commit 3d7cb6b04c3f3115719235cc6866b10326de34cd Author: Linus Torvalds Date: Sun Jul 31 14:03:01 2022 -0700 Linux 5.19 commit 334c0ef6429f261c7f53dc035632435ffbc0c60d Merge: 89caf575400a9 8dc592c41f387 Author: Linus Torvalds Date: Sun Jul 31 09:52:20 2022 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fix from Stephen Boyd: "One-liner fix of a NULL pointer deref in the Allwinner clk driver" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: sunxi-ng: Fix H6 RTC clock definition commit 89caf575400a9296e45b7de97b07d2fbf249c1f5 Merge: 5e4823e6dab8f ea304a8b89fd0 Author: Linus Torvalds Date: Sun Jul 31 09:26:53 2022 -0700 Merge tag 'x86_urgent_for_v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: - Update the 'mitigations=' kernel param documentation - Check the IBPB feature flag before enabling IBPB in firmware calls because cloud vendors' fantasy when it comes to creating guest configurations is unlimited - Unexport sev_es_ghcb_hv_call() before 5.19 releases now that HyperV doesn't need it anymore - Remove dead CONFIG_* items * tag 'x86_urgent_for_v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: docs/kernel-parameters: Update descriptions for "mitigations=" param with retbleed x86/bugs: Do not enable IBPB at firmware entry when IBPB is not available Revert "x86/sev: Expose sev_es_ghcb_hv_call() for use by HyperV" x86/configs: Update configs in x86_debug.config commit 5e4823e6dab8fcc897757c1be68d157a369e4bb5 Merge: cd2715b7929bc 6eebd5fb20838 Author: Linus Torvalds Date: Sun Jul 31 09:21:13 2022 -0700 Merge tag 'locking_urgent_for_v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fix from Borislav Petkov: - Avoid rwsem lockups in certain situations when handling the handoff bit * tag 'locking_urgent_for_v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking/rwsem: Allow slowpath writer to ignore handoff bit if not set by first waiter commit cd2715b7929bcaf6e38d13ac512e0a9bba8df10d Merge: 6a010258447d3 5e2805d537961 Author: Linus Torvalds Date: Sun Jul 31 09:12:58 2022 -0700 Merge tag 'edac_urgent_for_v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras Pull EDAC fixes from Borislav Petkov: - Relax the condition under which the DIMM label in ghes_edac is set in order to accomodate an HPE BIOS which sets only the device but not the bank - Two forgotten fixes to synopsys_edac when handling error interrupts * tag 'edac_urgent_for_v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/ras/ras: EDAC/ghes: Set the DIMM label unconditionally EDAC/synopsys: Re-enable the error interrupts on v3 hw EDAC/synopsys: Use the correct register to disable the error interrupt on v3 hw commit 6a010258447d386186ca10cd374d888ac66ffe1a Merge: 620725263f422 ec85bd369fd2b Author: Linus Torvalds Date: Sat Jul 30 17:24:16 2022 -0700 Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: "Last set of ARM fixes for 5.19: - fix for MAX_DMA_ADDRESS overflow - fix for find_*_bit performing an out of bounds memory access" * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: findbit: fix overflowing offset ARM: 9216/1: Fix MAX_DMA_ADDRESS overflow commit 6eebd5fb20838f5971ba17df9f55cc4f84a31053 Author: Waiman Long Date: Wed Jun 22 16:04:19 2022 -0400 locking/rwsem: Allow slowpath writer to ignore handoff bit if not set by first waiter With commit d257cc8cb8d5 ("locking/rwsem: Make handoff bit handling more consistent"), the writer that sets the handoff bit can be interrupted out without clearing the bit if the wait queue isn't empty. This disables reader and writer optimistic lock spinning and stealing. Now if a non-first writer in the queue is somehow woken up or a new waiter enters the slowpath, it can't acquire the lock. This is not the case before commit d257cc8cb8d5 as the writer that set the handoff bit will clear it when exiting out via the out_nolock path. This is less efficient as the busy rwsem stays in an unlock state for a longer time. In some cases, this new behavior may cause lockups as shown in [1] and [2]. This patch allows a non-first writer to ignore the handoff bit if it is not originally set or initiated by the first waiter. This patch is shown to be effective in fixing the lockup problem reported in [1]. [1] https://lore.kernel.org/lkml/20220617134325.GC30825@techsingularity.net/ [2] https://lore.kernel.org/lkml/3f02975c-1a9d-be20-32cf-f1d8e3dfafcc@oracle.com/ Fixes: d257cc8cb8d5 ("locking/rwsem: Make handoff bit handling more consistent") Signed-off-by: Waiman Long Signed-off-by: Peter Zijlstra (Intel) Acked-by: John Donnelly Tested-by: Mel Gorman Link: https://lore.kernel.org/r/20220622200419.778799-1-longman@redhat.com commit 620725263f4222b3c94d4ee19846835feec0ad69 Merge: 8a91f86f3e9e9 8a295dbbaf729 Author: Linus Torvalds Date: Fri Jul 29 21:02:35 2022 -0700 Merge tag 'mm-hotfixes-stable-2022-07-29' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "Two hotfixes, both cc:stable" * tag 'mm-hotfixes-stable-2022-07-29' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: mm/hmm: fault non-owner device private entries page_alloc: fix invalid watermark check on a negative value commit 8a91f86f3e9e9608210166c70aaad4919018c0e7 Merge: e65c6a46df94c eda3953b6a805 Author: Linus Torvalds Date: Fri Jul 29 16:07:35 2022 -0700 Merge tag 'block-5.19-2022-07-29' of git://git.kernel.dk/linux-block Pull block fix from Jens Axboe: "Just a single fix for NVMe, yet another quirk addition" * tag 'block-5.19-2022-07-29' of git://git.kernel.dk/linux-block: nvme-pci: Crucial P2 has bogus namespace ids commit e65c6a46df94c8d76ea1129eb2d4564670c6f214 Merge: 1c8ac1c4af178 ce156c8a1811c Author: Linus Torvalds Date: Fri Jul 29 13:25:31 2022 -0700 Merge tag 'drm-fixes-2022-07-30' of git://anongit.freedesktop.org/drm/drm Pull more drm fixes from Dave Airlie: "Maxime had the dog^Wmailing list server eat his homework^Wmisc pull request. Two more small fixes, one in nouveau svm code and the other in simpledrm. nouveau: - page migration fix simpledrm: - fix mode_valid return value" * tag 'drm-fixes-2022-07-30' of git://anongit.freedesktop.org/drm/drm: nouveau/svm: Fix to migrate all requested pages drm/simpledrm: Fix return type of simpledrm_simple_display_pipe_mode_valid() commit ce156c8a1811c96a243590abd0e9b5a3b72c1f3a Merge: f16a2f593d009 66cee9097e2b7 Author: Dave Airlie Date: Sat Jul 30 06:09:48 2022 +1000 Merge tag 'drm-misc-fixes-2022-07-29' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes One fix to fix simpledrm mode_valid return value, and one for page migration in nouveau Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20220729094514.sfzhc3gqjgwgal62@penduick commit 1c8ac1c4af178ebcdf6fd4a0ba11716e2c814593 Merge: bb83c99d3d0aa f5c2976e0cb0f Author: Linus Torvalds Date: Fri Jul 29 13:07:03 2022 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Four fixes, three in drivers. The two biggest fixes are ufs and the remaining driver and core fix are small and obvious (and the core fix is low risk)" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: ufs: core: Fix a race condition related to device management scsi: core: Fix warning in scsi_alloc_sgtables() scsi: ufs: host: Hold reference returned by of_parse_phandle() scsi: mpt3sas: Stop fw fault watchdog work item during system shutdown commit ea304a8b89fd0d6cf94ee30cb139dc23d9f1a62f Author: Eiichi Tsukata Date: Thu Jul 28 04:39:07 2022 +0000 docs/kernel-parameters: Update descriptions for "mitigations=" param with retbleed Updates descriptions for "mitigations=off" and "mitigations=auto,nosmt" with the respective retbleed= settings. Signed-off-by: Eiichi Tsukata Signed-off-by: Borislav Petkov Cc: corbet@lwn.net Link: https://lore.kernel.org/r/20220728043907.165688-1-eiichi.tsukata@nutanix.com commit 8a295dbbaf7292c582a40ce469c326f472d51f66 Author: Ralph Campbell Date: Mon Jul 25 11:36:14 2022 -0700 mm/hmm: fault non-owner device private entries If hmm_range_fault() is called with the HMM_PFN_REQ_FAULT flag and a device private PTE is found, the hmm_range::dev_private_owner page is used to determine if the device private page should not be faulted in. However, if the device private page is not owned by the caller, hmm_range_fault() returns an error instead of calling migrate_to_ram() to fault in the page. For example, if a page is migrated to GPU private memory and a RDMA fault capable NIC tries to read the migrated page, without this patch it will get an error. With this patch, the page will be migrated back to system memory and the NIC will be able to read the data. Link: https://lkml.kernel.org/r/20220727000837.4128709-2-rcampbell@nvidia.com Link: https://lkml.kernel.org/r/20220725183615.4118795-2-rcampbell@nvidia.com Fixes: 08ddddda667b ("mm/hmm: check the device private page owner in hmm_range_fault()") Signed-off-by: Ralph Campbell Reported-by: Felix Kuehling Reviewed-by: Alistair Popple Cc: Philip Yang Cc: Jason Gunthorpe Cc: Signed-off-by: Andrew Morton commit 9282012fc0aa248b77a69f5eb802b67c5a16bb13 Author: Jaewon Kim Date: Mon Jul 25 18:52:12 2022 +0900 page_alloc: fix invalid watermark check on a negative value There was a report that a task is waiting at the throttle_direct_reclaim. The pgscan_direct_throttle in vmstat was increasing. This is a bug where zone_watermark_fast returns true even when the free is very low. The commit f27ce0e14088 ("page_alloc: consider highatomic reserve in watermark fast") changed the watermark fast to consider highatomic reserve. But it did not handle a negative value case which can be happened when reserved_highatomic pageblock is bigger than the actual free. If watermark is considered as ok for the negative value, allocating contexts for order-0 will consume all free pages without direct reclaim, and finally free page may become depleted except highatomic free. Then allocating contexts may fall into throttle_direct_reclaim. This symptom may easily happen in a system where wmark min is low and other reclaimers like kswapd does not make free pages quickly. Handle the negative case by using MIN. Link: https://lkml.kernel.org/r/20220725095212.25388-1-jaewon31.kim@samsung.com Fixes: f27ce0e14088 ("page_alloc: consider highatomic reserve in watermark fast") Signed-off-by: Jaewon Kim Reported-by: GyeongHwan Hong Acked-by: Mel Gorman Cc: Minchan Kim Cc: Baoquan He Cc: Vlastimil Babka Cc: Johannes Weiner Cc: Michal Hocko Cc: Yong-Taek Lee Cc: Signed-off-by: Andrew Morton commit bb83c99d3d0aa2f51ba0b2abd7115002620118e6 Merge: 4b20426d04416 9a241805673ec Author: Linus Torvalds Date: Fri Jul 29 11:26:28 2022 -0700 Merge tag 'perf-tools-fixes-for-v5.19-2022-07-29' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux Pull perf tools fixes from Arnaldo Carvalho de Melo: - Fix addresses for bss symbols, describing variables used in resolving data access in tools such as 'perf c2c' and 'perf mem'. - Skip symbols if SHF_ALLOC flag is not set, a technique used for listing deprecated symbols, its addresses are zeros, so not useful. - Remove undefined behavior from bpf_perf_object__next() when dealing with an empty bpf_objects_list list. - Make a ARM CoreSight disasm script work with both python2 and python3. - Sync x86's cpufeatures header with with the kernel sources. * tag 'perf-tools-fixes-for-v5.19-2022-07-29' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: perf bpf: Remove undefined behavior from bpf_perf_object__next() perf symbol: Skip symbols if SHF_ALLOC flag is not set perf symbol: Correct address for bss symbols perf scripts python: Let script to be python2 compliant tools headers cpufeatures: Sync with the kernel sources commit 4b20426d044163df0ff9d868e9767ca9e65dd36c Merge: 506e6dfb0f113 46a4d679ef882 Author: Linus Torvalds Date: Fri Jul 29 11:20:40 2022 -0700 Merge tag 'wq-for-5.19-rc8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq Pull workqueue fix from Tejun Heo: "Just one commit to suppress a spurious warning added during the 5.19 cycle" * tag 'wq-for-5.19-rc8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq: workqueue: Avoid a false warning in unbind_workers() commit 506e6dfb0f1131f104df66ccae1197bdf8f1b6b0 Merge: e4d8b09d671f0 d295ad34f236c Author: Linus Torvalds Date: Fri Jul 29 10:57:26 2022 -0700 Merge tag 'pm-5.19-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "Make some false positive RCU splats resulting from a recent intel_idle driver change go away (Waiman Long)" * tag 'pm-5.19-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: intel_idle: Fix false positive RCU splats due to incorrect hardirqs state commit 46a4d679ef88285ea17c3e1e4fed330be2044f21 Author: Lai Jiangshan Date: Fri Jul 29 17:44:38 2022 +0800 workqueue: Avoid a false warning in unbind_workers() Doing set_cpus_allowed_ptr() with wq_unbound_cpumask can be possible fails and trigger the false warning. Use cpu_possible_mask instead when wq_unbound_cpumask has no active CPUs. It is very easy to trigger the warning: Set wq_unbound_cpumask to a small set of CPUs. Offline all the CPUs of wq_unbound_cpumask. Offline an extra CPU and trigger the warning. Fixes: 10a5a651e3af ("workqueue: Restrict kworker in the offline CPU pool running on housekeeping CPUs") Signed-off-by: Lai Jiangshan Signed-off-by: Tejun Heo commit e4d8b09d671f0ee92d36c48b65d2f34affcdd531 Merge: a95eb1d086dcc 88bd24d73d5bf Author: Linus Torvalds Date: Fri Jul 29 10:46:03 2022 -0700 Merge tag 'riscv-for-linus-5.19-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fix from Palmer Dabbelt: "A build fix for 'make vdso_install' that avoids an issue trying to install the compat VDSO" * tag 'riscv-for-linus-5.19-rc9' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: compat: vdso: Fix vdso_install target commit a95eb1d086dcc579d52ca4c34742516f6434d1f2 Merge: 9d928d9b78bee 45b53c9051770 Author: Linus Torvalds Date: Fri Jul 29 10:10:30 2022 -0700 Merge tag 'loongarch-fixes-5.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson Pull LoongArch fixes from Huacai Chen: - Fix cache size calculation, stack protection attributes, ptrace's fpr_set and "ROM Size" in boardinfo - Some cleanups and improvements of assembly - Some cleanups of unused code and useless code * tag 'loongarch-fixes-5.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson: LoongArch: Fix wrong "ROM Size" of boardinfo LoongArch: Fix missing fcsr in ptrace's fpr_set LoongArch: Fix shared cache size calculation LoongArch: Disable executable stack by default LoongArch: Remove unused variables LoongArch: Remove clock setting during cpu hotplug stage LoongArch: Remove useless header compiler.h LoongArch: Remove several syntactic sugar macros for branches LoongArch: Re-tab the assembly files LoongArch: Simplify "BGT foo, zero" with BGTZ LoongArch: Simplify "BLT foo, zero" with BLTZ LoongArch: Simplify "BEQ/BNE foo, zero" with BEQZ/BNEZ LoongArch: Use the "move" pseudo-instruction where applicable LoongArch: Use the "jr" pseudo-instruction where applicable LoongArch: Use ABI names of registers where appropriate commit 9d928d9b78beec5d4b8afde9c144919b979685f2 Merge: 6e2c0490769ef c653c591789b3 Author: Linus Torvalds Date: Fri Jul 29 09:57:07 2022 -0700 Merge tag 'powerpc-5.19-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: - Re-enable the new amdgpu display engine for powerpc, as long as the compiler is correctly configured. - Disable stack variable initialisation in prom_init to fix GCC 12 allmodconfig. Thanks to Dan Horák and Sudip Mukherjee. * tag 'powerpc-5.19-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: drm/amdgpu: Re-enable DCN for 64-bit powerpc powerpc/64s: Disable stack variable initialisation for prom_init commit 45b53c9051770c0d9145083a328548745ee2e75b Author: Tiezhu Yang Date: Thu Jul 21 17:53:01 2022 +0800 LoongArch: Fix wrong "ROM Size" of boardinfo We can see the "ROM Size" is different in the following outputs: [root@linux loongson]# cat /sys/firmware/loongson/boardinfo BIOS Information Vendor : Loongson Version : vUDK2018-LoongArch-V2.0.pre-beta8 ROM Size : 63 KB Release Date : 06/15/2022 Board Information Manufacturer : Loongson Board Name : Loongson-LS3A5000-7A1000-1w-A2101 Family : LOONGSON64 [root@linux loongson]# dmidecode | head -11 ... Handle 0x0000, DMI type 0, 26 bytes BIOS Information Vendor: Loongson Version: vUDK2018-LoongArch-V2.0.pre-beta8 Release Date: 06/15/2022 ROM Size: 4 MB According to "BIOS Information (Type 0) structure" in the SMBIOS Reference Specification [1], it shows 64K * (n+1) is the size of the physical device containing the BIOS if the size is less than 16M. Additionally, we can see the related code in dmidecode [2]: u64 s = { .l = (code1 + 1) << 6 }; So the output of dmidecode is correct, the output of boardinfo is wrong, fix it. By the way, at present no need to consider the size is 16M or greater on LoongArch, because it is usually 4M or 8M which is enough to use. [1] https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.6.0.pdf [2] https://git.savannah.nongnu.org/cgit/dmidecode.git/tree/dmidecode.c#n347 Fixes: 628c3bb40e9a ("LoongArch: Add boot and setup routines") Reviewed-by: WANG Xuerui Signed-off-by: Tiezhu Yang Signed-off-by: Huacai Chen commit b0f3bdc00240fc9d7bf0f2a076943122d168c95e Author: Qi Hu Date: Thu Jul 14 14:25:50 2022 +0800 LoongArch: Fix missing fcsr in ptrace's fpr_set In file ptrace.c, function fpr_set does not copy fcsr data from ubuf to kbuf. That's the reason why fcsr cannot be modified by ptrace. This patch fixs this problem and allows users using ptrace to modify the fcsr. Co-developed-by: Xu Li Signed-off-by: Qi Hu Signed-off-by: Huacai Chen commit 1aea29d7c3569e5b6c40e73c51e9f4b2142c96ef Author: Huacai Chen Date: Wed Jul 13 18:00:41 2022 +0800 LoongArch: Fix shared cache size calculation Current calculation of shared cache size is from the node (die) scope, but we hope 'lscpu' to show the shared cache size of the whole package for multi-die chips (e.g., Loongson-3C5000L, which contains 4 dies in one package). So fix it by multiplying nodes_per_package. Signed-off-by: Huacai Chen commit 317980e6b4d03884429f2cdaf51efd28f01b71b0 Author: Huacai Chen Date: Tue Jul 26 20:43:11 2022 +0800 LoongArch: Disable executable stack by default Disable executable stack for LoongArch by default, as all modern architectures do. Reported-by: Andreas Schwab Suggested-by: WANG Xuerui Link: https://sourceware.org/pipermail/binutils/2022-July/121992.html Tested-by: WANG Xuerui Tested-by: Xi Ruoyao Signed-off-by: Huacai Chen commit 3a3a4f7a65e3ff7ad395afc8c41ac317c8667546 Author: Bibo Mao Date: Wed Jul 20 15:21:52 2022 +0800 LoongArch: Remove unused variables There are some variables never used or referenced, this patch removes these varaibles and make the code cleaner. Reviewed-by: WANG Xuerui Signed-off-by: Bibo Mao Signed-off-by: Huacai Chen commit 71610ab1d017e131a9888ef8acd035284fb0e1dd Author: Bibo Mao Date: Wed Jul 20 15:21:51 2022 +0800 LoongArch: Remove clock setting during cpu hotplug stage On physical machine we can save power by disabling clock of hot removed cpu. However as different platforms require different methods to configure clocks, the code is platform-specific, and probably belongs to firmware/pmu or cpu regulator, rather than generic arch/loongarch code. Also, there is no such register on QEMU virt machine since the clock/frequency regulation is not emulated. This patch removes the hard-coded clock register accesses in generic LoongArch cpu hotplug flow. Reviewed-by: WANG Xuerui Signed-off-by: Bibo Mao Signed-off-by: Huacai Chen commit f62b7626cb79dfbfe292145b7ebeee4dc63c9499 Author: Jun Yi Date: Thu Jul 21 19:10:49 2022 +0800 LoongArch: Remove useless header compiler.h The content of LoongArch's compiler.h is trivial, with some unused anywhere, so inline the definitions and remove the header. Signed-off-by: Jun Yi Signed-off-by: Huacai Chen commit ab6e57a69df515cc9231b578de5b820f9ba3d0be Author: WANG Xuerui Date: Tue Jul 26 23:57:15 2022 +0800 LoongArch: Remove several syntactic sugar macros for branches These syntactic sugars have been supported by upstream binutils from the beginning, so no need to patch them locally. Signed-off-by: WANG Xuerui Signed-off-by: Huacai Chen commit f5c3c22f21b6a002e371afdcc9180a2fa47dc267 Author: WANG Xuerui Date: Tue Jul 26 23:57:22 2022 +0800 LoongArch: Re-tab the assembly files Reflow the *.S files for better stylistic consistency, namely hard tabs after mnemonic position, and vertical alignment of the first operand with hard tabs. Tab width is obviously 8. Some pre-existing intra-block vertical alignments are preserved. Signed-off-by: WANG Xuerui Signed-off-by: Huacai Chen commit 1fdb9a92495a6b6996530d27781892796e22f08b Author: WANG Xuerui Date: Tue Jul 26 23:57:21 2022 +0800 LoongArch: Simplify "BGT foo, zero" with BGTZ Support for the syntactic sugar is present in upstream binutils port from the beginning. Use it for shorter lines and better consistency. Generated code should be identical. Signed-off-by: WANG Xuerui Signed-off-by: Huacai Chen commit d1bc75d7595b237f78b594509ea7cc159f98cae9 Author: WANG Xuerui Date: Tue Jul 26 23:57:20 2022 +0800 LoongArch: Simplify "BLT foo, zero" with BLTZ Support for the syntactic sugar is present in upstream binutils port from the beginning. Use it for shorter lines and better consistency. Generated code should be identical. Signed-off-by: WANG Xuerui Signed-off-by: Huacai Chen commit d47b2dc87c58154052daf8ac0f9229db5c7890cc Author: WANG Xuerui Date: Tue Jul 26 23:57:19 2022 +0800 LoongArch: Simplify "BEQ/BNE foo, zero" with BEQZ/BNEZ While B{EQ,NE}Z and B{EQ,NE} are different instructions, and the vastly expanded range for branch destination does not really matter in the few cases touched, use the B{EQ,NE}Z where possible for shorter lines and better consistency (e.g. some places used "BEQ foo, zero", while some used "BEQ zero, foo"). Signed-off-by: WANG Xuerui Signed-off-by: Huacai Chen commit 57ce5d3eefacfaadfe2ed0a3a85713d1ae6287b9 Author: WANG Xuerui Date: Tue Jul 26 23:57:18 2022 +0800 LoongArch: Use the "move" pseudo-instruction where applicable Some of the assembly code in the LoongArch port likely originated from a time when the assembler did not support pseudo-instructions like "move" or "jr", so the desugared form was used and readability suffers (to a minor degree) as a result. As the upstream toolchain supports these pseudo-instructions from the beginning, migrate the existing few usages to them for better readability. Signed-off-by: WANG Xuerui Signed-off-by: Huacai Chen commit 07b480695d24d1c9f27bb60fd4b980ae87e8bc1e Author: WANG Xuerui Date: Tue Jul 26 23:57:17 2022 +0800 LoongArch: Use the "jr" pseudo-instruction where applicable Some of the assembly code in the LoongArch port likely originated from a time when the assembler did not support pseudo-instructions like "move" or "jr", so the desugared form was used and readability suffers (to a minor degree) as a result. As the upstream toolchain supports these pseudo-instructions from the beginning, migrate the existing few usages to them for better readability. Signed-off-by: WANG Xuerui Signed-off-by: Huacai Chen commit d8e7f201a4cf148c3801cdc9603963061d28d64f Author: WANG Xuerui Date: Tue Jul 26 23:57:16 2022 +0800 LoongArch: Use ABI names of registers where appropriate Some of the assembly in the LoongArch port seem to come from a prehistoric time, when the assembler didn't even have support for the ABI names we all come to know and love, thus used raw register numbers which hampered readability. The usages are found with a regex match inside arch/loongarch, then manually adjusted for those non-definitions. Signed-off-by: WANG Xuerui Signed-off-by: Huacai Chen commit ec85bd369fd2bfaed6f45dd678706429d4f75b48 Author: Russell King (Oracle) Date: Tue Jul 26 23:51:48 2022 +0100 ARM: findbit: fix overflowing offset When offset is larger than the size of the bit array, we should not attempt to access the array as we can perform an access beyond the end of the array. Fix this by changing the pre-condition. Using "cmp r2, r1; bhs ..." covers us for the size == 0 case, since this will always take the branch when r1 is zero, irrespective of the value of r2. This means we can fix this bug without adding any additional code! Tested-by: Guenter Roeck Signed-off-by: Russell King (Oracle) commit 571c30b1a88465a1c85a6f7762609939b9085a15 Author: Thadeu Lima de Souza Cascardo Date: Thu Jul 28 09:26:02 2022 -0300 x86/bugs: Do not enable IBPB at firmware entry when IBPB is not available Some cloud hypervisors do not provide IBPB on very recent CPU processors, including AMD processors affected by Retbleed. Using IBPB before firmware calls on such systems would cause a GPF at boot like the one below. Do not enable such calls when IBPB support is not present. EFI Variables Facility v0.08 2004-May-17 general protection fault, maybe for address 0x1: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 24 Comm: kworker/u2:1 Not tainted 5.19.0-rc8+ #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 Workqueue: efi_rts_wq efi_call_rts RIP: 0010:efi_call_rts Code: e8 37 33 58 ff 41 bf 48 00 00 00 49 89 c0 44 89 f9 48 83 c8 01 4c 89 c2 48 c1 ea 20 66 90 b9 49 00 00 00 b8 01 00 00 00 31 d2 <0f> 30 e8 7b 9f 5d ff e8 f6 f8 ff ff 4c 89 f1 4c 89 ea 4c 89 e6 48 RSP: 0018:ffffb373800d7e38 EFLAGS: 00010246 RAX: 0000000000000001 RBX: 0000000000000006 RCX: 0000000000000049 RDX: 0000000000000000 RSI: ffff94fbc19d8fe0 RDI: ffff94fbc1b2b300 RBP: ffffb373800d7e70 R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000000b R11: 000000000000000b R12: ffffb3738001fd78 R13: ffff94fbc2fcfc00 R14: ffffb3738001fd80 R15: 0000000000000048 FS: 0000000000000000(0000) GS:ffff94fc3da00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff94fc30201000 CR3: 000000006f610000 CR4: 00000000000406f0 Call Trace: ? __wake_up process_one_work worker_thread ? rescuer_thread kthread ? kthread_complete_and_exit ret_from_fork Modules linked in: Fixes: 28a99e95f55c ("x86/amd: Use IBPB for firmware calls") Reported-by: Dimitri John Ledkov Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Borislav Petkov Cc: Link: https://lore.kernel.org/r/20220728122602.2500509-1-cascardo@canonical.com commit 6e2c0490769ef8a95b61304389116ccc85c53e12 Merge: 33ea1340bafe1 f16a2f593d009 Author: Linus Torvalds Date: Thu Jul 28 20:34:59 2022 -0700 Merge tag 'drm-fixes-2022-07-29' of git://anongit.freedesktop.org/drm/drm Pull drm fix from Dave Airlie: "Quiet extra week, just a single fix for i915 workaround with execlist backend. i915: - Further reset robustness improvements for execlists [Wa_22011802037]" * tag 'drm-fixes-2022-07-29' of git://anongit.freedesktop.org/drm/drm: drm/i915/reset: Add additional steps for Wa_22011802037 for execlist backend commit f16a2f593d0095e82e6b7f9d776f869c8ab45952 Merge: e0dccc3b76fb3 a7a47a5dfa9a9 Author: Dave Airlie Date: Fri Jul 29 11:39:13 2022 +1000 Merge tag 'drm-intel-fixes-2022-07-28-1' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Further reset robustness improvements for execlists [Wa_22011802037] (Umesh Nerlige Ramappa) Signed-off-by: Dave Airlie From: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/YuJIWaEbKcs/q0NY@tursulin-desk commit 66cee9097e2b74ff3c8cc040ce5717c521a0c3fa Author: Alistair Popple Date: Wed Jul 20 16:27:45 2022 +1000 nouveau/svm: Fix to migrate all requested pages Users may request that pages from an OpenCL SVM allocation be migrated to the GPU with clEnqueueSVMMigrateMem(). In Nouveau this will call into nouveau_dmem_migrate_vma() to do the migration. If the total range to be migrated exceeds SG_MAX_SINGLE_ALLOC the pages will be migrated in chunks of size SG_MAX_SINGLE_ALLOC. However a typo in updating the starting address means that only the first chunk will get migrated. Fix the calculation so that the entire range will get migrated if possible. Signed-off-by: Alistair Popple Fixes: e3d8b0890469 ("drm/nouveau/svm: map pages after migration") Reviewed-by: Ralph Campbell Reviewed-by: Lyude Paul Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20220720062745.960701-1-apopple@nvidia.com Cc: # v5.8+ commit 33ea1340bafe1f394e5bf96fceef73e9771d066b Merge: e64ab2dbd8829 4d3d3a1b244fd Author: Linus Torvalds Date: Thu Jul 28 11:54:59 2022 -0700 Merge tag 'net-5.19-final' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from bluetooth and netfilter, no known blockers for the release. Current release - regressions: - wifi: mac80211: do not abuse fq.lock in ieee80211_do_stop(), fix taking the lock before its initialized - Bluetooth: mgmt: fix double free on error path Current release - new code bugs: - eth: ice: fix tunnel checksum offload with fragmented traffic Previous releases - regressions: - tcp: md5: fix IPv4-mapped support after refactoring, don't take the pure v6 path - Revert "tcp: change pingpong threshold to 3", improving detection of interactive sessions - mld: fix netdev refcount leak in mld_{query | report}_work() due to a race - Bluetooth: - always set event mask on suspend, avoid early wake ups - L2CAP: fix use-after-free caused by l2cap_chan_put - bridge: do not send empty IFLA_AF_SPEC attribute Previous releases - always broken: - ping6: fix memleak in ipv6_renew_options() - sctp: prevent null-deref caused by over-eager error paths - virtio-net: fix the race between refill work and close, resulting in NAPI scheduled after close and a BUG() - macsec: - fix three netlink parsing bugs - avoid breaking the device state on invalid change requests - fix a memleak in another error path Misc: - dt-bindings: net: ethernet-controller: rework 'fixed-link' schema - two more batches of sysctl data race adornment" * tag 'net-5.19-final' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (67 commits) stmmac: dwmac-mediatek: fix resource leak in probe ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr net: ping6: Fix memleak in ipv6_renew_options(). net/funeth: Fix fun_xdp_tx() and XDP packet reclaim sctp: leave the err path free in sctp_stream_init to sctp_stream_free sfc: disable softirqs for ptp TX ptp: ocp: Select CRC16 in the Kconfig. tcp: md5: fix IPv4-mapped support virtio-net: fix the race between refill work and close mptcp: Do not return EINPROGRESS when subflow creation succeeds Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put Bluetooth: Always set event mask on suspend Bluetooth: mgmt: Fix double free on error path wifi: mac80211: do not abuse fq.lock in ieee80211_do_stop() ice: do not setup vlan for loopback VSI ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) ice: Fix VSIs unable to share unicast MAC ice: Fix tunnel checksum offload with fragmented traffic ice: Fix max VLANs available for VF netfilter: nft_queue: only allow supported familes and hooks ... commit 4d3d3a1b244fd54629a6b7047f39a7bbc8d11910 Author: Dan Carpenter Date: Thu Jul 28 14:52:09 2022 +0300 stmmac: dwmac-mediatek: fix resource leak in probe If mediatek_dwmac_clks_config() fails, then call stmmac_remove_config_dt() before returning. Otherwise it is a resource leak. Fixes: fa4b3ca60e80 ("stmmac: dwmac-mediatek: fix clock issue") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YuJ4aZyMUlG6yGGa@kili Signed-off-by: Jakub Kicinski commit 85f0173df35e5462d89947135a6a5599c6c3ef6f Author: Ziyang Xuan Date: Thu Jul 28 09:33:07 2022 +0800 ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr Change net device's MTU to smaller than IPV6_MIN_MTU or unregister device while matching route. That may trigger null-ptr-deref bug for ip6_ptr probability as following. ========================================================= BUG: KASAN: null-ptr-deref in find_match.part.0+0x70/0x134 Read of size 4 at addr 0000000000000308 by task ping6/263 CPU: 2 PID: 263 Comm: ping6 Not tainted 5.19.0-rc7+ #14 Call trace: dump_backtrace+0x1a8/0x230 show_stack+0x20/0x70 dump_stack_lvl+0x68/0x84 print_report+0xc4/0x120 kasan_report+0x84/0x120 __asan_load4+0x94/0xd0 find_match.part.0+0x70/0x134 __find_rr_leaf+0x408/0x470 fib6_table_lookup+0x264/0x540 ip6_pol_route+0xf4/0x260 ip6_pol_route_output+0x58/0x70 fib6_rule_lookup+0x1a8/0x330 ip6_route_output_flags_noref+0xd8/0x1a0 ip6_route_output_flags+0x58/0x160 ip6_dst_lookup_tail+0x5b4/0x85c ip6_dst_lookup_flow+0x98/0x120 rawv6_sendmsg+0x49c/0xc70 inet_sendmsg+0x68/0x94 Reproducer as following: Firstly, prepare conditions: $ip netns add ns1 $ip netns add ns2 $ip link add veth1 type veth peer name veth2 $ip link set veth1 netns ns1 $ip link set veth2 netns ns2 $ip netns exec ns1 ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1 $ip netns exec ns2 ip -6 addr add 2001:0db8:0:f101::2/64 dev veth2 $ip netns exec ns1 ifconfig veth1 up $ip netns exec ns2 ifconfig veth2 up $ip netns exec ns1 ip -6 route add 2000::/64 dev veth1 metric 1 $ip netns exec ns2 ip -6 route add 2001::/64 dev veth2 metric 1 Secondly, execute the following two commands in two ssh windows respectively: $ip netns exec ns1 sh $while true; do ip -6 addr add 2001:0db8:0:f101::1/64 dev veth1; ip -6 route add 2000::/64 dev veth1 metric 1; ping6 2000::2; done $ip netns exec ns1 sh $while true; do ip link set veth1 mtu 1000; ip link set veth1 mtu 1500; sleep 5; done It is because ip6_ptr has been assigned to NULL in addrconf_ifdown() firstly, then ip6_ignore_linkdown() accesses ip6_ptr directly without NULL check. cpu0 cpu1 fib6_table_lookup __find_rr_leaf addrconf_notify [ NETDEV_CHANGEMTU ] addrconf_ifdown RCU_INIT_POINTER(dev->ip6_ptr, NULL) find_match ip6_ignore_linkdown So we can add NULL check for ip6_ptr before using in ip6_ignore_linkdown() to fix the null-ptr-deref bug. Fixes: dcd1f572954f ("net/ipv6: Remove fib6_idev") Signed-off-by: Ziyang Xuan Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20220728013307.656257-1-william.xuanziyang@huawei.com Signed-off-by: Jakub Kicinski commit e27326009a3d247b831eda38878c777f6f4eb3d1 Author: Kuniyuki Iwashima Date: Wed Jul 27 18:22:20 2022 -0700 net: ping6: Fix memleak in ipv6_renew_options(). When we close ping6 sockets, some resources are left unfreed because pingv6_prot is missing sk->sk_prot->destroy(). As reported by syzbot [0], just three syscalls leak 96 bytes and easily cause OOM. struct ipv6_sr_hdr *hdr; char data[24] = {0}; int fd; hdr = (struct ipv6_sr_hdr *)data; hdr->hdrlen = 2; hdr->type = IPV6_SRCRT_TYPE_4; fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP); setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24); close(fd); To fix memory leaks, let's add a destroy function. Note the socket() syscall checks if the GID is within the range of net.ipv4.ping_group_range. The default value is [1, 0] so that no GID meets the condition (1 <= GID <= 0). Thus, the local DoS does not succeed until we change the default value. However, at least Ubuntu/Fedora/RHEL loosen it. $ cat /usr/lib/sysctl.d/50-default.conf ... -net.ipv4.ping_group_range = 0 2147483647 Also, there could be another path reported with these options, and some of them require CAP_NET_RAW. setsockopt IPV6_ADDRFORM (inet6_sk(sk)->pktoptions) IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu) IPV6_HOPOPTS (inet6_sk(sk)->opt) IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt) IPV6_RTHDR (inet6_sk(sk)->opt) IPV6_DSTOPTS (inet6_sk(sk)->opt) IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt) getsockopt IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list) For the record, I left a different splat with syzbot's one. unreferenced object 0xffff888006270c60 (size 96): comm "repro2", pid 231, jiffies 4294696626 (age 13.118s) hex dump (first 32 bytes): 01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 ....D........... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554) [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715) [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024) [<000000007096a025>] __sys_setsockopt (net/socket.c:2254) [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262) [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) [0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176 Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.") Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com Reported-by: Ayushman Dutta Signed-off-by: Kuniyuki Iwashima Reviewed-by: David Ahern Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski commit e64ab2dbd882933b65cd82ff6235d705ad65dbb6 Author: Linus Torvalds Date: Thu Jul 28 10:31:12 2022 +0100 watch_queue: Fix missing locking in add_watch_to_object() If a watch is being added to a queue, it needs to guard against interference from addition of a new watch, manual removal of a watch and removal of a watch due to some other queue being destroyed. KEYCTL_WATCH_KEY guards against this for the same {key,queue} pair by holding the key->sem writelocked and by holding refs on both the key and the queue - but that doesn't prevent interaction from other {key,queue} pairs. While add_watch_to_object() does take the spinlock on the event queue, it doesn't take the lock on the source's watch list. The assumption was that the caller would prevent that (say by taking key->sem) - but that doesn't prevent interference from the destruction of another queue. Fix this by locking the watcher list in add_watch_to_object(). Fixes: c73be61cede5 ("pipe: Add general notification queue support") Reported-by: syzbot+03d7b43290037d1f87ca@syzkaller.appspotmail.com Signed-off-by: David Howells cc: keyrings@vger.kernel.org Signed-off-by: Linus Torvalds commit e0339f036ef4beb9b20f0b6532a1e0ece7f594c6 Author: David Howells Date: Thu Jul 28 10:31:06 2022 +0100 watch_queue: Fix missing rcu annotation Since __post_watch_notification() walks wlist->watchers with only the RCU read lock held, we need to use RCU methods to add to the list (we already use RCU methods to remove from the list). Fix add_watch_to_object() to use hlist_add_head_rcu() instead of hlist_add_head() for that list. Fixes: c73be61cede5 ("pipe: Add general notification queue support") Signed-off-by: David Howells Signed-off-by: Linus Torvalds commit 51a83391d77bb0f7ff0aef06ca4c7f5aa9e80b4c Author: Dimitris Michailidis Date: Tue Jul 26 14:59:23 2022 -0700 net/funeth: Fix fun_xdp_tx() and XDP packet reclaim The current implementation of fun_xdp_tx(), used for XPD_TX, is incorrect in that it takes an address/length pair and later releases it with page_frag_free(). It is OK for XDP_TX but the same code is used by ndo_xdp_xmit. In that case it loses the XDP memory type and releases the packet incorrectly for some of the types. Assorted breakage follows. Change fun_xdp_tx() to take xdp_frame and rely on xdp_return_frame() in reclaim. Fixes: db37bc177dae ("net/funeth: add the data path") Signed-off-by: Dimitris Michailidis Link: https://lore.kernel.org/r/20220726215923.7887-1-dmichail@fungible.com Signed-off-by: Paolo Abeni commit bf84719df765f1a832a770f3cd0cdc8bee20c91f Merge: 181d8d2066c00 cc019545a2385 Author: Jakub Kicinski Date: Wed Jul 27 19:56:28 2022 -0700 Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2022-07-26 This series contains updates to ice driver only. Przemyslaw corrects accounting for VF VLANs to allow for correct number of VLANs for untrusted VF. He also correct issue with checksum offload on VXLAN tunnels. Ani allows for two VSIs to share the same MAC address. Maciej corrects checked bits for descriptor completion of loopback * '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: ice: do not setup vlan for loopback VSI ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) ice: Fix VSIs unable to share unicast MAC ice: Fix tunnel checksum offload with fragmented traffic ice: Fix max VLANs available for VF ==================== Link: https://lore.kernel.org/r/20220726204646.2171589-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 181d8d2066c000ba0a0e6940a7ad80f1a0e68e9d Author: Xin Long Date: Mon Jul 25 18:11:06 2022 -0400 sctp: leave the err path free in sctp_stream_init to sctp_stream_free A NULL pointer dereference was reported by Wei Chen: BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:__list_del_entry_valid+0x26/0x80 Call Trace: sctp_sched_dequeue_common+0x1c/0x90 sctp_sched_prio_dequeue+0x67/0x80 __sctp_outq_teardown+0x299/0x380 sctp_outq_free+0x15/0x20 sctp_association_free+0xc3/0x440 sctp_do_sm+0x1ca7/0x2210 sctp_assoc_bh_rcv+0x1f6/0x340 This happens when calling sctp_sendmsg without connecting to server first. In this case, a data chunk already queues up in send queue of client side when processing the INIT_ACK from server in sctp_process_init() where it calls sctp_stream_init() to alloc stream_in. If it fails to alloc stream_in all stream_out will be freed in sctp_stream_init's err path. Then in the asoc freeing it will crash when dequeuing this data chunk as stream_out is missing. As we can't free stream out before dequeuing all data from send queue, and this patch is to fix it by moving the err path stream_out/in freeing in sctp_stream_init() to sctp_stream_free() which is eventually called when freeing the asoc in sctp_association_free(). This fix also makes the code in sctp_process_init() more clear. Note that in sctp_association_init() when it fails in sctp_stream_init(), sctp_association_free() will not be called, and in that case it should go to 'stream_free' err path to free stream instead of 'fail_init'. Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") Reported-by: Wei Chen Signed-off-by: Xin Long Link: https://lore.kernel.org/r/831a3dc100c4908ff76e5bcc363be97f2778bc0b.1658787066.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski commit 67c3b611d92fc238c43734878bc3e232ab570c79 Author: Alejandro Lucero Date: Tue Jul 26 08:45:04 2022 +0200 sfc: disable softirqs for ptp TX Sending a PTP packet can imply to use the normal TX driver datapath but invoked from the driver's ptp worker. The kernel generic TX code disables softirqs and preemption before calling specific driver TX code, but the ptp worker does not. Although current ptp driver functionality does not require it, there are several reasons for doing so: 1) The invoked code is always executed with softirqs disabled for non PTP packets. 2) Better if a ptp packet transmission is not interrupted by softirq handling which could lead to high latencies. 3) netdev_xmit_more used by the TX code requires preemption to be disabled. Indeed a solution for dealing with kernel preemption state based on static kernel configuration is not possible since the introduction of dynamic preemption level configuration at boot time using the static calls functionality. Fixes: f79c957a0b537 ("drivers: net: sfc: use netdev_xmit_more helper") Signed-off-by: Alejandro Lucero Link: https://lore.kernel.org/r/20220726064504.49613-1-alejandro.lucero-palau@amd.com Signed-off-by: Jakub Kicinski commit 0c104556267242d922a3def60be8092b280e4fee Author: Jonathan Lemon Date: Tue Jul 26 15:06:04 2022 -0700 ptp: ocp: Select CRC16 in the Kconfig. The crc16() function is used to check the firmware validity, but the library was not explicitly selected. Fixes: 3c3673bde50c ("ptp: ocp: Add firmware header checks") Reported-by: kernel test robot Signed-off-by: Jonathan Lemon Acked-by: Vadim Fedorenko Link: https://lore.kernel.org/r/20220726220604.1339972-1-jonathan.lemon@gmail.com Signed-off-by: Jakub Kicinski commit 8dc592c41f38735306d1f1dc0b183601379c6d94 Author: Jernej Skrabec Date: Tue Jul 19 20:37:25 2022 +0200 clk: sunxi-ng: Fix H6 RTC clock definition While RTC clock was added in H616 ccu_common list, it was not in H6 list. That caused invalid pointer dereference like this: Unable to handle kernel NULL pointer dereference at virtual address 000000000000020c Mem abort info: ESR = 0x96000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000004d574000 [000000000000020c] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 96000004 [#1] PREEMPT SMP CPU: 3 PID: 339 Comm: cat Tainted: G B 5.18.0-rc1+ #1352 Hardware name: Tanix TX6 (DT) pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : ccu_gate_is_enabled+0x48/0x74 lr : ccu_gate_is_enabled+0x40/0x74 sp : ffff80000c0b76d0 x29: ffff80000c0b76d0 x28: 00000000016e3600 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000002 x24: ffff00000952fe08 x23: ffff800009611400 x22: ffff00000952fe79 x21: 0000000000000000 x20: 0000000000000001 x19: ffff80000aad6f08 x18: 0000000000000000 x17: 2d2d2d2d2d2d2d2d x16: 2d2d2d2d2d2d2d2d x15: 2d2d2d2d2d2d2d2d x14: 0000000000000000 x13: 00000000f2f2f2f2 x12: ffff700001816e89 x11: 1ffff00001816e88 x10: ffff700001816e88 x9 : dfff800000000000 x8 : ffff80000c0b7447 x7 : 0000000000000001 x6 : ffff700001816e88 x5 : ffff80000c0b7440 x4 : 0000000000000001 x3 : ffff800008935c50 x2 : dfff800000000000 x1 : 0000000000000000 x0 : 000000000000020c Call trace: ccu_gate_is_enabled+0x48/0x74 clk_core_is_enabled+0x7c/0x1c0 clk_summary_show_subtree+0x1dc/0x334 clk_summary_show_subtree+0x250/0x334 clk_summary_show_subtree+0x250/0x334 clk_summary_show_subtree+0x250/0x334 clk_summary_show_subtree+0x250/0x334 clk_summary_show+0x90/0xdc seq_read_iter+0x248/0x6d4 seq_read+0x17c/0x1fc full_proxy_read+0x90/0xf0 vfs_read+0xdc/0x28c ksys_read+0xc8/0x174 __arm64_sys_read+0x44/0x5c invoke_syscall+0x60/0x190 el0_svc_common.constprop.0+0x7c/0x160 do_el0_svc+0x38/0xa0 el0_svc+0x68/0x160 el0t_64_sync_handler+0x10c/0x140 el0t_64_sync+0x18c/0x190 Code: d1006260 97e5c981 785e8260 8b0002a0 (b9400000) ---[ end trace 0000000000000000 ]--- Fix that by adding rtc clock to H6 ccu_common list too. Fixes: 38d321b61bda ("clk: sunxi-ng: h6-r: Add RTC gate clock") Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20220719183725.2605141-1-jernej.skrabec@gmail.com Reviewed-by: Samuel Holland Signed-off-by: Stephen Boyd commit e62d2e110356093c034998e093675df83057e511 Author: Eric Dumazet Date: Tue Jul 26 11:57:43 2022 +0000 tcp: md5: fix IPv4-mapped support After the blamed commit, IPv4 SYN packets handled by a dual stack IPv6 socket are dropped, even if perfectly valid. $ nstat | grep MD5 TcpExtTCPMD5Failure 5 0.0 For a dual stack listener, an incoming IPv4 SYN packet would call tcp_inbound_md5_hash() with @family == AF_INET, while tp->af_specific is pointing to tcp_sock_ipv6_specific. Only later when an IPv4-mapped child is created, tp->af_specific is changed to tcp_sock_ipv6_mapped_specific. Fixes: 7bbb765b7349 ("net/tcp: Merge TCP-MD5 inbound callbacks") Reported-by: Brian Vazquez Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Reviewed-by: Dmitry Safonov Tested-by: Leonard Crestez Link: https://lore.kernel.org/r/20220726115743.2759832-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit fb0fd3469ead5b937293c213daa1f589b4b7ce46 Author: Florian Fainelli Date: Tue Jul 19 17:33:21 2022 +0100 ARM: 9216/1: Fix MAX_DMA_ADDRESS overflow Commit 26f09e9b3a06 ("mm/memblock: add memblock memory allocation apis") added a check to determine whether arm_dma_zone_size is exceeding the amount of kernel virtual address space available between the upper 4GB virtual address limit and PAGE_OFFSET in order to provide a suitable definition of MAX_DMA_ADDRESS that should fit within the 32-bit virtual address space. The quantity used for comparison was off by a missing trailing 0, leading to MAX_DMA_ADDRESS to be overflowing a 32-bit quantity. This was caught thanks to CONFIG_DEBUG_VIRTUAL on the bcm2711 platform where we define a dma_zone_size of 1GB and we have a PAGE_OFFSET value of 0xc000_0000 (CONFIG_VMSPLIT_3G) leading to MAX_DMA_ADDRESS being 0x1_0000_0000 which overflows the unsigned long type used throughout __pa() and then __virt_addr_valid(). Because the virtual address passed to __virt_addr_valid() would now be 0, the function would loudly warn and flood the kernel log, thus making the platform unable to boot properly. Fixes: 26f09e9b3a06 ("mm/memblock: add memblock memory allocation apis") Signed-off-by: Florian Fainelli Reviewed-by: Linus Walleij Signed-off-by: Russell King (Oracle) commit 6e7765cb477a9753670d4351d14de93f1e9dbbd4 Merge: 9d8a8616ee47f e2a619ca0b38f Author: Linus Torvalds Date: Wed Jul 27 09:50:18 2022 -0700 Merge tag 'asm-generic-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic Pull asm-generic fixes from Arnd Bergmann: "Two more bug fixes for asm-generic, one addressing an incorrect Kconfig symbol reference and another one fixing a build failure for the perf tool on mips and possibly others" * tag 'asm-generic-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic: asm-generic: remove a broken and needless ifdef conditional tools: Fixed MIPS builds due to struct flock re-definition commit 9d8a8616ee47f478a9f78ab97f55c3fbf71bb5f0 Merge: 39c3c396f8131 c5cdb9286913a Author: Linus Torvalds Date: Wed Jul 27 09:43:07 2022 -0700 Merge tag 'soc-fixes-5.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "One last set of changes for the soc tree: - fix clock frequency on lan966x - fix incorrect GPIO numbers on some pxa machines - update Baolin's email address" * tag 'soc-fixes-5.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: ARM: pxa2xx: Fix GPIO descriptor tables mailmap: update Baolin Wang's email ARM: dts: lan966x: fix sys_clk frequency commit 5bb6c1d1126ebcbcd6314f80d82f50b021a9e351 Author: Borislav Petkov Date: Wed Jul 27 13:24:21 2022 +0200 Revert "x86/sev: Expose sev_es_ghcb_hv_call() for use by HyperV" This reverts commit 007faec014cb5d26983c1f86fd08c6539b41392e. Now that hyperv does its own protocol negotiation: 49d6a3c062a1 ("x86/Hyper-V: Add SEV negotiate protocol support in Isolation VM") revert this exposure of the sev_es_ghcb_hv_call() helper. Cc: Wei Liu Signed-off-by: Borislav Petkov Reviewed-by:Tianyu Lan Link: https://lore.kernel.org/r/20220614014553.1915929-1-ltykernel@gmail.com commit 871808fd6981bcc6bb48f71032f983ca77748e96 Author: Lukas Bulwahn Date: Fri Jul 22 14:18:15 2022 +0200 x86/configs: Update configs in x86_debug.config Commit 4675ff05de2d ("kmemcheck: rip it out") removed kmemcheck and its corresponding build config KMEMCHECK. Commit 0f620cefd775 ("objtool: Rename "VMLINUX_VALIDATION" -> "NOINSTR_VALIDATION"") renamed the debug config option. Adjust x86_debug.config to those changes in debug configs. Signed-off-by: Lukas Bulwahn Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20220722121815.27535-1-lukas.bulwahn@gmail.com commit eda3953b6a805d6df87a4c51058493ec88bfc622 Merge: 82e094f7bd988 d6c52fa3e955b Author: Jens Axboe Date: Wed Jul 27 10:03:40 2022 -0600 Merge tag 'nvme-5.19-2022-07-27' of git://git.infradead.org/nvme into block-5.19 Pull NVMe fix from Christoph: "nvme fix for Linux 5.19 - yet another duplicate ID quirk (Tobias Gruetzmacher)" * tag 'nvme-5.19-2022-07-27' of git://git.infradead.org/nvme: nvme-pci: Crucial P2 has bogus namespace ids commit 9a241805673ec0a826b7ddf84b00f4e03adb0a5e Author: Ian Rogers Date: Tue Jul 26 15:09:21 2022 -0700 perf bpf: Remove undefined behavior from bpf_perf_object__next() bpf_perf_object__next() folded the last element in the list test with the empty list test. However, this meant that offsets were computed against null and that a struct list_head was compared against a 'struct bpf_perf_object'. Working around this with clang's undefined behavior sanitizer required -fno-sanitize=null and -fno-sanitize=object-size. Remove the undefined behavior by using the regular Linux list APIs and handling the starting case separately from the end testing case. Looking at uses like bpf_perf_object__for_each(), as the constant NULL or non-NULL argument can be constant propagated, the code is no less efficient. Signed-off-by: Ian Rogers Cc: Alexander Shishkin Cc: Alexei Starovoitov Cc: Andrii Nakryiko Cc: Christy Lee Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Miaoqian Lin Cc: Namhyung Kim Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Tom Rix Cc: bpf@vger.kernel.org Cc: llvm@lists.linux.dev Link: https://lore.kernel.org/r/20220726220921.2567761-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo commit 882528d2e77687c3ef26abb9c490f77a9c1f6e1a Author: Leo Yan Date: Sun Jul 24 14:00:13 2022 +0800 perf symbol: Skip symbols if SHF_ALLOC flag is not set Some symbols are observed with the 'st_value' field zeroed. E.g. libc.so.6 in Ubuntu contains a symbol '__evoke_link_warning_getwd' which resides in the '.gnu.warning.getwd' section. Unlike normal sections, such kind of sections are used for linker warning when a file calls deprecated functions, but they are not part of memory images, the symbols in these sections should be dropped. This patch checks the section attribute SHF_ALLOC bit, if the bit is not set, it skips symbols to avoid spurious ones. Suggested-by: Fangrui Song Signed-off-by: Leo Yan Acked-by: Namhyung Kim Cc: Alexander Shishkin Cc: Chang Rui Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20220724060013.171050-3-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo commit 2d86612aacb7805f72873691a2644d7279ed0630 Author: Leo Yan Date: Sun Jul 24 14:00:12 2022 +0800 perf symbol: Correct address for bss symbols When using 'perf mem' and 'perf c2c', an issue is observed that tool reports the wrong offset for global data symbols. This is a common issue on both x86 and Arm64 platforms. Let's see an example, for a test program, below is the disassembly for its .bss section which is dumped with objdump: ... Disassembly of section .bss: 0000000000004040 : ... 0000000000004080 : ... 00000000000040c0 : ... 0000000000004100 : ... First we used 'perf mem record' to run the test program and then used 'perf --debug verbose=4 mem report' to observe what's the symbol info for 'buf1' and 'buf2' structures. # ./perf mem record -e ldlat-loads,ldlat-stores -- false_sharing.exe 8 # ./perf --debug verbose=4 mem report ... dso__load_sym_internal: adjusting symbol: st_value: 0x40c0 sh_addr: 0x4040 sh_offset: 0x3028 symbol__new: buf2 0x30a8-0x30e8 ... dso__load_sym_internal: adjusting symbol: st_value: 0x4080 sh_addr: 0x4040 sh_offset: 0x3028 symbol__new: buf1 0x3068-0x30a8 ... The perf tool relies on libelf to parse symbols, in executable and shared object files, 'st_value' holds a virtual address; 'sh_addr' is the address at which section's first byte should reside in memory, and 'sh_offset' is the byte offset from the beginning of the file to the first byte in the section. The perf tool uses below formula to convert a symbol's memory address to a file address: file_address = st_value - sh_addr + sh_offset ^ ` Memory address We can see the final adjusted address ranges for buf1 and buf2 are [0x30a8-0x30e8) and [0x3068-0x30a8) respectively, apparently this is incorrect, in the code, the structure for 'buf1' and 'buf2' specifies compiler attribute with 64-byte alignment. The problem happens for 'sh_offset', libelf returns it as 0x3028 which is not 64-byte aligned, combining with disassembly, it's likely libelf doesn't respect the alignment for .bss section, therefore, it doesn't return the aligned value for 'sh_offset'. Suggested by Fangrui Song, ELF file contains program header which contains PT_LOAD segments, the fields p_vaddr and p_offset in PT_LOAD segments contain the execution info. A better choice for converting memory address to file address is using the formula: file_address = st_value - p_vaddr + p_offset This patch introduces elf_read_program_header() which returns the program header based on the passed 'st_value', then it uses the formula above to calculate the symbol file address; and the debugging log is updated respectively. After applying the change: # ./perf --debug verbose=4 mem report ... dso__load_sym_internal: adjusting symbol: st_value: 0x40c0 p_vaddr: 0x3d28 p_offset: 0x2d28 symbol__new: buf2 0x30c0-0x3100 ... dso__load_sym_internal: adjusting symbol: st_value: 0x4080 p_vaddr: 0x3d28 p_offset: 0x2d28 symbol__new: buf1 0x3080-0x30c0 ... Fixes: f17e04afaff84b5c ("perf report: Fix ELF symbol parsing") Reported-by: Chang Rui Suggested-by: Fangrui Song Signed-off-by: Leo Yan Acked-by: Namhyung Kim Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20220724060013.171050-2-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo commit b226521923aee7051f4b24df9be5bf07d53f0a2b Author: Leo Yan Date: Mon Jul 25 18:42:20 2022 +0800 perf scripts python: Let script to be python2 compliant The mainline kernel can be used for relative old distros, e.g. RHEL 7. The distro doesn't upgrade from python2 to python3, this causes the building error that the python script is not python2 compliant. To fix the building failure, this patch changes from the python f-string format to traditional string format. Fixes: 12fdd6c009da0d02 ("perf scripts python: Support Arm CoreSight trace data disassembly") Reported-by: Akemi Yagi Signed-off-by: Leo Yan Cc: Alexander Shishkin Cc: ElRepo Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Leo Yan Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20220725104220.1106663-1-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo commit 553de6e1157df63fc6cdfe4573e04c8edcbe68f2 Author: Arnaldo Carvalho de Melo Date: Thu Jul 1 13:39:15 2021 -0300 tools headers cpufeatures: Sync with the kernel sources To pick the changes from: 28a99e95f55c6185 ("x86/amd: Use IBPB for firmware calls") This only causes these perf files to be rebuilt: CC /tmp/build/perf/bench/mem-memcpy-x86-64-asm.o CC /tmp/build/perf/bench/mem-memset-x86-64-asm.o And addresses this perf build warning: Warning: Kernel ABI header at 'tools/arch/x86/include/asm/cpufeatures.h' differs from latest version at 'arch/x86/include/asm/cpufeatures.h' diff -u tools/arch/x86/include/asm/cpufeatures.h arch/x86/include/asm/cpufeatures.h Cc: Adrian Hunter Cc: Borislav Petkov Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra commit 5a159128faff151b7fe5f4eb0f310b1e0a2d56bf Author: Jason Wang Date: Mon Jul 25 15:21:59 2022 +0800 virtio-net: fix the race between refill work and close We try using cancel_delayed_work_sync() to prevent the work from enabling NAPI. This is insufficient since we don't disable the source of the refill work scheduling. This means an NAPI poll callback after cancel_delayed_work_sync() can schedule the refill work then can re-enable the NAPI that leads to use-after-free [1]. Since the work can enable NAPI, we can't simply disable NAPI before calling cancel_delayed_work_sync(). So fix this by introducing a dedicated boolean to control whether or not the work could be scheduled from NAPI. [1] ================================================================== BUG: KASAN: use-after-free in refill_work+0x43/0xd4 Read of size 2 at addr ffff88810562c92e by task kworker/2:1/42 CPU: 2 PID: 42 Comm: kworker/2:1 Not tainted 5.19.0-rc1+ #480 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: events refill_work Call Trace: dump_stack_lvl+0x34/0x44 print_report.cold+0xbb/0x6ac ? _printk+0xad/0xde ? refill_work+0x43/0xd4 kasan_report+0xa8/0x130 ? refill_work+0x43/0xd4 refill_work+0x43/0xd4 process_one_work+0x43d/0x780 worker_thread+0x2a0/0x6f0 ? process_one_work+0x780/0x780 kthread+0x167/0x1a0 ? kthread_exit+0x50/0x50 ret_from_fork+0x22/0x30 ... Fixes: b2baed69e605c ("virtio_net: set/cancel work on ndo_open/ndo_stop") Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin Reviewed-by: Xuan Zhuo Signed-off-by: David S. Miller commit 5e2805d5379619c4a2e3ae4994e73b36439f4bad Author: Toshi Kani Date: Thu Jul 21 12:05:03 2022 -0600 EDAC/ghes: Set the DIMM label unconditionally The commit cb51a371d08e ("EDAC/ghes: Setup DIMM label from DMI and use it in error reports") enforced that both the bank and device strings passed to dimm_setup_label() are not NULL. However, there are BIOSes, for example on a HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 03/15/2019 which don't populate both strings: Handle 0x0020, DMI type 17, 84 bytes Memory Device Array Handle: 0x0013 Error Information Handle: Not Provided Total Width: 72 bits Data Width: 64 bits Size: 32 GB Form Factor: DIMM Set: None Locator: PROC 1 DIMM 1 <===== device Bank Locator: Not Specified <===== bank This results in a buffer overflow because ghes_edac_register() calls strlen() on an uninitialized label, which had non-zero values left over from krealloc_array(): detected buffer overflow in __fortify_strlen ------------[ cut here ]------------ kernel BUG at lib/string_helpers.c:983! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1 Comm: swapper/0 Tainted: G I 5.18.6-200.fc36.x86_64 #1 Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 03/15/2019 RIP: 0010:fortify_panic ... Call Trace: ghes_edac_register.cold ghes_probe platform_probe really_probe __driver_probe_device driver_probe_device __driver_attach ? __device_attach_driver bus_for_each_dev bus_add_driver driver_register acpi_ghes_init acpi_init ? acpi_sleep_proc_init do_one_initcall The label contains garbage because the commit in Fixes reallocs the DIMMs array while scanning the system but doesn't clear the newly allocated memory. Change dimm_setup_label() to always initialize the label to fix the issue. Set it to the empty string in case BIOS does not provide both bank and device so that ghes_edac_register() can keep the default label given by edac_mc_alloc_dimms(). [ bp: Rewrite commit message. ] Fixes: b9cae27728d1f ("EDAC/ghes: Scan the system once on driver init") Co-developed-by: Robert Richter Signed-off-by: Robert Richter Signed-off-by: Toshi Kani Signed-off-by: Borislav Petkov Tested-by: Robert Elliott Cc: Link: https://lore.kernel.org/r/20220719220124.760359-1-toshi.kani@hpe.com commit b5177ed92bf6f9d90a2493ed51c1327e088be1df Author: Mat Martineau Date: Mon Jul 25 13:52:31 2022 -0700 mptcp: Do not return EINPROGRESS when subflow creation succeeds New subflows are created within the kernel using O_NONBLOCK, so EINPROGRESS is the expected return value from kernel_connect(). __mptcp_subflow_connect() has the correct logic to consider EINPROGRESS to be a successful case, but it has also used that error code as its return value. Before v5.19 this was benign: all the callers ignored the return value. Starting in v5.19 there is a MPTCP_PM_CMD_SUBFLOW_CREATE generic netlink command that does use the return value, so the EINPROGRESS gets propagated to userspace. Make __mptcp_subflow_connect() always return 0 on success instead. Fixes: ec3edaa7ca6c ("mptcp: Add handling of outgoing MP_JOIN requests") Fixes: 702c2f646d42 ("mptcp: netlink: allow userspace-driven subflow establishment") Acked-by: Paolo Abeni Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20220725205231.87529-1-mathew.j.martineau@linux.intel.com Signed-off-by: Jakub Kicinski commit e77ea97d2bd99b004e96c339ee22408c5475a52e Merge: e53f529397318 47f4f510ad586 Author: Jakub Kicinski Date: Tue Jul 26 19:53:09 2022 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Florian Westphal says: ==================== netfilter updates for net Three late fixes for netfilter: 1) If nf_queue user requests packet truncation below size of l3 header, we corrupt the skb, then crash. Reject such requests. 2) add cond_resched() calls when doing cycle detection in the nf_tables graph. This avoids softlockup warning with certain rulesets. 3) Reject rulesets that use nftables 'queue' expression in family/chain combinations other than those that are supported. Currently the ruleset will load, but when userspace attempts to reinject you get WARN splat + packet drops. * git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nft_queue: only allow supported familes and hooks netfilter: nf_tables: add rescheduling points during loop detection walks netfilter: nf_queue: do not allow packet truncation below transport header offset ==================== Link: https://lore.kernel.org/r/20220726192056.13497-1-fw@strlen.de Signed-off-by: Jakub Kicinski commit e53f5293973181e8f557a7fef9a47f131fc3d4f0 Merge: aa40d5a43526c d0be8347c623e Author: Jakub Kicinski Date: Tue Jul 26 19:48:24 2022 -0700 Merge tag 'for-net-2022-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - Fix early wakeup after suspend - Fix double free on error - Fix use-after-free on l2cap_chan_put * tag 'for-net-2022-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put Bluetooth: Always set event mask on suspend Bluetooth: mgmt: Fix double free on error path ==================== Link: https://lore.kernel.org/r/20220726221328.423714-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski commit 39c3c396f8131f3db454c80e0fcfcdc54ed9ec01 Merge: 5de64d44968e4 1f7ea54727caa Author: Linus Torvalds Date: Tue Jul 26 19:38:46 2022 -0700 Merge tag 'mm-hotfixes-stable-2022-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "Thirteen hotfixes. Eight are cc:stable and the remainder are for post-5.18 issues or are too minor to warrant backporting" * tag 'mm-hotfixes-stable-2022-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: mailmap: update Gao Xiang's email addresses userfaultfd: provide properly masked address for huge-pages Revert "ocfs2: mount shared volume without ha stack" hugetlb: fix memoryleak in hugetlb_mcopy_atomic_pte fs: sendfile handles O_NONBLOCK of out_fd ntfs: fix use-after-free in ntfs_ucsncmp() secretmem: fix unhandled fault in truncate mm/hugetlb: separate path for hwpoison entry in copy_hugetlb_page_range() mm: fix missing wake-up event for FSDAX pages mm: fix page leak with multiple threads mapping the same page mailmap: update Seth Forshee's email address tmpfs: fix the issue that the mount and remount results are inconsistent. mm: kfence: apply kmemleak_ignore_phys on early allocated pool commit f5c2976e0cb0f6236013bfb479868531b04f61d4 Author: Bart Van Assche Date: Wed Jul 20 10:02:23 2022 -0700 scsi: ufs: core: Fix a race condition related to device management If a device management command completion happens after wait_for_completion_timeout() times out and before ufshcd_clear_cmds() is called, then the completion code may crash on the complete() call in __ufshcd_transfer_req_compl(). Fix the following crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Call trace: complete+0x64/0x178 __ufshcd_transfer_req_compl+0x30c/0x9c0 ufshcd_poll+0xf0/0x208 ufshcd_sl_intr+0xb8/0xf0 ufshcd_intr+0x168/0x2f4 __handle_irq_event_percpu+0xa0/0x30c handle_irq_event+0x84/0x178 handle_fasteoi_irq+0x150/0x2e8 __handle_domain_irq+0x114/0x1e4 gic_handle_irq.31846+0x58/0x300 el1_irq+0xe4/0x1c0 efi_header_end+0x110/0x680 __irq_exit_rcu+0x108/0x124 __handle_domain_irq+0x118/0x1e4 gic_handle_irq.31846+0x58/0x300 el1_irq+0xe4/0x1c0 cpuidle_enter_state+0x3ac/0x8c4 do_idle+0x2fc/0x55c cpu_startup_entry+0x84/0x90 kernel_init+0x0/0x310 start_kernel+0x0/0x608 start_kernel+0x4ec/0x608 Link: https://lore.kernel.org/r/20220720170228.1598842-1-bvanassche@acm.org Fixes: 5a0b0cb9bee7 ("[SCSI] ufs: Add support for sending NOP OUT UPIU") Cc: Adrian Hunter Cc: Avri Altman Cc: Bean Huo Cc: Stanley Chu Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit d9a434fa0c12ed5f7afe1e9dd30003ab5d059b85 Author: Jason Yan Date: Wed Jul 20 10:51:20 2022 +0800 scsi: core: Fix warning in scsi_alloc_sgtables() As explained in SG_IO howto[1]: "If iovec_count is non-zero then 'dxfer_len' should be equal to the sum of iov_len lengths. If not, the minimum of the two is the transfer length." When iovec_count is non-zero and dxfer_len is zero, the sg_io() just genarated a null bio, and finally caused a warning below. To fix it, skip generating a bio for this request if dxfer_len is zero. [1] https://tldp.org/HOWTO/SCSI-Generic-HOWTO/x198.html WARNING: CPU: 2 PID: 3643 at drivers/scsi/scsi_lib.c:1032 scsi_alloc_sgtables+0xc7d/0xf70 drivers/scsi/scsi_lib.c:1032 Modules linked in: CPU: 2 PID: 3643 Comm: syz-executor397 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-204/01/2014 RIP: 0010:scsi_alloc_sgtables+0xc7d/0xf70 drivers/scsi/scsi_lib.c:1032 Code: e7 fc 31 ff 44 89 f6 e8 c1 4e e7 fc 45 85 f6 0f 84 1a f5 ff ff e8 93 4c e7 fc 83 c5 01 0f b7 ed e9 0f f5 ff ff e8 83 4c e7 fc <0f> 0b 41 bc 0a 00 00 00 e9 2b fb ff ff 41 bc 09 00 00 00 e9 20 fb RSP: 0018:ffffc90000d07558 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88801bfc96a0 RCX: 0000000000000000 RDX: ffff88801c876000 RSI: ffffffff849060bd RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff849055b9 R11: 0000000000000000 R12: ffff888012b8c000 R13: ffff88801bfc9580 R14: 0000000000000000 R15: ffff88801432c000 FS: 00007effdec8e700(0000) GS:ffff88802cc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007effdec6d718 CR3: 00000000206d6000 CR4: 0000000000150ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: scsi_setup_scsi_cmnd drivers/scsi/scsi_lib.c:1219 [inline] scsi_prepare_cmd drivers/scsi/scsi_lib.c:1614 [inline] scsi_queue_rq+0x283e/0x3630 drivers/scsi/scsi_lib.c:1730 blk_mq_dispatch_rq_list+0x6ea/0x22e0 block/blk-mq.c:1851 __blk_mq_sched_dispatch_requests+0x20b/0x410 block/blk-mq-sched.c:299 blk_mq_sched_dispatch_requests+0xfb/0x180 block/blk-mq-sched.c:332 __blk_mq_run_hw_queue+0xf9/0x350 block/blk-mq.c:1968 __blk_mq_delay_run_hw_queue+0x5b6/0x6c0 block/blk-mq.c:2045 blk_mq_run_hw_queue+0x30f/0x480 block/blk-mq.c:2096 blk_mq_sched_insert_request+0x340/0x440 block/blk-mq-sched.c:451 blk_execute_rq+0xcc/0x340 block/blk-mq.c:1231 sg_io+0x67c/0x1210 drivers/scsi/scsi_ioctl.c:485 scsi_ioctl_sg_io drivers/scsi/scsi_ioctl.c:866 [inline] scsi_ioctl+0xa66/0x1560 drivers/scsi/scsi_ioctl.c:921 sd_ioctl+0x199/0x2a0 drivers/scsi/sd.c:1576 blkdev_ioctl+0x37a/0x800 block/ioctl.c:588 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7effdecdc5d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007effdec8e2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007effded664c0 RCX: 00007effdecdc5d9 RDX: 0000000020002300 RSI: 0000000000002285 RDI: 0000000000000004 RBP: 00007effded34034 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003 R13: 00007effded34054 R14: 2f30656c69662f2e R15: 00007effded664c8 Link: https://lore.kernel.org/r/20220720025120.3226770-1-yanaijie@huawei.com Fixes: 25636e282fe9 ("block: fix SG_IO vector request data length handling") Reported-by: syzbot+d44b35ecfb807e5af0b5@syzkaller.appspotmail.com Reviewed-by: Christoph Hellwig Reviewed-by: Bart Van Assche Signed-off-by: Jason Yan Signed-off-by: Martin K. Petersen commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 Author: Liang He Date: Tue Jul 19 15:15:29 2022 +0800 scsi: ufs: host: Hold reference returned by of_parse_phandle() In ufshcd_populate_vreg(), we should hold the reference returned by of_parse_phandle() and then use it to call of_node_put() for refcount balance. Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com Fixes: aa4976130934 ("ufs: Add regulator enable support") Reviewed-by: Bart Van Assche Signed-off-by: Liang He Signed-off-by: Martin K. Petersen commit 0fde22c5420ed258ee538a760291c2f3935f6a01 Author: David Jeffery Date: Fri Jul 22 10:24:48 2022 -0400 scsi: mpt3sas: Stop fw fault watchdog work item during system shutdown During system shutdown or reboot, mpt3sas will reset the firmware back to ready state. However, the driver leaves running a watchdog work item intended to keep the firmware in operational state. This causes a second, unneeded reset on shutdown and moves the firmware back to operational instead of in ready state as intended. And if the mpt3sas_fwfault_debug module parameter is set, this extra reset also panics the system. mpt3sas's scsih_shutdown needs to stop the watchdog before resetting the firmware back to ready state. Link: https://lore.kernel.org/r/20220722142448.6289-1-djeffery@redhat.com Fixes: fae21608c31c ("scsi: mpt3sas: Transition IOC to Ready state during shutdown") Tested-by: Laurence Oberman Acked-by: Sreekanth Reddy Signed-off-by: David Jeffery Signed-off-by: Martin K. Petersen commit 1f7ea54727caaa6701a15af0cbeddfdb015b2869 Author: Gao Xiang Date: Tue Jul 19 23:42:46 2022 +0800 mailmap: update Gao Xiang's email addresses I've been in Alibaba Cloud for more than one year, mainly to address cloud-native challenges (such as high-performance container images) for open source communities. Update my email addresses on behalf of my current employer (Alibaba Cloud) to support all my (team) work in this area. Also add an outdated @redhat.com address of me. Link: https://lkml.kernel.org/r/20220719154246.62970-1-xiang@kernel.org Signed-off-by: Gao Xiang Signed-off-by: Andrew Morton commit d172b1a3bd065dd89234eac547fc62cf80681631 Author: Nadav Amit Date: Mon Jul 11 09:59:06 2022 -0700 userfaultfd: provide properly masked address for huge-pages Commit 824ddc601adc ("userfaultfd: provide unmasked address on page-fault") was introduced to fix an old bug, in which the offset in the address of a page-fault was masked. Concerns were raised - although were never backed by actual code - that some userspace code might break because the bug has been around for quite a while. To address these concerns a new flag was introduced, and only when this flag is set by the user, userfaultfd provides the exact address of the page-fault. The commit however had a bug, and if the flag is unset, the offset was always masked based on a base-page granularity. Yet, for huge-pages, the behavior prior to the commit was that the address is masked to the huge-page granulrity. While there are no reports on real breakage, fix this issue. If the flag is unset, use the address with the masking that was done before. Link: https://lkml.kernel.org/r/20220711165906.2682-1-namit@vmware.com Fixes: 824ddc601adc ("userfaultfd: provide unmasked address on page-fault") Signed-off-by: Nadav Amit Reported-by: James Houghton Reviewed-by: Mike Rapoport Reviewed-by: Peter Xu Reviewed-by: James Houghton Cc: David Hildenbrand Cc: Jan Kara Cc: Andrea Arcangeli Cc: Signed-off-by: Andrew Morton commit d0be8347c623e0ac4202a1d4e0373882821f56b0 Author: Luiz Augusto von Dentz Date: Thu Jul 21 09:10:50 2022 -0700 Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put This fixes the following trace which is caused by hci_rx_work starting up *after* the final channel reference has been put() during sock_close() but *before* the references to the channel have been destroyed, so instead the code now rely on kref_get_unless_zero/l2cap_chan_hold_unless_zero to prevent referencing a channel that is about to be destroyed. refcount_t: increment on 0; use-after-free. BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0 Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705 CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S W 4.14.234-00003-g1fb6d0bd49a4-dirty #28 Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM sm8150 Flame DVT (DT) Workqueue: hci0 hci_rx_work Call trace: dump_backtrace+0x0/0x378 show_stack+0x20/0x2c dump_stack+0x124/0x148 print_address_description+0x80/0x2e8 __kasan_report+0x168/0x188 kasan_report+0x10/0x18 __asan_load4+0x84/0x8c refcount_dec_and_test+0x20/0xd0 l2cap_chan_put+0x48/0x12c l2cap_recv_frame+0x4770/0x6550 l2cap_recv_acldata+0x44c/0x7a4 hci_acldata_packet+0x100/0x188 hci_rx_work+0x178/0x23c process_one_work+0x35c/0x95c worker_thread+0x4cc/0x960 kthread+0x1a8/0x1c4 ret_from_fork+0x10/0x18 Cc: stable@kernel.org Reported-by: Lee Jones Signed-off-by: Luiz Augusto von Dentz Tested-by: Lee Jones Signed-off-by: Luiz Augusto von Dentz commit ef61b6ea154464fefd8a6712d7a3b43b445c3d4a Author: Abhishek Pandit-Subedi Date: Mon Jul 25 15:34:21 2022 -0700 Bluetooth: Always set event mask on suspend When suspending, always set the event mask once disconnects are successful. Otherwise, if wakeup is disallowed, the event mask is not set before suspend continues and can result in an early wakeup. Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier") Cc: stable@vger.kernel.org Signed-off-by: Abhishek Pandit-Subedi Signed-off-by: Luiz Augusto von Dentz commit 4b2f4e072fb2599b6a2e5e277f0d2b5705eaa630 Author: Dan Carpenter Date: Tue Jul 26 18:13:44 2022 +0300 Bluetooth: mgmt: Fix double free on error path Don't call mgmt_pending_remove() twice (double free). Fixes: 6b88eff43704 ("Bluetooth: hci_sync: Refactor remove Adv Monitor") Signed-off-by: Dan Carpenter Signed-off-by: Luiz Augusto von Dentz commit aa40d5a43526cca9439a2b45fcfdcd016594dece Author: Tetsuo Handa Date: Sun Jul 17 21:21:52 2022 +0900 wifi: mac80211: do not abuse fq.lock in ieee80211_do_stop() lockdep complains use of uninitialized spinlock at ieee80211_do_stop() [1], for commit f856373e2f31ffd3 ("wifi: mac80211: do not wake queues on a vif that is being stopped") guards clear_bit() using fq.lock even before fq_init() from ieee80211_txq_setup_flows() initializes this spinlock. According to discussion [2], Toke was not happy with expanding usage of fq.lock. Since __ieee80211_wake_txqs() is called under RCU read lock, we can instead use synchronize_rcu() for flushing ieee80211_wake_txqs(). Link: https://syzkaller.appspot.com/bug?extid=eceab52db7c4b961e9d6 [1] Link: https://lkml.kernel.org/r/874k0zowh2.fsf@toke.dk [2] Reported-by: syzbot Signed-off-by: Tetsuo Handa Fixes: f856373e2f31ffd3 ("wifi: mac80211: do not wake queues on a vif that is being stopped") Tested-by: syzbot Acked-by: Toke Høiland-Jørgensen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/9cc9b81d-75a3-3925-b612-9d0ad3cab82b@I-love.SAKURA.ne.jp [ pick up commit 3598cb6e1862 ("wifi: mac80211: do not abuse fq.lock in ieee80211_do_stop()") from -next] Link: https://lore.kernel.org/all/87o7xcq6qt.fsf@kernel.org/ Signed-off-by: Jakub Kicinski commit cc019545a238518fa9da1e2a889f6e1bb1005a63 Author: Maciej Fijalkowski Date: Thu Jul 7 12:20:43 2022 +0200 ice: do not setup vlan for loopback VSI Currently loopback test is failiing due to the error returned from ice_vsi_vlan_setup(). Skip calling it when preparing loopback VSI. Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest") Signed-off-by: Maciej Fijalkowski Tested-by: George Kuruvinakunnel Signed-off-by: Tony Nguyen commit 283d736ff7c7e96ac5b32c6c0de40372f8eb171e Author: Maciej Fijalkowski Date: Thu Jul 7 12:20:42 2022 +0200 ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS) Tx side sets EOP and RS bits on descriptors to indicate that a particular descriptor is the last one and needs to generate an irq when it was sent. These bits should not be checked on completion path regardless whether it's the Tx or the Rx. DD bit serves this purpose and it indicates that a particular descriptor is either for Rx or was successfully Txed. EOF is also set as loopback test does not xmit fragmented frames. Look at (DD | EOF) bits setting in ice_lbtest_receive_frames() instead of EOP and RS pair. Fixes: 0e674aeb0b77 ("ice: Add handler for ethtool selftest") Signed-off-by: Maciej Fijalkowski Tested-by: George Kuruvinakunnel Signed-off-by: Tony Nguyen commit 5c8e3c7ff3e7bd7b938659be704f75cc746b697f Author: Anirudh Venkataramanan Date: Thu Jul 21 10:03:09 2022 +0200 ice: Fix VSIs unable to share unicast MAC The driver currently does not allow two VSIs in the same PF domain to have the same unicast MAC address. This is incorrect in the sense that a policy decision is being made in the driver when it must be left to the user. This approach was causing issues when rebooting the system with VFs spawned not being able to change their MAC addresses. Such errors were present in dmesg: [ 7921.068237] ice 0000:b6:00.2 ens2f2: Unicast MAC 6a:0d:e4:70:ca:d1 already exists on this PF. Preventing setting VF 7 unicast MAC address to 6a:0d:e4:70:ca:d1 Fix that by removing this restriction. Doing this also allows us to remove some additional code that's checking if a unicast MAC filter already exists. Fixes: 47ebc7b02485 ("ice: Check if unicast MAC exists before setting VF MAC") Signed-off-by: Anirudh Venkataramanan Signed-off-by: Sylwester Dziedziuch Signed-off-by: Mateusz Palczewski Signed-off-by: Jedrzej Jagielski Tested-by: Marek Szlosek Signed-off-by: Tony Nguyen commit 01658aeeada6f93c2924af94d895ff28d559690c Author: Przemyslaw Patynowski Date: Mon Jul 18 13:34:27 2022 +0200 ice: Fix tunnel checksum offload with fragmented traffic Fix checksum offload on VXLAN tunnels. In case, when mpls protocol is not used, set l4 header to transport header of skb. This fixes case, when user tries to offload checksums of VXLAN tunneled traffic. Steps for reproduction (requires link partner with tunnels): ip l s enp130s0f0 up ip a f enp130s0f0 ip a a 10.10.110.2/24 dev enp130s0f0 ip l s enp130s0f0 mtu 1600 ip link add vxlan12_sut type vxlan id 12 group 238.168.100.100 dev enp130s0f0 dstport 4789 ip l s vxlan12_sut up ip a a 20.10.110.2/24 dev vxlan12_sut iperf3 -c 20.10.110.1 #should connect Offload params: td_offset, cd_tunnel_params were corrupted, due to l4 header pointing wrong address. NIC would then drop those packets internally, due to incorrect TX descriptor data, which increased GLV_TEPC register. Fixes: 69e66c04c672 ("ice: Add mpls+tso support") Signed-off-by: Przemyslaw Patynowski Signed-off-by: Mateusz Palczewski Signed-off-by: Jedrzej Jagielski Tested-by: Gurucharan (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit 1e308c6fb7127371f48a0fb9770ea0b30a6b5698 Author: Przemyslaw Patynowski Date: Mon Jul 4 15:46:12 2022 +0200 ice: Fix max VLANs available for VF Legacy VLAN implementation allows for untrusted VF to have 8 VLAN filters, not counting VLAN 0 filters. Current VLAN_V2 implementation lowers available filters for VF, by counting in VLAN 0 filter for both TPIDs. Fix this by counting only non zero VLAN filters. Without this patch, untrusted VF would not be able to access 8 VLAN filters. Fixes: cc71de8fa133 ("ice: Add support for VIRTCHNL_VF_OFFLOAD_VLAN_V2") Signed-off-by: Przemyslaw Patynowski Signed-off-by: Mateusz Palczewski Tested-by: Marek Szlosek Signed-off-by: Tony Nguyen commit 47f4f510ad586032b85c89a0773fbb011d412425 Author: Florian Westphal Date: Tue Jul 26 19:49:00 2022 +0200 netfilter: nft_queue: only allow supported familes and hooks Trying to use 'queue' statement in ingress (for example) triggers a splat on reinject: WARNING: CPU: 3 PID: 1345 at net/netfilter/nf_queue.c:291 ... because nf_reinject cannot find the ruleset head. The netdev family doesn't support async resume at the moment anyway, so disallow loading such rulesets with a more appropriate error message. v2: add 'validate' callback and also check hook points, v1 did allow ingress use in 'table inet', but that doesn't work either. (Pablo) Signed-off-by: Florian Westphal Reviewed-by: Pablo Neira Ayuso commit 81ea010667417ef3f218dfd99b69769fe66c2b67 Author: Florian Westphal Date: Tue Jul 26 12:44:35 2022 +0200 netfilter: nf_tables: add rescheduling points during loop detection walks Add explicit rescheduling points during ruleset walk. Switching to a faster algorithm is possible but this is a much smaller change, suitable for nf tree. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1460 Signed-off-by: Florian Westphal Acked-by: Pablo Neira Ayuso commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 Author: Florian Westphal Date: Tue Jul 26 12:42:06 2022 +0200 netfilter: nf_queue: do not allow packet truncation below transport header offset Domingo Dirutigliano and Nicola Guerrera report kernel panic when sending nf_queue verdict with 1-byte nfta_payload attribute. The IP/IPv6 stack pulls the IP(v6) header from the packet after the input hook. If user truncates the packet below the header size, this skb_pull() will result in a malformed skb (skb->len < 0). Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink") Reported-by: Domingo Dirutigliano Signed-off-by: Florian Westphal Reviewed-by: Pablo Neira Ayuso commit 5de64d44968e4ae66ebdb0a2d08b443f189d3651 Merge: cdb281e638740 918e75f77af7d Author: Linus Torvalds Date: Tue Jul 26 10:03:53 2022 -0700 Merge tag 's390-5.19-7' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fix from Alexander GordeevL - Prevent relatively slow PRNO TRNG random number operation from being called from interrupt context. That could for example cause some network loads to timeout. * tag 's390-5.19-7' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/archrandom: prevent CPACF trng invocations in interrupt context commit cdb281e63874086a650552d36c504ea717a0e0cb Author: Qi Zheng Date: Tue Jul 26 14:24:36 2022 +0800 mm: fix NULL pointer dereference in wp_page_reuse() The vmf->page can be NULL when the wp_page_reuse() is invoked by wp_pfn_shared(), it will cause the following panic: BUG: kernel NULL pointer dereference, address: 000000000000008 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 18 PID: 923 Comm: Xorg Not tainted 5.19.0-rc8.bm.1-amd64 #263 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g14 RIP: 0010:_compound_head+0x0/0x40 [...] Call Trace: wp_page_reuse+0x1c/0xa0 do_wp_page+0x1a5/0x3f0 __handle_mm_fault+0x8cf/0xd20 handle_mm_fault+0xd5/0x2a0 do_user_addr_fault+0x1d0/0x680 exc_page_fault+0x78/0x170 asm_exc_page_fault+0x22/0x30 To fix it, this patch performs a NULL pointer check before dereferencing the vmf->page. Fixes: 6c287605fd56 ("mm: remember exclusively mapped anonymous pages with PG_anon_exclusive") Signed-off-by: Qi Zheng Reviewed-by: David Hildenbrand Signed-off-by: Linus Torvalds commit 0c09bc33aa8e9dc867300acaadc318c2f0d85a1e Author: Nathan Chancellor Date: Mon Jul 25 16:36:29 2022 -0700 drm/simpledrm: Fix return type of simpledrm_simple_display_pipe_mode_valid() When booting a kernel compiled with clang's CFI protection (CONFIG_CFI_CLANG), there is a CFI failure in drm_simple_kms_crtc_mode_valid() when trying to call simpledrm_simple_display_pipe_mode_valid() through ->mode_valid(): [ 0.322802] CFI failure (target: simpledrm_simple_display_pipe_mode_valid+0x0/0x8): ... [ 0.324928] Call trace: [ 0.324969] __ubsan_handle_cfi_check_fail+0x58/0x60 [ 0.325053] __cfi_check_fail+0x3c/0x44 [ 0.325120] __cfi_slowpath_diag+0x178/0x200 [ 0.325192] drm_simple_kms_crtc_mode_valid+0x58/0x80 [ 0.325279] __drm_helper_update_and_validate+0x31c/0x464 ... The ->mode_valid() member in 'struct drm_simple_display_pipe_funcs' expects a return type of 'enum drm_mode_status', not 'int'. Correct it to fix the CFI failure. Cc: stable@vger.kernel.org Fixes: 11e8f5fd223b ("drm: Add simpledrm driver") Link: https://github.com/ClangBuiltLinux/linux/issues/1647 Reported-by: Tomasz Paweł Gajc Signed-off-by: Nathan Chancellor Signed-off-by: Thomas Zimmermann Reviewed-by: Sami Tolvanen Link: https://patchwork.freedesktop.org/patch/msgid/20220725233629.223223-1-nathan@kernel.org commit 9b134b1694ec8926926ba6b7b80884ea829245a0 Author: Benjamin Poirier Date: Mon Jul 25 09:12:36 2022 +0900 bridge: Do not send empty IFLA_AF_SPEC attribute After commit b6c02ef54913 ("bridge: Netlink interface fix."), br_fill_ifinfo() started to send an empty IFLA_AF_SPEC attribute when a bridge vlan dump is requested but an interface does not have any vlans configured. iproute2 ignores such an empty attribute since commit b262a9becbcb ("bridge: Fix output with empty vlan lists") but older iproute2 versions as well as other utilities have their output changed by the cited kernel commit, resulting in failed test cases. Regardless, emitting an empty attribute is pointless and inefficient. Avoid this change by canceling the attribute if no AF_SPEC data was added. Fixes: b6c02ef54913 ("bridge: Netlink interface fix.") Reviewed-by: Ido Schimmel Signed-off-by: Benjamin Poirier Acked-by: Nikolay Aleksandrov Link: https://lore.kernel.org/r/20220725001236.95062-1-bpoirier@nvidia.com Signed-off-by: Paolo Abeni commit 33881ab73d6f6b4f0a2a89aece86dd60e6e507c6 Merge: b89fc26f741d9 59e1be6f83b92 Author: Paolo Abeni Date: Tue Jul 26 13:05:46 2022 +0200 Merge branch 'octeontx2-minor-tc-fixes' Subbaraya Sundeep says: ==================== Octeontx2 minor tc fixes This patch set fixes two problems found in tc code wrt to ratelimiting and when installing UDP/TCP filters. Patch 1: CN10K has different register format compared to CN9xx hence fixes that. Patch 2: Check flow mask also before installing a src/dst port filter, otherwise installing for one port installs for other one too. ==================== Link: https://lore.kernel.org/r/1658650874-16459-1-git-send-email-sbhatta@marvell.com Signed-off-by: Paolo Abeni commit 59e1be6f83b928a04189bbf3ab683a1fc6248db3 Author: Subbaraya Sundeep Date: Sun Jul 24 13:51:14 2022 +0530 octeontx2-pf: Fix UDP/TCP src and dst port tc filters Check the mask for non-zero value before installing tc filters for L4 source and destination ports. Otherwise installing a filter for source port installs destination port too and vice-versa. Fixes: 1d4d9e42c240 ("octeontx2-pf: Add tc flower hardware offload on ingress traffic") Signed-off-by: Subbaraya Sundeep Signed-off-by: Sunil Goutham Signed-off-by: Paolo Abeni commit b354eaeec8637d87003945439209251d76a2bb95 Author: Sunil Goutham Date: Sun Jul 24 13:51:13 2022 +0530 octeontx2-pf: cn10k: Fix egress ratelimit configuration NIX_AF_TLXX_PIR/CIR register format has changed from OcteonTx2 to CN10K. CN10K supports larger burst size. Fix burst exponent and burst mantissa configuration for CN10K. Also fixed 'maxrate' from u32 to u64 since 'police.rate_bytes_ps' passed by stack is also u64. Fixes: e638a83f167e ("octeontx2-pf: TC_MATCHALL egress ratelimiting offload") Signed-off-by: Sunil Goutham Signed-off-by: Subbaraya Sundeep Signed-off-by: Paolo Abeni commit b89fc26f741d9f9efb51cba3e9b241cf1380ec5a Author: Duoming Zhou Date: Sat Jul 23 09:58:09 2022 +0800 sctp: fix sleep in atomic context bug in timer handlers There are sleep in atomic context bugs in timer handlers of sctp such as sctp_generate_t3_rtx_event(), sctp_generate_probe_event(), sctp_generate_t1_init_event(), sctp_generate_timeout_event(), sctp_generate_t3_rtx_event() and so on. The root cause is sctp_sched_prio_init_sid() with GFP_KERNEL parameter that may sleep could be called by different timer handlers which is in interrupt context. One of the call paths that could trigger bug is shown below: (interrupt context) sctp_generate_probe_event sctp_do_sm sctp_side_effects sctp_cmd_interpreter sctp_outq_teardown sctp_outq_init sctp_sched_set_sched n->init_sid(..,GFP_KERNEL) sctp_sched_prio_init_sid //may sleep This patch changes gfp_t parameter of init_sid in sctp_sched_set_sched() from GFP_KERNEL to GFP_ATOMIC in order to prevent sleep in atomic context bugs. Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") Signed-off-by: Duoming Zhou Acked-by: Marcelo Ricardo Leitner Link: https://lore.kernel.org/r/20220723015809.11553-1-duoming@zju.edu.cn Signed-off-by: Jakub Kicinski commit c7560d1203b7a1ea0b99a5c575547e95d564b2a8 Author: Vladimir Oltean Date: Sat Jul 23 04:24:11 2022 +0300 net: dsa: fix reference counting for LAG FDBs Due to an invalid conflict resolution on my side while working on 2 different series (LAG FDBs and FDB isolation), dsa_switch_do_lag_fdb_add() does not store the database associated with a dsa_mac_addr structure. So after adding an FDB entry associated with a LAG, dsa_mac_addr_find() fails to find it while deleting it, because &a->db is zeroized memory for all stored FDB entries of lag->fdbs, and dsa_switch_do_lag_fdb_del() returns -ENOENT rather than deleting the entry. Fixes: c26933639b54 ("net: dsa: request drivers to perform FDB isolation") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220723012411.1125066-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit 5fcbb711024aac6d4db385623e6f2fdf019f7782 Author: Michal Maloszewski Date: Fri Jul 22 10:54:01 2022 -0700 i40e: Fix interface init with MSI interrupts (no MSI-X) Fix the inability to bring an interface up on a setup with only MSI interrupts enabled (no MSI-X). Solution is to add a default number of QPs = 1. This is enough, since without MSI-X support driver enables only a basic feature set. Fixes: bc6d33c8d93f ("i40e: Fix the number of queues available to be mapped for use") Signed-off-by: Dawid Lukwinski Signed-off-by: Michal Maloszewski Tested-by: Dave Switzer Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20220722175401.112572-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit c653c591789b3acfa4bf6ae45d5af4f330e50a91 Author: Michael Ellerman Date: Mon Jul 25 14:37:29 2022 +1000 drm/amdgpu: Re-enable DCN for 64-bit powerpc Commit d11219ad53dc ("amdgpu: disable powerpc support for the newer display engine") disabled the DCN driver for all of powerpc due to unresolved build failures with some compilers. Further digging shows that the build failures only occur with compilers that default to 64-bit long double. Both the ppc64 and ppc64le ABIs define long double to be 128-bits, but there are compilers in the wild that default to 64-bits. The compilers provided by the major distros (Fedora, Ubuntu) default to 128-bits and are not affected by the build failure. There is a compiler flag to force 128-bit long double, which may be the correct long term fix, but as an interim fix only allow building the DCN driver if long double is 128-bits by default. The bisection in commit d11219ad53dc must have gone off the rails at some point, the build failure occurs all the way back to the original commit that enabled DCN support on powerpc, at least with some toolchains. Depends-on: d11219ad53dc ("amdgpu: disable powerpc support for the newer display engine") Fixes: 16a9dea110a6 ("amdgpu: Enable initial DCN support on POWER") Signed-off-by: Michael Ellerman Acked-by: Alex Deucher Reviewed-by: Dan Horák Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2100 Link: https://lore.kernel.org/r/20220725123918.1903255-1-mpe@ellerman.id.au commit d295ad34f236c3518634fb6403d4c0160456e470 Author: Waiman Long Date: Sat Jul 23 15:59:32 2022 -0400 intel_idle: Fix false positive RCU splats due to incorrect hardirqs state Commit 32d4fd5751ea ("cpuidle,intel_idle: Fix CPUIDLE_FLAG_IRQ_ENABLE") uses raw_local_irq_enable/local_irq_disable() around call to __intel_idle() in intel_idle_irq(). With interrupt enabled, timer tick interrupt can happen and a subsequently call to __do_softirq() may change the lockdep hardirqs state of a debug kernel back to 'on'. This will result in a mismatch between the cpu hardirqs state (off) and the lockdep hardirqs state (on) causing a number of false positive "WARNING: suspicious RCU usage" splats. Fix that by using local_irq_disable() to disable interrupt in intel_idle_irq(). Fixes: 32d4fd5751ea ("cpuidle,intel_idle: Fix CPUIDLE_FLAG_IRQ_ENABLE") Signed-off-by: Waiman Long Cc: 5.16+ # 5.16+ Signed-off-by: Rafael J. Wysocki commit a7a47a5dfa9a9692a41764ee9ab4054f12924a42 Author: Umesh Nerlige Ramappa Date: Tue Jun 21 12:21:05 2022 -0700 drm/i915/reset: Add additional steps for Wa_22011802037 for execlist backend For execlists backend, current implementation of Wa_22011802037 is to stop the CS before doing a reset of the engine. This WA was further extended to wait for any pending MI FORCE WAKEUPs before issuing a reset. Add the extended steps in the execlist path of reset. In addition, extend the WA to gen11. v2: (Tvrtko) - Clarify comments, commit message, fix typos - Use IS_GRAPHICS_VER for gen 11/12 checks v3: (Daneile) - Drop changes to intel_ring_submission since WA does not apply to it - Log an error if MSG IDLE is not defined for an engine Signed-off-by: Umesh Nerlige Ramappa Fixes: f6aa0d713c88 ("drm/i915: Add Wa_22011802037 force cs halt") Acked-by: Tvrtko Ursulin Reviewed-by: Daniele Ceraolo Spurio Signed-off-by: John Harrison Link: https://patchwork.freedesktop.org/patch/msgid/20220621192105.2100585-1-umesh.nerlige.ramappa@intel.com (cherry picked from commit 0667429ce68e0b08f9f1fec8fd0b1f57228f605e) Signed-off-by: Tvrtko Ursulin commit 9af0620de1e118666881376f6497d1785758b04c Merge: 3e7d18b9dca38 96b9bd8c6d125 Author: David S. Miller Date: Mon Jul 25 12:42:10 2022 +0100 Merge branch 'net-sysctl-races-part-6' Kuniyuki Iwashima says: ==================== sysctl: Fix data-races around ipv4_net_table (Round 6, Final). This series fixes data-races around 11 knobs after tcp_pacing_ss_ratio ipv4_net_table, and this is the final round for ipv4_net_table. While at it, other data-races around these related knobs are fixed. - decnet_mem - decnet_rmem - tipc_rmem There are still 58 tables possibly missing some fixes under net/. $ grep -rnE "struct ctl_table.*?\[\] =" net/ | wc -l 60 ==================== Signed-off-by: David S. Miller commit 96b9bd8c6d125490f9adfb57d387ef81a55a103e Author: Kuniyuki Iwashima Date: Fri Jul 22 11:22:05 2022 -0700 ipv4: Fix data-races around sysctl_fib_notify_on_flag_change. While reading sysctl_fib_notify_on_flag_change, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 680aea08e78c ("net: ipv4: Emit notification when fib hardware flags are changed") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 870e3a634b6a6cb1543b359007aca73fe6a03ac5 Author: Kuniyuki Iwashima Date: Fri Jul 22 11:22:04 2022 -0700 tcp: Fix data-races around sysctl_tcp_reflect_tos. While reading sysctl_tcp_reflect_tos, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: ac8f1710c12b ("tcp: reflect tos value received in SYN to the socket") Signed-off-by: Kuniyuki Iwashima Acked-by: Wei Wang Signed-off-by: David S. Miller commit 79f55473bfc8ac51bd6572929a679eeb4da22251 Author: Kuniyuki Iwashima Date: Fri Jul 22 11:22:03 2022 -0700 tcp: Fix a data-race around sysctl_tcp_comp_sack_nr. While reading sysctl_tcp_comp_sack_nr, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 9c21d2fc41c0 ("tcp: add tcp_comp_sack_nr sysctl") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 22396941a7f343d704738360f9ef0e6576489d43 Author: Kuniyuki Iwashima Date: Fri Jul 22 11:22:02 2022 -0700 tcp: Fix a data-race around sysctl_tcp_comp_sack_slack_ns. While reading sysctl_tcp_comp_sack_slack_ns, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: a70437cc09a1 ("tcp: add hrtimer slack to sack compression") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 4866b2b0f7672b6d760c4b8ece6fb56f965dcc8a Author: Kuniyuki Iwashima Date: Fri Jul 22 11:22:01 2022 -0700 tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns. While reading sysctl_tcp_comp_sack_delay_ns, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 6d82aa242092 ("tcp: add tcp_comp_sack_delay_ns sysctl") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 02739545951ad4c1215160db7fbf9b7a918d3c0b Author: Kuniyuki Iwashima Date: Fri Jul 22 11:22:00 2022 -0700 net: Fix data-races around sysctl_[rw]mem(_offset)?. While reading these sysctl variables, they can be changed concurrently. Thus, we need to add READ_ONCE() to their readers. - .sysctl_rmem - .sysctl_rwmem - .sysctl_rmem_offset - .sysctl_wmem_offset - sysctl_tcp_rmem[1, 2] - sysctl_tcp_wmem[1, 2] - sysctl_decnet_rmem[1] - sysctl_decnet_wmem[1] - sysctl_tipc_rmem[1] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 59bf6c65a09fff74215517aecffbbdcd67df76e3 Author: Kuniyuki Iwashima Date: Fri Jul 22 11:21:59 2022 -0700 tcp: Fix data-races around sk_pacing_rate. While reading sysctl_tcp_pacing_(ss|ca)_ratio, they can be changed concurrently. Thus, we need to add READ_ONCE() to their readers. Fixes: 43e122b014c9 ("tcp: refine pacing rate determination") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 3e7d18b9dca388940a19cae30bfc1f76dccd8c28 Author: Taehee Yoo Date: Fri Jul 22 17:06:35 2022 +0000 net: mld: fix reference count leak in mld_{query | report}_work() mld_{query | report}_work() processes queued events. If there are too many events in the queue, it re-queue a work. And then, it returns without in6_dev_put(). But if queuing is failed, it should call in6_dev_put(), but it doesn't. So, a reference count leak would occur. THREAD0 THREAD1 mld_report_work() spin_lock_bh() if (!mod_delayed_work()) in6_dev_hold(); spin_unlock_bh() spin_lock_bh() schedule_delayed_work() spin_unlock_bh() Script to reproduce(by Hangbin Liu): ip netns add ns1 ip netns add ns2 ip netns exec ns1 sysctl -w net.ipv6.conf.all.force_mld_version=1 ip netns exec ns2 sysctl -w net.ipv6.conf.all.force_mld_version=1 ip -n ns1 link add veth0 type veth peer name veth0 netns ns2 ip -n ns1 link set veth0 up ip -n ns2 link set veth0 up for i in `seq 50`; do for j in `seq 100`; do ip -n ns1 addr add 2021:${i}::${j}/64 dev veth0 ip -n ns2 addr add 2022:${i}::${j}/64 dev veth0 done done modprobe -r veth ip -a netns del splat looks like: unregister_netdevice: waiting for veth0 to become free. Usage count = 2 leaked reference. ipv6_add_dev+0x324/0xec0 addrconf_notify+0x481/0xd10 raw_notifier_call_chain+0xe3/0x120 call_netdevice_notifiers+0x106/0x160 register_netdevice+0x114c/0x16b0 veth_newlink+0x48b/0xa50 [veth] rtnl_newlink+0x11a2/0x1a40 rtnetlink_rcv_msg+0x63f/0xc00 netlink_rcv_skb+0x1df/0x3e0 netlink_unicast+0x5de/0x850 netlink_sendmsg+0x6c9/0xa90 ____sys_sendmsg+0x76a/0x780 __sys_sendmsg+0x27c/0x340 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Tested-by: Hangbin Liu Fixes: f185de28d9ae ("mld: add new workqueues for process mld events") Signed-off-by: Taehee Yoo Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller commit c7b205fbbf3cffa374721bb7623f7aa8c46074f1 Author: Jianglei Nie Date: Fri Jul 22 17:29:02 2022 +0800 net: macsec: fix potential resource leak in macsec_add_rxsa() and macsec_add_txsa() init_rx_sa() allocates relevant resource for rx_sa->stats and rx_sa-> key.tfm with alloc_percpu() and macsec_alloc_tfm(). When some error occurs after init_rx_sa() is called in macsec_add_rxsa(), the function released rx_sa with kfree() without releasing rx_sa->stats and rx_sa-> key.tfm, which will lead to a resource leak. We should call macsec_rxsa_put() instead of kfree() to decrease the ref count of rx_sa and release the relevant resource if the refcount is 0. The same bug exists in macsec_add_txsa() for tx_sa as well. This patch fixes the above two bugs. Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure") Signed-off-by: Jianglei Nie Signed-off-by: David S. Miller commit 20a854616d384d3210d96fee248a3ea327bab810 Merge: 1aaa62c4838a1 c630d1fe62197 Author: David S. Miller Date: Mon Jul 25 11:49:25 2022 +0100 Merge branch 'macsec-config-issues' Sabrina Dubroca says: ==================== macsec: fix config issues The patch adding netlink support for XPN (commit 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)")) introduced several issues, including a kernel panic reported at [1]. Reproducing those bugs with upstream iproute is limited, since iproute doesn't currently support XPN. I'm also working on this. [1] https://bugzilla.kernel.org/show_bug.cgi?id=208315 ==================== Signed-off-by: David S. Miller commit c630d1fe6219769049c87d1a6a0e9a6de55328a1 Author: Sabrina Dubroca Date: Fri Jul 22 11:16:30 2022 +0200 macsec: always read MACSEC_SA_ATTR_PN as a u64 Currently, MACSEC_SA_ATTR_PN is handled inconsistently, sometimes as a u32, sometimes forced into a u64 without checking the actual length of the attribute. Instead, we can use nla_get_u64 everywhere, which will read up to 64 bits into a u64, capped by the actual length of the attribute coming from userspace. This fixes several issues: - the check in validate_add_rxsa doesn't work with 32-bit attributes - the checks in validate_add_txsa and validate_upd_sa incorrectly reject X << 32 (with X != 0) Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)") Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller commit b07a0e2044057f201d694ab474f5c42a02b6465b Author: Sabrina Dubroca Date: Fri Jul 22 11:16:29 2022 +0200 macsec: limit replay window size with XPN IEEE 802.1AEbw-2013 (section 10.7.8) specifies that the maximum value of the replay window is 2^30-1, to help with recovery of the upper bits of the PN. To avoid leaving the existing macsec device in an inconsistent state if this test fails during changelink, reuse the cleanup mechanism introduced for HW offload. This wasn't needed until now because macsec_changelink_common could not fail during changelink, as modifying the cipher suite was not allowed. Finally, this must happen after handling IFLA_MACSEC_CIPHER_SUITE so that secy->xpn is set. Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)") Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller commit 3240eac4ff20e51b87600dbd586ed814daf313db Author: Sabrina Dubroca Date: Fri Jul 22 11:16:28 2022 +0200 macsec: fix error message in macsec_add_rxsa and _txsa The expected length is MACSEC_SALT_LEN, not MACSEC_SA_ATTR_SALT. Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)") Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller commit f46040eeaf2e523a4096199fd93a11e794818009 Author: Sabrina Dubroca Date: Fri Jul 22 11:16:27 2022 +0200 macsec: fix NULL deref in macsec_add_rxsa Commit 48ef50fa866a added a test on tb_sa[MACSEC_SA_ATTR_PN], but nothing guarantees that it's not NULL at this point. The same code was added to macsec_add_txsa, but there it's not a problem because validate_add_txsa checks that the MACSEC_SA_ATTR_PN attribute is present. Note: it's not possible to reproduce with iproute, because iproute doesn't allow creating an SA without specifying the PN. Fixes: 48ef50fa866a ("macsec: Netlink support of XPN cipher suites (IEEE 802.1AEbw)") Link: https://bugzilla.kernel.org/show_bug.cgi?id=208315 Reported-by: Frantisek Sumsal Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller commit 1aaa62c4838a140d0592935c51985158963d5971 Author: Slark Xiao Date: Fri Jul 22 17:38:34 2022 +0800 s390/qeth: Fix typo 'the the' in comment Replace 'the the' with 'the' in the comment. Signed-off-by: Slark Xiao Signed-off-by: David S. Miller commit 2540d3c99926c234718e058acdd956d7c614eddd Author: Slark Xiao Date: Fri Jul 22 16:22:27 2022 +0800 net: ipa: Fix typo 'the the' in comment Replace 'the the' with 'the' in the comment. Signed-off-by: Slark Xiao Signed-off-by: David S. Miller commit af35f95aca69a86058d480a63f4e096f0220905c Author: Slark Xiao Date: Fri Jul 22 16:20:27 2022 +0800 nfp: bpf: Fix typo 'the the' in comment Replace 'the the' with 'the' in the comment. Signed-off-by: Slark Xiao Acked-by: Simon Horman Signed-off-by: David S. Miller commit d6c52fa3e955b97f8eb3ac824d2a3e0af147b3ce Author: Tobias Gruetzmacher Date: Fri Jul 22 19:05:57 2022 +0200 nvme-pci: Crucial P2 has bogus namespace ids This adds a quirk for the Crucial P2. Signed-off-by: Tobias Gruetzmacher Signed-off-by: Christoph Hellwig commit 3c69a99b62fde9de86a612ef1daaa07d95f0a773 Merge: be640317a1d0b ff6992735ade7 Author: Michael Ellerman Date: Mon Jul 25 13:49:22 2022 +1000 Merge tag 'v5.19-rc7' into fixes Merge v5.19-rc7 into fixes to bring in: d11219ad53dc ("amdgpu: disable powerpc support for the newer display engine") commit aa709da0e032cee7c202047ecd75f437bb0126ed Author: Xin Long Date: Thu Jul 21 10:35:46 2022 -0400 Documentation: fix sctp_wmem in ip-sysctl.rst Since commit 1033990ac5b2 ("sctp: implement memory accounting on tx path"), SCTP has supported memory accounting on tx path where 'sctp_wmem' is used by sk_wmem_schedule(). So we should fix the description for this option in ip-sysctl.rst accordingly. v1->v2: - Improve the description as Marcelo suggested. Fixes: 1033990ac5b2 ("sctp: implement memory accounting on tx path") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller commit f6336724a4d4220c89a4ec38bca84b03b178b1a3 Author: Maxim Mikityanskiy Date: Thu Jul 21 12:11:27 2022 +0300 net/tls: Remove the context from the list in tls_device_down tls_device_down takes a reference on all contexts it's going to move to the degraded state (software fallback). If sk_destruct runs afterwards, it can reduce the reference counter back to 1 and return early without destroying the context. Then tls_device_down will release the reference it took and call tls_device_free_ctx. However, the context will still stay in tls_device_down_list forever. The list will contain an item, memory for which is released, making a memory corruption possible. Fix the above bug by properly removing the context from all lists before any call to tls_device_free_ctx. Fixes: 3740651bf7e2 ("tls: Fix context leak on tls_device_down") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: David S. Miller commit e0dccc3b76fb35bb257b4118367a883073d7390e Author: Linus Torvalds Date: Sun Jul 24 13:26:27 2022 -0700 Linux 5.19-rc8 commit e90886291c7cd89577bf11729b205cc0ed42fbec Author: Adam Borowski Date: Mon Jul 18 15:50:34 2022 +0200 certs: make system keyring depend on x509 parser This code requires x509_load_certificate_list() to be built-in. Fixes: 60050ffe3d77 ("certs: Move load_certificate_list() to be with the asymmetric keys code") Reported-by: kernel test robot Reported-by: Steven Rostedt Link: https://lore.kernel.org/all/202206221515.DqpUuvbQ-lkp@intel.com/ Link: https://lore.kernel.org/all/20220712104554.408dbf42@gandalf.local.home/ Signed-off-by: Adam Borowski Signed-off-by: Linus Torvalds commit af2c9ac24019ece9281e606662e5c78fa67f5930 Merge: c2602a7ce0fc6 b0380e13502ad Author: Linus Torvalds Date: Sun Jul 24 09:55:53 2022 -0700 Merge tag 'perf_urgent_for_v5.19_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fix from Borislav Petkov: - Reorganize the perf LBR init code so that a TSX quirk is applied early enough in order for the LBR MSR access to not #GP * tag 'perf_urgent_for_v5.19_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/intel/lbr: Fix unchecked MSR access error on HSW commit c2602a7ce0fc66318325df170a9ee275d7df5c2e Merge: 05017fed92de3 ddfc710395ccc Author: Linus Torvalds Date: Sun Jul 24 09:50:53 2022 -0700 Merge tag 'sched_urgent_for_v5.19_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fix from Borislav Petkov: "A single fix to correct a wrong BUG_ON() condition for deboosted tasks" * tag 'sched_urgent_for_v5.19_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/deadline: Fix BUG_ON condition for deboosted tasks commit 05017fed92de32c167bbd21a5ee9ad0e489e19d4 Merge: 714b82c18ba0d b648ab487f31b Author: Linus Torvalds Date: Sun Jul 24 09:40:17 2022 -0700 Merge tag 'x86_urgent_for_v5.19_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: "A couple more retbleed fallout fixes. It looks like their urgency is decreasing so it seems like we've managed to catch whatever snafus the limited -rc testing has exposed. Maybe we're getting ready... :) - Make retbleed mitigations 64-bit only (32-bit will need a bit more work if even needed, at all). - Prevent return thunks patching of the LKDTM modules as it is not needed there - Avoid writing the SPEC_CTRL MSR on every kernel entry on eIBRS parts - Enhance error output of apply_returns() when it fails to patch a return thunk - A sparse fix to the sev-guest module - Protect EFI fw calls by issuing an IBPB on AMD" * tag 'x86_urgent_for_v5.19_rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/speculation: Make all RETbleed mitigations 64-bit only lkdtm: Disable return thunks in rodata.c x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS parts x86/alternative: Report missing return thunk details virt: sev-guest: Pass the appropriate argument type to iounmap() x86/amd: Use IBPB for firmware calls commit 714b82c18ba0d2e76e9c3fd7785ff5a060f5980b Merge: 515f71412bb73 25c2a075eb6a3 Author: Linus Torvalds Date: Sun Jul 24 09:33:13 2022 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fix from Stephen Boyd: "One more fix to set the correct IO mapping for a clk gate in the lan966x driver" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: lan966x: Fix the lan966x clock gate register address commit 515f71412bb73ebd7f41f90e1684fc80b8730789 Merge: 301c8949322fe cf5029d5dd7cb Author: Linus Torvalds Date: Sat Jul 23 10:22:26 2022 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: - Check for invalid flags to KVM_CAP_X86_USER_SPACE_MSR - Fix use of sched_setaffinity in selftests - Sync kernel headers to tools - Fix KVM_STATS_UNIT_MAX * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: Protect the unused bits in MSR exiting flags tools headers UAPI: Sync linux/kvm.h with the kernel sources KVM: selftests: Fix target thread to be migrated in rseq_test KVM: stats: Fix value for KVM_STATS_UNIT_MAX for boolean stats commit b648ab487f31bc4c38941bc770ea97fe394304bb Author: Ben Hutchings Date: Sat Jul 23 17:22:47 2022 +0200 x86/speculation: Make all RETbleed mitigations 64-bit only The mitigations for RETBleed are currently ineffective on x86_32 since entry_32.S does not use the required macros. However, for an x86_32 target, the kconfig symbols for them are still enabled by default and /sys/devices/system/cpu/vulnerabilities/retbleed will wrongly report that mitigations are in place. Make all of these symbols depend on X86_64, and only enable RETHUNK by default on X86_64. Fixes: f43b9876e857 ("x86/retbleed: Add fine grained Kconfig knobs") Signed-off-by: Ben Hutchings Signed-off-by: Borislav Petkov Cc: Link: https://lore.kernel.org/r/YtwSR3NNsWp1ohfV@decadent.org.uk commit 301c8949322fe46766b334cc60ada5819b92000e Merge: 70664fc10c0d7 b620aa3a7be34 Author: Linus Torvalds Date: Fri Jul 22 16:40:03 2022 -0700 Merge tag 'spi-fix-v5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "A few more small driver specific fixes" * tag 'spi-fix-v5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: spi-rspi: Fix PIO fallback on RZ platforms spi: spi-cadence: Fix SPI NO Slave Select macro definition spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers commit 4d8f24eeedc58d5f87b650ddda73c16e8ba56559 Author: Wei Wang Date: Thu Jul 21 20:44:04 2022 +0000 Revert "tcp: change pingpong threshold to 3" This reverts commit 4a41f453bedfd5e9cd040bad509d9da49feb3e2c. This to-be-reverted commit was meant to apply a stricter rule for the stack to enter pingpong mode. However, the condition used to check for interactive session "before(tp->lsndtime, icsk->icsk_ack.lrcvtime)" is jiffy based and might be too coarse, which delays the stack entering pingpong mode. We revert this patch so that we no longer use the above condition to determine interactive session, and also reduce pingpong threshold to 1. Fixes: 4a41f453bedf ("tcp: change pingpong threshold to 3") Reported-by: LemmyHuang Suggested-by: Neal Cardwell Signed-off-by: Wei Wang Acked-by: Neal Cardwell Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20220721204404.388396-1-weiwan@google.com Signed-off-by: Jakub Kicinski commit 70664fc10c0d722ec79d746d8ac1db8546c94114 Merge: ae21fbac18b98 c1f6eff304e4d Author: Linus Torvalds Date: Fri Jul 22 13:02:05 2022 -0700 Merge tag 'riscv-for-linus-5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: - Two kexec-related build fixes - A DTS update to make the GPIO nodes match the upcoming dtschema - A fix that passes -mno-relax directly to the assembler when building modules, to work around compilers that fail to do so * tag 'riscv-for-linus-5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: add as-options for modules with assembly compontents riscv: dts: align gpio-key node names with dtschema RISC-V: kexec: Fix build error without CONFIG_KEXEC RISCV: kexec: Fix build error without CONFIG_MODULES commit ae21fbac18b980ecfd895ff32833a2543c157ee2 Merge: a5235996e1b04 09073396ea62d Author: Linus Torvalds Date: Fri Jul 22 12:56:49 2022 -0700 Merge tag 'acpi-5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fix from Rafael Wysocki: "Fix yet another piece of ACPI CPPC changes fallout on AMD platforms (Mario Limonciello)" * tag 'acpi-5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: CPPC: Don't require flexible address space if X86_FEATURE_CPPC is supported commit a5235996e1b04405fbd6deea37b051715214fd2a Merge: d945404f74f34 934447a603b22 Author: Linus Torvalds Date: Fri Jul 22 12:47:09 2022 -0700 Merge tag 'io_uring-5.19-2022-07-21' of git://git.kernel.dk/linux-block Pull io_uring fixes from Jens Axboe: "Fix for a bad kfree() introduced in this cycle, and a quick fix for disabling buffer recycling for IORING_OP_READV. The latter will get reworked for 5.20, but it gets the job done for 5.19" * tag 'io_uring-5.19-2022-07-21' of git://git.kernel.dk/linux-block: io_uring: do not recycle buffer in READV io_uring: fix free of unallocated buffer list commit d945404f74f34b76cb02d73025b92ce8b4729d3f Merge: 4a1dcf77f47ec 82e094f7bd988 Author: Linus Torvalds Date: Fri Jul 22 12:41:14 2022 -0700 Merge tag 'block-5.19-2022-07-21' of git://git.kernel.dk/linux-block Pull block fix from Jens Axboe: "Just a single fix for missing error propagation for an allocation failure in raid5" * tag 'block-5.19-2022-07-21' of git://git.kernel.dk/linux-block: md/raid5: missing error code in setup_conf() commit 4a1dcf77f47ec45e4c66787b2cd47f8b768c74da Merge: 6f8e4e10434e2 4ca8ca873d454 Author: Linus Torvalds Date: Fri Jul 22 12:36:59 2022 -0700 Merge tag 'i2c-for-5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "Two driver bugfixes and a typo fix" * tag 'i2c-for-5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: cadence: Change large transfer count reset logic to be unconditional i2c: imx: fix typo in comment i2c: mlxcpld: Fix register setting for 400KHz frequency commit 6f8e4e10434e2345c1e929aa93919808f99ba66e Merge: 614719111265a 32c094a09d582 Author: Linus Torvalds Date: Fri Jul 22 12:28:47 2022 -0700 Merge tag 'gpio-fixes-for-v5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - fix several regmap usage issues in gpio-pca953x - fix out-of-tree build for GPIO selftests - fix integer overflow in gpio-xilinx * tag 'gpio-fixes-for-v5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: gpio-xilinx: Fix integer overflow selftests: gpio: fix include path to kernel headers for out of tree builds gpio: pca953x: use the correct register address when regcache sync during init gpio: pca953x: use the correct range when do regmap sync gpio: pca953x: only use single read/write for No AI mode commit 614719111265a7a76d0ae54758f23d8614966b82 Merge: 8f636c6a16f2a 4546760619cfa Author: Linus Torvalds Date: Fri Jul 22 12:24:04 2022 -0700 Merge tag 'pinctrl-v5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: "Only driver fixes: - NULL check for the ralink and sunplus drivers - Add Jacky Bai as maintainer for the Freescale pin controllers - Fix pin config ops for the Ocelot LAN966x and SparX5 - Disallow AMD pin control to be a module: the GPIO lines need to be active in early boot, so no can do - Fix the Armada 37xx to use raw spinlocks in the interrupt handler path to avoid wait context" * tag 'pinctrl-v5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: armada-37xx: use raw spinlocks for regmap to avoid invalid wait context pinctrl: armada-37xx: make irq_lock a raw spinlock to avoid invalid wait context pinctrl: Don't allow PINCTRL_AMD to be a module pinctrl: ocelot: Fix pincfg pinctrl: ocelot: Fix pincfg for lan966x MAINTAINERS: Update freescale pin controllers maintainer pinctrl: sunplus: Add check for kcalloc pinctrl: ralink: Check for null return of devm_kcalloc commit 88bd24d73d5bfa1b7b97a9221ff320fc44ef401a Author: Emil Renner Berthing Date: Sat Jun 25 16:42:07 2022 +0100 riscv: compat: vdso: Fix vdso_install target When CONFIG_COMPAT=y the vdso_install target fails: $ make ARCH=riscv CROSS_COMPILE=riscv64-linux-gnu- vdso_install INSTALL vdso.so make[1]: *** No rule to make target 'vdso_install'. Stop. make: *** [arch/riscv/Makefile:112: vdso_install] Error 2 The problem is that arch/riscv/kernel/compat_vdso/Makefile doesn't have a vdso_install target, but instead calls it compat_vdso_install. Signed-off-by: Emil Renner Berthing Link: https://lore.kernel.org/r/20220625154207.80972-1-emil.renner.berthing@canonical.com Fixes: 0715372a06ce ("riscv: compat: vdso: Add COMPAT_VDSO base code implementation") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit 8f636c6a16f2a6809f7de27c99e0780dd569fb23 Merge: 85029503fc95e cf33ce6f0c220 Author: Linus Torvalds Date: Fri Jul 22 12:19:02 2022 -0700 Merge tag 'sound-5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Only undoes the Rockchip BCLK changes to address a regression" * tag 'sound-5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ASoC: rockchip-i2s: Undo BCLK pinctrl changes ASoC: rockchip: i2s: Fix NULL pointer dereference when pinctrl is not found commit 85029503fc95ea16e0c0856251f5cba750847c85 Merge: 8e65afba6baaa 51189eb9ddc88 Author: Linus Torvalds Date: Fri Jul 22 12:14:13 2022 -0700 Merge tag 'mmc-v5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fix from Ulf Hansson: - sdhci-omap: Fix a lockdep warning while probing * tag 'mmc-v5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: sdhci-omap: Fix a lockdep warning for PM runtime init commit 8e65afba6baaa1317efc4038cbced1268c6e2f6b Merge: 4ba1329cbb945 7f5ec14a4e07a Author: Linus Torvalds Date: Fri Jul 22 12:03:19 2022 -0700 Merge tag 'drm-fixes-2022-07-22' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Fixes for this week. The main one is the i915 firmware fix for the phoronix reported issue. I've written some firmware guidelines as a result, should land in -next soon. Otherwise a few amdgpu fixes, a scheduler fix, ttm fix and two other minor ones. scheduler: - scheduling while atomic fix ttm: - locking fix edp: - variable typo fix i915: - add back support for v69 firmware on ADL-P amdgpu: - Drop redundant buffer cleanup that can lead to a segfault - Add a bo_list mutex to avoid possible list corruption in CS - dmub notification fix imx: - fix error path" * tag 'drm-fixes-2022-07-22' of git://anongit.freedesktop.org/drm/drm: drm/amdgpu: Protect the amdgpu_bo_list list with a mutex v2 drm/imx/dcss: Add missing of_node_put() in fail path drm/i915/guc: support v69 in parallel to v70 drm/i915/guc: Support programming the EU priority in the GuC descriptor drm/panel-edp: Fix variable typo when saving hpd absent delay from DT drm/amdgpu: Remove one duplicated ef removal drm/ttm: fix locking in vmap/vunmap TTM GEM helpers drm/scheduler: Don't kill jobs in interrupt context drm/amd/display: Fix new dmub notification enabling in DM commit 4ba1329cbb9456c937bff1ed8ad4ca91ab75eab6 Merge: 7fb5e50831906 4f2bfd9494a07 Author: Linus Torvalds Date: Fri Jul 22 10:01:20 2022 -0700 Merge tag 'rcu-urgent.2022.07.21a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu Pull RCU fix from Paul McKenney: "This contains a pair of commits that fix 282d8998e997 ("srcu: Prevent expedited GPs and blocking readers from consuming CPU"), which was itself a fix to an SRCU expedited grace-period problem that could prevent kernel live patching (KLP) from completing. That SRCU fix for KLP introduced large (as in minutes) boot-time delays to embedded Linux kernels running on qemu/KVM. These delays were due to the emulation of certain MMIO operations controlling memory layout, which were emulated with one expedited grace period per access. Common configurations required thousands of boot-time MMIO accesses, and thus thousands of boot-time expedited SRCU grace periods. In these configurations, the occasional sleeps that allowed KLP to proceed caused excessive boot delays. These commits preserve enough sleeps to permit KLP to proceed, but few enough that the virtual embedded kernels still boot reasonably quickly. This represents a regression introduced in the v5.19 merge window, and the bug is causing significant inconvenience" * tag 'rcu-urgent.2022.07.21a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu: srcu: Make expedited RCU grace periods block even less frequently srcu: Block less aggressively for expedited grace periods commit 7fb5e508319068de1d69e6d7230416c390cb3cbb Author: Linus Torvalds Date: Fri Jul 22 09:28:34 2022 -0700 mmu_gather: fix the CONFIG_MMU_GATHER_NO_RANGE case Sudip reports that alpha doesn't build properly, with errors like include/asm-generic/tlb.h:401:1: error: redefinition of 'tlb_update_vma_flags' 401 | tlb_update_vma_flags(struct mmu_gather *tlb, struct vm_area_struct *vma) | ^~~~~~~~~~~~~~~~~~~~ include/asm-generic/tlb.h:372:1: note: previous definition of 'tlb_update_vma_flags' with type 'void(struct mmu_gather *, struct vm_area_struct *)' 372 | tlb_update_vma_flags(struct mmu_gather *tlb, struct vm_area_struct *vma) { } the cause being that We have this odd situation where some architectures were never converted to the newer TLB flushing interfaces that have a range for the flush. Instead people left them alone, and we have them select the MMU_GATHER_NO_RANGE config option to make the tlb header files account for this. Peter Zijlstra cleaned some of these nasty header file games up in commits 1e9fdf21a433 ("mmu_gather: Remove per arch tlb_{start,end}_vma()") 18ba064e42df ("mmu_gather: Let there be one tlb_{start,end}_vma() implementation") but tlb_update_vma_flags() was left alone, and then commit b67fbebd4cf9 ("mmu_gather: Force tlb-flush VM_PFNMAP vmas") ended up removing only _one_ of the two stale duplicate dummy inline functions. This removes the other stale one. Somebody braver than me should try to remove MMU_GATHER_NO_RANGE entirely, but it requires fixing up the oddball architectures that use it: alpha, m68k, microblaze, nios2 and openrisc. The fixups should be fairly straightforward ("fix the build errors it exposes by adding the appropriate range arguments"), but the reason this wasn't done in the first place is that so few people end up working on those architectures. But it could be done one architecture at a time, hint, hint. Reported-by: Sudip Mukherjee (Codethink) Fixes: b67fbebd4cf9 ("mmu_gather: Force tlb-flush VM_PFNMAP vmas") Link: https://lore.kernel.org/all/YtpXh0QHWwaEWVAY@debian/ Cc: Peter Zijlstra Cc: Will Deacon Cc: "Aneesh Kumar K.V" Cc: Andrew Morton Cc: Nick Piggin Cc: Arnd Bergmann Signed-off-by: Linus Torvalds commit c5cdb9286913aa5a5ebb81bcca0c17df3b0e2c79 Author: Linus Walleij Date: Fri Jul 22 13:46:11 2022 +0200 ARM: pxa2xx: Fix GPIO descriptor tables Laurence reports: "Kernel >5.18 on Zaurus has a bug where the power management code can't talk to devices, emitting the following errors: sharpsl-pm sharpsl-pm: Error: AC check failed: voltage -22. sharpsl-pm sharpsl-pm: Charging Error! sharpsl-pm sharpsl-pm: Warning: Cannot read main battery! Looking at the recent changes, I found that commit 31455bbda208 ("spi: pxa2xx_spi: Convert to use GPIO descriptors") replaced the deprecated SPI chip select platform device code with a gpiod lookup table. However, this didn't seem to work until I changed the `dev_id` member from the device name to the bus id. I'm not entirely sure why this is necessary, but I suspect it is related to the fact that in sysfs SPI devices are attached under /sys/devices/.../dev_name/spi_master/spiB/spiB.C, rather than directly to the device." After reviewing the change I conclude that the same fix is needed for all affected boards. Fixes: 31455bbda208 ("spi: pxa2xx_spi: Convert to use GPIO descriptors") Reported-by: Laurence de Bruxelles Signed-off-by: Linus Walleij Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220722114611.1517414-1-linus.walleij@linaro.org' Signed-off-by: Arnd Bergmann commit e2a619ca0b38f2114347b7078b8a67d72d457a3d Author: Lukas Bulwahn Date: Fri Jul 22 13:07:11 2022 +0200 asm-generic: remove a broken and needless ifdef conditional Commit 527701eda5f1 ("lib: Add a generic version of devmem_is_allowed()") introduces the config symbol GENERIC_LIB_DEVMEM_IS_ALLOWED, but then falsely refers to CONFIG_GENERIC_DEVMEM_IS_ALLOWED (note the missing LIB in the reference) in ./include/asm-generic/io.h. Luckily, ./scripts/checkkconfigsymbols.py warns on non-existing configs: GENERIC_DEVMEM_IS_ALLOWED Referencing files: include/asm-generic/io.h The actual fix, though, is simply to not to make this function declaration dependent on any kernel config. For architectures that intend to use the generic version, the arch's 'select GENERIC_LIB_DEVMEM_IS_ALLOWED' will lead to picking the function definition, and for other architectures, this function is simply defined elsewhere. The wrong '#ifndef' on a non-existing config symbol also always had the same effect (although more by mistake than by intent). So, there is no functional change. Remove this broken and needless ifdef conditional. Fixes: 527701eda5f1 ("lib: Add a generic version of devmem_is_allowed()") Signed-off-by: Lukas Bulwahn Signed-off-by: Arnd Bergmann commit 4bcffe941758ee17becb43af3b25487f848f6512 Author: Sherry Sun Date: Wed Apr 27 09:51:37 2022 +0800 EDAC/synopsys: Re-enable the error interrupts on v3 hw zynqmp_get_error_info() writes 0 to the ECC_CLR_OFST register after an interrupt for a {un-,}correctable error is raised, which disables the error interrupts. Then the interrupt handler will be called only once. Therefore, re-enable the error interrupt line at the end of intr_handler() for v3.x Synopsys EDAC DDR. Fixes: f7824ded4149 ("EDAC/synopsys: Add support for version 3 of the Synopsys EDAC DDR") Signed-off-by: Sherry Sun Signed-off-by: Borislav Petkov Reviewed-by: Shubhrajyoti Datta Acked-by: Michal Simek Cc: Link: https://lore.kernel.org/r/20220427015137.8406-3-sherry.sun@nxp.com commit be76ceaf03bc04e74be5e28f608316b73c2b04ad Author: Sherry Sun Date: Wed Apr 27 09:51:36 2022 +0800 EDAC/synopsys: Use the correct register to disable the error interrupt on v3 hw v3.x Synopsys EDAC DDR doesn't have the QOS Interrupt register. Use the ECC Clear Register to disable the error interrupts instead. Fixes: f7824ded4149 ("EDAC/synopsys: Add support for version 3 of the Synopsys EDAC DDR") Signed-off-by: Sherry Sun Signed-off-by: Borislav Petkov Reviewed-by: Shubhrajyoti Datta Acked-by: Michal Simek Cc: Link: https://lore.kernel.org/r/20220427015137.8406-2-sherry.sun@nxp.com commit 8ee18e2a9e7b0e97730549f58dd618433c15811b Author: Christophe JAILLET Date: Wed Jul 20 21:49:46 2022 +0200 caif: Fix bitmap data type in "struct caifsock" Bitmap are "unsigned long", so use it instead of a "u32" to make things more explicit. While at it, remove some useless cast (and leading spaces) when using the bitmap API. Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller commit 030f21ba2ab14c221ff31cf22a16c78963328f6f Author: Rob Herring Date: Tue Jul 19 15:51:08 2022 -0600 dt-bindings: net: fsl,fec: Add missing types to phy-reset-* properties The phy-reset-* properties are missing type definitions and are not common properties. Even though they are deprecated, a type is needed. Signed-off-by: Rob Herring Signed-off-by: David S. Miller commit 17161c341de0b02788b0428cb253a35b9a3c89b3 Author: Rob Herring Date: Tue Jul 19 15:50:59 2022 -0600 dt-bindings: net: ethernet-controller: Rework 'fixed-link' schema While the if/then schemas mostly work, there's a few issues. The 'allOf' schema will also be true if 'fixed-link' is not an array or object as a false 'if' schema (without an 'else') will be true. In the array case doesn't set the type (uint32-array) in the 'then' clause. In the node case, 'additionalProperties' is missing. Rework the schema to use oneOf with each possible type. Signed-off-by: Rob Herring Signed-off-by: David S. Miller commit b20a7ca8cfa4dce01f848056fe6313b444b7dcf5 Merge: ebbbe23fdf607 2afdbe7b8de84 Author: David S. Miller Date: Fri Jul 22 12:06:18 2022 +0100 Merge branch 'sysctl-races-part-5' Kuniyuki Iwashima says: ==================== sysctl: Fix data-races around ipv4_net_table (Round 5). This series fixes data-races around 15 knobs after tcp_dsack in ipv4_net_table. tcp_tso_win_divisor was skipped because it already uses READ_ONCE(). So, the final round for ipv4_net_table will start with tcp_pacing_ss_ratio. ==================== Signed-off-by: David S. Miller commit 2afdbe7b8de84c28e219073a6661080e1b3ded48 Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:26 2022 -0700 tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit. While reading sysctl_tcp_invalid_ratelimit, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 032ee4236954 ("tcp: helpers to mitigate ACK loops by rate-limiting out-of-window dupacks") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 85225e6f0a76e6745bc841c9f25169c509b573d8 Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:25 2022 -0700 tcp: Fix a data-race around sysctl_tcp_autocorking. While reading sysctl_tcp_autocorking, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: f54b311142a9 ("tcp: auto corking") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 1330ffacd05fc9ac4159d19286ce119e22450ed2 Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:24 2022 -0700 tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen. While reading sysctl_tcp_min_rtt_wlen, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: f672258391b4 ("tcp: track min RTT using windowed min-filter") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 2455e61b85e9c99af38cd889a7101f1d48b33cb4 Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:23 2022 -0700 tcp: Fix a data-race around sysctl_tcp_tso_rtt_log. While reading sysctl_tcp_tso_rtt_log, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 65466904b015 ("tcp: adjust TSO packet sizes based on min_rtt") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit e0bb4ab9dfddd872622239f49fb2bd403b70853b Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:22 2022 -0700 tcp: Fix a data-race around sysctl_tcp_min_tso_segs. While reading sysctl_tcp_min_tso_segs, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 95bd09eb2750 ("tcp: TSO packets automatic sizing") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit db3815a2fa691da145cfbe834584f31ad75df9ff Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:21 2022 -0700 tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit. While reading sysctl_tcp_challenge_ack_limit, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 9fb90193fbd66b4c5409ef729fd081861f8b6351 Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:20 2022 -0700 tcp: Fix a data-race around sysctl_tcp_limit_output_bytes. While reading sysctl_tcp_limit_output_bytes, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 46d3ceabd8d9 ("tcp: TCP Small Queues") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 0f1e4d06591d0a7907c71f7b6d1c79f8a4de8098 Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:19 2022 -0700 tcp: Fix data-races around sysctl_tcp_workaround_signed_windows. While reading sysctl_tcp_workaround_signed_windows, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 15d99e02baba ("[TCP]: sysctl to allow TCP window > 32767 sans wscale") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 780476488844e070580bfc9e3bc7832ec1cea883 Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:18 2022 -0700 tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf. While reading sysctl_tcp_moderate_rcvbuf, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit ab1ba21b523ab496b1a4a8e396333b24b0a18f9a Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:17 2022 -0700 tcp: Fix data-races around sysctl_tcp_no_ssthresh_metrics_save. While reading sysctl_tcp_no_ssthresh_metrics_save, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 65e6d90168f3 ("net-tcp: Disable TCP ssthresh metrics cache by default") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 8499a2454d9e8a55ce616ede9f9580f36fd5b0f3 Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:16 2022 -0700 tcp: Fix a data-race around sysctl_tcp_nometrics_save. While reading sysctl_tcp_nometrics_save, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 706c6202a3589f290e1ef9be0584a8f4a3cc0507 Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:15 2022 -0700 tcp: Fix a data-race around sysctl_tcp_frto. While reading sysctl_tcp_frto, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 36eeee75ef0157e42fb6593dcc65daab289b559e Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:14 2022 -0700 tcp: Fix a data-race around sysctl_tcp_adv_win_scale. While reading sysctl_tcp_adv_win_scale, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 02ca527ac5581cf56749db9fd03d854e842253dd Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:13 2022 -0700 tcp: Fix a data-race around sysctl_tcp_app_win. While reading sysctl_tcp_app_win, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 58ebb1c8b35a8ef38cd6927431e0fa7b173a632d Author: Kuniyuki Iwashima Date: Wed Jul 20 09:50:12 2022 -0700 tcp: Fix data-races around sysctl_tcp_dsack. While reading sysctl_tcp_dsack, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 32c094a09d5829ad9b02cdf667569aefa8de0ea6 Author: Srinivas Neeli Date: Thu Jul 21 13:09:09 2022 +0530 gpio: gpio-xilinx: Fix integer overflow Current implementation is not able to configure more than 32 pins due to incorrect data type. So type casting with unsigned long to avoid it. Fixes: 02b3f84d9080 ("xilinx: Switch to use bitmap APIs") Signed-off-by: Srinivas Neeli Signed-off-by: Bartosz Golaszewski commit 7f5ec14a4e07a2a78fbde069709d5c8806882be2 Merge: 1c46f3c075911 02c87df2480ac Author: Dave Airlie Date: Fri Jul 22 12:16:15 2022 +1000 Merge tag 'drm-misc-fixes-2022-07-21' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes A scheduling-while-atomic fix for drm/scheduler, a locking fix for TTM, a typo fix for panel-edp and a resource removal fix for imx/dcss Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20220721085550.hrwbukj34y56rzva@houat commit ebbbe23fdf6070e31509638df3321688358cc211 Author: Liang He Date: Wed Jul 20 21:10:03 2022 +0800 net: sungem_phy: Add of_node_put() for reference returned by of_get_parent() In bcm5421_init(), we should call of_node_put() for the reference returned by of_get_parent() which has increased the refcount. Fixes: 3c326fe9cb7a ("[PATCH] ppc64: Add new PHY to sungem") Signed-off-by: Liang He Link: https://lore.kernel.org/r/20220720131003.1287426-1-windhl@126.com Signed-off-by: Jakub Kicinski commit 27161db0904ee48e59140aa8d0835939a666c1f1 Author: Vladimir Oltean Date: Wed Jul 20 14:20:57 2022 +0300 net: pcs: xpcs: propagate xpcs_read error to xpcs_get_state_c37_sgmii While phylink_pcs_ops :: pcs_get_state does return void, xpcs_get_state() does check for a non-zero return code from xpcs_get_state_c37_sgmii() and prints that as a message to the kernel log. However, a non-zero return code from xpcs_read() is translated into "return false" (i.e. zero as int) and the I/O error is therefore not printed. Fix that. Fixes: b97b5331b8ab ("net: pcs: add C37 SGMII AN support for intel mGbE controller") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220720112057.3504398-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit c1f6eff304e4dfa4558b6a8c6b2d26a91db6c998 Author: Ben Dooks Date: Sun May 29 16:22:00 2022 +0100 riscv: add as-options for modules with assembly compontents When trying to load modules built for RISC-V which include assembly files the kernel loader errors with "unexpected relocation type 'R_RISCV_ALIGN'" due to R_RISCV_ALIGN relocations being generated by the assembler. The R_RISCV_ALIGN relocations can be removed at the expense of code space by adding -mno-relax to gcc and as. In commit 7a8e7da42250138 ("RISC-V: Fixes to module loading") -mno-relax is added to the build variable KBUILD_CFLAGS_MODULE. See [1] for more info. The issue is that when kbuild builds a .S file, it invokes gcc with the -mno-relax flag, but this is not being passed through to the assembler. Adding -Wa,-mno-relax to KBUILD_AFLAGS_MODULE ensures that the assembler is invoked correctly. This may have now been fixed in gcc[2] and this addition should not stop newer gcc and as from working. [1] https://github.com/riscv/riscv-elf-psabi-doc/issues/183 [2] https://github.com/gcc-mirror/gcc/commit/3b0a7d624e64eeb81e4d5e8c62c46d86ef521857 Signed-off-by: Ben Dooks Reviewed-by: Bin Meng Link: https://lore.kernel.org/r/20220529152200.609809-1-ben.dooks@codethink.co.uk Fixes: ab1ef68e5401 ("RISC-V: Add sections of PLT and GOT for kernel module") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit 68e77ffbfd06ae3ef8f2abf1c3b971383c866983 Merge: 7ca433dc6dedb 0fddf9ad06fd9 Author: Linus Torvalds Date: Thu Jul 21 11:28:26 2022 -0700 Merge tag 'mtd/fixes-for-5.19-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux Pull MTD fix from Richard Weinberger: "A aingle NAND controller fix: - gpmi: Fix busy timeout setting (wrong calculation, yes again)" * tag 'mtd/fixes-for-5.19-final' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times commit 7ca433dc6dedb2ec98dfc943f6db0c9b8996ed11 Merge: b67fbebd4cf98 44484fa8eedf1 Author: Linus Torvalds Date: Thu Jul 21 11:08:35 2022 -0700 Merge tag 'net-5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from can. Still no major regressions, most of the changes are still due to data races fixes, plus the usual bunch of drivers fixes. Previous releases - regressions: - tcp/udp: make early_demux back namespacified. - dsa: fix issues with vlan_filtering_is_global Previous releases - always broken: - ip: fix data-races around ipv4_net_table (round 2, 3 & 4) - amt: fix validation and synchronization bugs - can: fix detection of mcp251863 - eth: iavf: fix handling of dummy receive descriptors - eth: lan966x: fix issues with MAC table - eth: stmmac: dwmac-mediatek: fix clock issue Misc: - dsa: update documentation" * tag 'net-5.19-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (107 commits) mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication net/sched: cls_api: Fix flow action initialization tcp: Fix data-races around sysctl_tcp_max_reordering. tcp: Fix a data-race around sysctl_tcp_abort_on_overflow. tcp: Fix a data-race around sysctl_tcp_rfc1337. tcp: Fix a data-race around sysctl_tcp_stdurg. tcp: Fix a data-race around sysctl_tcp_retrans_collapse. tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. tcp: Fix data-races around sysctl_tcp_recovery. tcp: Fix a data-race around sysctl_tcp_early_retrans. tcp: Fix data-races around sysctl knobs related to SYN option. udp: Fix a data-race around sysctl_udp_l3mdev_accept. ip: Fix data-races around sysctl_ip_prot_sock. ipv4: Fix data-races around sysctl_fib_multipath_hash_fields. ipv4: Fix data-races around sysctl_fib_multipath_hash_policy. ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh. can: rcar_canfd: Add missing of_node_put() in rcar_canfd_probe() can: mcp251xfd: fix detection of mcp251863 Documentation: fix udp_wmem_min in ip-sysctl.rst ... commit 918e75f77af7d2e049bb70469ec0a2c12782d96a Author: Harald Freudenberger Date: Wed Jul 13 15:17:21 2022 +0200 s390/archrandom: prevent CPACF trng invocations in interrupt context This patch slightly reworks the s390 arch_get_random_seed_{int,long} implementation: Make sure the CPACF trng instruction is never called in any interrupt context. This is done by adding an additional condition in_task(). Justification: There are some constrains to satisfy for the invocation of the arch_get_random_seed_{int,long}() functions: - They should provide good random data during kernel initialization. - They should not be called in interrupt context as the TRNG instruction is relatively heavy weight and may for example make some network loads cause to timeout and buck. However, it was not clear what kind of interrupt context is exactly encountered during kernel init or network traffic eventually calling arch_get_random_seed_long(). After some days of investigations it is clear that the s390 start_kernel function is not running in any interrupt context and so the trng is called: Jul 11 18:33:39 t35lp54 kernel: [<00000001064e90ca>] arch_get_random_seed_long.part.0+0x32/0x70 Jul 11 18:33:39 t35lp54 kernel: [<000000010715f246>] random_init+0xf6/0x238 Jul 11 18:33:39 t35lp54 kernel: [<000000010712545c>] start_kernel+0x4a4/0x628 Jul 11 18:33:39 t35lp54 kernel: [<000000010590402a>] startup_continue+0x2a/0x40 The condition in_task() is true and the CPACF trng provides random data during kernel startup. The network traffic however, is more difficult. A typical call stack looks like this: Jul 06 17:37:07 t35lp54 kernel: [<000000008b5600fc>] extract_entropy.constprop.0+0x23c/0x240 Jul 06 17:37:07 t35lp54 kernel: [<000000008b560136>] crng_reseed+0x36/0xd8 Jul 06 17:37:07 t35lp54 kernel: [<000000008b5604b8>] crng_make_state+0x78/0x340 Jul 06 17:37:07 t35lp54 kernel: [<000000008b5607e0>] _get_random_bytes+0x60/0xf8 Jul 06 17:37:07 t35lp54 kernel: [<000000008b56108a>] get_random_u32+0xda/0x248 Jul 06 17:37:07 t35lp54 kernel: [<000000008aefe7a8>] kfence_guarded_alloc+0x48/0x4b8 Jul 06 17:37:07 t35lp54 kernel: [<000000008aeff35e>] __kfence_alloc+0x18e/0x1b8 Jul 06 17:37:07 t35lp54 kernel: [<000000008aef7f10>] __kmalloc_node_track_caller+0x368/0x4d8 Jul 06 17:37:07 t35lp54 kernel: [<000000008b611eac>] kmalloc_reserve+0x44/0xa0 Jul 06 17:37:07 t35lp54 kernel: [<000000008b611f98>] __alloc_skb+0x90/0x178 Jul 06 17:37:07 t35lp54 kernel: [<000000008b6120dc>] __napi_alloc_skb+0x5c/0x118 Jul 06 17:37:07 t35lp54 kernel: [<000000008b8f06b4>] qeth_extract_skb+0x13c/0x680 Jul 06 17:37:07 t35lp54 kernel: [<000000008b8f6526>] qeth_poll+0x256/0x3f8 Jul 06 17:37:07 t35lp54 kernel: [<000000008b63d76e>] __napi_poll.constprop.0+0x46/0x2f8 Jul 06 17:37:07 t35lp54 kernel: [<000000008b63dbec>] net_rx_action+0x1cc/0x408 Jul 06 17:37:07 t35lp54 kernel: [<000000008b937302>] __do_softirq+0x132/0x6b0 Jul 06 17:37:07 t35lp54 kernel: [<000000008abf46ce>] __irq_exit_rcu+0x13e/0x170 Jul 06 17:37:07 t35lp54 kernel: [<000000008abf531a>] irq_exit_rcu+0x22/0x50 Jul 06 17:37:07 t35lp54 kernel: [<000000008b922506>] do_io_irq+0xe6/0x198 Jul 06 17:37:07 t35lp54 kernel: [<000000008b935826>] io_int_handler+0xd6/0x110 Jul 06 17:37:07 t35lp54 kernel: [<000000008b9358a6>] psw_idle_exit+0x0/0xa Jul 06 17:37:07 t35lp54 kernel: ([<000000008ab9c59a>] arch_cpu_idle+0x52/0xe0) Jul 06 17:37:07 t35lp54 kernel: [<000000008b933cfe>] default_idle_call+0x6e/0xd0 Jul 06 17:37:07 t35lp54 kernel: [<000000008ac59f4e>] do_idle+0xf6/0x1b0 Jul 06 17:37:07 t35lp54 kernel: [<000000008ac5a28e>] cpu_startup_entry+0x36/0x40 Jul 06 17:37:07 t35lp54 kernel: [<000000008abb0d90>] smp_start_secondary+0x148/0x158 Jul 06 17:37:07 t35lp54 kernel: [<000000008b935b9e>] restart_int_handler+0x6e/0x90 which confirms that the call is in softirq context. So in_task() covers exactly the cases where we want to have CPACF trng called: not in nmi, not in hard irq, not in soft irq but in normal task context and during kernel init. Signed-off-by: Harald Freudenberger Acked-by: Jason A. Donenfeld Reviewed-by: Juergen Christ Link: https://lore.kernel.org/r/20220713131721.257907-1-freude@linux.ibm.com Fixes: e4f74400308c ("s390/archrandom: simplify back to earlier design and initialize earlier") [agordeev@linux.ibm.com changed desc, added Fixes and Link, removed -stable] Signed-off-by: Alexander Gordeev commit b67fbebd4cf980aecbcc750e1462128bffe8ae15 Author: Peter Zijlstra Date: Fri Jul 8 09:18:06 2022 +0200 mmu_gather: Force tlb-flush VM_PFNMAP vmas Jann reported a race between munmap() and unmap_mapping_range(), where unmap_mapping_range() will no-op once unmap_vmas() has unlinked the VMA; however munmap() will not yet have invalidated the TLBs. Therefore unmap_mapping_range() will complete while there are still (stale) TLB entries for the specified range. Mitigate this by force flushing TLBs for VM_PFNMAP ranges. Signed-off-by: Peter Zijlstra (Intel) Acked-by: Will Deacon Signed-off-by: Linus Torvalds commit 18ba064e42df3661e196ab58a23931fc732a420b Author: Peter Zijlstra Date: Fri Jul 8 09:18:05 2022 +0200 mmu_gather: Let there be one tlb_{start,end}_vma() implementation Now that architectures are no longer allowed to override tlb_{start,end}_vma() re-arrange code so that there is only one implementation for each of these functions. This much simplifies trying to figure out what they actually do. Signed-off-by: Peter Zijlstra (Intel) Acked-by: Will Deacon Signed-off-by: Linus Torvalds commit 1d7708e75c49d08392884a08feeebaa3f9d80703 Author: Peter Zijlstra Date: Fri Jul 8 09:18:04 2022 +0200 csky/tlb: Remove tlb_flush() define The previous patch removed the tlb_flush_end() implementation which used tlb_flush_range(). This means: - csky did double invalidates, a range invalidate per vma and a full invalidate at the end - csky actually has range invalidates and as such the generic tlb_flush implementation is more efficient for it. Signed-off-by: Peter Zijlstra (Intel) Acked-by: Will Deacon Tested-by: Guo Ren Signed-off-by: Linus Torvalds commit 1e9fdf21a4339b102539f476a9842e7526c01939 Author: Peter Zijlstra Date: Fri Jul 8 09:18:03 2022 +0200 mmu_gather: Remove per arch tlb_{start,end}_vma() Scattered across the archs are 3 basic forms of tlb_{start,end}_vma(). Provide two new MMU_GATHER_knobs to enumerate them and remove the per arch tlb_{start,end}_vma() implementations. - MMU_GATHER_NO_FLUSH_CACHE indicates the arch has flush_cache_range() but does *NOT* want to call it for each VMA. - MMU_GATHER_MERGE_VMAS indicates the arch wants to merge the invalidate across multiple VMAs if possible. With these it is possible to capture the three forms: 1) empty stubs; select MMU_GATHER_NO_FLUSH_CACHE and MMU_GATHER_MERGE_VMAS 2) start: flush_cache_range(), end: empty; select MMU_GATHER_MERGE_VMAS 3) start: flush_cache_range(), end: flush_tlb_range(); default Obviously, if the architecture does not have flush_cache_range() then it also doesn't need to select MMU_GATHER_NO_FLUSH_CACHE. Signed-off-by: Peter Zijlstra (Intel) Acked-by: Will Deacon Cc: David Miller Signed-off-by: Linus Torvalds commit 23a67619bc7e12e1b3776802f16084530b357a5d Author: Khalid Masum Date: Thu Jul 21 15:30:42 2022 +0600 scripts/gdb: Fix gdb 'lx-symbols' command Currently the command 'lx-symbols' in gdb exits with the error`Function "do_init_module" not defined in "kernel/module.c"`. This occurs because the file kernel/module.c was moved to kernel/module/main.c. Fix this breakage by changing the path to "kernel/module/main.c" in LoadModuleBreakpoint. Signed-off-by: Khalid Masum Acked-by: Luis Chamberlain Fixes: cfc1d277891e ("module: Move all into module/") Reviewed-by: Douglas Anderson Signed-off-by: Linus Torvalds commit 44e29e64cf1ac0cffb152e0532227ea6d002aa28 Author: Linus Torvalds Date: Thu Jul 21 10:30:14 2022 -0700 watch-queue: remove spurious double semicolon Sedat Dilek noticed that I had an extraneous semicolon at the end of a line in the previous patch. It's harmless, but unintentional, and while compilers just treat it as an extra empty statement, for all I know some other tooling might warn about it. So clean it up before other people notice too ;) Fixes: 353f7988dd84 ("watchqueue: make sure to serialize 'wqueue->defunct' properly") Reported-by: Sedat Dilek Signed-off-by: Linus Torvalds Reported-by: Sedat Dilek commit b620aa3a7be346f04ae7789b165937615c6ee8d3 Author: Biju Das Date: Thu Jul 21 15:34:49 2022 +0100 spi: spi-rspi: Fix PIO fallback on RZ platforms RSPI IP on RZ/{A, G2L} SoC's has the same signal for both interrupt and DMA transfer request. Setting DMARS register for DMA transfer makes the signal to work as a DMA transfer request signal and subsequent interrupt requests to the interrupt controller are masked. PIO fallback does not work as interrupt signal is disabled. This patch fixes this issue by re-enabling the interrupts by calling dmaengine_synchronize(). Signed-off-by: Biju Das Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20220721143449.879257-1-biju.das.jz@bp.renesas.com Signed-off-by: Mark Brown commit 934447a603b22d98f45a679115d8402e1efdd0f7 Author: Dylan Yudaken Date: Thu Jul 21 06:13:25 2022 -0700 io_uring: do not recycle buffer in READV READV cannot recycle buffers as it would lose some of the data required to reimport that buffer. Reported-by: Ammar Faizi Fixes: b66e65f41426 ("io_uring: never call io_buffer_select() for a buffer re-select") Signed-off-by: Dylan Yudaken Link: https://lore.kernel.org/r/20220721131325.624788-1-dylany@fb.com Signed-off-by: Jens Axboe commit ec8516f3b7c40ba7050e6b3a32467e9de451ecdf Author: Dylan Yudaken Date: Thu Jul 21 04:01:15 2022 -0700 io_uring: fix free of unallocated buffer list in the error path of io_register_pbuf_ring, only free bl if it was allocated. Reported-by: Dipanjan Das Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers") Signed-off-by: Dylan Yudaken Reviewed-by: Pavel Begunkov Link: https://lore.kernel.org/all/CANX2M5bXKw1NaHdHNVqssUUaBCs8aBpmzRNVEYEvV0n44P7ioA@mail.gmail.com/ Link: https://lore.kernel.org/all/CANX2M5YiZBXU3L6iwnaLs-HHJXRvrxM8mhPDiMDF9Y9sAvOHUA@mail.gmail.com/ Signed-off-by: Jens Axboe commit 430d31bb2e6031f82fe2f2fe15500dde2ac5f8a6 Merge: 7849f5cf7639c ef0324b6415db Author: Arnd Bergmann Date: Thu Jul 21 14:58:45 2022 +0200 Merge tag 'at91-fixes-5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/at91/linux into arm/fixes AT91 fixes for 5.19 #3 It contains one fix for LAN966 based SoCs fixing the frequency of sys_clk. sys_clk is feeding different IPs so having proper frequency for it in DT is necessary for proper working of different drivers. * tag 'at91-fixes-5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/at91/linux: ARM: dts: lan966x: fix sys_clk frequency Link: https://lore.kernel.org/r/20220721075705.1739915-1-claudiu.beznea@microchip.com Signed-off-by: Arnd Bergmann commit ddfc710395cccc61247348df9eb18ea50321cbed Author: Juri Lelli Date: Thu Jul 14 17:19:08 2022 +0200 sched/deadline: Fix BUG_ON condition for deboosted tasks Tasks the are being deboosted from SCHED_DEADLINE might enter enqueue_task_dl() one last time and hit an erroneous BUG_ON condition: since they are not boosted anymore, the if (is_dl_boosted()) branch is not taken, but the else if (!dl_prio) is and inside this one we BUG_ON(!is_dl_boosted), which is of course false (BUG_ON triggered) otherwise we had entered the if branch above. Long story short, the current condition doesn't make sense and always leads to triggering of a BUG. Fix this by only checking enqueue flags, properly: ENQUEUE_REPLENISH has to be present, but additional flags are not a problem. Fixes: 64be6f1f5f71 ("sched/deadline: Don't replenish from a !SCHED_DEADLINE entity") Signed-off-by: Juri Lelli Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20220714151908.533052-1-juri.lelli@redhat.com commit 1c46f3c0759116d70cb424fc227371a254c47b25 Merge: 4b2b2ee1f87db 90af0ca047f30 Author: Dave Airlie Date: Thu Jul 21 13:22:39 2022 +1000 Merge tag 'amd-drm-fixes-5.19-2022-07-20' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-5.19-2022-07-20: amdgpu: - Drop redundant buffer cleanup that can lead to a segfault - Add a bo_list mutex to avoid possible list corruption in CS Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20220720210917.6202-1-alexander.deucher@amd.com commit 4b2b2ee1f87db6354895ed4fd76420ceeca0fda6 Merge: ff6992735ade7 443148858f26e Author: Dave Airlie Date: Thu Jul 21 13:21:58 2022 +1000 Merge tag 'drm-intel-fixes-2022-07-20-1' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Fix the regression caused by the lack of GuC v70. Let's accept the fallback to v69. Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/YtgguaR5JYK083oZ@intel.com commit 90af0ca047f3049c4b46e902f432ad6ef1e2ded6 Author: Luben Tuikov Date: Wed Jul 20 15:04:18 2022 -0400 drm/amdgpu: Protect the amdgpu_bo_list list with a mutex v2 Protect the struct amdgpu_bo_list with a mutex. This is used during command submission in order to avoid buffer object corruption as recorded in the link below. v2 (chk): Keep the mutex looked for the whole CS to avoid using the list from multiple CS threads at the same time. Suggested-by: Christian König Cc: Alex Deucher Cc: Andrey Grodzovsky Cc: Vitaly Prosyak Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2048 Signed-off-by: Luben Tuikov Signed-off-by: Christian König Tested-by: Luben Tuikov Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 353f7988dd8413c47718f7ca79c030b6fb62cfe5 Author: Linus Torvalds Date: Tue Jul 19 11:09:01 2022 -0700 watchqueue: make sure to serialize 'wqueue->defunct' properly When the pipe is closed, we mark the associated watchqueue defunct by calling watch_queue_clear(). However, while that is protected by the watchqueue lock, new watchqueue entries aren't actually added under that lock at all: they use the pipe->rd_wait.lock instead, and looking up that pipe happens without any locking. The watchqueue code uses the RCU read-side section to make sure that the wqueue entry itself hasn't disappeared, but that does not protect the pipe_info in any way. So make sure to actually hold the wqueue lock when posting watch events, properly serializing against the pipe being torn down. Reported-by: Noam Rathaus Cc: Greg KH Cc: David Howells Signed-off-by: Linus Torvalds commit e1502ba41699736c578ba9d61ae6285d49f6921b Author: Sai Krishna Potthuri Date: Wed Jul 13 22:15:29 2022 +0530 spi: spi-cadence: Fix SPI NO Slave Select macro definition Fix SPI NO Slave Select macro definition, when all the SPI CS bits are high which means no slave is selected. Fixes: 21b511ddee09 ("spi: spi-cadence: Fix SPI CS gets toggling sporadically") Signed-off-by: Sai Krishna Potthuri Signed-off-by: Amit Kumar Mahapatra Link: https://lore.kernel.org/r/20220713164529.28444-1-amit.kumar-mahapatra@xilinx.com Signed-off-by: Mark Brown commit b0380e13502adf7dd8be4c47d622c3522aae6c63 Author: Kan Liang Date: Thu Jul 14 11:26:30 2022 -0700 perf/x86/intel/lbr: Fix unchecked MSR access error on HSW The fuzzer triggers the below trace. [ 7763.384369] unchecked MSR access error: WRMSR to 0x689 (tried to write 0x1fffffff8101349e) at rIP: 0xffffffff810704a4 (native_write_msr+0x4/0x20) [ 7763.397420] Call Trace: [ 7763.399881] [ 7763.401994] intel_pmu_lbr_restore+0x9a/0x1f0 [ 7763.406363] intel_pmu_lbr_sched_task+0x91/0x1c0 [ 7763.410992] __perf_event_task_sched_in+0x1cd/0x240 On a machine with the LBR format LBR_FORMAT_EIP_FLAGS2, when the TSX is disabled, a TSX quirk is required to access LBR from registers. The lbr_from_signext_quirk_needed() is introduced to determine whether the TSX quirk should be applied. However, the lbr_from_signext_quirk_needed() is invoked before the intel_pmu_lbr_init(), which parses the LBR format information. Without the correct LBR format information, the TSX quirk never be applied. Move the lbr_from_signext_quirk_needed() into the intel_pmu_lbr_init(). Checking x86_pmu.lbr_has_tsx in the lbr_from_signext_quirk_needed() is not required anymore. Both LBR_FORMAT_EIP_FLAGS2 and LBR_FORMAT_INFO have LBR_TSX flag, but only the LBR_FORMAT_EIP_FLAGS2 requirs the quirk. Update the comments accordingly. Fixes: 1ac7fd8159a8 ("perf/x86/intel/lbr: Support LBR format V7") Reported-by: Vince Weaver Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20220714182630.342107-1-kan.liang@linux.intel.com commit efc72a665a61fd48c462f5248a9e3dc991398ddd Author: Josh Poimboeuf Date: Mon Jul 18 07:50:25 2022 -0700 lkdtm: Disable return thunks in rodata.c The following warning was seen: WARNING: CPU: 0 PID: 0 at arch/x86/kernel/alternative.c:557 apply_returns (arch/x86/kernel/alternative.c:557 (discriminator 1)) Modules linked in: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc4-00008-gee88d363d156 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014 RIP: 0010:apply_returns (arch/x86/kernel/alternative.c:557 (discriminator 1)) Code: ff ff 74 cb 48 83 c5 04 49 39 ee 0f 87 81 fe ff ff e9 22 ff ff ff 0f 0b 48 83 c5 04 49 39 ee 0f 87 6d fe ff ff e9 0e ff ff ff <0f> 0b 48 83 c5 04 49 39 ee 0f 87 59 fe ff ff e9 fa fe ff ff 48 89 The warning happened when apply_returns() failed to convert "JMP __x86_return_thunk" to RET. It was instead a JMP to nowhere, due to the thunk relocation not getting resolved. That rodata.o code is objcopy'd to .rodata, and later memcpy'd, so relocations don't work (and are apparently silently ignored). LKDTM is only used for testing, so the naked RET should be fine. So just disable return thunks for that file. While at it, disable objtool and KCSAN for the file. Fixes: 0b53c374b9ef ("x86/retpoline: Use -mfunction-return") Reported-by: kernel test robot Debugged-by: Peter Zijlstra Signed-off-by: Josh Poimboeuf Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/lkml/Ys58BxHxoDZ7rfpr@xsang-OptiPlex-9020/ commit eb23b5ef9131e6d65011de349a4d25ef1b3d4314 Author: Pawan Gupta Date: Thu Jul 14 16:15:35 2022 -0700 x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS parts IBRS mitigation for spectre_v2 forces write to MSR_IA32_SPEC_CTRL at every kernel entry/exit. On Enhanced IBRS parts setting MSR_IA32_SPEC_CTRL[IBRS] only once at boot is sufficient. MSR writes at every kernel entry/exit incur unnecessary performance loss. When Enhanced IBRS feature is present, print a warning about this unnecessary performance loss. Signed-off-by: Pawan Gupta Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Thadeu Lima de Souza Cascardo Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/2a5eaf54583c2bfe0edc4fea64006656256cca17.1657814857.git.pawan.kumar.gupta@linux.intel.com commit 65cdf0d623bedf0e069bb64ed52e8bb20105e2ba Author: Kees Cook Date: Wed Jul 13 14:38:19 2022 -0700 x86/alternative: Report missing return thunk details Debugging missing return thunks is easier if we can see where they're happening. Suggested-by: Peter Zijlstra Signed-off-by: Kees Cook Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/lkml/Ys66hwtFcGbYmoiZ@hirez.programming.kicks-ass.net/ commit 543ce63b664e2c2f9533d089a4664b559c3e6b5b Author: Eric Snowberg Date: Wed Jul 20 12:40:27 2022 -0400 lockdown: Fix kexec lockdown bypass with ima policy The lockdown LSM is primarily used in conjunction with UEFI Secure Boot. This LSM may also be used on machines without UEFI. It can also be enabled when UEFI Secure Boot is disabled. One of lockdown's features is to prevent kexec from loading untrusted kernels. Lockdown can be enabled through a bootparam or after the kernel has booted through securityfs. If IMA appraisal is used with the "ima_appraise=log" boot param, lockdown can be defeated with kexec on any machine when Secure Boot is disabled or unavailable. IMA prevents setting "ima_appraise=log" from the boot param when Secure Boot is enabled, but this does not cover cases where lockdown is used without Secure Boot. To defeat lockdown, boot without Secure Boot and add ima_appraise=log to the kernel command line; then: $ echo "integrity" > /sys/kernel/security/lockdown $ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > \ /sys/kernel/security/ima/policy $ kexec -ls unsigned-kernel Add a call to verify ima appraisal is set to "enforce" whenever lockdown is enabled. This fixes CVE-2022-21505. Cc: stable@vger.kernel.org Fixes: 29d3c1c8dfe7 ("kexec: Allow kexec_file() with appropriate IMA policy when locked down") Signed-off-by: Eric Snowberg Acked-by: Mimi Zohar Reviewed-by: John Haxby Signed-off-by: Linus Torvalds commit 4ceaa684459d414992acbefb4e4c31f2dfc50641 Author: Marc Kleine-Budde Date: Tue Jul 19 09:22:35 2022 +0200 spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers In case a IRQ based transfer times out the bcm2835_spi_handle_err() function is called. Since commit 1513ceee70f2 ("spi: bcm2835: Drop dma_pending flag") the TX and RX DMA transfers are unconditionally canceled, leading to NULL pointer derefs if ctlr->dma_tx or ctlr->dma_rx are not set. Fix the NULL pointer deref by checking that ctlr->dma_tx and ctlr->dma_rx are valid pointers before accessing them. Fixes: 1513ceee70f2 ("spi: bcm2835: Drop dma_pending flag") Cc: Lukas Wunner Signed-off-by: Marc Kleine-Budde Link: https://lore.kernel.org/r/20220719072234.2782764-1-mkl@pengutronix.de Signed-off-by: Mark Brown commit f63731e18e8d8350e05b0176e39a76639f6483c7 Author: Kent Gibson Date: Tue Jul 19 19:06:01 2022 +0800 selftests: gpio: fix include path to kernel headers for out of tree builds When building selftests out of the kernel tree the gpio.h the include path is incorrect and the build falls back to the system includes which may be outdated. Add the KHDR_INCLUDES to the CFLAGS to include the gpio.h from the build tree. Fixes: 4f4d0af7b2d9 ("selftests: gpio: restore CFLAGS options") Reported-by: kernel test robot Signed-off-by: Kent Gibson Signed-off-by: Bartosz Golaszewski commit 9b31e60800d8fa69027baf9ec7f03a0c5b145079 Author: Florian Fainelli Date: Fri Jul 15 11:55:49 2022 -0700 tools: Fixed MIPS builds due to struct flock re-definition Building perf for MIPS failed after 9f79b8b72339 ("uapi: simplify __ARCH_FLOCK{,64}_PAD a little") with the following error: CC /home/fainelli/work/buildroot/output/bmips/build/linux-custom/tools/perf/trace/beauty/fcntl.o In file included from ../../../../host/mipsel-buildroot-linux-gnu/sysroot/usr/include/asm/fcntl.h:77, from ../include/uapi/linux/fcntl.h:5, from trace/beauty/fcntl.c:10: ../include/uapi/asm-generic/fcntl.h:188:8: error: redefinition of 'struct flock' struct flock { ^~~~~ In file included from ../include/uapi/linux/fcntl.h:5, from trace/beauty/fcntl.c:10: ../../../../host/mipsel-buildroot-linux-gnu/sysroot/usr/include/asm/fcntl.h:63:8: note: originally defined here struct flock { ^~~~~ This is due to the local copy under tools/include/uapi/asm-generic/fcntl.h including the toolchain's kernel headers which already define 'struct flock' and define HAVE_ARCH_STRUCT_FLOCK to future inclusions make a decision as to whether re-defining 'struct flock' is appropriate or not. Make sure what do not re-define 'struct flock' when HAVE_ARCH_STRUCT_FLOCK is already defined. Fixes: 9f79b8b72339 ("uapi: simplify __ARCH_FLOCK{,64}_PAD a little") Signed-off-by: Florian Fainelli Reviewed-by: Christoph Hellwig [arnd: sync with include/uapi/asm-generic/fcntl.h as well] Signed-off-by: Arnd Bergmann commit 44484fa8eedf1c6e8f23ba2675b266abdd170a6e Merge: e5ec6a2513383 7b66dfcc6e1e1 Author: David S. Miller Date: Wed Jul 20 11:13:54 2022 +0100 Merge tag 'linux-can-fixes-for-5.19-20220720' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== this is a pull request of 2 patches for net/master. The first patch is by me and fixes the detection of the mcp251863 in the mcp251xfd driver. The last patch is by Liang He and adds a missing of_node_put() in the rcar_canfd driver. ==================== Signed-off-by: David S. Miller commit e5ec6a2513383fe2ecc2ee3b5f51d97acbbcd4d8 Author: Ido Schimmel Date: Tue Jul 19 15:26:26 2022 +0300 mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication mlxsw needs to distinguish nexthops with a gateway from connected nexthops in order to write the former to the adjacency table of the device. The check used to rely on the fact that nexthops with a gateway have a 'link' scope whereas connected nexthops have a 'host' scope. This is no longer correct after commit 747c14307214 ("ip: fix dflt addr selection for connected nexthop"). Fix that by instead checking the address family of the gateway IP. This is a more direct way and also consistent with the IPv6 counterpart in mlxsw_sp_rt6_is_gateway(). Cc: stable@vger.kernel.org Fixes: 747c14307214 ("ip: fix dflt addr selection for connected nexthop") Fixes: 597cfe4fc339 ("nexthop: Add support for IPv4 nexthops") Signed-off-by: Ido Schimmel Reviewed-by: Amit Cohen Reviewed-by: Nicolas Dichtel Reviewed-by: David Ahern Signed-off-by: David S. Miller commit c0f47c2822aadeb8b2829f3e4c3792f184c7be33 Author: Oz Shlomo Date: Tue Jul 19 15:24:09 2022 +0300 net/sched: cls_api: Fix flow action initialization The cited commit refactored the flow action initialization sequence to use an interface method when translating tc action instances to flow offload objects. The refactored version skips the initialization of the generic flow action attributes for tc actions, such as pedit, that allocate more than one offload entry. This can cause potential issues for drivers mapping flow action ids. Populate the generic flow action fields for all the flow action entries. Fixes: c54e1d920f04 ("flow_offload: add ops to tc_action_ops for flow action setup") Signed-off-by: Oz Shlomo Reviewed-by: Roi Dayan ---- v1 -> v2: - coalese the generic flow action fields initialization to a single loop Reviewed-by: Baowen Zheng Signed-off-by: David S. Miller commit 3b15b3e93e405828c0b38df15439d9a851468d98 Merge: ef5621758a02f a11e5b3e7a59f Author: David S. Miller Date: Wed Jul 20 10:14:50 2022 +0100 Merge branch 'net-sysctl-races-round-4' Kuniyuki Iwashima says: ==================== sysctl: Fix data-races around ipv4_net_table (Round 4). This series fixes data-races around 17 knobs after fib_multipath_use_neigh in ipv4_net_table. tcp_fack was skipped because it's obsolete and there's no readers. So, round 5 will start with tcp_dsack, 2 rounds left for 27 knobs. ==================== Signed-off-by: David S. Miller commit a11e5b3e7a59fde1a90b0eaeaa82320495cf8cae Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:53 2022 -0700 tcp: Fix data-races around sysctl_tcp_max_reordering. While reading sysctl_tcp_max_reordering, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: dca145ffaa8d ("tcp: allow for bigger reordering level") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 2d17d9c7382327d00aeaea35af44e9b26d53206e Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:52 2022 -0700 tcp: Fix a data-race around sysctl_tcp_abort_on_overflow. While reading sysctl_tcp_abort_on_overflow, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 0b484c91911e758e53656d570de58c2ed81ec6f2 Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:51 2022 -0700 tcp: Fix a data-race around sysctl_tcp_rfc1337. While reading sysctl_tcp_rfc1337, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 4e08ed41cb1194009fc1a916a59ce3ed4afd77cd Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:50 2022 -0700 tcp: Fix a data-race around sysctl_tcp_stdurg. While reading sysctl_tcp_stdurg, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 1a63cb91f0c2fcdeced6d6edee8d1d886583d139 Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:49 2022 -0700 tcp: Fix a data-race around sysctl_tcp_retrans_collapse. While reading sysctl_tcp_retrans_collapse, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 4845b5713ab18a1bb6e31d1fbb4d600240b8b691 Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:48 2022 -0700 tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. While reading sysctl_tcp_slow_start_after_idle, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 35089bb203f4 ("[TCP]: Add tcp_slow_start_after_idle sysctl.") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 7c6f2a86ca590d5187a073d987e9599985fb1c7c Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:47 2022 -0700 tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. While reading sysctl_tcp_thin_linear_timeouts, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 36e31b0af587 ("net: TCP thin linear timeouts") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit e7d2ef837e14a971a05f60ea08c47f3fed1a36e4 Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:46 2022 -0700 tcp: Fix data-races around sysctl_tcp_recovery. While reading sysctl_tcp_recovery, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 4f41b1c58a32 ("tcp: use RACK to detect losses") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 52e65865deb6a36718a463030500f16530eaab74 Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:45 2022 -0700 tcp: Fix a data-race around sysctl_tcp_early_retrans. While reading sysctl_tcp_early_retrans, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: eed530b6c676 ("tcp: early retransmit") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 3666f666e99600518ab20982af04a078bbdad277 Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:44 2022 -0700 tcp: Fix data-races around sysctl knobs related to SYN option. While reading these knobs, they can be changed concurrently. Thus, we need to add READ_ONCE() to their readers. - tcp_sack - tcp_window_scaling - tcp_timestamps Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 3d72bb4188c708bb16758c60822fc4dda7a95174 Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:43 2022 -0700 udp: Fix a data-race around sysctl_udp_l3mdev_accept. While reading sysctl_udp_l3mdev_accept, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 63a6fff353d0 ("net: Avoid receiving packets with an l3mdev on unbound UDP sockets") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 9b55c20f83369dd54541d9ddbe3a018a8377f451 Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:42 2022 -0700 ip: Fix data-races around sysctl_ip_prot_sock. sysctl_ip_prot_sock is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing. Fixes: 4548b683b781 ("Introduce a sysctl that modifies the value of PROT_SOCK.") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 8895a9c2ac76fb9d3922fed4fe092c8ec5e5cccc Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:41 2022 -0700 ipv4: Fix data-races around sysctl_fib_multipath_hash_fields. While reading sysctl_fib_multipath_hash_fields, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: ce5c9c20d364 ("ipv4: Add a sysctl to control multipath hash fields") Signed-off-by: Kuniyuki Iwashima Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller commit 7998c12a08c97cc26660532c9f90a34bd7d8da5a Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:40 2022 -0700 ipv4: Fix data-races around sysctl_fib_multipath_hash_policy. While reading sysctl_fib_multipath_hash_policy, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: bf4e0a3db97e ("net: ipv4: add support for ECMP hash policy choice") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 87507bcb4f5de16bb419e9509d874f4db6c0ad0f Author: Kuniyuki Iwashima Date: Mon Jul 18 10:26:39 2022 -0700 ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh. While reading sysctl_fib_multipath_use_neigh, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: a6db4494d218 ("net: ipv4: Consider failed nexthops in multipath routes") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit ef5621758a02fe8178de9d0df414ffb79463ff86 Merge: 48ea8ea32dbf3 e79b9473e9b59 Author: David S. Miller Date: Wed Jul 20 10:11:58 2022 +0100 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2022-07-20 1) Fix a policy refcount imbalance in xfrm_bundle_lookup. From Hangyu Hua. 2) Fix some clang -Wformat warnings. Justin Stitt ==================== Signed-off-by: David S. Miller commit 7b66dfcc6e1e1f018492619c3d0fc432b6b54272 Author: Liang He Date: Tue Jul 12 17:56:23 2022 +0800 can: rcar_canfd: Add missing of_node_put() in rcar_canfd_probe() We should use of_node_put() for the reference returned by of_get_child_by_name() which has increased the refcount. Fixes: 45721c406dcf ("can: rcar_canfd: Add support for r8a779a0 SoC") Link: https://lore.kernel.org/all/20220712095623.364287-1-windhl@126.com Signed-off-by: Liang He Signed-off-by: Marc Kleine-Budde commit db87c005b9cce0b815b2268963502c178a1e27c8 Author: Marc Kleine-Budde Date: Tue Jul 5 21:30:38 2022 +0200 can: mcp251xfd: fix detection of mcp251863 In commit c6f2a617a0a8 ("can: mcp251xfd: add support for mcp251863") support for the mcp251863 was added. However it was not taken into account that the auto detection of the chip model cannot distinguish between mcp2518fd and mcp251863 and would lead to a warning message if the firmware specifies a mcp251863. Fix auto detection: If a mcp2518fd compatible chip is found, keep the mcp251863 if specified by firmware, use mcp2518fd instead. Link: https://lore.kernel.org/all/20220706064835.1848864-1-mkl@pengutronix.de Fixes: c6f2a617a0a8 ("can: mcp251xfd: add support for mcp251863") Signed-off-by: Marc Kleine-Budde commit 02c87df2480ac855d88ee308ce3fa857d9bd55a8 Author: Liang He Date: Thu Jul 14 16:13:37 2022 +0800 drm/imx/dcss: Add missing of_node_put() in fail path In dcss_dev_create() and dcss_dev_destroy(), we should call of_node_put() in fail path or before the dcss's destroy as of_graph_get_port_by_id() has increased the refcount. Fixes: 9021c317b770 ("drm/imx: Add initial support for DCSS on iMX8MQ") Signed-off-by: Liang He Reviewed-by: Laurentiu Palcu Signed-off-by: Laurentiu Palcu Link: https://patchwork.freedesktop.org/patch/msgid/20220714081337.374761-1-windhl@126.com commit 7849f5cf7639cd1125a3546a31675af4ab54278f Author: Baolin Wang Date: Wed Jul 20 15:03:58 2022 +0800 mailmap: update Baolin Wang's email I recently switched to my Alibaba email address. So add aliases for my previous email addresses. Signed-off-by: Baolin Wang Signed-off-by: Arnd Bergmann commit be640317a1d0b9cf42fedb2debc2887a7cfa38de Author: Michael Ellerman Date: Mon Jul 18 23:44:18 2022 +1000 powerpc/64s: Disable stack variable initialisation for prom_init With GCC 12 allmodconfig prom_init fails to build: Error: External symbol 'memset' referenced from prom_init.c make[2]: *** [arch/powerpc/kernel/Makefile:204: arch/powerpc/kernel/prom_init_check] Error 1 The allmodconfig build enables KASAN, so all calls to memset in prom_init should be converted to __memset by the #ifdefs in asm/string.h, because prom_init must use the non-KASAN instrumented versions. The build failure happens because there's a call to memset that hasn't been caught by the pre-processor and converted to __memset. Typically that's because it's a memset generated by the compiler itself, and that is the case here. With GCC 12, allmodconfig enables CONFIG_INIT_STACK_ALL_PATTERN, which causes the compiler to emit memset calls to initialise on-stack variables with a pattern. Because prom_init is non-user-facing boot-time only code, as a workaround just disable stack variable initialisation to unbreak the build. Reported-by: Sudip Mukherjee Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220718134418.354114-1-mpe@ellerman.id.au commit 443148858f26ee0fea6ad1b292d49d884dce92d1 Author: Daniele Ceraolo Spurio Date: Mon Jul 18 16:07:32 2022 -0700 drm/i915/guc: support v69 in parallel to v70 This patch re-introduces support for GuC v69 in parallel to v70. As this is a quick fix, v69 has been re-introduced as the single "fallback" guc version in case v70 is not available on disk and only for platforms that are out of force_probe and require the GuC by default. All v69 specific code has been labeled as such for easy identification, and the same was done for all v70 functions for which there is a separate v69 version, to avoid accidentally calling the wrong version via the unlabeled name. When the fallback mode kicks in, a drm_notice message is printed in dmesg to inform the user of the required update. The existing logging of the fetch function has also been updated so that we no longer complain immediately if we can't find a fw and we only throw an error if the fetch of both the base and fallback blobs fails. The plan is to follow this up with a more complex rework to allow for multiple different GuC versions to be supported at the same time. v2: reduce the fallback to platform that require it, switch to firmware_request_nowarn(), improve logs. Fixes: 2584b3549f4c ("drm/i915/guc: Update to GuC version 70.1.1") Link: https://lists.freedesktop.org/archives/intel-gfx/2022-July/301640.html Signed-off-by: Daniele Ceraolo Spurio Cc: John Harrison Cc: Matthew Brost Cc: Matt Roper Cc: Dave Airlie Cc: Michal Wajdeczko Acked-by: Rodrigo Vivi Reviewed-by: John Harrison Link: https://patchwork.freedesktop.org/patch/msgid/20220718230732.1409641-1-daniele.ceraolospurio@intel.com (cherry picked from commit 774ce1510e6ccb9c0752d4aa7a9ff3624b3db3f3) Signed-off-by: Rodrigo Vivi commit e7999fa14f19254ee6a8b52e2711de1f6bef2a1c Author: Matthew Brost Date: Wed May 4 16:46:36 2022 -0700 drm/i915/guc: Support programming the EU priority in the GuC descriptor In GuC submission mode the EU priority must be updated by the GuC rather than the driver as the GuC owns the programming of the context descriptor. Given that the GuC code uses the GuC priorities, we can't use a generic function using i915 priorities for both execlists and GuC submission. The existing function has therefore been pushed to the execlists back-end while a new one has been added for GuC. v2: correctly use the GuC prio. Cc: John Harrison Cc: Matt Roper Signed-off-by: Matthew Brost Signed-off-by: Aravind Iddamsetty Signed-off-by: Daniele Ceraolo Spurio Reviewed-by: John Harrison Link: https://patchwork.freedesktop.org/patch/msgid/20220504234636.2119794-1-daniele.ceraolospurio@intel.com (cherry picked from commit a5c89f7c43c12c592a882a0ec2a15e9df0011e80) Signed-off-by: Rodrigo Vivi commit 48ea8ea32dbf3231882e9bc0b297fe1400785219 Merge: c6b10de537b90 d8fa2fd791a72 Author: Jakub Kicinski Date: Tue Jul 19 17:43:02 2022 -0700 Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2022-07-18 This series contains updates to iavf driver only. Przemyslaw fixes handling of multiple VLAN requests to account for individual errors instead of rejecting them all. He removes incorrect implementations of ETHTOOL_COALESCE_MAX_FRAMES and ETHTOOL_COALESCE_MAX_FRAMES_IRQ. He also corrects an issue with NULL pointer caused by improper handling of dummy receive descriptors. Finally, he corrects debug prints reporting an unknown state. * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: iavf: Fix missing state logs iavf: Fix handling of dummy receive descriptors iavf: Disallow changing rx/tx-frames and rx/tx-frames-irq iavf: Fix VLAN_V2 addition/rejection ==================== Link: https://lore.kernel.org/r/20220718174807.4113582-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit c6b10de537b904fb70522d8cc4600c2f11246c93 Author: Xin Long Date: Mon Jul 18 13:56:59 2022 -0400 Documentation: fix udp_wmem_min in ip-sysctl.rst UDP doesn't support tx memory accounting, and sysctl udp_wmem_min is not really used anywhere. So we should fix the description in ip-sysctl.rst accordingly. Fixes: 95766fff6b9a ("[UDP]: Add memory accounting.") Signed-off-by: Xin Long Link: https://lore.kernel.org/r/c880a963d9b1fb5f442ae3c9e4dfa70d45296a16.1658167019.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski commit 53eb9b04560cc368b7874a7ef1ca7666741739e4 Author: Lorenzo Bianconi Date: Mon Jul 18 11:51:53 2022 +0200 net: ethernet: mtk_ppe: fix possible NULL pointer dereference in mtk_flow_get_wdma_info odev pointer can be NULL in mtk_flow_offload_replace routine according to the flower action rules. Fix possible NULL pointer dereference in mtk_flow_get_wdma_info. Fixes: a333215e10cb5 ("net: ethernet: mtk_eth_soc: implement flow offloading to WED devices") Signed-off-by: Lorenzo Bianconi Link: https://lore.kernel.org/r/4e1685bc4976e21e364055f6bee86261f8f9ee93.1658137753.git.lorenzo@kernel.org Signed-off-by: Jakub Kicinski commit cdf0b86b250fd3c1c3e120c86583ea510c52e4ce Author: Hayes Wang Date: Mon Jul 18 16:21:20 2022 +0800 r8152: fix a WOL issue This fixes that the platform is waked by an unexpected packet. The size and range of FIFO is different when the device enters S3 state, so it is necessary to correct some settings when suspending. Regardless of jumbo frame, set RMS to 1522 and MTPS to MTPS_DEFAULT. Besides, enable MCU_BORW_EN to update the method of calculating the pointer of data. Then, the hardware could get the correct data. Fixes: 195aae321c82 ("r8152: support new chips") Signed-off-by: Hayes Wang Link: https://lore.kernel.org/r/20220718082120.10957-391-nic_swsd@realtek.com Signed-off-by: Jakub Kicinski commit ef2084a8388b19c8812356106e0c8d29915f9d8b Author: Nícolas F. R. A. Prado Date: Tue Jul 19 16:38:56 2022 -0400 drm/panel-edp: Fix variable typo when saving hpd absent delay from DT The value read from the "hpd-absent-delay-ms" property in DT was being saved to the wrong variable, overriding the hpd_reliable delay. Fix the typo. Fixes: 5540cf8f3e8d ("drm/panel-edp: Implement generic "edp-panel"s probed by EDID") Signed-off-by: Nícolas F. R. A. Prado Reviewed-by: André Almeida Reviewed-by: Douglas Anderson Signed-off-by: Douglas Anderson Link: https://patchwork.freedesktop.org/patch/msgid/20220719203857.1488831-4-nfraprado@collabora.com commit 908fc4c2abdb1835f303cf6827e66676568943e7 Author: Tom Lendacky Date: Tue Jul 19 12:12:52 2022 -0500 virt: sev-guest: Pass the appropriate argument type to iounmap() Fix a sparse warning in sev_guest_probe() where the wrong argument type is provided to iounmap(). Fixes: fce96cf04430 ("virt: Add SEV-SNP guest driver") Reported-by: kernel test robot Signed-off-by: Tom Lendacky Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/202207150617.jqwQ0Rpz-lkp@intel.com commit 82e094f7bd988c02df27f8c8d81af8f750660b2a Merge: 957a2b345cbcf 5f7ef4875f995 Author: Jens Axboe Date: Tue Jul 19 12:42:33 2022 -0600 Merge branch 'md-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/song/md into block-5.19 Pull MD fix from Song. * 'md-fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/song/md: md/raid5: missing error code in setup_conf() commit 4f2bfd9494a072d58203600de6bedd72680e612a Author: Neeraj Upadhyay Date: Fri Jul 1 08:45:45 2022 +0530 srcu: Make expedited RCU grace periods block even less frequently The purpose of commit 282d8998e997 ("srcu: Prevent expedited GPs and blocking readers from consuming CPU") was to prevent a long series of never-blocking expedited SRCU grace periods from blocking kernel-live-patching (KLP) progress. Although it was successful, it also resulted in excessive boot times on certain embedded workloads running under qemu with the "-bios QEMU_EFI.fd" command line. Here "excessive" means increasing the boot time up into the three-to-four minute range. This increase in boot time was due to the more than 6000 back-to-back invocations of synchronize_rcu_expedited() within the KVM host OS, which in turn resulted from qemu's emulation of a long series of MMIO accesses. Commit 640a7d37c3f4 ("srcu: Block less aggressively for expedited grace periods") did not significantly help this particular use case. Zhangfei Gao and Shameerali Kolothum Thodi did experiments varying the value of SRCU_MAX_NODELAY_PHASE with HZ=250 and with various values of non-sleeping per phase counts on a system with preemption enabled, and observed the following boot times: +──────────────────────────+────────────────+ | SRCU_MAX_NODELAY_PHASE | Boot time (s) | +──────────────────────────+────────────────+ | 100 | 30.053 | | 150 | 25.151 | | 200 | 20.704 | | 250 | 15.748 | | 500 | 11.401 | | 1000 | 11.443 | | 10000 | 11.258 | | 1000000 | 11.154 | +──────────────────────────+────────────────+ Analysis on the experiment results show additional improvements with CPU-bound delays approaching one jiffy in duration. This improvement was also seen when number of per-phase iterations were scaled to one jiffy. This commit therefore scales per-grace-period phase number of non-sleeping polls so that non-sleeping polls extend for about one jiffy. In addition, the delay-calculation call to srcu_get_delay() in srcu_gp_end() is replaced with a simple check for an expedited grace period. This change schedules callback invocation immediately after expedited grace periods complete, which results in greatly improved boot times. Testing done by Marc and Zhangfei confirms that this change recovers most of the performance degradation in boottime; for CONFIG_HZ_250 configuration, specifically, boot times improve from 3m50s to 41s on Marc's setup; and from 2m40s to ~9.7s on Zhangfei's setup. In addition to the changes to default per phase delays, this change adds 3 new kernel parameters - srcutree.srcu_max_nodelay, srcutree.srcu_max_nodelay_phase, and srcutree.srcu_retry_check_delay. This allows users to configure the srcu grace period scanning delays in order to more quickly react to additional use cases. Fixes: 640a7d37c3f4 ("srcu: Block less aggressively for expedited grace periods") Fixes: 282d8998e997 ("srcu: Prevent expedited GPs and blocking readers from consuming CPU") Reported-by: Zhangfei Gao Reported-by: yueluck Signed-off-by: Neeraj Upadhyay Tested-by: Marc Zyngier Tested-by: Zhangfei Gao Link: https://lore.kernel.org/all/20615615-0013-5adc-584f-2b1d5c03ebfc@linaro.org/ Signed-off-by: Paul E. McKenney commit 8f870e6eb8c0c3f9869bf3fcf9db39f86cfcea49 Author: Paul E. McKenney Date: Sun Jun 12 15:00:06 2022 -0700 srcu: Block less aggressively for expedited grace periods Commit 282d8998e997 ("srcu: Prevent expedited GPs and blocking readers from consuming CPU") fixed a problem where a long-running expedited SRCU grace period could block kernel live patching. It did so by giving up on expediting once a given SRCU expedited grace period grew too old. Unfortunately, this added excessive delays to boots of virtual embedded systems specifying "-bios QEMU_EFI.fd" to qemu. This commit therefore makes the transition away from expediting less aggressive, increasing the per-grace-period phase number of non-sleeping polls of readers from one to three and increasing the required grace-period age from one jiffy (actually from zero to one jiffies) to two jiffies (actually from one to two jiffies). Fixes: 282d8998e997 ("srcu: Prevent expedited GPs and blocking readers from consuming CPU") Signed-off-by: Paul E. McKenney Reported-by: Zhangfei Gao Reported-by: chenxiang (M)" Cc: Shameerali Kolothum Thodi Cc: Paolo Bonzini Reviewed-by: Neeraj Upadhyay Link: https://lore.kernel.org/all/20615615-0013-5adc-584f-2b1d5c03ebfc@linaro.org/ commit cf5029d5dd7cb0aaa53250fa9e389abd231606b3 Author: Aaron Lewis Date: Thu Jul 14 16:13:15 2022 +0000 KVM: x86: Protect the unused bits in MSR exiting flags The flags for KVM_CAP_X86_USER_SPACE_MSR and KVM_X86_SET_MSR_FILTER have no protection for their unused bits. Without protection, future development for these features will be difficult. Add the protection needed to make it possible to extend these features in the future. Signed-off-by: Aaron Lewis Message-Id: <20220714161314.1715227-1-aaronlewis@google.com> Signed-off-by: Paolo Bonzini commit 5f7ef4875f99538b741527963ffe09e869b49826 Author: Dan Carpenter Date: Tue Jul 19 12:48:01 2022 +0300 md/raid5: missing error code in setup_conf() Return -ENOMEM if the allocation fails. Don't return success. Fixes: 8fbcba6b999b ("md/raid5: Cleanup setup_conf() error returns") Signed-off-by: Dan Carpenter Reviewed-by: Logan Gunthorpe Signed-off-by: Song Liu commit dc951e22a1a2a6a11b29648c3c8b191bc8f3e5df Author: Paolo Bonzini Date: Tue Jul 19 09:16:53 2022 -0400 tools headers UAPI: Sync linux/kvm.h with the kernel sources Silence this perf build warning: Warning: Kernel ABI header at 'tools/include/uapi/linux/kvm.h' differs from latest version at 'include/uapi/linux/kvm.h' diff -u tools/include/uapi/linux/kvm.h include/uapi/linux/kvm.h Reported-by: Arnaldo Carvalho de Melo Cc: Adrian Hunter Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Signed-off-by: Paolo Bonzini commit e923b0537d28e15c9d31ce8b38f810b325816903 Author: Gavin Shan Date: Tue Jul 19 10:08:30 2022 +0800 KVM: selftests: Fix target thread to be migrated in rseq_test In rseq_test, there are two threads, which are vCPU thread and migration worker separately. Unfortunately, the test has the wrong PID passed to sched_setaffinity() in the migration worker. It forces migration on the migration worker because zeroed PID represents the calling thread, which is the migration worker itself. It means the vCPU thread is never enforced to migration and it can migrate at any time, which eventually leads to failure as the following logs show. host# uname -r 5.19.0-rc6-gavin+ host# # cat /proc/cpuinfo | grep processor | tail -n 1 processor : 223 host# pwd /home/gavin/sandbox/linux.main/tools/testing/selftests/kvm host# for i in `seq 1 100`; do \ echo "--------> $i"; ./rseq_test; done --------> 1 --------> 2 --------> 3 --------> 4 --------> 5 --------> 6 ==== Test Assertion Failure ==== rseq_test.c:265: rseq_cpu == cpu pid=3925 tid=3925 errno=4 - Interrupted system call 1 0x0000000000401963: main at rseq_test.c:265 (discriminator 2) 2 0x0000ffffb044affb: ?? ??:0 3 0x0000ffffb044b0c7: ?? ??:0 4 0x0000000000401a6f: _start at ??:? rseq CPU = 4, sched CPU = 27 Fix the issue by passing correct parameter, TID of the vCPU thread, to sched_setaffinity() in the migration worker. Fixes: 61e52f1630f5 ("KVM: selftests: Add a test for KVM_RUN+rseq to detect task migration bugs") Suggested-by: Sean Christopherson Signed-off-by: Gavin Shan Reviewed-by: Oliver Upton Message-Id: <20220719020830.3479482-1-gshan@redhat.com> Reviewed-by: Andrew Jones Signed-off-by: Paolo Bonzini commit 450a563924ae9437758bd468c5b7cee9468ce749 Author: Oliver Upton Date: Tue Jul 19 12:52:29 2022 +0000 KVM: stats: Fix value for KVM_STATS_UNIT_MAX for boolean stats commit 1b870fa5573e ("kvm: stats: tell userspace which values are boolean") added a new stat unit (boolean) but failed to raise KVM_STATS_UNIT_MAX. Fix by pointing UNIT_MAX at the new max value of UNIT_BOOLEAN. Fixes: 1b870fa5573e ("kvm: stats: tell userspace which values are boolean") Reported-by: Janis Schoetterl-Glausch Signed-off-by: Oliver Upton Message-Id: <20220719125229.2934273-1-oupton@google.com> Signed-off-by: Paolo Bonzini commit b3fcfc4f0c50a716487fd7ebd0e6b64a2db29d76 Merge: 1774559f07993 989918482bbcc Author: Paolo Abeni Date: Tue Jul 19 12:37:04 2022 +0200 Merge branch 'amt-fix-validation-and-synchronization-bugs' Taehee Yoo says: ==================== amt: fix validation and synchronization bugs There are some synchronization issues in the amt module. Especially, an amt gateway doesn't well synchronize its own variables and status(amt->status). It tries to use a workqueue for handles in a single thread. A global lock is also good, but it would occur complex locking complex. In this patchset, only the gateway uses workqueue. The reason why only gateway interface uses workqueue is that gateway should manage its own states and variables a little bit statefully. But relay doesn't need to manage tunnels statefully, stateless is okay. So, relay side message handlers are okay to be called concurrently. But it doesn't mean that no lock is needed. Only amt multicast data message type will not be processed by the work queue because It contains actual multicast data. So, it should be processed immediately. When any amt gateway events are triggered(sending discovery message by delayed_work, sending request message by delayed_work and receiving messages), it stores event and skb into the event queue(amt->events[16]). Then, workqueue processes these events one by one. The first patch is to use the work queue. The second patch is to remove unnecessary lock due to a previous patch. The third patch is to use READ_ONCE() in the amt module. Even if the amt module uses a single thread, some variables (ready4, ready6, amt->status) can be accessed concurrently. The fourth patch is to add missing nonce generation logic when it sends a new request message. The fifth patch is to drop unexpected advertisement messages. advertisement message should be received only after the gateway sends a discovery message first. So, the gateway should drop advertisement messages if it has never sent a discovery message and it also should drop duplicate advertisement messages. Using nonce is good to distinguish whether a received message is an expected message or not. The sixth patch is to drop unexpected query messages. This is the same behavior as the fourth patch. Query messages should be received only after the gateway sends a request message first. The nonce variable is used to distinguish whether it is a reply to a previous request message or not. amt->ready4 and amt->ready6 are used to distinguish duplicate messages. The seventh patch is to drop unexpected multicast data. AMT gateway should not receive multicast data message type before establish between gateway and relay. In order to drop unexpected multicast data messages, it checks amt->status. The last patch is to fix a locking problem on the relay side. amt->nr_tunnels variable is protected by amt->lock. But amt_request_handler() doesn't protect this variable. v2: - Use local_bh_disable() instead of rcu_read_lock_bh() in amt_membership_query_handler. - Fix using uninitialized variables. - Fix unexpectedly start the event_wq after stopping. - Fix possible deadlock in amt_event_work(). - Add a limit variable in amt_event_work() to prevent infinite working. - Rename amt_queue_events() to amt_queue_event(). ==================== Link: https://lore.kernel.org/r/20220717160910.19156-1-ap420073@gmail.com Signed-off-by: Paolo Abeni commit 989918482bbccbbce3ba2bb9156eb4c193319983 Author: Taehee Yoo Date: Sun Jul 17 16:09:10 2022 +0000 amt: do not use amt->nr_tunnels outside of lock amt->nr_tunnels is protected by amt->lock. But, amt_request_handler() has been using this variable without the amt->lock. So, it expands context of amt->lock in the amt_request_handler() to protect amt->nr_tunnels variable. Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") Signed-off-by: Taehee Yoo Signed-off-by: Paolo Abeni commit e882827d5b8942a27b4d28548aa27562a3a7e94c Author: Taehee Yoo Date: Sun Jul 17 16:09:09 2022 +0000 amt: drop unexpected multicast data AMT gateway interface should not receive unexpected multicast data. Multicast data message type should be received after sending an update message, which means all establishment between gateway and relay is finished. So, amt_multicast_data_handler() checks amt->status. Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") Signed-off-by: Taehee Yoo Signed-off-by: Paolo Abeni commit 239d886601e38d948a28f3b2a1c9ce5f01bf75f2 Author: Taehee Yoo Date: Sun Jul 17 16:09:08 2022 +0000 amt: drop unexpected query message AMT gateway interface should not receive unexpected query messages. In order to drop unexpected query messages, it checks nonce. And it also checks ready4 and ready6 variables to drop duplicated messages. Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") Signed-off-by: Taehee Yoo Signed-off-by: Paolo Abeni commit 40185f359fbabaa61da754cc29d12f3a41e0a987 Author: Taehee Yoo Date: Sun Jul 17 16:09:07 2022 +0000 amt: drop unexpected advertisement message AMT gateway interface should not receive unexpected advertisement messages. In order to drop these packets, it should check nonce and amt->status. Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") Signed-off-by: Taehee Yoo Signed-off-by: Paolo Abeni commit 627f16931bf3cb20d50274d9341380ac2c3035fd Author: Taehee Yoo Date: Sun Jul 17 16:09:06 2022 +0000 amt: add missing regeneration nonce logic in request logic When AMT gateway starts sending a new request message, it should regenerate the nonce variable. Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") Signed-off-by: Taehee Yoo Signed-off-by: Paolo Abeni commit 928f353cb8672f0d6078aad75eeec0ed33875b12 Author: Taehee Yoo Date: Sun Jul 17 16:09:05 2022 +0000 amt: use READ_ONCE() in amt module There are some data races in the amt module. amt->ready4, amt->ready6, and amt->status can be accessed concurrently without locks. So, it uses READ_ONCE() and WRITE_ONCE(). Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") Signed-off-by: Taehee Yoo Signed-off-by: Paolo Abeni commit 9c343ea6185febe5f6b74f7f7b3757f3dd9c5af6 Author: Taehee Yoo Date: Sun Jul 17 16:09:04 2022 +0000 amt: remove unnecessary locks By the previous patch, amt gateway handlers are changed to worked by a single thread. So, most locks for gateway are not needed. So, it removes. Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") Signed-off-by: Taehee Yoo Signed-off-by: Paolo Abeni commit 30e22a6ebca039572ce9bc10f1934f4eabfb5b7f Author: Taehee Yoo Date: Sun Jul 17 16:09:03 2022 +0000 amt: use workqueue for gateway side message handling There are some synchronization issues(amt->status, amt->req_cnt, etc) if the interface is in gateway mode because gateway message handlers are processed concurrently. This applies a work queue for processing these messages instead of expanding the locking context. So, the purposes of this patch are to fix exist race conditions and to make gateway to be able to validate a gateway status more correctly. When the AMT gateway interface is created, it tries to establish to relay. The establishment step looks stateless, but it should be managed well. In order to handle messages in the gateway, it saves the current status(i.e. AMT_STATUS_XXX). This patch makes gateway code to be worked with a single thread. Now, all messages except the multicast are triggered(received or delay expired), and these messages will be stored in the event queue(amt->events). Then, the single worker processes stored messages asynchronously one by one. The multicast data message type will be still processed immediately. Now, amt->lock is only needed to access the event queue(amt->events) if an interface is the gateway mode. Fixes: cbc21dc1cfe9 ("amt: add data plane of amt interface") Signed-off-by: Taehee Yoo Signed-off-by: Paolo Abeni commit 1774559f07993e1cac33c2406e99049d4bdea6c8 Author: Oleksij Rempel Date: Sun Jul 17 15:58:31 2022 +0200 net: dsa: vitesse-vsc73xx: silent spi_device_id warnings Add spi_device_id entries to silent SPI warnings. Fixes: 5fa6863ba692 ("spi: Check we have a spi_device_id for each DT compatible") Signed-off-by: Oleksij Rempel Reviewed-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220717135831.2492844-2-o.rempel@pengutronix.de Signed-off-by: Paolo Abeni commit 855fe49984a8a3899f07ae1d149d46cd8d4acb52 Author: Oleksij Rempel Date: Sun Jul 17 15:58:30 2022 +0200 net: dsa: sja1105: silent spi_device_id warnings Add spi_device_id entries to silent following warnings: SPI driver sja1105 has no spi_device_id for nxp,sja1105e SPI driver sja1105 has no spi_device_id for nxp,sja1105t SPI driver sja1105 has no spi_device_id for nxp,sja1105p SPI driver sja1105 has no spi_device_id for nxp,sja1105q SPI driver sja1105 has no spi_device_id for nxp,sja1105r SPI driver sja1105 has no spi_device_id for nxp,sja1105s SPI driver sja1105 has no spi_device_id for nxp,sja1110a SPI driver sja1105 has no spi_device_id for nxp,sja1110b SPI driver sja1105 has no spi_device_id for nxp,sja1110c SPI driver sja1105 has no spi_device_id for nxp,sja1110d Fixes: 5fa6863ba692 ("spi: Check we have a spi_device_id for each DT compatible") Signed-off-by: Oleksij Rempel Reviewed-by: Vladimir Oltean Reviewed-by: Florian Fainelli Link: https://lore.kernel.org/r/20220717135831.2492844-1-o.rempel@pengutronix.de Signed-off-by: Paolo Abeni commit d7241f679a59cfe27f92cb5c6272cb429fb1f7ec Author: Hristo Venev Date: Sat Jul 16 11:51:34 2022 +0300 be2net: Fix buffer overflow in be_get_module_eeprom be_cmd_read_port_transceiver_data assumes that it is given a buffer that is at least PAGE_DATA_LEN long, or twice that if the module supports SFF 8472. However, this is not always the case. Fix this by passing the desired offset and length to be_cmd_read_port_transceiver_data so that we only copy the bytes once. Fixes: e36edd9d26cf ("be2net: add ethtool "-m" option support") Signed-off-by: Hristo Venev Link: https://lore.kernel.org/r/20220716085134.6095-1-hristo@venev.name Signed-off-by: Paolo Abeni commit b8c768ccdd8338504fb78370747728d5002b1b5a Author: Haibo Chen Date: Mon Jul 18 16:31:43 2022 +0800 gpio: pca953x: use the correct register address when regcache sync during init For regcache_sync_region, we need to use pca953x_recalc_addr() to get the real register address. Fixes: ec82d1eba346 ("gpio: pca953x: Zap ad-hoc reg_output cache") Fixes: 0f25fda840a9 ("gpio: pca953x: Zap ad-hoc reg_direction cache") Signed-off-by: Haibo Chen Reviewed-by: Andy Shevchenko Signed-off-by: Bartosz Golaszewski commit 2abc17a93867dc816f0ed9d32021dda8078e7330 Author: Haibo Chen Date: Mon Jul 18 16:31:42 2022 +0800 gpio: pca953x: use the correct range when do regmap sync regmap will sync a range of registers, here use the correct range to make sure the sync do not touch other unexpected registers. Find on pca9557pw on imx8qxp/dxl evk board, this device support 8 pin, so only need one register(8 bits) to cover all the 8 pins's property setting. But when sync the output, we find it actually update two registers, output register and the following register. Fixes: b76574300504 ("gpio: pca953x: Restore registers after suspend/resume cycle") Fixes: ec82d1eba346 ("gpio: pca953x: Zap ad-hoc reg_output cache") Fixes: 0f25fda840a9 ("gpio: pca953x: Zap ad-hoc reg_direction cache") Signed-off-by: Haibo Chen Reviewed-by: Andy Shevchenko Signed-off-by: Bartosz Golaszewski commit db8edaa09d7461ec08672a92a2eef63d5882bb79 Author: Haibo Chen Date: Mon Jul 18 16:31:41 2022 +0800 gpio: pca953x: only use single read/write for No AI mode For the device use NO AI mode(not support auto address increment), only use the single read/write when config the regmap. We meet issue on PCA9557PW on i.MX8QXP/DXL evk board, this device do not support AI mode, but when do the regmap sync, regmap will sync 3 byte data to register 1, logically this means write first data to register 1, write second data to register 2, write third data to register 3. But this device do not support AI mode, finally, these three data write only into register 1 one by one. the reault is the value of register 1 alway equal to the latest data, here is the third data, no operation happened on register 2 and register 3. This is not what we expect. Fixes: 49427232764d ("gpio: pca953x: Perform basic regmap conversion") Signed-off-by: Haibo Chen Reviewed-by: Andy Shevchenko Signed-off-by: Bartosz Golaszewski commit 25c2a075eb6a3031813b6051bd10dfc22c36a2a4 Author: Herve Codina Date: Mon Jul 4 12:28:43 2022 +0200 clk: lan966x: Fix the lan966x clock gate register address The register address used for the clock gate register is the base register address coming from first reg map (ie. the generic clock registers) instead of the second reg map defining the clock gate register. Use the correct clock gate register address. Fixes: 5ad5915dea00 ("clk: lan966x: Extend lan966x clock driver for clock gating support") Signed-off-by: Herve Codina Link: https://lore.kernel.org/r/20220704102845.168438-2-herve.codina@bootlin.com Reviewed-by: Claudiu Beznea Tested-by: Michael Walle Signed-off-by: Stephen Boyd commit da791bac104a3169b05b54270afe75daacba4641 Author: Wong Vee Khee Date: Fri Jul 15 20:24:02 2022 +0800 net: stmmac: remove redunctant disable xPCS EEE call Disable is done in stmmac_init_eee() on the event of MAC link down. Since setting enable/disable EEE via ethtool will eventually trigger a MAC down, removing this redunctant call in stmmac_ethtool.c to avoid calling xpcs_config_eee() twice. Fixes: d4aeaed80b0e ("net: stmmac: trigger PCS EEE to turn off on link down") Signed-off-by: Wong Vee Khee Link: https://lore.kernel.org/r/20220715122402.1017470-1-vee.khee.wong@linux.intel.com Signed-off-by: Jakub Kicinski commit 49a2f5c88e8f8a66d81e93ed034f00dee9fe9cf7 Merge: 1e53834ce541d 1699b4d502eda Author: Jakub Kicinski Date: Mon Jul 18 20:14:27 2022 -0700 Merge branch 'fix-2-dsa-issues-with-vlan_filtering_is_global' Vladimir Oltean says: ==================== Fix 2 DSA issues with vlan_filtering_is_global This patch set fixes 2 issues with vlan_filtering_is_global switches. Both are regressions introduced by refactoring commit d0004a020bb5 ("net: dsa: remove the "dsa_to_port in a loop" antipattern from the core"), which wasn't tested on a wide enough variety of switches. Tested on the sja1105 driver. ==================== Link: https://lore.kernel.org/r/20220715151659.780544-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit 1699b4d502eda3c7ea4070debad3ee570b5091b1 Author: Vladimir Oltean Date: Fri Jul 15 18:16:59 2022 +0300 net: dsa: fix NULL pointer dereference in dsa_port_reset_vlan_filtering The "ds" iterator variable used in dsa_port_reset_vlan_filtering() -> dsa_switch_for_each_port() overwrites the "dp" received as argument, which is later used to call dsa_port_vlan_filtering() proper. As a result, switches which do enter that code path (the ones with vlan_filtering_is_global=true) will dereference an invalid dp in dsa_port_reset_vlan_filtering() after leaving a VLAN-aware bridge. Use a dedicated "other_dp" iterator variable to avoid this from happening. Fixes: d0004a020bb5 ("net: dsa: remove the "dsa_to_port in a loop" antipattern from the core") Signed-off-by: Vladimir Oltean Signed-off-by: Jakub Kicinski commit 4db2a5ef4ccbe6d138828284cfab241b434b5d95 Author: Vladimir Oltean Date: Fri Jul 15 18:16:58 2022 +0300 net: dsa: fix dsa_port_vlan_filtering when global The blamed refactoring commit changed a "port" iterator with "other_dp", but still looked at the slave_dev of the dp outside the loop, instead of other_dp->slave from the loop. As a result, dsa_port_vlan_filtering() would not call dsa_slave_manage_vlan_filtering() except for the port in cause, and not for all switch ports as expected. Fixes: d0004a020bb5 ("net: dsa: remove the "dsa_to_port in a loop" antipattern from the core") Reported-by: Lucian Banu Signed-off-by: Vladimir Oltean Signed-off-by: Jakub Kicinski commit 1e53834ce541d4fe271cdcca7703e50be0a44f8a Author: Piotr Skajewski Date: Fri Jul 15 14:44:56 2022 -0700 ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero It is possible to disable VFs while the PF driver is processing requests from the VF driver. This can result in a panic. BUG: unable to handle kernel paging request at 000000000000106c PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 8 PID: 0 Comm: swapper/8 Kdump: loaded Tainted: G I --------- - Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020 RIP: 0010:ixgbe_msg_task+0x4c8/0x1690 [ixgbe] Code: 00 00 48 8d 04 40 48 c1 e0 05 89 7c 24 24 89 fd 48 89 44 24 10 83 ff 01 0f 84 b8 04 00 00 4c 8b 64 24 10 4d 03 a5 48 22 00 00 <41> 80 7c 24 4c 00 0f 84 8a 03 00 00 0f b7 c7 83 f8 08 0f 84 8f 0a RSP: 0018:ffffb337869f8df8 EFLAGS: 00010002 RAX: 0000000000001020 RBX: 0000000000000000 RCX: 000000000000002b RDX: 0000000000000002 RSI: 0000000000000008 RDI: 0000000000000006 RBP: 0000000000000006 R08: 0000000000000002 R09: 0000000000029780 R10: 00006957d8f42832 R11: 0000000000000000 R12: 0000000000001020 R13: ffff8a00e8978ac0 R14: 000000000000002b R15: ffff8a00e8979c80 FS: 0000000000000000(0000) GS:ffff8a07dfd00000(0000) knlGS:00000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000106c CR3: 0000000063e10004 CR4: 00000000007726e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? ttwu_do_wakeup+0x19/0x140 ? try_to_wake_up+0x1cd/0x550 ? ixgbevf_update_xcast_mode+0x71/0xc0 [ixgbevf] ixgbe_msix_other+0x17e/0x310 [ixgbe] __handle_irq_event_percpu+0x40/0x180 handle_irq_event_percpu+0x30/0x80 handle_irq_event+0x36/0x53 handle_edge_irq+0x82/0x190 handle_irq+0x1c/0x30 do_IRQ+0x49/0xd0 common_interrupt+0xf/0xf This can be eventually be reproduced with the following script: while : do echo 63 > /sys/class/net//device/sriov_numvfs sleep 1 echo 0 > /sys/class/net//device/sriov_numvfs sleep 1 done Add lock when disabling SR-IOV to prevent process VF mailbox communication. Fixes: d773d1310625 ("ixgbe: Fix memory leak when SR-IOV VFs are direct assigned") Signed-off-by: Piotr Skajewski Tested-by: Marek Szlosek Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20220715214456.2968711-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit f838a63369818faadec4ad1736cfbd20ab5da00e Author: Dawid Lukwinski Date: Fri Jul 15 14:45:41 2022 -0700 i40e: Fix erroneous adapter reinitialization during recovery process Fix an issue when driver incorrectly detects state of recovery process and erroneously reinitializes interrupts, which results in a kernel error and call trace message. The issue was caused by a combination of two factors: 1. Assuming the EMP reset issued after completing firmware recovery means the whole recovery process is complete. 