_DME_CMDS_US between DME commands even when it's not required. The delay is added when the UFS host controller supplies the quirk UFSHCD_QUIRK_DELAY_BEFORE_DME_CMDS. Fix the logic to update hba->last_dme_cmd_tstamp to ensure subsequent DME commands have the correct delay in the range of 0 to MIN_DELAY_BEFORE_DME_CMDS_US. Update the timestamp at the end of the function to ensure it captures the latest time after any necessary delay has been applied. Signed-off-by: Vamshi Gajjela Link: https://lore.kernel.org/r/20240724135126.1786126-1-vamshigajjela@google.com Fixes: cad2e03d8607 ("ufs: add support to allow non standard behaviours (quirks)") Cc: stable@vger.kernel.org Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman (cherry picked from commit c4da5b5deb343346909920c41645ad85adff4c6c) Signed-off-by: Vegard Nossum --- drivers/scsi/ufs/ufshcd.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c index e491155781e3..3570c81ab239 100644 --- a/drivers/scsi/ufs/ufshcd.c +++ b/drivers/scsi/ufs/ufshcd.c @@ -3421,11 +3421,16 @@ static inline void ufshcd_add_delay_before_dme_cmd(struct ufs_hba *hba) min_sleep_time_us = MIN_DELAY_BEFORE_DME_CMDS_US - delta; else - return; /* no more delay required */ + min_sleep_time_us = 0; /* no more delay required */ } - /* allow sleep for extra 50us if needed */ - usleep_range(min_sleep_time_us, min_sleep_time_us + 50); + if (min_sleep_time_us > 0) { + /* allow sleep for extra 50us if needed */ + usleep_range(min_sleep_time_us, min_sleep_time_us + 50); + } + + /* update the last_dme_cmd_tstamp */ + hba->last_dme_cmd_tstamp = ktime_get(); } /** From 6fad54cc7a6c8c4750209bfcff1b54dd60b086db Mon Sep 17 00:00:00 2001 From: Thomas Gleixner Date: Wed, 31 Jul 2024 12:23:51 +0200 Subject: [PATCH 147/173] tick/broadcast: Move per CPU pointer access into the atomic section commit 6881e75237a84093d0986f56223db3724619f26e upstream. The recent fix for making the take over of the broadcast timer more reliable retrieves a per CPU pointer in preemptible context. This went unnoticed as compilers hoist the access into the non-preemptible region where the pointer is actually used. But of course it's valid that the compiler keeps it at the place where the code puts it which rightfully triggers: BUG: using smp_processor_id() in preemptible [00000000] code: caller is hotplug_cpu__broadcast_tick_pull+0x1c/0xc0 Move it to the actual usage site which is in a non-preemptible region. Fixes: f7d43dd206e7 ("tick/broadcast: Make takeover of broadcast hrtimer reliable") Reported-by: David Wang <00107082@163.com> Signed-off-by: Thomas Gleixner Tested-by: Yu Liao Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/87ttg56ers.ffs@tglx Signed-off-by: Greg Kroah-Hartman (cherry picked from commit f54abf332a2bc0413cfa8bd6a8511f7aa99faea0) Signed-off-by: Vegard Nossum --- kernel/time/tick-broadcast.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel/time/tick-broadcast.c b/kernel/time/tick-broadcast.c index 285c185b90aa..e1ce02931b38 100644 --- a/kernel/time/tick-broadcast.c +++ b/kernel/time/tick-broadcast.c @@ -941,7 +941,6 @@ void tick_broadcast_switch_to_oneshot(void) #ifdef CONFIG_HOTPLUG_CPU void hotplug_cpu__broadcast_tick_pull(int deadcpu) { - struct tick_device *td = this_cpu_ptr(&tick_cpu_device); struct clock_event_device *bc; unsigned long flags; @@ -967,6 +966,8 @@ void hotplug_cpu__broadcast_tick_pull(int deadcpu) * device to avoid the starvation. */ if (tick_check_broadcast_expired()) { + struct tick_device *td = this_cpu_ptr(&tick_cpu_device); + cpumask_clear_cpu(smp_processor_id(), tick_broadcast_force_mask); tick_program_event(td->evtdev->next_event, 1); } From 07f7f40df90538c4bacb06d64ededc68b6d6e9bf Mon Sep 17 00:00:00 2001 From: Justin Stitt Date: Fri, 17 May 2024 20:22:44 +0000 Subject: [PATCH 148/173] ntp: Clamp maxerror and esterror to operating range [ Upstream commit 87d571d6fb77ec342a985afa8744bb9bb75b3622 ] Using syzkaller alongside the newly reintroduced signed integer overflow sanitizer spits out this report: UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:461:16 9223372036854775807 + 500 cannot be represented in type 'long' Call Trace: handle_overflow+0x171/0x1b0 second_overflow+0x2d6/0x500 accumulate_nsecs_to_secs+0x60/0x160 timekeeping_advance+0x1fe/0x890 update_wall_time+0x10/0x30 time_maxerror is unconditionally incremented and the result is checked against NTP_PHASE_LIMIT, but the increment itself can overflow, resulting in wrap-around to negative space. Before commit eea83d896e31 ("ntp: NTP4 user space bits update") the user supplied value was sanity checked to be in the operating range. That change removed the sanity check and relied on clamping in handle_overflow() which does not work correctly when the user supplied value is in the overflow zone of the '+ 500' operation. The operation requires CAP_SYS_TIME and the side effect of the overflow is NTP getting out of sync. Miroslav confirmed that the input value should be clamped to the operating range and the same applies to time_esterror. The latter is not used by the kernel, but the value still should be in the operating range as it was before the sanity check got removed. Clamp them to the operating range. [ tglx: Changed it to clamping and included time_esterror ] Fixes: eea83d896e31 ("ntp: NTP4 user space bits update") Signed-off-by: Justin Stitt Signed-off-by: Thomas Gleixner Cc: Miroslav Lichvar Link: https://lore.kernel.org/all/20240517-b4-sio-ntp-usec-v2-1-d539180f2b79@google.com Closes: https://github.com/KSPP/linux/issues/354 Signed-off-by: Sasha Levin [ cast things to __kernel_long_t to fix compiler warnings - gregkh ] Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 9dfe2eef1ecfbb1f29e678700247de6010784eb9) Signed-off-by: Vegard Nossum --- kernel/time/ntp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c index 9288532f73c8..ce6ff1de8442 100644 --- a/kernel/time/ntp.c +++ b/kernel/time/ntp.c @@ -628,10 +628,10 @@ static inline void process_adjtimex_modes(struct timex *txc, } if (txc->modes & ADJ_MAXERROR) - time_maxerror = txc->maxerror; + time_maxerror = clamp(txc->maxerror, (__kernel_long_t)0, (__kernel_long_t)NTP_PHASE_LIMIT); if (txc->modes & ADJ_ESTERROR) - time_esterror = txc->esterror; + time_esterror = clamp(txc->esterror, (__kernel_long_t)0, (__kernel_long_t)NTP_PHASE_LIMIT); if (txc->modes & ADJ_TIMECONST) { time_constant = txc->constant; From c72f8e96b8386d50894df2faed9718d7cbfc312d Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Fri, 12 Jul 2024 12:42:09 -0700 Subject: [PATCH 149/173] driver core: Fix uevent_show() vs driver detach race commit 15fffc6a5624b13b428bb1c6e9088e32a55eb82c upstream. uevent_show() wants to de-reference dev->driver->name. There is no clean way for a device attribute to de-reference dev->driver unless that attribute is defined via (struct device_driver).dev_groups. Instead, the anti-pattern of taking the device_lock() in the attribute handler risks deadlocks with code paths that remove device attributes while holding the lock. This deadlock is typically invisible to lockdep given the device_lock() is marked lockdep_set_novalidate_class(), but some subsystems allocate a local lockdep key for @dev->mutex to reveal reports of the form: ====================================================== WARNING: possible circular locking dependency detected 6.10.0-rc7+ #275 Tainted: G OE N ------------------------------------------------------ modprobe/2374 is trying to acquire lock: ffff8c2270070de0 (kn->active#6){++++}-{0:0}, at: __kernfs_remove+0xde/0x220 but task is already holding lock: ffff8c22016e88f8 (&cxl_root_key){+.+.}-{3:3}, at: device_release_driver_internal+0x39/0x210 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&cxl_root_key){+.+.}-{3:3}: __mutex_lock+0x99/0xc30 uevent_show+0xac/0x130 dev_attr_show+0x18/0x40 sysfs_kf_seq_show+0xac/0xf0 seq_read_iter+0x110/0x450 vfs_read+0x25b/0x340 ksys_read+0x67/0xf0 do_syscall_64+0x75/0x190 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #0 (kn->active#6){++++}-{0:0}: __lock_acquire+0x121a/0x1fa0 lock_acquire+0xd6/0x2e0 kernfs_drain+0x1e9/0x200 __kernfs_remove+0xde/0x220 kernfs_remove_by_name_ns+0x5e/0xa0 device_del+0x168/0x410 device_unregister+0x13/0x60 devres_release_all+0xb8/0x110 device_unbind_cleanup+0xe/0x70 device_release_driver_internal+0x1c7/0x210 driver_detach+0x47/0x90 bus_remove_driver+0x6c/0xf0 cxl_acpi_exit+0xc/0x11 [cxl_acpi] __do_sys_delete_module.isra.0+0x181/0x260 do_syscall_64+0x75/0x190 entry_SYSCALL_64_after_hwframe+0x76/0x7e The observation though is that driver objects are typically much longer lived than device objects. It is reasonable to perform lockless de-reference of a @driver pointer even if it is racing detach from a device. Given the infrequency of driver unregistration, use synchronize_rcu() in module_remove_driver() to close any potential races. It is potentially overkill to suffer synchronize_rcu() just to handle the rare module removal racing uevent_show() event. Thanks to Tetsuo Handa for the debug analysis of the syzbot report [1]. Fixes: c0a40097f0bc ("drivers: core: synchronize really_probe() and dev_uevent()") Reported-by: syzbot+4762dd74e32532cda5ff@syzkaller.appspotmail.com Reported-by: Tetsuo Handa Closes: http://lore.kernel.org/5aa5558f-90a4-4864-b1b1-5d6784c5607d@I-love.SAKURA.ne.jp [1] Link: http://lore.kernel.org/669073b8ea479_5fffa294c1@dwillia2-xfh.jf.intel.com.notmuch Cc: stable@vger.kernel.org Cc: Ashish Sangwan Cc: Namjae Jeon Cc: Dirk Behme Cc: Greg Kroah-Hartman Cc: Rafael J. Wysocki Signed-off-by: Dan Williams Link: https://lore.kernel.org/r/172081332794.577428.9738802016494057132.stgit@dwillia2-xfh.jf.intel.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 49ea4e0d862632d51667da5e7a9c88a560e9c5a1) Signed-off-by: Vegard Nossum --- drivers/base/core.c | 13 ++++++++----- drivers/base/module.c | 4 ++++ 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/drivers/base/core.c b/drivers/base/core.c index 7b65073fd273..fa61db6b8014 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include @@ -900,6 +901,7 @@ static int dev_uevent(struct kset *kset, struct kobject *kobj, struct kobj_uevent_env *env) { struct device *dev = kobj_to_dev(kobj); + struct device_driver *driver; int retval = 0; /* add device node properties if present */ @@ -928,8 +930,12 @@ static int dev_uevent(struct kset *kset, struct kobject *kobj, if (dev->type && dev->type->name) add_uevent_var(env, "DEVTYPE=%s", dev->type->name); - if (dev->driver) - add_uevent_var(env, "DRIVER=%s", dev->driver->name); + /* Synchronize with module_remove_driver() */ + rcu_read_lock(); + driver = READ_ONCE(dev->driver); + if (driver) + add_uevent_var(env, "DRIVER=%s", driver->name); + rcu_read_unlock(); /* Add common DT information about the device */ of_device_uevent(dev, env); @@ -999,11 +1005,8 @@ static ssize_t uevent_show(struct device *dev, struct device_attribute *attr, if (!env) return -ENOMEM; - /* Synchronize with really_probe() */ - device_lock(dev); /* let the kset specific function add its keys */ retval = kset->uevent_ops->uevent(kset, &dev->kobj, env); - device_unlock(dev); if (retval) goto out; diff --git a/drivers/base/module.c b/drivers/base/module.c index 2a215780eda2..48ad0e7c1fa8 100644 --- a/drivers/base/module.c +++ b/drivers/base/module.c @@ -9,6 +9,7 @@ #include #include #include +#include #include "base.h" static char *make_driver_name(struct device_driver *drv) @@ -79,6 +80,9 @@ void module_remove_driver(struct device_driver *drv) if (!drv) return; + /* Synchronize with dev_uevent() */ + synchronize_rcu(); + sysfs_remove_link(&drv->p->kobj, "module"); if (drv->owner) From 53390d85b1f4fca100eca68612fe9ae736ef5caf Mon Sep 17 00:00:00 2001 From: Justin Stitt Date: Fri, 17 May 2024 00:47:10 +0000 Subject: [PATCH 150/173] ntp: Safeguard against time_constant overflow commit 06c03c8edce333b9ad9c6b207d93d3a5ae7c10c0 upstream. Using syzkaller with the recently reintroduced signed integer overflow sanitizer produces this UBSAN report: UBSAN: signed-integer-overflow in ../kernel/time/ntp.c:738:18 9223372036854775806 + 4 cannot be represented in type 'long' Call Trace: handle_overflow+0x171/0x1b0 __do_adjtimex+0x1236/0x1440 do_adjtimex+0x2be/0x740 The user supplied time_constant value is incremented by four and then clamped to the operating range. Before commit eea83d896e31 ("ntp: NTP4 user space bits update") the user supplied value was sanity checked to be in the operating range. That change removed the sanity check and relied on clamping after incrementing which does not work correctly when the user supplied value is in the overflow zone of the '+ 4' operation. The operation requires CAP_SYS_TIME and the side effect of the overflow is NTP getting out of sync. Similar to the fixups for time_maxerror and time_esterror, clamp the user space supplied value to the operating range. [ tglx: Switch to clamping ] Fixes: eea83d896e31 ("ntp: NTP4 user space bits update") Signed-off-by: Justin Stitt Signed-off-by: Thomas Gleixner Cc: Miroslav Lichvar Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20240517-b4-sio-ntp-c-v2-1-f3a80096f36f@google.com Closes: https://github.com/KSPP/linux/issues/352 Signed-off-by: Greg Kroah-Hartman (cherry picked from commit a13f8b269b6f4c9371ab149ecb65d2edb52e9669) Signed-off-by: Vegard Nossum --- kernel/time/ntp.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c index ce6ff1de8442..279313827008 100644 --- a/kernel/time/ntp.c +++ b/kernel/time/ntp.c @@ -634,11 +634,10 @@ static inline void process_adjtimex_modes(struct timex *txc, time_esterror = clamp(txc->esterror, (__kernel_long_t)0, (__kernel_long_t)NTP_PHASE_LIMIT); if (txc->modes & ADJ_TIMECONST) { - time_constant = txc->constant; + time_constant = clamp(txc->constant, (__kernel_long_t)0, (__kernel_long_t)MAXTC); if (!(time_status & STA_NANO)) time_constant += 4; - time_constant = min(time_constant, (long)MAXTC); - time_constant = max(time_constant, 0l); + time_constant = clamp(time_constant, (long)0, (long)MAXTC); } if (txc->modes & ADJ_TAI && From 1d33b86b2b99774eae26926b2f5f4900f826638f Mon Sep 17 00:00:00 2001 From: George Kennedy Date: Wed, 17 Jul 2024 07:24:38 -0500 Subject: [PATCH 151/173] serial: core: check uartclk for zero to avoid divide by zero commit 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 upstream. Calling ioctl TIOCSSERIAL with an invalid baud_base can result in uartclk being zero, which will result in a divide by zero error in uart_get_divisor(). The check for uartclk being zero in uart_set_info() needs to be done before other settings are made as subsequent calls to ioctl TIOCSSERIAL for the same port would be impacted if the uartclk check was done where uartclk gets set. Oops: divide error: 0000 PREEMPT SMP KASAN PTI RIP: 0010:uart_get_divisor (drivers/tty/serial/serial_core.c:580) Call Trace: serial8250_get_divisor (drivers/tty/serial/8250/8250_port.c:2576 drivers/tty/serial/8250/8250_port.c:2589) serial8250_do_set_termios (drivers/tty/serial/8250/8250_port.c:502 drivers/tty/serial/8250/8250_port.c:2741) serial8250_set_termios (drivers/tty/serial/8250/8250_port.c:2862) uart_change_line_settings (./include/linux/spinlock.h:376 ./include/linux/serial_core.h:608 drivers/tty/serial/serial_core.c:222) uart_port_startup (drivers/tty/serial/serial_core.c:342) uart_startup (drivers/tty/serial/serial_core.c:368) uart_set_info (drivers/tty/serial/serial_core.c:1034) uart_set_info_user (drivers/tty/serial/serial_core.c:1059) tty_set_serial (drivers/tty/tty_io.c:2637) tty_ioctl (drivers/tty/tty_io.c:2647 drivers/tty/tty_io.c:2791) __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:907 fs/ioctl.c:893 fs/ioctl.c:893) do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Reported-by: syzkaller Cc: stable@vger.kernel.org Signed-off-by: George Kennedy Rule: add Link: https://lore.kernel.org/stable/1721148848-9784-1-git-send-email-george.kennedy%40oracle.com Link: https://lore.kernel.org/r/1721219078-3209-1-git-send-email-george.kennedy@oracle.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba) Signed-off-by: Vegard Nossum --- drivers/tty/serial/serial_core.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 230e515b83c8..e42172eb5047 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -870,6 +870,14 @@ static int uart_set_info(struct tty_struct *tty, struct tty_port *port, new_flags = (__force upf_t)new_info->flags; old_custom_divisor = uport->custom_divisor; + if (!(uport->flags & UPF_FIXED_PORT)) { + unsigned int uartclk = new_info->baud_base * 16; + /* check needs to be done here before other settings made */ + if (uartclk == 0) { + retval = -EINVAL; + goto exit; + } + } if (!capable(CAP_SYS_ADMIN)) { retval = -EPERM; if (change_irq || change_port || From d9b1fa9a24e5ba3115a289421d535abf954efd7a Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Wed, 17 Jul 2024 22:03:32 +0200 Subject: [PATCH 152/173] power: supply: axp288_charger: Fix constant_charge_voltage writes commit b34ce4a59cfe9cd0d6f870e6408e8ec88a964585 upstream. info->max_cv is in millivolts, divide the microvolt value being written to constant_charge_voltage by 1000 *before* clamping it to info->max_cv. Before this fix the code always tried to set constant_charge_voltage to max_cv / 1000 = 4 millivolt, which ends up in setting it to 4.1V which is the lowest supported value. Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver") Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20240717200333.56669-1-hdegoede@redhat.com Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman (cherry picked from commit f1aa9f19da35f72ce8ec3196f0a7bc06e296aaeb) Signed-off-by: Vegard Nossum --- drivers/power/supply/axp288_charger.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/power/supply/axp288_charger.c b/drivers/power/supply/axp288_charger.c index b8f7da57c78a..74ffbacf3522 100644 --- a/drivers/power/supply/axp288_charger.c +++ b/drivers/power/supply/axp288_charger.c @@ -387,8 +387,8 @@ static int axp288_charger_usb_set_property(struct power_supply *psy, dev_warn(&info->pdev->dev, "set charge current failed\n"); break; case POWER_SUPPLY_PROP_CONSTANT_CHARGE_VOLTAGE: - scaled_val = min(val->intval, info->max_cv); - scaled_val = DIV_ROUND_CLOSEST(scaled_val, 1000); + scaled_val = DIV_ROUND_CLOSEST(val->intval, 1000); + scaled_val = min(scaled_val, info->max_cv); ret = axp288_charger_set_cv(info, scaled_val); if (ret < 0) dev_warn(&info->pdev->dev, "set charge voltage failed\n"); From bd9bfbcc05c1c7af22dfa9ca8b2ff1d6395db661 Mon Sep 17 00:00:00 2001 From: Hans de Goede Date: Wed, 17 Jul 2024 22:03:33 +0200 Subject: [PATCH 153/173] power: supply: axp288_charger: Round constant_charge_voltage writes down commit 81af7f2342d162e24ac820c10e68684d9f927663 upstream. Round constant_charge_voltage writes down to the first supported lower value, rather then rounding them up to the first supported higher value. This fixes e.g. writing 4250000 resulting in a value of 4350000 which might be dangerous, instead writing 4250000 will now result in a safe 4200000 value. Fixes: 843735b788a4 ("power: axp288_charger: axp288 charger driver") Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20240717200333.56669-2-hdegoede@redhat.com Signed-off-by: Sebastian Reichel Signed-off-by: Greg Kroah-Hartman (cherry picked from commit e3cb8400a72a9e5e25365d380b290cdd50ccdb5c) Signed-off-by: Vegard Nossum --- drivers/power/supply/axp288_charger.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/power/supply/axp288_charger.c b/drivers/power/supply/axp288_charger.c index 74ffbacf3522..32c5408cd6aa 100644 --- a/drivers/power/supply/axp288_charger.c +++ b/drivers/power/supply/axp288_charger.c @@ -194,18 +194,18 @@ static inline int axp288_charger_set_cv(struct axp288_chrg_info *info, int cv) u8 reg_val; int ret; - if (cv <= CV_4100MV) { - reg_val = CHRG_CCCV_CV_4100MV; - cv = CV_4100MV; - } else if (cv <= CV_4150MV) { - reg_val = CHRG_CCCV_CV_4150MV; - cv = CV_4150MV; - } else if (cv <= CV_4200MV) { - reg_val = CHRG_CCCV_CV_4200MV; - cv = CV_4200MV; - } else { + if (cv >= CV_4350MV) { reg_val = CHRG_CCCV_CV_4350MV; cv = CV_4350MV; + } else if (cv >= CV_4200MV) { + reg_val = CHRG_CCCV_CV_4200MV; + cv = CV_4200MV; + } else if (cv >= CV_4150MV) { + reg_val = CHRG_CCCV_CV_4150MV; + cv = CV_4150MV; + } else { + reg_val = CHRG_CCCV_CV_4100MV; + cv = CV_4100MV; } reg_val = reg_val << CHRG_CCCV_CV_BIT_POS; From b28271a4428daf3c20b71a8e7cf218a4c38c698b Mon Sep 17 00:00:00 2001 From: Tze-nan Wu Date: Mon, 5 Aug 2024 13:59:22 +0800 Subject: [PATCH 154/173] tracing: Fix overflow in get_free_elt() commit bcf86c01ca4676316557dd482c8416ece8c2e143 upstream. "tracing_map->next_elt" in get_free_elt() is at risk of overflowing. Once it overflows, new elements can still be inserted into the tracing_map even though the maximum number of elements (`max_elts`) has been reached. Continuing to insert elements after the overflow could result in the tracing_map containing "tracing_map->max_size" elements, leaving no empty entries. If any attempt is made to insert an element into a full tracing_map using `__tracing_map_insert()`, it will cause an infinite loop with preemption disabled, leading to a CPU hang problem. Fix this by preventing any further increments to "tracing_map->next_elt" once it reaches "tracing_map->max_elt". Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Fixes: 08d43a5fa063e ("tracing: Add lock-free tracing_map") Co-developed-by: Cheng-Jui Wang Link: https://lore.kernel.org/20240805055922.6277-1-Tze-nan.Wu@mediatek.com Signed-off-by: Cheng-Jui Wang Signed-off-by: Tze-nan Wu Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 302ceb625d7b990db205a15e371f9a71238de91c) [Vegard: s/atomic_fetch_add_unless/__atomic_add_unless/ due to missing commit bfc18e389c7a09fbbbed6bf4032396685b14246e ("atomics/treewide: Rename __atomic_add_unless() => atomic_fetch_add_unless()".] Signed-off-by: Vegard Nossum --- kernel/trace/tracing_map.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/trace/tracing_map.c b/kernel/trace/tracing_map.c index 572c0854d631..6354c5f24c7e 100644 --- a/kernel/trace/tracing_map.c +++ b/kernel/trace/tracing_map.c @@ -355,7 +355,7 @@ static struct tracing_map_elt *get_free_elt(struct tracing_map *map) struct tracing_map_elt *elt = NULL; int idx; - idx = atomic_inc_return(&map->next_elt); + idx = __atomic_add_unless(&map->next_elt, 1, map->max_elts); if (idx < map->max_elts) { elt = *(TRACING_MAP_ELT(map->elts, idx)); if (map->ops && map->ops->elt_init) @@ -563,7 +563,7 @@ void tracing_map_clear(struct tracing_map *map) { unsigned int i; - atomic_set(&map->next_elt, -1); + atomic_set(&map->next_elt, 0); atomic64_set(&map->hits, 0); atomic64_set(&map->drops, 0); @@ -647,7 +647,7 @@ struct tracing_map *tracing_map_create(unsigned int map_bits, map->map_bits = map_bits; map->max_elts = (1 << map_bits); - atomic_set(&map->next_elt, -1); + atomic_set(&map->next_elt, 0); map->map_size = (1 << (map_bits + 1)); map->ops = ops; From 4f0b886693fe2a82d8896cd431eb529777e1bbdc Mon Sep 17 00:00:00 2001 From: Andi Kleen Date: Wed, 7 Aug 2024 17:02:44 -0700 Subject: [PATCH 155/173] x86/mtrr: Check if fixed MTRRs exist before saving them commit 919f18f961c03d6694aa726c514184f2311a4614 upstream. MTRRs have an obsolete fixed variant for fine grained caching control of the 640K-1MB region that uses separate MSRs. This fixed variant has a separate capability bit in the MTRR capability MSR. So far all x86 CPUs which support MTRR have this separate bit set, so it went unnoticed that mtrr_save_state() does not check the capability bit before accessing the fixed MTRR MSRs. Though on a CPU that does not support the fixed MTRR capability this results in a #GP. The #GP itself is harmless because the RDMSR fault is handled gracefully, but results in a WARN_ON(). Add the missing capability check to prevent this. Fixes: 2b1f6278d77c ("[PATCH] x86: Save the MTRRs of the BSP before booting an AP") Signed-off-by: Andi Kleen Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20240808000244.946864-1-ak@linux.intel.com Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 34f36e6ee5bd7eff8b2adcd9fcaef369f752d82e) Signed-off-by: Vegard Nossum --- arch/x86/kernel/cpu/mtrr/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c index 7468de429087..41da59446ef8 100644 --- a/arch/x86/kernel/cpu/mtrr/main.c +++ b/arch/x86/kernel/cpu/mtrr/main.c @@ -816,7 +816,7 @@ void mtrr_save_state(void) { int first_cpu; - if (!mtrr_enabled()) + if (!mtrr_enabled() || !mtrr_state.have_fixed) return; first_cpu = cpumask_first(cpu_online_mask); From d5775da332c5377cc22a6e497a9b324c1f2fe2a1 Mon Sep 17 00:00:00 2001 From: Lin Huang Date: Mon, 23 Apr 2018 12:49:38 +0200 Subject: [PATCH 156/173] drm/bridge: analogix_dp: Check AUX_EN status when doing AUX transfer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We should check AUX_EN bit to confirm the AUX CH operation is completed. Cc: Stéphane Marchesin Signed-off-by: Lin Huang Signed-off-by: zain wang Signed-off-by: Sean Paul Signed-off-by: Thierry Escande Signed-off-by: Enric Balletbo i Serra Tested-by: Marek Szyprowski Reviewed-by: Archit Taneja Signed-off-by: Andrzej Hajda Link: https://patchwork.freedesktop.org/patch/msgid/20180423105003.9004-3-enric.balletbo@collabora.com (cherry picked from commit c2021db1905ed5b4480882836d8d3631ca786869) [Vegard: added #include .] Signed-off-by: Vegard Nossum --- .../gpu/drm/bridge/analogix/analogix_dp_reg.c | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c index 303083ad28e3..05d2887e92e2 100644 --- a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c +++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c @@ -14,6 +14,7 @@ #include #include #include +#include #include @@ -1043,9 +1044,9 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, { u32 reg; u8 *buffer = msg->buffer; - int timeout_loop = 0; unsigned int i; int num_transferred = 0; + int ret; /* Buffer size of AUX CH is 16 bytes */ if (WARN_ON(msg->size > 16)) @@ -1109,17 +1110,20 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, writel(reg, dp->reg_base + ANALOGIX_DP_AUX_CH_CTL_2); - /* Is AUX CH command reply received? */ + ret = readx_poll_timeout(readl, dp->reg_base + ANALOGIX_DP_AUX_CH_CTL_2, + reg, !(reg & AUX_EN), 25, 500 * 1000); + if (ret) { + dev_err(dp->dev, "AUX CH enable timeout!\n"); + return -ETIMEDOUT; + } + /* TODO: Wait for an interrupt instead of looping? */ - reg = readl(dp->reg_base + ANALOGIX_DP_INT_STA); - while (!(reg & RPLY_RECEIV)) { - timeout_loop++; - if (timeout_loop > DP_TIMEOUT_LOOP_COUNT) { - dev_err(dp->dev, "AUX CH command reply failed!\n"); - return -ETIMEDOUT; - } - reg = readl(dp->reg_base + ANALOGIX_DP_INT_STA); - usleep_range(10, 11); + /* Is AUX CH command reply received? */ + ret = readx_poll_timeout(readl, dp->reg_base + ANALOGIX_DP_INT_STA, + reg, reg & RPLY_RECEIV, 10, 20 * 1000); + if (ret) { + dev_err(dp->dev, "AUX CH cmd reply timeout!\n"); + return -ETIMEDOUT; } /* Clear interrupt source for AUX CH command reply */ From a413584fad9b551cb6e15f5e8a05f94d16871585 Mon Sep 17 00:00:00 2001 From: Lin Huang Date: Mon, 23 Apr 2018 12:49:48 +0200 Subject: [PATCH 157/173] drm/bridge: analogix_dp: Reset aux channel if an error occurred MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit AUX errors are caused by many different reasons. We may not know what happened in aux channel on failure, so let's reset aux channel if some errors occurred. Cc: 征增 王 Cc: Douglas Anderson Signed-off-by: Lin Huang Signed-off-by: Sean Paul Signed-off-by: Thierry Escande Reviewed-by: Andrzej Hajda Tested-by: Marek Szyprowski Reviewed-by: Archit Taneja Signed-off-by: Enric Balletbo i Serra Signed-off-by: Andrzej Hajda Link: https://patchwork.freedesktop.org/patch/msgid/20180423105003.9004-13-enric.balletbo@collabora.com (cherry picked from commit d44ba84433a2e42aa14fc5b9cc228050f0783e5c) Signed-off-by: Vegard Nossum --- .../gpu/drm/bridge/analogix/analogix_dp_reg.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c index 05d2887e92e2..56f61cf6bff6 100644 --- a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c +++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c @@ -450,6 +450,10 @@ void analogix_dp_init_aux(struct analogix_dp_device *dp) reg = RPLY_RECEIV | AUX_ERR; writel(reg, dp->reg_base + ANALOGIX_DP_INT_STA); + analogix_dp_set_analog_power_down(dp, AUX_BLOCK, true); + usleep_range(10, 11); + analogix_dp_set_analog_power_down(dp, AUX_BLOCK, false); + analogix_dp_reset_aux(dp); /* Disable AUX transaction H/W retry */ @@ -1114,7 +1118,7 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, reg, !(reg & AUX_EN), 25, 500 * 1000); if (ret) { dev_err(dp->dev, "AUX CH enable timeout!\n"); - return -ETIMEDOUT; + goto aux_error; } /* TODO: Wait for an interrupt instead of looping? */ @@ -1123,7 +1127,7 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, reg, reg & RPLY_RECEIV, 10, 20 * 1000); if (ret) { dev_err(dp->dev, "AUX CH cmd reply timeout!\n"); - return -ETIMEDOUT; + goto aux_error; } /* Clear interrupt source for AUX CH command reply */ @@ -1133,7 +1137,7 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, reg = readl(dp->reg_base + ANALOGIX_DP_INT_STA); if (reg & AUX_ERR) { writel(AUX_ERR, dp->reg_base + ANALOGIX_DP_INT_STA); - return -EREMOTEIO; + goto aux_error; } /* Check AUX CH error access status */ @@ -1141,7 +1145,7 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, if ((reg & AUX_STATUS_MASK)) { dev_err(dp->dev, "AUX CH error happened: %d\n\n", reg & AUX_STATUS_MASK); - return -EREMOTEIO; + goto aux_error; } if (msg->request & DP_AUX_I2C_READ) { @@ -1167,4 +1171,10 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, msg->reply = DP_AUX_NATIVE_REPLY_ACK; return num_transferred > 0 ? num_transferred : -EBUSY; + +aux_error: + /* if aux err happen, reset aux */ + analogix_dp_init_aux(dp); + + return -EREMOTEIO; } From 9f77a8ee77d6ec538dbccfc03c463586323300d0 Mon Sep 17 00:00:00 2001 From: Douglas Anderson Date: Mon, 23 Apr 2018 12:49:55 +0200 Subject: [PATCH 158/173] drm/bridge: analogix_dp: Properly log AUX CH errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The code in analogix_dp_transfer() that was supposed to print out: AUX CH error happened Was actually dead code. That's because the previous check (whether the interrupt status indicated any errors) would have hit for all errors anyway. Let's combine the two error checks so we can actually see AUX CH errors. We'll also downgrade the message to a warning since some of these types of errors might be expected for some displays. If this gets too noisy we can downgrade again to debug. Cc: 征增 王 Signed-off-by: Douglas Anderson Signed-off-by: Sean Paul Signed-off-by: Thierry Escande Reviewed-by: Andrzej Hajda Signed-off-by: Enric Balletbo i Serra Tested-by: Marek Szyprowski Reviewed-by: Archit Taneja Signed-off-by: Andrzej Hajda Link: https://patchwork.freedesktop.org/patch/msgid/20180423105003.9004-20-enric.balletbo@collabora.com (cherry picked from commit 71cef82434640fb5d219365a568c859944fedb80) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c index 56f61cf6bff6..a9056dfaf9b4 100644 --- a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c +++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c @@ -1047,6 +1047,7 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, struct drm_dp_aux_msg *msg) { u32 reg; + u32 status_reg; u8 *buffer = msg->buffer; unsigned int i; int num_transferred = 0; @@ -1135,16 +1136,12 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, /* Clear interrupt source for AUX CH access error */ reg = readl(dp->reg_base + ANALOGIX_DP_INT_STA); - if (reg & AUX_ERR) { + status_reg = readl(dp->reg_base + ANALOGIX_DP_AUX_CH_STA); + if ((reg & AUX_ERR) || (status_reg & AUX_STATUS_MASK)) { writel(AUX_ERR, dp->reg_base + ANALOGIX_DP_INT_STA); - goto aux_error; - } - /* Check AUX CH error access status */ - reg = readl(dp->reg_base + ANALOGIX_DP_AUX_CH_STA); - if ((reg & AUX_STATUS_MASK)) { - dev_err(dp->dev, "AUX CH error happened: %d\n\n", - reg & AUX_STATUS_MASK); + dev_warn(dp->dev, "AUX CH error happened: %#x (%d)\n", + status_reg & AUX_STATUS_MASK, !!(reg & AUX_ERR)); goto aux_error; } From 5dfe0cc24eab4d1e640e3cfc7ef155216fb29f2a Mon Sep 17 00:00:00 2001 From: Lucas Stach Date: Mon, 18 Mar 2024 21:39:23 +0100 Subject: [PATCH 159/173] drm/bridge: analogix_dp: properly handle zero sized AUX transactions commit e82290a2e0e8ec5e836ecad1ca025021b3855c2d upstream. Address only transactions without any data are valid and should not be flagged as short transactions. Simply return the message size when no transaction errors occured. CC: stable@vger.kernel.org Signed-off-by: Lucas Stach Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20240318203925.2837689-1-l.stach@pengutronix.de Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 52f05898629b25fc382754d837be624205ce67f8) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c index a9056dfaf9b4..75a4aabbaebc 100644 --- a/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c +++ b/drivers/gpu/drm/bridge/analogix/analogix_dp_reg.c @@ -1050,7 +1050,6 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, u32 status_reg; u8 *buffer = msg->buffer; unsigned int i; - int num_transferred = 0; int ret; /* Buffer size of AUX CH is 16 bytes */ @@ -1102,7 +1101,6 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, reg = buffer[i]; writel(reg, dp->reg_base + ANALOGIX_DP_BUF_DATA_0 + 4 * i); - num_transferred++; } } @@ -1150,7 +1148,6 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, reg = readl(dp->reg_base + ANALOGIX_DP_BUF_DATA_0 + 4 * i); buffer[i] = (unsigned char)reg; - num_transferred++; } } @@ -1167,7 +1164,7 @@ ssize_t analogix_dp_transfer(struct analogix_dp_device *dp, (msg->request & ~DP_AUX_I2C_MOT) == DP_AUX_NATIVE_READ) msg->reply = DP_AUX_NATIVE_REPLY_ACK; - return num_transferred > 0 ? num_transferred : -EBUSY; + return msg->size; aux_error: /* if aux err happen, reset aux */ From e391c9f51faaf4a35bb29343af0d29164938363a Mon Sep 17 00:00:00 2001 From: Thomas Zimmermann Date: Mon, 13 May 2024 14:51:06 +0200 Subject: [PATCH 160/173] drm/mgag200: Set DDC timeout in milliseconds commit ecde5db1598aecab54cc392282c15114f526f05f upstream. Compute the i2c timeout in jiffies from a value in milliseconds. The original values of 2 jiffies equals 2 milliseconds if HZ has been configured to a value of 1000. This corresponds to 2.2 milliseconds used by most other DRM drivers. Update mgag200 accordingly. Signed-off-by: Thomas Zimmermann Reviewed-by: Jocelyn Falempe Fixes: 414c45310625 ("mgag200: initial g200se driver (v2)") Cc: Dave Airlie Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: Jocelyn Falempe Cc: dri-devel@lists.freedesktop.org Cc: # v3.5+ Link: https://patchwork.freedesktop.org/patch/msgid/20240513125620.6337-2-tzimmermann@suse.de Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 7db72e8e538e10afefe589d6203ffb4f5a1cbd9a) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/mgag200/mgag200_i2c.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/mgag200/mgag200_i2c.c b/drivers/gpu/drm/mgag200/mgag200_i2c.c index 77d1c4771786..0919021168e1 100644 --- a/drivers/gpu/drm/mgag200/mgag200_i2c.c +++ b/drivers/gpu/drm/mgag200/mgag200_i2c.c @@ -133,7 +133,7 @@ struct mga_i2c_chan *mgag200_i2c_create(struct drm_device *dev) i2c->adapter.algo_data = &i2c->bit; i2c->bit.udelay = 10; - i2c->bit.timeout = 2; + i2c->bit.timeout = usecs_to_jiffies(2200); i2c->bit.data = i2c; i2c->bit.setsda = mga_gpio_setsda; i2c->bit.setscl = mga_gpio_setscl; From 6bd6cf1374f27ba771760e53caf8c276e794b638 Mon Sep 17 00:00:00 2001 From: Nathan Chancellor Date: Fri, 26 Jul 2024 11:05:00 -0700 Subject: [PATCH 161/173] kbuild: Fix '-S -c' in x86 stack protector scripts commit 3415b10a03945b0da4a635e146750dfe5ce0f448 upstream. After a recent change in clang to stop consuming all instances of '-S' and '-c' [1], the stack protector scripts break due to the kernel's use of -Werror=unused-command-line-argument to catch cases where flags are not being properly consumed by the compiler driver: $ echo | clang -o - -x c - -S -c -Werror=unused-command-line-argument clang: error: argument unused during compilation: '-c' [-Werror,-Wunused-command-line-argument] This results in CONFIG_STACKPROTECTOR getting disabled because CONFIG_CC_HAS_SANE_STACKPROTECTOR is no longer set. '-c' and '-S' both instruct the compiler to stop at different stages of the pipeline ('-S' after compiling, '-c' after assembling), so having them present together in the same command makes little sense. In this case, the test wants to stop before assembling because it is looking at the textual assembly output of the compiler for either '%fs' or '%gs', so remove '-c' from the list of arguments to resolve the error. All versions of GCC continue to work after this change, along with versions of clang that do or do not contain the change mentioned above. Cc: stable@vger.kernel.org Fixes: 4f7fd4d7a791 ("[PATCH] Add the -fstack-protector option to the CFLAGS") Fixes: 60a5317ff0f4 ("x86: implement x86_32 stack protector") Link: https://github.com/llvm/llvm-project/commit/6461e537815f7fa68cef06842505353cf5600e9c [1] Signed-off-by: Nathan Chancellor Signed-off-by: Masahiro Yamada [nathan: Fixed conflict in 32-bit version due to lack of 3fb0fdb3bbe7] Signed-off-by: Nathan Chancellor Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 9dd6e5296c8ad1bbb88933b8150383bc0eba9488) [Vegard: fix conflicts due to missing commits 5391e536dbf7 ("stack-protector: Fix test with 32-bit userland and CONFIG_64BIT=y") and 2a61f4747eea ("stack-protector: test compiler capability in Kconfig and drop AUTO mode").] Signed-off-by: Vegard Nossum --- scripts/gcc-x86_32-has-stack-protector.sh | 2 +- scripts/gcc-x86_64-has-stack-protector.