2. Erroneous reinitialization of interrupt vector after detecting the above mentioned EMP reset. Fixes (1) by changing how recovery state change is detected and (2) by adjusting the conditional expression to ensure using proper interrupt reinitialization method, depending on the situation. Fixes: 4ff0ee1af016 ("i40e: Introduce recovery mode support") Signed-off-by: Dawid Lukwinski Signed-off-by: Jan Sokolowski Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20220715214542.2968762-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 3696c952da0733b843c8da3441345055b1cbacd9 Author: Tom Rix Date: Sat Jul 16 17:46:54 2022 -0400 net: ethernet: mtk_eth_soc: fix off by one check of ARRAY_SIZE In mtk_wed_tx_ring_setup(.., int idx, ..), idx is used as an index here struct mtk_wed_ring *ring = &dev->tx_ring[idx]; The bounds of idx are checked here BUG_ON(idx > ARRAY_SIZE(dev->tx_ring)); If idx is the size of the array, it will pass this check and overflow. So change the check to >= . Fixes: 804775dfc288 ("net: ethernet: mtk_eth_soc: add support for Wireless Ethernet Dispatch (WED)") Signed-off-by: Tom Rix Link: https://lore.kernel.org/r/20220716214654.1540240-1-trix@redhat.com Signed-off-by: Jakub Kicinski commit b6224a36de8bb30bfec9ff2bc45ed8002e79a79a Merge: c32349f3257f3 675c807ae26b2 Author: Jakub Kicinski Date: Mon Jul 18 20:00:05 2022 -0700 Merge branch 'net-lan966x-fix-issues-with-mac-table' Horatiu Vultur says: ==================== net: lan966x: Fix issues with MAC table The patch series fixes 2 issues: - when an entry was forgotten the irq thread was holding a spin lock and then was talking also rtnl_lock. - the access to the HW MAC table is indirect, so the access to the HW MAC table was not synchronized, which means that there could be race conditions. ==================== Link: https://lore.kernel.org/r/20220714194040.231651-1-horatiu.vultur@microchip.com Signed-off-by: Jakub Kicinski commit 675c807ae26b267233b97cd5006979a6bb8d54d4 Author: Horatiu Vultur Date: Thu Jul 14 21:40:40 2022 +0200 net: lan966x: Fix usage of lan966x->mac_lock when used by FDB When the SW bridge was trying to add/remove entries to/from HW, the access to HW was not protected by any lock. In this way, it was possible to have race conditions. Fix this by using the lan966x->mac_lock to protect parallel access to HW for this cases. Fixes: 25ee9561ec622 ("net: lan966x: More MAC table functionality") Signed-off-by: Horatiu Vultur Reviewed-by: Vladimir Oltean Signed-off-by: Jakub Kicinski commit c1924684369762b112428a333ad00eac6ca89d96 Author: Horatiu Vultur Date: Thu Jul 14 21:40:39 2022 +0200 net: lan966x: Fix usage of lan966x->mac_lock inside lan966x_mac_irq_handler The problem with this spin lock is that it was just protecting the list of the MAC entries in SW and not also the access to the MAC entries in HW. Because the access to HW is indirect, then it could happen to have race conditions. For example when SW introduced an entry in MAC table and the irq mac is trying to read something from the MAC. Update such that also the access to MAC entries in HW is protected by this lock. Fixes: 5ccd66e01cbef ("net: lan966x: add support for interrupts from analyzer") Signed-off-by: Horatiu Vultur Reviewed-by: Vladimir Oltean Signed-off-by: Jakub Kicinski commit 99343cfa4f7560abf933fff7ab3ea58a6905c917 Author: Horatiu Vultur Date: Thu Jul 14 21:40:38 2022 +0200 net: lan966x: Fix usage of lan966x->mac_lock when entry is removed To remove an entry to the MAC table, it is required first to setup the entry and then issue a command for the MAC to forget the entry. So if it happens for two threads to remove simultaneously an entry in MAC table then it would be a race condition. Fix this by using lan966x->mac_lock to protect the HW access. Fixes: e18aba8941b40 ("net: lan966x: add mactable support") Signed-off-by: Horatiu Vultur Reviewed-by: Vladimir Oltean Signed-off-by: Jakub Kicinski commit 43243bb3195b0dc27741679471e23baed1efe98e Author: Horatiu Vultur Date: Thu Jul 14 21:40:37 2022 +0200 net: lan966x: Fix usage of lan966x->mac_lock when entry is added To add an entry to the MAC table, it is required first to setup the entry and then issue a command for the MAC to learn the entry. So if it happens for two threads to add simultaneously an entry in MAC table then it would be a race condition. Fix this by using lan966x->mac_lock to protect the HW access. Fixes: fc0c3fe7486f2 ("net: lan966x: Add function lan966x_mac_ip_learn()") Signed-off-by: Horatiu Vultur Reviewed-by: Vladimir Oltean Signed-off-by: Jakub Kicinski commit 45533a534a45cb12c20c81615d17306176cb1c57 Author: Horatiu Vultur Date: Thu Jul 14 21:40:36 2022 +0200 net: lan966x: Fix taking rtnl_lock while holding spin_lock When the HW deletes an entry in MAC table then it generates an interrupt. The SW will go through it's own list of MAC entries and if it is not found then it would notify the listeners about this. The problem is that when the SW will go through it's own list it would take a spin lock(lan966x->mac_lock) and when it notifies that the entry is deleted. But to notify the listeners it taking the rtnl_lock which is illegal. This is fixed by instead of notifying right away that the entry is deleted, move the entry on a temp list and once, it checks all the entries then just notify that the entries from temp list are deleted. Fixes: 5ccd66e01cbe ("net: lan966x: add support for interrupts from analyzer") Signed-off-by: Horatiu Vultur Reviewed-by: Vladimir Oltean Signed-off-by: Jakub Kicinski commit ca85855bdcae8f84f1512e88b4c75009ea17ea2f Merge: 80e19f34c2887 cc0315564d6ee Author: Linus Torvalds Date: Mon Jul 18 17:16:22 2022 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "Two bug fixes for irdma: - x722 does not support 1GB pages, trying to configure them will corrupt the dma mapping - Fix a sleep while holding a spinlock" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: RDMA/irdma: Fix sleep from invalid context BUG RDMA/irdma: Do not advertise 1GB page size for x722 commit 4546760619cfa9b718fe2059ceb07101cf9ff61e Author: Vladimir Oltean Date: Sun Jul 17 02:37:45 2022 +0300 pinctrl: armada-37xx: use raw spinlocks for regmap to avoid invalid wait context The irqchip->irq_set_type method is called by __irq_set_trigger() under the desc->lock raw spinlock. The armada-37xx implementation, armada_37xx_irq_set_type(), uses an MMIO regmap created by of_syscon_register(), which uses plain spinlocks (the kind that are sleepable on RT). Therefore, this is an invalid locking scheme for which we get a kernel splat stating just that ("[ BUG: Invalid wait context ]"), because the context in which the plain spinlock may sleep is atomic due to the raw spinlock. We need to go raw spinlocks all the way. Make this driver create its own MMIO regmap, with use_raw_spinlock=true, and stop relying on syscon to provide it. This patch depends on commit 67021f25d952 ("regmap: teach regmap to use raw spinlocks if requested in the config"). Cc: # 5.15+ Fixes: 2f227605394b ("pinctrl: armada-37xx: Add irqchip support") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220716233745.1704677-3-vladimir.oltean@nxp.com Signed-off-by: Linus Walleij commit 984245b66cf32c494b1e4f95f5ed6ba16b8771eb Author: Vladimir Oltean Date: Sun Jul 17 02:37:44 2022 +0300 pinctrl: armada-37xx: make irq_lock a raw spinlock to avoid invalid wait context The irqchip->irq_set_type method is called by __irq_set_trigger() under the desc->lock raw spinlock. The armada-37xx implementation, armada_37xx_irq_set_type(), takes a plain spinlock, the kind that becomes sleepable on RT. Therefore, this is an invalid locking scheme for which we get a kernel splat stating just that ("[ BUG: Invalid wait context ]"), because the context in which the plain spinlock may sleep is atomic due to the raw spinlock. We need to go raw spinlocks all the way. Replace the driver's irq_lock with a raw spinlock, to disable preemption even on RT. Cc: # 5.15+ Fixes: 2f227605394b ("pinctrl: armada-37xx: Add irqchip support") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220716233745.1704677-2-vladimir.oltean@nxp.com Signed-off-by: Linus Walleij commit c80af0c250c8f8a3c978aa5aafbe9c39b336b813 Author: Junxiao Bi Date: Fri Jun 3 15:28:01 2022 -0700 Revert "ocfs2: mount shared volume without ha stack" This reverts commit 912f655d78c5d4ad05eac287f23a435924df7144. This commit introduced a regression that can cause mount hung. The changes in __ocfs2_find_empty_slot causes that any node with none-zero node number can grab the slot that was already taken by node 0, so node 1 will access the same journal with node 0, when it try to grab journal cluster lock, it will hung because it was already acquired by node 0. It's very easy to reproduce this, in one cluster, mount node 0 first, then node 1, you will see the following call trace from node 1. [13148.735424] INFO: task mount.ocfs2:53045 blocked for more than 122 seconds. [13148.739691] Not tainted 5.15.0-2148.0.4.el8uek.mountracev2.x86_64 #2 [13148.742560] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [13148.745846] task:mount.ocfs2 state:D stack: 0 pid:53045 ppid: 53044 flags:0x00004000 [13148.749354] Call Trace: [13148.750718] [13148.752019] ? usleep_range+0x90/0x89 [13148.753882] __schedule+0x210/0x567 [13148.755684] schedule+0x44/0xa8 [13148.757270] schedule_timeout+0x106/0x13c [13148.759273] ? __prepare_to_swait+0x53/0x78 [13148.761218] __wait_for_common+0xae/0x163 [13148.763144] __ocfs2_cluster_lock.constprop.0+0x1d6/0x870 [ocfs2] [13148.765780] ? ocfs2_inode_lock_full_nested+0x18d/0x398 [ocfs2] [13148.768312] ocfs2_inode_lock_full_nested+0x18d/0x398 [ocfs2] [13148.770968] ocfs2_journal_init+0x91/0x340 [ocfs2] [13148.773202] ocfs2_check_volume+0x39/0x461 [ocfs2] [13148.775401] ? iput+0x69/0xba [13148.777047] ocfs2_mount_volume.isra.0.cold+0x40/0x1f5 [ocfs2] [13148.779646] ocfs2_fill_super+0x54b/0x853 [ocfs2] [13148.781756] mount_bdev+0x190/0x1b7 [13148.783443] ? ocfs2_remount+0x440/0x440 [ocfs2] [13148.785634] legacy_get_tree+0x27/0x48 [13148.787466] vfs_get_tree+0x25/0xd0 [13148.789270] do_new_mount+0x18c/0x2d9 [13148.791046] __x64_sys_mount+0x10e/0x142 [13148.792911] do_syscall_64+0x3b/0x89 [13148.794667] entry_SYSCALL_64_after_hwframe+0x170/0x0 [13148.797051] RIP: 0033:0x7f2309f6e26e [13148.798784] RSP: 002b:00007ffdcee7d408 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [13148.801974] RAX: ffffffffffffffda RBX: 00007ffdcee7d4a0 RCX: 00007f2309f6e26e [13148.804815] RDX: 0000559aa762a8ae RSI: 0000559aa939d340 RDI: 0000559aa93a22b0 [13148.807719] RBP: 00007ffdcee7d5b0 R08: 0000559aa93a2290 R09: 00007f230a0b4820 [13148.810659] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdcee7d420 [13148.813609] R13: 0000000000000000 R14: 0000559aa939f000 R15: 0000000000000000 [13148.816564] To fix it, we can just fix __ocfs2_find_empty_slot. But original commit introduced the feature to mount ocfs2 locally even it is cluster based, that is a very dangerous, it can easily cause serious data corruption, there is no way to stop other nodes mounting the fs and corrupting it. Setup ha or other cluster-aware stack is just the cost that we have to take for avoiding corruption, otherwise we have to do it in kernel. Link: https://lkml.kernel.org/r/20220603222801.42488-1-junxiao.bi@oracle.com Fixes: 912f655d78c5("ocfs2: mount shared volume without ha stack") Signed-off-by: Junxiao Bi Acked-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Cc: Signed-off-by: Andrew Morton commit da9a298f5fad0dc615079a340da42928bc5b138e Author: Miaohe Lin Date: Sat Jul 9 17:26:29 2022 +0800 hugetlb: fix memoryleak in hugetlb_mcopy_atomic_pte When alloc_huge_page fails, *pagep is set to NULL without put_page first. So the hugepage indicated by *pagep is leaked. Link: https://lkml.kernel.org/r/20220709092629.54291-1-linmiaohe@huawei.com Fixes: 8cc5fcbb5be8 ("mm, hugetlb: fix racy resv_huge_pages underflow on UFFDIO_COPY") Signed-off-by: Miaohe Lin Acked-by: Muchun Song Reviewed-by: Anshuman Khandual Reviewed-by: Baolin Wang Reviewed-by: Mike Kravetz Cc: Signed-off-by: Andrew Morton commit bdeb77bc2c405fa9f954c20269db175a0bd2793f Author: Andrei Vagin Date: Sat Jul 16 21:37:10 2022 -0700 fs: sendfile handles O_NONBLOCK of out_fd sendfile has to return EAGAIN if out_fd is nonblocking and the write into it would block. Here is a small reproducer for the problem: #define _GNU_SOURCE /* See feature_test_macros(7) */ #include #include #include #include #include #include #include #define FILE_SIZE (1UL << 30) int main(int argc, char **argv) { int p[2], fd; if (pipe2(p, O_NONBLOCK)) return 1; fd = open(argv[1], O_RDWR | O_TMPFILE, 0666); if (fd < 0) return 1; ftruncate(fd, FILE_SIZE); if (sendfile(p[1], fd, 0, FILE_SIZE) == -1) { fprintf(stderr, "FAIL\n"); } if (sendfile(p[1], fd, 0, FILE_SIZE) != -1 || errno != EAGAIN) { fprintf(stderr, "FAIL\n"); } return 0; } It worked before b964bf53e540, it is stuck after b964bf53e540, and it works again with this fix. This regression occurred because do_splice_direct() calls pipe_write that handles O_NONBLOCK. Here is a trace log from the reproducer: 1) | __x64_sys_sendfile64() { 1) | do_sendfile() { 1) | __fdget() 1) | rw_verify_area() 1) | __fdget() 1) | rw_verify_area() 1) | do_splice_direct() { 1) | rw_verify_area() 1) | splice_direct_to_actor() { 1) | do_splice_to() { 1) | rw_verify_area() 1) | generic_file_splice_read() 1) + 74.153 us | } 1) | direct_splice_actor() { 1) | iter_file_splice_write() { 1) | __kmalloc() 1) 0.148 us | pipe_lock(); 1) 0.153 us | splice_from_pipe_next.part.0(); 1) 0.162 us | page_cache_pipe_buf_confirm(); ... 16 times 1) 0.159 us | page_cache_pipe_buf_confirm(); 1) | vfs_iter_write() { 1) | do_iter_write() { 1) | rw_verify_area() 1) | do_iter_readv_writev() { 1) | pipe_write() { 1) | mutex_lock() 1) 0.153 us | mutex_unlock(); 1) 1.368 us | } 1) 1.686 us | } 1) 5.798 us | } 1) 6.084 us | } 1) 0.174 us | kfree(); 1) 0.152 us | pipe_unlock(); 1) + 14.461 us | } 1) + 14.783 us | } 1) 0.164 us | page_cache_pipe_buf_release(); ... 16 times 1) 0.161 us | page_cache_pipe_buf_release(); 1) | touch_atime() 1) + 95.854 us | } 1) + 99.784 us | } 1) ! 107.393 us | } 1) ! 107.699 us | } Link: https://lkml.kernel.org/r/20220415005015.525191-1-avagin@gmail.com Fixes: b964bf53e540 ("teach sendfile(2) to handle send-to-pipe directly") Signed-off-by: Andrei Vagin Cc: Al Viro Cc: Signed-off-by: Andrew Morton commit 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 Author: ChenXiaoSong Date: Thu Jul 7 18:53:29 2022 +0800 ntfs: fix use-after-free in ntfs_ucsncmp() Syzkaller reported use-after-free bug as follows: ================================================================== BUG: KASAN: use-after-free in ntfs_ucsncmp+0x123/0x130 Read of size 2 at addr ffff8880751acee8 by task a.out/879 CPU: 7 PID: 879 Comm: a.out Not tainted 5.19.0-rc4-next-20220630-00001-gcc5218c8bd2c-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x1c0/0x2b0 print_address_description.constprop.0.cold+0xd4/0x484 print_report.cold+0x55/0x232 kasan_report+0xbf/0xf0 ntfs_ucsncmp+0x123/0x130 ntfs_are_names_equal.cold+0x2b/0x41 ntfs_attr_find+0x43b/0xb90 ntfs_attr_lookup+0x16d/0x1e0 ntfs_read_locked_attr_inode+0x4aa/0x2360 ntfs_attr_iget+0x1af/0x220 ntfs_read_locked_inode+0x246c/0x5120 ntfs_iget+0x132/0x180 load_system_files+0x1cc6/0x3480 ntfs_fill_super+0xa66/0x1cf0 mount_bdev+0x38d/0x460 legacy_get_tree+0x10d/0x220 vfs_get_tree+0x93/0x300 do_new_mount+0x2da/0x6d0 path_mount+0x496/0x19d0 __x64_sys_mount+0x284/0x300 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f3f2118d9ea Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48 RSP: 002b:00007ffc269deac8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3f2118d9ea RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc269dec00 RBP: 00007ffc269dec80 R08: 00007ffc269deb00 R09: 00007ffc269dec44 R10: 0000000000000000 R11: 0000000000000202 R12: 000055f81ab1d220 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 The buggy address belongs to the physical page: page:0000000085430378 refcount:1 mapcount:1 mapping:0000000000000000 index:0x555c6a81d pfn:0x751ac memcg:ffff888101f7e180 anon flags: 0xfffffc00a0014(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x1fffff) raw: 000fffffc00a0014 ffffea0001bf2988 ffffea0001de2448 ffff88801712e201 raw: 0000000555c6a81d 0000000000000000 0000000100000000 ffff888101f7e180 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880751acd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880751ace00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880751ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff8880751acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880751acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== The reason is that struct ATTR_RECORD->name_offset is 6485, end address of name string is out of bounds. Fix this by adding sanity check on end address of attribute name string. [akpm@linux-foundation.org: coding-style cleanups] [chenxiaosong2@huawei.com: cleanup suggested by Hawkins Jiawei] Link: https://lkml.kernel.org/r/20220709064511.3304299-1-chenxiaosong2@huawei.com Link: https://lkml.kernel.org/r/20220707105329.4020708-1-chenxiaosong2@huawei.com Signed-off-by: ChenXiaoSong Signed-off-by: Hawkins Jiawei Cc: Anton Altaparmakov Cc: ChenXiaoSong Cc: Yongqiang Liu Cc: Zhang Yi Cc: Zhang Xiaoxu Signed-off-by: Andrew Morton commit 84ac013046ccc438af04b7acecd4d3ab84fe4bde Author: Mike Rapoport Date: Thu Jul 7 19:56:50 2022 +0300 secretmem: fix unhandled fault in truncate syzkaller reports the following issue: BUG: unable to handle page fault for address: ffff888021f7e005 PGD 11401067 P4D 11401067 PUD 11402067 PMD 21f7d063 PTE 800fffffde081060 Oops: 0002 [#1] PREEMPT SMP KASAN CPU: 0 PID: 3761 Comm: syz-executor281 Not tainted 5.19.0-rc4-syzkaller-00014-g941e3e791269 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:64 Code: c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 aa 4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01 01 RSP: 0018:ffffc9000329fa90 EFLAGS: 00010202 RAX: 0000000000000000 RBX: 0000000000001000 RCX: 0000000000000ffb RDX: 0000000000000ffb RSI: 0000000000000000 RDI: ffff888021f7e005 RBP: ffffea000087df80 R08: 0000000000000001 R09: ffff888021f7e005 R10: ffffed10043efdff R11: 0000000000000000 R12: 0000000000000005 R13: 0000000000000000 R14: 0000000000001000 R15: 0000000000000ffb FS: 00007fb29d8b2700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff888021f7e005 CR3: 0000000026e7b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: zero_user_segments include/linux/highmem.h:272 [inline] folio_zero_range include/linux/highmem.h:428 [inline] truncate_inode_partial_folio+0x76a/0xdf0 mm/truncate.c:237 truncate_inode_pages_range+0x83b/0x1530 mm/truncate.c:381 truncate_inode_pages mm/truncate.c:452 [inline] truncate_pagecache+0x63/0x90 mm/truncate.c:753 simple_setattr+0xed/0x110 fs/libfs.c:535 secretmem_setattr+0xae/0xf0 mm/secretmem.c:170 notify_change+0xb8c/0x12b0 fs/attr.c:424 do_truncate+0x13c/0x200 fs/open.c:65 do_sys_ftruncate+0x536/0x730 fs/open.c:193 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7fb29d900899 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb29d8b2318 EFLAGS: 00000246 ORIG_RAX: 000000000000004d RAX: ffffffffffffffda RBX: 00007fb29d988408 RCX: 00007fb29d900899 RDX: 00007fb29d900899 RSI: 0000000000000005 RDI: 0000000000000003 RBP: 00007fb29d988400 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb29d98840c R13: 00007ffca01a23bf R14: 00007fb29d8b2400 R15: 0000000000022000 Modules linked in: CR2: ffff888021f7e005 ---[ end trace 0000000000000000 ]--- Eric Biggers suggested that this happens when secretmem_setattr()->simple_setattr() races with secretmem_fault() so that a page that is faulted in by secretmem_fault() (and thus removed from the direct map) is zeroed by inode truncation right afterwards. Use mapping->invalidate_lock to make secretmem_fault() and secretmem_setattr() mutually exclusive. [rppt@linux.ibm.com: v3] Link: https://lkml.kernel.org/r/20220714091337.412297-1-rppt@kernel.org Link: https://lkml.kernel.org/r/20220707165650.248088-1-rppt@kernel.org Reported-by: syzbot+9bd2b7adbd34b30b87e4@syzkaller.appspotmail.com Signed-off-by: Mike Rapoport Suggested-by: Eric Biggers Reviewed-by: Axel Rasmussen Reviewed-by: Jan Kara Cc: Eric Biggers Cc: Hillf Danton Cc: Matthew Wilcox Cc: Signed-off-by: Andrew Morton commit c2cb0dcce9dd8b748b6ca8bb8d4a389f2e232307 Author: Naoya Horiguchi Date: Mon Jul 4 10:33:05 2022 +0900 mm/hugetlb: separate path for hwpoison entry in copy_hugetlb_page_range() Originally copy_hugetlb_page_range() handles migration entries and hwpoisoned entries in similar manner. But recently the related code path has more code for migration entries, and when is_writable_migration_entry() was converted to !is_readable_migration_entry(), hwpoison entries on source processes got to be unexpectedly updated (which is legitimate for migration entries, but not for hwpoison entries). This results in unexpected serious issues like kernel panic when forking processes with hwpoison entries in pmd. Separate the if branch into one for hwpoison entries and one for migration entries. Link: https://lkml.kernel.org/r/20220704013312.2415700-3-naoya.horiguchi@linux.dev Fixes: 6c287605fd56 ("mm: remember exclusively mapped anonymous pages with PG_anon_exclusive") Signed-off-by: Naoya Horiguchi Reviewed-by: Miaohe Lin Reviewed-by: Mike Kravetz Reviewed-by: Muchun Song Cc: [5.18] Cc: David Hildenbrand Cc: Liu Shixin Cc: Oscar Salvador Cc: Yang Shi Signed-off-by: Andrew Morton commit f4f451a16dd1f478fdb966bcbb612c1e4ce6b962 Author: Muchun Song Date: Tue Jul 5 20:35:32 2022 +0800 mm: fix missing wake-up event for FSDAX pages FSDAX page refcounts are 1-based, rather than 0-based: if refcount is 1, then the page is freed. The FSDAX pages can be pinned through GUP, then they will be unpinned via unpin_user_page() using a folio variant to put the page, however, folio variants did not consider this special case, the result will be to miss a wakeup event (like the user of __fuse_dax_break_layouts()). This results in a task being permanently stuck in TASK_INTERRUPTIBLE state. Since FSDAX pages are only possibly obtained by GUP users, so fix GUP instead of folio_put() to lower overhead. Link: https://lkml.kernel.org/r/20220705123532.283-1-songmuchun@bytedance.com Fixes: d8ddc099c6b3 ("mm/gup: Add gup_put_folio()") Signed-off-by: Muchun Song Suggested-by: Matthew Wilcox Cc: Jason Gunthorpe Cc: John Hubbard Cc: William Kucharski Cc: Dan Williams Cc: Jan Kara Cc: Signed-off-by: Andrew Morton commit 3fe2895cfecd03ac74977f32102b966b6589f481 Author: Josef Bacik Date: Tue Jul 5 16:00:36 2022 -0400 mm: fix page leak with multiple threads mapping the same page We have an application with a lot of threads that use a shared mmap backed by tmpfs mounted with -o huge=within_size. This application started leaking loads of huge pages when we upgraded to a recent kernel. Using the page ref tracepoints and a BPF program written by Tejun Heo we were able to determine that these pages would have multiple refcounts from the page fault path, but when it came to unmap time we wouldn't drop the number of refs we had added from the faults. I wrote a reproducer that mmap'ed a file backed by tmpfs with -o huge=always, and then spawned 20 threads all looping faulting random offsets in this map, while using madvise(MADV_DONTNEED) randomly for huge page aligned ranges. This very quickly reproduced the problem. The problem here is that we check for the case that we have multiple threads faulting in a range that was previously unmapped. One thread maps the PMD, the other thread loses the race and then returns 0. However at this point we already have the page, and we are no longer putting this page into the processes address space, and so we leak the page. We actually did the correct thing prior to f9ce0be71d1f, however it looks like Kirill copied what we do in the anonymous page case. In the anonymous page case we don't yet have a page, so we don't have to drop a reference on anything. Previously we did the correct thing for file based faults by returning VM_FAULT_NOPAGE so we correctly drop the reference on the page we faulted in. Fix this by returning VM_FAULT_NOPAGE in the pmd_devmap_trans_unstable() case, this makes us drop the ref on the page properly, and now my reproducer no longer leaks the huge pages. [josef@toxicpanda.com: v2] Link: https://lkml.kernel.org/r/e90c8f0dbae836632b669c2afc434006a00d4a67.1657721478.git.josef@toxicpanda.com Link: https://lkml.kernel.org/r/2b798acfd95c9ab9395fe85e8d5a835e2e10a920.1657051137.git.josef@toxicpanda.com Fixes: f9ce0be71d1f ("mm: Cleanup faultaround and finish_fault() codepaths") Signed-off-by: Josef Bacik Signed-off-by: Rik van Riel Signed-off-by: Chris Mason Acked-by: Kirill A. Shutemov Cc: Matthew Wilcox (Oracle) Cc: Signed-off-by: Andrew Morton commit f073c8335929a9746c19d4551aeb2d4d0dbef0d1 Author: Seth Forshee Date: Tue Jun 28 15:07:34 2022 -0500 mailmap: update Seth Forshee's email address seth.forshee@canonical.com is no longer valid, use sforshee@kernel.org instead. Link: https://lkml.kernel.org/r/20220628200734.424495-1-sforshee@kernel.org Signed-off-by: Seth Forshee Signed-off-by: Andrew Morton commit 0c98c8e1e181478152d440a89d802ee4508c66a6 Author: ZhaoLong Wang Date: Wed Jun 29 20:43:24 2022 +0800 tmpfs: fix the issue that the mount and remount results are inconsistent. An undefined-behavior issue has not been completely fixed since commit d14f5efadd84 ("tmpfs: fix undefined-behaviour in shmem_reconfigure()"). In the commit, check in the shmem_reconfigure() is added in remount process to avoid the Ubsan problem. However, the check is not added to the mount process. It causes inconsistent results between mount and remount. The operations to reproduce the problem in user mode as follows: If nr_blocks is set to 0x8000000000000000, the mounting is successful. # mount tmpfs /dev/shm/ -t tmpfs -o nr_blocks=0x8000000000000000 However, when -o remount is used, the mount fails because of the check in the shmem_reconfigure() # mount tmpfs /dev/shm/ -t tmpfs -o remount,nr_blocks=0x8000000000000000 mount: /dev/shm: mount point not mounted or bad option. Therefore, add checks in the shmem_parse_one() function and remove the check in shmem_reconfigure() to avoid this problem. Link: https://lkml.kernel.org/r/20220629124324.1640807-1-wangzhaolong1@huawei.com Signed-off-by: ZhaoLong Wang Cc: Luo Meng Cc: Hugh Dickins Cc: Yu Kuai Cc: Zhihao Cheng Cc: Zhang Yi Signed-off-by: Andrew Morton commit 07313a2b29ed1079eaa7722624544b97b3ead84b Author: Yee Lee Date: Tue Jun 28 19:37:11 2022 +0800 mm: kfence: apply kmemleak_ignore_phys on early allocated pool This patch solves two issues. (1) The pool allocated by memblock needs to unregister from kmemleak scanning. Apply kmemleak_ignore_phys to replace the original kmemleak_free as its address now is stored in the phys tree. (2) The pool late allocated by page-alloc doesn't need to unregister. Move out the freeing operation from its call path. Link: https://lkml.kernel.org/r/20220628113714.7792-2-yee.lee@mediatek.com Fixes: 0c24e061196c21d5 ("mm: kmemleak: add rbtree and store physical address for objects allocated with PA") Signed-off-by: Yee Lee Suggested-by: Catalin Marinas Reviewed-by: Catalin Marinas Suggested-by: Marco Elver Reviewed-by: Marco Elver Tested-by: Geert Uytterhoeven Signed-off-by: Andrew Morton commit 80e19f34c2887a8881084b7bb7480e9544d56b91 Merge: ff6992735ade7 85ff37e302efd Author: Linus Torvalds Date: Mon Jul 18 11:47:04 2022 -0700 Merge tag 'hte/for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux Pull hardware timestamp fix from Thierry Reding: "A single fix for an out-of-sync kerneldoc comment" * tag 'hte/for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux: gpiolib: cdev: Fix kernel doc for struct line commit 09073396ea62d0a10b03f5661dcabfd8eca3f098 Author: Mario Limonciello Date: Fri Jul 15 12:33:25 2022 -0500 ACPI: CPPC: Don't require flexible address space if X86_FEATURE_CPPC is supported Commit 0651ab90e4ad ("ACPI: CPPC: Check _OSC for flexible address space") changed _CPC probing to require flexible address space to be negotiated for CPPC to work. However it was observed that this caused a regression for Arek's ROG Zephyrus G15 GA503QM which previously CPPC worked, but now it stopped working. To avoid causing a regression waive this failure when the CPU is known to support CPPC. Cc: Pierre Gondois Link: https://bugzilla.kernel.org/show_bug.cgi?id=216248 Fixes: 0651ab90e4ad ("ACPI: CPPC: Check _OSC for flexible address space") Reported-and-tested-by: Arek Ruśniak Signed-off-by: Mario Limonciello Signed-off-by: Rafael J. Wysocki commit d8fa2fd791a72087c1ce3336fbeefec4057c37c8 Author: Przemyslaw Patynowski Date: Wed Jun 15 13:57:20 2022 -0400 iavf: Fix missing state logs Fix debug prints, by adding missing state prints. Extend iavf_state_str by strings for __IAVF_INIT_EXTENDED_CAPS and __IAVF_INIT_CONFIG_ADAPTER. Without this patch, when enabling debug prints for iavf.h, user will see: iavf 0000:06:0e.0: state transition from:__IAVF_INIT_GET_RESOURCES to:__IAVF_UNKNOWN_STATE iavf 0000:06:0e.0: state transition from:__IAVF_UNKNOWN_STATE to:__IAVF_UNKNOWN_STATE Fixes: 605ca7c5c670 ("iavf: Fix kernel BUG in free_msi_irqs") Signed-off-by: Przemyslaw Patynowski Signed-off-by: Jun Zhang Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen commit a9f49e0060301a9bfebeca76739158d0cf91cdf6 Author: Przemyslaw Patynowski Date: Fri Jun 24 17:33:01 2022 -0700 iavf: Fix handling of dummy receive descriptors Fix memory leak caused by not handling dummy receive descriptor properly. iavf_get_rx_buffer now sets the rx_buffer return value for dummy receive descriptors. Without this patch, when the hardware writes a dummy descriptor, iavf would not free the page allocated for the previous receive buffer. This is an unlikely event but can still happen. [Jesse: massaged commit message] Fixes: efa14c398582 ("iavf: allow null RX descriptors") Signed-off-by: Przemyslaw Patynowski Signed-off-by: Jesse Brandeburg Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen commit 4635fd3a9d77581498f34ab9a7e4bcc211bf0a4c Author: Przemyslaw Patynowski Date: Mon Jun 13 19:07:42 2022 -0400 iavf: Disallow changing rx/tx-frames and rx/tx-frames-irq Remove from supported_coalesce_params ETHTOOL_COALESCE_MAX_FRAMES and ETHTOOL_COALESCE_MAX_FRAMES_IRQ. As tx-frames-irq allowed user to change budget for iavf_clean_tx_irq, remove work_limit and use define for budget. Without this patch there would be possibility to change rx/tx-frames and rx/tx-frames-irq, which for rx/tx-frames did nothing, while for rx/tx-frames-irq it changed rx/tx-frames and only changed budget for cleaning NAPI poll. Fixes: fbb7ddfef253 ("i40evf: core ethtool functionality") Signed-off-by: Przemyslaw Patynowski Signed-off-by: Jun Zhang Tested-by: Marek Szlosek Signed-off-by: Tony Nguyen commit 968996c070ef080ee7d6150faa98a4e562ce4625 Author: Przemyslaw Patynowski Date: Fri Jun 10 14:15:54 2022 +0200 iavf: Fix VLAN_V2 addition/rejection Fix VLAN addition, so that PF driver does not reject whole VLAN batch. Add VLAN reject handling, so rejected VLANs, won't litter VLAN filter list. Fix handling of active_(c/s)vlans, so it will be possible to re-add VLAN filters for user. Without this patch, after changing trust to off, with VLAN filters saturated, no VLAN is added, due to PF rejecting addition. Fixes: 92fc50859872 ("iavf: Restrict maximum VLAN filters for VIRTCHNL_VF_OFFLOAD_VLAN_V2") Signed-off-by: Przemyslaw Patynowski Signed-off-by: Jedrzej Jagielski Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen commit e1aadbab445b06e072013a1365fd0cf2aa25e843 Author: xinhui pan Date: Fri Jul 8 09:22:44 2022 +0800 drm/amdgpu: Remove one duplicated ef removal That has been done in BO release notify. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2074 Signed-off-by: xinhui pan Acked-by: Christian König Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher commit 28a99e95f55c61855983d36a88c05c178d966bb7 Author: Peter Zijlstra Date: Mon Jul 18 13:41:37 2022 +0200 x86/amd: Use IBPB for firmware calls On AMD IBRS does not prevent Retbleed; as such use IBPB before a firmware call to flush the branch history state. And because in order to do an EFI call, the kernel maps a whole lot of the kernel page table into the EFI page table, do an IBPB just in case in order to prevent the scenario of poisoning the BTB and causing an EFI call using the unprotected RET there. [ bp: Massage. ] Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20220715194550.793957-1-cascardo@canonical.com commit c32349f3257f329a01e776e02b577bf7af97f30b Merge: c9f21106d97b5 7b02f40350f1b Author: David S. Miller Date: Mon Jul 18 12:44:37 2022 +0100 Merge branch 'dsa-docs' Vladimir Oltean says: ==================== Update DSA documentation These are some updates of dsa.rst, since it hasn't kept up with development (in some cases, even since 2017). I've added Fixes: tags as I thought was appropriate. ==================== Signed-off-by: David S. Miller commit 7b02f40350f1b8011f724a052dcb0849cffa6c38 Author: Vladimir Oltean Date: Sat Jul 16 21:53:44 2022 +0300 docs: net: dsa: mention that VLANs are now refcounted on shared ports The blamed commit updated the way in which VLANs are handled at the cross-chip notifier layer and didn't update the documentation to say that. Fix it. Fixes: 134ef2388e7f ("net: dsa: add explicit support for host bridge VLANs") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 6ba1a4aa5974f8a47e6322cecc965e6357b58d80 Author: Vladimir Oltean Date: Sat Jul 16 21:53:43 2022 +0300 docs: net: dsa: delete misinformation about -EOPNOTSUPP for FDB/MDB/VLAN Returning -EOPNOTSUPP does *NOT* mean anything special. port_vlan_add() is actually called from 2 code paths, one is vlan_vid_add() from 8021q module and the other is br_switchdev_port_vlan_add() from switchdev. The bridge has a wrapper __vlan_vid_add() which first tries via switchdev, then if that returns -EOPNOTSUPP, tries again via the VLAN RX filters in the 8021q module. But DSA doesn't distinguish between one call path and the other when calling the driver's port_vlan_add(), so if the driver returns -EOPNOTSUPP to switchdev, it also returns -EOPNOTSUPP to the 8021q module. And the latter is a hard error. port_fdb_add() is called from the deferred dsa_owq only, so obviously its return code isn't propagated anywhere, and cannot be interpreted in any way. The return code from port_mdb_add() is propagated to the bridge, but again, this doesn't do anything special when -EOPNOTSUPP is returned, but rather, br_switchdev_mdb_notify() returns void. Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit ea7006a7aaee54a8861e0bfd5cf6a8495fb998a7 Author: Vladimir Oltean Date: Sat Jul 16 21:53:42 2022 +0300 docs: net: dsa: re-explain what port_fdb_dump actually does Switchdev has changed radically from its initial implementation, and the currently provided definition is incorrect and very confusing. Rewrite it in light of what it actually does. Fixes: 2bedde1abbef ("net: dsa: Move FDB dump implementation inside DSA") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 4e9d9bb6df6b4ef87f217e81a8eb37c359400e2e Author: Vladimir Oltean Date: Sat Jul 16 21:53:41 2022 +0300 docs: net: dsa: add a section for address databases The given definition for what VID 0 represents in the current port_fdb_add and port_mdb_add is blatantly wrong. Delete it and explain the concepts surrounding DSA's understanding of FDB isolation. Fixes: c26933639b54 ("net: dsa: request drivers to perform FDB isolation") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 7f75d3dd4f5b00a1d3ef853f044a25b4cb55082a Author: Vladimir Oltean Date: Sat Jul 16 21:53:40 2022 +0300 docs: net: dsa: delete port_mdb_dump This was deleted in 2017, stop documenting it. Fixes: dc0cbff3ff9f ("net: dsa: Remove redundant MDB dump support") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit e465d507c76ce2552e1e08513f1d1ca8c4175e9c Author: Vladimir Oltean Date: Sat Jul 16 21:53:39 2022 +0300 docs: net: dsa: remove port_vlan_dump This was deleted in 2017, delete the obsolete documentation. Fixes: c069fcd82c57 ("net: dsa: Remove support for bypass bridge port attributes/vlan set") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 308362394850b680ef3e2cd548bfaa27fd120a4d Author: Vladimir Oltean Date: Sat Jul 16 21:53:38 2022 +0300 docs: net: dsa: remove port_bridge_tx_fwd_offload We've changed the API through which we can offload the bridge TX forwarding process. Update the documentation in light of the removal of 2 DSA switch ops. Fixes: b079922ba2ac ("net: dsa: add a "tx_fwd_offload" argument to ->port_bridge_join") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 0cb8682ebf5eedbfd71a8b212f23afc1aedfe1ba Author: Vladimir Oltean Date: Sat Jul 16 21:53:37 2022 +0300 docs: net: dsa: document port_fast_age The provided information about FDB flushing is not really up to date. The DSA core automatically calls port_fast_age() when necessary, and drivers should just implement that rather than hooking it to port_bridge_leave, port_stp_state_set and others. Fixes: 732f794c1baf ("net: dsa: add port fast ageing") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 3c87237ecd27fe5534f3324a4dccbce059c04e40 Author: Vladimir Oltean Date: Sat Jul 16 21:53:36 2022 +0300 docs: net: dsa: document port_setup and port_teardown These methods were added without being documented, fix that. Fixes: fd292c189a97 ("net: dsa: tear down devlink port regions when tearing down the devlink port on error") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit b763f50dc157c2796dded090fac3e05cb5147348 Author: Vladimir Oltean Date: Sat Jul 16 21:53:35 2022 +0300 docs: net: dsa: document the teardown method A teardown method was added to dsa_switch_ops without being documented. Do so now. Fixes: 5e3f847a02aa ("net: dsa: Add teardown callback for drivers") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit d6a0336addd47af8869953a480e44a63726fad8f Author: Vladimir Oltean Date: Sat Jul 16 21:53:34 2022 +0300 docs: net: dsa: document change_tag_protocol Support for changing the tagging protocol was added without this operation being documented; do so now. Fixes: 53da0ebaad10 ("net: dsa: allow changing the tag protocol via the "tagging" device attribute") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit c56313a42aaa0c353af6425aed63719823ccfc32 Author: Vladimir Oltean Date: Sat Jul 16 21:53:33 2022 +0300 docs: net: dsa: add more info about the other arguments to get_tag_protocol Changes were made to the prototype of get_tag_protocol without describing at a high level what they are about. Update the documentation to explain that. Fixes: 5ed4e3eb0217 ("net: dsa: Pass a port to get_tag_protocol()") Fixes: 4d776482ecc6 ("net: dsa: Get information about stacked DSA protocol") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit c3f0e84d10862b2b2ed927561f12fe0bf8033590 Author: Vladimir Oltean Date: Sat Jul 16 21:53:32 2022 +0300 docs: net: dsa: rename tag_protocol to get_tag_protocol Since the blamed commit, the enum was turned into a function pointer and also renamed. Update the documentation. Fixes: 7b314362a234 ("net: dsa: Allow the DSA driver to indicate the tag protocol") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 54367831c5d0ce273d82814f5fcb35c004f6a912 Author: Vladimir Oltean Date: Sat Jul 16 21:53:31 2022 +0300 docs: net: dsa: document the shutdown behavior Document the changes that took place in the DSA core in the blamed commit. Fixes: 0650bf52b31f ("net: dsa: be compatible with masters which unregister on shutdown") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 19b3b13c932fc8d613e50e3e92c1944f9fcc02c7 Author: Vladimir Oltean Date: Sat Jul 16 21:53:30 2022 +0300 docs: net: dsa: update probing documentation Since the blamed commit we don't have register_switch_driver() and unregister_switch_driver() anymore. Additionally, the expected dsa_register_switch() and dsa_unregister_switch() calls aren't documented. Update the probing section with the details of how things are currently done. Fixes: 93e86b3bc842 ("net: dsa: Remove legacy probing support") Signed-off-by: Vladimir Oltean Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit c9f21106d97b5056f36613792fe55284a9c5f75b Merge: 1e20904e41773 021266ec640c7 Author: David S. Miller Date: Mon Jul 18 12:21:54 2022 +0100 Merge branch 'net-ipv4-sysctl-races-part-3' Kuniyuki Iwashima says: ==================== sysctl: Fix data-races around ipv4_net_table (Round 3). This series fixes data-races around 21 knobs after igmp_link_local_mcast_reports in ipv4_net_table. These 4 knobs are skipped because they are safe. - tcp_congestion_control: Safe with RCU and xchg(). - tcp_available_congestion_control: Read only. - tcp_allowed_congestion_control: Safe with RCU and spinlock(). - tcp_fastopen_key: Safe with RCU and xchg() So, round 4 will start with fib_multipath_use_neigh. ==================== Signed-off-by: David S. Miller commit 021266ec640c7a4527e6cd4b7349a512b351de1d Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:55 2022 -0700 tcp: Fix data-races around sysctl_tcp_fastopen_blackhole_timeout. While reading sysctl_tcp_fastopen_blackhole_timeout, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: cf1ef3f0719b ("net/tcp_fastopen: Disable active side TFO in certain scenarios") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 5a54213318c43f4009ae158347aa6016e3b9b55a Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:54 2022 -0700 tcp: Fix data-races around sysctl_tcp_fastopen. While reading sysctl_tcp_fastopen, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 2100c8d2d9db ("net-tcp: Fast Open base") Signed-off-by: Kuniyuki Iwashima Acked-by: Yuchung Cheng Signed-off-by: David S. Miller commit 79539f34743d3e14cc1fa6577d326a82cc64d62f Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:53 2022 -0700 tcp: Fix data-races around sysctl_max_syn_backlog. While reading sysctl_max_syn_backlog, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit cbfc6495586a3f09f6f07d9fb3c7cafe807e3c55 Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:52 2022 -0700 tcp: Fix a data-race around sysctl_tcp_tw_reuse. While reading sysctl_tcp_tw_reuse, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 55be873695ed8912eb77ff46d1d1cadf028bd0f3 Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:51 2022 -0700 tcp: Fix a data-race around sysctl_tcp_notsent_lowat. While reading sysctl_tcp_notsent_lowat, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: c9bee3b7fdec ("tcp: TCP_NOTSENT_LOWAT socket option") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 39e24435a776e9de5c6dd188836cf2523547804b Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:50 2022 -0700 tcp: Fix data-races around some timeout sysctl knobs. While reading these sysctl knobs, they can be changed concurrently. Thus, we need to add READ_ONCE() to their readers. - tcp_retries1 - tcp_retries2 - tcp_orphan_retries - tcp_fin_timeout Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 46778cd16e6a5ad1b2e3a91f6c057c907379418e Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:49 2022 -0700 tcp: Fix data-races around sysctl_tcp_reordering. While reading sysctl_tcp_reordering, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 4177f545895b1da08447a80692f30617154efa6e Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:48 2022 -0700 tcp: Fix data-races around sysctl_tcp_migrate_req. While reading sysctl_tcp_migrate_req, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: f9ac779f881c ("net: Introduce net.ipv4.tcp_migrate_req.") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit f2e383b5bb6bbc60a0b94b87b3e49a2b1aefd11e Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:47 2022 -0700 tcp: Fix data-races around sysctl_tcp_syncookies. While reading sysctl_tcp_syncookies, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 20a3b1c0f603e8c55c3396abd12dfcfb523e4d3c Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:46 2022 -0700 tcp: Fix data-races around sysctl_tcp_syn(ack)?_retries. While reading sysctl_tcp_syn(ack)?_retries, they can be changed concurrently. Thus, we need to add READ_ONCE() to their readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit f2f316e287e6c2e3a1c5bab8d9b77ee03daa0463 Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:45 2022 -0700 tcp: Fix data-races around keepalive sysctl knobs. While reading sysctl_tcp_keepalive_(time|probes|intvl), they can be changed concurrently. Thus, we need to add READ_ONCE() to their readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 8ebcc62c738f68688ee7c6fec2efe5bc6d3d7e60 Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:44 2022 -0700 igmp: Fix data-races around sysctl_igmp_qrv. While reading sysctl_igmp_qrv, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. This test can be packed into a helper, so such changes will be in the follow-up series after net is merged into net-next. qrv ?: READ_ONCE(net->ipv4.sysctl_igmp_qrv); Fixes: a9fe8e29945d ("ipv4: implement igmp_qrv sysctl to tune igmp robustness variable") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 6ae0f2e553737b8cce49a1372573c81130ffa80e Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:43 2022 -0700 igmp: Fix data-races around sysctl_igmp_max_msf. While reading sysctl_igmp_max_msf, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 6305d821e3b9b5379d348528e5b5faf316383bc2 Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:42 2022 -0700 igmp: Fix a data-race around sysctl_igmp_max_memberships. While reading sysctl_igmp_max_memberships, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit f6da2267e71106474fbc0943dc24928b9cb79119 Author: Kuniyuki Iwashima Date: Fri Jul 15 10:17:41 2022 -0700 igmp: Fix data-races around sysctl_igmp_llm_reports. While reading sysctl_igmp_llm_reports, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. This test can be packed into a helper, so such changes will be in the follow-up series after net is merged into net-next. if (ipv4_is_local_multicast(pmc->multiaddr) && !READ_ONCE(net->ipv4.sysctl_igmp_llm_reports)) Fixes: df2cf4a78e48 ("IGMP: Inhibit reports for local multicast groups") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 41ef3c1a6bb0fd4a3f81170dd17de3adbff80783 Author: Mario Limonciello Date: Wed Jul 13 12:59:50 2022 -0500 pinctrl: Don't allow PINCTRL_AMD to be a module It was observed that by allowing pinctrl_amd to be loaded later in the boot process that interrupts sent to the GPIO controller early in the boot are not serviced. The kernel treats these as a spurious IRQ and disables the IRQ. This problem was exacerbated because it happened on a system with an encrypted partition so the kernel object was not accesssible for an extended period of time while waiting for a passphrase. To avoid this situation from occurring, stop allowing pinctrl-amd from being built as a module and instead require it to be built-in or disabled. Reported-by: madcatx@atlas.cz Suggested-by: jwrdegoede@fedoraproject.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=216230 Signed-off-by: Mario Limonciello Acked-by: Hans de Goede Link: https://lore.kernel.org/r/20220713175950.964-1-mario.limonciello@amd.com Signed-off-by: Linus Walleij commit 1e20904e417738066b26490de2daf7ef3ed34483 Author: Maksym Glubokiy Date: Fri Jul 15 15:55:50 2022 +0300 net: prestera: acl: use proper mask for port selector Adjusted as per packet processor documentation. This allows to properly match 'indev' for clsact rules. Fixes: 47327e198d42 ("net: prestera: acl: migrate to new vTCAM api") Signed-off-by: Maksym Glubokiy Signed-off-by: David S. Miller commit f08d8c1bb97c48f24a82afaa2fd8c140f8d3da8b Author: Tariq Toukan Date: Fri Jul 15 11:42:16 2022 +0300 net/tls: Fix race in TLS device down flow Socket destruction flow and tls_device_down function sync against each other using tls_device_lock and the context refcount, to guarantee the device resources are freed via tls_dev_del() by the end of tls_device_down. In the following unfortunate flow, this won't happen: - refcount is decreased to zero in tls_device_sk_destruct. - tls_device_down starts, skips the context as refcount is zero, going all the way until it flushes the gc work, and returns without freeing the device resources. - only then, tls_device_queue_ctx_destruction is called, queues the gc work and frees the context's device resources. Solve it by decreasing the refcount in the socket's destruction flow under the tls_device_lock, for perfect synchronization. This does not slow down the common likely destructor flow, in which both the refcount is decreased and the spinlock is acquired, anyway. Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") Reviewed-by: Maxim Mikityanskiy Signed-off-by: Tariq Toukan Reviewed-by: Jakub Kicinski Signed-off-by: David S. Miller commit 613b065ca32e90209024ec4a6bb5ca887ee70980 Author: Junxiao Chang Date: Fri Jul 15 15:47:01 2022 +0800 net: stmmac: fix dma queue left shift overflow issue When queue number is > 4, left shift overflows due to 32 bits integer variable. Mask calculation is wrong for MTL_RXQ_DMA_MAP1. If CONFIG_UBSAN is enabled, kernel dumps below warning: [ 10.363842] ================================================================== [ 10.363882] UBSAN: shift-out-of-bounds in /build/linux-intel-iotg-5.15-8e6Tf4/ linux-intel-iotg-5.15-5.15.0/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c:224:12 [ 10.363929] shift exponent 40 is too large for 32-bit type 'unsigned int' [ 10.363953] CPU: 1 PID: 599 Comm: NetworkManager Not tainted 5.15.0-1003-intel-iotg [ 10.363956] Hardware name: ADLINK Technology Inc. LEC-EL/LEC-EL, BIOS 0.15.11 12/22/2021 [ 10.363958] Call Trace: [ 10.363960] [ 10.363963] dump_stack_lvl+0x4a/0x5f [ 10.363971] dump_stack+0x10/0x12 [ 10.363974] ubsan_epilogue+0x9/0x45 [ 10.363976] __ubsan_handle_shift_out_of_bounds.cold+0x61/0x10e [ 10.363979] ? wake_up_klogd+0x4a/0x50 [ 10.363983] ? vprintk_emit+0x8f/0x240 [ 10.363986] dwmac4_map_mtl_dma.cold+0x42/0x91 [stmmac] [ 10.364001] stmmac_mtl_configuration+0x1ce/0x7a0 [stmmac] [ 10.364009] ? dwmac410_dma_init_channel+0x70/0x70 [stmmac] [ 10.364020] stmmac_hw_setup.cold+0xf/0xb14 [stmmac] [ 10.364030] ? page_pool_alloc_pages+0x4d/0x70 [ 10.364034] ? stmmac_clear_tx_descriptors+0x6e/0xe0 [stmmac] [ 10.364042] stmmac_open+0x39e/0x920 [stmmac] [ 10.364050] __dev_open+0xf0/0x1a0 [ 10.364054] __dev_change_flags+0x188/0x1f0 [ 10.364057] dev_change_flags+0x26/0x60 [ 10.364059] do_setlink+0x908/0xc40 [ 10.364062] ? do_setlink+0xb10/0xc40 [ 10.364064] ? __nla_validate_parse+0x4c/0x1a0 [ 10.364068] __rtnl_newlink+0x597/0xa10 [ 10.364072] ? __nla_reserve+0x41/0x50 [ 10.364074] ? __kmalloc_node_track_caller+0x1d0/0x4d0 [ 10.364079] ? pskb_expand_head+0x75/0x310 [ 10.364082] ? nla_reserve_64bit+0x21/0x40 [ 10.364086] ? skb_free_head+0x65/0x80 [ 10.364089] ? security_sock_rcv_skb+0x2c/0x50 [ 10.364094] ? __cond_resched+0x19/0x30 [ 10.364097] ? kmem_cache_alloc_trace+0x15a/0x420 [ 10.364100] rtnl_newlink+0x49/0x70 This change fixes MTL_RXQ_DMA_MAP1 mask issue and channel/queue mapping warning. Fixes: d43042f4da3e ("net: stmmac: mapping mtl rx to dma channel") BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=216195 Reported-by: Cedric Wassenaar Signed-off-by: Junxiao Chang Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 76c16d3e19446deea98b7883f261758b96b8781a Author: Wong Vee Khee Date: Thu Jul 14 15:54:27 2022 +0800 net: stmmac: switch to use interrupt for hw crosstimestamping Using current implementation of polling mode, there is high chances we will hit into timeout error when running phc2sys. Hence, update the implementation of hardware crosstimestamping to use the MAC interrupt service routine instead of polling for TSIS bit in the MAC Timestamp Interrupt Status register to be set. Cc: Richard Cochran Signed-off-by: Wong Vee Khee Signed-off-by: David S. Miller commit ba9c4745fca70bf773b2d5c602dcd85d1a40b07a Author: Horatiu Vultur Date: Wed Jul 13 21:37:50 2022 +0200 pinctrl: ocelot: Fix pincfg The blamed commit changed to use regmaps instead of __iomem. But it didn't update the register offsets to be at word offset, so it uses byte offset. Another issue with the same commit is that it has a limit of 32 registers which is incorrect. The sparx5 has 64 while lan966x has 77. Fixes: 076d9e71bcf8 ("pinctrl: ocelot: convert pinctrl to regmap") Acked-by: Colin Foster Reviewed-by: Andy Shevchenko Signed-off-by: Horatiu Vultur Link: https://lore.kernel.org/r/20220713193750.4079621-3-horatiu.vultur@microchip.com Signed-off-by: Linus Walleij commit dc62db7138aa9365480254dda4c3e1316b1b1bbc Author: Horatiu Vultur Date: Wed Jul 13 21:37:49 2022 +0200 pinctrl: ocelot: Fix pincfg for lan966x The blamed commit introduce support for lan966x which use the same pinconf_ops as sparx5. The problem is that pinconf_ops is specific to sparx5. More precisely the offset of the bits in the pincfg register are different and also lan966x doesn't have support for PIN_CONFIG_INPUT_SCHMITT_ENABLE. Fix this by making pinconf_ops more generic such that it can be also used by lan966x. This is done by introducing 'ocelot_pincfg_data' which contains the offset and what is supported for each SOC. Fixes: 531d6ab36571 ("pinctrl: ocelot: Extend support for lan966x") Signed-off-by: Horatiu Vultur Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220713193750.4079621-2-horatiu.vultur@microchip.com Signed-off-by: Linus Walleij commit dbd0da2453c694f2f74651834d90fb280b57f151 Author: Christian König Date: Fri Jul 15 09:57:22 2022 +0200 drm/ttm: fix locking in vmap/vunmap TTM GEM helpers I've stumbled over this while reviewing patches for DMA-buf and it looks like we completely messed the locking up here. In general most TTM function should only be called while holding the appropriate BO resv lock. Without this we could break the internal buffer object state here. Only compile tested! Signed-off-by: Christian König Fixes: 43676605f890 ("drm/ttm: Add vmap/vunmap to TTM and TTM GEM helpers") Cc: stable@vger.kernel.org Reviewed-by: Dmitry Osipenko Link: https://patchwork.freedesktop.org/patch/msgid/20220715111533.467012-1-christian.koenig@amd.com commit ef0324b6415db6742bd632dc0dfbb8fbc111473b Author: Michael Walle Date: Sat Mar 26 20:40:28 2022 +0100 ARM: dts: lan966x: fix sys_clk frequency The sys_clk frequency is 165.625MHz. The register reference of the Generic Clock controller lists the CPU clock as 600MHz, the DDR clock as 300MHz and the SYS clock as 162.5MHz. This is wrong. It was first noticed during the fan driver development and it was measured and verified via the CLK_MON output of the SoC which can be configured to output sys_clk/64. The core PLL settings (which drives the SYS clock) seems to be as follows: DIVF = 52 DIVQ = 3 DIVR = 1 With a refernce clock of 25MHz, this means we have a post divider clock Fpfd = Fref / (DIVR + 1) = 25MHz / (1 + 1) = 12.5MHz The resulting VCO frequency is then Fvco = Fpfd * (DIVF + 1) * 2 = 12.5MHz * (52 + 1) * 2 = 1325MHz And the output frequency is Fout = Fvco / 2^DIVQ = 1325MHz / 2^3 = 165.625Mhz This all adds up to the constrains of the PLL: 10MHz <= Fpfd <= 200MHz 20MHz <= Fout <= 1000MHz 1000MHz <= Fvco <= 2000MHz Fixes: 290deaa10c50 ("ARM: dts: add DT for lan966 SoC and 2-port board pcb8291") Signed-off-by: Michael Walle Reviewed-by: Kavyasree Kotagiri Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20220326194028.2945985-1-michael@walle.cc commit ff6992735ade75aae3e35d16b17da1008d753d28 Author: Linus Torvalds Date: Sun Jul 17 13:30:22 2022 -0700 Linux 5.19-rc7 commit 55ea9bd666887ed4159df38d1494c204246cf2bc Merge: f7f4da303dd89 ced7866db39fc Author: Linus Torvalds Date: Sun Jul 17 13:08:03 2022 -0700 Merge tag 'drm-intel-fixes-2022-07-17' of git://anongit.freedesktop.org/drm/drm-intel Pull intel drm build fix from Rodrigo Vivi: "Our 'dim' flow has a problem with fixes of fixes getting missed. We need to take a look on that later. Meanwhile, please allow me to quickly propagate this fix for the 32-bit build issue here upstream" * tag 'drm-intel-fixes-2022-07-17' of git://anongit.freedesktop.org/drm/drm-intel: drm/i915/ttm: fix 32b build commit f7f4da303dd8946228860e78bd7f36c2cc47a636 Merge: 2b18593e4b9f5 4b335e1e0d6f8 Author: Linus Torvalds Date: Sun Jul 17 12:42:57 2022 -0700 Merge tag 'perf-tools-fixes-for-v5.19-2022-07-17' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux Pull perf tools fixes from Arnaldo Carvalho de Melo: - Fix SIGSEGV when processing syscall args in perf.data files in 'perf trace' - Sync kvm, msr-index and cpufeatures headers with the kernel sources - Fix 'convert perf time to TSC' 'perf test': - No need to open events twice - Fix finding correct event on hybrid systems * tag 'perf-tools-fixes-for-v5.19-2022-07-17' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: perf trace: Fix SIGSEGV when processing syscall args perf tests: Fix Convert perf time to TSC test for hybrid perf tests: Stop Convert perf time to TSC test opening events twice tools arch x86: Sync the msr-index.h copy with the kernel sources tools headers cpufeatures: Sync with the kernel sources tools headers UAPI: Sync linux/kvm.h with the kernel sources commit ced7866db39fc5c59ee05e154d4abc0977a17f6b Author: Matthew Auld Date: Tue Jul 12 18:40:50 2022 +0100 drm/i915/ttm: fix 32b build Since segment_pages is no longer a compile time constant, it looks the DIV_ROUND_UP(node->size, segment_pages) breaks the 32b build. Simplest is just to use the ULL variant, but really we should need not need more than u32 for the page alignment (also we are limited by that due to the sg->length type), so also make it all u32. Reported-by: Ville Syrjälä Fixes: aff1e0b09b54 ("drm/i915/ttm: fix sg_table construction") Signed-off-by: Matthew Auld Cc: Nirmoy Das Reviewed-by: Nirmoy Das Link: https://patchwork.freedesktop.org/patch/msgid/20220712174050.592550-1-matthew.auld@intel.com (cherry picked from commit 9306b2b2dfce6931241ef804783692cee526599c) Signed-off-by: Rodrigo Vivi commit 2b18593e4b9f5781a7683fca256036515bd9b946 Merge: 59c80f053d504 68e3c69803dad Author: Linus Torvalds Date: Sun Jul 17 08:34:02 2022 -0700 Merge tag 'perf_urgent_for_v5.19_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fix from Borislav Petkov: - A single data race fix on the perf event cleanup path to avoid endless loops due to insufficient locking * tag 'perf_urgent_for_v5.19_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() commit 59c80f053d50467758c8284348b463fa820b1b1f Merge: 2eccaca7b62b2 bcf163150cd37 Author: Linus Torvalds Date: Sun Jul 17 08:27:30 2022 -0700 Merge tag 'x86_urgent_for_v5.19_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: - Improve the check whether the kernel supports WP mappings so that it can accomodate a XenPV guest due to how the latter is setting up the PAT machinery - Now that the retbleed nightmare is public, here's the first round of fallout fixes: * Fix a build failure on 32-bit due to missing include * Remove an untraining point in espfix64 return path * other small cleanups * tag 'x86_urgent_for_v5.19_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/bugs: Remove apostrophe typo um: Add missing apply_returns() x86/entry: Remove UNTRAIN_RET from native_irq_return_ldt x86/bugs: Mark retbleed_strings static x86/pat: Fix x86_has_pat_wp() x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit commit 2eccaca7b62b2836260c6fb22156a44e3d99a74a Merge: 8ad4b6fa0f874 7329b07172964 Author: Linus Torvalds Date: Sun Jul 17 07:58:19 2022 -0700 Merge tag 'gpio-fixes-for-v5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fix from Bartosz Golaszewski: - fix a configfs attribute of the gpio-sim module * tag 'gpio-fixes-for-v5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: sim: fix the chip_name configfs item commit 8ad4b6fa0f874ec8ec6e92a90116e3ab43cded6c Merge: 396df7005ba0f 2a96271fb66c4 Author: Linus Torvalds Date: Sun Jul 17 07:52:46 2022 -0700 Merge tag 'input-for-v5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input fixes from Dmitry Torokhov: - fix Goodix driver to properly behave on the Aya Neo Next - some more sanity checks in usbtouchscreen driver - a tweak in wm97xx driver in preparation for remove() to return void - a clarification in input core regarding units of measurement for resolution on touch events. * tag 'input-for-v5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: document the units for resolution of size axes Input: goodix - call acpi_device_fix_up_power() in some cases Input: wm97xx - make .remove() obviously always return 0 Input: usbtouchscreen - add driver_info sanity check commit 396df7005ba0f02646e96e05456a14b52e0f02f4 Merge: 972a278fe60c3 093d27bb6f2d1 Author: Linus Torvalds Date: Sun Jul 17 07:45:51 2022 -0700 Merge tag 'for-v5.19-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply Pull power supply fixes from Sebastian Reichel: - power-supply core temperature interpolation regression fix for incorrect boundaries - ab8500 needs to destroy its work queues in error paths - Fix old DT refcount leak in arm-versatile * tag 'for-v5.19-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply: power: supply: core: Fix boundary conditions in interpolation power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe power: supply: ab8500_fg: add missing destroy_workqueue in ab8500_fg_probe commit 4b335e1e0d6f8fa91dac615a44b123c9f26e93d3 Author: Naveen N. Rao Date: Thu Jul 7 14:39:00 2022 +0530 perf trace: Fix SIGSEGV when processing syscall args On powerpc, 'perf trace' is crashing with a SIGSEGV when trying to process a perf.data file created with 'perf trace record -p': #0 0x00000001225b8988 in syscall_arg__scnprintf_augmented_string at builtin-trace.c:1492 #1 syscall_arg__scnprintf_filename at builtin-trace.c:1492 #2 syscall_arg__scnprintf_filename at builtin-trace.c:1486 #3 0x00000001225bdd9c in syscall_arg_fmt__scnprintf_val at builtin-trace.c:1973 #4 syscall__scnprintf_args at builtin-trace.c:2041 #5 0x00000001225bff04 in trace__sys_enter at builtin-trace.c:2319 That points to the below code in tools/perf/builtin-trace.c: /* * If this is raw_syscalls.sys_enter, then it always comes with the 6 possible * arguments, even if the syscall being handled, say "openat", uses only 4 arguments * this breaks syscall__augmented_args() check for augmented args, as we calculate * syscall->args_size using each syscalls:sys_enter_NAME tracefs format file, * so when handling, say the openat syscall, we end up getting 6 args for the * raw_syscalls:sys_enter event, when we expected just 4, we end up mistakenly * thinking that the extra 2 u64 args are the augmented filename, so just check * here and avoid using augmented syscalls when the evsel is the raw_syscalls one. */ if (evsel != trace->syscalls.events.sys_enter) augmented_args = syscall__augmented_args(sc, sample, &augmented_args_size, trace->raw_augmented_syscalls_args_size); As the comment points out, we should not be trying to augment the args for raw_syscalls. However, when processing a perf.data file, we are not initializing those properly. Fix the same. Reported-by: Claudio Carvalho Signed-off-by: Naveen N. Rao Cc: Jiri Olsa Cc: Namhyung Kim Link: http://lore.kernel.org/lkml/20220707090900.572584-1-naveen.n.rao@linux.vnet.ibm.com Signed-off-by: Arnaldo Carvalho de Melo commit deb44a6249f696106645c63c0603eab08a6122af Author: Adrian Hunter Date: Wed Jul 13 15:34:59 2022 +0300 perf tests: Fix Convert perf time to TSC test for hybrid The test does not always correctly determine the number of events for hybrids, nor allow for more than 1 evsel when parsing. Fix by iterating the events actually created and getting the correct evsel for the events processed. Fixes: d9da6f70eb235110 ("perf tests: Support 'Convert perf time to TSC' test for hybrid") Reviewed-by: Kan Liang Signed-off-by: Adrian Hunter Cc: Ian Rogers Cc: Jin Yao Cc: Jiri Olsa Cc: Namhyung Kim Cc: Thomas Richter Link: https://lore.kernel.org/r/20220713123459.24145-3-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo commit 498c7a54f169b2699104d3060604d840424f15d2 Author: Adrian Hunter Date: Wed Jul 13 15:34:58 2022 +0300 perf tests: Stop Convert perf time to TSC test opening events twice Do not call evlist__open() twice. Fixes: 5bb017d4b97a0f13 ("perf test: Fix error message for test case 71 on s390, where it is not supported") Reviewed-by: Kan Liang Signed-off-by: Adrian Hunter Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Cc: Thomas Richter Link: https://lore.kernel.org/r/20220713123459.24145-2-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo commit 91d248c3b903b46a58cbc7e8d38d684d3e4007c2 Author: Arnaldo Carvalho de Melo Date: Thu Jul 1 13:32:18 2021 -0300 tools arch x86: Sync the msr-index.h copy with the kernel sources To pick up the changes from these csets: 4ad3278df6fe2b08 ("x86/speculation: Disable RRSBA behavior") d7caac991feeef1b ("x86/cpu/amd: Add Spectral Chicken") That cause no changes to tooling: $ tools/perf/trace/beauty/tracepoints/x86_msr.sh > before $ cp arch/x86/include/asm/msr-index.h tools/arch/x86/include/asm/msr-index.h $ tools/perf/trace/beauty/tracepoints/x86_msr.sh > after $ diff -u before after $ Just silences this perf build warning: Warning: Kernel ABI header at 'tools/arch/x86/include/asm/msr-index.h' differs from latest version at 'arch/x86/include/asm/msr-index.h' diff -u tools/arch/x86/include/asm/msr-index.h arch/x86/include/asm/msr-index.h Cc: Adrian Hunter Cc: Borislav Petkov Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Cc: Pawan Gupta Cc: Peter Zijlstra Link: https://lore.kernel.org/lkml/YtQTm9wsB3hxQWvy@kernel.org Signed-off-by: Arnaldo Carvalho de Melo commit f098addbdb44c8a565367f5162f3ab170ed9404a Author: Arnaldo Carvalho de Melo Date: Thu Jul 1 13:39:15 2021 -0300 tools headers cpufeatures: Sync with the kernel sources To pick the changes from: f43b9876e857c739 ("x86/retbleed: Add fine grained Kconfig knobs") a149180fbcf336e9 ("x86: Add magic AMD return-thunk") 15e67227c49a5783 ("x86: Undo return-thunk damage") 369ae6ffc41a3c11 ("x86/retpoline: Cleanup some #ifdefery") 4ad3278df6fe2b08 x86/speculation: Disable RRSBA behavior 26aae8ccbc197223 x86/cpu/amd: Enumerate BTC_NO 9756bba28470722d x86/speculation: Fill RSB on vmexit for IBRS 3ebc170068885b6f x86/bugs: Add retbleed=ibpb 2dbb887e875b1de3 x86/entry: Add kernel IBRS implementation 6b80b59b35557065 x86/bugs: Report AMD retbleed vulnerability a149180fbcf336e9 x86: Add magic AMD return-thunk 15e67227c49a5783 x86: Undo return-thunk damage a883d624aed463c8 x86/cpufeatures: Move RETPOLINE flags to word 11 51802186158c74a0 x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug This only causes these perf files to be rebuilt: CC /tmp/build/perf/bench/mem-memcpy-x86-64-asm.o CC /tmp/build/perf/bench/mem-memset-x86-64-asm.o And addresses this perf build warning: Warning: Kernel ABI header at 'tools/arch/x86/include/asm/cpufeatures.h' differs from latest version at 'arch/x86/include/asm/cpufeatures.h' diff -u tools/arch/x86/include/asm/cpufeatures.h arch/x86/include/asm/cpufeatures.h Warning: Kernel ABI header at 'tools/arch/x86/include/asm/disabled-features.h' differs from latest version at 'arch/x86/include/asm/disabled-features.h' diff -u tools/arch/x86/include/asm/disabled-features.h arch/x86/include/asm/disabled-features.h Cc: Adrian Hunter Cc: Borislav Petkov Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra commit eee51fe38e372b89317f3950d2dc3e3ea7bace12 Author: Arnaldo Carvalho de Melo Date: Sun May 9 09:39:02 2021 -0300 tools headers UAPI: Sync linux/kvm.h with the kernel sources To pick the changes in: 1b870fa5573e260b ("kvm: stats: tell userspace which values are boolean") That just rebuilds perf, as these patches don't add any new KVM ioctl to be harvested for the the 'perf trace' ioctl syscall argument beautifiers. This is also by now used by tools/testing/selftests/kvm/, a simple test build succeeded. This silences this perf build warning: Warning: Kernel ABI header at 'tools/include/uapi/linux/kvm.h' differs from latest version at 'include/uapi/linux/kvm.h' diff -u tools/include/uapi/linux/kvm.h include/uapi/linux/kvm.h Cc: Adrian Hunter Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Cc: Paolo Bonzini Link: http://lore.kernel.org/lkml/YtQLDvQrBhJNl3n5@kernel.org Signed-off-by: Arnaldo Carvalho de Melo commit 972a278fe60c361eb8f37619f562f092e8786d7c Merge: c5fe7a97f20c7 088aea3b97e0a Author: Linus Torvalds Date: Sat Jul 16 13:48:55 2022 -0700 Merge tag 'for-5.19-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs reverts from David Sterba: "Due to a recent report [1] we need to revert the radix tree to xarray conversion patches. There's a problem with sleeping under spinlock, when xa_insert could allocate memory under pressure. We use GFP_NOFS so this is a real problem that we unfortunately did not discover during review. I'm sorry to do such change at rc6 time but the revert is IMO the safer option, there are patches to use mutex instead of the spin locks but that would need more testing. The revert branch has been tested on a few setups, all seem ok. The conversion to xarray will be revisited in the future" Link: https://lore.kernel.org/linux-btrfs/cover.1657097693.git.fdmanana@suse.com/ [1] * tag 'for-5.19-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: Revert "btrfs: turn delayed_nodes_tree into an XArray" Revert "btrfs: turn name_cache radix tree into XArray in send_ctx" Revert "btrfs: turn fs_info member buffer_radix into XArray" Revert "btrfs: turn fs_roots_radix in btrfs_fs_info into an XArray" commit c5fe7a97f20c7f3070ac870144515c0fabc6b999 Merge: 6bca047ecd675 355bf2e036c95 Author: Linus Torvalds Date: Sat Jul 16 11:45:40 2022 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Six small and reasonably obvious fixes, all in drivers" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: pm80xx: Set stopped phy's linkrate to Disabled scsi: pm80xx: Fix 'Unknown' max/min linkrate scsi: ufs: core: Fix missing clk change notification on host reset scsi: ufs: core: Drop loglevel of WriteBoost message scsi: megaraid: Clear READ queue map's nr_queues scsi: target: Fix WRITE_SAME No Data Buffer crash commit 6bca047ecd675325eca4bc0753ef91864954bd3d Merge: 9ed714dbd5746 957a2b345cbcf Author: Linus Torvalds Date: Sat Jul 16 11:40:10 2022 -0700 Merge tag 'block-5.19-2022-07-15' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Two NVMe fixes, and a regression fix for the core block layer from this merge window" * tag 'block-5.19-2022-07-15' of git://git.kernel.dk/linux-block: block: fix missing blkcg_bio_issue_init nvme: fix block device naming collision nvme-pci: fix freeze accounting for error handling commit 9ed714dbd574663c1fcb01dde07e949fe7473fa8 Merge: 8c91723ac9c60 3486af89dd3c0 Author: Linus Torvalds Date: Sat Jul 16 11:21:15 2022 -0700 Merge tag 'usb-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB driver fixes from Greg KH: "Here are some small USB driver fixes and new device ids for 5.19-rc7. They include: - new usb-serial driver ids - typec uevent fix - uvc gadget driver fix - dwc3 driver fixes - ehci-fsl driver fix All of these have been in linux-next for a while with no reported issues" * tag 'usb-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: USB: serial: ftdi_sio: add Belimo device ids drivers/usb/host/ehci-fsl: Fix interrupt setup in host mode. usb: gadget: uvc: fix changing interface name via configfs usb: typec: add missing uevent when partner support PD usb: dwc3-am62: remove unnecesary clk_put() usb: dwc3: gadget: Fix event pending check commit 8c91723ac9c60840e3a9819e5f767af3e7ca2660 Merge: c658cabbfd325 a501ab75e7624 Author: Linus Torvalds Date: Sat Jul 16 11:11:56 2022 -0700 Merge tag 'tty-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty and serial driver fixes from Greg KH: "Here are some TTY and Serial driver fixes for 5.19-rc7. They resolve a number of reported problems including: - longtime bug in pty_write() that has been reported in the past. - 8250 driver fixes - new serial device ids - vt overlapping data copy bugfix - other tiny serial driver bugfixes All of these have been in linux-next for a while with no reported problems" * tag 'tty-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() serial: 8250: dw: Fix the macro RZN1_UART_xDMACR_8_WORD_BURST vt: fix memory overlapping when deleting chars in the buffer serial: mvebu-uart: correctly report configured baudrate value serial: 8250: Fix PM usage_count for console handover serial: 8250: fix return error code in serial8250_request_std_resource() serial: stm32: Clear prev values before setting RTS delays tty: Add N_CAN327 line discipline ID for ELM327 based CAN driver serial: 8250: Fix __stop_tx() & DMA Tx restart races serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle tty: serial: samsung_tty: set dma burst_size to 1 serial: 8250: dw: enable using pdata with ACPI commit c658cabbfd32527060c2367f405bafb4e5815c6e Merge: ab6efe68a7367 2f23256c0ea20 Author: Linus Torvalds Date: Sat Jul 16 11:00:40 2022 -0700 Merge tag 's390-5.19-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Alexander Gordeev: - Fix building of out-of-tree kernel modules without a pre-built kernel in case CONFIG_EXPOLINE_EXTERN=y. - Fix a reference counting error that could prevent unloading of zcrypt modules. * tag 's390-5.19-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/ap: fix error handling in __verify_queue_reservations() s390/nospec: remove unneeded header includes s390/nospec: build expoline.o for modules_prepare target commit ab6efe68a736748cf922a7641751583a3c783cb1 Merge: 16c957f089d52 5a5adb1528e59 Author: Linus Torvalds Date: Sat Jul 16 10:56:28 2022 -0700 Merge tag 'pm-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki "Fix recent regression in the cpufreq mediatek driver related to incorrect handling of regulator_get_optional() return value (AngeloGioacchino Del Regno)" * tag 'pm-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq: mediatek: Handle sram regulator probe deferral commit 16c957f089d520893b0b08e06641329fbcec492d Merge: be9b7b6acfeae fbd74d16890b9 Author: Linus Torvalds Date: Sat Jul 16 10:52:41 2022 -0700 Merge tag 'acpi-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fix from Rafael Wysocki: "Fix more fallout from recent changes of the ACPI CPPC handling on AMD platforms (Mario Limonciello)" * tag 'acpi-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: CPPC: Fix enabling CPPC on AMD systems with shared memory commit be9b7b6acfeae47778f829d9d176ab1f9269593e Merge: 829d680e82a96 1ac8ec2731a5a Author: Linus Torvalds Date: Sat Jul 16 10:46:03 2022 -0700 Merge tag 'printk-for-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux Pull printk fix from Petr Mladek: - Make pr_flush() fast when consoles are suspended. * tag 'printk-for-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/printk/linux: printk: do not wait for consoles when suspended commit 829d680e82a961c5370d9636130b43009ac36eb8 Author: Jason A. Donenfeld Date: Wed Jul 13 17:11:15 2022 +0200 random: cap jitter samples per bit to factor of HZ Currently the jitter mechanism will require two timer ticks per iteration, and it requires N iterations per bit. This N is determined with a small measurement, and if it's too big, it won't waste time with jitter entropy because it'd take too long or not have sufficient entropy anyway. With the current max N of 32, there are large timeouts on systems with a small CONFIG_HZ. Rather than set that maximum to 32, instead choose a factor of CONFIG_HZ. In this case, 1/30 seems to yield sane values for different configurations of CONFIG_HZ. Reported-by: Vladimir Murzin Fixes: 78c768e619fb ("random: vary jitter iterations based on cycle counter speed") Signed-off-by: Jason A. Donenfeld Tested-by: Vladimir Murzin Signed-off-by: Linus Torvalds commit 51a6fa0732d6be6a44e0032752ad2ac10d67c796 Author: Thadeu Lima de Souza Cascardo Date: Fri Jul 15 16:45:50 2022 -0300 efi/x86: use naked RET on mixed mode call wrapper When running with return thunks enabled under 32-bit EFI, the system crashes with: kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle page fault for address: 000000005bc02900 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0011) - permissions violation PGD 18f7063 P4D 18f7063 PUD 18ff063 PMD 190e063 PTE 800000005bc02063 Oops: 0011 [#1] PREEMPT SMP PTI CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.19.0-rc6+ #166 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:0x5bc02900 Code: Unable to access opcode bytes at RIP 0x5bc028d6. RSP: 0018:ffffffffb3203e10 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000048 RDX: 000000000190dfac RSI: 0000000000001710 RDI: 000000007eae823b RBP: ffffffffb3203e70 R08: 0000000001970000 R09: ffffffffb3203e28 R10: 747563657865206c R11: 6c6977203a696665 R12: 0000000000001710 R13: 0000000000000030 R14: 0000000001970000 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8e013ca00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0018 ES: 0018 CR0: 0000000080050033 CR2: 000000005bc02900 CR3: 0000000001930000 CR4: 00000000000006f0 Call Trace: ? efi_set_virtual_address_map+0x9c/0x175 efi_enter_virtual_mode+0x4a6/0x53e start_kernel+0x67c/0x71e x86_64_start_reservations+0x24/0x2a x86_64_start_kernel+0xe9/0xf4 secondary_startup_64_no_verify+0xe5/0xeb That's because it cannot jump to the return thunk from the 32-bit code. Using a naked RET and marking it as safe allows the system to proceed booting. Fixes: aa3d480315ba ("x86: Use return-thunk in asm code") Reported-by: Guenter Roeck Signed-off-by: Thadeu Lima de Souza Cascardo Cc: Peter Zijlstra (Intel) Cc: Borislav Petkov Cc: Josh Poimboeuf Cc: Tested-by: Guenter Roeck Signed-off-by: Linus Torvalds commit 4ca8ca873d454635c20d508261bfc0081af75cf8 Author: Robert Hancock Date: Tue Jun 14 17:29:19 2022 -0600 i2c: cadence: Change large transfer count reset logic to be unconditional Problems were observed on the Xilinx ZynqMP platform with large I2C reads. When a read of 277 bytes was performed, the controller NAKed the transfer after only 252 bytes were transferred and returned an ENXIO error on the transfer. There is some code in cdns_i2c_master_isr to handle this case by resetting the transfer count in the controller before it reaches 0, to allow larger transfers to work, but it was conditional on the CDNS_I2C_BROKEN_HOLD_BIT quirk being set on the controller, and ZynqMP uses the r1p14 version of the core where this quirk is not being set. The requirement to do this to support larger reads seems like an inherently required workaround due to the core only having an 8-bit transfer size register, so it does not appear that this should be conditional on the broken HOLD bit quirk which is used elsewhere in the driver. Remove the dependency on the CDNS_I2C_BROKEN_HOLD_BIT for this transfer size reset logic to fix this problem. Fixes: 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq Ultrascale+ MPSoC") Signed-off-by: Robert Hancock Reviewed-by: Shubhrajyoti Datta Acked-by: Michal Simek Signed-off-by: Wolfram Sang commit 824a826e2e767ae1051a4c5c8ea44ec7a0c1dd26 Author: Flavio Suligoi Date: Fri Jul 15 15:42:18 2022 +0200 i2c: imx: fix typo in comment to provid --> to provide Signed-off-by: Flavio Suligoi Acked-by: Oleksij Rempel Signed-off-by: Wolfram Sang commit e1f77ecc75aaee6bed04e8fd7830e00032af012e Author: Vadim Pasternak Date: Wed Jul 13 12:14:05 2022 +0300 i2c: mlxcpld: Fix register setting for 400KHz frequency Fix setting of 'Half Cycle' register for 400KHz frequency. Fixes: fa1049135c15 ("i2c: mlxcpld: Modify register setting for 400KHz frequency") Signed-off-by: Vadim Pasternak Signed-off-by: Wolfram Sang commit bcf163150cd37348a0cb59e95c916a83a9344b0e Author: Kim Phillips Date: Fri Jul 8 16:21:28 2022 -0500 x86/bugs: Remove apostrophe typo Remove a superfluous ' in the mitigation string. Fixes: e8ec1b6e08a2 ("x86/bugs: Enable STIBP for JMP2RET") Signed-off-by: Kim Phillips Signed-off-by: Borislav Petkov commit 11052589cf5c0bab3b4884d423d5f60c38fcf25d Author: Kuniyuki Iwashima Date: Wed Jul 13 10:52:07 2022 -0700 tcp/udp: Make early_demux back namespacified. Commit e21145a9871a ("ipv4: namespacify ip_early_demux sysctl knob") made it possible to enable/disable early_demux on a per-netns basis. Then, we introduced two knobs, tcp_early_demux and udp_early_demux, to switch it for TCP/UDP in commit dddb64bcb346 ("net: Add sysctl to toggle early demux for tcp and udp"). However, the .proc_handler() was wrong and actually disabled us from changing the behaviour in each netns. We can execute early_demux if net.ipv4.ip_early_demux is on and each proto .early_demux() handler is not NULL. When we toggle (tcp|udp)_early_demux, the change itself is saved in each netns variable, but the .early_demux() handler is a global variable, so the handler is switched based on the init_net's sysctl variable. Thus, netns (tcp|udp)_early_demux knobs have nothing to do with the logic. Whether we CAN execute proto .early_demux() is always decided by init_net's sysctl knob, and whether we DO it or not is by each netns ip_early_demux knob. This patch namespacifies (tcp|udp)_early_demux again. For now, the users of the .early_demux() handler are TCP and UDP only, and they are called directly to avoid retpoline. So, we can remove the .early_demux() handler from inet6?_protos and need not dereference them in ip6?_rcv_finish_core(). If another proto needs .early_demux(), we can restore it at that time. Fixes: dddb64bcb346 ("net: Add sysctl to toggle early demux for tcp and udp") Signed-off-by: Kuniyuki Iwashima Link: https://lore.kernel.org/r/20220713175207.7727-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski commit df254d4508f96f298be8aff08da4d7e33d8584a0 Merge: a14bd7475452c 7c1ddcee5311f Author: Jakub Kicinski Date: Fri Jul 15 16:45:29 2022 -0700 Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2022-07-14 This series contains updates to e1000e and igc drivers. Sasha re-enables GPT clock when exiting s0ix to prevent hardware unit hang and reverts a workaround for this issue on e1000e. Lennert Buytenhek restores checks for removed device while accessing registers to prevent NULL pointer dereferences for igc. * '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue: igc: Reinstate IGC_REMOVED logic and implement it properly Revert "e1000e: Fix possible HW unit hang after an s0ix exit" e1000e: Enable GPT clock before sending message to CSME ==================== Link: https://lore.kernel.org/r/20220714175857.933537-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit a14bd7475452c51835dd5a0cee4c8fa48dd0b539 Author: Liang He Date: Thu Jul 14 23:31:38 2022 +0800 net: dsa: microchip: ksz_common: Fix refcount leak bug In ksz_switch_register(), we should call of_node_put() for the reference returned by of_get_child_by_name() which has increased the refcount. Fixes: 912aae27c6af ("net: dsa: microchip: really look for phy-mode in port nodes") Signed-off-by: Liang He Reviewed-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220714153138.375919-1-windhl@126.com Signed-off-by: Jakub Kicinski commit 9b59ec8d50a1f28747ceff9a4f39af5deba9540e Merge: a8ebfcd33caf2 7fccd72391270 Author: Linus Torvalds Date: Fri Jul 15 10:40:50 2022 -0700 Merge tag 'riscv-for-linus-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: - A fix to avoid printing a warning when modules do not exercise any errata-dependent behavior and the SiFive errata are enabled. - A fix to the Microchip PFSOC to attach the L2 cache to the CPU nodes. * tag 'riscv-for-linus-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: don't warn for sifive erratas in modules riscv: dts: microchip: hook up the mpfs' l2cache commit a8ebfcd33caf29592957229c8350f67b48b8efce Merge: 1ce9d792e8ef2 79629181607e8 Author: Linus Torvalds Date: Fri Jul 15 10:31:46 2022 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fixes from Paolo Bonzini: "RISC-V: - Fix missing PAGE_PFN_MASK - Fix SRCU deadlock caused by kvm_riscv_check_vcpu_requests() x86: - Fix for nested virtualization when TSC scaling is active - Estimate the size of fastcc subroutines conservatively, avoiding disastrous underestimation when return thunks are enabled - Avoid possible use of uninitialized fields of 'struct kvm_lapic_irq' Generic: - Mark as such the boolean values available from the statistics file descriptors - Clarify statistics documentation" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: emulate: do not adjust size of fastop and setcc subroutines KVM: x86: Fully initialize 'struct kvm_lapic_irq' in kvm_pv_kick_cpu_op() Documentation: kvm: clarify histogram units kvm: stats: tell userspace which values are boolean x86/kvm: fix FASTOP_SIZE when return thunks are enabled KVM: nVMX: Always enable TSC scaling for L2 when it was enabled for L1 RISC-V: KVM: Fix SRCU deadlock caused by kvm_riscv_check_vcpu_requests() riscv: Fix missing PAGE_PFN_MASK commit 1ce9d792e8ef286ed03b151b9bdfcd921e04a988 Merge: 8006112d6c413 fac47b43c760e Author: Linus Torvalds Date: Fri Jul 15 10:27:28 2022 -0700 Merge tag 'ceph-for-5.19-rc7' of https://github.com/ceph/ceph-client Pull ceph fix from Ilya Dryomov: "A folio locking fixup that Xiubo and David cooperated on, marked for stable. Most of it is in netfs but I picked it up into ceph tree on agreement with David" * tag 'ceph-for-5.19-rc7' of https://github.com/ceph/ceph-client: netfs: do not unlock and put the folio twice commit 8006112d6c4137bc48ca723261198c63d9e6d38a Merge: 1c49f281c9b78 73d5fe0462702 Author: Linus Torvalds Date: Fri Jul 15 10:23:43 2022 -0700 Merge tag 'spi-fix-v5.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "A few driver specific fixes, none especially remarkable, plus a MAINTAINERS file update due to the previous maintainer for the NXP FSPI driver having left the company" * tag 'spi-fix-v5.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: cadence-quadspi: Remove spi_master_put() in probe failure path MAINTAINERS: change the NXP FSPI driver maintainer. spi: amd: Limit max transfer and message size spi: aspeed: Fix division by zero spi: aspeed: Add dev_dbg() to dump the spi-mem direct mapping descriptor commit 1c49f281c9b78da9c0f0d7a8965c26fb46e71a53 Merge: 2a347a06ebb1b d332a1f6b4c4b Author: Linus Torvalds Date: Fri Jul 15 10:16:44 2022 -0700 Merge tag 'soc-fixes-5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "Most of the contents are bugfixes for the devicetree files: - A Qualcomm MSM8974 pin controller regression, caused by a cleanup patch that gets partially reverted here. - Missing properties for Broadcom BCM49xx to fix timer detection and SMP boot. - Fix touchscreen pinctrl for imx6ull-colibri board - Multiple fixes for Rockchip rk3399 based machines including the vdu clock-rate fix, otg port fix on Quartz64-A and ethernet on Quartz64-B - Fixes for misspelled DT contents causing minor problems on imx6qdl-ts7970m, orangepi-zero, sama5d2, kontron-kswitch-d10, and ls1028a And a couple of changes elsewhere: - Fix binding for Allwinner D1 display pipeline - Trivial code fixes to the TEE and reset controller driver subsystems and the rockchip platform code. - Multiple updates to the MAINTAINERS files, marking the Palm Treo support as orphaned, and fixing some entries for added or changed file names" * tag 'soc-fixes-5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (21 commits) arm64: dts: broadcom: bcm4908: Fix cpu node for smp boot arm64: dts: broadcom: bcm4908: Fix timer node for BCM4906 SoC ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero ARM: dts: at91: sama5d2: Fix typo in i2s1 node tee: tee_get_drvdata(): fix description of return value optee: Remove duplicate 'of' in two places. ARM: dts: kswitch-d10: use open drain mode for coma-mode pins ARM: dts: colibri-imx6ull: fix snvs pinmux group optee: smc_abi.c: fix wrong pointer passed to IS_ERR/PTR_ERR() MAINTAINERS: add polarfire rng, pci and clock drivers MAINTAINERS: mark ARM/PALM TREO SUPPORT orphan ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count arm64: dts: ls1028a: Update SFP node to include clock dt-bindings: display: sun4i: Fix D1 pipeline count ARM: dts: qcom: msm8974: re-add missing pinctrl reset: Fix devm bulk optional exclusive control getter MAINTAINERS: rectify entry for SYNOPSYS AXS10x RESET CONTROLLER DRIVER ARM: rockchip: Add missing of_node_put() in rockchip_suspend_init() arm64: dts: rockchip: Assign RK3399 VDU clock rate arm64: dts: rockchip: Fix Quartz64-A dwc3 otg port behavior ... commit 088aea3b97e0ae5a2a86f5d142ad10fec8a1b80f Author: David Sterba Date: Fri Jul 15 13:59:45 2022 +0200 Revert "btrfs: turn delayed_nodes_tree into an XArray" This reverts commit 253bf57555e451dec5a7f09dc95d380ce8b10e5b. Revert the xarray conversion, there's a problem with potential sleep-inside-spinlock [1] when calling xa_insert that triggers GFP_NOFS allocation. The radix tree used the preloading mechanism to avoid sleeping but this is not available in xarray. Conversion from spin lock to mutex is possible but at time of rc6 is riskier than a clean revert. [1] https://lore.kernel.org/linux-btrfs/cover.1657097693.git.fdmanana@suse.com/ Reported-by: Filipe Manana Signed-off-by: David Sterba commit 5b8418b84303d9a0a0f7f28d6eaed915247ebdc3 Author: David Sterba Date: Fri Jul 15 13:59:38 2022 +0200 Revert "btrfs: turn name_cache radix tree into XArray in send_ctx" This reverts commit 4076942021fe14efecae33bf98566df6dd5ae6f7. Revert the xarray conversion, there's a problem with potential sleep-inside-spinlock [1] when calling xa_insert that triggers GFP_NOFS allocation. The radix tree used the preloading mechanism to avoid sleeping but this is not available in xarray. Conversion from spin lock to mutex is possible but at time of rc6 is riskier than a clean revert. [1] https://lore.kernel.org/linux-btrfs/cover.1657097693.git.fdmanana@suse.com/ Reported-by: Filipe Manana Signed-off-by: David Sterba commit 01cd390903e00c8f42ba0e84f25a70e3d613a15c Author: David Sterba Date: Fri Jul 15 13:59:31 2022 +0200 Revert "btrfs: turn fs_info member buffer_radix into XArray" This reverts commit 8ee922689d67b7cfa6acbe2aa1ee76ac72e6fc8a. Revert the xarray conversion, there's a problem with potential sleep-inside-spinlock [1] when calling xa_insert that triggers GFP_NOFS allocation. The radix tree used the preloading mechanism to avoid sleeping but this is not available in xarray. Conversion from spin lock to mutex is possible but at time of rc6 is riskier than a clean revert. [1] https://lore.kernel.org/linux-btrfs/cover.1657097693.git.fdmanana@suse.com/ Reported-by: Filipe Manana Signed-off-by: David Sterba commit fc7cbcd4890e297de5d6487e04344a99b39de9be Author: David Sterba Date: Fri Jul 15 13:59:21 2022 +0200 Revert "btrfs: turn fs_roots_radix in btrfs_fs_info into an XArray" This reverts commit 48b36a602a335c184505346b5b37077840660634. Revert the xarray conversion, there's a problem with potential sleep-inside-spinlock [1] when calling xa_insert that triggers GFP_NOFS allocation. The radix tree used the preloading mechanism to avoid sleeping but this is not available in xarray. Conversion from spin lock to mutex is possible but at time of rc6 is riskier than a clean revert. [1] https://lore.kernel.org/linux-btrfs/cover.1657097693.git.fdmanana@suse.com/ Reported-by: Filipe Manana Signed-off-by: David Sterba commit 2a347a06ebb1b186a5cb919c9f5ab6e040554be7 Merge: 339f74e38f53c 5ad26161a371e Author: Linus Torvalds Date: Fri Jul 15 10:12:22 2022 -0700 Merge tag 'platform-drivers-x86-v5.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fixes from Hans de Goede: "Highlights: - Fix brightness key events getting reported twice on some Dells. Regression caused by recent Panasonic hotkey fixes - Fix poweroff no longer working on some devices regression caused by recent poweroff handler rework - Mark new (in 5.19) Intel IFS driver as broken, because of some issues surrounding the userspace (sysfs) API which need to be cleared up - Some hardware-id / quirk additions" * tag 'platform-drivers-x86-v5.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: ACPI: video: Fix acpi_video_handles_brightness_key_presses() platform/x86: intel_atomisp2_led: Also turn off the always-on camera LED on the Asus T100TAF platform/x86/intel/ifs: Mark as BROKEN platform/x86: asus-wmi: Add key mappings efi: Fix efi_power_off() not being run before acpi_power_off() when necessary platform/x86: x86-android-tablets: Fix Lenovo Yoga Tablet 2 830/1050 poweroff again platform/x86: gigabyte-wmi: add support for B660I AORUS PRO DDR4 platform/x86/amd/pmc: Add new platform support platform/x86/amd/pmc: Add new acpi id for PMC controller commit 339f74e38f53c83b5715abd28f7002b66731d917 Merge: fcd1b2b9c7b08 166d386323166 Author: Linus Torvalds Date: Fri Jul 15 10:00:49 2022 -0700 Merge tag 'for-linus-5.19a-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fix from Juergen Gross: "Fix for the Xen gntdev driver causing inappropriate WARN() messages" * tag 'for-linus-5.19a-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE commit fcd1b2b9c7b085e9c200f73c079b322eb8c666f9 Merge: 862161e8af0db 093f8d8f10aa2 Author: Linus Torvalds Date: Fri Jul 15 09:56:24 2022 -0700 Merge tag 'drm-fixes-2022-07-15' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "This is the regular fixes pull for this week. This has a bunch of amdgpu fixes, major one reverts the buddy allocator until it can be tested more, otherwise just small ones, then i915 has a bunch of fixes. The outstanding firmware regressions reported by phoronix will hopefully be dealt with ASAP. amdgpu: - revert buddy allocator support for now - DP MST blank screen fix for specific platforms - MEC firmware check fix for GC 10.3.7 - Deep color fix for DCE - Fix possible divide by 0 - Coverage blend mode fix - Fix cursor only commit timestamps i915: - Selftest fix - TTM fix sg_table construction - Error return fixes - Fix a performance regression related to waitboost - Fix GT resets" * tag 'drm-fixes-2022-07-15' of git://anongit.freedesktop.org/drm/drm: drm/amd/display: Ensure valid event timestamp for cursor-only commits drm/amd/display: correct check of coverage blend mode drm/amd/pm: Prevent divide by zero drm/amd/display: Only use depth 36 bpp linebuffers on DCN display engines. drm/amdkfd: correct the MEC atomic support firmware checking for GC 10.3.7 drm/amd/display: Ignore First MST Sideband Message Return Error drm/i915/selftests: fix subtraction overflow bug drm/i915/gem: Look for waitboosting across the whole object prior to individual waits drm/i915/gt: Serialize TLB invalidates with GT resets drm/i915/gt: Serialize GRDOM access between multiple engine resets drm/i915/ttm: fix sg_table construction drm/i915/selftests: fix a couple IS_ERR() vs NULL tests drm/i915: Fix vm use-after-free in vma destruction drm/i915/guc: ADL-N should use the same GuC FW as ADL-S drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector() drm/i915/gvt: IS_ERR() vs NULL bug in intel_gvt_update_reg_whitelist() Revert "drm/amdgpu: add drm buddy support to amdgpu" commit 862161e8af0db1b725c6ad5fd93aa636125f3db5 Merge: e5d523f1ae8f2 43b5240ca6b33 Author: Linus Torvalds Date: Fri Jul 15 09:52:35 2022 -0700 Merge tag 'sysctl-fixes-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux Pyll sysctl fix from Luis Chamberlain: "Only one fix for sysctl" * tag 'sysctl-fixes-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux: mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE commit 0fddf9ad06fd9f439f137139861556671673e31c Author: Sascha Hauer Date: Fri Jul 1 13:03:41 2022 +0200 mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times 06781a5026350 Fixes the calculation of the DEVICE_BUSY_TIMEOUT register value from busy_timeout_cycles. busy_timeout_cycles is calculated wrong though: It is calculated based on the maximum page read time, but the timeout is also used for page write and block erase operations which require orders of magnitude bigger timeouts. Fix this by calculating busy_timeout_cycles from the maximum of tBERS_max and tPROG_max. This is for now the easiest and most obvious way to fix the driver. There's room for improvements though: The NAND_OP_WAITRDY_INSTR tells us the desired timeout for the current operation, so we could program the timeout dynamically for each operation instead of setting a fixed timeout. Also we could wire up the interrupt handler to actually detect and forward timeouts occurred when waiting for the chip being ready. As a sidenote I verified that the change in 06781a5026350 is really correct. I wired up the interrupt handler in my tree and measured the time between starting the operation and the timeout interrupt handler coming in. The time increases 41us with each step in the timeout register which corresponds to 4096 clock cycles with the 99MHz clock that I have. Fixes: 06781a5026350 ("mtd: rawnand: gpmi: Fix setting busy timeout setting") Fixes: b1206122069aa ("mtd: rawniand: gpmi: use core timings instead of an empirical derivation") Cc: stable@vger.kernel.org Signed-off-by: Sascha Hauer Acked-by: Han Xu Tested-by: Tomasz Moń Signed-off-by: Richard Weinberger commit 1ac8ec2731a5ae0f283d103873be7b945ba97e90 Merge: 51889d225ce2c 9023ca0866250 Author: Petr Mladek Date: Fri Jul 15 16:43:42 2022 +0200 Merge branch 'rework/kthreads' into for-linus commit 9b04369b060fd4885f728b7a4ab4851ffb1abb64 Author: Dmitry Osipenko Date: Tue Apr 12 01:15:36 2022 +0300 drm/scheduler: Don't kill jobs in interrupt context Interrupt context can't sleep. Drivers like Panfrost and MSM are taking mutex when job is released, and thus, that code can sleep. This results into "BUG: scheduling while atomic" if locks are contented while job is freed. There is no good reason for releasing scheduler's jobs in IRQ context, hence use normal context to fix the trouble. Cc: stable@vger.kernel.org Fixes: 542cff7893a3 ("drm/sched: Avoid lockdep spalt on killing a processes") Signed-off-by: Dmitry Osipenko Signed-off-by: Andrey Grodzovsky Link: https://patchwork.freedesktop.org/patch/msgid/20220411221536.283312-1-dmitry.osipenko@collabora.com commit 2d4bd81fea1ad6ebba543bd6da3ef5179d130e6a Author: Stylon Wang Date: Thu Jul 7 16:23:29 2022 +0800 drm/amd/display: Fix new dmub notification enabling in DM [Why] Changes from "Fix for dmub outbox notification enable" need to land in DM or DMUB outbox notification would be disabled. [How] Enable outbox notification only after interrupt are enabled and IRQ handlers registered. Any pending notification will be sent by DMUB once outbox notification is enabled. Fixes: ed7208706448 ("drm/amd/display: Fix for dmub outbox notification enable") Reviewed-by: Nicholas Kazlauskas Acked-by: Solomon Chiu Signed-off-by: Stylon Wang Acked-by: Harry Wentland Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 5a5adb1528e59e8a4b23ffa7dda4849b61e97cf8 Merge: 32346491ddf24 d2394860b45c3 Author: Rafael J. Wysocki Date: Fri Jul 15 13:54:14 2022 +0200 Merge tag 'cpufreq-arm-fixes-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm Pull a cpufreq ARM fix for 5.19-rc7 from Viresh Kumar: - mediatek: Handle sram regulator probe deferral * tag 'cpufreq-arm-fixes-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm: cpufreq: mediatek: Handle sram regulator probe deferral commit 79629181607e801c0b41b8790ac4ee2eb5d7bc3e Author: Paolo Bonzini Date: Fri Jul 15 07:34:55 2022 -0400 KVM: emulate: do not adjust size of fastop and setcc subroutines Instead of doing complicated calculations to find the size of the subroutines (which are even more complicated because they need to be stringified into an asm statement), just hardcode to 16. It is less dense for a few combinations of IBT/SLS/retbleed, but it has the advantage of being really simple. Cc: stable@vger.kernel.org # 5.15.x: 84e7051c0bc1: x86/kvm: fix FASTOP_SIZE when return thunks are enabled Cc: stable@vger.kernel.org Suggested-by: Linus Torvalds Signed-off-by: Paolo Bonzini commit 8f3184b951164131a8b35770f225082cc02008be Merge: 782d86fe44e38 f4c7d8948e866 Author: David S. Miller Date: Fri Jul 15 12:06:56 2022 +0100 Merge branch 'stmmac-dwmac-mediatec-clock-fix' Biao Huang says: ==================== stmmac: dwmac-mediatek: fix clock issue changes in v5: 1. add reivewd-by as Matthias's comments. 2. fix "warning: unused variable 'ret' [-Wunused-variable]" as Jakub's comments changes in v4: 1. improve commit message and test ko insertion/remove as Matthias's comments. 2. add patch "net: stmmac: fix pm runtime issue in stmmac_dvr_remove()" to fix vlan filter deletion issue. 3. add patch "net: stmmac: fix unbalanced ptp clock issue in suspend/resume flow" to fix unbalanced ptp clock issue in suspend/resume flow. changes in v3: 1. delete mediatek_dwmac_exit() since there is no operation in it, as Matthias's comments. changes in v2: 1. clock configuration is still needed in probe, and invoke mediatek_dwmac_clks_config() instead. 2. update commit message. v1: remove duplicated clock configuration in init/exit. ==================== Signed-off-by: David S. Miller commit f4c7d8948e866918d61493264dbbd67e45ef2bda Author: Biao Huang Date: Thu Jul 14 14:00:14 2022 +0800 net: stmmac: fix unbalanced ptp clock issue in suspend/resume flow Current stmmac driver will prepare/enable ptp_ref clock in stmmac_init_tstamp_counter(). The stmmac_pltfr_noirq_suspend will disable it once in suspend flow. But in resume flow, stmmac_pltfr_noirq_resume --> stmmac_init_tstamp_counter stmmac_resume --> stmmac_hw_setup --> stmmac_init_ptp --> stmmac_init_tstamp_counter ptp_ref clock reference counter increases twice, which leads to unbalance ptp clock when resume back. Move ptp_ref clock prepare/enable out of stmmac_init_tstamp_counter to fix it. Fixes: 0735e639f129d ("net: stmmac: skip only stmmac_ptp_register when resume from suspend") Signed-off-by: Biao Huang Signed-off-by: David S. Miller commit 0d9a15913b871e03fdd3b3d90a2e665fb22f9bcf Author: Biao Huang Date: Thu Jul 14 14:00:13 2022 +0800 net: stmmac: fix pm runtime issue in stmmac_dvr_remove() If netif is running when stmmac_dvr_remove is invoked, the unregister_netdev will call ndo_stop(stmmac_release) and vlan_kill_rx_filter(stmmac_vlan_rx_kill_vid). Currently, stmmac_dvr_remove() will disable pm runtime before unregister_netdev. When stmmac_vlan_rx_kill_vid is invoked, pm_runtime_resume_and_get in it returns EACCESS error number, and reports: dwmac-mediatek 11021000.ethernet eth0: stmmac_dvr_remove: removing driver dwmac-mediatek 11021000.ethernet eth0: FPE workqueue stop dwmac-mediatek 11021000.ethernet eth0: failed to kill vid 0081/0 Move the pm_runtime_disable to the end of stmmac_dvr_remove to fix this issue. Fixes: 6449520391dfc ("net: stmmac: properly handle with runtime pm in stmmac_dvr_remove()") Signed-off-by: Biao Huang Signed-off-by: David S. Miller commit fa4b3ca60e8011d3046765b3de8d3f1ffc53af28 Author: Biao Huang Date: Thu Jul 14 14:00:12 2022 +0800 stmmac: dwmac-mediatek: fix clock issue The pm_runtime takes care of the clock handling in current stmmac drivers, and dwmac-mediatek implement the mediatek_dwmac_clks_config() as the callback for pm_runtime. Then, stripping duplicated clocks handling in old init()/exit() to fix clock issue in suspend/resume test. As to clocks in probe/remove, vendor need symmetric handling to ensure clocks balance. Test pass, including suspend/resume and ko insertion/remove. Fixes: 3186bdad97d5 ("stmmac: dwmac-mediatek: add platform level clocks management") Signed-off-by: Biao Huang Reviewed-by: Matthias Brugger Signed-off-by: David S. Miller commit 782d86fe44e38c0a02e92042fff2ce417d62c61a Merge: db886979683a8 2a85388f1d94a Author: David S. Miller Date: Fri Jul 15 11:49:56 2022 +0100 Merge branch 'net-sysctl-races-round2' Kuniyuki Iwashima says: ==================== sysctl: Fix data-races around ipv4_net_table (Round 2). This series fixes data-races around 15 knobs after ip_default_ttl in ipv4_net_table. These two knobs are skipped. - ip_local_port_range is safe with its own lock. - ip_local_reserved_ports uses proc_do_large_bitmap(), which will need an additional lock and can be fixed later. So, the next round will start with igmp_link_local_mcast_reports. ==================== Signed-off-by: David S. Miller commit 2a85388f1d94a9f8b5a529118a2c5eaa0520d85c Author: Kuniyuki Iwashima Date: Wed Jul 13 13:52:05 2022 -0700 tcp: Fix a data-race around sysctl_tcp_probe_interval. While reading sysctl_tcp_probe_interval, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 05cbc0db03e8 ("ipv4: Create probe timer for tcp PMTU as per RFC4821") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 92c0aa4175474483d6cf373314343d4e624e882a Author: Kuniyuki Iwashima Date: Wed Jul 13 13:52:04 2022 -0700 tcp: Fix a data-race around sysctl_tcp_probe_threshold. While reading sysctl_tcp_probe_threshold, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 6b58e0a5f32d ("ipv4: Use binary search to choose tcp PMTU probe_size") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 8e92d4423615a5257d0d871fc067aa561f597deb Author: Kuniyuki Iwashima Date: Wed Jul 13 13:52:03 2022 -0700 tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor. While reading sysctl_tcp_mtu_probe_floor, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: c04b79b6cfd7 ("tcp: add new tcp_mtu_probe_floor sysctl") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 78eb166cdefcc3221c8c7c1e2d514e91a2eb5014 Author: Kuniyuki Iwashima Date: Wed Jul 13 13:52:02 2022 -0700 tcp: Fix data-races around sysctl_tcp_min_snd_mss. While reading sysctl_tcp_min_snd_mss, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 5f3e2bf008c2 ("tcp: add tcp_min_snd_mss sysctl") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 88d78bc097cd8ebc6541e93316c9d9bf651b13e8 Author: Kuniyuki Iwashima Date: Wed Jul 13 13:52:01 2022 -0700 tcp: Fix data-races around sysctl_tcp_base_mss. While reading sysctl_tcp_base_mss, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 5d424d5a674f ("[TCP]: MTU probing") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit f47d00e077e7d61baf69e46dde3210c886360207 Author: Kuniyuki Iwashima Date: Wed Jul 13 13:52:00 2022 -0700 tcp: Fix data-races around sysctl_tcp_mtu_probing. While reading sysctl_tcp_mtu_probing, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 5d424d5a674f ("[TCP]: MTU probing") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 08a75f10679470552a3a443f9aefd1399604d31d Author: Kuniyuki Iwashima Date: Wed Jul 13 13:51:59 2022 -0700 tcp: Fix data-races around sysctl_tcp_l3mdev_accept. While reading sysctl_tcp_l3mdev_accept, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 6dd9a14e92e5 ("net: Allow accepted sockets to be bound to l3mdev domain") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 1a0008f9df59451d0a17806c1ee1a19857032fa8 Author: Kuniyuki Iwashima Date: Wed Jul 13 13:51:58 2022 -0700 tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. While reading sysctl_tcp_fwmark_accept, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 84f39b08d786 ("net: support marking accepting TCP sockets") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 85d0b4dbd74b95cc492b1f4e34497d3f894f5d9a Author: Kuniyuki Iwashima Date: Wed Jul 13 13:51:57 2022 -0700 ip: Fix a data-race around sysctl_fwmark_reflect. While reading sysctl_fwmark_reflect, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 0db232765887d9807df8bcb7b6f29b2871539eab Author: Kuniyuki Iwashima Date: Wed Jul 13 13:51:56 2022 -0700 ip: Fix a data-race around sysctl_ip_autobind_reuse. While reading sysctl_ip_autobind_reuse, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 4b01a9674231 ("tcp: bind(0) remove the SO_REUSEADDR restriction when ephemeral ports are exhausted.") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 289d3b21fb0bfc94c4e98f10635bba1824e5f83c Author: Kuniyuki Iwashima Date: Wed Jul 13 13:51:55 2022 -0700 ip: Fix data-races around sysctl_ip_nonlocal_bind. While reading sysctl_ip_nonlocal_bind, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 7bf9e18d9a5e99e3c83482973557e9f047b051e7 Author: Kuniyuki Iwashima Date: Wed Jul 13 13:51:54 2022 -0700 ip: Fix data-races around sysctl_ip_fwd_update_priority. While reading sysctl_ip_fwd_update_priority, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 432e05d32892 ("net: ipv4: Control SKB reprioritization after forwarding") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 60c158dc7b1f0558f6cadd5b50d0386da0000d50 Author: Kuniyuki Iwashima Date: Wed Jul 13 13:51:53 2022 -0700 ip: Fix data-races around sysctl_ip_fwd_use_pmtu. While reading sysctl_ip_fwd_use_pmtu, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: f87c10a8aa1e ("ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 0968d2a441bf6afb551fd99e60fa65ed67068963 Author: Kuniyuki Iwashima Date: Wed Jul 13 13:51:52 2022 -0700 ip: Fix data-races around sysctl_ip_no_pmtu_disc. While reading sysctl_ip_no_pmtu_disc, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 8281b7ec5c56b71cb2cc5a1728b41607be66959c Author: Kuniyuki Iwashima Date: Wed Jul 13 13:51:51 2022 -0700 ip: Fix data-races around sysctl_ip_default_ttl. While reading sysctl_ip_default_ttl, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit cf33ce6f0c220fbfe5dafcb08d4c5655097a5fa4 Merge: 9b043a8f38648 1e347f861da8d Author: Takashi Iwai Date: Fri Jul 15 12:31:07 2022 +0200 Merge tag 'asoc-fix-v5.19-rc4-2' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Drop Rockchip BCLK management for v5.19 As covered in the second revert commit in this pull request the version of the BCLK muxing that's in v5.19 is causing issues, let's just revert it and wait for the more complete support in v5.20 instead. commit 9023ca0866250d268b047f21e1392e7a81277a54 Author: John Ogness Date: Fri Jul 15 08:16:42 2022 +0206 printk: do not wait for consoles when suspended The console_stop() and console_start() functions call pr_flush(). When suspending, these functions are called by the serial subsystem while the serial port is suspended. In this scenario, if there are any pending messages, a call to pr_flush() will always result in a timeout because the serial port cannot make forward progress. This causes longer suspend and resume times. Add a check in pr_flush() so that it will immediately timeout if the consoles are suspended. Fixes: 3b604ca81202 ("printk: add pr_flush()") Reported-by: Todd Brandt Signed-off-by: John Ogness Tested-by: Todd Brandt Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220715061042.373640-2-john.ogness@linutronix.de commit 2f23256c0ea20627c91ea2d468cda945f68c3395 Author: Tony Krowiak Date: Wed Jul 6 17:43:29 2022 -0400 s390/ap: fix error handling in __verify_queue_reservations() The AP bus's __verify_queue_reservations function increments the ref count for the device driver passed in as a parameter, but fails to decrement it before returning control to the caller. This will prevents any subsequent removal of the module. Signed-off-by: Tony Krowiak Reported-by: Tony Krowiak Reviewed-by: Harald Freudenberger Fixes: 4f8206b88286 ("s390/ap: driver callback to indicate resource in use") Link: https://lore.kernel.org/r/20220706222619.602094-1-akrowiak@linux.ibm.com Cc: stable@vger.kernel.org [agordeev@linux.ibm.com fixed description, added Fixes and Link] Signed-off-by: Alexander Gordeev commit 093f8d8f10aa22935bc8bf7100700f714ebaba9c Merge: 5bde069b30503 3283c83eb6fcf Author: Dave Airlie Date: Fri Jul 15 11:26:20 2022 +1000 Merge tag 'amd-drm-fixes-5.19-2022-07-13' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-5.19-2022-07-13: amdgpu: - DP MST blank screen fix for specific platforms - MEC firmware check fix for GC 10.3.7 - Deep color fix for DCE - Fix possible divide by 0 - Coverage blend mode fix - Fix cursor only commit timestamps Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20220713172920.6037-1-alexander.deucher@amd.com commit 5bde069b305037f9a0beb95094e047d45de9a249 Merge: b1f4347f732f8 333991c4e66b3 Author: Dave Airlie Date: Fri Jul 15 09:27:05 2022 +1000 Merge tag 'drm-intel-fixes-2022-07-13' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Selftest fix (Andrzej) - TTM fix sg_table construction (Matt Auld) - Error return fixes (Dan) - Fix a performance regression related to waitboost (Chris) - Fix GT resets (Chris) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/Ys87yMujcG2sJC1R@intel.com commit b1f4347f732f84c7ef77467a20edc893e9ec5f92 Merge: 3590b44b9434a 925b6e59138ce Author: Dave Airlie Date: Fri Jul 15 09:26:00 2022 +1000 Merge tag 'drm-misc-fixes-2022-07-14' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes Only a revert for amdgpu reverting the switch to the drm buddy allocator. Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20220714071821.hsejxpsgkbbzlec2@houat commit e5d523f1ae8f2cef01f8e071aeee432654166708 Author: Nick Desaulniers Date: Thu Jul 14 13:56:43 2022 -0700 ubsan: disable UBSAN_DIV_ZERO for clang Building with UBSAN_DIV_ZERO with clang produces numerous fallthrough warnings from objtool. In the case of uncheck division, UBSAN_DIV_ZERO may introduce new control flow to check for division by zero. Because the result of the division is undefined, LLVM may optimize the control flow such that after the call to __ubsan_handle_divrem_overflow doesn't matter. If panic_on_warn was set, __ubsan_handle_divrem_overflow would panic. The problem is is that panic_on_warn is run time configurable. If it's disabled, then we cannot guarantee that we will be able to recover safely. Disable this config for clang until we can come up with a solution in LLVM. Link: https://github.com/ClangBuiltLinux/linux/issues/1657 Link: https://github.com/llvm/llvm-project/issues/56289 Link: https://lore.kernel.org/lkml/CAHk-=wj1qhf7y3VNACEexyp5EbkNpdcu_542k-xZpzmYLOjiCg@mail.gmail.com/ Reported-by: Sudip Mukherjee Suggested-by: Linus Torvalds Signed-off-by: Nick Desaulniers Acked-by: Nathan Chancellor Signed-off-by: Linus Torvalds commit b926f2adb0442090351dc8321ec1f99b22e372da Author: Linus Torvalds Date: Thu Jul 14 15:35:24 2022 -0700 Revert "vf/remap: return the amount of bytes actually deduplicated" This reverts commit 4a57a8400075bc5287c5c877702c68aeae2a033d. Dave Chinner reports: "As I suspected would occur, this change causes test failures. e.g generic/517 in fstests fails with: generic/517 1s ... - output mismatch [..] -deduped 131172/131172 bytes at offset 65536 +deduped 131072/131172 bytes at offset 65536" can you please revert this commit for the 5.19 series to give us more time to investigate and consider the impact of the the API change on userspace applications before we commit to changing the API" That changed return value seems to reflect reality, but with the fstest change, let's revert for now. Requested-by: Dave Chinner Link: https://lore.kernel.org/all/20220714223238.GH3600936@dread.disaster.area/ Cc: Ansgar Lößer Signed-off-by: Linus Torvalds commit db886979683a8360ced9b24ab1125ad0c4d2cf76 Author: Nathan Chancellor Date: Wed Jul 13 08:24:37 2022 -0700 x86/speculation: Use DECLARE_PER_CPU for x86_spec_ctrl_current Clang warns: arch/x86/kernel/cpu/bugs.c:58:21: error: section attribute is specified on redeclared variable [-Werror,-Wsection] DEFINE_PER_CPU(u64, x86_spec_ctrl_current); ^ arch/x86/include/asm/nospec-branch.h:283:12: note: previous declaration is here extern u64 x86_spec_ctrl_current; ^ 1 error generated. The declaration should be using DECLARE_PER_CPU instead so all attributes stay in sync. Cc: stable@vger.kernel.org Fixes: fc02735b14ff ("KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS") Reported-by: kernel test robot Signed-off-by: Nathan Chancellor Signed-off-by: Linus Torvalds commit 89551fdd44a272ac88258b231b07e5644fd2b2e7 Author: Krzysztof Kozlowski Date: Fri Jun 24 19:08:11 2022 +0200 riscv: dts: align gpio-key node names with dtschema The node names should be generic and DT schema expects certain pattern (e.g. with key/button/switch). Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220624170811.66395-1-krzysztof.kozlowski@linaro.org Link: https://lore.kernel.org/all/20220616005224.18391-1-krzysztof.kozlowski@linaro.org/ Signed-off-by: Palmer Dabbelt commit 3a66a087599483612a6e6a4970ec403e61c30821 Author: Li Zhengyu Date: Wed Jun 1 15:02:04 2022 +0800 RISC-V: kexec: Fix build error without CONFIG_KEXEC When CONFIG_KEXEC_FILE=y but CONFIG_KEXEC is not set: kernel/kexec_core.o: In function `kimage_free': kexec_core.c:(.text+0xa0c): undefined reference to `machine_kexec_cleanup' kernel/kexec_core.o: In function `.L0 ': kexec_core.c:(.text+0xde8): undefined reference to `machine_crash_shutdown' kexec_core.c:(.text+0xdf4): undefined reference to `machine_kexec' kernel/kexec_core.o: In function `.L231': kexec_core.c:(.text+0xe1c): undefined reference to `riscv_crash_save_regs' kernel/kexec_core.o: In function `.L0 ': kexec_core.c:(.text+0x119e): undefined reference to `machine_shutdown' kernel/kexec_core.o: In function `.L312': kexec_core.c:(.text+0x11b2): undefined reference to `machine_kexec' kernel/kexec_file.o: In function `.L0 ': kexec_file.c:(.text+0xb84): undefined reference to `machine_kexec_prepare' kernel/kexec_file.o: In function `.L177': kexec_file.c:(.text+0xc5a): undefined reference to `machine_kexec_prepare' Makefile:1160: recipe for target 'vmlinux' failed make: *** [vmlinux] Error 1 These symbols should depend on CONFIG_KEXEC_CORE rather than CONFIG_KEXEC when kexec_file has been implemented on RISC-V, like the other archs have done. Signed-off-by: Li Zhengyu Reviewed-by: Masahiro Yamada Acked-by: Randy Dunlap Tested-by: Randy Dunlap Link: https://lore.kernel.org/r/20220601070204.26882-1-lizhengyu3@huawei.com Fixes: 6261586e0c91 ("RISC-V: Add kexec_file support") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit a927444aa953f757eaea5bb3615916fba6db58bf Author: Li Zhengyu Date: Wed Jun 1 14:39:24 2022 +0800 RISCV: kexec: Fix build error without CONFIG_MODULES When CONFIG_MODULES is not set/enabled: ../arch/riscv/kernel/elf_kexec.c:353:9: error: unknown type name 'Elf_Rela'; did you mean 'Elf64_Rela'? 353 | Elf_Rela *relas; | ^~~~~~~~ | Elf64_Rela Replace Elf_Rela by Elf64_Rela to avoid relying on CONFIG_MODULES. Signed-off-by: Li Zhengyu Acked-by: Randy Dunlap Tested-by: Randy Dunlap Link: https://lore.kernel.org/r/20220601063924.13037-1-lizhengyu3@huawei.com Fixes: 838b3e28488f ("RISC-V: Load purgatory in kexec_file") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit 43b5240ca6b33108998810593248186b1e3ae34a Author: Muchun Song Date: Thu Jun 9 18:40:32 2022 +0800 mm: sysctl: fix missing numa_stat when !CONFIG_HUGETLB_PAGE "numa_stat" should not be included in the scope of CONFIG_HUGETLB_PAGE, if CONFIG_HUGETLB_PAGE is not configured even if CONFIG_NUMA is configured, "numa_stat" is missed form /proc. Move it out of CONFIG_HUGETLB_PAGE to fix it. Fixes: 4518085e127d ("mm, sysctl: make NUMA stats configurable") Signed-off-by: Muchun Song Cc: Acked-by: Michal Hocko Acked-by: Mel Gorman Signed-off-by: Luis Chamberlain commit 9bd572ec7a66b56e1aed896217ff311d981cf575 Merge: f41d5df5f146d 656bd03a2cd85 Author: Linus Torvalds Date: Thu Jul 14 12:48:07 2022 -0700 Merge tag 'net-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from netfilter, bpf and wireless. Still no major regressions, the release continues to be calm. An uptick of fixes this time around due to trivial data race fixes and patches flowing down from subtrees. There has been a few driver fixes (particularly a few fixes for false positives due to 66e4c8d95008 which went into -next in May!) that make me worry the wide testing is not exactly fully through. So "calm" but not "let's just cut the final ASAP" vibes over here. Current release - regressions: - wifi: rtw88: fix write to const table of channel parameters Current release - new code bugs: - mac80211: add gfp_t arg to ieeee80211_obss_color_collision_notify - mlx5: - TC, allow offload from uplink to other PF's VF - Lag, decouple FDB selection and shared FDB - Lag, correct get the port select mode str - bnxt_en: fix and simplify XDP transmit path - r8152: fix accessing unset transport header Previous releases - regressions: - conntrack: fix crash due to confirmed bit load reordering (after atomic -> refcount conversion) - stmmac: dwc-qos: disable split header for Tegra194 Previous releases - always broken: - mlx5e: ring the TX doorbell on DMA errors - bpf: make sure mac_header was set before using it - mac80211: do not wake queues on a vif that is being stopped - mac80211: fix queue selection for mesh/OCB interfaces - ip: fix dflt addr selection for connected nexthop - seg6: fix skb checksums for SRH encapsulation/insertion - xdp: fix spurious packet loss in generic XDP TX path - bunch of sysctl data race fixes - nf_log: incorrect offset to network header Misc: - bpf: add flags arg to bpf_dynptr_read and bpf_dynptr_write APIs" * tag 'net-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (87 commits) nfp: flower: configure tunnel neighbour on cmsg rx net/tls: Check for errors in tls_device_init MAINTAINERS: Add an additional maintainer to the AMD XGBE driver xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue selftests/net: test nexthop without gw ip: fix dflt addr selection for connected nexthop net: atlantic: remove aq_nic_deinit() when resume net: atlantic: remove deep parameter on suspend/resume functions sfc: fix kernel panic when creating VF seg6: bpf: fix skb checksum in bpf_push_seg6_encap() seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors seg6: fix skb checksum evaluation in SRH encapsulation/insertion sfc: fix use after free when disabling sriov net: sunhme: output link status with a single print. r8152: fix accessing unset transport header net: stmmac: fix leaks in probe net: ftgmac100: Hold reference returned by of_get_child_by_name() nexthop: Fix data-races around nexthop_compat_mode. ipv4: Fix data-races around sysctl_ip_dynaddr. tcp: Fix a data-race around sysctl_tcp_ecn_fallback. ... commit 5ad26161a371e4aa2d2553286f0cac580987a493 Author: Hans de Goede Date: Wed Jul 13 23:11:01 2022 +0200 ACPI: video: Fix acpi_video_handles_brightness_key_presses() Commit 3a0cf7ab8df3 ("ACPI: video: Change how we determine if brightness key-presses are handled") made acpi_video_handles_brightness_key_presses() report false when none of the ACPI Video Devices support backlight control. But it turns out that at least on a Dell Inspiron N4010 there is no ACPI backlight control, yet brightness hotkeys are still reported through the ACPI Video Bus; and since acpi_video_handles_brightness_key_presses() now returns false, brightness keypresses are now reported twice. To fix this rename the has_backlight flag to may_report_brightness_keys and also set it the first time a brightness key press event is received. Depending on the delivery of the other ACPI (WMI) event vs the ACPI Video Bus event this means that the first brightness key press might still get reported twice, but all further keypresses will be filtered as before. Note that this relies on other drivers reporting brightness key events calling acpi_video_handles_brightness_key_presses() when delivering the events (rather then once during driver probe). This is already required and documented in include/acpi/video.h: /* * Note: The value returned by acpi_video_handles_brightness_key_presses() * may change over time and should not be cached. */ Fixes: 3a0cf7ab8df3 ("ACPI: video: Change how we determine if brightness key-presses are handled") Link: https://lore.kernel.org/regressions/CALF=6jEe5G8+r1Wo0vvz4GjNQQhdkLT5p8uCHn6ZXhg4nsOWow@mail.gmail.com/ Reported-and-tested-by: Ben Greening Signed-off-by: Hans de Goede Acked-by: Rafael J. Wysocki Link: https://lore.kernel.org/r/20220713211101.85547-2-hdegoede@redhat.com commit f41d5df5f146d606df02ec8fafd080a5ee6e6e81 Merge: a24a6c05ffa7a 32f319183c439 Author: Linus Torvalds Date: Thu Jul 14 12:35:15 2022 -0700 Merge tag '5.19-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fixes from Steve French: "Three smb3 client fixes: - two multichannel fixes: fix a potential deadlock freeing a channel, and fix a race condition on failed creation of a new channel - mount failure fix: work around a server bug in some common older Samba servers by avoiding padding at the end of the negotiate protocol request" * tag '5.19-rc6-smb3-client-fixes' of git://git.samba.org/sfrench/cifs-2.6: smb3: workaround negprot bug in some Samba servers cifs: remove unnecessary locking of chan_lock while freeing session cifs: fix race condition with delayed threads commit a24a6c05ffa7adb3f2d4b417ca46eedbe67b7302 Merge: 4adfa865bb972 1197eb5906a54 Author: Linus Torvalds Date: Thu Jul 14 12:29:43 2022 -0700 Merge tag 'nfsd-5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd fixes from Chuck Lever: "Notable regression fixes: - Enable SETATTR(time_create) to fix regression with Mac OS clients - Fix a lockd crasher and broken NLM UNLCK behavior" * tag 'nfsd-5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: lockd: fix nlm_close_files lockd: set fl_owner when unlocking files NFSD: Decode NFSv4 birth time attribute commit 4adfa865bb972d38d35a6fb19e59a86074d25a75 Merge: 2eb5866cac071 067d252187413 Author: Linus Torvalds Date: Thu Jul 14 12:15:42 2022 -0700 Merge tag 'integrity-v5.19-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull integrity fixes from Mimi Zohar: "Here are a number of fixes for recently found bugs. Only 'ima: fix violation measurement list record' was introduced in the current release. The rest address existing bugs" * tag 'integrity-v5.19-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: Fix potential memory leak in ima_init_crypto() ima: force signature verification when CONFIG_KEXEC_SIG is configured ima: Fix a potential integer overflow in ima_appraise_measurement ima: fix violation measurement list record Revert "evm: Fix memleak in init_desc" commit 2eb5866cac07121b0990d0af5085e36ca5b1ccad Merge: 097da1a44d1ae 29589ca09a74c Author: Linus Torvalds Date: Thu Jul 14 12:08:59 2022 -0700 Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: - quieten the spectre-bhb prints - mark flattened device tree sections as shareable - remove some obsolete CPU domain code and help text - fix thumb unaligned access abort emulation - fix amba_device_add() refcount underflow - fix literal placement * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: 9208/1: entry: add .ltorg directive to keep literals in range ARM: 9207/1: amba: fix refcount underflow if amba_device_add() fails ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction ARM: 9213/1: Print message about disabled Spectre workarounds only once ARM: 9212/1: domain: Modify Kconfig help text ARM: 9211/1: domain: drop modify_domain() ARM: 9210/1: Mark the FDT_FIXED sections as shareable ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle commit 097da1a44d1aef15739214fecf8f4c63792bb665 Author: Guenter Roeck Date: Thu Jul 14 11:46:00 2022 -0700 um: Replace to_phys() and to_virt() with less generic function names The UML function names to_virt() and to_phys() are exposed by UML headers, and are very generic and may be defined by drivers. As it turns out, commit 9409c9b6709e ("pmem: refactor pmem_clear_poison()") did exactly that. This results in build errors such as the following when trying to build um:allmodconfig: drivers/nvdimm/pmem.c: In function ‘pmem_dax_zero_page_range’: ./arch/um/include/asm/page.h:105:20: error: too few arguments to function ‘to_phys’ 105 | #define __pa(virt) to_phys((void *) (unsigned long) (virt)) | ^~~~~~~ Use less generic function names for the um specific to_phys() and to_virt() functions to fix the problem and to avoid similar problems in the future. Fixes: 9409c9b6709e ("pmem: refactor pmem_clear_poison()") Cc: Dan Williams Cc: Christoph Hellwig Signed-off-by: Guenter Roeck Signed-off-by: Linus Torvalds commit c4634a3c7dcabed7321304efc00b5a81559adeca Merge: d11219ad53dcf 9b043a8f38648 Author: Linus Torvalds Date: Thu Jul 14 11:34:16 2022 -0700 Merge tag 'sound-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Hopefully the last one for 5.19. This became bigger than wished, but all changes are pretty device-specific small fixes, which look less worrisome. The majority of changes are about various ASoC fixes, while the usual HD-audio quirks are included as well" * tag 'sound-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (28 commits) ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221 ALSA: hda/realtek: fix mute/micmute LEDs for HP machines ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 ALSA: hda - Add fixup for Dell Latitidue E5430 ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model ALSA: hda/realtek: Fix headset mic for Acer SF313-51 ASoC: Intel: Skylake: Correct the handling of fmt_config flexible array ASoC: Intel: Skylake: Correct the ssp rate discovery in skl_get_ssp_clks() ASoC: rt5640: Fix the wrong state of JD1 and JD2 ASoC: Intel: sof_rt5682: fix out-of-bounds array access ASoC: qdsp6: fix potential memory leak in q6apm_get_audioreach_graph() ASoC: tas2764: Fix amp gain register offset & default ASoC: tas2764: Correct playback volume range ASoC: tas2764: Fix and extend FSYNC polarity handling ASoC: tas2764: Add post reset delays ASoC: dt-bindings: Fix description for msm8916 ASoC: doc: Capitalize RESET line name ASoC: arizona: Update arizona_aif_cfg_changed to use RX_BCLK_RATE ASoC: cs47l92: Fix event generation for OUT1 demux ... commit 656bd03a2cd853e7c7c4e08968ad8c0ea993737d Author: Tianyu Yuan Date: Thu Jul 14 10:19:15 2022 +0200 nfp: flower: configure tunnel neighbour on cmsg rx nfp_tun_write_neigh() function will configure a tunnel neighbour when calling nfp_tun_neigh_event_handler() or nfp_flower_cmsg_process_one_rx() (with no tunnel neighbour type) from firmware. When configuring IP on physical port as a tunnel endpoint, no operation will be performed after receiving the cmsg mentioned above. Therefore, add a progress to configure tunnel neighbour in this case. v2: Correct format of fixes tag. Fixes: f1df7956c11f ("nfp: flower: rework tunnel neighbour configuration") Signed-off-by: Tianyu Yuan Reviewed-by: Louis Peens Reviewed-by: Baowen Zheng Signed-off-by: Simon Horman Link: https://lore.kernel.org/r/20220714081915.148378-1-simon.horman@corigine.com Signed-off-by: Jakub Kicinski commit 3d8c51b25a235e283e37750943bbf356ef187230 Author: Tariq Toukan Date: Thu Jul 14 10:07:54 2022 +0300 net/tls: Check for errors in tls_device_init Add missing error checks in tls_device_init. Fixes: e8f69799810c ("net/tls: Add generic NIC offload infrastructure") Reported-by: Jakub Kicinski Reviewed-by: Maxim Mikityanskiy Signed-off-by: Tariq Toukan Link: https://lore.kernel.org/r/20220714070754.1428-1-tariqt@nvidia.com Signed-off-by: Jakub Kicinski commit 51f1c31f8ba713f70f1659e7c91e837fe5f5554f Author: Tom Lendacky Date: Wed Jul 13 17:31:41 2022 -0500 MAINTAINERS: Add an additional maintainer to the AMD XGBE driver Add Shyam Sundar S K as an additional maintainer to support the AMD XGBE network device driver. Cc: Shyam Sundar S K Signed-off-by: Tom Lendacky Link: https://lore.kernel.org/r/db367f24089c2bbbcd1cec8e21af49922017a110.1657751501.git.thomas.lendacky@amd.com Signed-off-by: Jakub Kicinski commit 94e8100678889ab428e68acadf042de723f094b9 Author: Juergen Gross Date: Wed Jul 13 15:53:22 2022 +0200 xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue xenvif_rx_next_skb() is expecting the rx queue not being empty, but in case the loop in xenvif_rx_action() is doing multiple iterations, the availability of another skb in the rx queue is not being checked. This can lead to crashes: [40072.537261] BUG: unable to handle kernel NULL pointer dereference at 0000000000000080 [40072.537407] IP: xenvif_rx_skb+0x23/0x590 [xen_netback] [40072.537534] PGD 0 P4D 0 [40072.537644] Oops: 0000 [#1] SMP NOPTI [40072.537749] CPU: 0 PID: 12505 Comm: v1-c40247-q2-gu Not tainted 4.12.14-122.121-default #1 SLE12-SP5 [40072.537867] Hardware name: HP ProLiant DL580 Gen9/ProLiant DL580 Gen9, BIOS U17 11/23/2021 [40072.537999] task: ffff880433b38100 task.stack: ffffc90043d40000 [40072.538112] RIP: e030:xenvif_rx_skb+0x23/0x590 [xen_netback] [40072.538217] RSP: e02b:ffffc90043d43de0 EFLAGS: 00010246 [40072.538319] RAX: 0000000000000000 RBX: ffffc90043cd7cd0 RCX: 00000000000000f7 [40072.538430] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffffc90043d43df8 [40072.538531] RBP: 000000000000003f R08: 000077ff80000000 R09: 0000000000000008 [40072.538644] R10: 0000000000007ff0 R11: 00000000000008f6 R12: ffffc90043ce2708 [40072.538745] R13: 0000000000000000 R14: ffffc90043d43ed0 R15: ffff88043ea748c0 [40072.538861] FS: 0000000000000000(0000) GS:ffff880484600000(0000) knlGS:0000000000000000 [40072.538988] CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 [40072.539088] CR2: 0000000000000080 CR3: 0000000407ac8000 CR4: 0000000000040660 [40072.539211] Call Trace: [40072.539319] xenvif_rx_action+0x71/0x90 [xen_netback] [40072.539429] xenvif_kthread_guest_rx+0x14a/0x29c [xen_netback] Fix that by stopping the loop in case the rx queue becomes empty. Cc: stable@vger.kernel.org Fixes: 98f6d57ced73 ("xen-netback: process guest rx packets in batches") Signed-off-by: Juergen Gross Reviewed-by: Jan Beulich Reviewed-by: Paul Durrant Link: https://lore.kernel.org/r/20220713135322.19616-1-jgross@suse.com Signed-off-by: Jakub Kicinski commit d11219ad53dcf61ced53ca60fe0c4a8d34393e6c Author: Linus Torvalds Date: Wed Jul 13 12:36:50 2022 -0700 amdgpu: disable powerpc support for the newer display engine The DRM_AMD_DC_DCN display engine support (Raven, Navi, and newer) has not been building cleanly on powerpc and causes link errors due to mixing hard- and soft-float object files: powerpc64-linux-ld: drivers/gpu/drm/amd/amdgpu/../display/dc/dml/display_mode_lib.o uses hard float, drivers/gpu/drm/amd/amdgpu/../display/dc/dcn31/dcn31_resource.o uses soft float powerpc64-linux-ld: failed to merge target specific data of file drivers/gpu/drm/amd/amdgpu/../display/dc/dcn31/dcn31_resource.o [..] and while patches are floating around, it's not exactly obvious what is going on. The problem bisects to commit 41b7a347bf14 ("powerpc: Book3S 64-bit outline-only KASAN support") but that is probably more about changing config variables than the fundamental cause. Despite the bisection result, a more directly related commit seems to be 26f4712aedbd ("drm/amd/display: move FPU related code from dcn31 to dml/dcn31 folder"). It's probably a combination of the two. This has been going on since the merge window, without any final word. So instead of blindly applying patches that may or may not be the right thing, let's disable this for now. As Michael Ellerman says: "IIUIC this code was never enabled on ppc before, so disabling it seems like a reasonable fix to get the build clean" and once we have more actual feedback (and find any potential users) we can always re-enable it with the patch that fixes the issues and back-port as necessary. Fixes: 41b7a347bf14 ("powerpc: Book3S 64-bit outline-only KASAN support") Fixes: 26f4712aedbd ("drm/amd/display: move FPU related code from dcn31 to dml/dcn31 folder") Reported-and-tested-by: Guenter Roeck Link: https://lore.kernel.org/all/20220606153910.GA1773067@roeck-us.net/ Link: https://lore.kernel.org/all/20220618232737.2036722-1-linux@roeck-us.net/ Link: https://lore.kernel.org/all/20220713050724.GA2471738@roeck-us.net/ Acked-by: Michael Ellerman Acked-by: Alex Deucher Signed-off-by: Linus Torvalds commit 957a2b345cbcf41b4b25d471229f0e35262f066c Author: Muchun Song Date: Wed Jul 13 22:02:26 2022 +0800 block: fix missing blkcg_bio_issue_init The commit 513616843d73 ("block: remove superfluous calls to blkcg_bio_issue_init") has removed blkcg_bio_issue_init from __bio_clone since submit_bio will override ->bi_issue. However, __blk_queue_split is called after blkcg_bio_issue_init (see blk_mq_submit_bio) in submit_bio. In this case, the ->bi_issue is 0. Fix it. Fixes: 513616843d73 ("block: remove superfluous calls to blkcg_bio_issue_init") Signed-off-by: Muchun Song Link: https://lore.kernel.org/r/20220713140226.68135-1-songmuchun@bytedance.com Signed-off-by: Jens Axboe commit c24b06e1c237ee2bf3245786b0ee844ddd1610be Merge: 6b0de7d0f3285 6961b5e02876b Author: Jens Axboe Date: Thu Jul 14 10:29:56 2022 -0600 Merge tag 'nvme-5.19-2022-07-14' of git://git.infradead.org/nvme into block-5.19 Pull NVMe fixes from Christoph: "nvme fixes for Linux 5.19 - fix a block device naming collision (Israel Rukshin) - fix freeze accounting for PCI error handling (Keith Busch)" * tag 'nvme-5.19-2022-07-14' of git://git.infradead.org/nvme: nvme: fix block device naming collision nvme-pci: fix freeze accounting for error handling commit 7c1ddcee5311f3315096217881d2dbe47cc683f9 Author: Lennert Buytenhek Date: Thu Jun 2 18:58:11 2022 +0300 igc: Reinstate IGC_REMOVED logic and implement it properly The initially merged version of the igc driver code (via commit 146740f9abc4, "igc: Add support for PF") contained the following IGC_REMOVED checks in the igc_rd32/wr32() MMIO accessors: u32 igc_rd32(struct igc_hw *hw, u32 reg) { u8 __iomem *hw_addr = READ_ONCE(hw->hw_addr); u32 value = 0; if (IGC_REMOVED(hw_addr)) return ~value; value = readl(&hw_addr[reg]); /* reads should not return all F's */ if (!