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/gcc-x86_32-has-stack-protector.sh b/scripts/gcc-x86_32-has-stack-protector.sh index 6b2aeefb9cd3..e714e7f7cf9b 100755 --- a/scripts/gcc-x86_32-has-stack-protector.sh +++ b/scripts/gcc-x86_32-has-stack-protector.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0 -echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -O0 -fstack-protector - -o - 2> /dev/null | grep -q "%gs" +echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -O0 -fstack-protector - -o - 2> /dev/null | grep -q "%gs" if [ "$?" -eq "0" ] ; then echo y else diff --git a/scripts/gcc-x86_64-has-stack-protector.sh b/scripts/gcc-x86_64-has-stack-protector.sh index 4a48bdcd4d6b..c1428d7723ca 100755 --- a/scripts/gcc-x86_64-has-stack-protector.sh +++ b/scripts/gcc-x86_64-has-stack-protector.sh @@ -1,7 +1,7 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0 -echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -c -O0 -mcmodel=kernel -fno-PIE -fstack-protector - -o - 2> /dev/null | grep -q "%gs" +echo "int foo(void) { char X[200]; return 3; }" | $* -S -x c -O0 -mcmodel=kernel -fno-PIE -fstack-protector - -o - 2> /dev/null | grep -q "%gs" if [ "$?" -eq "0" ] ; then echo y else From 9aee9974b20b6907210221aba005ec36135348a4 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Mon, 12 Aug 2024 12:29:23 +0200 Subject: [PATCH 162/173] netfilter: nf_tables: set element extended ACK reporting support commit b53c116642502b0c85ecef78bff4f826a7dd4145 upstream. Report the element that causes problems via netlink extended ACK for set element commands. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 61fbbac22c8ce73d0c492caf45a286c3f021c0fd) [Vegard: fix conflict in nf_tables_getsetelem() due to missing commit ba0e4d9917b43dfa746cbbcb4477da59aae73bd6 ("netfilter: nf_tables: get set elements via netlink") from v4.15] Signed-off-by: Vegard Nossum --- net/netfilter/nf_tables_api.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 0d71f607a4c6..aa4ab5cb7c32 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -4394,8 +4394,10 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk, nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { err = nft_add_set_elem(&ctx, set, attr, nlh->nlmsg_flags); - if (err < 0) + if (err < 0) { + NL_SET_BAD_ATTR(extack, attr); break; + } } return err; } @@ -4588,9 +4590,10 @@ static int nf_tables_delsetelem(struct net *net, struct sock *nlsk, nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { err = nft_del_setelem(&ctx, set, attr); - if (err < 0) + if (err < 0) { + NL_SET_BAD_ATTR(extack, attr); break; - + } set->ndeact++; } return err; From 827a69923a6dddeb669678005299af5144147452 Mon Sep 17 00:00:00 2001 From: Chris Wilson Date: Sat, 30 Jun 2018 10:05:09 +0100 Subject: [PATCH 163/173] drm/i915: Try GGTT mmapping whole object as partial If the whole object is already pinned by HW for use as scanout, we will fail to move it to the mappable region and so must resort to using a partial VMA covering the whole object. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=104513 Fixes: aa136d9d72c2 ("drm/i915: Convert partial ggtt vma to full ggtt if it spans the entire object") Signed-off-by: Chris Wilson Cc: Joonas Lahtinen Cc: Matthew Auld Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20180630090509.469-1-chris@chris-wilson.co.uk (cherry picked from commit 7e7367d3bc6cf27dd7e007e7897fcebfeff1ee8b) Signed-off-by: Vegard Nossum --- drivers/gpu/drm/i915/i915_gem.c | 28 +++++++++++++++++----------- drivers/gpu/drm/i915/i915_vma.c | 2 +- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index 08d31744e2d9..dcc7d968ed16 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1831,7 +1831,6 @@ int i915_gem_fault(struct vm_fault *vmf) bool write = !!(vmf->flags & FAULT_FLAG_WRITE); struct i915_vma *vma; pgoff_t page_offset; - unsigned int flags; int ret; /* Sanity check that we allow writing into this object */ @@ -1871,27 +1870,34 @@ int i915_gem_fault(struct vm_fault *vmf) goto err_unlock; } - /* If the object is smaller than a couple of partial vma, it is - * not worth only creating a single partial vma - we may as well - * clear enough space for the full object. - */ - flags = PIN_MAPPABLE; - if (obj->base.size > 2 * MIN_CHUNK_PAGES << PAGE_SHIFT) - flags |= PIN_NONBLOCK | PIN_NONFAULT; /* Now pin it into the GTT as needed */ - vma = i915_gem_object_ggtt_pin(obj, NULL, 0, 0, flags); + vma = i915_gem_object_ggtt_pin(obj, NULL, 0, 0, + PIN_MAPPABLE | + PIN_NONBLOCK | + PIN_NONFAULT); if (IS_ERR(vma)) { /* Use a partial view if it is bigger than available space */ struct i915_ggtt_view view = compute_partial_view(obj, page_offset, MIN_CHUNK_PAGES); + unsigned int flags; - /* Userspace is now writing through an untracked VMA, abandon + flags = PIN_MAPPABLE; + if (view.type == I915_GGTT_VIEW_NORMAL) + flags |= PIN_NONBLOCK; /* avoid warnings for pinned */ + + /* + * Userspace is now writing through an untracked VMA, abandon * all hope that the hardware is able to track future writes. */ obj->frontbuffer_ggtt_origin = ORIGIN_CPU; - vma = i915_gem_object_ggtt_pin(obj, &view, 0, 0, PIN_MAPPABLE); + vma = i915_gem_object_ggtt_pin(obj, &view, 0, 0, flags); + if (IS_ERR(vma) && !view.type) { + flags = PIN_MAPPABLE; + view.type = I915_GGTT_VIEW_PARTIAL; + vma = i915_gem_object_ggtt_pin(obj, &view, 0, 0, flags); + } } if (IS_ERR(vma)) { ret = PTR_ERR(vma); diff --git a/drivers/gpu/drm/i915/i915_vma.c b/drivers/gpu/drm/i915/i915_vma.c index 5653e7bac914..fe61e8ff7764 100644 --- a/drivers/gpu/drm/i915/i915_vma.c +++ b/drivers/gpu/drm/i915/i915_vma.c @@ -103,7 +103,7 @@ vma_create(struct drm_i915_gem_object *obj, obj->base.size >> PAGE_SHIFT)); vma->size = view->partial.size; vma->size <<= PAGE_SHIFT; - GEM_BUG_ON(vma->size >= obj->base.size); + GEM_BUG_ON(vma->size > obj->base.size); } else if (view->type == I915_GGTT_VIEW_ROTATED) { vma->size = intel_rotation_info_size(&view->rotated); vma->size <<= PAGE_SHIFT; From 3ccfe379cab98c308e84733885655b1c7c956b80 Mon Sep 17 00:00:00 2001 From: Andi Shyti Date: Fri, 2 Aug 2024 10:38:50 +0200 Subject: [PATCH 164/173] drm/i915/gem: Fix Virtual Memory mapping boundaries calculation commit 8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3 upstream. Calculating the size of the mapped area as the lesser value between the requested size and the actual size does not consider the partial mapping offset. This can cause page fault access. Fix the calculation of the starting and ending addresses, the total size is now deduced from the difference between the end and start addresses. Additionally, the calculations have been rewritten in a clearer and more understandable form. Fixes: c58305af1835 ("drm/i915: Use remap_io_mapping() to prefault all PTE in a single pass") Reported-by: Jann Horn Co-developed-by: Chris Wilson Signed-off-by: Chris Wilson Signed-off-by: Andi Shyti Cc: Joonas Lahtinen Cc: Matthew Auld Cc: Rodrigo Vivi Cc: # v4.9+ Reviewed-by: Jann Horn Reviewed-by: Jonathan Cavitt [Joonas: Add Requires: tag] Requires: 60a2066c5005 ("drm/i915/gem: Adjust vma offset for framebuffer mmap offset") Signed-off-by: Joonas Lahtinen Link: https://patchwork.freedesktop.org/patch/msgid/20240802083850.103694-3-andi.shyti@linux.intel.com (cherry picked from commit 97b6784753da06d9d40232328efc5c5367e53417) Signed-off-by: Joonas Lahtinen Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 3e06073d24807f04b4694108a8474decb7b99e60) [Vegard: resolve conflict due to missing commit a65adaf8a834504a4acdc0deca7fa790771add8a ("drm/i915: Track user GTT faulting per-vma") from v4.15 and commit 73ebd503034c1abe ("drm/i915: make mappable struct resource centric") which motivates the start -> mappable_base and iomap -> mappable changes. Remove 'goto err_fence' as we have nothing else to do on failure; it should be OK to leave the GEM object on the mm's userfaultfd list.] Signed-off-by: Vegard Nossum --- drivers/gpu/drm/i915/i915_gem.c | 47 +++++++++++++++++++++++++++++---- 1 file changed, 42 insertions(+), 5 deletions(-) diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c index dcc7d968ed16..6dca9b4ecb92 100644 --- a/drivers/gpu/drm/i915/i915_gem.c +++ b/drivers/gpu/drm/i915/i915_gem.c @@ -1802,6 +1802,39 @@ compute_partial_view(struct drm_i915_gem_object *obj, return view; } +static void set_address_limits(struct vm_area_struct *area, + struct i915_vma *vma, + unsigned long *start_vaddr, + unsigned long *end_vaddr) +{ + unsigned long vm_start, vm_end, vma_size; /* user's memory parameters */ + long start, end; /* memory boundaries */ + + /* + * Let's move into the ">> PAGE_SHIFT" + * domain to be sure not to lose bits + */ + vm_start = area->vm_start >> PAGE_SHIFT; + vm_end = area->vm_end >> PAGE_SHIFT; + vma_size = vma->size >> PAGE_SHIFT; + + /* + * Calculate the memory boundaries by considering the offset + * provided by the user during memory mapping and the offset + * provided for the partial mapping. + */ + start = vm_start; + start += vma->ggtt_view.partial.offset; + end = start + vma_size; + + start = max_t(long, start, vm_start); + end = min_t(long, end, vm_end); + + /* Let's move back into the "<< PAGE_SHIFT" domain */ + *start_vaddr = (unsigned long)start << PAGE_SHIFT; + *end_vaddr = (unsigned long)end << PAGE_SHIFT; +} + /** * i915_gem_fault - fault a page into the GTT * @vmf: fault info @@ -1829,8 +1862,10 @@ int i915_gem_fault(struct vm_fault *vmf) struct drm_i915_private *dev_priv = to_i915(dev); struct i915_ggtt *ggtt = &dev_priv->ggtt; bool write = !!(vmf->flags & FAULT_FLAG_WRITE); + unsigned long start, end; /* memory boundaries */ struct i915_vma *vma; pgoff_t page_offset; + unsigned long pfn; int ret; /* Sanity check that we allow writing into this object */ @@ -1917,12 +1952,14 @@ int i915_gem_fault(struct vm_fault *vmf) if (list_empty(&obj->userfault_link)) list_add(&obj->userfault_link, &dev_priv->mm.userfault_list); + set_address_limits(area, vma, &start, &end); + + pfn = (ggtt->mappable_base + i915_ggtt_offset(vma)) >> PAGE_SHIFT; + pfn += (start - area->vm_start) >> PAGE_SHIFT; + pfn -= vma->ggtt_view.partial.offset; + /* Finally, remap it using the new GTT offset */ - ret = remap_io_mapping(area, - area->vm_start + (vma->ggtt_view.partial.offset << PAGE_SHIFT), - (ggtt->mappable_base + vma->node.start) >> PAGE_SHIFT, - min_t(u64, vma->size, area->vm_end - area->vm_start), - &ggtt->mappable); + ret = remap_io_mapping(area, start, pfn, end - start, &ggtt->mappable); err_unpin: __i915_vma_unpin(vma); From 02acb3b20db4e8372b854be6ce9846446def401c Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Thu, 8 Aug 2024 11:39:08 -0700 Subject: [PATCH 165/173] exec: Fix ToCToU between perm check and set-uid/gid usage commit f50733b45d865f91db90919f8311e2127ce5a0cb upstream. When opening a file for exec via do_filp_open(), permission checking is done against the file's metadata at that moment, and on success, a file pointer is passed back. Much later in the execve() code path, the file metadata (specifically mode, uid, and gid) is used to determine if/how to set the uid and gid. However, those values may have changed since the permissions check, meaning the execution may gain unintended privileges. For example, if a file could change permissions from executable and not set-id: ---------x 1 root root 16048 Aug 7 13:16 target to set-id and non-executable: ---S------ 1 root root 16048 Aug 7 13:16 target it is possible to gain root privileges when execution should have been disallowed. While this race condition is rare in real-world scenarios, it has been observed (and proven exploitable) when package managers are updating the setuid bits of installed programs. Such files start with being world-executable but then are adjusted to be group-exec with a set-uid bit. For example, "chmod o-x,u+s target" makes "target" executable only by uid "root" and gid "cdrom", while also becoming setuid-root: -rwxr-xr-x 1 root cdrom 16048 Aug 7 13:16 target becomes: -rwsr-xr-- 1 root cdrom 16048 Aug 7 13:16 target But racing the chmod means users without group "cdrom" membership can get the permission to execute "target" just before the chmod, and when the chmod finishes, the exec reaches brpm_fill_uid(), and performs the setuid to root, violating the expressed authorization of "only cdrom group members can setuid to root". Re-check that we still have execute permissions in case the metadata has changed. It would be better to keep a copy from the perm-check time, but until we can do that refactoring, the least-bad option is to do a full inode_permission() call (under inode lock). It is understood that this is safe against dead-locks, but hardly optimal. Reported-by: Marco Vanotti Tested-by: Marco Vanotti Suggested-by: Linus Torvalds Cc: stable@vger.kernel.org Cc: Eric Biederman Cc: Alexander Viro Cc: Christian Brauner Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman (cherry picked from commit d5c3c7e26275a2d83b894d30f7582a42853a958f) Signed-off-by: Vegard Nossum --- fs/exec.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/exec.c b/fs/exec.c index d68b4d44efc2..ce1b3d022b84 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1513,6 +1513,7 @@ static void bprm_fill_uid(struct linux_binprm *bprm) unsigned int mode; kuid_t uid; kgid_t gid; + int err; /* * Since this can be called multiple times (via prepare_binprm), @@ -1537,12 +1538,17 @@ static void bprm_fill_uid(struct linux_binprm *bprm) /* Be careful if suid/sgid is set */ inode_lock(inode); - /* reload atomically mode/uid/gid now that lock held */ + /* Atomically reload and check mode/uid/gid now that lock held. */ mode = inode->i_mode; uid = inode->i_uid; gid = inode->i_gid; + err = inode_permission(inode, MAY_EXEC); inode_unlock(inode); + /* Did the exec bit vanish out from under us? Give up. */ + if (err) + return; + /* We ignore suid/sgid if there are no mappings for them in the ns */ if (!kuid_has_mapping(bprm->cred->user_ns, uid) || !kgid_has_mapping(bprm->cred->user_ns, gid)) From 92af3424a5a42e8014f39c82996fe01a8ba6aaf0 Mon Sep 17 00:00:00 2001 From: WangYuli Date: Mon, 15 Jul 2024 17:31:44 +0800 Subject: [PATCH 166/173] nvme/pci: Add APST quirk for Lenovo N60z laptop commit ab091ec536cb7b271983c0c063b17f62f3591583 upstream. There is a hardware power-saving problem with the Lenovo N60z board. When turn it on and leave it for 10 hours, there is a 20% chance that a nvme disk will not wake up until reboot. Link: https://lore.kernel.org/all/2B5581C46AC6E335+9c7a81f1-05fb-4fd0-9fbb-108757c21628@uniontech.com Signed-off-by: hmy Signed-off-by: Wentao Guan Signed-off-by: WangYuli Signed-off-by: Keith Busch Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 9cc0878c7d7f12c10b3cc40197668816c918b465) Signed-off-by: Vegard Nossum --- drivers/nvme/host/pci.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index de23f2814877..8aedd107ef84 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -2349,6 +2349,13 @@ static unsigned long check_vendor_combination_bug(struct pci_dev *pdev) return NVME_QUIRK_NO_APST; } + /* + * NVMe SSD drops off the PCIe bus after system idle + * for 10 hours on a Lenovo N60z board. + */ + if (dmi_match(DMI_BOARD_NAME, "LXKT-ZXEG-N6")) + return NVME_QUIRK_NO_APST; + return 0; } From af183b69eaca031e9e4833d356ba1ef6c2adbaba Mon Sep 17 00:00:00 2001 From: Harshit Mogalapalli Date: Wed, 9 Oct 2024 11:53:28 +0000 Subject: [PATCH 167/173] Revert "selftests: make order checking verbose in msg_zerocopy selftest" This reverts commit 3688bfa238e9ea94bff46c0dc030f412f239a08c. Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- tools/testing/selftests/net/msg_zerocopy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c index 7cfc7713ca7f..2323a9e60f54 100644 --- a/tools/testing/selftests/net/msg_zerocopy.c +++ b/tools/testing/selftests/net/msg_zerocopy.c @@ -400,7 +400,7 @@ static bool do_recv_completion(int fd, int domain) /* Detect notification gaps. These should not happen often, if at all. * Gaps can occur due to drops, reordering and retransmissions. */ - if (cfg_verbose && lo != next_completion) + if (lo != next_completion) fprintf(stderr, "gap: %u..%u does not append to %u\n", lo, hi, next_completion); next_completion = hi + 1; From 2cb49c145133dc3d8b38832afe4be57ffc94836a Mon Sep 17 00:00:00 2001 From: Harshit Mogalapalli Date: Wed, 9 Oct 2024 11:54:12 +0000 Subject: [PATCH 168/173] Revert "selftests: fix OOM in msg_zerocopy selftest" This reverts commit c75d2712b73df3ce9a145395882cee0d56f8916f. Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- tools/testing/selftests/net/msg_zerocopy.c | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c index 2323a9e60f54..ab7e4beca8df 100644 --- a/tools/testing/selftests/net/msg_zerocopy.c +++ b/tools/testing/selftests/net/msg_zerocopy.c @@ -81,7 +81,6 @@ static bool cfg_rx; static int cfg_runtime_ms = 4200; static int cfg_verbose; static int cfg_waittime_ms = 500; -static int cfg_notification_limit = 32; static bool cfg_zerocopy; static socklen_t cfg_alen; @@ -92,7 +91,6 @@ static char payload[IP_MAXPACKET]; static long packets, bytes, completions, expected_completions; static int zerocopied = -1; static uint32_t next_completion; -static uint32_t sends_since_notify; static unsigned long gettimeofday_ms(void) { @@ -184,7 +182,6 @@ static bool do_sendmsg(int fd, struct msghdr *msg, bool do_zerocopy) error(1, errno, "send"); if (cfg_verbose && ret != len) fprintf(stderr, "send: ret=%u != %u\n", ret, len); - sends_since_notify++; if (len) { packets++; @@ -425,7 +422,6 @@ static bool do_recv_completion(int fd, int domain) static void do_recv_completions(int fd, int domain) { while (do_recv_completion(fd, domain)) {} - sends_since_notify = 0; } /* Wait for all remaining completions on the errqueue */ @@ -508,9 +504,6 @@ static void do_tx(int domain, int type, int protocol) else do_sendmsg(fd, &msg, cfg_zerocopy); - if (cfg_zerocopy && sends_since_notify >= cfg_notification_limit) - do_recv_completions(fd, domain); - while (!do_poll(fd, POLLOUT)) { if (cfg_zerocopy) do_recv_completions(fd, domain); @@ -668,7 +661,7 @@ static void parse_opts(int argc, char **argv) cfg_payload_len = max_payload_len; - while ((c = getopt(argc, argv, "46c:C:D:i:l:mp:rs:S:t:vz")) != -1) { + while ((c = getopt(argc, argv, "46c:C:D:i:mp:rs:S:t:vz")) != -1) { switch (c) { case '4': if (cfg_family != PF_UNSPEC) @@ -696,9 +689,6 @@ static void parse_opts(int argc, char **argv) if (cfg_ifindex == 0) error(1, errno, "invalid iface: %s", optarg); break; - case 'l': - cfg_notification_limit = strtoul(optarg, NULL, 0); - break; case 'm': cfg_cork_mixed = true; break; From d110d6dd927f5a2911fc5e697a14026eacc5da69 Mon Sep 17 00:00:00 2001 From: Harshit Mogalapalli Date: Wed, 9 Oct 2024 11:54:14 +0000 Subject: [PATCH 169/173] Revert "selftests/net: reap zerocopy completions passed up as ancillary data." This reverts commit a8987b87ffb8455fddf7b29734f043256d589a34. Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- tools/testing/selftests/net/msg_zerocopy.c | 65 +++------------------- 1 file changed, 8 insertions(+), 57 deletions(-) diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c index ab7e4beca8df..6184d2a4c4a6 100644 --- a/tools/testing/selftests/net/msg_zerocopy.c +++ b/tools/testing/selftests/net/msg_zerocopy.c @@ -306,53 +306,7 @@ static int do_setup_tx(int domain, int type, int protocol) return fd; } -static uint32_t do_process_zerocopy_cookies(struct rds_zcopy_cookies *ck) -{ - int i; - - if (ck->num > RDS_MAX_ZCOOKIES) - error(1, 0, "Returned %d cookies, max expected %d\n", - ck->num, RDS_MAX_ZCOOKIES); - for (i = 0; i < ck->num; i++) - if (cfg_verbose >= 2) - fprintf(stderr, "%d\n", ck->cookies[i]); - return ck->num; -} - -static bool do_recvmsg_completion(int fd) -{ - char cmsgbuf[CMSG_SPACE(sizeof(struct rds_zcopy_cookies))]; - struct rds_zcopy_cookies *ck; - struct cmsghdr *cmsg; - struct msghdr msg; - bool ret = false; - - memset(&msg, 0, sizeof(msg)); - msg.msg_control = cmsgbuf; - msg.msg_controllen = sizeof(cmsgbuf); - - if (recvmsg(fd, &msg, MSG_DONTWAIT)) - return ret; - - if (msg.msg_flags & MSG_CTRUNC) - error(1, errno, "recvmsg notification: truncated"); - - for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { - if (cmsg->cmsg_level == SOL_RDS && - cmsg->cmsg_type == RDS_CMSG_ZCOPY_COMPLETION) { - - ck = (struct rds_zcopy_cookies *)CMSG_DATA(cmsg); - completions += do_process_zerocopy_cookies(ck); - ret = true; - break; - } - error(0, 0, "ignoring cmsg at level %d type %d\n", - cmsg->cmsg_level, cmsg->cmsg_type); - } - return ret; -} - -static bool do_recv_completion(int fd, int domain) +static bool do_recv_completion(int fd) { struct sock_extended_err *serr; struct msghdr msg = {}; @@ -361,9 +315,6 @@ static bool do_recv_completion(int fd, int domain) int ret, zerocopy; char control[100]; - if (domain == PF_RDS) - return do_recvmsg_completion(fd); - msg.msg_control = control; msg.msg_controllen = sizeof(control); @@ -419,20 +370,20 @@ static bool do_recv_completion(int fd, int domain) } /* Read all outstanding messages on the errqueue */ -static void do_recv_completions(int fd, int domain) +static void do_recv_completions(int fd) { - while (do_recv_completion(fd, domain)) {} + while (do_recv_completion(fd)) {} } /* Wait for all remaining completions on the errqueue */ -static void do_recv_remaining_completions(int fd, int domain) +static void do_recv_remaining_completions(int fd) { int64_t tstop = gettimeofday_ms() + cfg_waittime_ms; while (completions < expected_completions && gettimeofday_ms() < tstop) { - if (do_poll(fd, domain == PF_RDS ? POLLIN : POLLERR)) - do_recv_completions(fd, domain); + if (do_poll(fd, POLLERR)) + do_recv_completions(fd); } if (completions < expected_completions) @@ -506,13 +457,13 @@ static void do_tx(int domain, int type, int protocol) while (!do_poll(fd, POLLOUT)) { if (cfg_zerocopy) - do_recv_completions(fd, domain); + do_recv_completions(fd); } } while (gettimeofday_ms() < tstop); if (cfg_zerocopy) - do_recv_remaining_completions(fd, domain); + do_recv_remaining_completions(fd); if (close(fd)) error(1, errno, "close"); From 2d49c59f9120bc00d0cf6f055311d8f9ab7bb90d Mon Sep 17 00:00:00 2001 From: Zijian Zhang Date: Mon, 1 Jul 2024 22:53:48 +0000 Subject: [PATCH 170/173] selftests: fix OOM in msg_zerocopy selftest [ Upstream commit af2b7e5b741aaae9ffbba2c660def434e07aa241 ] In selftests/net/msg_zerocopy.c, it has a while loop keeps calling sendmsg on a socket with MSG_ZEROCOPY flag, and it will recv the notifications until the socket is not writable. Typically, it will start the receiving process after around 30+ sendmsgs. However, as the introduction of commit dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale"), the sender is always writable and does not get any chance to run recv notifications. The selftest always exits with OUT_OF_MEMORY because the memory used by opt_skb exceeds the net.core.optmem_max. Meanwhile, it could be set to a different value to trigger OOM on older kernels too. Thus, we introduce "cfg_notification_limit" to force sender to receive notifications after some number of sendmsgs. Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") Signed-off-by: Zijian Zhang Signed-off-by: Xiaochun Lu Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/20240701225349.3395580-2-zijianzhang@bytedance.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit d6ab0198fb470e1a9948d08c610a94601a1fdb2c) [Harshit: Fix conflict due to missing commit: a8987b87ffb8 ("selftests/net: reap zerocopy completions passed up as ancillary data.") in 4.14.y, we had to revert this due to selftests compilation failures, minor conflicts resolved due to do_recv_completions() definition, used do_recv_completions(fd) instead of do_recv_completions(fd, domain);] Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- tools/testing/selftests/net/msg_zerocopy.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c index 6184d2a4c4a6..9f007b91a558 100644 --- a/tools/testing/selftests/net/msg_zerocopy.c +++ b/tools/testing/selftests/net/msg_zerocopy.c @@ -81,6 +81,7 @@ static bool cfg_rx; static int cfg_runtime_ms = 4200; static int cfg_verbose; static int cfg_waittime_ms = 500; +static int cfg_notification_limit = 32; static bool cfg_zerocopy; static socklen_t cfg_alen; @@ -91,6 +92,7 @@ static char payload[IP_MAXPACKET]; static long packets, bytes, completions, expected_completions; static int zerocopied = -1; static uint32_t next_completion; +static uint32_t sends_since_notify; static unsigned long gettimeofday_ms(void) { @@ -182,6 +184,7 @@ static bool do_sendmsg(int fd, struct msghdr *msg, bool do_zerocopy) error(1, errno, "send"); if (cfg_verbose && ret != len) fprintf(stderr, "send: ret=%u != %u\n", ret, len); + sends_since_notify++; if (len) { packets++; @@ -373,6 +376,7 @@ static bool do_recv_completion(int fd) static void do_recv_completions(int fd) { while (do_recv_completion(fd)) {} + sends_since_notify = 0; } /* Wait for all remaining completions on the errqueue */ @@ -455,6 +459,9 @@ static void do_tx(int domain, int type, int protocol) else do_sendmsg(fd, &msg, cfg_zerocopy); + if (cfg_zerocopy && sends_since_notify >= cfg_notification_limit) + do_recv_completions(fd); + while (!do_poll(fd, POLLOUT)) { if (cfg_zerocopy) do_recv_completions(fd); @@ -612,7 +619,7 @@ static void parse_opts(int argc, char **argv) cfg_payload_len = max_payload_len; - while ((c = getopt(argc, argv, "46c:C:D:i:mp:rs:S:t:vz")) != -1) { + while ((c = getopt(argc, argv, "46c:C:D:i:l:mp:rs:S:t:vz")) != -1) { switch (c) { case '4': if (cfg_family != PF_UNSPEC) @@ -640,6 +647,9 @@ static void parse_opts(int argc, char **argv) if (cfg_ifindex == 0) error(1, errno, "invalid iface: %s", optarg); break; + case 'l': + cfg_notification_limit = strtoul(optarg, NULL, 0); + break; case 'm': cfg_cork_mixed = true; break; From 144aa689351646efa81ec2ad9f0ba41599d9ffc8 Mon Sep 17 00:00:00 2001 From: Zijian Zhang Date: Mon, 1 Jul 2024 22:53:49 +0000 Subject: [PATCH 171/173] selftests: make order checking verbose in msg_zerocopy selftest [ Upstream commit 7d6d8f0c8b700c9493f2839abccb6d29028b4219 ] We find that when lock debugging is on, notifications may not come in order. Thus, we have order checking outputs managed by cfg_verbose, to avoid too many outputs in this case. Fixes: 07b65c5b31ce ("test: add msg_zerocopy test") Signed-off-by: Zijian Zhang Signed-off-by: Xiaochun Lu Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/20240701225349.3395580-3-zijianzhang@bytedance.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin (cherry picked from commit b1cb48187a6edc2ab72f5b3e6b4af7a232730d64) Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- tools/testing/selftests/net/msg_zerocopy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/net/msg_zerocopy.c b/tools/testing/selftests/net/msg_zerocopy.c index 9f007b91a558..8e1d1bab697a 100644 --- a/tools/testing/selftests/net/msg_zerocopy.c +++ b/tools/testing/selftests/net/msg_zerocopy.c @@ -351,7 +351,7 @@ static bool do_recv_completion(int fd) /* Detect notification gaps. These should not happen often, if at all. * Gaps can occur due to drops, reordering and retransmissions. */ - if (lo != next_completion) + if (cfg_verbose && lo != next_completion) fprintf(stderr, "gap: %u..%u does not append to %u\n", lo, hi, next_completion); next_completion = hi + 1; From 795faf9727a66039c7c80e011fe0bad5bd88dd83 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Tue, 28 May 2024 11:43:53 +0000 Subject: [PATCH 172/173] net: fix __dst_negative_advice() race commit 92f1655aa2b2294d0b49925f3b875a634bd3b59e upstream. __dst_negative_advice() does not enforce proper RCU rules when sk->dst_cache must be cleared, leading to possible UAF. RCU rules are that we must first clear sk->sk_dst_cache, then call dst_release(old_dst). Note that sk_dst_reset(sk) is implementing this protocol correctly, while __dst_negative_advice() uses the wrong order. Given that ip6_negative_advice() has special logic against RTF_CACHE, this means each of the three ->negative_advice() existing methods must perform the sk_dst_reset() themselves. Note the check against NULL dst is centralized in __dst_negative_advice(), there is no need to duplicate it in various callbacks. Many thanks to Clement Lecigne for tracking this issue. This old bug became visible after the blamed commit, using UDP sockets. Fixes: a87cb3e48ee8 ("net: Facility to report route quality of connected sockets") Reported-by: Clement Lecigne Diagnosed-by: Clement Lecigne Signed-off-by: Eric Dumazet Cc: Tom Herbert Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20240528114353.1794151-1-edumazet@google.com Signed-off-by: Jakub Kicinski [mheyne: contextual conflict in ip6_negative_advice due to missing commit c3c14da0288d ("net/ipv6: add rcu locking to ip6_negative_advice") and commit 93531c674315 ("net/ipv6: separate handling of FIB entries from dst based routes")] Signed-off-by: Maximilian Heyne Signed-off-by: Harshit Mogalapalli Signed-off-by: Vegard Nossum --- include/net/dst_ops.h | 2 +- include/net/sock.h | 13 +++---------- net/ipv4/route.c | 22 ++++++++-------------- net/ipv6/route.c | 25 +++++++++++++------------ net/xfrm/xfrm_policy.c | 11 +++-------- 5 files changed, 28 insertions(+), 45 deletions(-) diff --git a/include/net/dst_ops.h b/include/net/dst_ops.h index 632086b2f644..3ae2fda29507 100644 --- a/include/net/dst_ops.h +++ b/include/net/dst_ops.h @@ -24,7 +24,7 @@ struct dst_ops { void (*destroy)(struct dst_entry *); void (*ifdown)(struct dst_entry *, struct net_device *dev, int how); - struct dst_entry * (*negative_advice)(struct dst_entry *); + void (*negative_advice)(struct sock *sk, struct dst_entry *); void (*link_failure)(struct sk_buff *); void (*update_pmtu)(struct dst_entry *dst, struct sock *sk, struct sk_buff *skb, u32 mtu, diff --git a/include/net/sock.h b/include/net/sock.h index 3d8370b7dcb7..b6844b2430c1 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -1802,19 +1802,12 @@ sk_dst_get(struct sock *sk) static inline void dst_negative_advice(struct sock *sk) { - struct dst_entry *ndst, *dst = __sk_dst_get(sk); + struct dst_entry *dst = __sk_dst_get(sk); sk_rethink_txhash(sk); - if (dst && dst->ops->negative_advice) { - ndst = dst->ops->negative_advice(dst); - - if (ndst != dst) { - rcu_assign_pointer(sk->sk_dst_cache, ndst); - sk_tx_queue_clear(sk); - WRITE_ONCE(sk->sk_dst_pending_confirm, 0); - } - } + if (dst && dst->ops->negative_advice) + dst->ops->negative_advice(sk, dst); } static inline void diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 2ce7fbec55ea..c4d628d72b90 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -141,7 +141,8 @@ static int ip_rt_gc_timeout __read_mostly = RT_GC_TIMEOUT; static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie); static unsigned int ipv4_default_advmss(const struct dst_entry *dst); static unsigned int ipv4_mtu(const struct dst_entry *dst); -static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst); +static void ipv4_negative_advice(struct sock *sk, + struct dst_entry *dst); static void ipv4_link_failure(struct sk_buff *skb); static void ip_rt_update_pmtu(struct dst_entry *dst, struct sock *sk, struct sk_buff *skb, u32 mtu, @@ -863,22 +864,15 @@ static void ip_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_buf __ip_do_redirect(rt, skb, &fl4, true); } -static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst) +static void ipv4_negative_advice(struct sock *sk, + struct dst_entry *dst) { struct rtable *rt = (struct rtable *)dst; - struct dst_entry *ret = dst; - if (rt) { - if (dst->obsolete > 0) { - ip_rt_put(rt); - ret = NULL; - } else if ((rt->rt_flags & RTCF_REDIRECTED) || - rt->dst.expires) { - ip_rt_put(rt); - ret = NULL; - } - } - return ret; + if ((dst->obsolete > 0) || + (rt->rt_flags & RTCF_REDIRECTED) || + rt->dst.expires) + sk_dst_reset(sk); } /* diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 464902a22216..844179ccccc4 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -81,7 +81,8 @@ static void ip6_rt_copy_init(struct rt6_info *rt, struct rt6_info *ort); static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie); static unsigned int ip6_default_advmss(const struct dst_entry *dst); static unsigned int ip6_mtu(const struct dst_entry *dst); -static struct dst_entry *ip6_negative_advice(struct dst_entry *); +static void ip6_negative_advice(struct sock *sk, + struct dst_entry *dst); static void ip6_dst_destroy(struct dst_entry *); static void ip6_dst_ifdown(struct dst_entry *, struct net_device *dev, int how); @@ -1415,22 +1416,22 @@ static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie) return rt6_check(rt, cookie); } -static struct dst_entry *ip6_negative_advice(struct dst_entry *dst) +static void ip6_negative_advice(struct sock *sk, + struct dst_entry *dst) { struct rt6_info *rt = (struct rt6_info *) dst; - if (rt) { - if (rt->rt6i_flags & RTF_CACHE) { - if (rt6_check_expired(rt)) { - ip6_del_rt(rt); - dst = NULL; - } - } else { - dst_release(dst); - dst = NULL; + if (rt->rt6i_flags & RTF_CACHE) { + if (rt6_check_expired(rt)) { + /* counteract the dst_release() in sk_dst_reset() */ + dst_hold(dst); + sk_dst_reset(sk); + + ip6_del_rt(rt); } + return; } - return dst; + sk_dst_reset(sk); } static void ip6_link_failure(struct sk_buff *skb) diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 05844a0f6df5..ea1a24282a7c 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -2484,15 +2484,10 @@ static void xfrm_link_failure(struct sk_buff *skb) /* Impossible. Such dst must be popped before reaches point of failure. */ } -static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst) +static void xfrm_negative_advice(struct sock *sk, struct dst_entry *dst) { - if (dst) { - if (dst->obsolete) { - dst_release(dst); - dst = NULL; - } - } - return dst; + if (dst->obsolete) + sk_dst_reset(sk); } static void xfrm_init_pmtu(struct dst_entry *dst) From d6891be5771f3f4e5afba41bc34cf7c8aac7993a Mon Sep 17 00:00:00 2001 From: Vegard Nossum Date: Thu, 10 Oct 2024 10:29:02 +0000 Subject: [PATCH 173/173] LTS: Update to 4.14.353 This corresponds to 4.19.320 upstream (v4.19.319..v4.19.320). Signed-off-by: Vegard Nossum --- .elts/config.yaml | 4 +- .elts/meta/4.14.353.yaml | 661 +++++++++++++++++++++++++++++ .elts/upstream/4.19.320.yaml | 784 +++++++++++++++++++++++++++++++++++ Makefile | 2 +- 4 files changed, 1448 insertions(+), 3 deletions(-) create mode 100644 .elts/meta/4.14.353.yaml create mode 100644 .elts/upstream/4.19.320.yaml diff --git a/.elts/config.yaml b/.elts/config.yaml index 43a7d46ea912..b8e21a3286c0 100644 --- a/.elts/config.yaml +++ b/.elts/config.yaml @@ -1,5 +1,5 @@ upstream_repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git upstream_base: 4.19.304 base: 4.14.336 -upstream_version: 4.19.319 -version: 4.14.352 +upstream_version: 4.19.320 +version: 4.14.353 diff --git a/.elts/meta/4.14.353.yaml b/.elts/meta/4.14.353.yaml new file mode 100644 index 000000000000..0a1c8d23affd --- /dev/null +++ b/.elts/meta/4.14.353.yaml @@ -0,0 +1,661 @@ +dd6caa8da1ace4e2e4f02eb5284addebf4c5c2bb: + title: 'platform/chrome: cros_ec_debugfs: fix wrong EC message version' + mainline: c2a28647bbb4e0894e8824362410f72b06ac57a4 + upstream: c0e53e36452d1b2a3ec71bf0586251245a5686c0 +78659ded3dbb7237c1582e91776e86a6b3247515: + title: 'x86/of: Return consistent error type from x86_of_pci_irq_enable()' + mainline: ec0b4c4d45cf7cf9a6c9626a494a89cb1ae7c645 + upstream: 56d64c36b2aac95c9c24e303fb746591ecfa096a +5f1342ecebaf8161a43bcc1b8958c280452c8171: + title: 'x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling' + mainline: 724852059e97c48557151b3aa4af424614819752 + upstream: 600a520cc4e661aa712415e4a733924e9d22777d +125df213ac935a71782e5c091206853ff9cb5556: + title: 'x86/pci/xen: Fix PCIBIOS_* return code handling' + mainline: e9d7b435dfaec58432f4106aaa632bf39f52ce9f + upstream: 5294b91618250c7719e4c85096cafe8f76a1bc20 +21be2282360c7df8b2535f9c2883674234dc7de2: + title: 'x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos' + mainline: 7821fa101eab529521aa4b724bf708149d70820c + upstream: 3f4f08e59ddf359da5bc4226ba865a59177a3a50 +1dd63dd3a8a7617a90bc1a9068fedb6adf5f5aac: + title: 'hwmon: (adt7475) Fix default duty on fan is disabled' + mainline: 39b24cced70fdc336dbc0070f8b3bde61d8513a8 + upstream: d9c01877d4ba1e39bbdc43faeeceeef2768be8e7 +25d404099dccdfe51abb9f810a864ced8b9d912b: + title: 'pwm: stm32: Always do lazy disabling' + mainline: 7346e7a058a2c9aa9ff1cc699c7bf18a402d9f84 + upstream: 383729f057245972e13fb0708c5ec7dd985fc50d +42cc04b6ae182a372082afc1c28d67f92fed5c29: + title: 'hwmon: (max6697) Fix underflow when writing limit attributes' + mainline: cbf7467828cd4ec7ceac7a8b5b5ddb2f69f07b0e + upstream: 21998f2c68edd4a7922875f34b39ce2bb78fabc0 +625dffc4eaba4191520fb296a0e55743836bab4b: + title: 'hwmon: Introduce SENSOR_DEVICE_ATTR_{RO, RW, WO} and variants' + mainline: a5c47c0d388b939dd578fd466aa804b7f2445390 + upstream: eb04482acd9870b84970fe1549203fedc1bbcc79 +64785dce17bc282c55ed7f21c3fbc4391cdb1ab0: + title: 'hwmon: (max6697) Auto-convert to use SENSOR_DEVICE_ATTR_{RO, RW, WO}' + mainline: 740c2f2b86a71ad673f329241ac25cfe647aacd4 + upstream: 7a72d79eef89ce242e08edb18f64106374117295 +cb9e33d36836000d9a79d3b0121beee91c3323b9: + title: 'hwmon: (max6697) Fix swapped temp{1,8} critical alarms' + mainline: 1ea3fd1eb9869fcdcbc9c68f9728bfc47b9503f1 + upstream: 6b52603ed8bdcceb9b8c16d2db7abd19e024fbe2 +c731a44f2487b720039473b6255fba3ad26d7753: + title: 'arm64: dts: rockchip: Increase VOP clk rate on RK3328' + mainline: 0f2ddb128fa20f8441d903285632f2c69e90fae1 + upstream: 513fff3e8574d3c5b54ef71b6514cda12123879e +266d74e904f119b2251094862e9f7d56c3fb74fe: + title: 'm68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages' + mainline: f70065a9fd988983b2c693631b801f25a615fc04 + upstream: b6c2b179b6908e439b2385c25d7b3477e4be4dce +0d26a6a5f0bb7e82bfebf44b060294eec5a72b73: + title: 'x86/xen: Convert comma to semicolon' + mainline: 349d271416c61f82b853336509b1d0dc04c1fcbb + upstream: cb9ad82cf270ce5bdcf5e768af48966833cc3caa +8bc40077dd7c321cc45107a639c176d317892413: + title: 'm68k: cmpxchg: Fix return value for default case in __arch_xchg()' + mainline: 21b9e722ad28c19c2bc83f18f540b3dbd89bf762 + upstream: 8c43fbd39500ce7bdc779a772752cc2b436a692c +5fa524af8685b00160e9e766bbe196804a007844: + title: 'wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device' + mainline: c636fa85feb450ca414a10010ed05361a73c93a6 + upstream: f33757e8db8f33aba783b88120245ec53e5fa88a +1a85ab4b601786019135c37ec3f11927ba4a561d: + title: 'net: fec: Refactor: #define magic constants' + mainline: ff049886671ccd4e624a30ec464cb20e4c39a313 + upstream: b072c604d58b1cd1079c4e2f0d22b1f469dda347 +c3996b8fae20c268b6c49e70ea078bceb96d0c27: + title: 'net: fec: Fix FEC_ECR_EN1588 being cleared on link-down' + mainline: c32fe1986f27cac329767d3497986e306cad1d5e + upstream: 18074367ad100e129d0dccdaa64af6642363680b +2a3559125bd5fc024c30b1655b626abc0c2fa3eb: + title: 'ipvs: Avoid unnecessary calls to skb_is_gso_sctp' + mainline: 53796b03295cf7ab1fc8600016fa6dfbf4a494a0 + upstream: 9340804ea465de0509a9afaeaaccf3fb74b14f9b +6f7bc617b3b66436641dba5329718933aea4b889: + title: 'perf: Fix perf_aux_size() for greater-than 32-bit size' + mainline: 3df94a5b1078dfe2b0c03f027d018800faf44c82 + upstream: 542abbf58e88f34dfc659b63476a5976acf52c0e +26864f03cc21aaa1b9f2dbed5c8ad7bf676f2df4: + title: 'perf: Prevent passing zero nr_pages to rb_alloc_aux()' + mainline: dbc48c8f41c208082cfa95e973560134489e3309 + upstream: d7b1a76f33e6fc93924725b4410126740c890c44 +be35c98c5aa383407f62428c4169a79d5c243c26: + title: 'bna: adjust ''name'' buf size of bna_tcb and bna_ccb structures' + mainline: c9741a03dc8e491e57b95fba0058ab46b7e506da + upstream: f121740f69eda4da2de9a20a6687a13593e72540 +ce58b8f17bfc9cfad7fafb57ebb626850d4802ba: + title: 'media: imon: Fix race getting ictx->lock' + mainline: 24147897507cd3a7d63745d1518a638bf4132238 + upstream: 01b44d9e50a68ac3c645cc98a474455668dc8e70 +e0b07e242c61e819acf0143bb2c23d4859b135db: + title: 'saa7134: Unchecked i2c_transfer function result fixed' + mainline: 9d8683b3fd93f0e378f24dc3d9604e5d7d3e0a17 + upstream: 001583ad640c70987efd5af70566a69f146dc99c +0ae6e736f858e4c42ecf27fd1e8ecae18988ad81: + title: 'media: v4l: vsp1: Store pipeline pointer in vsp1_entity' +f0a224ecf4ca80033edee705bd34405dae4ea20a: + title: 'media: renesas: vsp1: Fix _irqsave and _irq mix' + mainline: 57edbbcf5258c378a9b9d0c80d33b03a010b22c8 + upstream: ab1325f1074da2cfa1259417fb6c93a0886e74c8 +49db8c90eba2da9ddc6f9a203a6d20984d1658a7: + title: 'media: renesas: vsp1: Store RPF partition configuration per RPF instance' + mainline: a213bc09b1025c771ee722ee341af1d84375db8a + upstream: ae16866626ecae26a7317e0372224d5480211ff7 +39632d1c383813e9ddb20088f6e9a3b44ee70569: + title: 'perf report: Fix condition in sort__sym_cmp()' + mainline: cb39d05e67dc24985ff9f5150e71040fa4d60ab8 + upstream: 2e6abffcb52a36c89c0a70499b86e0a99df15d1e +fa7e07d7ebb21ec8b937faeb3254a608c4d2eea2: + title: 'drm/etnaviv: fix DMA direction handling for cached RW buffers' + mainline: 58979ad6330a70450ed78837be3095107d022ea9 + upstream: c7c74c8256206ffc27212ada1f998f5a05b8c54f +5e8bf661518b825696c6ee219e62292e6bc8df93: + title: 'ext4: avoid writing unitialized memory to disk in EA inodes' + mainline: 65121eff3e4c8c90f8126debf3c369228691c591 + upstream: 282e8d4e9d33182a5ca25fe6333beafdc5282946 +0549d286c615b284448fa4d449c322f3ae2aa55f: + title: 'sparc64: Fix incorrect function signature and add prototype for prom_cif_init' + mainline: a6c3ea1ec96307dbfbb2f16d96c674c5cc80f445 + upstream: 6b4f676006a390edffd6a00f2ebc23276dd05031 +02a0104454d95405c65536870fdc426e8663512d: + title: 'PCI: Equalize hotplug memory and io for occupied and empty slots' + mainline: de3ffa301142bf8802a7b0de17f9985acde5c223 + upstream: 0012438a122c56d727712169df42fd0e297a42b0 +0a5d6964e9374945dfef1227972e8cc1a2a6d5ef: + title: 'PCI: Fix resource double counting on remove & rescan' + mainline: 903534fa7d30214d8ba840ab1cd9e917e0c88e41 + upstream: 2044071c6e42d041e3656bad105be5879f6b70f1 +8e50a9f8175582f34a709024496217f3fca864e5: + title: 'RDMA/mlx4: Fix truncated output warning in mad.c' + mainline: 0d2e6992fc956e3308cd5376c18567def4cb3967 + upstream: c4eaaf28068a99d8363bf02a20a32bf207be13e1 +e9d4656f8f0c014de2ffcf8d4903c4630c43c72b: + title: 'RDMA/mlx4: Fix truncated output warning in alias_GUID.c' + mainline: 5953e0647cec703ef436ead37fed48943507b433 + upstream: 087abc7e244700f741c0431af59b28e910a82dc1 +117e5c14bbbb75364fabcb7d2e70e19167efc931: + title: 'RDMA/rxe: Don''t set BTH_ACK_MASK for UC or UD QPs' + mainline: 4adcaf969d77d3d3aa3871bbadc196258a38aec6 + upstream: 796c0f32fc956b88c345195472e2d74823be0d03 +550d6bbd2dedbc88697932ddbe5f930b20a4d7c1: + title: 'mtd: make mtd_test.c a separate module' + mainline: a5cf054d325e6f362e82fe6d124a1871a4af8174 + upstream: 17b016971c27ee1e884da3ce502801cb95f84ff1 +e547f41337badd93753b4fe3ae3817ed8400abd6: + title: 'Input: elan_i2c - do not leave interrupt disabled on suspend failure' + mainline: 5f82c1e04721e7cd98e604eb4e58f0724d8e5a65 + upstream: 2ee59e846895b6b061defbc6cde83126f91b7abd +fd5b433d1390c5586bc367f3e10fbb226ad9e2ac: + title: 'MIPS: Octeron: remove source file executable bit' + mainline: 89c7f5078935872cf47a713a645affb5037be694 + upstream: 12bc3aca7d100a8f749c2a6fcdb6be08ad41c105 +971a6101e844da8bcbdd4bd046a826c6cc44d861: + title: 'powerpc/xmon: Fix disassembly CPU feature checks' + mainline: 14196e47c5ffe32af7ed5a51c9e421c5ea5bccce + upstream: 5b84d47a0baee13434fadb3b9506c39f51f9ab98 +20b6b7a306d9487bb507af81df8e926b8141d902: + title: 'macintosh/therm_windtunnel: fix module unload.' + mainline: fd748e177194ebcbbaf98df75152a30e08230cc6 + upstream: eeb9a0f79d8e4ea27b4f85a73f3765dc0046ab01 +4f51eb5763820de8cf9bc32b26b20d19f7ccfc5d: + title: 'bnxt_re: Fix imm_data endianness' + mainline: 95b087f87b780daafad1dbb2c84e81b729d5d33f + upstream: dfb40b2535b298b34b37780fe8eced6d38e28c5c +ccfb620ebf3085fca54472461544c796cbd7db5d: + title: 'netfilter: ctnetlink: use helper function to calculate expect ID' + mainline: 782161895eb4ac45cf7cfa8db375bd4766cb8299 + upstream: 66e7650dbbb8e236e781c670b167edc81e771450 +ee8bf45248bc530e2dc9a0a7f833febbe89fd2e1: + title: 'pinctrl: core: fix possible memory leak when pinctrl_enable() fails' + mainline: ae1cf4759972c5fe665ee4c5e0c29de66fe3cf4a + upstream: 636f8fe03a14b0994a3dbdc05c8fa8c8296c1357 +fbd206c9e544f6e8fbb844534d05817ab6ed637a: + title: 'pinctrl: single: fix possible memory leak when pinctrl_enable() fails' + mainline: 8f773bfbdd428819328a2d185976cfc6ae811cd3 + upstream: 9dad82c7c7424c240db65f10ad999266f2967479 +9521c0b13c94c6ad389f9a5d7f8213891d8924a7: + title: 'pinctrl: ti: ti-iodelay: Drop if block with always false condition' + mainline: 88b3f108502bc45e6ebd005702add46759f3f45a + upstream: 268b3ff414ae8942af9d6c981b5df8667c2b76b6 +78e3f7ec45416b8b0a25ef8fcbf85b653f49d5bb: + title: 'pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails' + mainline: 9b401f4a7170125365160c9af267a41ff6b39001 + upstream: 7d720f351714dcbeb578af67bb7e66326504826c +251acaffa0bd813f67f7a92082bdbd101c395f4d: + title: 'pinctrl: freescale: mxs: Fix refcount of child' + mainline: 7f500f2011c0bbb6e1cacab74b4c99222e60248e + upstream: c90d81a6e1f3daab4c06f7f8aba346abc76ae07a +2891e08c6f20e3c7b4b09dac8e949a195b46ff8c: + title: 'fs/nilfs2: remove some unused macros to tame gcc' + mainline: e7920b3e9d9f5470d5ff7d883e72a47addc0a137 + upstream: 175ac70d8af52bc0f5b100901702fdb2bc662885 +440e5d6b0d782ee0786d780761f57a117c904288: + title: 'nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro' + mainline: 0f3819e8c483771a59cf9d3190cd68a7a990083c + upstream: d2b9bc7dfd6b0fa1a37eb91e68bca3175cb5ef50 +3065612975c688a1ea3f759a23856a4b9eefdc12: + title: 'tick/broadcast: Make takeover of broadcast hrtimer reliable' + mainline: f7d43dd206e7e18c182f200e67a8db8c209907fa + upstream: dfe19aa91378972f10530635ad83b2d77f481044 +d5744057122276d5d9c9b33a8e567e963897d502: + title: 'net: netconsole: Disable target before netpoll cleanup' + mainline: 97d9fba9a812cada5484667a46e14a4c976ca330 + upstream: 608a07143563a2a0d1edd57b2f4e95b0199fb497 +6d8fa691e6733006d5c061a297fe601d126d748b: + title: 'af_packet: Handle outgoing VLAN packets without hardware offloading' + mainline: 79eecf631c14e7f4057186570ac20e2cfac3802e + upstream: 3dfd84aa72fa7329ed4a257c8f40e0c9aff4dc8f +f58439a91781f888dce8463243b4d83be380d21c: + title: 'ipv6: take care of scope when choosing the src addr' + mainline: abb9a68d2c64dd9b128ae1f2e635e4d805e7ce64 + upstream: b4f67f09287392e0a2f7422199a193e37f2737af +058c66e9aa0cd80581ff06b9294521e05ea1d0dd: + title: 'media: venus: fix use after free in vdec_close' + mainline: a0157b5aa34eb43ec4c5510f9c260bbb03be937e + upstream: ad8cf035baf29467158e0550c7a42b7bb43d1db6 +26722f11717342d8f7deeb0c23fa6814bc31a48c: + title: 'hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()' + mainline: 26a2ed107929a855155429b11e1293b83e6b2a8b + upstream: f7316b2b2f11cf0c6de917beee8d3de728be24db +d92238c8b1116bff1babca839d923d345128c202: + title: 'drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes' + mainline: cb520c3f366c77e8d69e4e2e2781a8ce48d98e79 + upstream: f392c36cebf4c1d6997a4cc2c0f205254acef42a +2c7d6f35aea17924ebb60002a151c8e4909cb226: + title: 'drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes' + mainline: 2df7aac81070987b0f052985856aa325a38debf6 + upstream: 13b5f3ee94bdbdc4b5f40582aab62977905aedee +1ac49c559cf87bd78734f326ef6db4c2d876d804: + title: 'm68k: amiga: Turn off Warp1260 interrupts during boot' + mainline: 1d8491d3e726984343dd8c3cdbe2f2b47cfdd928 + upstream: 296185ef87e6184e364bd9e7c983089b8e606a55 +4ed99f550b6316ae9cfa1ffdb6c4f053631117e6: + title: 'ext4: check dot and dotdot of dx_root before making dir indexed' + mainline: 50ea741def587a64e08879ce6c6a30131f7111e7 + upstream: b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db +839f30000100e2b3fb252f1755c4434cad12da0c: + title: 'ext4: make sure the first directory block is not a hole' + mainline: f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6 + upstream: d81d7e347d1f1f48a5634607d39eb90c161c8afe +b9bb3e4e90d4b44dc0667e7e5e24a8c4cd9eb9f5: + title: 'wifi: mwifiex: Fix interface type change' + mainline: a17b9f590f6ec2b9f1b12b1db3bf1d181de6b272 + upstream: 98cf9959a20dc374b7bba4b9357203e54484be58 +4e71b875b885df71c21f8f1fa380064b59fdd414: + title: 'leds: ss4200: Convert PCIBIOS_* return codes to errnos' + mainline: ce068e83976140badb19c7f1307926b4b562fac4 + upstream: db1871789f3018c5b0788318d3b1c685f2decceb +63576e19060aa3b515c02583870bde5d75260ed8: + title: 'hwrng: amd - Convert PCIBIOS_* return codes to errnos' + mainline: 14cba6ace79627a57fb9058582b03f0ed3832390 + upstream: d48e11483e3eb8ade86c57f4145644725cd33eed +31754844f0fd1fbfd0a6fd857ec7021240b6d3a3: + title: 'PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN' + mainline: fea93a3e5d5e6a09eb153866d2ce60ea3287a70d + upstream: e9cafb31aa498558d6ff7b28baed894db7d801f3 +080400d0031e6b30ae84fa1722d55cb6a3376f8c: + title: 'binder: fix hang of unregistered readers' + mainline: 31643d84b8c3d9c846aa0e20bc033e46c68c7e7d + upstream: 229670361c29381b0e1677763590e4dbc209ecbe +0900cd07eb9119e80a55a97784e8cc1ca6390402: + title: 'scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds' + mainline: ce2065c4cc4f05635413f63f6dc038d7d4842e31 + upstream: 5c9d1ac649469feaab4240c0c1b5920ea8649b50 +24eb54283c4effe2b0c2d94401d19e0ff004e357: + title: 'f2fs: prevent newly created inode from being dirtied incorrectly' +27f9505abcdef5527ce43c5c21ecf89bc76f2278: + title: 'f2fs: fix to don''t dirty inode for readonly filesystem' + mainline: 192b8fb8d1c8ca3c87366ebbef599fa80bb626b8 + upstream: 2d2916516577f2239b3377d9e8d12da5e6ccdfcf +e38af31723db1861d58b71410895872b72abc272: + title: 'ubi: eba: properly rollback inside self_check_eba' + mainline: 745d9f4a31defec731119ee8aad8ba9f2536dd9a + upstream: 29f2c831822fde87b78c73e5db6ecfb106473cff +a01900bb7d4f831a50f19c58b1b9e3c9aa9dd9d9: + title: 'decompress_bunzip2: fix rare decompression failure' + mainline: bf6acd5d16057d7accbbb1bf7dc6d8c56eeb4ecc + upstream: 16b92b031b4da174342bd909130731c55f20c7ea +930865dbd92b29bc57364695d561c289d693f72d: + title: 'scsi: qla2xxx: During vport delete send async logout explicitly' + mainline: 76f480d7c717368f29a3870f7d64471ce0ff8fb2 + upstream: 086489256696eb774654a5410e86381c346356fe +b212bfa809f6d1235bbbb6c491621ce314b073a6: + title: 'perf/x86/intel/pt: Fix topa_entry base length' + mainline: 5638bd722a44bbe97c1a7b3fae5b9efddb3e70ff + upstream: b4030b619066aa1c20e075ce9382f103e0168145 +dbffea43e8b704e5cb23e776be21c12a3e0f0b65: + title: 'watchdog/perf: properly initialize the turbo mode timestamp and rearm counter' + mainline: f944ffcbc2e1c759764850261670586ddf3bdabb + upstream: 6d94ca5d571dfdb34f12dc3f63273ea275e8f40c +8e28810fed0aaf5624155ae6974d1cc95623edf2: + title: 'platform: mips: cpu_hwmon: Disable driver on unsupported hardware' + mainline: f4d430db17b4ef4e9c3c352a04b2fe3c93011978 + upstream: 0818a768c96a10343d08a622906adab54da6e014 +4a7a97d0ef008b684e246ead6e1474949cb0b579: + title: 'RDMA/iwcm: Remove a set-but-not-used variable' +b4099074459a9baa637aba3a5fa6d814f32e5eb2: + title: 'RDMA/iwcm: Fix a use-after-free related to destroying CM IDs' + mainline: aee2424246f9f1dadc33faa78990c1e2eb7826e4 + upstream: d91d253c87fd1efece521ff2612078a35af673c6 +0a35556f0aa6435749d819919639e400943a3430: + title: 'selftests/sigaltstack: Fix ppc64 GCC build' + mainline: 17c743b9da9e0d073ff19fd5313f521744514939 + upstream: 8010e0748cca059187021d194bb6d883d159e172 +0e318baa084d870466c8cefaab8d2689e56d21e7: + title: 'nilfs2: handle inconsistent state in nilfs_btnode_create_block()' + mainline: 4811f7af6090e8f5a398fbdd766f903ef6c0d787 + upstream: 19cce46238ffe3546e44b9c74057103ff8b24c62 +2527458f09eb86ba89b673081c8a408c8a3f7591: + title: 'kdb: Fix bound check compiler warning' + mainline: ca976bfb3154c7bc67c4651ecd144fdf67ccaee7 + upstream: b15593e2904d2ff0094b7170f806dba0eeefac75 +fbcf6bbfac542e249d92ce80277a03dde0699305: + title: 'kdb: address -Wformat-security warnings' + mainline: 70867efacf4370b6c7cdfc7a5b11300e9ef7de64 + upstream: 22a100556ceab8b906ad180788bd6bdc07390f50 +4925aa995a5cf9f49c04fdd1257b1d8f341dd4f5: + title: 'kdb: Use the passed prompt in kdb_position_cursor()' + mainline: e2e821095949cde46256034975a90f88626a2a73 + upstream: 90f2409c1d552f27a2b2bf8dc598d147c4173128 +4c2dc9502e8728f3a9ba9029aeaa08fc01e420d1: + title: 'jfs: Fix array-index-out-of-bounds in diFree' + mainline: f73f969b2eb39ad8056f6c7f3a295fa2f85e313a + upstream: 55b732c8b09b41148eaab2fa8e31b0af47671e00 +5a9dbd8f70793aba9e12d6d5216ce45cd9597a78: + title: 'dma: fix call order in dmam_free_coherent' + mainline: 28e8b7406d3a1f5329a03aa25a43aa28e087cb20 + upstream: fe2d246080f035e0af5793cb79067ba125e4fb63 +1184f039bc84987937ac8144df7a5daaffb0795c: + title: 'MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later' + mainline: a263e5f309f32301e1f3ad113293f4e68a82a646 + upstream: 3213ac4e85945c54350ac06c09902d1c82211100 +5b3e5dc382a0cab89cea2c533a0e5b65ae4d686e: + title: 'net: ip_rt_get_source() - use new style struct initializer instead of memset' + mainline: e351bb6227fbe2bb5da6f38a4cf5bd18810b0557 + upstream: 0e8712254b48a7c6ebb76dce414a9539e772d406 +ef5a6f1d6d270c55e210ed3775352ff75e2aa48e: + title: 'ipv4: Fix incorrect source address in Record Route option' + mainline: cc73bbab4b1fb8a4f53a24645871dafa5f81266a + upstream: 5c65e55e41e1300c4ebf4dda22a704b2beed2423 +f204855673caa3a17b49c8b9642edcd269a4fac7: + title: 'net: bonding: correctly annotate RCU in bond_should_notify_peers()' + mainline: 3ba359c0cd6eb5ea772125a7aededb4a2d516684 + upstream: 6c9261a2bdf614b376dbefa01e0c6bb32d14e019 +1ae654c0cdf7bfcd142367568d3a1afbed7d54e8: + title: 'tipc: Return non-zero value from tipc_udp_addr2str() on error' + mainline: fa96c6baef1b5385e2f0c0677b32b3839e716076 + upstream: 7ec3335dd89c8d169e9650e4bac64fde71fdf15b +70609fe847bf6600554b6f511b10015f76834d58: + title: 'mISDN: Fix a use after free in hfcmulti_tx()' + mainline: 61ab751451f5ebd0b98e02276a44e23a10110402 + upstream: 70db2c84631f50e02e6b32b543700699dd395803 +1967ea8b282b3b05c9da41c1e2426c3bfb04bf54: + title: 'mm: avoid overflows in dirty throttling logic' + mainline: 385d838df280eba6c8680f9777bfa0d0bfe7e8b2 + upstream: 2b2d2b8766db028bd827af34075f221ae9e9efff +aff1d3ed73ce5882235d9f42c4510c642b9e1dac: + title: 'PCI: rockchip: Make ''ep-gpios'' DT property optional' + mainline: 58adbfb3ebec460e8b58875c682bafd866808e80 + upstream: 11f71f0c562dbfbc3f3e2c56053bca42f7e8d71c +5a659bbb75dd76c32388a8b4c8ea8dff2aa79c12: + title: 'PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio' + mainline: 840b7a5edf88fe678c60dee88a135647c0ea4375 + upstream: 8de378d17e5b737907c04acc2fab6d966a129f70 +d34a87ca6e4c611b125d238c3a56b712a612acd6: + title: 'parport: parport_pc: Mark expected switch fall-through' + mainline: aa1f0fa374ed23528b915a693a11b0f275a299c0 + upstream: f1af18ba5925abb275de8bf387fceb9fbf93a096 +af0192bb58b539ec732125a76fe4d69660147cca: + title: 'parport: Convert printk(KERN_ to pr_(' + mainline: decf26f6ec25dac868782dc1751623a87d147831 + upstream: cb2a998b88d173ec23423fa13ae2da463449728a +4582fe6f2d5fddcf7a63b59b666e8837f2cecf9a: + title: 'parport: Standardize use of printmode' + mainline: a6abfdff4fe5dd19d1f1b37d72ba34cd4492fd4d + upstream: 884ab25dbf115938facb91be85ffed9266e26f8b +598e7acd167941653c0a54d5732bad40db488504: + title: 'dev/parport: fix the array out-of-bounds risk' + mainline: ab11dac93d2d568d151b1918d7b84c2d02bacbd5 + upstream: 166a0bddcc27de41fe13f861c8348e8e53e988c8 +bdec7b3d4ccbcbd78fd4b6a2c6fe7a849754af52: + title: 'driver core: Cast to (void *) with __force for __percpu pointer' + mainline: d7aa44f5a1f86cb40659eef06035d8d92604b9d5 + upstream: b9c258b2a02ba8d6d004f45a1eafa23fd810746b +9b6f7f34aae733309a35d9990d4a0cdf2d2eea3b: + title: 'devres: Fix memory leakage caused by driver API devm_free_percpu()' + mainline: bd50a974097bb82d52a458bd3ee39fb723129a0c + upstream: 700e8abd65b10792b2f179ce4e858f2ca2880f85 +9ce7856eccc159df29f62b1e5ff0c6239422bf63: + title: 'perf/x86/intel/pt: Export pt_cap_get()' + mainline: f6d079ce867d679e4dffef5b3112c7634215fd88 + upstream: bea2d4588e90f56da62b0dd9099484a42498b08a +2de7be6b1893e070e92da91bbaa35ce22950b189: + title: 'perf/x86/intel/pt: Use helpers to obtain ToPA entry size' + mainline: fffec50f541ace292383c0cbe9a2a97d16d201c6 + upstream: e3fb71f7ecbf87228148c3287eac965927ef49be +ab03429ae696126f00509dac54b632bfb2282240: + title: 'perf/x86/intel/pt: Use pointer arithmetics instead in ToPA entry calculation' + mainline: 539f7c26b41d4ed7d88dd9756de3966ae7ca07b4 + upstream: 67968b8c7603007751f140f3f9f8aa8e64fc26b2 +a87ac310cc99adff1aa8315d829ce984dfc0cda6: + title: 'perf/x86/intel/pt: Split ToPA metadata and page layout' + mainline: 38bb8d77d0b932a0773b5de2ef42479409314f96 + upstream: e9d9ec1019a90aafdb54765a3b46f36f402b481a +d6c356954a61ce5a5f851b9aa858f9d906e4228d: + title: 'perf/x86/intel/pt: Fix a topa_entry base address calculation' + mainline: ad97196379d0b8cb24ef3d5006978a6554e6467f + upstream: 418f7db13405953c2d9223275d365d9828169076 +5d99fd6160cb1a1ecd0163220164b8d1fe2cecf6: + title: 'remoteproc: imx_rproc: ignore mapping vdev regions' + mainline: 8f2d8961640f0346cbe892273c3260a0d30c1931 + upstream: 35df377f38fb516111933f132b51a386b4d4892f +c1239a005bbf4c6b43aec1155ac3d8466b640051: + title: 'remoteproc: imx_rproc: Fix ignoring mapping vdev regions' + mainline: afe670e23af91d8a74a8d7049f6e0984bbf6ea11 + upstream: a80423f6566bc5085d6bbdd2acdb80aa20c0e915 +3e1715ba7291483690f92608e08aba0d12c5ef70: + title: 'remoteproc: imx_rproc: Skip over memory region when node value is NULL' + mainline: 2fa26ca8b786888673689ccc9da6094150939982 + upstream: 6884fd0283e0831be153fb8d82d9eda8a55acaaa +4aff76137ef2fa40ec1f424eb8e743673ffe5434: + title: 'drm/vmwgfx: Fix overlay when using Screen Targets' + mainline: cb372a505a994cb39aa75acfb8b3bcf94787cf94 + upstream: 6f4bc8b021d3436e5dda88350d8e0ac3c8df400f +582d87d965d3600b178bbaf8947523e5478da1d1: + title: 'net/iucv: fix use after free in iucv_sock_close()' + mainline: f558120cd709682b739207b48cf7479fd9568431 + upstream: 84f40b46787ecb67c7ad08a5bb1376141fa10c01 +c04add3c9adf1402f47ff8f51dd2ee533e863a00: + title: 'ipv6: fix ndisc_is_useropt() handling for PIO' + mainline: a46c68debf3be3a477a69ccbf0a1d050df841676 + upstream: 97a4f78feadc431a050cc26355f95ac3d73a4d4c +f4c005cc381764f082f66825073bb6c43f54fe14: + title: protect the fetch of ->fd[fd] in do_dup2() from mispredictions + mainline: 8aa37bde1a7b645816cda8b80df4753ecf172bf1 + upstream: ed42e8ff509d2a61c6642d1825032072dab79f26 +71a0712ba842211e6dc1a4f7e91dd6c7502eebe5: + title: 'ALSA: usb-audio: Correct surround channels in UAC1 channel map' + mainline: b7b7e1ab7619deb3b299b5e5c619c3e6f183a12d + upstream: f4eb853103674698416ba66d41317b1d869d4bdc +3f465b02b4b919181c45ef14fe5ca3638b87ac5c: + title: 'net: usb: sr9700: fix uninitialized variable use in sr_mdio_read' + mainline: 08f3a5c38087d1569e982a121aad1e6acbf145ce + upstream: 9f04dbd139aa1988fc8b7984ffbce7849be73f21 +6f4e6f1f7e5d27fa977d9900aba67c9cc3c15d4e: + title: 'irqchip/mbigen: Fix mbigen node address layout' + mainline: 6be6cba9c4371d27f78d900ccfe34bb880d9ee20 + upstream: 2f61f0c6b7411212acd6490c5629b0049e8eaefa +193653bb5bb78ddaa2698760912db0248833cccc: + title: 'net: usb: qmi_wwan: fix memory leak for not ip packets' + mainline: 7ab107544b777c3bd7feb9fe447367d8edd5b202 + upstream: 3c90a69533b5bba73401ef884d033ea49ee99662 +928a0513e3f0353f456c9734695c47a94f423c54: + title: 'net: linkwatch: use system_unbound_wq' + mainline: 3e7917c0cdad835a5121520fc5686d954b7a61ab + upstream: 3840189e4619af11f558e6faff80813f008246a6 +0c7df8f6eff3aa1044d3f97dd249112dc4301778: + title: 'Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()' + mainline: c531e63871c0b50c8c4e62c048535a08886fba3e + upstream: 64f4938368f4be563b7652d6b18d37b317913b47 +20cb64898909ba7ccad47d1e52e980ba859c29c0: + title: 'net: fec: Stop PPS on driver remove' + mainline: 8fee6d5ad5fa18c270eedb2a2cdf58dbadefb94b + upstream: 7762f5317db83b70099ed1b2c100df54abddaec1 +a10b1779aca24535b14edba941cb59fbd35ce7c9: + title: 'md/raid5: avoid BUG_ON() while continue reshape after reassembling' + mainline: 305a5170dc5cf3d395bb4c4e9239bca6d0b54b49 + upstream: 2c92f8c1c456d556f15cbf51667b385026b2e6a0 +f9ec6971715991696e49430547551697f1153be6: + title: 'clocksource/drivers/sh_cmt: Address race condition for clock events' + mainline: db19d3aa77612983a02bd223b3f273f896b243cf + upstream: 026befb502ce41384e5119df12c9f2d4067cb23c +ca0a3431163788b838bdccff1eac2b84a30bee91: + title: 'PCI: Add Edimax Vendor ID to pci_ids.h' + mainline: eee5528890d54b22b46f833002355a5ee94c3bb4 + upstream: a35a163cd56b583ef698eadef9b856b0fe6e2727 +ed09bb9292ca0c02ada12cd5f17ef9e976cb5f8c: + title: 'udf: Fix signed/unsigned format specifiers' +12ce9c96b15650623040f0d999b91b5d12f9936f: + title: 'udf: prevent integer overflow in udf_bitmap_free_blocks()' + mainline: 56e69e59751d20993f243fb7dd6991c4e522424c + upstream: 097420e48e30f51e8f4f650b5c946f5af63ec1a3 +a253db7576fd90aaa15b1dabec335f2f9df7c21e: + title: 'wifi: nl80211: don''t give key data to userspace' + mainline: a7e5793035792cc46a1a4b0a783655ffa897dfe9 + upstream: f4d99b55dca90ca703bdd57ee8d557cd8d6c1639 +dd102bb94b5dba7e5376f09504503f3bc2cf16da: + title: 'btrfs: fix bitmap leak when loading free space cache on duplicate entry' + mainline: 320d8dc612660da84c3b70a28658bb38069e5a9a + upstream: fad0bb34cfcea693903409356693988f04715b8e +feddc92ee4859f5e6c5a69135f94547740b292a9: + title: 'media: uvcvideo: Ignore empty TS packets' + mainline: 5cd7c25f6f0576073b3d03bc4cfb1e8ca63a1195 + upstream: 019f538f9fe0b48bb436135edba69aa3a5156cdb +00a39f4e0adbb1b194e0a1ba2219e26c57042dc7: + title: 'media: uvcvideo: Fix the bandwdith quirk on USB 3.x' + mainline: 9e3d55fbd160b3ca376599a68b4cddfdc67d4153 + upstream: eada6212c055089962ca3ee7b8ab11d8f4d0e4f5 +82f1f40db08d606f0538e4a88e06a919b8656645: + title: 'jbd2: avoid memleak in jbd2_journal_write_metadata_buffer' + mainline: cc102aa24638b90e04364d64e4f58a1fa91a1976 + upstream: 831db95409cc12589c14a71b9bf6c3e7f70bf5a0 +6062fd1ee48c6cb081cbc525e31fd43fa9632dbc: + title: 'SUNRPC: Fix a race to wake a sync task' + mainline: ed0172af5d6fc07d1b40ca82f5ca3979300369f7 + upstream: 06d281f0ad7504e9f250c6a9ef78d9e48cea5717 +fb37e57b6e2f8217b201737f10af809289674469: + title: 'ext4: fix wrong unit use in ext4_mb_find_by_goal' + mainline: 99c515e3a860576ba90c11acbc1d6488dfca6463 + upstream: 585b8d86c39882425f737b800e7552fb42a4785f +7a346f1ce3ab37134f2365ab6a74422747285fdb: + title: 'i2c: smbus: Don''t filter out duplicate alerts' + mainline: dca0dd28fa5e0a1ec41a623dbaf667601fc62331 + upstream: 6adca954fc039151ef4f9c1ea1f201e12a24593d +c364d250ada36665ea06f204449d1162cb5e1432: + title: 'i2c: smbus: Improve handling of stuck alerts' + mainline: 37c526f00bc1c4f847fc800085f8f009d2e11be6 + upstream: 9540badee607a99cc07bddbd0a7d4a01fd3b9661 +a0bb631d7d0a1773ebbb427ac8564ae8818b4dfe: + title: 'i2c: smbus: Send alert notifications to all devices if source not found' + mainline: f6c29f710c1ff2590109f83be3e212b86c01e0f3 + upstream: 3b20631d0704fe4f6bf4cf9a49fd19871ebaeffb +5ec8022d2f6ecf35ce105eafaf28b73c46619207: + title: 'spi: lpspi: Switch to SPDX identifier' +0ef61696a9fff3915fb5aa6f7bb9f89682d10ad9: + title: 'spi: lpspi: Replace all "master" with "controller"' + mainline: 07d71557494c05b0651def1651bf6d7e7f47bbbb + upstream: bebc69b574d6a3c54e8951dd891e78a20e2a3f54 +12bfab716ae4cd47449d7636a25326099daa10a9: + title: 'spi: lpspi: Add slave mode support' + mainline: bcd87317aae26b9ac497cbc1232783aaea1aeed4 + upstream: b1b5a04eadd9b786dcd4bc82e726498a8f6fd50a +6a6c19da1d3917fc8c51d2fd69b667a5e7b192ec: + title: 'spi: lpspi: Let watermark change with send data length' + mainline: cf86874bb9bdb99ba3620428b59b0408fbc703d0 + upstream: 8f8b12339ef7cc8e15989f6445aad5a9bf8c00f5 +dc2d2de15c66a8e41275b4d59e6082955e477991: + title: 'spi: lpspi: Add i.MX8 boards support for lpspi' + mainline: f5e5afdb0e56e81123e02b6a64dd32adc19a90d4 + upstream: 0b536d6c52a88b6a5a7f40d1ac91ffe170b8df87 +030b58b3539d0fdccf6284113c29f60c76b60916: + title: 'spi: lpspi: add the error info of transfer speed setting' + mainline: 77736a98b859e2c64aebbd0f90b2ce4b17682396 + upstream: 3bb46e26783c3c86e67172f695908a066be69e12 +d859e0255cb169a2d7aa96b42defafd7c515df0c: + title: 'spi: fsl-lpspi: remove unneeded array' + mainline: 2fa98705a9289c758b6154a22174aa8d4041a285 + upstream: da6cc32c245500f417e4b96d67722b8a0a07fd94 +dcde078eb1be234c810305963c845eaa63f20813: + title: 'spi: spi-fsl-lpspi: Fix scldiv calculation' + mainline: 730bbfaf7d4890bd99e637db7767dc68cfeb24e7 + upstream: 81964823116357a636201afa4010fa30f050446e +9ab8902f51b8ac3c51666922a9719c1e4d81f105: + title: 'ALSA: line6: Fix racy access to midibuf' + mainline: 15b7a03205b31bc5623378c190d22b7ff60026f1 + upstream: 643293b68fbb6c03f5e907736498da17d43f0d81 +d41cf1c7bc4e9706d684d3fb2c24046f673ffb78: + title: 'usb: vhci-hcd: Do not drop references before new references are gained' + mainline: afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a + upstream: 5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89 +95314b1272d1d96f5737c5b1e208fabd1128db3c: + title: 'USB: serial: debug: do not echo input by default' + mainline: 00af4f3dda1461ec90d892edc10bec6d3c50c554 + upstream: 1907ed1be026c771086e6adc560f38dc50e82382 +551fbbddb6f5ff52bdb1c0cdb3d096e359e088da: + title: 'usb: gadget: core: Check for unset descriptor' + mainline: 973a57891608a98e894db2887f278777f564de18 + upstream: ba15815dd24cc5ec0d23e2170dc58c7db1e03b4a +b41af170f9ad55d4780688b92c032579655218fe: + title: 'scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic' + mainline: ab9fd06cb8f0db0854291833fc40c789e43a361f + upstream: c4da5b5deb343346909920c41645ad85adff4c6c +6fad54cc7a6c8c4750209bfcff1b54dd60b086db: + title: 'tick/broadcast: Move per CPU pointer access into the atomic section' + mainline: 6881e75237a84093d0986f56223db3724619f26e + upstream: f54abf332a2bc0413cfa8bd6a8511f7aa99faea0 +07f7f40df90538c4bacb06d64ededc68b6d6e9bf: + title: 'ntp: Clamp maxerror and esterror to operating range' + mainline: 87d571d6fb77ec342a985afa8744bb9bb75b3622 + upstream: 9dfe2eef1ecfbb1f29e678700247de6010784eb9 +c72f8e96b8386d50894df2faed9718d7cbfc312d: + title: 'driver core: Fix uevent_show() vs driver detach race' + mainline: 15fffc6a5624b13b428bb1c6e9088e32a55eb82c + upstream: 49ea4e0d862632d51667da5e7a9c88a560e9c5a1 +53390d85b1f4fca100eca68612fe9ae736ef5caf: + title: 'ntp: Safeguard against time_constant overflow' + mainline: 06c03c8edce333b9ad9c6b207d93d3a5ae7c10c0 + upstream: a13f8b269b6f4c9371ab149ecb65d2edb52e9669 +1d33b86b2b99774eae26926b2f5f4900f826638f: + title: 'serial: core: check uartclk for zero to avoid divide by zero' + mainline: 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 + upstream: 3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba +d9b1fa9a24e5ba3115a289421d535abf954efd7a: + title: 'power: supply: axp288_charger: Fix constant_charge_voltage writes' + mainline: b34ce4a59cfe9cd0d6f870e6408e8ec88a964585 + upstream: f1aa9f19da35f72ce8ec3196f0a7bc06e296aaeb +bd9bfbcc05c1c7af22dfa9ca8b2ff1d6395db661: + title: 'power: supply: axp288_charger: Round constant_charge_voltage writes down' + mainline: 81af7f2342d162e24ac820c10e68684d9f927663 + upstream: e3cb8400a72a9e5e25365d380b290cdd50ccdb5c +b28271a4428daf3c20b71a8e7cf218a4c38c698b: + title: 'tracing: Fix overflow in get_free_elt()' + mainline: bcf86c01ca4676316557dd482c8416ece8c2e143 + upstream: 302ceb625d7b990db205a15e371f9a71238de91c +4f0b886693fe2a82d8896cd431eb529777e1bbdc: + title: 'x86/mtrr: Check if fixed MTRRs exist before saving them' + mainline: 919f18f961c03d6694aa726c514184f2311a4614 + upstream: 34f36e6ee5bd7eff8b2adcd9fcaef369f752d82e +d5775da332c5377cc22a6e497a9b324c1f2fe2a1: + title: 'drm/bridge: analogix_dp: Check AUX_EN status when doing AUX transfer' +a413584fad9b551cb6e15f5e8a05f94d16871585: + title: 'drm/bridge: analogix_dp: Reset aux channel if an error occurred' +9f77a8ee77d6ec538dbccfc03c463586323300d0: + title: 'drm/bridge: analogix_dp: Properly log AUX CH errors' +5dfe0cc24eab4d1e640e3cfc7ef155216fb29f2a: + title: 'drm/bridge: analogix_dp: properly handle zero sized AUX transactions' + mainline: e82290a2e0e8ec5e836ecad1ca025021b3855c2d + upstream: 52f05898629b25fc382754d837be624205ce67f8 +e391c9f51faaf4a35bb29343af0d29164938363a: + title: 'drm/mgag200: Set DDC timeout in milliseconds' + mainline: ecde5db1598aecab54cc392282c15114f526f05f + upstream: 7db72e8e538e10afefe589d6203ffb4f5a1cbd9a +6bd6cf1374f27ba771760e53caf8c276e794b638: + title: 'kbuild: Fix ''-S -c'' in x86 stack protector scripts' + mainline: 3415b10a03945b0da4a635e146750dfe5ce0f448 + upstream: 9dd6e5296c8ad1bbb88933b8150383bc0eba9488 +9aee9974b20b6907210221aba005ec36135348a4: + title: 'netfilter: nf_tables: set element extended ACK reporting support' + mainline: b53c116642502b0c85ecef78bff4f826a7dd4145 + upstream: 61fbbac22c8ce73d0c492caf45a286c3f021c0fd +827a69923a6dddeb669678005299af5144147452: + title: 'drm/i915: Try GGTT mmapping whole object as partial' +3ccfe379cab98c308e84733885655b1c7c956b80: + title: 'drm/i915/gem: Fix Virtual Memory mapping boundaries calculation' + mainline: 8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3 + upstream: 3e06073d24807f04b4694108a8474decb7b99e60 +02acb3b20db4e8372b854be6ce9846446def401c: + title: 'exec: Fix ToCToU between perm check and set-uid/gid usage' + mainline: f50733b45d865f91db90919f8311e2127ce5a0cb + upstream: d5c3c7e26275a2d83b894d30f7582a42853a958f +92af3424a5a42e8014f39c82996fe01a8ba6aaf0: + title: 'nvme/pci: Add APST quirk for Lenovo N60z laptop' + mainline: ab091ec536cb7b271983c0c063b17f62f3591583 + upstream: 9cc0878c7d7f12c10b3cc40197668816c918b465 +af183b69eaca031e9e4833d356ba1ef6c2adbaba: + title: 'Revert "selftests: make order checking verbose in msg_zerocopy selftest"' +2cb49c145133dc3d8b38832afe4be57ffc94836a: + title: 'Revert "selftests: fix OOM in msg_zerocopy selftest"' +d110d6dd927f5a2911fc5e697a14026eacc5da69: + title: 'Revert "selftests/net: reap zerocopy completions passed up as ancillary data."' +2d49c59f9120bc00d0cf6f055311d8f9ab7bb90d: + title: 'selftests: fix OOM in msg_zerocopy selftest' + mainline: af2b7e5b741aaae9ffbba2c660def434e07aa241 +144aa689351646efa81ec2ad9f0ba41599d9ffc8: + title: 'selftests: make order checking verbose in msg_zerocopy selftest' + mainline: 7d6d8f0c8b700c9493f2839abccb6d29028b4219 +795faf9727a66039c7c80e011fe0bad5bd88dd83: + title: 'net: fix __dst_negative_advice() race' + mainline: 92f1655aa2b2294d0b49925f3b875a634bd3b59e diff --git a/.elts/upstream/4.19.320.yaml b/.elts/upstream/4.19.320.yaml new file mode 100644 index 000000000000..71a503e22bb7 --- /dev/null +++ b/.elts/upstream/4.19.320.yaml @@ -0,0 +1,784 @@ +c0e53e36452d1b2a3ec71bf0586251245a5686c0: + title: 'platform/chrome: cros_ec_debugfs: fix wrong EC message version' + mainline: c2a28647bbb4e0894e8824362410f72b06ac57a4 + backport: dd6caa8da1ace4e2e4f02eb5284addebf4c5c2bb +fa4c26ce47b050d4988d8d5a7390e205abe4a2bc: + title: 'hfsplus: fix to avoid false alarm of circular locking' + mainline: be4edd1642ee205ed7bbf66edc0453b1be1fb8d7 + skipped: fixes patch not in branch +56d64c36b2aac95c9c24e303fb746591ecfa096a: + title: 'x86/of: Return consistent error type from x86_of_pci_irq_enable()' + mainline: ec0b4c4d45cf7cf9a6c9626a494a89cb1ae7c645 + backport: 78659ded3dbb7237c1582e91776e86a6b3247515 +600a520cc4e661aa712415e4a733924e9d22777d: + title: 'x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling' + mainline: 724852059e97c48557151b3aa4af424614819752 + backport: 5f1342ecebaf8161a43bcc1b8958c280452c8171 +5294b91618250c7719e4c85096cafe8f76a1bc20: + title: 'x86/pci/xen: Fix PCIBIOS_* return code handling' + mainline: e9d7b435dfaec58432f4106aaa632bf39f52ce9f + backport: 125df213ac935a71782e5c091206853ff9cb5556 +3f4f08e59ddf359da5bc4226ba865a59177a3a50: + title: 'x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos' + mainline: 7821fa101eab529521aa4b724bf708149d70820c + backport: 21be2282360c7df8b2535f9c2883674234dc7de2 +d9c01877d4ba1e39bbdc43faeeceeef2768be8e7: + title: 'hwmon: (adt7475) Fix default duty on fan is disabled' + mainline: 39b24cced70fdc336dbc0070f8b3bde61d8513a8 + backport: 1dd63dd3a8a7617a90bc1a9068fedb6adf5f5aac +383729f057245972e13fb0708c5ec7dd985fc50d: + title: 'pwm: stm32: Always do lazy disabling' + mainline: 7346e7a058a2c9aa9ff1cc699c7bf18a402d9f84 + backport: 25d404099dccdfe51abb9f810a864ced8b9d912b +21998f2c68edd4a7922875f34b39ce2bb78fabc0: + title: 'hwmon: (max6697) Fix underflow when writing limit attributes' + mainline: cbf7467828cd4ec7ceac7a8b5b5ddb2f69f07b0e + backport: 42cc04b6ae182a372082afc1c28d67f92fed5c29 +eb04482acd9870b84970fe1549203fedc1bbcc79: + title: 'hwmon: Introduce SENSOR_DEVICE_ATTR_{RO, RW, WO} and variants' + mainline: a5c47c0d388b939dd578fd466aa804b7f2445390 + backport: 625dffc4eaba4191520fb296a0e55743836bab4b +7a72d79eef89ce242e08edb18f64106374117295: + title: 'hwmon: (max6697) Auto-convert to use SENSOR_DEVICE_ATTR_{RO, RW, WO}' + mainline: 740c2f2b86a71ad673f329241ac25cfe647aacd4 + backport: 64785dce17bc282c55ed7f21c3fbc4391cdb1ab0 +6b52603ed8bdcceb9b8c16d2db7abd19e024fbe2: + title: 'hwmon: (max6697) Fix swapped temp{1,8} critical alarms' + mainline: 1ea3fd1eb9869fcdcbc9c68f9728bfc47b9503f1 + backport: cb9e33d36836000d9a79d3b0121beee91c3323b9 +513fff3e8574d3c5b54ef71b6514cda12123879e: + title: 'arm64: dts: rockchip: Increase VOP clk rate on RK3328' + mainline: 0f2ddb128fa20f8441d903285632f2c69e90fae1 + backport: c731a44f2487b720039473b6255fba3ad26d7753 +b6c2b179b6908e439b2385c25d7b3477e4be4dce: + title: 'm68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages' + mainline: f70065a9fd988983b2c693631b801f25a615fc04 + backport: 266d74e904f119b2251094862e9f7d56c3fb74fe +cb9ad82cf270ce5bdcf5e768af48966833cc3caa: + title: 'x86/xen: Convert comma to semicolon' + mainline: 349d271416c61f82b853336509b1d0dc04c1fcbb + backport: 0d26a6a5f0bb7e82bfebf44b060294eec5a72b73 +8c43fbd39500ce7bdc779a772752cc2b436a692c: + title: 'm68k: cmpxchg: Fix return value for default case in __arch_xchg()' + mainline: 21b9e722ad28c19c2bc83f18f540b3dbd89bf762 + backport: 8bc40077dd7c321cc45107a639c176d317892413 +f33757e8db8f33aba783b88120245ec53e5fa88a: + title: 'wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device' + mainline: c636fa85feb450ca414a10010ed05361a73c93a6 + backport: 5fa524af8685b00160e9e766bbe196804a007844 +7fbbfd88613287ec01a54215b09aad3b05e4c070: + title: 'net/smc: Allow SMC-D 1MB DMB allocations' + mainline: 67161779a9ea926fccee8de047ae66cbd3482b91 + skipped: commit did not cherry-pick cleanly +248ded655e0b64e2a4c2f1ef6d052954ed88ed05: + title: 'net/smc: set rmb''s SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined' + mainline: 3ac14b9dfbd345e891d48d89f6c2fa519848f0f4 + skipped: commit did not cherry-pick cleanly +d92eac4db41d059554efdf3ba7415a196bc7b437: + title: 'selftests/bpf: Check length of recv in test_sockmap' + mainline: de1b5ea789dc28066cc8dc634b6825bd6148f38b + skipped: fixes patch not in branch +0166ece82068d6fa9739a677ac3884941fc35153: + title: 'wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he()' + mainline: 9ee0d44f055276fe2802b2f65058e920853f4f99 + skipped: fixes patch not in branch +45d20a1c54be4f3173862c7b950d4468447814c9: + title: 'wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he()' + mainline: bcbd771cd5d68c0c52567556097d75f9fc4e7cd6 + skipped: fixes patch not in branch +b072c604d58b1cd1079c4e2f0d22b1f469dda347: + title: 'net: fec: Refactor: #define magic constants' + mainline: ff049886671ccd4e624a30ec464cb20e4c39a313 + backport: 1a85ab4b601786019135c37ec3f11927ba4a561d +18074367ad100e129d0dccdaa64af6642363680b: + title: 'net: fec: Fix FEC_ECR_EN1588 being cleared on link-down' + mainline: c32fe1986f27cac329767d3497986e306cad1d5e + backport: c3996b8fae20c268b6c49e70ea078bceb96d0c27 +9340804ea465de0509a9afaeaaccf3fb74b14f9b: + title: 'ipvs: Avoid unnecessary calls to skb_is_gso_sctp' + mainline: 53796b03295cf7ab1fc8600016fa6dfbf4a494a0 + backport: 2a3559125bd5fc024c30b1655b626abc0c2fa3eb +542abbf58e88f34dfc659b63476a5976acf52c0e: + title: 'perf: Fix perf_aux_size() for greater-than 32-bit size' + mainline: 3df94a5b1078dfe2b0c03f027d018800faf44c82 + backport: 6f7bc617b3b66436641dba5329718933aea4b889 +d7b1a76f33e6fc93924725b4410126740c890c44: + title: 'perf: Prevent passing zero nr_pages to rb_alloc_aux()' + mainline: dbc48c8f41c208082cfa95e973560134489e3309 + backport: 26864f03cc21aaa1b9f2dbed5c8ad7bf676f2df4 +f121740f69eda4da2de9a20a6687a13593e72540: + title: 'bna: adjust ''name'' buf size of bna_tcb and bna_ccb structures' + mainline: c9741a03dc8e491e57b95fba0058ab46b7e506da + backport: be35c98c5aa383407f62428c4169a79d5c243c26 +e061713d466b9be56b66dd6fb50538ad2c5564ac: + title: 'selftests: forwarding: devlink_lib: Wait for udev events after reloading' + mainline: f67a90a0c8f5b3d0acc18f10650d90fec44775f9 + skipped: fixes patch not in branch +01b44d9e50a68ac3c645cc98a474455668dc8e70: + title: 'media: imon: Fix race getting ictx->lock' + mainline: 24147897507cd3a7d63745d1518a638bf4132238 + backport: ce58b8f17bfc9cfad7fafb57ebb626850d4802ba +001583ad640c70987efd5af70566a69f146dc99c: + title: 'saa7134: Unchecked i2c_transfer function result fixed' + mainline: 9d8683b3fd93f0e378f24dc3d9604e5d7d3e0a17 + backport: e0b07e242c61e819acf0143bb2c23d4859b135db +1e4347cf14496f33bd26f0401404fd6de51e4fc4: + title: 'media: uvcvideo: Allow entity-defined get_info and get_cur' + mainline: 65900c581d014499f0f8ceabfc02c652e9a88771 + skipped: commit did not cherry-pick cleanly +b8e307747242d3e692c6ad98ff30d315683f2a00: + title: 'media: uvcvideo: Override default flags' + mainline: 86419686e66da5b90a07fb8a40ab138fe97189b5 + skipped: fixes patch not in branch +ab1325f1074da2cfa1259417fb6c93a0886e74c8: + title: 'media: renesas: vsp1: Fix _irqsave and _irq mix' + mainline: 57edbbcf5258c378a9b9d0c80d33b03a010b22c8 + backport: f0a224ecf4ca80033edee705bd34405dae4ea20a +ae16866626ecae26a7317e0372224d5480211ff7: + title: 'media: renesas: vsp1: Store RPF partition configuration per RPF instance' + mainline: a213bc09b1025c771ee722ee341af1d84375db8a + backport: 49db8c90eba2da9ddc6f9a203a6d20984d1658a7 +c3b7a650c8717aa89df318364609c86cbc040156: + title: 'leds: trigger: Unregister sysfs attributes before calling deactivate()' + mainline: c0dc9adf9474ecb7106e60e5472577375aedaed3 + skipped: fixes patch not in branch +2e6abffcb52a36c89c0a70499b86e0a99df15d1e: + title: 'perf report: Fix condition in sort__sym_cmp()' + mainline: cb39d05e67dc24985ff9f5150e71040fa4d60ab8 + backport: 39632d1c383813e9ddb20088f6e9a3b44ee70569 +c7c74c8256206ffc27212ada1f998f5a05b8c54f: + title: 'drm/etnaviv: fix DMA direction handling for cached RW buffers' + mainline: 58979ad6330a70450ed78837be3095107d022ea9 + backport: fa7e07d7ebb21ec8b937faeb3254a608c4d2eea2 +4be759d6d5da05b76a19785defe0f312926dcb5b: + title: 'mfd: omap-usb-tll: Use struct_size to allocate tll' + mainline: 40176714c818b0b6a2ca8213cdb7654fbd49b742 + skipped: fixes patch not in branch +282e8d4e9d33182a5ca25fe6333beafdc5282946: + title: 'ext4: avoid writing unitialized memory to disk in EA inodes' + mainline: 65121eff3e4c8c90f8126debf3c369228691c591 + backport: 5e8bf661518b825696c6ee219e62292e6bc8df93 +6b4f676006a390edffd6a00f2ebc23276dd05031: + title: 'sparc64: Fix incorrect function signature and add prototype for prom_cif_init' + mainline: a6c3ea1ec96307dbfbb2f16d96c674c5cc80f445 + backport: 0549d286c615b284448fa4d449c322f3ae2aa55f +0012438a122c56d727712169df42fd0e297a42b0: + title: 'PCI: Equalize hotplug memory and io for occupied and empty slots' + mainline: de3ffa301142bf8802a7b0de17f9985acde5c223 + backport: 02a0104454d95405c65536870fdc426e8663512d +2044071c6e42d041e3656bad105be5879f6b70f1: + title: 'PCI: Fix resource double counting on remove & rescan' + mainline: 903534fa7d30214d8ba840ab1cd9e917e0c88e41 + backport: 0a5d6964e9374945dfef1227972e8cc1a2a6d5ef +c4eaaf28068a99d8363bf02a20a32bf207be13e1: + title: 'RDMA/mlx4: Fix truncated output warning in mad.c' + mainline: 0d2e6992fc956e3308cd5376c18567def4cb3967 + backport: 8e50a9f8175582f34a709024496217f3fca864e5 +087abc7e244700f741c0431af59b28e910a82dc1: + title: 'RDMA/mlx4: Fix truncated output warning in alias_GUID.c' + mainline: 5953e0647cec703ef436ead37fed48943507b433 + backport: e9d4656f8f0c014de2ffcf8d4903c4630c43c72b +796c0f32fc956b88c345195472e2d74823be0d03: + title: 'RDMA/rxe: Don''t set BTH_ACK_MASK for UC or UD QPs' + mainline: 4adcaf969d77d3d3aa3871bbadc196258a38aec6 + backport: 117e5c14bbbb75364fabcb7d2e70e19167efc931 +17b016971c27ee1e884da3ce502801cb95f84ff1: + title: 'mtd: make mtd_test.c a separate module' + mainline: a5cf054d325e6f362e82fe6d124a1871a4af8174 + backport: 550d6bbd2dedbc88697932ddbe5f930b20a4d7c1 +2ee59e846895b6b061defbc6cde83126f91b7abd: + title: 'Input: elan_i2c - do not leave interrupt disabled on suspend failure' + mainline: 5f82c1e04721e7cd98e604eb4e58f0724d8e5a65 + backport: e547f41337badd93753b4fe3ae3817ed8400abd6 +12bc3aca7d100a8f749c2a6fcdb6be08ad41c105: + title: 'MIPS: Octeron: remove source file executable bit' + mainline: 89c7f5078935872cf47a713a645affb5037be694 + backport: fd5b433d1390c5586bc367f3e10fbb226ad9e2ac +5b84d47a0baee13434fadb3b9506c39f51f9ab98: + title: 'powerpc/xmon: Fix disassembly CPU feature checks' + mainline: 14196e47c5ffe32af7ed5a51c9e421c5ea5bccce + backport: 971a6101e844da8bcbdd4bd046a826c6cc44d861 +eeb9a0f79d8e4ea27b4f85a73f3765dc0046ab01: + title: 'macintosh/therm_windtunnel: fix module unload.' + mainline: fd748e177194ebcbbaf98df75152a30e08230cc6 + backport: 20b6b7a306d9487bb507af81df8e926b8141d902 +dfb40b2535b298b34b37780fe8eced6d38e28c5c: + title: 'bnxt_re: Fix imm_data endianness' + mainline: 95b087f87b780daafad1dbb2c84e81b729d5d33f + backport: 4f51eb5763820de8cf9bc32b26b20d19f7ccfc5d +576862647ae00d67b09961f84629aea09736c047: + title: 'ice: Rework flex descriptor programming' + mainline: 22ef683b48182f4d6125a2fb2725eb8a141514ff + skipped: code does not exist in 4.14 +66e7650dbbb8e236e781c670b167edc81e771450: + title: 'netfilter: ctnetlink: use helper function to calculate expect ID' + mainline: 782161895eb4ac45cf7cfa8db375bd4766cb8299 + backport: ccfb620ebf3085fca54472461544c796cbd7db5d +636f8fe03a14b0994a3dbdc05c8fa8c8296c1357: + title: 'pinctrl: core: fix possible memory leak when pinctrl_enable() fails' + mainline: ae1cf4759972c5fe665ee4c5e0c29de66fe3cf4a + backport: ee8bf45248bc530e2dc9a0a7f833febbe89fd2e1 +9dad82c7c7424c240db65f10ad999266f2967479: + title: 'pinctrl: single: fix possible memory leak when pinctrl_enable() fails' + mainline: 8f773bfbdd428819328a2d185976cfc6ae811cd3 + backport: fbd206c9e544f6e8fbb844534d05817ab6ed637a +268b3ff414ae8942af9d6c981b5df8667c2b76b6: + title: 'pinctrl: ti: ti-iodelay: Drop if block with always false condition' + mainline: 88b3f108502bc45e6ebd005702add46759f3f45a + backport: 9521c0b13c94c6ad389f9a5d7f8213891d8924a7 +7d720f351714dcbeb578af67bb7e66326504826c: + title: 'pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails' + mainline: 9b401f4a7170125365160c9af267a41ff6b39001 + backport: 78e3f7ec45416b8b0a25ef8fcbf85b653f49d5bb +c90d81a6e1f3daab4c06f7f8aba346abc76ae07a: + title: 'pinctrl: freescale: mxs: Fix refcount of child' + mainline: 7f500f2011c0bbb6e1cacab74b4c99222e60248e + backport: 251acaffa0bd813f67f7a92082bdbd101c395f4d +175ac70d8af52bc0f5b100901702fdb2bc662885: + title: 'fs/nilfs2: remove some unused macros to tame gcc' + mainline: e7920b3e9d9f5470d5ff7d883e72a47addc0a137 + backport: 2891e08c6f20e3c7b4b09dac8e949a195b46ff8c +d2b9bc7dfd6b0fa1a37eb91e68bca3175cb5ef50: + title: 'nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro' + mainline: 0f3819e8c483771a59cf9d3190cd68a7a990083c + backport: 440e5d6b0d782ee0786d780761f57a117c904288 +dfe19aa91378972f10530635ad83b2d77f481044: + title: 'tick/broadcast: Make takeover of broadcast hrtimer reliable' + mainline: f7d43dd206e7e18c182f200e67a8db8c209907fa + backport: 3065612975c688a1ea3f759a23856a4b9eefdc12 +608a07143563a2a0d1edd57b2f4e95b0199fb497: + title: 'net: netconsole: Disable target before netpoll cleanup' + mainline: 97d9fba9a812cada5484667a46e14a4c976ca330 + backport: d5744057122276d5d9c9b33a8e567e963897d502 +3dfd84aa72fa7329ed4a257c8f40e0c9aff4dc8f: + title: 'af_packet: Handle outgoing VLAN packets without hardware offloading' + mainline: 79eecf631c14e7f4057186570ac20e2cfac3802e + backport: 6d8fa691e6733006d5c061a297fe601d126d748b +b4f67f09287392e0a2f7422199a193e37f2737af: + title: 'ipv6: take care of scope when choosing the src addr' + mainline: abb9a68d2c64dd9b128ae1f2e635e4d805e7ce64 + backport: f58439a91781f888dce8463243b4d83be380d21c +a97e1082454f45513bc5f7ee0d9cc4e9a6869a81: + title: 'char: tpm: Fix possible memory leak in tpm_bios_measurements_open()' + mainline: 5d8e2971e817bb64225fc0b6327a78752f58a9aa + skipped: fixes patch not in branch +ad8cf035baf29467158e0550c7a42b7bb43d1db6: + title: 'media: venus: fix use after free in vdec_close' + mainline: a0157b5aa34eb43ec4c5510f9c260bbb03be937e + backport: 058c66e9aa0cd80581ff06b9294521e05ea1d0dd +f7316b2b2f11cf0c6de917beee8d3de728be24db: + title: 'hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode()' + mainline: 26a2ed107929a855155429b11e1293b83e6b2a8b + backport: 26722f11717342d8f7deeb0c23fa6814bc31a48c +f392c36cebf4c1d6997a4cc2c0f205254acef42a: + title: 'drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes' + mainline: cb520c3f366c77e8d69e4e2e2781a8ce48d98e79 + backport: d92238c8b1116bff1babca839d923d345128c202 +13b5f3ee94bdbdc4b5f40582aab62977905aedee: + title: 'drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes' + mainline: 2df7aac81070987b0f052985856aa325a38debf6 + backport: 2c7d6f35aea17924ebb60002a151c8e4909cb226 +296185ef87e6184e364bd9e7c983089b8e606a55: + title: 'm68k: amiga: Turn off Warp1260 interrupts during boot' + mainline: 1d8491d3e726984343dd8c3cdbe2f2b47cfdd928 + backport: 1ac49c559cf87bd78734f326ef6db4c2d876d804 +b80575ffa98b5bb3a5d4d392bfe4c2e03e9557db: + title: 'ext4: check dot and dotdot of dx_root before making dir indexed' + mainline: 50ea741def587a64e08879ce6c6a30131f7111e7 + backport: 4ed99f550b6316ae9cfa1ffdb6c4f053631117e6 +d81d7e347d1f1f48a5634607d39eb90c161c8afe: + title: 'ext4: make sure the first directory block is not a hole' + mainline: f9ca51596bbfd0f9c386dd1c613c394c78d9e5e6 + backport: 839f30000100e2b3fb252f1755c4434cad12da0c +98cf9959a20dc374b7bba4b9357203e54484be58: + title: 'wifi: mwifiex: Fix interface type change' + mainline: a17b9f590f6ec2b9f1b12b1db3bf1d181de6b272 + backport: b9bb3e4e90d4b44dc0667e7e5e24a8c4cd9eb9f5 +db1871789f3018c5b0788318d3b1c685f2decceb: + title: 'leds: ss4200: Convert PCIBIOS_* return codes to errnos' + mainline: ce068e83976140badb19c7f1307926b4b562fac4 + backport: 4e71b875b885df71c21f8f1fa380064b59fdd414 +2e070bec9580702206281fc06178dea4836f2e1f: + title: 'tools/memory-model: Fix bug in lock.cat' + mainline: 4c830eef806679dc243e191f962c488dd9d00708 + skipped: fixes patch not in branch +d48e11483e3eb8ade86c57f4145644725cd33eed: + title: 'hwrng: amd - Convert PCIBIOS_* return codes to errnos' + mainline: 14cba6ace79627a57fb9058582b03f0ed3832390 + backport: 63576e19060aa3b515c02583870bde5d75260ed8 +e9cafb31aa498558d6ff7b28baed894db7d801f3: + title: 'PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN' + mainline: fea93a3e5d5e6a09eb153866d2ce60ea3287a70d + backport: 31754844f0fd1fbfd0a6fd857ec7021240b6d3a3 +229670361c29381b0e1677763590e4dbc209ecbe: + title: 'binder: fix hang of unregistered readers' + mainline: 31643d84b8c3d9c846aa0e20bc033e46c68c7e7d + backport: 080400d0031e6b30ae84fa1722d55cb6a3376f8c +5c9d1ac649469feaab4240c0c1b5920ea8649b50: + title: 'scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds' + mainline: ce2065c4cc4f05635413f63f6dc038d7d4842e31 + backport: 0900cd07eb9119e80a55a97784e8cc1ca6390402 +2d2916516577f2239b3377d9e8d12da5e6ccdfcf: + title: 'f2fs: fix to don''t dirty inode for readonly filesystem' + mainline: 192b8fb8d1c8ca3c87366ebbef599fa80bb626b8 + backport: 27f9505abcdef5527ce43c5c21ecf89bc76f2278 +2f35342e709ccf655c4927aa97cf16944cfe7344: + title: 'clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use' + mainline: a83b22754e351f13fb46596c85f667dc33da71ec + skipped: fixes patch not in branch +29f2c831822fde87b78c73e5db6ecfb106473cff: + title: 'ubi: eba: properly rollback inside self_check_eba' + mainline: 745d9f4a31defec731119ee8aad8ba9f2536dd9a + backport: e38af31723db1861d58b71410895872b72abc272 +16b92b031b4da174342bd909130731c55f20c7ea: + title: 'decompress_bunzip2: fix rare decompression failure' + mainline: bf6acd5d16057d7accbbb1bf7dc6d8c56eeb4ecc + backport: a01900bb7d4f831a50f19c58b1b9e3c9aa9dd9d9 +81a15d28f32af01493ae8c5457e0d55314a4167d: + title: 'kobject_uevent: Fix OOB access within zap_modalias_env()' + mainline: dd6e9894b451e7c85cceb8e9dc5432679a70e7dc + skipped: fixes patch not in branch +e08ec1587f576e55b855449d793eb2a3add54c44: + title: 'rtc: cmos: Fix return value of nvmem callbacks' + mainline: 1c184baccf0d5e2ef4cc1562261d0e48508a1c2b + skipped: fixes patch not in branch +086489256696eb774654a5410e86381c346356fe: + title: 'scsi: qla2xxx: During vport delete send async logout explicitly' + mainline: 76f480d7c717368f29a3870f7d64471ce0ff8fb2 + backport: 930865dbd92b29bc57364695d561c289d693f72d +549aac9655320c9b245a24271b204668c5d40430: + title: 'scsi: qla2xxx: validate nvme_local_port correctly' + mainline: eb1d4ce2609584eeb7694866f34d4b213caa3af9 + skipped: fixes code not in 4.14.y +b4030b619066aa1c20e075ce9382f103e0168145: + title: 'perf/x86/intel/pt: Fix topa_entry base length' + mainline: 5638bd722a44bbe97c1a7b3fae5b9efddb3e70ff + backport: b212bfa809f6d1235bbbb6c491621ce314b073a6 +6d94ca5d571dfdb34f12dc3f63273ea275e8f40c: + title: 'watchdog/perf: properly initialize the turbo mode timestamp and rearm counter' + mainline: f944ffcbc2e1c759764850261670586ddf3bdabb + backport: dbffea43e8b704e5cb23e776be21c12a3e0f0b65 +0818a768c96a10343d08a622906adab54da6e014: + title: 'platform: mips: cpu_hwmon: Disable driver on unsupported hardware' + mainline: f4d430db17b4ef4e9c3c352a04b2fe3c93011978 + backport: 8e28810fed0aaf5624155ae6974d1cc95623edf2 +d91d253c87fd1efece521ff2612078a35af673c6: + title: 'RDMA/iwcm: Fix a use-after-free related to destroying CM IDs' + mainline: aee2424246f9f1dadc33faa78990c1e2eb7826e4 + backport: b4099074459a9baa637aba3a5fa6d814f32e5eb2 +8010e0748cca059187021d194bb6d883d159e172: + title: 'selftests/sigaltstack: Fix ppc64 GCC build' + mainline: 17c743b9da9e0d073ff19fd5313f521744514939 + backport: 0a35556f0aa6435749d819919639e400943a3430 +19cce46238ffe3546e44b9c74057103ff8b24c62: + title: 'nilfs2: handle inconsistent state in nilfs_btnode_create_block()' + mainline: 4811f7af6090e8f5a398fbdd766f903ef6c0d787 + backport: 0e318baa084d870466c8cefaab8d2689e56d21e7 +b15593e2904d2ff0094b7170f806dba0eeefac75: + title: 'kdb: Fix bound check compiler warning' + mainline: ca976bfb3154c7bc67c4651ecd144fdf67ccaee7 + backport: 2527458f09eb86ba89b673081c8a408c8a3f7591 +22a100556ceab8b906ad180788bd6bdc07390f50: + title: 'kdb: address -Wformat-security warnings' + mainline: 70867efacf4370b6c7cdfc7a5b11300e9ef7de64 + backport: fbcf6bbfac542e249d92ce80277a03dde0699305 +90f2409c1d552f27a2b2bf8dc598d147c4173128: + title: 'kdb: Use the passed prompt in kdb_position_cursor()' + mainline: e2e821095949cde46256034975a90f88626a2a73 + backport: 4925aa995a5cf9f49c04fdd1257b1d8f341dd4f5 +55b732c8b09b41148eaab2fa8e31b0af47671e00: + title: 'jfs: Fix array-index-out-of-bounds in diFree' + mainline: f73f969b2eb39ad8056f6c7f3a295fa2f85e313a + backport: 4c2dc9502e8728f3a9ba9029aeaa08fc01e420d1 +fe2d246080f035e0af5793cb79067ba125e4fb63: + title: 'dma: fix call order in dmam_free_coherent' + mainline: 28e8b7406d3a1f5329a03aa25a43aa28e087cb20 + backport: 5a9dbd8f70793aba9e12d6d5216ce45cd9597a78 +3213ac4e85945c54350ac06c09902d1c82211100: + title: 'MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later' + mainline: a263e5f309f32301e1f3ad113293f4e68a82a646 + backport: 1184f039bc84987937ac8144df7a5daaffb0795c +0e8712254b48a7c6ebb76dce414a9539e772d406: + title: 'net: ip_rt_get_source() - use new style struct initializer instead of memset' + mainline: e351bb6227fbe2bb5da6f38a4cf5bd18810b0557 + backport: 5b3e5dc382a0cab89cea2c533a0e5b65ae4d686e +5c65e55e41e1300c4ebf4dda22a704b2beed2423: + title: 'ipv4: Fix incorrect source address in Record Route option' + mainline: cc73bbab4b1fb8a4f53a24645871dafa5f81266a + backport: ef5a6f1d6d270c55e210ed3775352ff75e2aa48e +6c9261a2bdf614b376dbefa01e0c6bb32d14e019: + title: 'net: bonding: correctly annotate RCU in bond_should_notify_peers()' + mainline: 3ba359c0cd6eb5ea772125a7aededb4a2d516684 + backport: f204855673caa3a17b49c8b9642edcd269a4fac7 +7ec3335dd89c8d169e9650e4bac64fde71fdf15b: + title: 'tipc: Return non-zero value from tipc_udp_addr2str() on error' + mainline: fa96c6baef1b5385e2f0c0677b32b3839e716076 + backport: 1ae654c0cdf7bfcd142367568d3a1afbed7d54e8 +70db2c84631f50e02e6b32b543700699dd395803: + title: 'mISDN: Fix a use after free in hfcmulti_tx()' + mainline: 61ab751451f5ebd0b98e02276a44e23a10110402 + backport: 70609fe847bf6600554b6f511b10015f76834d58 +2b2d2b8766db028bd827af34075f221ae9e9efff: + title: 'mm: avoid overflows in dirty throttling logic' + mainline: 385d838df280eba6c8680f9777bfa0d0bfe7e8b2 + backport: 1967ea8b282b3b05c9da41c1e2426c3bfb04bf54 +11f71f0c562dbfbc3f3e2c56053bca42f7e8d71c: + title: 'PCI: rockchip: Make ''ep-gpios'' DT property optional' + mainline: 58adbfb3ebec460e8b58875c682bafd866808e80 + backport: aff1d3ed73ce5882235d9f42c4510c642b9e1dac +8de378d17e5b737907c04acc2fab6d966a129f70: + title: 'PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio' + mainline: 840b7a5edf88fe678c60dee88a135647c0ea4375 + backport: 5a659bbb75dd76c32388a8b4c8ea8dff2aa79c12 +f1af18ba5925abb275de8bf387fceb9fbf93a096: + title: 'parport: parport_pc: Mark expected switch fall-through' + mainline: aa1f0fa374ed23528b915a693a11b0f275a299c0 + backport: d34a87ca6e4c611b125d238c3a56b712a612acd6 +cb2a998b88d173ec23423fa13ae2da463449728a: + title: 'parport: Convert printk(KERN_ to pr_(' + mainline: decf26f6ec25dac868782dc1751623a87d147831 + backport: af0192bb58b539ec732125a76fe4d69660147cca +884ab25dbf115938facb91be85ffed9266e26f8b: + title: 'parport: Standardize use of printmode' + mainline: a6abfdff4fe5dd19d1f1b37d72ba34cd4492fd4d + backport: 4582fe6f2d5fddcf7a63b59b666e8837f2cecf9a +166a0bddcc27de41fe13f861c8348e8e53e988c8: + title: 'dev/parport: fix the array out-of-bounds risk' + mainline: ab11dac93d2d568d151b1918d7b84c2d02bacbd5 + backport: 598e7acd167941653c0a54d5732bad40db488504 +b9c258b2a02ba8d6d004f45a1eafa23fd810746b: + title: 'driver core: Cast to (void *) with __force for __percpu pointer' + mainline: d7aa44f5a1f86cb40659eef06035d8d92604b9d5 + backport: bdec7b3d4ccbcbd78fd4b6a2c6fe7a849754af52 +700e8abd65b10792b2f179ce4e858f2ca2880f85: + title: 'devres: Fix memory leakage caused by driver API devm_free_percpu()' + mainline: bd50a974097bb82d52a458bd3ee39fb723129a0c + backport: 9b6f7f34aae733309a35d9990d4a0cdf2d2eea3b +bea2d4588e90f56da62b0dd9099484a42498b08a: + title: 'perf/x86/intel/pt: Export pt_cap_get()' + mainline: f6d079ce867d679e4dffef5b3112c7634215fd88 + backport: 9ce7856eccc159df29f62b1e5ff0c6239422bf63 +e3fb71f7ecbf87228148c3287eac965927ef49be: + title: 'perf/x86/intel/pt: Use helpers to obtain ToPA entry size' + mainline: fffec50f541ace292383c0cbe9a2a97d16d201c6 + backport: 2de7be6b1893e070e92da91bbaa35ce22950b189 +67968b8c7603007751f140f3f9f8aa8e64fc26b2: + title: 'perf/x86/intel/pt: Use pointer arithmetics instead in ToPA entry calculation' + mainline: 539f7c26b41d4ed7d88dd9756de3966ae7ca07b4 + backport: ab03429ae696126f00509dac54b632bfb2282240 +e9d9ec1019a90aafdb54765a3b46f36f402b481a: + title: 'perf/x86/intel/pt: Split ToPA metadata and page layout' + mainline: 38bb8d77d0b932a0773b5de2ef42479409314f96 + backport: a87ac310cc99adff1aa8315d829ce984dfc0cda6 +418f7db13405953c2d9223275d365d9828169076: + title: 'perf/x86/intel/pt: Fix a topa_entry base address calculation' + mainline: ad97196379d0b8cb24ef3d5006978a6554e6467f + backport: d6c356954a61ce5a5f851b9aa858f9d906e4228d +35df377f38fb516111933f132b51a386b4d4892f: + title: 'remoteproc: imx_rproc: ignore mapping vdev regions' + mainline: 8f2d8961640f0346cbe892273c3260a0d30c1931 + backport: 5d99fd6160cb1a1ecd0163220164b8d1fe2cecf6 +a80423f6566bc5085d6bbdd2acdb80aa20c0e915: + title: 'remoteproc: imx_rproc: Fix ignoring mapping vdev regions' + mainline: afe670e23af91d8a74a8d7049f6e0984bbf6ea11 + backport: c1239a005bbf4c6b43aec1155ac3d8466b640051 +6884fd0283e0831be153fb8d82d9eda8a55acaaa: + title: 'remoteproc: imx_rproc: Skip over memory region when node value is NULL' + mainline: 2fa26ca8b786888673689ccc9da6094150939982 + backport: 3e1715ba7291483690f92608e08aba0d12c5ef70 +6f4bc8b021d3436e5dda88350d8e0ac3c8df400f: + title: 'drm/vmwgfx: Fix overlay when using Screen Targets' + mainline: cb372a505a994cb39aa75acfb8b3bcf94787cf94 + backport: 4aff76137ef2fa40ec1f424eb8e743673ffe5434 +84f40b46787ecb67c7ad08a5bb1376141fa10c01: + title: 'net/iucv: fix use after free in iucv_sock_close()' + mainline: f558120cd709682b739207b48cf7479fd9568431 + backport: 582d87d965d3600b178bbaf8947523e5478da1d1 +97a4f78feadc431a050cc26355f95ac3d73a4d4c: + title: 'ipv6: fix ndisc_is_useropt() handling for PIO' + mainline: a46c68debf3be3a477a69ccbf0a1d050df841676 + backport: c04add3c9adf1402f47ff8f51dd2ee533e863a00 +ed42e8ff509d2a61c6642d1825032072dab79f26: + title: protect the fetch of ->fd[fd] in do_dup2() from mispredictions + mainline: 8aa37bde1a7b645816cda8b80df4753ecf172bf1 + backport: f4c005cc381764f082f66825073bb6c43f54fe14 +f4eb853103674698416ba66d41317b1d869d4bdc: + title: 'ALSA: usb-audio: Correct surround channels in UAC1 channel map' + mainline: b7b7e1ab7619deb3b299b5e5c619c3e6f183a12d + backport: 71a0712ba842211e6dc1a4f7e91dd6c7502eebe5 +9f04dbd139aa1988fc8b7984ffbce7849be73f21: + title: 'net: usb: sr9700: fix uninitialized variable use in sr_mdio_read' + mainline: 08f3a5c38087d1569e982a121aad1e6acbf145ce + backport: 3f465b02b4b919181c45ef14fe5ca3638b87ac5c +2f61f0c6b7411212acd6490c5629b0049e8eaefa: + title: 'irqchip/mbigen: Fix mbigen node address layout' + mainline: 6be6cba9c4371d27f78d900ccfe34bb880d9ee20 + backport: 6f4e6f1f7e5d27fa977d9900aba67c9cc3c15d4e +18da1b27ce16a14a9b636af9232acb4fb24f4c9e: + title: 'x86/mm: Fix pti_clone_pgtable() alignment assumption' + mainline: 41e71dbb0e0a0fe214545fe64af031303a08524c + skipped: fixes patch not in branch +3c90a69533b5bba73401ef884d033ea49ee99662: + title: 'net: usb: qmi_wwan: fix memory leak for not ip packets' + mainline: 7ab107544b777c3bd7feb9fe447367d8edd5b202 + backport: 193653bb5bb78ddaa2698760912db0248833cccc +3840189e4619af11f558e6faff80813f008246a6: + title: 'net: linkwatch: use system_unbound_wq' + mainline: 3e7917c0cdad835a5121520fc5686d954b7a61ab + backport: 928a0513e3f0353f456c9734695c47a94f423c54 +64f4938368f4be563b7652d6b18d37b317913b47: + title: 'Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()' + mainline: c531e63871c0b50c8c4e62c048535a08886fba3e + backport: 0c7df8f6eff3aa1044d3f97dd249112dc4301778 +7762f5317db83b70099ed1b2c100df54abddaec1: + title: 'net: fec: Stop PPS on driver remove' + mainline: 8fee6d5ad5fa18c270eedb2a2cdf58dbadefb94b + backport: 20cb64898909ba7ccad47d1e52e980ba859c29c0 +2c92f8c1c456d556f15cbf51667b385026b2e6a0: + title: 'md/raid5: avoid BUG_ON() while continue reshape after reassembling' + mainline: 305a5170dc5cf3d395bb4c4e9239bca6d0b54b49 + backport: a10b1779aca24535b14edba941cb59fbd35ce7c9 +026befb502ce41384e5119df12c9f2d4067cb23c: + title: 'clocksource/drivers/sh_cmt: Address race condition for clock events' + mainline: db19d3aa77612983a02bd223b3f273f896b243cf + backport: f9ec6971715991696e49430547551697f1153be6 +a35a163cd56b583ef698eadef9b856b0fe6e2727: + title: 'PCI: Add Edimax Vendor ID to pci_ids.h' + mainline: eee5528890d54b22b46f833002355a5ee94c3bb4 + backport: ca0a3431163788b838bdccff1eac2b84a30bee91 +097420e48e30f51e8f4f650b5c946f5af63ec1a3: + title: 'udf: prevent integer overflow in udf_bitmap_free_blocks()' + mainline: 56e69e59751d20993f243fb7dd6991c4e522424c + backport: 12ce9c96b15650623040f0d999b91b5d12f9936f +f4d99b55dca90ca703bdd57ee8d557cd8d6c1639: + title: 'wifi: nl80211: don''t give key data to userspace' + mainline: a7e5793035792cc46a1a4b0a783655ffa897dfe9 + backport: a253db7576fd90aaa15b1dabec335f2f9df7c21e +fad0bb34cfcea693903409356693988f04715b8e: + title: 'btrfs: fix bitmap leak when loading free space cache on duplicate entry' + mainline: 320d8dc612660da84c3b70a28658bb38069e5a9a + backport: dd102bb94b5dba7e5376f09504503f3bc2cf16da +019f538f9fe0b48bb436135edba69aa3a5156cdb: + title: 'media: uvcvideo: Ignore empty TS packets' + mainline: 5cd7c25f6f0576073b3d03bc4cfb1e8ca63a1195 + backport: feddc92ee4859f5e6c5a69135f94547740b292a9 +eada6212c055089962ca3ee7b8ab11d8f4d0e4f5: + title: 'media: uvcvideo: Fix the bandwdith quirk on USB 3.x' + mainline: 9e3d55fbd160b3ca376599a68b4cddfdc67d4153 + backport: 00a39f4e0adbb1b194e0a1ba2219e26c57042dc7 +831db95409cc12589c14a71b9bf6c3e7f70bf5a0: + title: 'jbd2: avoid memleak in jbd2_journal_write_metadata_buffer' + mainline: cc102aa24638b90e04364d64e4f58a1fa91a1976 + backport: 82f1f40db08d606f0538e4a88e06a919b8656645 +7a7e60ed23d471a07dbbe72565d2992ee8244bbe: + title: 's390/sclp: Prevent release of buffer in I/O' + mainline: bf365071ea92b9579d5a272679b74052a5643e35 + skipped: fixes code not in 4.14.y +06d281f0ad7504e9f250c6a9ef78d9e48cea5717: + title: 'SUNRPC: Fix a race to wake a sync task' + mainline: ed0172af5d6fc07d1b40ca82f5ca3979300369f7 + backport: 6062fd1ee48c6cb081cbc525e31fd43fa9632dbc +585b8d86c39882425f737b800e7552fb42a4785f: + title: 'ext4: fix wrong unit use in ext4_mb_find_by_goal' + mainline: 99c515e3a860576ba90c11acbc1d6488dfca6463 + backport: fb37e57b6e2f8217b201737f10af809289674469 +ced08f48bdc3f7d4b13d9355283cfeee523220ce: + title: 'arm64: Add support for SB barrier and patch in over DSB; ISB sequences' + mainline: bd4fb6d270bc423a9a4098108784f7f9254c4e6d + skipped: new feature +6ad94963c7bf76085eaf852a104afa0a272a7c3c: + title: 'arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-space' + mainline: 237405ebef580a7352a52129b2465c117145eafa + skipped: new feature +ab807f3011075a045c2e6944a3c5fc22ed29532d: + title: 'arm64: Add Neoverse-V2 part' + mainline: f4d9d9dcc70b96b5e5d7801bd5fbf8491b07b13d + skipped: new feature +622c917154477948203f7f0871dbf528f48635cc: + title: 'arm64: cputype: Add Cortex-X4 definitions' + mainline: 02a0a04676fa7796d9cbc9eb5ca120aaa194d2dd + skipped: new feature +588fd573491287b3ebc84c51cfb6b357bdb9a002: + title: 'arm64: cputype: Add Neoverse-V3 definitions' + mainline: 0ce85db6c2141b7ffb95709d76fc55a27ff3cdc1 + skipped: new feature +213506584d4422288b73d1f99097a5fc39207b46: + title: 'arm64: errata: Add workaround for Arm errata 3194386 and 3312417' + mainline: 7187bb7d0b5c7dfa18ca82e9e5c75e13861b1d88 + skipped: new feature +a11ef811b9763002b41ad44185654f8e70da68d5: + title: 'arm64: cputype: Add Cortex-X3 definitions' + mainline: be5a6f238700f38b534456608588723fba96c5ab + skipped: new feature +b1759d12e00cbced653c450adc2bfa9c04ce3cc2: + title: 'arm64: cputype: Add Cortex-A720 definitions' + mainline: add332c40328cf06fe35e4b3cde8ec315c4629e5 + skipped: new feature +9c376afba7d9a787f8452052dc3af479253c5678: + title: 'arm64: cputype: Add Cortex-X925 definitions' + mainline: fd2ff5f0b320f418288e7a1f919f648fbc8a0dfc + skipped: new feature +023c0f2e7f168e0c9e6f04c126d404bef6ca3130: + title: 'arm64: errata: Unify speculative SSBS errata logic' + mainline: ec768766608092087dfb5c1fc45a16a6f524dee2 + skipped: new feature +873b451ffbd4a438d470ec1c95aba110610c09cd: + title: 'arm64: errata: Expand speculative SSBS workaround' + mainline: 75b3c43eab594bfbd8184ec8ee1a6b820950819a + skipped: new feature +e9a2bed4156d0504ad19cdf283194d63909b8d7c: + title: 'arm64: cputype: Add Cortex-X1C definitions' + mainline: 58d245e03c324d083a0ec3b9ab8ebd46ec9848d7 + skipped: new feature +6dbc0fbaa6f3db35c1ae78e381fa5f06327f0acf: + title: 'arm64: cputype: Add Cortex-A725 definitions' + mainline: 9ef54a384526911095db465e77acc1cb5266b32c + skipped: new feature +236f749edbd6c194f6dc8bd1393c8e56fd773f32: + title: 'arm64: errata: Expand speculative SSBS workaround (again)' + mainline: adeec61a4723fd3e39da68db4cc4d924e6d7f641 + skipped: new feature +6adca954fc039151ef4f9c1ea1f201e12a24593d: + title: 'i2c: smbus: Don''t filter out duplicate alerts' + mainline: dca0dd28fa5e0a1ec41a623dbaf667601fc62331 + backport: 7a346f1ce3ab37134f2365ab6a74422747285fdb +9540badee607a99cc07bddbd0a7d4a01fd3b9661: + title: 'i2c: smbus: Improve handling of stuck alerts' + mainline: 37c526f00bc1c4f847fc800085f8f009d2e11be6 + backport: c364d250ada36665ea06f204449d1162cb5e1432 +3b20631d0704fe4f6bf4cf9a49fd19871ebaeffb: + title: 'i2c: smbus: Send alert notifications to all devices if source not found' + mainline: f6c29f710c1ff2590109f83be3e212b86c01e0f3 + backport: a0bb631d7d0a1773ebbb427ac8564ae8818b4dfe +0b8cf71c2c1b9a6e8f7acd620d8e4b0c24a12920: + title: 'bpf: kprobe: remove unused declaring of bpf_kprobe_override' + mainline: 0e8b53979ac86eddb3fd76264025a70071a25574 + skipped: fixes patch not in branch +bebc69b574d6a3c54e8951dd891e78a20e2a3f54: + title: 'spi: lpspi: Replace all "master" with "controller"' + mainline: 07d71557494c05b0651def1651bf6d7e7f47bbbb + backport: 0ef61696a9fff3915fb5aa6f7bb9f89682d10ad9 +b1b5a04eadd9b786dcd4bc82e726498a8f6fd50a: + title: 'spi: lpspi: Add slave mode support' + mainline: bcd87317aae26b9ac497cbc1232783aaea1aeed4 + backport: 12bfab716ae4cd47449d7636a25326099daa10a9 +8f8b12339ef7cc8e15989f6445aad5a9bf8c00f5: + title: 'spi: lpspi: Let watermark change with send data length' + mainline: cf86874bb9bdb99ba3620428b59b0408fbc703d0 + backport: 6a6c19da1d3917fc8c51d2fd69b667a5e7b192ec +0b536d6c52a88b6a5a7f40d1ac91ffe170b8df87: + title: 'spi: lpspi: Add i.MX8 boards support for lpspi' + mainline: f5e5afdb0e56e81123e02b6a64dd32adc19a90d4 + backport: dc2d2de15c66a8e41275b4d59e6082955e477991 +3bb46e26783c3c86e67172f695908a066be69e12: + title: 'spi: lpspi: add the error info of transfer speed setting' + mainline: 77736a98b859e2c64aebbd0f90b2ce4b17682396 + backport: 030b58b3539d0fdccf6284113c29f60c76b60916 +da6cc32c245500f417e4b96d67722b8a0a07fd94: + title: 'spi: fsl-lpspi: remove unneeded array' + mainline: 2fa98705a9289c758b6154a22174aa8d4041a285 + backport: d859e0255cb169a2d7aa96b42defafd7c515df0c +81964823116357a636201afa4010fa30f050446e: + title: 'spi: spi-fsl-lpspi: Fix scldiv calculation' + mainline: 730bbfaf7d4890bd99e637db7767dc68cfeb24e7 + backport: dcde078eb1be234c810305963c845eaa63f20813 +643293b68fbb6c03f5e907736498da17d43f0d81: + title: 'ALSA: line6: Fix racy access to midibuf' + mainline: 15b7a03205b31bc5623378c190d22b7ff60026f1 + backport: 9ab8902f51b8ac3c51666922a9719c1e4d81f105 +5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89: + title: 'usb: vhci-hcd: Do not drop references before new references are gained' + mainline: afdcfd3d6fcdeca2735ca8d994c5f2d24a368f0a + backport: d41cf1c7bc4e9706d684d3fb2c24046f673ffb78 +1907ed1be026c771086e6adc560f38dc50e82382: + title: 'USB: serial: debug: do not echo input by default' + mainline: 00af4f3dda1461ec90d892edc10bec6d3c50c554 + backport: 95314b1272d1d96f5737c5b1e208fabd1128db3c +ba15815dd24cc5ec0d23e2170dc58c7db1e03b4a: + title: 'usb: gadget: core: Check for unset descriptor' + mainline: 973a57891608a98e894db2887f278777f564de18 + backport: 551fbbddb6f5ff52bdb1c0cdb3d096e359e088da +c4da5b5deb343346909920c41645ad85adff4c6c: + title: 'scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic' + mainline: ab9fd06cb8f0db0854291833fc40c789e43a361f + backport: b41af170f9ad55d4780688b92c032579655218fe +f54abf332a2bc0413cfa8bd6a8511f7aa99faea0: + title: 'tick/broadcast: Move per CPU pointer access into the atomic section' + mainline: 6881e75237a84093d0986f56223db3724619f26e + backport: 6fad54cc7a6c8c4750209bfcff1b54dd60b086db +9dfe2eef1ecfbb1f29e678700247de6010784eb9: + title: 'ntp: Clamp maxerror and esterror to operating range' + mainline: 87d571d6fb77ec342a985afa8744bb9bb75b3622 + backport: 07f7f40df90538c4bacb06d64ededc68b6d6e9bf +49ea4e0d862632d51667da5e7a9c88a560e9c5a1: + title: 'driver core: Fix uevent_show() vs driver detach race' + mainline: 15fffc6a5624b13b428bb1c6e9088e32a55eb82c + backport: c72f8e96b8386d50894df2faed9718d7cbfc312d +a13f8b269b6f4c9371ab149ecb65d2edb52e9669: + title: 'ntp: Safeguard against time_constant overflow' + mainline: 06c03c8edce333b9ad9c6b207d93d3a5ae7c10c0 + backport: 53390d85b1f4fca100eca68612fe9ae736ef5caf +3bbd90fca824e6fd61fb20f6dd2b0fa5f8b14bba: + title: 'serial: core: check uartclk for zero to avoid divide by zero' + mainline: 6eabce6608d6f3440f4c03aa3d3ef50a47a3d193 + backport: 1d33b86b2b99774eae26926b2f5f4900f826638f +f1aa9f19da35f72ce8ec3196f0a7bc06e296aaeb: + title: 'power: supply: axp288_charger: Fix constant_charge_voltage writes' + mainline: b34ce4a59cfe9cd0d6f870e6408e8ec88a964585 + backport: d9b1fa9a24e5ba3115a289421d535abf954efd7a +e3cb8400a72a9e5e25365d380b290cdd50ccdb5c: + title: 'power: supply: axp288_charger: Round constant_charge_voltage writes down' + mainline: 81af7f2342d162e24ac820c10e68684d9f927663 + backport: bd9bfbcc05c1c7af22dfa9ca8b2ff1d6395db661 +302ceb625d7b990db205a15e371f9a71238de91c: + title: 'tracing: Fix overflow in get_free_elt()' + mainline: bcf86c01ca4676316557dd482c8416ece8c2e143 + backport: b28271a4428daf3c20b71a8e7cf218a4c38c698b +34f36e6ee5bd7eff8b2adcd9fcaef369f752d82e: + title: 'x86/mtrr: Check if fixed MTRRs exist before saving them' + mainline: 919f18f961c03d6694aa726c514184f2311a4614 + backport: 4f0b886693fe2a82d8896cd431eb529777e1bbdc +52f05898629b25fc382754d837be624205ce67f8: + title: 'drm/bridge: analogix_dp: properly handle zero sized AUX transactions' + mainline: e82290a2e0e8ec5e836ecad1ca025021b3855c2d + backport: 5dfe0cc24eab4d1e640e3cfc7ef155216fb29f2a +7db72e8e538e10afefe589d6203ffb4f5a1cbd9a: + title: 'drm/mgag200: Set DDC timeout in milliseconds' + mainline: ecde5db1598aecab54cc392282c15114f526f05f + backport: e391c9f51faaf4a35bb29343af0d29164938363a +9dd6e5296c8ad1bbb88933b8150383bc0eba9488: + title: 'kbuild: Fix ''-S -c'' in x86 stack protector scripts' + mainline: 3415b10a03945b0da4a635e146750dfe5ce0f448 + backport: 6bd6cf1374f27ba771760e53caf8c276e794b638 +61fbbac22c8ce73d0c492caf45a286c3f021c0fd: + title: 'netfilter: nf_tables: set element extended ACK reporting support' + mainline: b53c116642502b0c85ecef78bff4f826a7dd4145 + backport: 9aee9974b20b6907210221aba005ec36135348a4 +f8dfda798650241c1692058713ca4fef8e429061: + title: 'netfilter: nf_tables: use timestamp to check for set element timeout' + mainline: 7395dfacfff65e9938ac0889dafa1ab01e987d15 + skipped: too risky to backport +1947e4c3346faa8ac7e343652c0fd3b3e394202f: + title: 'netfilter: nf_tables: prefer nft_chain_validate' + mainline: cff3bd012a9512ac5ed858d38e6ed65f6391008c + skipped: missing nft_chain_validate() and related code +5e1d9d92c5ef03c177422262cce31863af964ef3: + title: 'arm64: cpufeature: Fix the visibility of compat hwcaps' + mainline: 85f1506337f0c79a4955edfeee86a18628e3735f + skipped: (unknown reason) +92d206c404e4b1780a7d188aac2c7c34c3f15ac3: + title: 'media: uvcvideo: Use entity get_cur in uvc_ctrl_set' + mainline: 5f36851c36b30f713f588ed2b60aa7b4512e2c76 + skipped: revert fixed patch instead +3e06073d24807f04b4694108a8474decb7b99e60: + title: 'drm/i915/gem: Fix Virtual Memory mapping boundaries calculation' + mainline: 8bdd9ef7e9b1b2a73e394712b72b22055e0e26c3 + backport: 3ccfe379cab98c308e84733885655b1c7c956b80 +d5c3c7e26275a2d83b894d30f7582a42853a958f: + title: 'exec: Fix ToCToU between perm check and set-uid/gid usage' + mainline: f50733b45d865f91db90919f8311e2127ce5a0cb + backport: 02acb3b20db4e8372b854be6ce9846446def401c +9cc0878c7d7f12c10b3cc40197668816c918b465: + title: 'nvme/pci: Add APST quirk for Lenovo N60z laptop' + mainline: ab091ec536cb7b271983c0c063b17f62f3591583 + backport: 92af3424a5a42e8014f39c82996fe01a8ba6aaf0 diff --git a/Makefile b/Makefile index 1c92795b18c7..94fbe13542df 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ # SPDX-License-Identifier: GPL-2.0 VERSION = 4 PATCHLEVEL = 14 -SUBLEVEL = 352 +SUBLEVEL = 353 EXTRAVERSION = -openela NAME = Petit Gorille