(~value) && (!reg || !(~readl(hw_addr)))) hw->hw_addr = NULL; return value; } And: #define wr32(reg, val) \ do { \ u8 __iomem *hw_addr = READ_ONCE((hw)->hw_addr); \ if (!IGC_REMOVED(hw_addr)) \ writel((val), &hw_addr[(reg)]); \ } while (0) E.g. igb has similar checks in its MMIO accessors, and has a similar macro E1000_REMOVED, which is implemented as follows: #define E1000_REMOVED(h) unlikely(!(h)) These checks serve to detect and take note of an 0xffffffff MMIO read return from the device, which can be caused by a PCIe link flap or some other kind of PCI bus error, and to avoid performing MMIO reads and writes from that point onwards. However, the IGC_REMOVED macro was not originally implemented: #ifndef IGC_REMOVED #define IGC_REMOVED(a) (0) #endif /* IGC_REMOVED */ This led to the IGC_REMOVED logic to be removed entirely in a subsequent commit (commit 3c215fb18e70, "igc: remove IGC_REMOVED function"), with the rationale that such checks matter only for virtualization and that igc does not support virtualization -- but a PCIe device can become detached even without virtualization being in use, and without proper checks, a PCIe bus error affecting an igc adapter will lead to various NULL pointer dereferences, as the first access after the error will set hw->hw_addr to NULL, and subsequent accesses will blindly dereference this now-NULL pointer. This patch reinstates the IGC_REMOVED checks in igc_rd32/wr32(), and implements IGC_REMOVED the way it is done for igb, by checking for the unlikely() case of hw_addr being NULL. This change prevents the oopses seen when a PCIe link flap occurs on an igc adapter. Fixes: 146740f9abc4 ("igc: Add support for PF") Signed-off-by: Lennert Buytenhek Tested-by: Naama Meir Acked-by: Sasha Neftin Signed-off-by: Tony Nguyen commit 6cfa45361d3eac31ba67d7d0bbef547151450106 Author: Sasha Neftin Date: Mon May 9 11:52:54 2022 +0300 Revert "e1000e: Fix possible HW unit hang after an s0ix exit" This reverts commit 1866aa0d0d6492bc2f8d22d0df49abaccf50cddd. Commit 1866aa0d0d64 ("e1000e: Fix possible HW unit hang after an s0ix exit") was a workaround for CSME problem to handle messages comes via H2ME mailbox. This problem has been fixed by patch "e1000e: Enable the GPT clock before sending message to the CSME". Fixes: 3e55d231716e ("e1000e: Add handshake with the CSME to support S0ix") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=214821 Signed-off-by: Sasha Neftin Tested-by: Naama Meir Signed-off-by: Tony Nguyen commit b49feacbeffc7635cc6692cbcc6a1eae2c17da6f Author: Sasha Neftin Date: Sun May 8 10:09:05 2022 +0300 e1000e: Enable GPT clock before sending message to CSME On corporate (CSME) ADL systems, the Ethernet Controller may stop working ("HW unit hang") after exiting from the s0ix state. The reason is that CSME misses the message sent by the host. Enabling the dynamic GPT clock solves this problem. This clock is cleared upon HW initialization. Fixes: 3e55d231716e ("e1000e: Add handshake with the CSME to support S0ix") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=214821 Reviewed-by: Dima Ruinskiy Signed-off-by: Sasha Neftin Tested-by: Chia-Lin Kao (AceLan) Tested-by: Naama Meir Signed-off-by: Tony Nguyen commit 8a414f943f8b5f94bbaafdec863d6f3dbef33f8a Author: Vitaly Kuznetsov Date: Fri Jul 8 14:51:47 2022 +0200 KVM: x86: Fully initialize 'struct kvm_lapic_irq' in kvm_pv_kick_cpu_op() 'vector' and 'trig_mode' fields of 'struct kvm_lapic_irq' are left uninitialized in kvm_pv_kick_cpu_op(). While these fields are normally not needed for APIC_DM_REMRD, they're still referenced by __apic_accept_irq() for trace_kvm_apic_accept_irq(). Fully initialize the structure to avoid consuming random stack memory. Fixes: a183b638b61c ("KVM: x86: make apic_accept_irq tracepoint more generic") Reported-by: syzbot+d6caa905917d353f0d07@syzkaller.appspotmail.com Signed-off-by: Vitaly Kuznetsov Reviewed-by: Sean Christopherson Message-Id: <20220708125147.593975-1-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini commit 6961b5e02876b3b47f030a1f1ee8fd3e631ac270 Author: Israel Rukshin Date: Thu Jul 14 12:42:10 2022 +0000 nvme: fix block device naming collision The issue exists when multipath is enabled and the namespace is shared, but all the other controller checks at nvme_is_unique_nsid() are false. The reason for this issue is that nvme_is_unique_nsid() returns false when is called from nvme_mpath_alloc_disk() due to an uninitialized value of head->shared. The patch fixes it by setting head->shared before nvme_mpath_alloc_disk() is called. Fixes: 5974ea7ce0f9 ("nvme: allow duplicate NSIDs for private namespaces") Signed-off-by: Israel Rukshin Reviewed-by: Keith Busch Reviewed-by: Max Gurtovoy Signed-off-by: Christoph Hellwig commit 081f5e753c9c4cd1dd86000bcc7f5fe14cbdcab0 Author: Keith Busch Date: Tue Jul 12 08:16:32 2022 -0700 nvme-pci: fix freeze accounting for error handling A reset on a live device experiencing a link error still needs to have the queue freeze state started for the subsequent reinitialization. Skip only the register read if the device is not present instead of bypassing the freeze checks. Fixes: b98235d3a471e ("nvme-pci: harden drive presence detect in nvme_dev_disable()") Reported-by: Niklas Schnelle Signed-off-by: Keith Busch Tested-by: Niklas Schnelle Signed-off-by: Christoph Hellwig commit 3486af89dd3c0b0bef194c4bccf17c31ef16b99f Merge: 7e50133234007 7c239a071d1f0 Author: Greg Kroah-Hartman Date: Thu Jul 14 16:22:12 2022 +0200 Merge tag 'usb-serial-5.19-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial fixes for 5.19-rc7 Here are a couple of new device ids for ftdi_sio. Everything has been in linux-next with no reported issues. * tag 'usb-serial-5.19-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial: USB: serial: ftdi_sio: add Belimo device ids commit 7e50133234007f77d40c5ad871960a3171b362c3 Merge: bb160ee61c04f 32346491ddf24 Author: Greg Kroah-Hartman Date: Thu Jul 14 16:18:22 2022 +0200 Merge tag 'v5.19-rc6' into usb-linus The usb-serial fixes are based on this branch, so merge it in here to prevent merge confusion when merging in that tree. Signed-off-by: Greg Kroah-Hartman commit cca3f3381bef16ae04933cc3ff480952f7ae298f Merge: 942d9e89524c1 99482726452bd Author: Paolo Bonzini Date: Thu Jul 14 10:04:12 2022 -0400 Merge commit 'kvm-vmx-nested-tsc-fix' into kvm-master Merge bugfix needed in both 5.19 (because it's bad) and 5.20 (because it is a prerequisite to test new features). commit cd72e61bad145a0968df85193dcf1261cb66c4c6 Author: Nicolas Dichtel Date: Wed Jul 13 13:48:53 2022 +0200 selftests/net: test nexthop without gw This test implement the scenario described in the commit "ip: fix dflt addr selection for connected nexthop". The test configures a nexthop object with an output device only (no gateway address) and a route that uses this nexthop. The goal is to check if the kernel selects a valid source address. Link: https://lore.kernel.org/netdev/20220712095545.10947-1-nicolas.dichtel@6wind.com/ Signed-off-by: Nicolas Dichtel Link: https://lore.kernel.org/r/20220713114853.29406-2-nicolas.dichtel@6wind.com Signed-off-by: Paolo Abeni commit 747c14307214b55dbd8250e1ab44cad8305756f1 Author: Nicolas Dichtel Date: Wed Jul 13 13:48:52 2022 +0200 ip: fix dflt addr selection for connected nexthop When a nexthop is added, without a gw address, the default scope was set to 'host'. Thus, when a source address is selected, 127.0.0.1 may be chosen but rejected when the route is used. When using a route without a nexthop id, the scope can be configured in the route, thus the problem doesn't exist. To explain more deeply: when a user creates a nexthop, it cannot specify the scope. To create it, the function nh_create_ipv4() calls fib_check_nh() with scope set to 0. fib_check_nh() calls fib_check_nh_nongw() wich was setting scope to 'host'. Then, nh_create_ipv4() calls fib_info_update_nhc_saddr() with scope set to 'host'. The src addr is chosen before the route is inserted. When a 'standard' route (ie without a reference to a nexthop) is added, fib_create_info() calls fib_info_update_nhc_saddr() with the scope set by the user. iproute2 set the scope to 'link' by default. Here is a way to reproduce the problem: ip netns add foo ip -n foo link set lo up ip netns add bar ip -n bar link set lo up sleep 1 ip -n foo link add name eth0 type dummy ip -n foo link set eth0 up ip -n foo address add 192.168.0.1/24 dev eth0 ip -n foo link add name veth0 type veth peer name veth1 netns bar ip -n foo link set veth0 up ip -n bar link set veth1 up ip -n bar address add 192.168.1.1/32 dev veth1 ip -n bar route add default dev veth1 ip -n foo nexthop add id 1 dev veth0 ip -n foo route add 192.168.1.1 nhid 1 Try to get/use the route: > $ ip -n foo route get 192.168.1.1 > RTNETLINK answers: Invalid argument > $ ip netns exec foo ping -c1 192.168.1.1 > ping: connect: Invalid argument Try without nexthop group (iproute2 sets scope to 'link' by dflt): ip -n foo route del 192.168.1.1 ip -n foo route add 192.168.1.1 dev veth0 Try to get/use the route: > $ ip -n foo route get 192.168.1.1 > 192.168.1.1 dev veth0 src 192.168.0.1 uid 0 > cache > $ ip netns exec foo ping -c1 192.168.1.1 > PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data. > 64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.039 ms > > --- 192.168.1.1 ping statistics --- > 1 packets transmitted, 1 received, 0% packet loss, time 0ms > rtt min/avg/max/mdev = 0.039/0.039/0.039/0.000 ms CC: stable@vger.kernel.org Fixes: 597cfe4fc339 ("nexthop: Add support for IPv4 nexthops") Reported-by: Edwin Brossette Signed-off-by: Nicolas Dichtel Link: https://lore.kernel.org/r/20220713114853.29406-1-nicolas.dichtel@6wind.com Signed-off-by: Paolo Abeni commit 73d5fe046270281a46344e06bf986c607632f7ea Author: Vaishnav Achath Date: Wed Jun 1 12:46:11 2022 +0530 spi: cadence-quadspi: Remove spi_master_put() in probe failure path Currently the spi_master is allocated by devm_spi_alloc_master() and devres core manages the deallocation, but in probe failure path spi_master_put() is being handled manually which causes "refcount underflow use-after-free" warning when probe failure happens after allocating spi_master. Trimmed backtrace during failure: refcount_t: underflow; use-after-free. pc : refcount_warn_saturate+0xf4/0x144 Call trace: refcount_warn_saturate kobject_put put_device devm_spi_release_controller devres_release_all This commit makes relevant changes to remove spi_master_put() from probe failure path. Fixes: 606e5d408184 ("spi: cadence-quadspi: Handle spi_unregister_master() in remove()") Signed-off-by: Vaishnav Achath Link: https://lore.kernel.org/r/20220601071611.11853-1-vaishnav.a@ti.com Signed-off-by: Mark Brown commit 1e347f861da8ddb17e1d1b3113cb6c188e0de3e5 Author: Mark Brown Date: Wed Jul 13 14:04:51 2022 +0100 ASoC: rockchip-i2s: Undo BCLK pinctrl changes The version of the BCLK pinctrl management changes that made it into v5.19 has caused problems on some systems due to overly strict DT requirements but attempts to fix it have caused further breakage on other platforms. Just drop the changes for this release, we already have a better version queued for -next. Fixes: 26b9f2fa7b1c ("ASoC: rockchip: i2s: Fix NULL pointer dereference when pinctrl is not found") Fixes: a5450aba737d ("ASoC: rockchip: i2s: switch BCLK to GPIO") Signed-off-by: Mark Brown Link: https://lore.kernel.org/r/20220713130451.31481-1-broonie@kernel.org Signed-off-by: Mark Brown commit 29589ca09a74cfc0c50ad002e298bf4b8e69e0bd Author: Ard Biesheuvel Date: Tue May 31 09:49:24 2022 +0100 ARM: 9208/1: entry: add .ltorg directive to keep literals in range LKP reports a build issue on Clang, related to a literal load of __current issued through the ldr_va macro. This turns out to be due to the fact that group relocations are disabled when CONFIG_COMPILE_TEST=y, which means that the ldr_va macro resolves to a pair of LDR instructions, the first one being a literal load issued too far from its literal pool. Due to the introduction of a couple of new uses of this macro in commit 508074607c7b95b2 ("ARM: 9195/1: entry: avoid explicit literal loads"), the literal pools end up getting rearranged in a way that causes the literal for __current to go out of range. Let's fix this up by putting a .ltorg directive in a suitable place in the code. Link: https://lore.kernel.org/all/202205290805.1vZLAr36-lkp@intel.com/ Fixes: 508074607c7b95b2 ("ARM: 9195/1: entry: avoid explicit literal loads") Reported-by: kernel test robot Signed-off-by: Ard Biesheuvel Tested-by: Nathan Chancellor Signed-off-by: Russell King (Oracle) commit 8030aa3ce12e3b9d47afa62344c601ed508c2d9e Author: Wang Kefeng Date: Tue May 24 09:03:46 2022 +0100 ARM: 9207/1: amba: fix refcount underflow if amba_device_add() fails "ARM: 9192/1: amba: fix memory leak in amba_device_try_add()" leads to a refcount underflow if amba_device_add() fails, which called by of_amba_device_create(), the of_amba_device_create() already exists the error handling, so amba_put_device() only need to be added into amba_deferred_retry(). Fixes: 7719a68b2fa4 ("ARM: 9192/1: amba: fix memory leak in amba_device_try_add()") Reported-by: Guenter Roeck Tested-by: Guenter Roeck Signed-off-by: Kefeng Wang Signed-off-by: Russell King (Oracle) commit 942d9e89524c135615e557fffa144104ea8fb361 Author: Paolo Bonzini Date: Thu Jul 14 07:29:57 2022 -0400 Documentation: kvm: clarify histogram units In the case of histogram statistics, the values are always sample counts; the unit instead applies to the bucket range. For example, halt_poll_success_hist is a nanosecond statistic because the buckets are for 0ns, 1ns, 2-3ns, 4-7ns etc. There isn't really any other sensible interpretation, but clarify this anyway in the Documentation. Signed-off-by: Paolo Bonzini commit 1b870fa5573e260bc74d19f381ab0dd971a8d8e7 Author: Paolo Bonzini Date: Thu Jul 14 07:27:31 2022 -0400 kvm: stats: tell userspace which values are boolean Some of the statistics values exported by KVM are always only 0 or 1. It can be useful to export this fact to userspace so that it can track them specially (for example by polling the value every now and then to compute a % of time spent in a specific state). Therefore, add "boolean value" as a new "unit". While it is not exactly a unit, it walks and quacks like one. In particular, using the type would be wrong because boolean values could be instantaneous or peak values (e.g. "is the rmap allocated?") or even two-bucket histograms (e.g. "number of posted vs. non-posted interrupt injections"). Suggested-by: Amneesh Singh Signed-off-by: Paolo Bonzini commit 84e7051c0bc1f2a13101553959b3a9d9a8e24939 Author: Thadeu Lima de Souza Cascardo Date: Wed Jul 13 14:12:41 2022 -0300 x86/kvm: fix FASTOP_SIZE when return thunks are enabled The return thunk call makes the fastop functions larger, just like IBT does. Consider a 16-byte FASTOP_SIZE when CONFIG_RETHUNK is enabled. Otherwise, functions will be incorrectly aligned and when computing their position for differently sized operators, they will executed in the middle or end of a function, which may as well be an int3, leading to a crash like: [ 36.091116] int3: 0000 [#1] SMP NOPTI [ 36.091119] CPU: 3 PID: 1371 Comm: qemu-system-x86 Not tainted 5.15.0-41-generic #44 [ 36.091120] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 36.091121] RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm] [ 36.091185] Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc [ 36.091186] RSP: 0018:ffffb1f541143c98 EFLAGS: 00000202 [ 36.091188] RAX: 0000000089abcdef RBX: 0000000000000001 RCX: 0000000000000000 [ 36.091188] RDX: 0000000076543210 RSI: ffffffffc073c6d0 RDI: 0000000000000200 [ 36.091189] RBP: ffffb1f541143ca0 R08: ffff9f1803350a70 R09: 0000000000000002 [ 36.091190] R10: ffff9f1803350a70 R11: 0000000000000000 R12: ffff9f1803350a70 [ 36.091190] R13: ffffffffc077fee0 R14: 0000000000000000 R15: 0000000000000000 [ 36.091191] FS: 00007efdfce8d640(0000) GS:ffff9f187dd80000(0000) knlGS:0000000000000000 [ 36.091192] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 36.091192] CR2: 0000000000000000 CR3: 0000000009b62002 CR4: 0000000000772ee0 [ 36.091195] PKRU: 55555554 [ 36.091195] Call Trace: [ 36.091197] [ 36.091198] ? fastop+0x5a/0xa0 [kvm] [ 36.091222] x86_emulate_insn+0x7b8/0xe90 [kvm] [ 36.091244] x86_emulate_instruction+0x2f4/0x630 [kvm] [ 36.091263] ? kvm_arch_vcpu_load+0x7c/0x230 [kvm] [ 36.091283] ? vmx_prepare_switch_to_host+0xf7/0x190 [kvm_intel] [ 36.091290] complete_emulated_mmio+0x297/0x320 [kvm] [ 36.091310] kvm_arch_vcpu_ioctl_run+0x32f/0x550 [kvm] [ 36.091330] kvm_vcpu_ioctl+0x29e/0x6d0 [kvm] [ 36.091344] ? kvm_vcpu_ioctl+0x120/0x6d0 [kvm] [ 36.091357] ? __fget_files+0x86/0xc0 [ 36.091362] ? __fget_files+0x86/0xc0 [ 36.091363] __x64_sys_ioctl+0x92/0xd0 [ 36.091366] do_syscall_64+0x59/0xc0 [ 36.091369] ? syscall_exit_to_user_mode+0x27/0x50 [ 36.091370] ? do_syscall_64+0x69/0xc0 [ 36.091371] ? syscall_exit_to_user_mode+0x27/0x50 [ 36.091372] ? __x64_sys_writev+0x1c/0x30 [ 36.091374] ? do_syscall_64+0x69/0xc0 [ 36.091374] ? exit_to_user_mode_prepare+0x37/0xb0 [ 36.091378] ? syscall_exit_to_user_mode+0x27/0x50 [ 36.091379] ? do_syscall_64+0x69/0xc0 [ 36.091379] ? do_syscall_64+0x69/0xc0 [ 36.091380] ? do_syscall_64+0x69/0xc0 [ 36.091381] ? do_syscall_64+0x69/0xc0 [ 36.091381] entry_SYSCALL_64_after_hwframe+0x61/0xcb [ 36.091384] RIP: 0033:0x7efdfe6d1aff [ 36.091390] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00 [ 36.091391] RSP: 002b:00007efdfce8c460 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 36.091393] RAX: ffffffffffffffda RBX: 000000000000ae80 RCX: 00007efdfe6d1aff [ 36.091393] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 000000000000000c [ 36.091394] RBP: 0000558f1609e220 R08: 0000558f13fb8190 R09: 00000000ffffffff [ 36.091394] R10: 0000558f16b5e950 R11: 0000000000000246 R12: 0000000000000000 [ 36.091394] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 [ 36.091396] [ 36.091397] Modules linked in: isofs nls_iso8859_1 kvm_intel joydev kvm input_leds serio_raw sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua ipmi_devintf ipmi_msghandler drm msr ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net net_failover crypto_simd ahci xhci_pci cryptd psmouse virtio_blk libahci xhci_pci_renesas failover [ 36.123271] ---[ end trace db3c0ab5a48fabcc ]--- [ 36.123272] RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm] [ 36.123319] Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc [ 36.123320] RSP: 0018:ffffb1f541143c98 EFLAGS: 00000202 [ 36.123321] RAX: 0000000089abcdef RBX: 0000000000000001 RCX: 0000000000000000 [ 36.123321] RDX: 0000000076543210 RSI: ffffffffc073c6d0 RDI: 0000000000000200 [ 36.123322] RBP: ffffb1f541143ca0 R08: ffff9f1803350a70 R09: 0000000000000002 [ 36.123322] R10: ffff9f1803350a70 R11: 0000000000000000 R12: ffff9f1803350a70 [ 36.123323] R13: ffffffffc077fee0 R14: 0000000000000000 R15: 0000000000000000 [ 36.123323] FS: 00007efdfce8d640(0000) GS:ffff9f187dd80000(0000) knlGS:0000000000000000 [ 36.123324] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 36.123325] CR2: 0000000000000000 CR3: 0000000009b62002 CR4: 0000000000772ee0 [ 36.123327] PKRU: 55555554 [ 36.123328] Kernel panic - not syncing: Fatal exception in interrupt [ 36.123410] Kernel Offset: 0x1400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 36.135305] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- Fixes: aa3d480315ba ("x86: Use return-thunk in asm code") Signed-off-by: Thadeu Lima de Souza Cascardo Co-developed-by: Peter Zijlstra (Intel) Cc: Borislav Petkov Cc: Josh Poimboeuf Cc: Paolo Bonzini Reported-by: Linux Kernel Functional Testing Message-Id: <20220713171241.184026-1-cascardo@canonical.com> Tested-by: Jack Wang Signed-off-by: Paolo Bonzini commit 99482726452bdf8be9325199022b17fa6d7d58fe Author: Vitaly Kuznetsov Date: Tue Jul 12 15:50:09 2022 +0200 KVM: nVMX: Always enable TSC scaling for L2 when it was enabled for L1 Windows 10/11 guests with Hyper-V role (WSL2) enabled are observed to hang upon boot or shortly after when a non-default TSC frequency was set for L1. The issue is observed on a host where TSC scaling is supported. The problem appears to be that Windows doesn't use TSC frequency for its guests even when the feature is advertised and KVM filters SECONDARY_EXEC_TSC_SCALING out when creating L2 controls from L1's. This leads to L2 running with the default frequency (matching host's) while L1 is running with an altered one. Keep SECONDARY_EXEC_TSC_SCALING in secondary exec controls for L2 when it was set for L1. TSC_MULTIPLIER is already correctly computed and written by prepare_vmcs02(). Signed-off-by: Vitaly Kuznetsov Reviewed-by: Maxim Levitsky Message-Id: <20220712135009.952805-1-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini commit 564d998106397394b6aad260f219b882b3347e62 Author: Peter Zijlstra Date: Thu Jul 14 12:20:19 2022 +0200 um: Add missing apply_returns() Implement apply_returns() stub for UM, just like all the other patching routines. Fixes: 15e67227c49a ("x86: Undo return-thunk damage") Reported-by: Randy Dunlap Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/Ys%2Ft45l%2FgarIrD0u@worktop.programming.kicks-ass.net commit 2e15c51fefaffaf9f72255eaef4fada05055e4c5 Author: Chia-Lin Kao (AceLan) Date: Wed Jul 13 19:12:24 2022 +0800 net: atlantic: remove aq_nic_deinit() when resume aq_nic_deinit() has been called while suspending, so we don't have to call it again on resume. Actually, call it again leads to another hang issue when resuming from S3. Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992345] Call Trace: Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992346] Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992348] aq_nic_deinit+0xb4/0xd0 [atlantic] Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992356] aq_pm_thaw+0x7f/0x100 [atlantic] Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992362] pci_pm_resume+0x5c/0x90 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992366] ? pci_pm_thaw+0x80/0x80 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992368] dpm_run_callback+0x4e/0x120 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992371] device_resume+0xad/0x200 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992373] async_resume+0x1e/0x40 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992374] async_run_entry_fn+0x33/0x120 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992377] process_one_work+0x220/0x3c0 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992380] worker_thread+0x4d/0x3f0 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992382] ? process_one_work+0x3c0/0x3c0 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992384] kthread+0x12a/0x150 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992386] ? set_kthread_struct+0x40/0x40 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992387] ret_from_fork+0x22/0x30 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992391] Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992392] ---[ end trace 1ec8c79604ed5e0d ]--- Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992394] PM: dpm_run_callback(): pci_pm_resume+0x0/0x90 returns -110 Jul 8 03:09:44 u-Precision-7865-Tower kernel: [ 5910.992397] atlantic 0000:02:00.0: PM: failed to resume async: error -110 Fixes: 1809c30b6e5a ("net: atlantic: always deep reset on pm op, fixing up my null deref regression") Signed-off-by: Chia-Lin Kao (AceLan) Link: https://lore.kernel.org/r/20220713111224.1535938-2-acelan.kao@canonical.com Signed-off-by: Paolo Abeni commit 0f33250760384e05c36466b0a2f92f3c6007ba92 Author: Chia-Lin Kao (AceLan) Date: Wed Jul 13 19:12:23 2022 +0800 net: atlantic: remove deep parameter on suspend/resume functions Below commit claims that atlantic NIC requires to reset the device on pm op, and had set the deep to true for all suspend/resume functions. commit 1809c30b6e5a ("net: atlantic: always deep reset on pm op, fixing up my null deref regression") So, we could remove deep parameter on suspend/resume functions without any functional change. Fixes: 1809c30b6e5a ("net: atlantic: always deep reset on pm op, fixing up my null deref regression") Signed-off-by: Chia-Lin Kao (AceLan) Link: https://lore.kernel.org/r/20220713111224.1535938-1-acelan.kao@canonical.com Signed-off-by: Paolo Abeni commit ada74c5539eba06cf8b47d068f92e0b3963a9a6e Author: Íñigo Huguet Date: Wed Jul 13 11:21:16 2022 +0200 sfc: fix kernel panic when creating VF When creating VFs a kernel panic can happen when calling to efx_ef10_try_update_nic_stats_vf. When releasing a DMA coherent buffer, sometimes, I don't know in what specific circumstances, it has to unmap memory with vunmap. It is disallowed to do that in IRQ context or with BH disabled. Otherwise, we hit this line in vunmap, causing the crash: BUG_ON(in_interrupt()); This patch reenables BH to release the buffer. Log messages when the bug is hit: kernel BUG at mm/vmalloc.c:2727! invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 6 PID: 1462 Comm: NetworkManager Kdump: loaded Tainted: G I --------- --- 5.14.0-119.el9.x86_64 #1 Hardware name: Dell Inc. PowerEdge R740/06WXJT, BIOS 2.8.2 08/27/2020 RIP: 0010:vunmap+0x2e/0x30 ...skip... Call Trace: __iommu_dma_free+0x96/0x100 efx_nic_free_buffer+0x2b/0x40 [sfc] efx_ef10_try_update_nic_stats_vf+0x14a/0x1c0 [sfc] efx_ef10_update_stats_vf+0x18/0x40 [sfc] efx_start_all+0x15e/0x1d0 [sfc] efx_net_open+0x5a/0xe0 [sfc] __dev_open+0xe7/0x1a0 __dev_change_flags+0x1d7/0x240 dev_change_flags+0x21/0x60 ...skip... Fixes: d778819609a2 ("sfc: DMA the VF stats only when requested") Reported-by: Ma Yuying Signed-off-by: Íñigo Huguet Acked-by: Edward Cree Link: https://lore.kernel.org/r/20220713092116.21238-1-ihuguet@redhat.com Signed-off-by: Paolo Abeni commit d13122ca3cdf75f0ab82b4080c2058604834d1da Merge: 4a57a8400075b be82abe6a76ba Author: Paolo Bonzini Date: Thu Jul 14 06:01:53 2022 -0400 Merge tag 'kvm-riscv-fixes-5.19-2' of https://github.com/kvm-riscv/linux into HEAD KVM/riscv fixes for 5.19, take #2 - Fix missing PAGE_PFN_MASK - Fix SRCU deadlock caused by kvm_riscv_check_vcpu_requests() commit cc91b09b9ef8f8a9f29b4fdff5f65ab5700872e2 Merge: f46a5a9c679f4 4889fbd98deaf Author: Paolo Abeni Date: Thu Jul 14 10:15:15 2022 +0200 Merge branch 'seg6-fix-skb-checksum-for-srh-encapsulation-insertion' Andrea Mayer says: ==================== seg6: fix skb checksum for SRH encapsulation/insertion The Linux kernel supports Segment Routing Header (SRH) encapsulation/insertion operations by providing the capability to: i) encapsulate a packet in an outer IPv6 header with a specified SRH; ii) insert a specified SRH directly after the IPv6 header of the packet. Note that the insertion operation is also referred to as 'injection'. The two operations are respectively supported by seg6_do_srh_encap() and seg6_do_srh_inline(), which operate on the skb associated to the packet as needed (e.g. adding the necessary headers and initializing them, while taking care to recalculate the skb checksum). seg6_do_srh_encap() and seg6_do_srh_inline() do not initialize the payload length of the IPv6 header, which is carried out by the caller functions. However, this approach causes the corruption of the skb checksum which needs to be updated only after initialization of headers is completed (thanks to Paolo Abeni for detecting this issue). The patchset fixes the skb checksum corruption by moving the IPv6 header payload length initialization from the callers of seg6_do_srh_encap() and seg6_do_srh_inline() directly into these functions. This patchset is organized as follows: - patch 1/3, seg6: fix skb checksum evaluation in SRH encapsulation/insertion; (* SRH encapsulation/insertion available since v4.10) - patch 2/3, seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors; (* SRv6 End.B6 and End.B6.Encaps behaviors available since v4.14) - patch 3/3, seg6: bpf: fix skb checksum in bpf_push_seg6_encap(); (* bpf IPv6 Segment Routing helpers available since v4.18) ==================== Link: https://lore.kernel.org/r/20220712175837.16267-1-andrea.mayer@uniroma2.it Signed-off-by: Paolo Abeni commit 4889fbd98deaf243c3baadc54e296d71c6af1eb0 Author: Andrea Mayer Date: Tue Jul 12 19:58:37 2022 +0200 seg6: bpf: fix skb checksum in bpf_push_seg6_encap() Both helper functions bpf_lwt_seg6_action() and bpf_lwt_push_encap() use the bpf_push_seg6_encap() to encapsulate the packet in an IPv6 with Segment Routing Header (SRH) or insert an SRH between the IPv6 header and the payload. To achieve this result, such helper functions rely on bpf_push_seg6_encap() which, in turn, leverages seg6_do_srh_{encap,inline}() to perform the required operation (i.e. encap/inline). This patch removes the initialization of the IPv6 header payload length from bpf_push_seg6_encap(), as it is now handled properly by seg6_do_srh_{encap,inline}() to prevent corruption of the skb checksum. Fixes: fe94cc290f53 ("bpf: Add IPv6 Segment Routing helpers") Signed-off-by: Andrea Mayer Signed-off-by: Paolo Abeni commit f048880fc77058d864aff5c674af7918b30f312a Author: Andrea Mayer Date: Tue Jul 12 19:58:36 2022 +0200 seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors The SRv6 End.B6 and End.B6.Encaps behaviors rely on functions seg6_do_srh_{encap,inline}() to, respectively: i) encapsulate the packet within an outer IPv6 header with the specified Segment Routing Header (SRH); ii) insert the specified SRH directly after the IPv6 header of the packet. This patch removes the initialization of the IPv6 header payload length from the input_action_end_b6{_encap}() functions, as it is now handled properly by seg6_do_srh_{encap,inline}() to avoid corruption of the skb checksum. Fixes: 140f04c33bbc ("ipv6: sr: implement several seg6local actions") Signed-off-by: Andrea Mayer Signed-off-by: Paolo Abeni commit df8386d13ea280d55beee1b95f61a59234a3798b Author: Andrea Mayer Date: Tue Jul 12 19:58:35 2022 +0200 seg6: fix skb checksum evaluation in SRH encapsulation/insertion Support for SRH encapsulation and insertion was introduced with commit 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels"), through the seg6_do_srh_encap() and seg6_do_srh_inline() functions, respectively. The former encapsulates the packet in an outer IPv6 header along with the SRH, while the latter inserts the SRH between the IPv6 header and the payload. Then, the headers are initialized/updated according to the operating mode (i.e., encap/inline). Finally, the skb checksum is calculated to reflect the changes applied to the headers. The IPv6 payload length ('payload_len') is not initialized within seg6_do_srh_{inline,encap}() but is deferred in seg6_do_srh(), i.e. the caller of seg6_do_srh_{inline,encap}(). However, this operation invalidates the skb checksum, since the 'payload_len' is updated only after the checksum is evaluated. To solve this issue, the initialization of the IPv6 payload length is moved from seg6_do_srh() directly into the seg6_do_srh_{inline,encap}() functions and before the skb checksum update takes place. Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") Reported-by: Paolo Abeni Link: https://lore.kernel.org/all/20220705190727.69d532417be7438b15404ee1@uniroma2.it Signed-off-by: Andrea Mayer Signed-off-by: Paolo Abeni commit fac47b43c760ea90e64b895dba60df0327be7775 Author: Xiubo Li Date: Mon Jul 11 12:11:21 2022 +0800 netfs: do not unlock and put the folio twice check_write_begin() will unlock and put the folio when return non-zero. So we should avoid unlocking and putting it twice in netfs layer. Change the way ->check_write_begin() works in the following two ways: (1) Pass it a pointer to the folio pointer, allowing it to unlock and put the folio prior to doing the stuff it wants to do, provided it clears the folio pointer. (2) Change the return values such that 0 with folio pointer set means continue, 0 with folio pointer cleared means re-get and all error codes indicating an error (no special treatment for -EAGAIN). [ bagasdotme: use Sphinx code text syntax for *foliop pointer ] Cc: stable@vger.kernel.org Link: https://tracker.ceph.com/issues/56423 Link: https://lore.kernel.org/r/cf169f43-8ee7-8697-25da-0204d1b4343e@redhat.com Co-developed-by: David Howells Signed-off-by: Xiubo Li Signed-off-by: David Howells Signed-off-by: Bagas Sanjaya Signed-off-by: Ilya Dryomov commit d16e0b26672066035439b2f49887f6576c4a3689 Author: Alexandre Chartre Date: Wed Jul 13 21:58:08 2022 +0200 x86/entry: Remove UNTRAIN_RET from native_irq_return_ldt UNTRAIN_RET is not needed in native_irq_return_ldt because RET untraining has already been done at this point. In addition, when the RETBleed mitigation is IBPB, UNTRAIN_RET clobbers several registers (AX, CX, DX) so here it trashes user values which are in these registers. Signed-off-by: Alexandre Chartre Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/35b0d50f-12d1-10c3-f5e8-d6c140486d4a@oracle.com commit 33a8573bdfeec5b746aedeea880733a4c7993158 Author: Jiapeng Chong Date: Thu Jul 14 15:29:39 2022 +0800 x86/bugs: Mark retbleed_strings static This symbol is not used outside of bugs.c, so mark it static. Reported-by: Abaci Robot Signed-off-by: Jiapeng Chong Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20220714072939.71162-1-jiapeng.chong@linux.alibaba.com commit 355bf2e036c954317ddc4a9618b4f7e38ea5a970 Author: Changyuan Lyu Date: Fri Jul 8 13:50:26 2022 -0700 scsi: pm80xx: Set stopped phy's linkrate to Disabled Negotiated link rate needs to be updated to 'Disabled' when phy is stopped. Link: https://lore.kernel.org/r/20220708205026.969161-1-changyuanl@google.com Reviewed-by: Igor Pylypiv Signed-off-by: Changyuan Lyu Signed-off-by: Martin K. Petersen commit e78276cadb669d3e55cffe66bd166ff3c8572e38 Author: Changyuan Lyu Date: Thu Jul 7 10:52:10 2022 -0700 scsi: pm80xx: Fix 'Unknown' max/min linkrate Currently, the data flow of the max/min linkrate in the driver is * in pm8001_get_lrate_mode(): hardcoded value ==> struct sas_phy * in pm8001_bytes_dmaed(): struct pm8001_phy ==> struct sas_phy * in pm8001_phy_control(): libsas data ==> struct pm8001_phy Since pm8001_bytes_dmaed() follows pm8001_get_lrate_mode(), and the fields in struct pm8001_phy are not initialized, sysfs `/sys/class/sas_phy/phy-*/maximum_linkrate` always shows `Unknown`. To fix the issue, change the dataflow to the following: * in pm8001_phy_init(): initial value ==> struct pm8001_phy * in pm8001_get_lrate_mode(): struct pm8001_phy ==> struct sas_phy * in pm8001_phy_control(): libsas data ==> struct pm8001_phy For negotiated linkrate, the current dataflow is: * in pm8001_get_lrate_mode(): iomb data ==> struct asd_sas_phy ==> struct sas_phy * in pm8001_bytes_dmaed(): struct asd_sas_phy ==> struct sas_phy Since pm8001_bytes_dmaed() follows pm8001_get_lrate_mode(), the assignment statements in pm8001_bytes_dmaed() are unnecessary and cleaned up. Link: https://lore.kernel.org/r/20220707175210.528858-1-changyuanl@google.com Reviewed-by: Igor Pylypiv Acked-by: Jack Wang Signed-off-by: Changyuan Lyu Signed-off-by: Martin K. Petersen commit 52a518019ca187227b786f8b8ee20869a97f3af4 Author: Po-Wen Kao Date: Mon Jul 11 22:42:23 2022 +0800 scsi: ufs: core: Fix missing clk change notification on host reset In ufshcd_host_reset_and_restore(), ufshcd_set_clk_freq() is called to scale clock rate. However, this did not call vops->clk_scale_notify() to inform platform driver of clock change. Call ufshcd_scale_clks() instead so that clock change can be properly handled. Link: https://lore.kernel.org/r/20220711144224.17916-2-powen.kao@mediatek.com Reviewed-by: Bart Van Assche Reviewed-by: Stanley Chu Signed-off-by: Po-Wen Kao Signed-off-by: Martin K. Petersen commit 2ae57c995003a7840cb6b5ec5f0c06193695321b Author: Bjorn Andersson Date: Fri Jul 8 17:00:27 2022 -0700 scsi: ufs: core: Drop loglevel of WriteBoost message Commit '3b5f3c0d0548 ("scsi: ufs: core: Tidy up WB configuration code")' changed the log level of the write boost enable/disable notification from debug to info. This results in a lot of noise in the kernel log during normal operation. Drop it back to debug level to avoid this. Link: https://lore.kernel.org/r/20220709000027.3929970-1-bjorn.andersson@linaro.org Fixes: 3b5f3c0d0548 ("scsi: ufs: core: Tidy up WB configuration code") Reviewed-by: Alim Akhtar Acked-by: Bean Huo Signed-off-by: Bjorn Andersson Signed-off-by: Martin K. Petersen commit f46a5a9c679f495c555b7842807db5e886a9e650 Merge: ebe41da5d47ac 7b6f9462a3234 Author: Jakub Kicinski Date: Wed Jul 13 20:16:03 2022 -0700 Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2022-07-12 This series contains updates to ice driver only. Paul fixes detection of E822 devices for firmware update and changes NVM read for snapshot creation to be done in chunks as some systems cannot read the entire NVM in the allotted time. ==================== Link: https://lore.kernel.org/r/20220712164829.7275-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski commit 8312cd3a7b835ae3033a679e5f0014a40e7891c5 Author: Ming Lei Date: Wed Jul 6 20:59:42 2022 +0800 scsi: megaraid: Clear READ queue map's nr_queues The megaraid SCSI driver sets set->nr_maps as 3 if poll_queues is > 0, and blk-mq actually initializes each map's nr_queues as nr_hw_queues. Consequently the driver has to clear READ queue map's nr_queues, otherwise the queue map becomes broken if poll_queues is set as non-zero. Link: https://lore.kernel.org/r/20220706125942.528533-1-ming.lei@redhat.com Fixes: 9e4bec5b2a23 ("scsi: megaraid_sas: mq_poll support") Cc: Kashyap Desai Cc: sumit.saxena@broadcom.com Cc: chandrakanth.patil@broadcom.com Cc: linux-block@vger.kernel.org Cc: Hannes Reinecke Reported-by: Guangwu Zhang Tested-by: Guangwu Zhang Reviewed-by: Bart Van Assche Signed-off-by: Ming Lei Signed-off-by: Martin K. Petersen commit ebe41da5d47ac0fff877e57bd14c54dccf168827 Author: Íñigo Huguet Date: Tue Jul 12 08:26:42 2022 +0200 sfc: fix use after free when disabling sriov Use after free is detected by kfence when disabling sriov. What was read after being freed was vf->pci_dev: it was freed from pci_disable_sriov and later read in efx_ef10_sriov_free_vf_vports, called from efx_ef10_sriov_free_vf_vswitching. Set the pointer to NULL at release time to not trying to read it later. Reproducer and dmesg log (note that kfence doesn't detect it every time): $ echo 1 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs $ echo 0 > /sys/class/net/enp65s0f0np0/device/sriov_numvfs BUG: KFENCE: use-after-free read in efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc] Use-after-free read at 0x00000000ff3c1ba5 (in kfence-#224): efx_ef10_sriov_free_vf_vswitching+0x82/0x170 [sfc] efx_ef10_pci_sriov_disable+0x38/0x70 [sfc] efx_pci_sriov_configure+0x24/0x40 [sfc] sriov_numvfs_store+0xfe/0x140 kernfs_fop_write_iter+0x11c/0x1b0 new_sync_write+0x11f/0x1b0 vfs_write+0x1eb/0x280 ksys_write+0x5f/0xe0 do_syscall_64+0x5c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae kfence-#224: 0x00000000edb8ef95-0x00000000671f5ce1, size=2792, cache=kmalloc-4k allocated by task 6771 on cpu 10 at 3137.860196s: pci_alloc_dev+0x21/0x60 pci_iov_add_virtfn+0x2a2/0x320 sriov_enable+0x212/0x3e0 efx_ef10_sriov_configure+0x67/0x80 [sfc] efx_pci_sriov_configure+0x24/0x40 [sfc] sriov_numvfs_store+0xba/0x140 kernfs_fop_write_iter+0x11c/0x1b0 new_sync_write+0x11f/0x1b0 vfs_write+0x1eb/0x280 ksys_write+0x5f/0xe0 do_syscall_64+0x5c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae freed by task 6771 on cpu 12 at 3170.991309s: device_release+0x34/0x90 kobject_cleanup+0x3a/0x130 pci_iov_remove_virtfn+0xd9/0x120 sriov_disable+0x30/0xe0 efx_ef10_pci_sriov_disable+0x57/0x70 [sfc] efx_pci_sriov_configure+0x24/0x40 [sfc] sriov_numvfs_store+0xfe/0x140 kernfs_fop_write_iter+0x11c/0x1b0 new_sync_write+0x11f/0x1b0 vfs_write+0x1eb/0x280 ksys_write+0x5f/0xe0 do_syscall_64+0x5c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 3c5eb87605e85 ("sfc: create vports for VFs and assign random MAC addresses") Reported-by: Yanghang Liu Signed-off-by: Íñigo Huguet Acked-by: Martin Habets Link: https://lore.kernel.org/r/20220712062642.6915-1-ihuguet@redhat.com Signed-off-by: Jakub Kicinski commit 32f319183c439b239294cb2d70ada3564c4c7c39 Author: Steve French Date: Tue Jul 12 00:11:42 2022 -0500 smb3: workaround negprot bug in some Samba servers Mount can now fail to older Samba servers due to a server bug handling padding at the end of the last negotiate context (negotiate contexts typically are rounded up to 8 bytes by adding padding if needed). This server bug can be avoided by switching the order of negotiate contexts, placing a negotiate context at the end that does not require padding (prior to the recent netname context fix this was the case on the client). Fixes: 73130a7b1ac9 ("smb3: fix empty netname context on secondary channels") Reported-by: Julian Sikorski Tested-by: Julian Sikorski Reviewed-by: Shyam Prasad N Signed-off-by: Steve French commit fbd74d16890b9f5d08ea69b5282b123c894f8860 Author: Mario Limonciello Date: Wed Jul 13 12:53:46 2022 -0500 ACPI: CPPC: Fix enabling CPPC on AMD systems with shared memory When commit 72f2ecb7ece7 ("ACPI: bus: Set CPPC _OSC bits for all and when CPPC_LIB is supported") was introduced, we found collateral damage that a number of AMD systems that supported CPPC but didn't advertise support in _OSC stopped having a functional amd-pstate driver. The _OSC was only enforced on Intel systems at that time. This was fixed for the MSR based designs by commit 8b356e536e69f ("ACPI: CPPC: Don't require _OSC if X86_FEATURE_CPPC is supported") but some shared memory based designs also support CPPC but haven't advertised support in the _OSC. Add support for those designs as well by hardcoding the list of systems. Fixes: 72f2ecb7ece7 ("ACPI: bus: Set CPPC _OSC bits for all and when CPPC_LIB is supported") Fixes: 8b356e536e69f ("ACPI: CPPC: Don't require _OSC if X86_FEATURE_CPPC is supported") Link: https://lore.kernel.org/all/3559249.JlDtxWtqDm@natalenko.name/ Cc: 5.18+ # 5.18+ Reported-and-tested-by: Oleksandr Natalenko Signed-off-by: Mario Limonciello Signed-off-by: Rafael J. Wysocki commit 4a57a8400075bc5287c5c877702c68aeae2a033d Author: Ansgar Lößer Date: Wed Jul 13 20:51:44 2022 +0200 vf/remap: return the amount of bytes actually deduplicated When using the FIDEDUPRANGE ioctl, in case of success the requested size is returned. In some cases this might not be the actual amount of bytes deduplicated. This change modifies vfs_dedupe_file_range() to report the actual amount of bytes deduplicated, instead of the requested amount. Link: https://lore.kernel.org/linux-fsdevel/5548ef63-62f9-4f46-5793-03165ceccacc@tu-darmstadt.de/ Reported-by: Ansgar Lößer Reported-by: Max Schlecht Reported-by: Björn Scheuermann Cc: Dave Chinner Cc: Darrick J Wong Signed-off-by: Ansgar Lößer Signed-off-by: Linus Torvalds commit d0b97f3891fb414bd1fd1cb3d83f0f6b9fd0d357 Merge: 5750676b64a56 07fd5b6cdf3cc Author: Linus Torvalds Date: Wed Jul 13 11:47:01 2022 -0700 Merge tag 'cgroup-for-5.19-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fix from Tejun Heo: "Fix an old and subtle bug in the migration path. css_sets are used to track tasks and migrations are tasks moving from a group of css_sets to another group of css_sets. The migration path pins all source and destination css_sets in the prep stage. Unfortunately, it was overloading the same list_head entry to track sources and destinations, which got confused for migrations which are partially identity leading to use-after-frees. Fixed by using dedicated list_heads for tracking sources and destinations" * tag 'cgroup-for-5.19-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup: Use separate src/dst nodes when preloading css_sets for migration commit 7fccd723912702acfc2d75e8f0596982534f7f24 Merge: dc5cb7a833e83 efa310ba00716 Author: Palmer Dabbelt Date: Wed Jul 13 10:42:57 2022 -0700 Merge tag 'dt-fixes-for-palmer-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/conor/linux.git into fixes Microchip RISC-V devicetree fixes for 5.19-rc6 A single fix for mpfs.dtsi: - The l2 cache controller was never hooked up in the dt, so userspace is presented with the wrong topology information, so it has been hooked up. * tag 'dt-fixes-for-palmer-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/conor/linux.git: riscv: dts: microchip: hook up the mpfs' l2cache commit 5750676b64a561f7ec920d7c6ba130fc9c7378f3 Author: Dave Chinner Date: Wed Jul 13 17:49:15 2022 +1000 fs/remap: constrain dedupe of EOF blocks If dedupe of an EOF block is not constrainted to match against only other EOF blocks with the same EOF offset into the block, it can match against any other block that has the same matching initial bytes in it, even if the bytes beyond EOF in the source file do not match. Fix this by constraining the EOF block matching to only match against other EOF blocks that have identical EOF offsets and data. This allows "whole file dedupe" to continue to work without allowing eof blocks to randomly match against partial full blocks with the same data. Reported-by: Ansgar Lößer Fixes: 1383a7ed6749 ("vfs: check file ranges before cloning files") Link: https://lore.kernel.org/linux-fsdevel/a7c93559-4ba1-df2f-7a85-55a143696405@tu-darmstadt.de/ Signed-off-by: Dave Chinner Signed-off-by: Linus Torvalds commit 3283c83eb6fcfbda8ea03d7149d8e42e71c5d45e Author: Michel Dänzer Date: Mon Jul 11 16:51:31 2022 +0200 drm/amd/display: Ensure valid event timestamp for cursor-only commits Requires enabling the vblank machinery for them. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2030 Signed-off-by: Michel Dänzer Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 47053b1e7382628dd30415685ae257f766a311e4 Author: Melissa Wen Date: Tue Jul 12 10:32:39 2022 -0100 drm/amd/display: correct check of coverage blend mode Check the value of per_pixel_alpha to decide whether the Coverage pixel blend mode is applicable or not. Fixes: 76818cdd11a2 ("drm/amd/display: add Coverage blend mode for overlay plane") Reported-by: kernel test robot Reported-by: Dan Carpenter Reviewed-by: Harry Wentland Signed-off-by: Melissa Wen Signed-off-by: Alex Deucher commit 0638c98c17aa12fe914459c82cd178247e21fb2b Author: Yefim Barashkin Date: Mon Jul 11 14:35:11 2022 -0800 drm/amd/pm: Prevent divide by zero divide error: 0000 [#1] SMP PTI CPU: 3 PID: 78925 Comm: tee Not tainted 5.15.50-1-lts #1 Hardware name: MSI MS-7A59/Z270 SLI PLUS (MS-7A59), BIOS 1.90 01/30/2018 RIP: 0010:smu_v11_0_set_fan_speed_rpm+0x11/0x110 [amdgpu] Speed is user-configurable through a file. I accidentally set it to zero, and the driver crashed. Reviewed-by: Evan Quan Reviewed-by: André Almeida Signed-off-by: Yefim Barashkin Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit add61d3c31de6a4b5e11a2ab96aaf4c873481568 Author: Mario Kleiner Date: Mon Jul 11 19:39:28 2022 +0200 drm/amd/display: Only use depth 36 bpp linebuffers on DCN display engines. Various DCE versions had trouble with 36 bpp lb depth, requiring fixes, last time in commit 353ca0fa5630 ("drm/amd/display: Fix 10bit 4K display on CIK GPUs") for DCE-8. So far >= DCE-11.2 was considered ok, but now I found out that on DCE-11.2 it causes dithering when there shouldn't be any, so identity pixel passthrough with identity gamma LUTs doesn't work when it should. This breaks various important neuroscience applications, as reported to me by scientific users of Polaris cards under Ubuntu 22.04 with Linux 5.15, and confirmed by testing it myself on DCE-11.2. Lets only use depth 36 for DCN engines, where my testing showed that it is both necessary for high color precision output, e.g., RGBA16 fb's, and not harmful, as far as more than one year in real-world use showed. DCE engines seem to work fine for high precision output at 30 bpp, so this ("famous last words") depth 30 should hopefully fix all known problems without introducing new ones. Successfully retested on DCE-11.2 Polaris and DCN-1.0 Raven Ridge on top of Linux 5.19.0-rc2 + drm-next. Fixes: 353ca0fa5630 ("drm/amd/display: Fix 10bit 4K display on CIK GPUs") Signed-off-by: Mario Kleiner Tested-by: Mario Kleiner Cc: stable@vger.kernel.org # 5.14.0 Cc: Alex Deucher Cc: Harry Wentland Signed-off-by: Alex Deucher commit c0044865480a162146b9dfe7783e73a08e97b2b9 Author: Prike Liang Date: Mon Jul 11 16:03:08 2022 +0800 drm/amdkfd: correct the MEC atomic support firmware checking for GC 10.3.7 On the GC 10.3.7 platform the initial MEC release version #3 can support atomic operation,so need correct and set its MEC atomic support version to #3. Signed-off-by: Prike Liang Reviewed-by: Aaron Liu Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 5.18.x commit acea108fa067d140bd155161a79b1fcd967f4137 Author: Fangzhi Zuo Date: Wed Jul 6 15:52:46 2022 -0400 drm/amd/display: Ignore First MST Sideband Message Return Error [why] First MST sideband message returns AUX_RET_ERROR_HPD_DISCON on certain intel platform. Aux transaction considered failure if HPD unexpected pulled low. The actual aux transaction success in such case, hence do not return error. [how] Not returning error when AUX_RET_ERROR_HPD_DISCON detected on the first sideband message. v2: squash in additional DMI entries v3: squash in static fix Signed-off-by: Fangzhi Zuo Acked-by: Solomon Chiu Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 067d2521874135267e681c19d42761c601d503d6 Author: Jianglei Nie Date: Tue Jul 12 09:10:37 2022 +0800 ima: Fix potential memory leak in ima_init_crypto() On failure to allocate the SHA1 tfm, IMA fails to initialize and exits without freeing the ima_algo_array. Add the missing kfree() for ima_algo_array to avoid the potential memory leak. Signed-off-by: Jianglei Nie Fixes: 6d94809af6b0 ("ima: Allocate and initialize tfm for each PCR bank") Signed-off-by: Mimi Zohar commit af16df54b89dee72df253abc5e7b5e8a6d16c11c Author: Coiby Xu Date: Wed Jul 13 15:21:11 2022 +0800 ima: force signature verification when CONFIG_KEXEC_SIG is configured Currently, an unsigned kernel could be kexec'ed when IMA arch specific policy is configured unless lockdown is enabled. Enforce kernel signature verification check in the kexec_file_load syscall when IMA arch specific policy is configured. Fixes: 99d5cadfde2b ("kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE") Reported-and-suggested-by: Mimi Zohar Signed-off-by: Coiby Xu Signed-off-by: Mimi Zohar commit b11e5f6a3a5c170d16c2cf0b1d8053bbf1f6b7de Author: Nick Bowler Date: Tue Jul 12 21:58:35 2022 -0400 net: sunhme: output link status with a single print. This driver currently prints the link status using four separate printk calls, which these days gets presented to the user as four distinct messages, not exactly ideal: [ 32.582778] eth0: Link is up using [ 32.582828] internal [ 32.582837] transceiver at [ 32.582888] 100Mb/s, Full Duplex. Restructure the display_link_mode function to use a single netdev_info call to present all this information as a single message, which is much nicer: [ 33.640143] hme 0000:00:01.1 eth0: Link is up using internal transceiver at 100Mb/s, Full Duplex. The display_forced_link_mode function has a similar structure, so adjust it in a similar fashion. Signed-off-by: Nick Bowler Signed-off-by: David S. Miller commit 057cc8c9005e23330e368afd18839ce3764dc0af Author: Hayes Wang Date: Wed Jul 13 11:31:11 2022 +0800 r8152: fix accessing unset transport header A warning is triggered by commit 66e4c8d95008 ("net: warn if transport header was not set"). The warning is harmless, because the value from skb_transport_offset() is only used for skb_is_gso() is true or the skb->ip_summed is equal to CHECKSUM_PARTIAL. Fixes: 66e4c8d95008 ("net: warn if transport header was not set") Signed-off-by: Hayes Wang Signed-off-by: David S. Miller commit 67de8acdd375e6f0d4ee9aa5745b9f9b329980b7 Merge: 23aa6d5088e3b 50e2ab3929194 Author: David S. Miller Date: Wed Jul 13 14:27:38 2022 +0100 Merge tag 'wireless-2022-07-13' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless Johannes Berg says: ==================== A small set of fixes for * queue selection in mesh/ocb * queue handling on interface stop * hwsim virtio device vs. some other virtio changes * dt-bindings email addresses * color collision memory allocation * a const variable in rtw88 * shared SKB transmit in the ethernet format path * P2P client port authorization ==================== Signed-off-by: David S. Miller commit a0b0987a781157263b82f4022649cf686d36c787 Author: Vasily Gorbik Date: Mon Jun 27 14:50:56 2022 +0200 s390/nospec: remove unneeded header includes Commit 4efd417f298b ("s390: raise minimum supported machine generation to z10") removed the usage of alternatives and lowcore in expolines macros. Remove unneeded header includes as well. With that, expoline.S doesn't require asm-offsets.h and expoline_prepare target dependency could be removed. Tested-by: Joe Lawrence Link: https://lore.kernel.org/r/patch-2.thread-d13b6c.git-d13b6c96fb5f.your-ad-here.call-01656331067-ext-4899@work.hours Signed-off-by: Vasily Gorbik Signed-off-by: Alexander Gordeev commit c4e789572557aa147b13bf7fe09cc99663ed0cf5 Author: Vasily Gorbik Date: Mon Jun 27 14:50:53 2022 +0200 s390/nospec: build expoline.o for modules_prepare target When CONFIG_EXPOLINE_EXTERN is used expoline thunks are generated from arch/s390/lib/expoline.S and postlinked into every module. This is also true for external modules. Add expoline.o build to the modules_prepare target. Fixes: 1d2ad084800e ("s390/nospec: add an option to use thunk-extern") Reported-by: Joe Lawrence Tested-by: Sumanth Korikkar Acked-by: Sumanth Korikkar Tested-by: C. Erastus Toe Tested-by: Joe Lawrence Link: https://lore.kernel.org/r/patch-1.thread-d13b6c.git-a2387a74dc49.your-ad-here.call-01656331067-ext-4899@work.hours Signed-off-by: Vasily Gorbik Signed-off-by: Alexander Gordeev commit 23aa6d5088e3bd65de77c5c307237b9937f8b48a Author: Dan Carpenter Date: Tue Jul 12 17:42:25 2022 +0300 net: stmmac: fix leaks in probe These two error paths should clean up before returning. Fixes: 2bb4b98b60d7 ("net: stmmac: Add Ingenic SoCs MAC support.") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller commit 49b9f431ff0d845a36be0b3ede35ec324f2e5fee Author: Liang He Date: Tue Jul 12 14:14:17 2022 +0800 net: ftgmac100: Hold reference returned by of_get_child_by_name() In ftgmac100_probe(), we should hold the refernece returned by of_get_child_by_name() and use it to call of_node_put() for reference balance. Fixes: 39bfab8844a0 ("net: ftgmac100: Add support for DT phy-handle property") Signed-off-by: Liang He Signed-off-by: David S. Miller commit 7d5424b26f17b74d94e73815718b424ad207a3e7 Merge: 22b9c41a3fb8e bdf00bf24bef9 Author: David S. Miller Date: Wed Jul 13 12:56:50 2022 +0100 Merge branch 'net-sysctl-races' Kuniyuki Iwashima says: ==================== sysctl: Fix data-races around ipv4_net_table (Roun). This series fixes data-races around the first 13 knobs and nexthop_compat_mode in ipv4_net_table. I will post another patch for three early_demux knobs later, so the next round will start from ip_default_ttl. ==================== Signed-off-by: David S. Miller commit bdf00bf24bef9be1ca641a6390fd5487873e0d2e Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:33 2022 -0700 nexthop: Fix data-races around nexthop_compat_mode. While reading nexthop_compat_mode, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 4f80116d3df3 ("net: ipv4: add sysctl for nexthop api compatibility mode") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit e49e4aff7ec19b2d0d0957ee30e93dade57dab9e Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:32 2022 -0700 ipv4: Fix data-races around sysctl_ip_dynaddr. While reading sysctl_ip_dynaddr, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 12b8d9ca7e678abc48195294494f1815b555d658 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:31 2022 -0700 tcp: Fix a data-race around sysctl_tcp_ecn_fallback. While reading sysctl_tcp_ecn_fallback, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 492135557dc0 ("tcp: add rfc3168, section 6.1.1.1. fallback") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 4785a66702f086cf2ea84bdbe6ec921f274bd9f2 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:30 2022 -0700 tcp: Fix data-races around sysctl_tcp_ecn. While reading sysctl_tcp_ecn, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 1dace014928e6e385363032d359a04dee9158af0 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:29 2022 -0700 raw: Fix a data-race around sysctl_raw_l3mdev_accept. While reading sysctl_raw_l3mdev_accept, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 6897445fb194 ("net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 1ebcb25ad6fc3d50fca87350acf451b9a66dd31e Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:28 2022 -0700 icmp: Fix a data-race around sysctl_icmp_ratemask. While reading sysctl_icmp_ratemask, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 2a4eb714841f288cf51c7d942d98af6a8c6e4b01 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:27 2022 -0700 icmp: Fix a data-race around sysctl_icmp_ratelimit. While reading sysctl_icmp_ratelimit, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit d2efabce81db7eed1c98fa1a3f203f0edd738ac3 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:26 2022 -0700 icmp: Fix a data-race around sysctl_icmp_errors_use_inbound_ifaddr. While reading sysctl_icmp_errors_use_inbound_ifaddr, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1c2fb7f93cb2 ("[IPV4]: Sysctl configurable icmp error source address.") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit b04f9b7e85c7d7aecbada620e8759a662af068d3 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:25 2022 -0700 icmp: Fix a data-race around sysctl_icmp_ignore_bogus_error_responses. While reading sysctl_icmp_ignore_bogus_error_responses, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 66484bb98ed2dfa1dda37a32411483d8311ac269 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:24 2022 -0700 icmp: Fix a data-race around sysctl_icmp_echo_ignore_broadcasts. While reading sysctl_icmp_echo_ignore_broadcasts, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 4a2f7083cc6cb72dade9a63699ca352fad26d1cd Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:23 2022 -0700 icmp: Fix data-races around sysctl_icmp_echo_enable_probe. While reading sysctl_icmp_echo_enable_probe, it can be changed concurrently. Thus, we need to add READ_ONCE() to its readers. Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages") Fixes: 1fd07f33c3ea ("ipv6: ICMPV6: add response to ICMPV6 RFC 8335 PROBE messages") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit bb7bb35a63b4812da8e3aff587773678e31d23e3 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:22 2022 -0700 icmp: Fix a data-race around sysctl_icmp_echo_ignore_all. While reading sysctl_icmp_echo_ignore_all, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 6f605b57f3782114e330e108ce1903ede22ec675 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:21 2022 -0700 tcp: Fix a data-race around sysctl_max_tw_buckets. While reading sysctl_max_tw_buckets, it can be changed concurrently. Thus, we need to add READ_ONCE() to its reader. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 7d1025e559782b58824b36cb8ad547a69f2e4b31 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:20 2022 -0700 sysctl: Fix data-races in proc_dointvec_ms_jiffies(). A sysctl variable is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing. This patch changes proc_dointvec_ms_jiffies() to use READ_ONCE() and WRITE_ONCE() internally to fix data-races on the sysctl side. For now, proc_dointvec_ms_jiffies() itself is tolerant to a data-race, but we still need to add annotations on the other subsystem's side. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 7dee5d7747a69aa2be41f04c6a7ecfe3ac8cdf18 Author: Kuniyuki Iwashima Date: Mon Jul 11 17:15:19 2022 -0700 sysctl: Fix data-races in proc_dou8vec_minmax(). A sysctl variable is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing. This patch changes proc_dou8vec_minmax() to use READ_ONCE() and WRITE_ONCE() internally to fix data-races on the sysctl side. For now, proc_dou8vec_minmax() itself is tolerant to a data-race, but we still need to add annotations on the other subsystem's side. Fixes: cb9444130662 ("sysctl: add proc_dou8vec_minmax()") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit d2394860b45c3c1484e4b0a5d09909a1e3f6569e Author: AngeloGioacchino Del Regno Date: Wed Jul 13 13:15:36 2022 +0200 cpufreq: mediatek: Handle sram regulator probe deferral If the regulator_get_optional() call for the SRAM regulator returns a probe deferral, we must bail out and retry probing later: failing to do this will produce unstabilities on platforms requiring the handling for this regulator. Fixes: ffa7bdf7f344 ("cpufreq: mediatek: Make sram regulator optional") Signed-off-by: AngeloGioacchino Del Regno Signed-off-by: Viresh Kumar commit 230ec83d4299b30c51a1c133b4f2a669972cc08a Author: Juergen Gross Date: Fri Jul 8 15:14:56 2022 +0200 x86/pat: Fix x86_has_pat_wp() x86_has_pat_wp() is using a wrong test, as it relies on the normal PAT configuration used by the kernel. In case the PAT MSR has been setup by another entity (e.g. Xen hypervisor) it might return false even if the PAT configuration is allowing WP mappings. This due to the fact that when running as Xen PV guest the PAT MSR is setup by the hypervisor and cannot be changed by the guest. This results in the WP related entry to be at a different position when running as Xen PV guest compared to the bare metal or fully virtualized case. The correct way to test for WP support is: 1. Get the PTE protection bits needed to select WP mode by reading __cachemode2pte_tbl[_PAGE_CACHE_MODE_WP] (depending on the PAT MSR setting this might return protection bits for a stronger mode, e.g. UC-) 2. Translate those bits back into the real cache mode selected by those PTE bits by reading __pte2cachemode_tbl[__pte2cm_idx(prot)] 3. Test for the cache mode to be _PAGE_CACHE_MODE_WP Fixes: f88a68facd9a ("x86/mm: Extend early_memremap() support with additional attrs") Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov Cc: # 4.14 Link: https://lore.kernel.org/r/20220503132207.17234-1-jgross@suse.com commit 3131ef39fb03bbde237d0b8260445898f3dfda5b Author: Jiri Slaby Date: Wed Jul 13 11:50:46 2022 +0200 x86/asm/32: Fix ANNOTATE_UNRET_SAFE use on 32-bit The build on x86_32 currently fails after commit 9bb2ec608a20 (objtool: Update Retpoline validation) with: arch/x86/kernel/../../x86/xen/xen-head.S:35: Error: no such instruction: `annotate_unret_safe' ANNOTATE_UNRET_SAFE is defined in nospec-branch.h. And head_32.S is missing this include. Fix this. Fixes: 9bb2ec608a20 ("objtool: Update Retpoline validation") Signed-off-by: Jiri Slaby Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/63e23f80-033f-f64e-7522-2816debbc367@kernel.org commit 9b043a8f386485c74c0f8eea2c287d5bdbdf3279 Author: Meng Tang Date: Wed Jul 13 17:41:33 2022 +0800 ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop The headset on this machine is not defined, after applying the quirk ALC256_FIXUP_ASUS_HEADSET_MIC, the headset-mic works well Signed-off-by: Meng Tang Cc: Link: https://lore.kernel.org/r/20220713094133.9894-1-tangmeng@uniontech.com Signed-off-by: Takashi Iwai commit 51189eb9ddc88851edc42f539a0f9862fd0630c2 Author: Tony Lindgren Date: Wed Jun 22 08:12:15 2022 +0300 mmc: sdhci-omap: Fix a lockdep warning for PM runtime init We need runtime PM enabled early in probe before sdhci_setup_host() for sdhci_omap_set_capabilities(). But on the first runtime resume we must not call sdhci_runtime_resume_host() as sdhci_setup_host() has not been called yet. Let's check for an initialized controller like we already do for context restore to fix a lockdep warning. Fixes: f433e8aac6b9 ("mmc: sdhci-omap: Implement PM runtime functions") Reported-by: Yegor Yefremov Suggested-by: Arnd Bergmann Signed-off-by: Tony Lindgren Acked-by: Adrian Hunter Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220622051215.34063-1-tony@atomide.com Signed-off-by: Ulf Hansson commit 68e3c69803dada336893640110cb87221bb01dcf Author: Peter Zijlstra Date: Tue Jul 5 15:07:26 2022 +0200 perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() Yang Jihing reported a race between perf_event_set_output() and perf_mmap_close(): CPU1 CPU2 perf_mmap_close(e2) if (atomic_dec_and_test(&e2->rb->mmap_count)) // 1 - > 0 detach_rest = true ioctl(e1, IOC_SET_OUTPUT, e2) perf_event_set_output(e1, e2) ... list_for_each_entry_rcu(e, &e2->rb->event_list, rb_entry) ring_buffer_attach(e, NULL); // e1 isn't yet added and // therefore not detached ring_buffer_attach(e1, e2->rb) list_add_rcu(&e1->rb_entry, &e2->rb->event_list) After this; e1 is attached to an unmapped rb and a subsequent perf_mmap() will loop forever more: again: mutex_lock(&e->mmap_mutex); if (event->rb) { ... if (!atomic_inc_not_zero(&e->rb->mmap_count)) { ... mutex_unlock(&e->mmap_mutex); goto again; } } The loop in perf_mmap_close() holds e2->mmap_mutex, while the attach in perf_event_set_output() holds e1->mmap_mutex. As such there is no serialization to avoid this race. Change perf_event_set_output() to take both e1->mmap_mutex and e2->mmap_mutex to alleviate that problem. Additionally, have the loop in perf_mmap() detach the rb directly, this avoids having to wait for the concurrent perf_mmap_close() to get around to doing it to make progress. Fixes: 9bb5d40cd93c ("perf: Fix mmap() accounting hole") Reported-by: Yang Jihong Signed-off-by: Peter Zijlstra (Intel) Tested-by: Yang Jihong Link: https://lkml.kernel.org/r/YsQ3jm2GR38SW7uD@worktop.programming.kicks-ass.net commit d332a1f6b4c4b07bf984f04df897818c7c7fce8f Merge: 52905140c3ed4 03110b46c99bb Author: Arnd Bergmann Date: Wed Jul 13 09:37:20 2022 +0200 Merge tag 'qcom-dts-fixes-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into arm/fixes Qualcomm DTS fixe for 5.19 The pinctrl state was lost in the recent refactoring of the MSM8974 Devicetree, this contains a fix for this. * tag 'qcom-dts-fixes-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: ARM: dts: qcom: msm8974: re-add missing pinctrl Link: https://lore.kernel.org/r/20220713030627.1371156-1-bjorn.andersson@linaro.org Signed-off-by: Arnd Bergmann commit 52905140c3ed42a16644650d431cdd1051a0a337 Merge: 01277737e9bed 8bd582ae9a71d Author: Arnd Bergmann Date: Wed Jul 13 09:35:55 2022 +0200 Merge tag 'arm-soc/for-5.19/devicetree-arm64-fixes' of https://github.com/Broadcom/stblinux into arm/fixes This pull request contains Broadcom ARM64-based SoCs Device Tree fixes for 5.19, please pull the following: - William corrects the BCM4906 DTS to have an armv8-timer Device Tree, necessary for booting, and fixes the BCM4908 DTS to have a proper 'enable-method' and 'cpu-release-addr' properties for the kernel to boot when using u-boot * tag 'arm-soc/for-5.19/devicetree-arm64-fixes' of https://github.com/Broadcom/stblinux: arm64: dts: broadcom: bcm4908: Fix cpu node for smp boot arm64: dts: broadcom: bcm4908: Fix timer node for BCM4906 SoC Link: https://lore.kernel.org/r/20220712231222.97850-1-f.fainelli@gmail.com Signed-off-by: Arnd Bergmann commit 4ba5c853d7945b3855c3dcb293f7f9f019db641e Author: Meng Tang Date: Wed Jul 13 14:33:32 2022 +0800 ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221 On a HP 288 Pro G2 MT (X9W02AV), the front mic could not be detected. In order to get it working, the pin configuration needs to be set correctly, and the ALC221_FIXUP_HP_288PRO_MIC_NO_PRESENCE fixup needs to be applied. Signed-off-by: Meng Tang Cc: Link: https://lore.kernel.org/r/20220713063332.30095-1-tangmeng@uniontech.com Signed-off-by: Takashi Iwai commit 61d307855eb1a2ae849da445edd5389db8a58a5c Author: Jeremy Szu Date: Wed Jul 13 10:27:04 2022 +0800 ALSA: hda/realtek: fix mute/micmute LEDs for HP machines The HP ProBook 440/450 G9 and EliteBook 640/650 G9 have multiple motherboard design and they are using different subsystem ID of audio codec. Add the same quirk for other MBs. Signed-off-by: Jeremy Szu Cc: Link: https://lore.kernel.org/r/20220713022706.22892-1-jeremy.szu@canonical.com Signed-off-by: Takashi Iwai commit 7c239a071d1f04b7137789810807b4108d475c72 Author: Lucien Buchmann Date: Sat Jun 25 02:17:44 2022 +0200 USB: serial: ftdi_sio: add Belimo device ids Those two product ids are known. Signed-off-by: Lucien Buchmann Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold commit 22b9c41a3fb8ef4624bcda312665937d2ba98aa7 Merge: f946964a9f79f ddde5412fdaa5 Author: Jakub Kicinski Date: Tue Jul 12 20:36:00 2022 -0700 Merge branch 'bnxt_en-5-bug-fixes' Michael Chan says: ==================== bnxt_en: 5 Bug fixes This patchset fixes various issues, including SRIOV error unwinding, one error recovery path, live patch reporting, XDP transmit path, and PHC clock reading. ==================== Link: https://lore.kernel.org/r/1657592778-12730-1-git-send-email-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski commit ddde5412fdaa5048bbca31529d46cb8da882870c Author: Pavan Chebbi Date: Mon Jul 11 22:26:18 2022 -0400 bnxt_en: Fix bnxt_refclk_read() The upper 32-bit PHC register is not latched when reading the lower 32-bit PHC register. Current code leaves a small window where we may not read correct higher order bits if the lower order bits are just about to wrap around. This patch fixes this by reading higher order bits twice and makes sure that final value is correctly paired with its lower 32 bits. Fixes: 30e96f487f64 ("bnxt_en: Do not read the PTP PHC during chip reset") Cc: Richard Cochran Signed-off-by: Pavan Chebbi Signed-off-by: Michael Chan Signed-off-by: Jakub Kicinski commit 53f8c2d37efb5b03b9527ad04332df3bb889f0fa Author: Michael Chan Date: Mon Jul 11 22:26:17 2022 -0400 bnxt_en: Fix and simplify XDP transmit path Fix the missing length hint in the TX BD for the XDP transmit path. The length hint is required on legacy chips. Also, simplify the code by eliminating the first_buf local variable. tx_buf contains the same value. The opaque value only needs to be set on the first BD. Fix this also for correctness. Fixes: a7559bc8c17c ("bnxt: support transmit and free of aggregation buffers") Reviewed-by: Andy Gospodarek Signed-off-by: Michael Chan Signed-off-by: Jakub Kicinski commit 619b9b1622c283cc5ca86f4c487db266a8f55dab Author: Vikas Gupta Date: Mon Jul 11 22:26:16 2022 -0400 bnxt_en: fix livepatch query In the livepatch query fw_target BNXT_FW_SRT_PATCH is applicable for P5 chips only. Fixes: 3c4153394e2c ("bnxt_en: implement firmware live patching") Reviewed-by: Saravanan Vajravel Reviewed-by: Somnath Kotur Signed-off-by: Vikas Gupta Signed-off-by: Michael Chan Signed-off-by: Jakub Kicinski commit 4279414bff8af9898e8c53ae6c5bc17f68ad67b7 Author: Michael Chan Date: Mon Jul 11 22:26:15 2022 -0400 bnxt_en: Fix bnxt_reinit_after_abort() code path bnxt_reinit_after_abort() is called during ifup when a previous FW reset sequence has aborted or a previous ifup has failed after detecting FW reset. In all cases, it is safe to assume that a previous FW reset has completed and the driver may not have fully reinitialized. Prior to this patch, it is assumed that the FUNC_DRV_IF_CHANGE_RESP_FLAGS_HOT_FW_RESET_DONE flag will always be set by the firmware in bnxt_hwrm_if_change(). This may not be true if the driver has already attempted to register with the firmware. The firmware may not set the RESET_DONE flag again after the driver has registered, assuming that the driver has seen the flag already. Fix it to always go through the FW reset initialization path if the BNXT_STATE_FW_RESET_DET flag is set. This flag is always set by the driver after successfully going through bnxt_reinit_after_abort(). Fixes: 6882c36cf82e ("bnxt_en: attempt to reinitialize after aborted reset") Reviewed-by: Pavan Chebbi Signed-off-by: Michael Chan Signed-off-by: Jakub Kicinski commit c5b744d38c36a407a41e918602eec4d89730787b Author: Kashyap Desai Date: Mon Jul 11 22:26:14 2022 -0400 bnxt_en: reclaim max resources if sriov enable fails If bnxt_sriov_enable() fails after some resources have been reserved for the VFs, the current code is not unwinding properly and the reserved resources become unavailable afterwards. Fix it by properly unwinding with a call to bnxt_hwrm_func_qcaps() to reset all maximum resources. Also, add the missing bnxt_ulp_sriov_cfg() call to let the RDMA driver know to abort. Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") Signed-off-by: Kashyap Desai Signed-off-by: Michael Chan Signed-off-by: Jakub Kicinski commit b047602d579b4fb028128a525f056bbdc890e7f0 Merge: 72a8e05d4f66b 1e1fb420fe68d Author: Linus Torvalds Date: Tue Jul 12 16:17:40 2022 -0700 Merge tag 'trace-v5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fixes from Steven Rostedt: "Fixes and minor clean ups for tracing: - Fix memory leak by reverting what was thought to be a double free. A static tool had gave a false positive that a double free was possible in the error path, but it was actually a different location that confused the static analyzer (and those of us that reviewed it). - Move use of static buffers by ftrace_dump() to a location that can be used by kgdb's ftdump(), as it needs it for the same reasons. - Clarify in the Kconfig description that function tracing has negligible impact on x86, but may have a bit bigger impact on other architectures. - Remove unnecessary extra semicolon in trace event. - Make a local variable static that is used in the fprobes sample - Use KSYM_NAME_LEN for length of function in kprobe sample and get rid of unneeded macro for the same purpose" * tag 'trace-v5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: samples: Use KSYM_NAME_LEN for kprobes fprobe/samples: Make sample_probe static blk-iocost: tracing: atomic64_read(&ioc->vtime_rate) is assigned an extra semicolon ftrace: Be more specific about arch impact when function tracer is enabled tracing: Fix sleeping while atomic in kdb ftdump tracing/histograms: Fix memory leak problem commit 333991c4e66b3d4b5613315f18016da80344f659 Author: Andrzej Hajda Date: Fri Jun 24 13:35:28 2022 +0200 drm/i915/selftests: fix subtraction overflow bug On some machines hole_end can be small enough to cause subtraction overflow. On the other side (addr + 2 * min_alignment) can overflow in case of mock tests. This patch should handle both cases. Fixes: e1c5f754067b59 ("drm/i915: Avoid overflow in computing pot_hole loop termination") Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/3674 Signed-off-by: Andrzej Hajda Reviewed-by: Andi Shyti Signed-off-by: Andi Shyti Link: https://patchwork.freedesktop.org/patch/msgid/20220624113528.2159210-1-andrzej.hajda@intel.com Signed-off-by: Rodrigo Vivi (cherry picked from commit ab3edc679c552a466e4bf0b11af3666008bd65a2) Signed-off-by: Rodrigo Vivi commit ad765fae792e16ce3c1d0b69ce939e3f7dba40ab Author: Chris Wilson Date: Fri Jul 8 16:20:11 2022 +0200 drm/i915/gem: Look for waitboosting across the whole object prior to individual waits We employ a "waitboost" heuristic to detect when userspace is stalled waiting for results from earlier execution. Under latency sensitive work mixed between the gpu/cpu, the GPU is typically under-utilised and so RPS sees that low utilisation as a reason to downclock the frequency, causing longer stalls and lower throughput. The user left waiting for the results is not impressed. On applying commit 047a1b877ed4 ("dma-buf & drm/amdgpu: remove dma_resv workaround") it was observed that deinterlacing h264 on Haswell performance dropped by 2-5x. The reason being that the natural workload was not intense enough to trigger RPS (using HW evaluation intervals) to upclock, and so it was depending on waitboosting for the throughput. Commit 047a1b877ed4 ("dma-buf & drm/amdgpu: remove dma_resv workaround") changes the composition of dma-resv from keeping a single write fence + multiple read fences, to a single array of multiple write and read fences (a maximum of one pair of write/read fences per context). The iteration order was also changed implicitly from all-read fences then the single write fence, to a mix of write fences followed by read fences. It is that ordering change that belied the fragility of waitboosting. Currently, a waitboost is inspected at the point of waiting on an outstanding fence. If the GPU is backlogged such that we haven't yet stated the request we need to wait on, we force the GPU to upclock until the completion of that request. By changing the order in which we waited upon requests, we ended up waiting on those requests in sequence and as such we saw that each request was already started and so not a suitable candidate for waitboosting. Instead of asking whether to boost each fence in turn, we can look at whether boosting is required for the dma-resv ensemble prior to waiting on any fence, making the heuristic more robust to the order in which fences are stored in the dma-resv. Reported-by: Thomas Voegtle Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/6284 Fixes: 047a1b877ed4 ("dma-buf & drm/amdgpu: remove dma_resv workaround") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Signed-off-by: Karolina Drobnik Tested-by: Thomas Voegtle Reviewed-by: Andi Shyti Acked-by: Rodrigo Vivi Signed-off-by: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/07e05518d9f6620d20cc1101ec1849203fe973f9.1657289332.git.karolina.drobnik@intel.com (cherry picked from commit 394e2b57a989113de494c52d4683444bcb02d4e1) Signed-off-by: Rodrigo Vivi commit a1c5a7bf79c1faa5633b918b5c0666545e84c4d1 Author: Chris Wilson Date: Tue Jul 12 16:21:33 2022 +0100 drm/i915/gt: Serialize TLB invalidates with GT resets Avoid trying to invalidate the TLB in the middle of performing an engine reset, as this may result in the reset timing out. Currently, the TLB invalidate is only serialised by its own mutex, forgoing the uncore lock, but we can take the uncore->lock as well to serialise the mmio access, thereby serialising with the GDRST. Tested on a NUC5i7RYB, BIOS RYBDWi35.86A.0380.2019.0517.1530 with i915 selftest/hangcheck. Cc: stable@vger.kernel.org # v4.4 and upper Fixes: 7938d61591d3 ("drm/i915: Flush TLBs before releasing backing store") Reported-by: Mauro Carvalho Chehab Tested-by: Mauro Carvalho Chehab Reviewed-by: Mauro Carvalho Chehab Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Reviewed-by: Andi Shyti Acked-by: Thomas Hellström Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/1e59a7c45dd919a530256b9ac721ac6ea86c0677.1657639152.git.mchehab@kernel.org (cherry picked from commit 33da97894758737895e90c909f16786052680ef4) Signed-off-by: Rodrigo Vivi commit b24dcf1dc507f69ed3b5c66c2b6a0209ae80d4d4 Author: Chris Wilson Date: Tue Jul 12 16:21:32 2022 +0100 drm/i915/gt: Serialize GRDOM access between multiple engine resets Don't allow two engines to be reset in parallel, as they would both try to select a reset bit (and send requests to common registers) and wait on that register, at the same time. Serialize control of the reset requests/acks using the uncore->lock, which will also ensure that no other GT state changes at the same time as the actual reset. Cc: stable@vger.kernel.org # v4.4 and upper Reported-by: Mika Kuoppala Signed-off-by: Chris Wilson Acked-by: Mika Kuoppala Reviewed-by: Andi Shyti Reviewed-by: Andrzej Hajda Acked-by: Thomas Hellström Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/e0a2d894e77aed7c2e36b0d1abdc7dbac3011729.1657639152.git.mchehab@kernel.org (cherry picked from commit 336561a914fc0c6f1218228718f633b31b7af1c3) Signed-off-by: Rodrigo Vivi commit aff1e0b09b54b64944b7fe32997229552737b9e9 Author: Matthew Auld Date: Mon Jul 11 09:58:59 2022 +0100 drm/i915/ttm: fix sg_table construction If we encounter some monster sized local-memory page that exceeds the maximum sg length (UINT32_MAX), ensure that don't end up with some misaligned address in the entry that follows, leading to fireworks later. Also ensure we have some coverage of this in the selftests. v2(Chris): - Use round_down consistently to avoid udiv errors v3(Nirmoy): - Also update the max_segment in the selftest Fixes: f701b16d4cc5 ("drm/i915/ttm: add i915_sg_from_buddy_resource") Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/6379 Signed-off-by: Matthew Auld Cc: Thomas Hellström Cc: Nirmoy Das Reviewed-by: Nirmoy Das Link: https://patchwork.freedesktop.org/patch/msgid/20220711085859.24198-1-matthew.auld@intel.com (cherry picked from commit bc99f1209f19fefa3ee11e77464ccfae541f4291) Signed-off-by: Rodrigo Vivi commit 896dcabd1f8f613c533d948df17408c41f8929f5 Author: Dan Carpenter Date: Fri Jul 8 12:41:04 2022 +0300 drm/i915/selftests: fix a couple IS_ERR() vs NULL tests The shmem_pin_map() function doesn't return error pointers, it returns NULL. Fixes: be1cb55a07bf ("drm/i915/gt: Keep a no-frills swappable copy of the default context state") Signed-off-by: Dan Carpenter Reviewed-by: Matthew Auld Signed-off-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20220708094104.GL2316@kadam (cherry picked from commit d50f5a109cf4ed50c5b575c1bb5fc3bd17b23308) Signed-off-by: Rodrigo Vivi commit f99546298a4537965b75d518c210742f641be389 Merge: 48da0f67c53ee e87197fbd137c Author: Rodrigo Vivi Date: Tue Jul 12 18:21:10 2022 -0400 Merge tag 'gvt-fixes-2022-07-11' of https://github.com/intel/gvt-linux into drm-intel-fixes gvt-fixes-2022-07-11 - Fix return value for shmem_pin_map() Signed-off-by: Rodrigo Vivi From: Zhenyu Wang Link: https://patchwork.freedesktop.org/patch/msgid/20220711052021.GV1089@zhen-hp.sh.intel.com commit 48da0f67c53eecd2594c302be6c8a665b7740eaf Author: Thomas Hellström Date: Mon Jun 20 14:36:59 2022 +0200 drm/i915: Fix vm use-after-free in vma destruction In vma destruction, the following race may occur: Thread 1: Thread 2: i915_vma_destroy(); ... list_del_init(vma->vm_link); ... mutex_unlock(vma->vm->mutex); __i915_vm_release(); release_references(); And in release_reference() we dereference vma->vm to get to the vm gt pointer, leading to a use-after free. However, __i915_vm_release() grabs the vm->mutex so the vm won't be destroyed before vma->vm->mutex is released, so extract the gt pointer under the vm->mutex to avoid the vma->vm dereference in release_references(). v2: Fix a typo in the commit message (Andi Shyti) Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5944 Fixes: e1a7ab4fca0c ("drm/i915: Remove the vm open count") Cc: Niranjana Vishwanathapura Cc: Matthew Auld Signed-off-by: Thomas Hellström Acked-by: Nirmoy Das Reviewed-by: Andrzej Hajda Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20220620123659.381772-1-thomas.hellstrom@linux.intel.com (cherry picked from commit 1926a6b75954fc1a8b44d10bd0c67db957b78cf7) Signed-off-by: Rodrigo Vivi commit 1391b9cfd35bb8f10785a17cb4bb5ea8d10faaae Author: Daniele Ceraolo Spurio Date: Tue Jun 21 16:30:05 2022 -0700 drm/i915/guc: ADL-N should use the same GuC FW as ADL-S The only difference between the ADL S and P GuC FWs is the HWConfig support. ADL-N does not support HWConfig, so we should use the same binary as ADL-S, otherwise the GuC might attempt to fetch a config table that does not exist. ADL-N is internally identified as an ADL-P, so we need to special-case it in the FW selection code. Fixes: 7e28d0b26759 ("drm/i915/adl-n: Enable ADL-N platform") Cc: John Harrison Cc: Tejas Upadhyay Cc: Anusha Srivatsa Cc: Jani Nikula Signed-off-by: Daniele Ceraolo Spurio Reviewed-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20220621233005.3952293-1-daniele.ceraolospurio@intel.com (cherry picked from commit 971e4a9781742aaad1587e25fd5582b2dd595ef8) Signed-off-by: Rodrigo Vivi commit 046cd8a2a9eec7c2b46b03958a2b6252ddff55b2 Author: Hangyu Hua Date: Fri Jun 24 06:04:06 2022 -0700 drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector() If drm_connector_init fails, intel_connector_free will be called to take care of proper free. So it is necessary to drop the refcount of port before intel_connector_free. Fixes: 091a4f91942a ("drm/i915: Handle drm-layer errors in intel_dp_add_mst_connector") Signed-off-by: Hangyu Hua Reviewed-by: José Roberto de Souza Link: https://patchwork.freedesktop.org/patch/msgid/20220624130406.17996-1-jose.souza@intel.com Signed-off-by: José Roberto de Souza (cherry picked from commit cea9ed611e85d36a05db52b6457bf584b7d969e2) Signed-off-by: Rodrigo Vivi commit 1e1fb420fe68d9d938db360fec700dfd230cc22a Author: Tiezhu Yang Date: Wed Jun 8 09:23:22 2022 +0800 samples: Use KSYM_NAME_LEN for kprobes It is better and enough to use KSYM_NAME_LEN for kprobes in samples, no need to define and use the other values. Link: https://lkml.kernel.org/r/1654651402-21552-1-git-send-email-yangtiezhu@loongson.cn Signed-off-by: Tiezhu Yang Acked-by: Masami Hiramatsu (Google) Signed-off-by: Steven Rostedt (Google) commit e3655dfa58053d614ca9601c36657b469402650f Author: sunliming Date: Mon Jun 6 15:56:59 2022 +0800 fprobe/samples: Make sample_probe static This symbol is not used outside of fprobe_example.c, so marks it static. Fixes the following warning: sparse warnings: (new ones prefixed by >>) >> samples/fprobe/fprobe_example.c:23:15: sparse: sparse: symbol 'sample_probe' was not declared. Should it be static? Link: https://lkml.kernel.org/r/20220606075659.674556-1-sunliming@kylinos.cn Reported-by: kernel test robot Signed-off-by: sunliming Acked-by: Masami Hiramatsu (Google) Signed-off-by: Steven Rostedt (Google) commit 0bb7e14c8e15ad78b7300e7d89a615ea8b8c89a9 Author: Li kunyu Date: Wed Jun 29 11:00:13 2022 +0800 blk-iocost: tracing: atomic64_read(&ioc->vtime_rate) is assigned an extra semicolon Remove extra semicolon. Link: https://lkml.kernel.org/r/20220629030013.10362-1-kunyu@nfschina.com Cc: Tejun Heo Cc: Jens Axboe Signed-off-by: Li kunyu Signed-off-by: Steven Rostedt (Google) commit 0a6d7d45414a77876e8e9a77e454af754cea3a60 Author: Steven Rostedt (Google) Date: Wed Jul 6 16:12:31 2022 -0400 ftrace: Be more specific about arch impact when function tracer is enabled It was brought up that on ARMv7, that because the FUNCTION_TRACER does not use nops to keep function tracing disabled because of the use of a link register, it does have some performance impact. The start of functions when -pg is used to compile the kernel is: push {lr} bl 8010e7c0 <__gnu_mcount_nc> When function tracing is tuned off, it becomes: push {lr} add sp, sp, #4 Which just puts the stack back to its normal location. But these two instructions at the start of every function does incur some overhead. Be more honest in the Kconfig FUNCTION_TRACER description and specify that the overhead being in the noise was x86 specific, but other architectures may vary. Link: https://lore.kernel.org/all/20220705105416.GE5208@pengutronix.de/ Link: https://lkml.kernel.org/r/20220706161231.085a83da@gandalf.local.home Reported-by: Sascha Hauer Acked-by: Sascha Hauer Signed-off-by: Steven Rostedt (Google) commit 495fcec8648cdfb483b5b9ab310f3839f07cb3b8 Author: Douglas Anderson Date: Fri Jul 8 17:09:52 2022 -0700 tracing: Fix sleeping while atomic in kdb ftdump If you drop into kdb and type "ftdump" you'll get a sleeping while atomic warning from memory allocation in trace_find_next_entry(). This appears to have been caused by commit ff895103a84a ("tracing: Save off entry when peeking at next entry"), which added the allocation in that path. The problematic commit was already fixed by commit 8e99cf91b99b ("tracing: Do not allocate buffer in trace_find_next_entry() in atomic") but that fix missed the kdb case. The fix here is easy: just move the assignment of the static buffer to the place where it should have been to begin with: trace_init_global_iter(). That function is called in two places, once is right before the assignment of the static buffer added by the previous fix and once is in kdb. Note that it appears that there's a second static buffer that we need to assign that was added in commit efbbdaa22bb7 ("tracing: Show real address for trace event arguments"), so we'll move that too. Link: https://lkml.kernel.org/r/20220708170919.1.I75844e5038d9425add2ad853a608cb44bb39df40@changeid Fixes: ff895103a84a ("tracing: Save off entry when peeking at next entry") Fixes: efbbdaa22bb7 ("tracing: Show real address for trace event arguments") Signed-off-by: Douglas Anderson Signed-off-by: Steven Rostedt (Google) commit 7edc3945bdce9c39198a10d6129377a5c53559c2 Author: Zheng Yejian Date: Mon Jul 11 09:47:31 2022 +0800 tracing/histograms: Fix memory leak problem This reverts commit 46bbe5c671e06f070428b9be142cc4ee5cedebac. As commit 46bbe5c671e0 ("tracing: fix double free") said, the "double free" problem reported by clang static analyzer is: > In parse_var_defs() if there is a problem allocating > var_defs.expr, the earlier var_defs.name is freed. > This free is duplicated by free_var_defs() which frees > the rest of the list. However, if there is a problem allocating N-th var_defs.expr: + in parse_var_defs(), the freed 'earlier var_defs.name' is actually the N-th var_defs.name; + then in free_var_defs(), the names from 0th to (N-1)-th are freed; IF ALLOCATING PROBLEM HAPPENED HERE!!! -+ \ | 0th 1th (N-1)-th N-th V +-------------+-------------+-----+-------------+----------- var_defs: | name | expr | name | expr | ... | name | expr | name | /// +-------------+-------------+-----+-------------+----------- These two frees don't act on same name, so there was no "double free" problem before. Conversely, after that commit, we get a "memory leak" problem because the above "N-th var_defs.name" is not freed. If enable CONFIG_DEBUG_KMEMLEAK and inject a fault at where the N-th var_defs.expr allocated, then execute on shell like: $ echo 'hist:key=call_site:val=$v1,$v2:v1=bytes_req,v2=bytes_alloc' > \ /sys/kernel/debug/tracing/events/kmem/kmalloc/trigger Then kmemleak reports: unreferenced object 0xffff8fb100ef3518 (size 8): comm "bash", pid 196, jiffies 4295681690 (age 28.538s) hex dump (first 8 bytes): 76 31 00 00 b1 8f ff ff v1...... backtrace: [<0000000038fe4895>] kstrdup+0x2d/0x60 [<00000000c99c049a>] event_hist_trigger_parse+0x206f/0x20e0 [<00000000ae70d2cc>] trigger_process_regex+0xc0/0x110 [<0000000066737a4c>] event_trigger_write+0x75/0xd0 [<000000007341e40c>] vfs_write+0xbb/0x2a0 [<0000000087fde4c2>] ksys_write+0x59/0xd0 [<00000000581e9cdf>] do_syscall_64+0x3a/0x80 [<00000000cf3b065c>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 Link: https://lkml.kernel.org/r/20220711014731.69520-1-zhengyejian1@huawei.com Cc: stable@vger.kernel.org Fixes: 46bbe5c671e0 ("tracing: fix double free") Reported-by: Hulk Robot Suggested-by: Steven Rostedt Reviewed-by: Tom Zanussi Signed-off-by: Zheng Yejian Signed-off-by: Steven Rostedt (Google) commit 7b6f9462a3234c35cf808453d39a074a04e71de1 Author: Paul M Stillwell Jr Date: Wed Jun 8 14:48:32 2022 -0700 ice: change devlink code to read NVM in blocks When creating a snapshot of the NVM the driver needs to read the entire contents from the NVM and store it. The NVM reads are protected by a lock that is shared between the driver and the firmware. If the driver takes too long to read the entire NVM (which can happen on some systems) then the firmware could reclaim the lock and cause subsequent reads from the driver to fail. We could fix this by increasing the timeout that we pass to the firmware, but we could end up in the same situation again if the system is slow. Instead have the driver break the reading of the NVM into blocks that are small enough that we have confidence that the read will complete within the timeout time, but large enough not to cause significant AQ overhead. Fixes: dce730f17825 ("ice: add a devlink region for dumping NVM contents") Signed-off-by: Paul M Stillwell Jr Tested-by: Gurucharan (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit f52d166819a4d8e0d5cca07d8a8dd6397c96dcf1 Author: Paul M Stillwell Jr Date: Wed Jun 8 14:09:52 2022 -0700 ice: handle E822 generic device ID in PLDM header The driver currently presumes that the record data in the PLDM header of the firmware image will match the device ID of the running device. This is true for E810 devices. It appears that for E822 devices that this is not guaranteed to be true. Fix this by adding a check for the generic E822 device. Fixes: d69ea414c9b4 ("ice: implement device flash update via devlink") Signed-off-by: Paul M Stillwell Jr Tested-by: Gurucharan (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit 72a8e05d4f66b5af7854df4490e3135168694b6b Merge: 29851567d1aa8 4a47c6385bb4e Author: Linus Torvalds Date: Tue Jul 12 08:59:35 2022 -0700 Merge tag 'ovl-fixes-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs Pull overlayfs fix from Miklos Szeredi: "Add a temporary fix for posix acls on idmapped mounts introduced in this cycle. A proper fix will be added in the next cycle" * tag 'ovl-fixes-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: ovl: turn off SB_POSIXACL with idmapped layers temporarily commit 29851567d1aa8f0045170545d2e1a5d7a4057667 Merge: 0d8ba24e72b6e 3590b44b9434a Author: Linus Torvalds Date: Tue Jul 12 08:52:15 2022 -0700 Merge tag 'drm-fixes-2022-07-12' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "I see you picked up one of the fbdev fixes, this is the other stuff that was queued up last week. A bit of a scattering of fixes, three for i915, one amdgpu, and a couple of panfrost, rockchip, panel and bridge ones. amdgpu: - Hibernation fix dma-buf: - fix use after free of fence i915: - Fix a possible refcount leak in DP MST connector (Hangyu) - Fix on loading guc on ADL-N (Daniele) - Fix vm use-after-free in vma destruction (Thomas) bridge: - fsl-ldb : 3 LVDS modesetting fixes rockchip: - iommu domain fix panfrost: - fix memory corruption - error path fix panel: - orientation quirk fix for Yoga tablet 2 ssd130x: - fix pre-charge period setting" * tag 'drm-fixes-2022-07-12' of git://anongit.freedesktop.org/drm/drm: drm/ssd130x: Fix pre-charge period setting dma-buf: Fix one use-after-free of fence drm/i915: Fix vm use-after-free in vma destruction drm/i915/guc: ADL-N should use the same GuC FW as ADL-S drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector() drm/amdgpu/display: disable prefer_shadow for generic fb helpers drm/amdgpu: keep fbdev buffers pinned during suspend drm/panfrost: Fix shrinker list corruption by madvise IOCTL drm/panfrost: Put mapping instead of shmem obj on panfrost_mmu_map_fault_addr() error drm/rockchip: Detach from ARM DMA domain in attach_device drm/bridge: fsl-ldb: Drop DE signal polarity inversion drm/bridge: fsl-ldb: Enable split mode for LVDS dual link drm/bridge: fsl-ldb: Fix mode clock rate validation drm/aperture: Run fbdev removal before internal helpers drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Tablet 2 830 commit 0d8ba24e72b6ec45b1d62148c711bad54483b29a Merge: ce114c866860a c27c753ea6fd1 Author: Linus Torvalds Date: Tue Jul 12 08:40:09 2022 -0700 Merge tag 'x86_bugs_retbleed' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull lockdep fix for x86 retbleed from Borislav Petkov: - Fix lockdep complaint for __static_call_fixup() * tag 'x86_bugs_retbleed' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/static_call: Serialize __static_call_fixup() properly commit 2883f4b5a0e1ac9472c7e3ae9bbdb4ea5a2117c6 Author: Shyam Prasad N Date: Wed Jul 6 14:29:12 2022 +0000 cifs: remove unnecessary locking of chan_lock while freeing session In cifs_put_smb_ses, when we're freeing the last ref count to the session, we need to free up each channel. At this point, it is unnecessary to take chan_lock, since we have the last reference to the ses. Picking up this lock also introduced a deadlock because it calls cifs_put_tcp_ses, which locks cifs_tcp_ses_lock. Signed-off-by: Shyam Prasad N Acked-by: Enzo Matsumiya Signed-off-by: Steve French commit 50bd7d5a647bdf533575111c5335f49707c2ce2f Author: Shyam Prasad N Date: Tue Jul 5 11:16:24 2022 +0000 cifs: fix race condition with delayed threads On failure to create a new channel, first cancel the delayed threads, which could try to search for this channel, and not find it. The other option was to put the tcp session for the channel first, before decrementing chan_count. But that would leave a reference to the tcp session, when it has been freed already. So going with the former option and cancelling the delayed works first, before rolling back the channel. Fixes: aa45dadd34e4 ("cifs: change iface_list from array to sorted linked list") Signed-off-by: Shyam Prasad N Acked-by: Enzo Matsumiya Signed-off-by: Steve French commit a77c46f2b4d48a81f36442ee0c2160baebf6c1a0 Author: Han Xu Date: Mon Jul 11 11:08:02 2022 -0500 MAINTAINERS: change the NXP FSPI driver maintainer. Haibo Chen and me will take over the NXP FSPI driver maintainer role. Signed-off-by: Han Xu Link: https://lore.kernel.org/r/20220711160802.4938-1-han.xu@nxp.com Signed-off-by: Mark Brown commit c27c753ea6fd1237f4f96abf8b623d7bab505513 Author: Thomas Gleixner Date: Tue Jul 12 14:01:06 2022 +0200 x86/static_call: Serialize __static_call_fixup() properly __static_call_fixup() invokes __static_call_transform() without holding text_mutex, which causes lockdep to complain in text_poke_bp(). Adding the proper locking cures that, but as this is either used during early boot or during module finalizing, it's not required to use text_poke_bp(). Add an argument to __static_call_transform() which tells it to use text_poke_early() for it. Fixes: ee88d363d156 ("x86,static_call: Use alternative RET encoding") Signed-off-by: Thomas Gleixner Signed-off-by: Borislav Petkov commit 7329b071729645e243b6207e76bca2f4951c991b Author: Bartosz Golaszewski Date: Tue Jul 12 09:40:55 2022 +0200 gpio: sim: fix the chip_name configfs item The chip_name configs attribute always displays the device name of the first GPIO bank because the logic of the relevant function is simply wrong. Fix it by correctly comparing the bank's swnode against the GPIO device's children. Fixes: cb8c474e79be ("gpio: sim: new testing module") Cc: stable@vger.kernel.org Reported-by: Kent Gibson Signed-off-by: Bartosz Golaszewski Reviewed-by: Andy Shevchenko Reviewed-by: Kent Gibson Tested-by: Kent Gibson commit e79b9473e9b59e83e23db9b7411c6080b5a6826d Author: Justin Stitt Date: Fri Jul 8 17:37:04 2022 -0700 net: ipv4: fix clang -Wformat warnings When building with Clang we encounter these warnings: | net/ipv4/ah4.c:513:4: error: format specifies type 'unsigned short' but | the argument has type 'int' [-Werror,-Wformat] | aalg_desc->uinfo.auth.icv_fullbits / 8); - | net/ipv4/esp4.c:1114:5: error: format specifies type 'unsigned short' | but the argument has type 'int' [-Werror,-Wformat] | aalg_desc->uinfo.auth.icv_fullbits / 8); `aalg_desc->uinfo.auth.icv_fullbits` is a u16 but due to default argument promotion becomes an int. Variadic functions (printf-like) undergo default argument promotion. Documentation/core-api/printk-formats.rst specifically recommends using the promoted-to-type's format flag. As per C11 6.3.1.1: (https://www.open-std.org/jtc1/sc22/wg14/www/docs/n1548.pdf) `If an int can represent all values of the original type ..., the value is converted to an int; otherwise, it is converted to an unsigned int. These are called the integer promotions.` Thus it makes sense to change %hu to %d not only to follow this standard but to suppress the warning as well. Link: https://github.com/ClangBuiltLinux/linux/issues/378 Signed-off-by: Justin Stitt Suggested-by: Joe Perches Suggested-by: Nathan Chancellor Suggested-by: Nick Desaulniers Signed-off-by: Steffen Klassert commit f946964a9f79f8dcb5a6329265281eebfc23aee5 Author: Yevhen Orlov Date: Sun Jul 10 15:20:21 2022 +0300 net: marvell: prestera: fix missed deinit sequence Add unregister_fib_notifier as rollback of register_fib_notifier. Fixes: 4394fbcb78cf ("net: marvell: prestera: handle fib notifications") Signed-off-by: Yevhen Orlov Link: https://lore.kernel.org/r/20220710122021.7642-1-yevhen.orlov@plvision.eu Signed-off-by: Paolo Abeni commit dbe75d314748e08fc6e4576d153d8a69621ee5ca Author: Meng Tang Date: Tue Jul 12 17:22:22 2022 +0800 ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 On a HP 288 Pro G6, the front mic could not be detected.In order to get it working, the pin configuration needs to be set correctly, and the ALC671_FIXUP_HP_HEADSET_MIC2 fixup needs to be applied. Signed-off-by: Meng Tang Cc: Link: https://lore.kernel.org/r/20220712092222.21738-1-tangmeng@uniontech.com Signed-off-by: Takashi Iwai commit 841bdf85c226803a78a9319af9b2caa9bf3e2eda Author: Meng Tang Date: Tue Jul 12 14:00:05 2022 +0800 ALSA: hda - Add fixup for Dell Latitidue E5430 Another Dell model, another fixup entry: Latitude E5430 needs the same fixup as other Latitude E series as workaround for noise problems. Signed-off-by: Meng Tang Cc: Link: https://lore.kernel.org/r/20220712060005.20176-1-tangmeng@uniontech.com Signed-off-by: Takashi Iwai commit 4a46de446d3fb9ae304dd0f4b4fceb551b152498 Author: Jakub Kicinski Date: Fri Jul 8 19:41:41 2022 -0700 selftest: net: add tun to .gitignore Add missing .gitignore entry. Fixes: 839b92fede7b ("selftest: tun: add test for NAPI dismantle") Link: https://lore.kernel.org/r/20220709024141.321683-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit ce114c866860aa9eae3f50974efc68241186ba60 Merge: 5a29232d870d9 4ad3278df6fe2 Author: Linus Torvalds Date: Mon Jul 11 18:15:25 2022 -0700 Merge tag 'x86_bugs_retbleed' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 retbleed fixes from Borislav Petkov: "Just when you thought that all the speculation bugs were addressed and solved and the nightmare is complete, here's the next one: speculating after RET instructions and leaking privileged information using the now pretty much classical covert channels. It is called RETBleed and the mitigation effort and controlling functionality has been modelled similar to what already existing mitigations provide" * tag 'x86_bugs_retbleed' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (54 commits) x86/speculation: Disable RRSBA behavior x86/kexec: Disable RET on kexec x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported x86/entry: Move PUSH_AND_CLEAR_REGS() back into error_entry x86/bugs: Add Cannon lake to RETBleed affected CPU list x86/retbleed: Add fine grained Kconfig knobs x86/cpu/amd: Enumerate BTC_NO x86/common: Stamp out the stepping madness KVM: VMX: Prevent RSB underflow before vmenter x86/speculation: Fill RSB on vmexit for IBRS KVM: VMX: Fix IBRS handling after vmexit KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS KVM: VMX: Convert launched argument to flags KVM: VMX: Flatten __vmx_vcpu_run() objtool: Re-add UNWIND_HINT_{SAVE_RESTORE} x86/speculation: Remove x86_spec_ctrl_mask x86/speculation: Use cached host SPEC_CTRL value for guest entry/exit x86/speculation: Fix SPEC_CTRL write on SMT state change x86/speculation: Fix firmware entry SPEC_CTRL handling x86/speculation: Fix RSB filling with CONFIG_RETPOLINE=n ... commit 3590b44b9434af1b9c81c3f40189087ed4fe3635 Merge: 42e0a87233e37 b68277f19e31a Author: Dave Airlie Date: Tue Jul 12 10:43:49 2022 +1000 Merge tag 'drm-misc-fixes-2022-07-07-1' of ssh://git.freedesktop.org/git/drm/drm-misc into drm-fixes Three mode setting fixes for fsl-ldb, a fbdev removal use-after-free fix, a dma-buf fence use-after-free fix, a DMA setup fix for rockchip, an error path fix and memory corruption fix for panfrost and one more orientation quirk Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20220708054306.wr6jcfdunuypftbq@houat commit 42e0a87233e373e1c0d0831d342294b1ba103d23 Merge: 7de96365878f7 12058077b2e96 Author: Dave Airlie Date: Tue Jul 12 10:40:24 2022 +1000 Merge tag 'drm-intel-fixes-2022-07-07' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Fix a possible refcount leak in DP MST connector (Hangyu) - Fix on loading guc on ADL-N (Daniele) - Fix vm use-after-free in vma destruction (Thomas) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/YsbbgWnLTR8fr4lj@intel.com commit 7de96365878f769f21eae8205fc58f7f61250745 Merge: 32346491ddf24 3a4b1cc28fbdc Author: Dave Airlie Date: Tue Jul 12 10:34:42 2022 +1000 Merge tag 'amd-drm-fixes-5.19-2022-07-06' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-5.19-2022-07-06: amdgpu: - Hibernation fix Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20220707024421.5773-1-alexander.deucher@amd.com commit 5a29232d870d9e63fe5ff30b081be6ea7cc2465d Merge: 23458ac91dc8e b3a3b0255797e Author: Linus Torvalds Date: Mon Jul 11 14:41:44 2022 -0700 Merge tag 'for-5.19-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: "A more fixes that seem to me to be important enough to get merged before release: - in zoned mode, fix leak of a structure when reading zone info, this happens on normal path so this can be significant - in zoned mode, revert an optimization added in 5.19-rc1 to finish a zone when the capacity is full, but this is not reliable in all cases - try to avoid short reads for compressed data or inline files when it's a NOWAIT read, applications should handle that but there are two, qemu and mariadb, that are affected" * tag 'for-5.19-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: zoned: drop optimization of zone finish btrfs: zoned: fix a leaked bioc in read_zone_info btrfs: return -EAGAIN for NOWAIT dio reads/writes on compressed and inline extents commit 23458ac91dc8e9a30c95b4208727f7e053eb5ff8 Merge: 8e59a6a7a4fa0 db7cfc380900b 3418357a32db6 Author: Linus Torvalds Date: Mon Jul 11 14:33:41 2022 -0700 Merge tags 'free-mq_sysctls-for-v5.19' and 'ptrace_unfreeze_fix-for-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace Pull ipc namespace fix from Eric Biederman: "This fixes a bug with error handling if ipc creation fails that was reported by syzbot" For completeness, this also pulls the ptrace_unfreeze_fix tag that contains the original version of one of the hotfixes that I manually applied earlier so that it would be fixed in rc6. * tag 'free-mq_sysctls-for-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: ipc: Free mq_sysctls if ipc namespace creation failed * tag 'ptrace_unfreeze_fix-for-v5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: ptrace: fix clearing of JOBCTL_TRACED in ptrace_unfreeze_traced() commit 1197eb5906a5464dbaea24cac296dfc38499cc00 Author: Jeff Layton Date: Mon Jul 11 14:30:14 2022 -0400 lockd: fix nlm_close_files This loop condition tries a bit too hard to be clever. Just test for the two indices we care about explicitly. Cc: J. Bruce Fields Fixes: 7f024fcd5c97 ("Keep read and write fds with each nlm_file") Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever commit 8e59a6a7a4fa0bbcd174ea75f1da9531d3857937 Merge: b5374396e5de0 14c99d6594153 Author: Linus Torvalds Date: Mon Jul 11 12:49:56 2022 -0700 Merge tag 'mm-hotfixes-stable-2022-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull hotfixes from Andrew Morton: "Mainly MM fixes. About half for issues which were introduced after 5.18 and the remainder for longer-term issues" * tag 'mm-hotfixes-stable-2022-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: mm: split huge PUD on wp_huge_pud fallback nilfs2: fix incorrect masking of permission flags for symlinks mm/rmap: fix dereferencing invalid subpage pointer in try_to_migrate_one() riscv/mm: fix build error while PAGE_TABLE_CHECK enabled without MMU Documentation: highmem: use literal block for code example in highmem.h comment mm: sparsemem: fix missing higher order allocation splitting mm/damon: use set_huge_pte_at() to make huge pte old sh: convert nommu io{re,un}map() to static inline functions mm: userfaultfd: fix UFFDIO_CONTINUE on fallocated shmem pages commit aec158242b87a43d83322e99bc71ab4428e5ab79 Author: Jeff Layton Date: Mon Jul 11 14:30:13 2022 -0400 lockd: set fl_owner when unlocking files Unlocking a POSIX lock on an inode with vfs_lock_file only works if the owner matches. Ensure we set it in the request. Cc: J. Bruce Fields Fixes: 7f024fcd5c97 ("Keep read and write fds with each nlm_file") Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever commit b5374396e5de0402822bce4945c886d2a2962a40 Merge: 816e51dfb5ba4 e69a66147d495 Author: Linus Torvalds Date: Mon Jul 11 12:39:12 2022 -0700 Merge tag 'modules-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux Pull module fixes from Luis Chamberlain: "Although most of the move of code in in v5.19-rc1 should have not introduced a regression patch review on one of the file changes captured a checkpatch warning which advised to use strscpy() and it caused a buffer overflow when an incorrect length is passed. Another change which checkpatch complained about was an odd RCU usage, but that was properly addressed in a separate patch to the move by Aaron. That caused a regression with PREEMPT_RT=y due to an unbounded latency. This series fixes both and adjusts documentation which we forgot to do for the move" * tag 'modules-5.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux: module: kallsyms: Ensure preemption in add_kallsyms() with PREEMPT_RT doc: module: update file references module: Fix "warning: variable 'exit' set but not used" module: Fix selfAssignment cppcheck warning modules: Fix corruption of /proc/kallsyms commit 5b2f3e0777da2a5dd62824bbe2fdab1d12caaf8f Author: Chuck Lever Date: Sun Jul 10 14:46:04 2022 -0400 NFSD: Decode NFSv4 birth time attribute NFSD has advertised support for the NFSv4 time_create attribute since commit e377a3e698fb ("nfsd: Add support for the birth time attribute"). Igor Mammedov reports that Mac OS clients attempt to set the NFSv4 birth time attribute via OPEN(CREATE) and SETATTR if the server indicates that it supports it, but since the above commit was merged, those attempts now fail. Table 5 in RFC 8881 lists the time_create attribute as one that can be both set and retrieved, but the above commit did not add server support for clients to provide a time_create attribute. IMO that's a bug in our implementation of the NFSv4 protocol, which this commit addresses. Whether NFSD silently ignores the new birth time or actually sets it is another matter. I haven't found another filesystem service in the Linux kernel that enables users or clients to modify a file's birth time attribute. This commit reflects my (perhaps incorrect) understanding of whether Linux users can set a file's birth time. NFSD will now recognize a time_create attribute but it ignores its value. It clears the time_create bit in the returned attribute bitmask to indicate that the value was not used. Reported-by: Igor Mammedov Fixes: e377a3e698fb ("nfsd: Add support for the birth time attribute") Tested-by: Igor Mammedov Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever commit e69a66147d49506062cd837f3b230ee3e98102ab Author: Aaron Tomlin Date: Mon Jul 11 18:17:19 2022 +0100 module: kallsyms: Ensure preemption in add_kallsyms() with PREEMPT_RT The commit 08126db5ff73 ("module: kallsyms: Fix suspicious rcu usage") under PREEMPT_RT=y, disabling preemption introduced an unbounded latency since the loop is not fixed. This change caused a regression since previously preemption was not disabled and we would dereference RCU-protected pointers explicitly. That being said, these pointers cannot change. Before kallsyms-specific data is prepared/or set-up, we ensure that the unformed module is known to be unique i.e. does not already exist (see load_module()). Therefore, we can fix this by using the common and more appropriate RCU flavour as this section of code can be safely preempted. Reported-by: Steven Rostedt Fixes: 08126db5ff73 ("module: kallsyms: Fix suspicious rcu usage") Signed-off-by: Aaron Tomlin Signed-off-by: Luis Chamberlain commit 816e51dfb5ba47e4f989af656c956a8c0cc686c0 Merge: d5b36a4dbd06c afe4e376ac5d5 Author: Linus Torvalds Date: Mon Jul 11 10:02:03 2022 -0700 Merge tag 'vfio-v5.19-rc7' of https://github.com/awilliam/linux-vfio Pull VFIO fix from Alex Williamson: - Move IOMMU test to unbreak no-iommu support (Jason Gunthorpe) * tag 'vfio-v5.19-rc7' of https://github.com/awilliam/linux-vfio: vfio: Move IOMMU_CAP_CACHE_COHERENCY test to after we know we have a group commit d5b36a4dbd06c5e8e36ca8ccc552f679069e2946 Author: Oleg Nesterov Date: Mon Jul 11 18:16:25 2022 +0200 fix race between exit_itimers() and /proc/pid/timers As Chris explains, the comment above exit_itimers() is not correct, we can race with proc_timers_seq_ops. Change exit_itimers() to clear signal->posix_timers with ->siglock held. Cc: Reported-by: chris@accessvector.net Signed-off-by: Oleg Nesterov Signed-off-by: Linus Torvalds commit d16d69bf5a25d91c6d8f3e29711be12551bf56cd Author: Meng Tang Date: Mon Jul 11 18:17:44 2022 +0800 ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model There is another HP ProDesk 600 G3 model with the PCI SSID 103c:82b4 that requires the quirk HP_MIC_NO_PRESENCE. Add the corresponding entry to the quirk table. Signed-off-by: Meng Tang Cc: Link: https://lore.kernel.org/r/20220711101744.25189-1-tangmeng@uniontech.com Signed-off-by: Takashi Iwai commit 5f3fe25e70559fa3b096ab17e13316c93ddb7020 Author: Meng Tang Date: Mon Jul 11 16:15:27 2022 +0800 ALSA: hda/realtek: Fix headset mic for Acer SF313-51 The issue on Acer SWIFT SF313-51 is that headset microphone doesn't work. The following quirk fixed headset microphone issue. Note that the fixup of SF314-54/55 (ALC256_FIXUP_ACER_HEADSET_MIC) was not successful on my SF313-51. Signed-off-by: Meng Tang Cc: Link: https://lore.kernel.org/r/20220711081527.6254-1-tangmeng@uniontech.com Signed-off-by: Takashi Iwai commit 26b9f2fa7b1c6aba6fa9b83274a3e54868f69562 Author: Alexandru Elisei Date: Mon Jul 11 14:05:22 2022 +0100 ASoC: rockchip: i2s: Fix NULL pointer dereference when pinctrl is not found Commit a5450aba737d ("ASoC: rockchip: i2s: switch BCLK to GPIO") switched BCLK to GPIO functions when probing the i2s bus interface, but missed adding a check for when devm_pinctrl_get() returns an error. This can lead to the following NULL pointer dereference on a rockpro64-v2 if there are no "pinctrl" properties in the i2s device tree node. Check that i2s->pinctrl is valid before attempting to search for the bclk_on and bclk_off pinctrl states. Fixes: a5450aba737d ("ASoC: rockchip: i2s: switch BCLK to GPIO") Signed-off-by: Alexandru Elisei Link: https://lore.kernel.org/r/20220711130522.401551-1-alexandru.elisei@arm.com Signed-off-by: Mark Brown commit a9ab5bf33ce9883fbf5c2fc8f4eada00c46dc089 Author: Jacky Bai Date: Mon Jul 11 16:35:28 2022 +0800 MAINTAINERS: Update freescale pin controllers maintainer Add myself as co-maintainer of freescale pin controllers driver. As Stefan is no longer working on NXP pin controller, so remove Stefan from the list as suggested by him. Signed-off-by: Jacky Bai Reviewed-by: Fabio Estevam Acked-by: Stefan Agner Link: https://lore.kernel.org/r/20220711083528.27710-1-ping.bai@nxp.com Signed-off-by: Linus Walleij commit acf50233fc979b566e3b87d329191dcd01e2a72c Author: William Dean Date: Sun Jul 10 23:48:22 2022 +0800 pinctrl: sunplus: Add check for kcalloc As the potential failure of the kcalloc(), it should be better to check it in order to avoid the dereference of the NULL pointer. Fixes: aa74c44be19c8 ("pinctrl: Add driver for Sunplus SP7021") Reported-by: Hacash Robot Signed-off-by: William Dean Link: https://lore.kernel.org/r/20220710154822.2610801-1-williamsukatube@163.com Signed-off-by: Linus Walleij commit c3b821e8e406d5650e587b7ac624ac24e9b780a8 Author: William Dean Date: Sun Jul 10 23:49:22 2022 +0800 pinctrl: ralink: Check for null return of devm_kcalloc Because of the possible failure of the allocation, data->domains might be NULL pointer and will cause the dereference of the NULL pointer later. Therefore, it might be better to check it and directly return -ENOMEM without releasing data manually if fails, because the comment of the devm_kmalloc() says "Memory allocated with this function is automatically freed on driver detach.". Fixes: a86854d0c599b ("treewide: devm_kzalloc() -> devm_kcalloc()") Reported-by: Hacash Robot Signed-off-by: William Dean Link: https://lore.kernel.org/r/20220710154922.2610876-1-williamsukatube@163.com Signed-off-by: Linus Walleij commit 01277737e9bedf74b094c43704aa2ec7c1bc1230 Merge: 3f231ccb38835 6177a50fd32c6 Author: Arnd Bergmann Date: Mon Jul 11 13:17:23 2022 +0200 Merge tag 'imx-fixes-5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes i.MX fixes for 5.19, round 3: - Fix GPIO property for imx6qdl-ts7970 board. - Fix touchscreen pinctrl for imx6ull-colibri board by moving iomuxc-snvs pin to the correct controller device. - Fix SFP node of fsl-ls1028a to have a required clock property. * tag 'imx-fixes-5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: dts: colibri-imx6ull: fix snvs pinmux group ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count arm64: dts: ls1028a: Update SFP node to include clock Link: https://lore.kernel.org/r/20220709032716.GA9868@dragon Signed-off-by: Arnd Bergmann commit e45955766b4300e7bbeeaa1c31e0001fe16383e7 Merge: 3c079a22db79c c39ba4de6b0a8 Author: David S. Miller Date: Mon Jul 11 11:58:38 2022 +0100 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) refcount_inc_not_zero() is not semantically equivalent to atomic_int_not_zero(), from Florian Westphal. My understanding was that refcount_*() API provides a wrapper to easier debugging of reference count leaks, however, there are semantic differences between these two APIs, where refcount_inc_not_zero() needs a barrier. Reason for this subtle difference to me is unknown. 2) packet logging is not correct for ARP and IP packets, from the ARP family and netdev/egress respectively. Use skb_network_offset() to reach the headers accordingly. 3) set element extension length have been growing over time, replace a BUG_ON by EINVAL which might be triggerable from userspace. ==================== Signed-off-by: David S. Miller commit 3c079a22db79cf2cdd1b13b41a5447790e08069a Merge: 72a0b329114b1 3ddabc4336702 Author: David S. Miller Date: Mon Jul 11 11:31:38 2022 +0100 Merge branch 'mptcp-fixes' Mat Martineau says: ==================== mptcp: Disconnect and selftest fixes Patch 1 switches to a safe list iterator in the MPTCP disconnect code. Patch 2 adds the userspace_pm.sh selftest script to the MPTCP selftest Makefile, resolving the netdev/check_selftest CI failure. ==================== Signed-off-by: David S. Miller commit 3ddabc433670292492d217e0f3b5ce017c42da2c Author: Matthieu Baerts Date: Fri Jul 8 16:36:10 2022 -0700 selftests: mptcp: validate userspace PM tests by default The new script was not listed in the programs to test. By consequence, some CIs running MPTCP selftests were not validating these new tests. Note that MPTCP CI was validating it as it executes all .sh scripts from 'tools/testing/selftests/net/mptcp' directory. Fixes: 259a834fadda ("selftests: mptcp: functional tests for the userspace PM type") Reported-by: Jakub Kicinski Reviewed-by: Mat Martineau Signed-off-by: Matthieu Baerts Signed-off-by: Mat Martineau Signed-off-by: David S. Miller commit 5c835bb142d4013c2ab24bff5ae9f6709a39cbcf Author: Paolo Abeni Date: Fri Jul 8 16:36:09 2022 -0700 mptcp: fix subflow traversal at disconnect time At disconnect time the MPTCP protocol traverse the subflows list closing each of them. In some circumstances - MPJ subflow, passive MPTCP socket, the latter operation can remove the subflow from the list, invalidating the current iterator. Address the issue using the safe list traversing helper variant. Reported-by: van fantasy Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation") Tested-by: Matthieu Baerts Reviewed-by: Mat Martineau Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller commit 166d3863231667c4f64dee72b77d1102cdfad11f Author: Demi Marie Obenour Date: Sun Jul 10 19:05:22 2022 -0400 xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE The error paths of gntdev_mmap() can call unmap_grant_pages() even though not all of the pages have been successfully mapped. This will trigger the WARN_ON()s in __unmap_grant_pages_done(). The number of warnings can be very large; I have observed thousands of lines of warnings in the systemd journal. Avoid this problem by only warning on unmapping failure if the handle being unmapped is not INVALID_GRANT_HANDLE. The handle field of any page that was not successfully mapped will be INVALID_GRANT_HANDLE, so this catches all cases where unmapping can legitimately fail. Fixes: dbe97cff7dd9 ("xen/gntdev: Avoid blocking in unmap_grant_pages()") Cc: stable@vger.kernel.org Suggested-by: Juergen Gross Signed-off-by: Demi Marie Obenour Reviewed-by: Oleksandr Tyshchenko Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20220710230522.1563-1-demi@invisiblethingslab.com Signed-off-by: Juergen Gross commit 50e2ab39291947b6c6c7025cf01707c270fcde59 Author: Felix Fietkau Date: Sat Jul 2 16:52:27 2022 +0200 wifi: mac80211: fix queue selection for mesh/OCB interfaces When using iTXQ, the code assumes that there is only one vif queue for broadcast packets, using the BE queue. Allowing non-BE queue marking violates that assumption and txq->ac == skb_queue_mapping is no longer guaranteed. This can cause issues with queue handling in the driver and also causes issues with the recent ATF change, resulting in an AQL underflow warning. Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau Link: https://lore.kernel.org/r/20220702145227.39356-1-nbd@nbd.name Signed-off-by: Johannes Berg commit cc0315564d6eec91c716d314b743321be24c70b3 Author: Mustafa Ismail Date: Tue Jul 5 18:08:37 2022 -0500 RDMA/irdma: Fix sleep from invalid context BUG Taking the qos_mutex to process RoCEv2 QP's on netdev events causes a kernel splat. Fix this by removing the handling for RoCEv2 in irdma_cm_teardown_connections that uses the mutex. This handling is only needed for iWARP to avoid having connections established while the link is down or having connections remain functional after the IP address is removed. BUG: sleeping function called from invalid context at kernel/locking/mutex. Call Trace: kernel: dump_stack+0x66/0x90 kernel: ___might_sleep.cold.92+0x8d/0x9a kernel: mutex_lock+0x1c/0x40 kernel: irdma_cm_teardown_connections+0x28e/0x4d0 [irdma] kernel: ? check_preempt_curr+0x7a/0x90 kernel: ? select_idle_sibling+0x22/0x3c0 kernel: ? select_task_rq_fair+0x94c/0xc90 kernel: ? irdma_exec_cqp_cmd+0xc27/0x17c0 [irdma] kernel: ? __wake_up_common+0x7a/0x190 kernel: irdma_if_notify+0x3cc/0x450 [irdma] kernel: ? sched_clock_cpu+0xc/0xb0 kernel: irdma_inet6addr_event+0xc6/0x150 [irdma] Fixes: 146b9756f14c ("RDMA/irdma: Add connection manager") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe commit 5e8afb8792f3b6ae7ccf700f8c19225382636401 Author: Mustafa Ismail Date: Tue Jul 5 18:08:36 2022 -0500 RDMA/irdma: Do not advertise 1GB page size for x722 x722 does not support 1GB page size but the irdma driver incorrectly advertises 1GB page size support for x722 device to ib_core to compute the best page size to use on this MR. This could lead to incorrect start offsets computed by hardware on the MR. Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe commit e87197fbd137c888fd6c871c72fe7e89445dd015 Author: Dan Carpenter Date: Fri Jul 8 11:41:06 2022 +0300 drm/i915/gvt: IS_ERR() vs NULL bug in intel_gvt_update_reg_whitelist() The shmem_pin_map() function returns NULL, it doesn't return error pointers. Fixes: 97ea656521c8 ("drm/i915/gvt: Parse default state to update reg whitelist") Reviewed-by: Andrzej Hajda Signed-off-by: Dan Carpenter Signed-off-by: Zhenyu Wang Link: http://patchwork.freedesktop.org/patch/msgid/Ysftoia2BPUyqVcD@kili Acked-by: Zhenyu Wang commit be82abe6a76ba8e76f25312566182b0f13c4fbf9 Author: Anup Patel Date: Mon Jul 11 09:36:32 2022 +0530 RISC-V: KVM: Fix SRCU deadlock caused by kvm_riscv_check_vcpu_requests() The kvm_riscv_check_vcpu_requests() is called with SRCU read lock held and for KVM_REQ_SLEEP request it will block the VCPU without releasing SRCU read lock. This causes KVM ioctls (such as KVM_IOEVENTFD) from other VCPUs of the same Guest/VM to hang/deadlock if there is any synchronize_srcu() or synchronize_srcu_expedited() in the path. To fix the above in kvm_riscv_check_vcpu_requests(), we should do SRCU read unlock before blocking the VCPU and do SRCU read lock after VCPU wakeup. Fixes: cce69aff689e ("RISC-V: KVM: Implement VCPU interrupts and requests handling") Reported-by: Bin Meng Signed-off-by: Anup Patel Reviewed-by: Atish Patra Tested-by: Heinrich Schuchardt Tested-by: Bin Meng Signed-off-by: Anup Patel commit 88573389aaa34640b9ecde15622c68e8737d8f8c Author: Alexandre Ghiti Date: Mon Jul 11 09:29:51 2022 +0530 riscv: Fix missing PAGE_PFN_MASK There are a bunch of functions that use the PFN from a page table entry that end up with the svpbmt upper-bits because they are missing the newly introduced PAGE_PFN_MASK which leads to wrong addresses conversions and then crash: fix this by adding this mask. Fixes: 100631b48ded ("riscv: Fix accessing pfn bits in PTEs for non-32bit variants") Signed-off-by: Alexandre Ghiti Signed-off-by: Anup Patel commit 32346491ddf24599decca06190ebca03ff9de7f8 Author: Linus Torvalds Date: Sun Jul 10 14:40:51 2022 -0700 Linux 5.19-rc6 commit 24f4b40ec2184f3698faed3082895fcc1f6be282 Merge: 952c53cd357c7 fc82bbf4dede7 Author: Linus Torvalds Date: Sun Jul 10 14:26:49 2022 -0700 Merge branch 'hot-fixes' (fixes for rc6) This is a collection of three fixes for small annoyances. Two of these are already pending in other trees, but I really don't want to release another -rc with these issues pending, so I picked up the patches for these things directly. We'll end up with duplicate commits eventually, I prefer that over having these issues pending. The third one is just me getting rid of another BUG_ON() just because it was reported and I dislike those things so much. * merge 'hot-fixes' branch: ida: don't use BUG_ON() for debugging drm/aperture: Run fbdev removal before internal helpers ptrace: fix clearing of JOBCTL_TRACED in ptrace_unfreeze_traced() commit fc82bbf4dede758007763867d0282353c06d1121 Author: Linus Torvalds Date: Sun Jul 10 13:55:49 2022 -0700 ida: don't use BUG_ON() for debugging This is another old BUG_ON() that just shouldn't exist (see also commit a382f8fee42c: "signal handling: don't use BUG_ON() for debugging"). In fact, as Matthew Wilcox points out, this condition shouldn't really even result in a warning, since a negative id allocation result is just a normal allocation failure: "I wonder if we should even warn here -- sure, the caller is trying to free something that wasn't allocated, but we don't warn for kfree(NULL)" and goes on to point out how that current error check is only causing people to unnecessarily do their own index range checking before freeing it. This was noted by Itay Iellin, because the bluetooth HCI socket cookie code does *not* do that range checking, and ends up just freeing the error case too, triggering the BUG_ON(). The HCI code requires CAP_NET_RAW, and seems to just result in an ugly splat, but there really is no reason to BUG_ON() here, and we have generally striven for allocation models where it's always ok to just do free(alloc()); even if the allocation were to fail for some random reason (usually obviously that "random" reason being some resource limit). Fixes: 88eca0207cf1 ("ida: simplified functions for id allocation") Reported-by: Itay Iellin Suggested-by: Matthew Wilcox Signed-off-by: Linus Torvalds commit 952c53cd357c71338a59d444933ed48a879229e1 Merge: 5867f3b88bb54 607a48c78e6b4 Author: Linus Torvalds Date: Sun Jul 10 11:23:01 2022 -0700 Merge tag 'dmaengine-fix-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine Pull dmaengine fixes from Vinod Koul: "One core fix for DMA_INTERRUPT and rest driver fixes. Core: - Revert verification of DMA_INTERRUPT capability as that was incorrect Bunch of driver fixes for: - ti: refcount and put_device leak - qcom_bam: runtime pm overflow - idxd: force wq context cleanup and call idxd_enable_system_pasid() on success - dw-axi-dmac: RMW on channel suspend register - imx-sdma: restart cyclic channel when enabled - at_xdma: error handling for at_xdmac_alloc_desc - pl330: lockdep warning - lgm: error handling path in probe - allwinner: Fix min/max typo in binding" * tag 'dmaengine-fix-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine: dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo dmaengine: lgm: Fix an error handling path in intel_ldma_probe() dmaengine: pl330: Fix lockdep warning about non-static key dmaengine: idxd: Only call idxd_enable_system_pasid() if succeeded in enabling SVA feature dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly dmaengine: imx-sdma: only restart cyclic channel when enabled dmaengine: dw-axi-dmac: Fix RMW on channel suspend register dmaengine: idxd: force wq context cleanup on device disable path dmaengine: qcom: bam_dma: fix runtime PM underflow dmaengine: imx-sdma: Allow imx8m for imx7 FW revs dmaengine: Revert "dmaengine: add verification of DMA_INTERRUPT capability for dmatest" dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate commit b0d55983b2b885f6f96d6d6898d27a60bd9dc9a2 Author: Hans de Goede Date: Sun Jul 10 19:36:58 2022 +0200 platform/x86: intel_atomisp2_led: Also turn off the always-on camera LED on the Asus T100TAF Like the Asus T100TA the Asus T100TAF has a camera LED which is always on by default and both also use the same GPIO for the LED. Relax the DMI match for the Asus T100TA so that it also matches the T100TAF. Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20220710173658.221528-1-hdegoede@redhat.com commit 5867f3b88bb54016c42cdde510c184255488a12b Merge: b41362fdf2671 ee6c6e7342471 Author: Linus Torvalds Date: Sun Jul 10 09:51:56 2022 -0700 Merge tag 'staging-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fix from Greg KH: "Here is a single staging driver fix for a reported problem that showed up in 5.19-rc1 in the wlan-ng driver. It has been in linux-next for a week with no reported problems" * tag 'staging-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging/wlan-ng: get the correct struct hfa384x in work callback commit b41362fdf26710693535fade5e4eeda019c3b410 Merge: d9919d43cbf67 2cd37c2e72449 Author: Linus Torvalds Date: Sun Jul 10 09:45:29 2022 -0700 Merge tag 'char-misc-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are four small char/misc driver fixes for 5.19-rc6 to resolve some reported issues. They only affect two drivers: - rtsx_usb: fix for of-reported DMA warning error, the driver was handling memory buffers in odd ways, it has now been fixed up to be much simpler and correct by Shuah. - at25 eeprom driver bugfix for reported problem All of these have been in linux-next for a week with no reported problems" * tag 'char-misc-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: misc: rtsx_usb: set return value in rsp_buf alloc err path misc: rtsx_usb: use separate command and response buffers misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer eeprom: at25: Rework buggy read splitting commit d9919d43cbf6790d2bc0c0a2743c51fc25f26919 Merge: 2fbd36dfae40c d785a773bed96 Author: Linus Torvalds Date: Sun Jul 10 09:14:54 2022 -0700 Merge tag 'io_uring-5.19-2022-07-09' of git://git.kernel.dk/linux-block Pull io_uring fix from Jens Axboe: "A single fix for an issue that came up yesterday that we should plug for -rc6. This is a regression introduced in this cycle" * tag 'io_uring-5.19-2022-07-09' of git://git.kernel.dk/linux-block: io_uring: check that we have a file table when allocating update slots commit 2fbd36dfae40cc90ba6a4761e0efff62e4d919fe Merge: 2b9b31cedb706 f5a4618587fb5 Author: Linus Torvalds Date: Sun Jul 10 08:59:02 2022 -0700 Merge tag 'kbuild-fixes-v5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild Pull Kbuild fixes from Masahiro Yamada: - Adjust gen_compile_commands.py to the format change of *.mod files - Remove unused macro in scripts/Makefile.modinst * tag 'kbuild-fixes-v5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: kbuild: remove unused cmd_none in scripts/Makefile.modinst gen_compile_commands: handle multiple lines per .mod file commit 2b9b31cedb7064b16510251cf20ed44b05b71456 Merge: 74a0032b8524e 80f2a248a2f92 Author: Linus Torvalds Date: Sun Jul 10 08:52:12 2022 -0700 Merge tag 'irq_urgent_for_v5.19_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Borislav Petkov: - Gracefully handle failure to request MMIO resources in the GICv3 driver - Make a static key static in the Apple AIC driver - Fix the Xilinx intc driver dependency on OF_ADDRESS * tag 'irq_urgent_for_v5.19_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/apple-aic: Make symbol 'use_fast_ipi' static irqchip/xilinx: Add explicit dependency on OF_ADDRESS irqchip/gicv3: Handle resource request failure consistently commit 74a0032b8524ee2bd4443128c0bf9775928680b0 Merge: b1c428b6c3684 cb8a4beac39b9 Author: Linus Torvalds Date: Sun Jul 10 08:43:52 2022 -0700 Merge tag 'x86_urgent_for_v5.19_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: - Prepare for and clear .brk early in order to address XenPV guests failures where the hypervisor verifies page tables and uninitialized data in that range leads to bogus failures in those checks - Add any potential setup_data entries supplied at boot to the identity pagetable mappings to prevent kexec kernel boot failures. Usually, this is not a problem for the normal kernel as those mappings are part of the initially mapped 2M pages but if kexec gets to allocate the second kernel somewhere else, those setup_data entries need to be mapped there too. - Fix objtool not to discard text references from the __tracepoints section so that ENDBR validation still works - Correct the setup_data types limit as it is user-visible, before 5.19 releases * tag 'x86_urgent_for_v5.19_rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/boot: Fix the setup data types max limit x86/ibt, objtool: Don't discard text references from tracepoint section x86/compressed/64: Add identity mappings for setup_data entries x86: Fix .brk attribute in linker script x86: Clear .brk area at early boot x86/xen: Use clear_bss() for Xen PV guests commit c483e7ea10fa889f9da5012753a6766be6e11309 Author: Hans de Goede Date: Sun Jul 10 16:07:36 2022 +0200 platform/x86/intel/ifs: Mark as BROKEN A recent suggested change to the IFS code has shown that the userspace API needs a bit more work, see: https://lore.kernel.org/platform-driver-x86/20220708151938.986530-1-jithu.joseph@intel.com/ Mark it as BROKEN before 5.19 ships, to give ourselves one more kernel-devel cycle to get the userspace API right. Link: https://lore.kernel.org/platform-driver-x86/20220708151938.986530-1-jithu.joseph@intel.com/ Cc: Jithu Joseph Cc: Ashok Raj Cc: Tony Luck Suggested-by: Greg KH Signed-off-by: Hans de Goede Acked-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20220710140736.6492-1-hdegoede@redhat.com commit f56e676a7f1ca7de9002526df3d2ee0e47dfd8ce Author: Misaka19465 Date: Sun Jul 10 19:37:27 2022 +0800 platform/x86: asus-wmi: Add key mappings On laptops like ASUS TUF Gaming A15, which have hotkeys to start Armoury Crate or AURA Sync, these hotkeys are unavailable. This patch add mappings for them. Signed-off-by: Misaka19465 Link: https://lore.kernel.org/r/20220710113727.281634-1-misaka19465@olddoctor.net Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit d40908f2621ea7abc6132ec8c5688a2960eeee3c Author: Hans de Goede Date: Fri Jul 8 15:14:12 2022 +0200 efi: Fix efi_power_off() not being run before acpi_power_off() when necessary Commit 98f30d0ecf79 ("ACPI: power: Switch to sys-off handler API") switched the ACPI sleep code from directly setting the old global pm_power_off handler to using the new register_sys_off_handler() mechanism with a priority of SYS_OFF_PRIO_FIRMWARE. This is a problem when the old global pm_power_off handler would later be overwritten, such as done by the late_initcall(efi_shutdown_init): if (efi_poweroff_required()) pm_power_off = efi_power_off; The old global pm_power_off handler gets run with a priority of SYS_OFF_PRIO_DEFAULT which is lower then SYS_OFF_PRIO_FIRMWARE, causing acpi_power_off() to run first, changing the behavior from before the ACPI sleep code switched to the new register_sys_off_handler(). Switch the registering of efi_power_off over to register_sys_off_handler() with a priority of SYS_OFF_PRIO_FIRMWARE + 1 so that it will run before acpi_power_off() as before. Note since the new sys-off-handler code will try all handlers in priority order, there is no more need for the EFI code to store and call the original pm_power_off handler. Fixes: 98f30d0ecf79 ("ACPI: power: Switch to sys-off handler API") Cc: Dmitry Osipenko Signed-off-by: Hans de Goede Acked-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20220708131412.81078-3-hdegoede@redhat.com commit 4ce8f4c2027db46299b450b28e9e116aaf00a757 Author: Hans de Goede Date: Fri Jul 8 15:14:11 2022 +0200 platform/x86: x86-android-tablets: Fix Lenovo Yoga Tablet 2 830/1050 poweroff again Commit 98f30d0ecf79 ("ACPI: power: Switch to sys-off handler API") switched the ACPI sleep code from directly setting the old global pm_power_off handler to using the new register_sys_off_handler() mechanism with a priority of SYS_OFF_PRIO_FIRMWARE. This is a problem in special cases where the old global pm_power_off handler later gets overwritten, such as the Lenovo Tab2 poweroff bugfix in x86-android-tablets. The old global pm_power_off handler gets run with a priority of SYS_OFF_PRIO_DEFAULT which is lower then SYS_OFF_PRIO_FIRMWARE, causing the troublesome ACPI poweroff (which freezes the system) to run first. Switch the registering of lenovo_yoga_tab2_830_1050_power_off over to register_sys_off_handler() with a priority of SYS_OFF_PRIO_FIRMWARE + 1 so that it will run before acpi_power_off() to fix this. Fixes: 98f30d0ecf79 ("ACPI: power: Switch to sys-off handler API") Cc: Dmitry Osipenko Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20220708131412.81078-2-hdegoede@redhat.com commit 5d62261a65698c1ee4e71f00963b269282015b1e Author: Pär Eriksson Date: Tue Jul 5 20:44:07 2022 +0200 platform/x86: gigabyte-wmi: add support for B660I AORUS PRO DDR4 Add support for the B660I AORUS PRO DDR4. Signed-off-by: Pär Eriksson Link: https://lore.kernel.org/r/20220705184407.14181-1-parherman@gmail.com Signed-off-by: Hans de Goede commit 4ddef52f26cfaf330240c93d7685a00628c66b04 Author: Shyam Sundar S K Date: Thu Jun 30 10:33:24 2022 +0530 platform/x86/amd/pmc: Add new platform support PMC driver can be supported on a new upcoming platform. Add this information to the support list. Signed-off-by: Shyam Sundar S K Link: https://lore.kernel.org/r/20220630050324.3780654-2-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit 1968f2be5c03073c3f90d49226723eac4d431282 Author: Shyam Sundar S K Date: Thu Jun 30 10:33:23 2022 +0530 platform/x86/amd/pmc: Add new acpi id for PMC controller New version of PMC controller will have a separate ACPI id, add that to the support list. Signed-off-by: Shyam Sundar S K Link: https://lore.kernel.org/r/20220630050324.3780654-1-Shyam-sundar.S-k@amd.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit f5a4618587fb5c5eb5fec3dcce165ca8fd7d7f91 Author: Masahiro Yamada Date: Thu Jun 30 17:09:35 2022 +0900 kbuild: remove unused cmd_none in scripts/Makefile.modinst Commit 65ce9c38326e ("kbuild: move module strip/compression code into scripts/Makefile.modinst") added this unused code. Perhaps, I thought cmd_none was useful for CONFIG_MODULE_COMPRESS_NONE, but I did not use it after all. Signed-off-by: Masahiro Yamada Reviewed-by: Nick Desaulniers commit cb8a4beac39b90cd60abbf9fd639a3357274e469 Author: Borislav Petkov Date: Sun Jul 10 11:15:47 2022 +0200 x86/boot: Fix the setup data types max limit Commit in Fixes forgot to change the SETUP_TYPE_MAX definition which contains the highest valid setup data type. Correct that. Fixes: 5ea98e01ab52 ("x86/boot: Add Confidential Computing type to setup_data") Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/ddba81dd-cc92-699c-5274-785396a17fb5@zytor.com commit b1c428b6c3684ee8ddf4137d68b3e8d51d2a700f Merge: d9cdc3b12525c 3501f0c663063 Author: Linus Torvalds Date: Sat Jul 9 11:20:15 2022 -0700 Merge tag 'i2c-for-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "Two I2C driver bugfixes preventing resource leaks" * tag 'i2c-for-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: cadence: Unregister the clk notifier in error path i2c: piix4: Fix a memory leak in the EFCH MMIO support commit 84499c5d220a4f8fb0a35fa4673148525c81ea83 Author: Thomas Zimmermann Date: Fri Jun 17 14:10:27 2022 +0200 drm/aperture: Run fbdev removal before internal helpers Always run fbdev removal first to remove simpledrm via sysfb_disable(). This clears the internal state. The later call to drm_aperture_detach_drivers() then does nothing. Otherwise, with drm_aperture_detach_drivers() running first, the call to sysfb_disable() uses inconsistent state. Example backtrace show below: BUG: KASAN: use-after-free in device_del+0x79/0x5f0 Read of size 8 at addr ffff888108185050 by task systemd-udevd/311 CPU: 0 PID: 311 Comm: systemd-udevd Tainted: G E 5.19.0-rc2-1-default+ #1689 Hardware name: HP ProLiant DL120 G7, BIOS J01 04/21/2011 Call Trace: device_del+0x79/0x5f0 platform_device_del.part.0+0x19/0xe0 platform_device_unregister+0x1c/0x30 sysfb_disable+0x2d/0x70 remove_conflicting_framebuffers+0x1c/0xf0 remove_conflicting_pci_framebuffers+0x130/0x1a0 drm_aperture_remove_conflicting_pci_framebuffers+0x86/0xb0 mgag200_pci_probe+0x2d/0x140 [mgag200] Signed-off-by: Thomas Zimmermann Fixes: 873eb3b11860 ("fbdev: Disable sysfb device registration when removing conflicting FBs") Cc: Javier Martinez Canillas Cc: Daniel Vetter Cc: Daniel Vetter Cc: Sam Ravnborg Cc: Helge Deller Cc: Thomas Zimmermann Cc: Alex Deucher Cc: Zhen Lei Cc: Changcheng Deng Reviewed-by: Zack Rusin Reviewed-by: Javier Martinez Canillas Signed-off-by: Linus Torvalds commit de2a34771f5123270bc3842535ac91673116dd03 Author: Sven Schnelle Date: Wed Jul 6 12:16:25 2022 +0200 ptrace: fix clearing of JOBCTL_TRACED in ptrace_unfreeze_traced() CI reported the following splat while running the strace testsuite: WARNING: CPU: 1 PID: 3570031 at kernel/ptrace.c:272 ptrace_check_attach+0x12e/0x178 CPU: 1 PID: 3570031 Comm: strace Tainted: G OE 5.19.0-20220624.rc3.git0.ee819a77d4e7.300.fc36.s390x #1 Hardware name: IBM 3906 M04 704 (z/VM 7.1.0) Call Trace: [<00000000ab4b645a>] ptrace_check_attach+0x132/0x178 ([<00000000ab4b6450>] ptrace_check_attach+0x128/0x178) [<00000000ab4b6cde>] __s390x_sys_ptrace+0x86/0x160 [<00000000ac03fcec>] __do_syscall+0x1d4/0x200 [<00000000ac04e312>] system_call+0x82/0xb0 Last Breaking-Event-Address: [<00000000ab4ea3c8>] wait_task_inactive+0x98/0x190 This is because JOBCTL_TRACED is set, but the task is not in TASK_TRACED state. Caused by ptrace_unfreeze_traced() which does: task->jobctl &= ~TASK_TRACED but it should be: task->jobctl &= ~JOBCTL_TRACED Fixes: 31cae1eaae4f ("sched,signal,ptrace: Rework TASK_TRACED, TASK_STOPPED state") Signed-off-by: Sven Schnelle Tested-by: Alexander Gordeev Acked-by: Oleg Nesterov Acked-by: Peter Zijlstra Cc: Eric Biederman Cc: Steven Rostedt Cc: Kees Cook Signed-off-by: Linus Torvalds commit d9cdc3b12525c85b4a2a8b6f3f8f61d9f467ab9a Merge: e5524c2a1fc40 887502826549c Author: Linus Torvalds Date: Sat Jul 9 10:34:08 2022 -0700 Merge tag 'powerpc-5.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fix from Michael Ellerman: - On Power8 bare metal, fix creation of RNG platform devices, which are needed for the /dev/hwrng driver to probe correctly. Thanks to Jason A. Donenfeld, and Sachin Sant. * tag 'powerpc-5.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/powernv: delay rng platform device creation until later in boot commit a4bd9358d5539516c19daa1b35b36bbc0c0637df Merge: c5e58c4545a69 fc976f5629afb Author: Takashi Iwai Date: Sat Jul 9 18:23:54 2022 +0200 Merge tag 'asoc-fix-v5.19-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v5.19 Quite a large batch due to things building up for a couple of weeks but all driver specific apart from Marek's documentation fix. commit c39ba4de6b0a843bec5d46c2b6f2064428dada5e Author: Pablo Neira Ayuso Date: Tue Jul 5 11:41:59 2022 +0200 netfilter: nf_tables: replace BUG_ON by element length check BUG_ON can be triggered from userspace with an element with a large userdata area. Replace it by length check and return EINVAL instead. Over time extensions have been growing in size. Pick a sufficiently old Fixes: tag to propagate this fix. Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data") Signed-off-by: Pablo Neira Ayuso commit d785a773bed966a75ca1f11d108ae1897189975b Author: Jens Axboe Date: Sat Jul 9 07:02:10 2022 -0600 io_uring: check that we have a file table when allocating update slots If IORING_FILE_INDEX_ALLOC is set asking for an allocated slot, the helper doesn't check if we actually have a file table or not. The non alloc path does do that correctly, and returns -ENXIO if we haven't set one up. Do the same for the allocated path, avoiding a NULL pointer dereference when trying to find a free bit. Fixes: a7c41b4687f5 ("io_uring: let IORING_OP_FILES_UPDATE support choosing fixed file slots") Signed-off-by: Jens Axboe commit 72a0b329114b1caa8e69dfa7cdad1dd3c69b8602 Author: Eric Dumazet Date: Fri Jul 8 15:11:53 2022 +0000 vlan: fix memory leak in vlan_newlink() Blamed commit added back a bug I fixed in commit 9bbd917e0bec ("vlan: fix memory leak in vlan_dev_set_egress_priority") If a memory allocation fails in vlan_changelink() after other allocations succeeded, we need to call vlan_dev_free_egress_priority() to free all allocated memory because after a failed ->newlink() we do not call any methods like ndo_uninit() or dev->priv_destructor(). In following example, if the allocation for last element 2000:2001 fails, we need to free eight prior allocations: ip link add link dummy0 dummy0.100 type vlan id 100 \ egress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001 syzbot report was: BUG: memory leak unreferenced object 0xffff888117bd1060 (size 32): comm "syz-executor408", pid 3759, jiffies 4294956555 (age 34.090s) hex dump (first 32 bytes): 09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmalloc include/linux/slab.h:600 [inline] [] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193 [] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128 [] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185 [] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline] [] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580 [] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593 [] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089 [] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501 [] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] [] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345 [] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921 [] sock_sendmsg_nosec net/socket.c:714 [inline] [] sock_sendmsg+0x56/0x80 net/socket.c:734 [] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488 [] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542 [] __sys_sendmsg net/socket.c:2571 [inline] [] __do_sys_sendmsg net/socket.c:2580 [inline] [] __se_sys_sendmsg net/socket.c:2578 [inline] [] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578 [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x46/0xb0 Fixes: 37aa50c539bc ("vlan: introduce vlan_dev_free_egress_priority") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Xin Long Reviewed-by: Xin Long Signed-off-by: David S. Miller commit 9c840d5f9aaef87e65db900bae21c70b059aba5f Author: Baowen Zheng Date: Fri Jul 8 11:07:18 2022 +0100 nfp: fix issue of skb segments exceeds descriptor limitation TCP packets will be dropped if the segments number in the tx skb exceeds limitation when sending iperf3 traffic with --zerocopy option. we make the following changes: Get nr_frags in nfp_nfdk_tx_maybe_close_block instead of passing from outside because it will be changed after skb_linearize operation. Fill maximum dma_len in first tx descriptor to make sure the whole head is included in the first descriptor. Fixes: c10d12e3dce8 ("nfp: add support for NFDK data path") Signed-off-by: Baowen Zheng Reviewed-by: Louis Peens Signed-off-by: Simon Horman Signed-off-by: David S. Miller commit 4ad3278df6fe2b0852b00d5757fc2ccd8e92c26e Author: Pawan Gupta Date: Fri Jul 8 13:36:09 2022 -0700 x86/speculation: Disable RRSBA behavior Some Intel processors may use alternate predictors for RETs on RSB-underflow. This condition may be vulnerable to Branch History Injection (BHI) and intramode-BTI. Kernel earlier added spectre_v2 mitigation modes (eIBRS+Retpolines, eIBRS+LFENCE, Retpolines) which protect indirect CALLs and JMPs against such attacks. However, on RSB-underflow, RET target prediction may fallback to alternate predictors. As a result, RET's predicted target may get influenced by branch history. A new MSR_IA32_SPEC_CTRL bit (RRSBA_DIS_S) controls this fallback behavior when in kernel mode. When set, RETs will not take predictions from alternate predictors, hence mitigating RETs as well. Support for this is enumerated by CPUID.7.2.EDX[RRSBA_CTRL] (bit2). For spectre v2 mitigation, when a user selects a mitigation that protects indirect CALLs and JMPs against BHI and intramode-BTI, set RRSBA_DIS_S also to protect RETs for RSB-underflow case. Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov commit 697977d8415d61f3acbc4ee6d564c9dcf0309507 Author: Konrad Rzeszutek Wilk Date: Fri Jul 8 19:10:11 2022 +0200 x86/kexec: Disable RET on kexec All the invocations unroll to __x86_return_thunk and this file must be PIC independent. This fixes kexec on 64-bit AMD boxes. [ bp: Fix 32-bit build. ] Reported-by: Edward Tran Reported-by: Awais Tanveer Suggested-by: Ankur Arora Signed-off-by: Konrad Rzeszutek Wilk Signed-off-by: Alexandre Chartre Signed-off-by: Borislav Petkov commit 7a847c00eeba9744353ecdfad253143b9115678a Author: Pablo Neira Ayuso Date: Tue Jul 5 10:26:15 2022 +0200 netfilter: nf_log: incorrect offset to network header NFPROTO_ARP is expecting to find the ARP header at the network offset. In the particular case of ARP, HTYPE= field shows the initial bytes of the ethernet header destination MAC address. netdev out: IN= OUT=bridge0 MACSRC=c2:76:e5:71:e1:de MACDST=36:b0:4a:e2:72:ea MACPROTO=0806 ARP HTYPE=14000 PTYPE=0x4ae2 OPCODE=49782 NFPROTO_NETDEV egress hook is also expecting to find the IP headers at the network offset. Fixes: 35b9395104d5 ("netfilter: add generic ARP packet logger") Reported-by: Tom Yan Signed-off-by: Pablo Neira Ayuso commit 2a96271fb66c499e4a89d76a89d3d01170c10bef Author: Siarhei Vishniakou Date: Fri Jul 8 21:59:23 2022 -0700 Input: document the units for resolution of size axes Today, the resolution of size axes is not documented. As a result, it's not clear what the canonical interpretation of this value should be. On Android, there is a need to calculate the size of the touch ellipse in physical units (millimeters). After reviewing linux source, it turned out that most of the existing usages are already interpreting this value as "units/mm". This documentation will make it explicit. This will help device implementations with correctly following the linux specs, and will ensure that the devices will work on Android without needing further customized parameters for scaling of major/minor values. Signed-off-by: Siarhei Vishniakou Reviewed-by: Jeff LaBundy Link: https://lore.kernel.org/r/20220520084514.3451193-1-svv@google.com Signed-off-by: Dmitry Torokhov commit 3de93e6ed2df6521e3f68fb45eec0bb4fe1bb218 Author: Hans de Goede Date: Fri Jul 8 21:42:12 2022 -0700 Input: goodix - call acpi_device_fix_up_power() in some cases On ACPI boards, when we cannot get the GPIOs to do a reset ourselves if necessary, call acpi_device_fix_up_power() to force the ACPI _PS0 method to run. On some devices without proper GPIO descriptions this will reset the touchscreen for us and this may be necessary for us to be able to communicate to the touchscreen at all. Specifically on an Aya Neo Next this change will cause the _PS0() ACPI function to call INIT() which does: Method (INIT, 0, Serialized) { TP_I = 0x00A50000 TP_R = 0x00A50000 Sleep (0x0A) TP_I = 0x00E50000 Sleep (One) TP_R = 0x00E50000 Sleep (0x06) TP_I = 0x00A50000 Sleep (0x3C) TP_I = 0x00041800 } On older kernels the ACPI core assumed a power-on was necessary by itself and would run _PS0 before our probe function runs, which can be seen from the GPIO pin ctrl registers in /sys/kernel/debug/gpio which match the above hex values with older kernels. With newer kernels before this change the GPIO pin ctrl registers do not match, indicating INIT() has not run and probing the touchscreen fails. This change makes Linux run _PS0() again fixing the touchscreen not working on the Aya Neo Next. Reported-and-tested-by: Maya Matuszczyk Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20220618210233.208027-1-hdegoede@redhat.com Signed-off-by: Dmitry Torokhov commit 6676d7270ce254596ab1d4ae0de27b8e19705d44 Merge: 7c895ef88403b cfbba7b46aef6 Author: Jakub Kicinski Date: Fri Jul 8 20:31:02 2022 -0700 Merge branch 'selftests-forwarding-install-two-missing-tests' Martin Blumenstingl says: ==================== selftests: forwarding: Install two missing tests For some distributions (e.g. OpenWrt) we don't want to rely on rsync to copy the tests to the target as some extra dependencies need to be installed. The Makefile in tools/testing/selftests/net/forwarding already installs most of the tests. This series adds the two missing tests to the list of installed tests. That way a downstream distribution can build a package using this Makefile (and add dependencies there as needed). ==================== Link: https://lore.kernel.org/r/20220707135532.1783925-1-martin.blumenstingl@googlemail.com Signed-off-by: Jakub Kicinski commit cfbba7b46aef631445909ab4c35b98c16e36074b Author: Martin Blumenstingl Date: Thu Jul 7 15:55:32 2022 +0200 selftests: forwarding: Install no_forwarding.sh When using the Makefile from tools/testing/selftests/net/forwarding/ all tests should be installed. Add no_forwarding.sh to the list of "to be installed tests" where it has been missing so far. Fixes: 476a4f05d9b83f ("selftests: forwarding: add a no_forwarding.sh test") Signed-off-by: Martin Blumenstingl Reviewed-by: Vladimir Oltean Signed-off-by: Jakub Kicinski commit 437ac2592c09fcf27430db3ac878d2a566a58692 Author: Martin Blumenstingl Date: Thu Jul 7 15:55:31 2022 +0200 selftests: forwarding: Install local_termination.sh When using the Makefile from tools/testing/selftests/net/forwarding/ all tests should be installed. Add local_termination.sh to the list of "to be installed tests" where it has been missing so far. Fixes: 90b9566aa5cd3f ("selftests: forwarding: add a test for local_termination.sh") Signed-off-by: Martin Blumenstingl Reviewed-by: Vladimir Oltean Signed-off-by: Jakub Kicinski commit e5524c2a1fc4002a52e16236659e779767617a4f Merge: 525496a030de4 85e4ea1049c70 Author: Linus Torvalds Date: Fri Jul 8 16:08:48 2022 -0700 Merge tag 'fscache-fixes-20220708' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull fscache fixes from David Howells: - Fix a check in fscache_wait_on_volume_collision() in which the polarity is reversed. It should complain if a volume is still marked acquisition-pending after 20s, but instead complains if the mark has been cleared (ie. the condition has cleared). Also switch an open-coded test of the ACQUIRE_PENDING volume flag to use the helper function for consistency. - Not a fix per se, but neaten the code by using a helper to check for the DROPPED state. - Fix cachefiles's support for erofs to only flush requests associated with a released control file, not all requests. - Fix a race between one process invalidating an object in the cache and another process trying to look it up. * tag 'fscache-fixes-20220708' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: fscache: Fix invalidation/lookup race cachefiles: narrow the scope of flushed requests when releasing fd fscache: Introduce fscache_cookie_is_dropped() fscache: Fix if condition in fscache_wait_on_volume_collision() commit 7c895ef88403bf970843c443a29e0385f65c3f39 Merge: 32b3ad1418ea5 f8d3da4ef8faf Author: Jakub Kicinski Date: Fri Jul 8 15:24:16 2022 -0700 Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== bpf 2022-07-08 We've added 3 non-merge commits during the last 2 day(s) which contain a total of 7 files changed, 40 insertions(+), 24 deletions(-). The main changes are: 1) Fix cBPF splat triggered by skb not having a mac header, from Eric Dumazet. 2) Fix spurious packet loss in generic XDP when pushing packets out (note that native XDP is not affected by the issue), from Johan Almbladh. 3) Fix bpf_dynptr_{read,write}() helper signatures with flag argument before its set in stone as UAPI, from Joanne Koong. * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf: Add flags arg to bpf_dynptr_read and bpf_dynptr_write APIs bpf: Make sure mac_header was set before using it xdp: Fix spurious packet loss in generic XDP TX path ==================== Link: https://lore.kernel.org/r/20220708213418.19626-1-daniel@iogearbox.net Signed-off-by: Jakub Kicinski commit 3418357a32db6c8ce5e4417964bac1edcc3f281a Author: Sven Schnelle Date: Wed Jul 6 12:16:25 2022 +0200 ptrace: fix clearing of JOBCTL_TRACED in ptrace_unfreeze_traced() CI reported the following splat while running the strace testsuite: [ 3976.640309] WARNING: CPU: 1 PID: 3570031 at kernel/ptrace.c:272 ptrace_check_attach+0x12e/0x178 [ 3976.640391] CPU: 1 PID: 3570031 Comm: strace Tainted: G OE 5.19.0-20220624.rc3.git0.ee819a77d4e7.300.fc36.s390x #1 [ 3976.640410] Hardware name: IBM 3906 M04 704 (z/VM 7.1.0) [ 3976.640452] Call Trace: [ 3976.640454] [<00000000ab4b645a>] ptrace_check_attach+0x132/0x178 [ 3976.640457] ([<00000000ab4b6450>] ptrace_check_attach+0x128/0x178) [ 3976.640460] [<00000000ab4b6cde>] __s390x_sys_ptrace+0x86/0x160 [ 3976.640463] [<00000000ac03fcec>] __do_syscall+0x1d4/0x200 [ 3976.640468] [<00000000ac04e312>] system_call+0x82/0xb0 [ 3976.640470] Last Breaking-Event-Address: [ 3976.640471] [<00000000ab4ea3c8>] wait_task_inactive+0x98/0x190 This is because JOBCTL_TRACED is set, but the task is not in TASK_TRACED state. Caused by ptrace_unfreeze_traced() which does: task->jobctl &= ~TASK_TRACED but it should be: task->jobctl &= ~JOBCTL_TRACED Fixes: 31cae1eaae4f ("sched,signal,ptrace: Rework TASK_TRACED, TASK_STOPPED state") Signed-off-by: Sven Schnelle Link: https://lkml.kernel.org/r/20220706101625.2100298-1-svens@linux.ibm.com Link: https://lkml.kernel.org/r/YrHA5UkJLornOdCz@li-4a3a4a4c-28e5-11b2-a85c-a8d192c6f089.ibm.com Link: https://bugzilla.redhat.com/show_bug.cgi?id=2101641 Acked-by: Peter Zijlstra (Intel) Tested-by: Alexander Gordeev Tested-by: Linus Torvalds Signed-off-by: Eric W. Biederman commit 3f231ccb38835121034a8fe09c798e57801ff4fd Merge: 5b7925988de46 884b66976a727 Author: Arnd Bergmann Date: Fri Jul 8 22:47:33 2022 +0200 Merge tag 'sunxi-fixes-for-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into arm/fixes - Fix SPI NOR compatible on Orange Pi Zero * tag 'sunxi-fixes-for-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero Link: https://lore.kernel.org/r/Ysh44qUmdmF6TWS6@kista.localdomain Signed-off-by: Arnd Bergmann commit 5b7925988de4653f70831857c269af083806177a Merge: 5e7230a4daf97 79471f29ec487 Author: Arnd Bergmann Date: Fri Jul 8 22:45:00 2022 +0200 Merge tag 'sunxi-fixes-for-5.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into arm/fixes - fix binding for D1 display pipeline * tag 'sunxi-fixes-for-5.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: dt-bindings: display: sun4i: Fix D1 pipeline count Link: https://lore.kernel.org/r/YshiPKZRq6NHxPzO@kista.localdomain Signed-off-by: Arnd Bergmann commit 5e7230a4daf97d2fb4c764395f1c79fc420dd96f Merge: 2dc94f06127f3 2fdf15b50a46e Author: Arnd Bergmann Date: Fri Jul 8 22:43:59 2022 +0200 Merge tag 'at91-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/at91/linux into arm/fixes AT91 fixes for 5.19 #2 It contains 2 DT fixes: - one for SAMA5D2 to fix the i2s1 assigned-clock-parents property - one for kswitch-d10 (LAN966 based) enforcing proper settings on GPIO pins * tag 'at91-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/at91/linux: ARM: dts: at91: sama5d2: Fix typo in i2s1 node ARM: dts: kswitch-d10: use open drain mode for coma-mode pins Link: https://lore.kernel.org/r/20220708151621.860339-1-claudiu.beznea@microchip.com Signed-off-by: Arnd Bergmann commit 12dc6adc49c9c491d830504e1e01b688ef789093 Author: Uwe Kleine-König Date: Fri Jul 8 13:19:19 2022 -0700 Input: wm97xx - make .remove() obviously always return 0 wm97xx_remove() returns zero unconditionally. To prepare changing the prototype for platform remove callbacks to return void, make it explicit that wm97xx_mfd_remove() always returns zero. The prototype for wm97xx_remove cannot be changed, as it's also used as a plain device remove callback. Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20220708062718.240013-1-u.kleine-koenig@pengutronix.de Signed-off-by: Dmitry Torokhov commit 525496a030de4ae64bb9e1d6bfc88eec6f5fe6e2 Merge: 3784fad934c5b 8b356e536e69f Author: Linus Torvalds Date: Fri Jul 8 13:05:56 2022 -0700 Merge tag 'acpi-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes from Rafael Wysocki: "These fix two recent regressions related to CPPC support. Specifics: - Prevent _CPC from being used if the platform firmware does not confirm CPPC v2 support via _OSC (Mario Limonciello) - Allow systems with X86_FEATURE_CPPC set to use _CPC even if CPPC support cannot be agreed on via _OSC (Mario Limonciello)" * tag 'acpi-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: CPPC: Don't require _OSC if X86_FEATURE_CPPC is supported ACPI: CPPC: Only probe for _CPC if CPPC v2 is acked commit 3784fad934c5bd68551f0af4252821697957a72a Merge: 483e4a1d83db1 fe7c758c07c47 Author: Linus Torvalds Date: Fri Jul 8 13:01:04 2022 -0700 Merge tag 'pm-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These fix a NULL pointer dereference in a devfreq driver and a runtime PM framework issue that may cause a supplier device to be suspended before its consumer. Specifics: - Fix NULL pointer dereference related to printing a diagnostic message in the exynos-bus devfreq driver (Christian Marangi) - Fix race condition in the runtime PM framework which in some cases may cause a supplier device to be suspended when its consumer is still active (Rafael Wysocki)" * tag 'pm-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM / devfreq: exynos-bus: Fix NULL pointer dereference PM: runtime: Fix supplier device management during consumer probe PM: runtime: Redefine pm_runtime_release_supplier() commit 483e4a1d83db1a6d339cd76f7966bf9e1748f752 Merge: f5645edf6cffb e35f5718903b0 Author: Linus Torvalds Date: Fri Jul 8 12:55:25 2022 -0700 Merge tag 'cxl-fixes-for-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl Pull cxl fixes from Vishal Verma: - Update MAINTAINERS for Ben's email - Fix cleanup of port devices on failure to probe driver - Fix endianness in get/set LSA mailbox command structures - Fix memregion_free() fallback definition - Fix missing variable payload checks in CXL cmd size validation * tag 'cxl-fixes-for-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl: cxl/mbox: Fix missing variable payload checks in cmd size validation memregion: Fix memregion_free() fallback definition cxl/mbox: Use __le32 in get,set_lsa mailbox structures cxl/core: Use is_endpoint_decoder cxl: Fix cleanup of port devices on failure to probe driver. MAINTAINERS: Update Ben's email address commit f5645edf6cffb97d976c6eef31fb536a09f114fd Merge: 2b93fe647c0a9 c51b8f85c4157 Author: Linus Torvalds Date: Fri Jul 8 12:49:00 2022 -0700 Merge tag 'iommu-fixes-v5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull iommu fixes from Joerg Roedel: - fix device setup failures in the Intel VT-d driver when the PASID table is shared - fix Intel VT-d device hot-add failure due to wrong device notifier order - remove the old IOMMU mailing list from the MAINTAINERS file now that it has been retired * tag 'iommu-fixes-v5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: MAINTAINERS: Remove iommu@lists.linux-foundation.org iommu/vt-d: Fix RID2PASID setup/teardown failure iommu/vt-d: Fix PCI bus rescan device hot add commit 8bd582ae9a71d7f14c4e0c735b2eacaf7516d626 Author: William Zhang Date: Fri Jul 8 11:25:07 2022 -0700 arm64: dts: broadcom: bcm4908: Fix cpu node for smp boot Add spin-table enable-method and cpu-release-addr properties for cpu0 node. This is required by all ARMv8 SoC. Otherwise some bootloader like u-boot can not update cpu-release-addr and linux fails to start up secondary cpus. Fixes: 2961f69f151c ("arm64: dts: broadcom: add BCM4908 and Asus GT-AC5300 early DTS files") Signed-off-by: William Zhang Signed-off-by: Florian Fainelli commit b4a544e415e9be33b37d9bfa9d9f9f4d13f553d6 Author: William Zhang Date: Fri Jul 8 11:25:06 2022 -0700 arm64: dts: broadcom: bcm4908: Fix timer node for BCM4906 SoC The cpu mask value in interrupt property inherits from bcm4908.dtsi which sets to four cpus. Correct the value to two cpus for dual core BCM4906 SoC. Fixes: c8b404fb05dc ("arm64: dts: broadcom: bcm4908: add BCM4906 Netgear R8000P DTS files") Signed-off-by: William Zhang Signed-off-by: Florian Fainelli commit 2b93fe647c0a901e00eba0adab84a6ecba3f25c4 Merge: a471da3100ef2 c8e27a4a5136e Author: Linus Torvalds Date: Fri Jul 8 12:39:52 2022 -0700 Merge tag 'gpio-fixes-for-v5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - fix a build error in gpio-vf610 - fix a null-pointer dereference in the GPIO character device code * tag 'gpio-fixes-for-v5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpiolib: cdev: fix null pointer dereference in linereq_free() gpio: vf610: fix compilation error commit fe7c758c07c4729a16f940eb1d77027ad032ab29 Merge: ba7c3507087aa 8873710660390 Author: Rafael J. Wysocki Date: Fri Jul 8 20:38:51 2022 +0200 Merge branch 'pm-core' Merge a runtime PM framework cleanup and fix related to device links. * pm-core: PM: runtime: Fix supplier device management during consumer probe PM: runtime: Redefine pm_runtime_release_supplier() commit a471da3100ef2e8feb8449d378a52e29dd1e9ae1 Merge: 29837019d5ebb 6b0de7d0f3285 Author: Linus Torvalds Date: Fri Jul 8 11:32:23 2022 -0700 Merge tag 'block-5.19-2022-07-08' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "NVMe pull request with another id quirk addition, and a tracing fix" * tag 'block-5.19-2022-07-08' of git://git.kernel.dk/linux-block: nvme: use struct group for generic command dwords nvme-pci: phison e16 has bogus namespace ids commit 884b66976a7279ee889ba885fe364244d50b79e7 Author: Michal Suchanek Date: Fri Jul 8 19:45:29 2022 +0200 ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero The device tree should include generic "jedec,spi-nor" compatible, and a manufacturer-specific one. The macronix part is what is shipped on the boards that come with a flash chip. Fixes: 45857ae95478 ("ARM: dts: orange-pi-zero: add node for SPI NOR") Signed-off-by: Michal Suchanek Acked-by: Jernej Skrabec Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20220708174529.3360-1-msuchanek@suse.de commit 29837019d5ebb80a5f180af3107a0645c731a770 Merge: 086ff84617185 bdb2c48e4b38e Author: Linus Torvalds Date: Fri Jul 8 11:25:01 2022 -0700 Merge tag 'io_uring-5.19-2022-07-08' of git://git.kernel.dk/linux-block Pull io_uring tweak from Jens Axboe: "Just a minor tweak to an addition made in this release cycle: padding a 32-bit value that's in a 64-bit union to avoid any potential funkiness from that" * tag 'io_uring-5.19-2022-07-08' of git://git.kernel.dk/linux-block: io_uring: explicit sqe padding for ioctl commands commit 086ff84617185393a0bbf25830c4f36412a7d3f4 Merge: e8a4e1c1bb697 53a6e66b1b4fe Author: Linus Torvalds Date: Fri Jul 8 11:03:26 2022 -0700 Merge tag 'for-5.19/fbdev-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev Pull fbdev fixes from Helge Deller: - fbcon now prevents switching to screen resolutions which are smaller than the font size, and prevents enabling a font which is bigger than the current screen resolution. This fixes vmalloc-out-of-bounds accesses found by KASAN. - Guiling Deng fixed a bug where the centered fbdev logo wasn't displayed correctly if the screen size matched the logo size. - Hsin-Yi Wang provided a patch to include errno.h to fix build when CONFIG_OF isn't enabled. * tag 'for-5.19/fbdev-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: fbcon: Use fbcon_info_from_console() in fbcon_modechange_possible() fbmem: Check virtual screen sizes in fb_set_var() fbcon: Prevent that screen size is smaller than font size fbcon: Disallow setting font bigger than screen size video: of_display_timing.h: include errno.h fbdev: fbmem: Fix logo center image dx issue commit b3a3b0255797e1d395253366ba24a4cc6c8bdf9c Author: Naohiro Aota Date: Wed Jun 29 11:00:38 2022 +0900 btrfs: zoned: drop optimization of zone finish We have an optimization in do_zone_finish() to send REQ_OP_ZONE_FINISH only when necessary, i.e. we don't send REQ_OP_ZONE_FINISH when we assume we wrote fully into the zone. The assumption is determined by "alloc_offset == capacity". This condition won't work if the last ordered extent is canceled due to some errors. In that case, we consider the zone is deactivated without sending the finish command while it's still active. This inconstancy results in activating another block group while we cannot really activate the underlying zone, which causes the active zone exceeds errors like below. BTRFS error (device nvme3n2): allocation failed flags 1, wanted 520192 tree-log 0, relocation: 0 nvme3n2: I/O Cmd(0x7d) @ LBA 160432128, 127 blocks, I/O Error (sct 0x1 / sc 0xbd) MORE DNR active zones exceeded error, dev nvme3n2, sector 0 op 0xd:(ZONE_APPEND) flags 0x4800 phys_seg 1 prio class 0 nvme3n2: I/O Cmd(0x7d) @ LBA 160432128, 127 blocks, I/O Error (sct 0x1 / sc 0xbd) MORE DNR active zones exceeded error, dev nvme3n2, sector 0 op 0xd:(ZONE_APPEND) flags 0x4800 phys_seg 1 prio class 0 Fix the issue by removing the optimization for now. Fixes: 8376d9e1ed8f ("btrfs: zoned: finish superblock zone once no space left for new SB") Reviewed-by: Johannes Thumshirn Signed-off-by: Naohiro Aota Signed-off-by: David Sterba commit 2963457829decf0c824a443238d251151ed18ff5 Author: Christoph Hellwig Date: Thu Jun 30 18:03:19 2022 +0200 btrfs: zoned: fix a leaked bioc in read_zone_info The bioc would leak on the normal completion path and also on the RAID56 check (but that one won't happen in practice due to the invalid combination with zoned mode). Fixes: 7db1c5d14dcd ("btrfs: zoned: support dev-replace in zoned filesystems") CC: stable@vger.kernel.org # 5.16+ Reviewed-by: Anand Jain Signed-off-by: Christoph Hellwig [ update changelog ] Reviewed-by: David Sterba Signed-off-by: David Sterba commit a4527e1853f8ff6e0b7c2dadad6268bd38427a31 Author: Filipe Manana Date: Mon Jul 4 12:42:03 2022 +0100 btrfs: return -EAGAIN for NOWAIT dio reads/writes on compressed and inline extents When doing a direct IO read or write, we always return -ENOTBLK when we find a compressed extent (or an inline extent) so that we fallback to buffered IO. This however is not ideal in case we are in a NOWAIT context (io_uring for example), because buffered IO can block and we currently have no support for NOWAIT semantics for buffered IO, so if we need to fallback to buffered IO we should first signal the caller that we may need to block by returning -EAGAIN instead. This behaviour can also result in short reads being returned to user space, which although it's not incorrect and user space should be able to deal with partial reads, it's somewhat surprising and even some popular applications like QEMU (Link tag #1) and MariaDB (Link tag #2) don't deal with short reads properly (or at all). The short read case happens when we try to read from a range that has a non-compressed and non-inline extent followed by a compressed extent. After having read the first extent, when we find the compressed extent we return -ENOTBLK from btrfs_dio_iomap_begin(), which results in iomap to treat the request as a short read, returning 0 (success) and waiting for previously submitted bios to complete (this happens at fs/iomap/direct-io.c:__iomap_dio_rw()). After that, and while at btrfs_file_read_iter(), we call filemap_read() to use buffered IO to read the remaining data, and pass it the number of bytes we were able to read with direct IO. Than at filemap_read() if we get a page fault error when accessing the read buffer, we return a partial read instead of an -EFAULT error, because the number of bytes previously read is greater than zero. So fix this by returning -EAGAIN for NOWAIT direct IO when we find a compressed or an inline extent. Reported-by: Dominique MARTINET Link: https://lore.kernel.org/linux-btrfs/YrrFGO4A1jS0GI0G@atmark-techno.com/ Link: https://jira.mariadb.org/browse/MDEV-27900?focusedCommentId=216582&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-216582 Tested-by: Dominique MARTINET CC: stable@vger.kernel.org # 5.10+ Reviewed-by: Christoph Hellwig Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 2fdf15b50a46e366740df4cccbe2343269b4ff55 Author: Ryan Wanner Date: Thu Jul 7 14:58:12 2022 -0700 ARM: dts: at91: sama5d2: Fix typo in i2s1 node Fix typo in i2s1 causing errors in dt binding validation. Change assigned-parrents to assigned-clock-parents to match i2s0 node formatting. Fixes: 1ca81883c557 ("ARM: dts: at91: sama5d2: add nodes for I2S controllers") Signed-off-by: Ryan Wanner [claudiu.beznea: use imperative addressing in commit description, remove blank line after fixes tag, fix typo in commit message] Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20220707215812.193008-1-Ryan.Wanner@microchip.com commit 2dc94f06127f306201b10617df54ea7f265bcce9 Merge: a902fa8eccaf9 e5ce073c8a1e0 Author: Arnd Bergmann Date: Fri Jul 8 15:59:42 2022 +0200 Merge tag 'tee-fixes-for-v5.19' of https://git.linaro.org/people/jens.wiklander/linux-tee into arm/fixes Fixes for TEE subsystem A fix for the recently merged commit ed8faf6c8f8c ("optee: add OPTEE_SMC_CALL_WITH_RPC_ARG and OPTEE_SMC_CALL_WITH_REGD_ARG"). Two small fixes in comment, repeated words etc. * tag 'tee-fixes-for-v5.19' of https://git.linaro.org/people/jens.wiklander/linux-tee: tee: tee_get_drvdata(): fix description of return value optee: Remove duplicate 'of' in two places. optee: smc_abi.c: fix wrong pointer passed to IS_ERR/PTR_ERR() Link: https://lore.kernel.org/r/20220708134607.GA901814@jade Signed-off-by: Arnd Bergmann commit 4a47c6385bb4e0786826e75bd4555aba32953653 Author: Christian Brauner Date: Wed Jul 6 15:56:11 2022 +0200 ovl: turn of SB_POSIXACL with idmapped layers temporarily This cycle we added support for mounting overlayfs on top of idmapped mounts. Recently I've started looking into potential corner cases when trying to add additional tests and I noticed that reporting for POSIX ACLs is currently wrong when using idmapped layers with overlayfs mounted on top of it. I have sent out an patch that fixes this and makes POSIX ACLs work correctly but the patch is a bit bigger and we're already at -rc5 so I recommend we simply don't raise SB_POSIXACL when idmapped layers are used. Then we can fix the VFS part described below for the next merge window so we can have good exposure in -next. I'm going to give a rather detailed explanation to both the origin of the problem and mention the solution so people know what's going on. Let's assume the user creates the following directory layout and they have a rootfs /var/lib/lxc/c1/rootfs. The files in this rootfs are owned as you would expect files on your host system to be owned. For example, ~/.bashrc for your regular user would be owned by 1000:1000 and /root/.bashrc would be owned by 0:0. IOW, this is just regular boring filesystem tree on an ext4 or xfs filesystem. The user chooses to set POSIX ACLs using the setfacl binary granting the user with uid 4 read, write, and execute permissions for their .bashrc file: setfacl -m u:4:rwx /var/lib/lxc/c2/rootfs/home/ubuntu/.bashrc Now they to expose the whole rootfs to a container using an idmapped mount. So they first create: mkdir -pv /vol/contpool/{ctrover,merge,lowermap,overmap} mkdir -pv /vol/contpool/ctrover/{over,work} chown 10000000:10000000 /vol/contpool/ctrover/{over,work} The user now creates an idmapped mount for the rootfs: mount-idmapped/mount-idmapped --map-mount=b:0:10000000:65536 \ /var/lib/lxc/c2/rootfs \ /vol/contpool/lowermap This for example makes it so that /var/lib/lxc/c2/rootfs/home/ubuntu/.bashrc which is owned by uid and gid 1000 as being owned by uid and gid 10001000 at /vol/contpool/lowermap/home/ubuntu/.bashrc. Assume the user wants to expose these idmapped mounts through an overlayfs mount to a container. mount -t overlay overlay \ -o lowerdir=/vol/contpool/lowermap, \ upperdir=/vol/contpool/overmap/over, \ workdir=/vol/contpool/overmap/work \ /vol/contpool/merge The user can do this in two ways: (1) Mount overlayfs in the initial user namespace and expose it to the container. (2) Mount overlayfs on top of the idmapped mounts inside of the container's user namespace. Let's assume the user chooses the (1) option and mounts overlayfs on the host and then changes into a container which uses the idmapping 0:10000000:65536 which is the same used for the two idmapped mounts. Now the user tries to retrieve the POSIX ACLs using the getfacl command getfacl -n /vol/contpool/lowermap/home/ubuntu/.bashrc and to their surprise they see: # file: vol/contpool/merge/home/ubuntu/.bashrc # owner: 1000 # group: 1000 user::rw- user:4294967295:rwx group::r-- mask::rwx other::r-- indicating the uid wasn't correctly translated according to the idmapped mount. The problem is how we currently translate POSIX ACLs. Let's inspect the callchain in this example: idmapped mount /vol/contpool/merge: 0:10000000:65536 caller's idmapping: 0:10000000:65536 overlayfs idmapping (ofs->creator_cred): 0:0:4k /* initial idmapping */ sys_getxattr() -> path_getxattr() -> getxattr() -> do_getxattr() |> vfs_getxattr() | -> __vfs_getxattr() | -> handler->get == ovl_posix_acl_xattr_get() | -> ovl_xattr_get() | -> vfs_getxattr() | -> __vfs_getxattr() | -> handler->get() /* lower filesystem callback */ |> posix_acl_fix_xattr_to_user() { 4 = make_kuid(&init_user_ns, 4); 4 = mapped_kuid_fs(&init_user_ns /* no idmapped mount */, 4); /* FAILURE */ -1 = from_kuid(0:10000000:65536 /* caller's idmapping */, 4); } If the user chooses to use option (2) and mounts overlayfs on top of idmapped mounts inside the container things don't look that much better: idmapped mount /vol/contpool/merge: 0:10000000:65536 caller's idmapping: 0:10000000:65536 overlayfs idmapping (ofs->creator_cred): 0:10000000:65536 sys_getxattr() -> path_getxattr() -> getxattr() -> do_getxattr() |> vfs_getxattr() | -> __vfs_getxattr() | -> handler->get == ovl_posix_acl_xattr_get() | -> ovl_xattr_get() | -> vfs_getxattr() | -> __vfs_getxattr() | -> handler->get() /* lower filesystem callback */ |> posix_acl_fix_xattr_to_user() { 4 = make_kuid(&init_user_ns, 4); 4 = mapped_kuid_fs(&init_user_ns, 4); /* FAILURE */ -1 = from_kuid(0:10000000:65536 /* caller's idmapping */, 4); } As is easily seen the problem arises because the idmapping of the lower mount isn't taken into account as all of this happens in do_gexattr(). But do_getxattr() is always called on an overlayfs mount and inode and thus cannot possible take the idmapping of the lower layers into account. This problem is similar for fscaps but there the translation happens as part of vfs_getxattr() already. Let's walk through an fscaps overlayfs callchain: setcap 'cap_net_raw+ep' /var/lib/lxc/c2/rootfs/home/ubuntu/.bashrc The expected outcome here is that we'll receive the cap_net_raw capability as we are able to map the uid associated with the fscap to 0 within our container. IOW, we want to see 0 as the result of the idmapping translations. If the user chooses option (1) we get the following callchain for fscaps: idmapped mount /vol/contpool/merge: 0:10000000:65536 caller's idmapping: 0:10000000:65536 overlayfs idmapping (ofs->creator_cred): 0:0:4k /* initial idmapping */ sys_getxattr() -> path_getxattr() -> getxattr() -> do_getxattr() -> vfs_getxattr() -> xattr_getsecurity() -> security_inode_getsecurity() ________________________________ -> cap_inode_getsecurity() | | { V | 10000000 = make_kuid(0:0:4k /* overlayfs idmapping */, 10000000); | 10000000 = mapped_kuid_fs(0:0:4k /* no idmapped mount */, 10000000); | /* Expected result is 0 and thus that we own the fscap. */ | 0 = from_kuid(0:10000000:65536 /* caller's idmapping */, 10000000); | } | -> vfs_getxattr_alloc() | -> handler->get == ovl_other_xattr_get() | -> vfs_getxattr() | -> xattr_getsecurity() | -> security_inode_getsecurity() | -> cap_inode_getsecurity() | { | 0 = make_kuid(0:0:4k /* lower s_user_ns */, 0); | 10000000 = mapped_kuid_fs(0:10000000:65536 /* idmapped mount */, 0); | 10000000 = from_kuid(0:0:4k /* overlayfs idmapping */, 10000000); | |____________________________________________________________________| } -> vfs_getxattr_alloc() -> handler->get == /* lower filesystem callback */ And if the user chooses option (2) we get: idmapped mount /vol/contpool/merge: 0:10000000:65536 caller's idmapping: 0:10000000:65536 overlayfs idmapping (ofs->creator_cred): 0:10000000:65536 sys_getxattr() -> path_getxattr() -> getxattr() -> do_getxattr() -> vfs_getxattr() -> xattr_getsecurity() -> security_inode_getsecurity() _______________________________ -> cap_inode_getsecurity() | | { V | 10000000 = make_kuid(0:10000000:65536 /* overlayfs idmapping */, 0); | 10000000 = mapped_kuid_fs(0:0:4k /* no idmapped mount */, 10000000); | /* Expected result is 0 and thus that we own the fscap. */ | 0 = from_kuid(0:10000000:65536 /* caller's idmapping */, 10000000); | } | -> vfs_getxattr_alloc() | -> handler->get == ovl_other_xattr_get() | |-> vfs_getxattr() | -> xattr_getsecurity() | -> security_inode_getsecurity() | -> cap_inode_getsecurity() | { | 0 = make_kuid(0:0:4k /* lower s_user_ns */, 0); | 10000000 = mapped_kuid_fs(0:10000000:65536 /* idmapped mount */, 0); | 0 = from_kuid(0:10000000:65536 /* overlayfs idmapping */, 10000000); | |____________________________________________________________________| } -> vfs_getxattr_alloc() -> handler->get == /* lower filesystem callback */ We can see how the translation happens correctly in those cases as the conversion happens within the vfs_getxattr() helper. For POSIX ACLs we need to do something similar. However, in contrast to fscaps we cannot apply the fix directly to the kernel internal posix acl data structure as this would alter the cached values and would also require a rework of how we currently deal with POSIX ACLs in general which almost never take the filesystem idmapping into account (the noteable exception being FUSE but even there the implementation is special) and instead retrieve the raw values based on the initial idmapping. The correct values are then generated right before returning to userspace. The fix for this is to move taking the mount's idmapping into account directly in vfs_getxattr() instead of having it be part of posix_acl_fix_xattr_to_user(). To this end we simply move the idmapped mount translation into a separate step performed in vfs_{g,s}etxattr() instead of in posix_acl_fix_xattr_{from,to}_user(). To see how this fixes things let's go back to the original example. Assume the user chose option (1) and mounted overlayfs on top of idmapped mounts on the host: idmapped mount /vol/contpool/merge: 0:10000000:65536 caller's idmapping: 0:10000000:65536 overlayfs idmapping (ofs->creator_cred): 0:0:4k /* initial idmapping */ sys_getxattr() -> path_getxattr() -> getxattr() -> do_getxattr() |> vfs_getxattr() | |> __vfs_getxattr() | | -> handler->get == ovl_posix_acl_xattr_get() | | -> ovl_xattr_get() | | -> vfs_getxattr() | | |> __vfs_getxattr() | | | -> handler->get() /* lower filesystem callback */ | | |> posix_acl_getxattr_idmapped_mnt() | | { | | 4 = make_kuid(&init_user_ns, 4); | | 10000004 = mapped_kuid_fs(0:10000000:65536 /* lower idmapped mount */, 4); | | 10000004 = from_kuid(&init_user_ns, 10000004); | | |_______________________ | | } | | | | | |> posix_acl_getxattr_idmapped_mnt() | | { | | V | 10000004 = make_kuid(&init_user_ns, 10000004); | 10000004 = mapped_kuid_fs(&init_user_ns /* no idmapped mount */, 10000004); | 10000004 = from_kuid(&init_user_ns, 10000004); | } |_________________________________________________ | | | | |> posix_acl_fix_xattr_to_user() | { V 10000004 = make_kuid(0:0:4k /* init_user_ns */, 10000004); /* SUCCESS */ 4 = from_kuid(0:10000000:65536 /* caller's idmapping */, 10000004); } And similarly if the user chooses option (1) and mounted overayfs on top of idmapped mounts inside the container: idmapped mount /vol/contpool/merge: 0:10000000:65536 caller's idmapping: 0:10000000:65536 overlayfs idmapping (ofs->creator_cred): 0:10000000:65536 sys_getxattr() -> path_getxattr() -> getxattr() -> do_getxattr() |> vfs_getxattr() | |> __vfs_getxattr() | | -> handler->get == ovl_posix_acl_xattr_get() | | -> ovl_xattr_get() | | -> vfs_getxattr() | | |> __vfs_getxattr() | | | -> handler->get() /* lower filesystem callback */ | | |> posix_acl_getxattr_idmapped_mnt() | | { | | 4 = make_kuid(&init_user_ns, 4); | | 10000004 = mapped_kuid_fs(0:10000000:65536 /* lower idmapped mount */, 4); | | 10000004 = from_kuid(&init_user_ns, 10000004); | | |_______________________ | | } | | | | | |> posix_acl_getxattr_idmapped_mnt() | | { V | 10000004 = make_kuid(&init_user_ns, 10000004); | 10000004 = mapped_kuid_fs(&init_user_ns /* no idmapped mount */, 10000004); | 10000004 = from_kuid(0(&init_user_ns, 10000004); | |_________________________________________________ | } | | | |> posix_acl_fix_xattr_to_user() | { V 10000004 = make_kuid(0:0:4k /* init_user_ns */, 10000004); /* SUCCESS */ 4 = from_kuid(0:10000000:65536 /* caller's idmappings */, 10000004); } The last remaining problem we need to fix here is ovl_get_acl(). During ovl_permission() overlayfs will call: ovl_permission() -> generic_permission() -> acl_permission_check() -> check_acl() -> get_acl() -> inode->i_op->get_acl() == ovl_get_acl() > get_acl() /* on the underlying filesystem) ->inode->i_op->get_acl() == /*lower filesystem callback */ -> posix_acl_permission() passing through the get_acl request to the underlying filesystem. This will retrieve the acls stored in the lower filesystem without taking the idmapping of the underlying mount into account as this would mean altering the cached values for the lower filesystem. The simple solution is to have ovl_get_acl() simply duplicate the ACLs, update the values according to the idmapped mount and return it to acl_permission_check() so it can be used in posix_acl_permission(). Since overlayfs doesn't cache ACLs they'll be released right after. Link: https://github.com/brauner/mount-idmapped/issues/9 Cc: Seth Forshee Cc: Amir Goldstein Cc: Vivek Goyal Cc: Christoph Hellwig Cc: Aleksa Sarai Cc: linux-unionfs@vger.kernel.org Signed-off-by: Christian Brauner (Microsoft) Fixes: bc70682a497c ("ovl: support idmapped layers") Signed-off-by: Miklos Szeredi commit a501ab75e7624d133a5a3c7ec010687c8b961d23 Author: Jiri Slaby Date: Thu Jul 7 10:25:58 2022 +0200 tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() There is a race in pty_write(). pty_write() can be called in parallel with e.g. ioctl(TIOCSTI) or ioctl(TCXONC) which also inserts chars to the buffer. Provided, tty_flip_buffer_push() in pty_write() is called outside the lock, it can commit inconsistent tail. This can lead to out of bounds writes and other issues. See the Link below. To fix this, we have to introduce a new helper called tty_insert_flip_string_and_push_buffer(). It does both tty_insert_flip_string() and tty_flip_buffer_commit() under the port lock. It also calls queue_work(), but outside the lock. See 71a174b39f10 (pty: do tty_flip_buffer_push without port->lock in pty_write) for the reasons. Keep the helper internal-only (in drivers' tty.h). It is not intended to be used widely. Link: https://seclists.org/oss-sec/2022/q2/155 Fixes: 71a174b39f10 (pty: do tty_flip_buffer_push without port->lock in pty_write) Cc: 一只狗 Cc: Dan Carpenter Suggested-by: Hillf Danton Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20220707082558.9250-2-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit 716b10580283fda66f2b88140e3964f8a7f9da89 Author: Jiri Slaby Date: Thu Jul 7 10:25:57 2022 +0200 tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() We will need this new helper in the next patch. Cc: Hillf Danton Cc: 一只狗 Cc: Dan Carpenter Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20220707082558.9250-1-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman commit bb160ee61c04fe96f3cc0088ef1907214861dccc Author: Darren Stevens Date: Sat Jul 2 22:03:55 2022 +0100 drivers/usb/host/ehci-fsl: Fix interrupt setup in host mode. In patch a1a2b7125e10 (Drop static setup of IRQ resource from DT core) we stopped platform_get_resource() from returning the IRQ, as all drivers were supposed to have switched to platform_get_irq() Unfortunately the Freescale EHCI driver in host mode got missed. Fix it. Fixes: a1a2b7125e10 ("of/platform: Drop static setup of IRQ resource from DT core") Reported-by: Christian Zigotzky Suggested-by: Rob Herring Tested-by: Christian Zigotzky Acked-by: Rob Herring Acked-by: Alan Stern Signed-off-by: Darren Stevens Link: https://lore.kernel.org/r/20220702220355.63b36fb8@Cyrus.lan Signed-off-by: Greg Kroah-Hartman commit 3d0dc539029b09fbd125444c16b11a8ed10b9d0f Author: Michael Grzeschik Date: Thu Jul 7 13:56:12 2022 +0200 usb: gadget: uvc: fix changing interface name via configfs When setting the function name, it is always truncated by one char since snprintf is always including the null-termination in the len parameter. We use strscpy and fix the size setting to use len + 1 instead. Fixes: 324e4f85070f ("usb: gadget: uvc: allow changing interface name via configfs") Signed-off-by: Michael Grzeschik Link: https://lore.kernel.org/r/20220707115612.2760569-1-m.grzeschik@pengutronix.de Signed-off-by: Greg Kroah-Hartman commit 6fb9e1d94789e8ee5a258a23bc588693f743fd6c Author: Linyu Yuan Date: Fri Jul 1 16:08:54 2022 +0800 usb: typec: add missing uevent when partner support PD System like Android allow user control power role from UI, it is possible to implement application base on typec uevent to refresh UI, but found there is chance that UI show different state from typec attribute file. In typec_set_pwr_opmode(), when partner support PD, there is no uevent send to user space which cause the problem. Fix it by sending uevent notification when change power mode to PD. Fixes: bdecb33af34f ("usb: typec: API for controlling USB Type-C Multiplexers") Cc: stable@vger.kernel.org Signed-off-by: Linyu Yuan Link: https://lore.kernel.org/r/1656662934-10226-1-git-send-email-quic_linyyuan@quicinc.com Signed-off-by: Greg Kroah-Hartman commit 925b6e59138cefa47275c67891c65d48d3266d57 Author: Arunpravin Paneer Selvam Date: Fri Jul 8 02:30:47 2022 -0700 Revert "drm/amdgpu: add drm buddy support to amdgpu" This reverts commit c9cad937c0c58618fe5b0310fd539a854dc1ae95. This is part of a revert of the following commits: commit 708d19d9f362 ("drm/amdgpu: move internal vram_mgr function into the C file") commit 5e3f1e7729ec ("drm/amdgpu: fix start calculation in amdgpu_vram_mgr_new") commit c9cad937c0c5 ("drm/amdgpu: add drm buddy support to amdgpu") [WHY] Few users reported garbaged graphics as soon as x starts, reverting until this can be resolved. Signed-off-by: Arunpravin Paneer Selvam Link: https://patchwork.freedesktop.org/patch/msgid/20220708093047.492662-3-Arunpravin.PaneerSelvam@amd.com Reviewed-by: Christian König Signed-off-by: Christian König commit 32b3ad1418ea53184ab7d652f13b5d66414d1bba Merge: 820b8963adaea 73318c4b7dbd0 Author: David S. Miller Date: Fri Jul 8 12:10:34 2022 +0100 Merge branch 'sysctl-data-races' Kuniyuki Iwashima says: ==================== sysctl: Fix data-races around ipv4_table. A sysctl variable is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing. The first half of this series changes some proc handlers used in ipv4_table to use READ_ONCE() and WRITE_ONCE() internally to fix data-races on the sysctl side. Then, the second half adds READ_ONCE() to the other readers of ipv4_table. Changes: v2: * Drop some changes that makes backporting difficult * First cleanup patch * Lockless helpers and .proc_handler changes * Drop the tracing part for .sysctl_mem * Steve already posted a fix * Drop int-to-bool change for cipso * Should be posted to net-next later * Drop proc_dobool() change * Can be included in another series v1: https://lore.kernel.org/netdev/20220706052130.16368-1-kuniyu@amazon.com/ ==================== Signed-off-by: David S. Miller commit 73318c4b7dbd0e781aaababff17376b2894745c0 Author: Kuniyuki Iwashima Date: Wed Jul 6 16:40:03 2022 -0700 ipv4: Fix a data-race around sysctl_fib_sync_mem. While reading sysctl_fib_sync_mem, it can be changed concurrently. So, we need to add READ_ONCE() to avoid a data-race. Fixes: 9ab948a91b2c ("ipv4: Allow amount of dirty memory from fib resizing to be controllable") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 48d7ee321ea5182c6a70782aa186422a70e67e22 Author: Kuniyuki Iwashima Date: Wed Jul 6 16:40:02 2022 -0700 icmp: Fix data-races around sysctl. While reading icmp sysctl variables, they can be changed concurrently. So, we need to add READ_ONCE() to avoid data-races. Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit dd44f04b9214adb68ef5684ae87a81ba03632250 Author: Kuniyuki Iwashima Date: Wed Jul 6 16:40:01 2022 -0700 cipso: Fix data-races around sysctl. While reading cipso sysctl variables, they can be changed concurrently. So, we need to add READ_ONCE() to avoid data-races. Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine") Signed-off-by: Kuniyuki Iwashima Acked-by: Paul Moore Signed-off-by: David S. Miller commit 310731e2f1611d1d13aae237abcf8e66d33345d5 Author: Kuniyuki Iwashima Date: Wed Jul 6 16:40:00 2022 -0700 net: Fix data-races around sysctl_mem. While reading .sysctl_mem, it can be changed concurrently. So, we need to add READ_ONCE() to avoid data-races. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 3d32edf1f3c38d3301f6434e56316f293466d7fb Author: Kuniyuki Iwashima Date: Wed Jul 6 16:39:59 2022 -0700 inetpeer: Fix data-races around sysctl. While reading inetpeer sysctl variables, they can be changed concurrently. So, we need to add READ_ONCE() to avoid data-races. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 47e6ab24e8c6e3ca10ceb5835413f401f90de4bf Author: Kuniyuki Iwashima Date: Wed Jul 6 16:39:58 2022 -0700 tcp: Fix a data-race around sysctl_tcp_max_orphans. While reading sysctl_tcp_max_orphans, it can be changed concurrently. So, we need to add READ_ONCE() to avoid a data-race. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit e877820877663fbae8cb9582ea597a7230b94df3 Author: Kuniyuki Iwashima Date: Wed Jul 6 16:39:57 2022 -0700 sysctl: Fix data races in proc_dointvec_jiffies(). A sysctl variable is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing. This patch changes proc_dointvec_jiffies() to use READ_ONCE() and WRITE_ONCE() internally to fix data-races on the sysctl side. For now, proc_dointvec_jiffies() itself is tolerant to a data-race, but we still need to add annotations on the other subsystem's side. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit c31bcc8fb89fc2812663900589c6325ba35d9a65 Author: Kuniyuki Iwashima Date: Wed Jul 6 16:39:56 2022 -0700 sysctl: Fix data races in proc_doulongvec_minmax(). A sysctl variable is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing. This patch changes proc_doulongvec_minmax() to use READ_ONCE() and WRITE_ONCE() internally to fix data-races on the sysctl side. For now, proc_doulongvec_minmax() itself is tolerant to a data-race, but we still need to add annotations on the other subsystem's side. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 2d3b559df3ed39258737789aae2ae7973d205bc1 Author: Kuniyuki Iwashima Date: Wed Jul 6 16:39:55 2022 -0700 sysctl: Fix data races in proc_douintvec_minmax(). A sysctl variable is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing. This patch changes proc_douintvec_minmax() to use READ_ONCE() and WRITE_ONCE() internally to fix data-races on the sysctl side. For now, proc_douintvec_minmax() itself is tolerant to a data-race, but we still need to add annotations on the other subsystem's side. Fixes: 61d9b56a8920 ("sysctl: add unsigned int range support") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit f613d86d014b6375a4085901de39406598121e35 Author: Kuniyuki Iwashima Date: Wed Jul 6 16:39:54 2022 -0700 sysctl: Fix data races in proc_dointvec_minmax(). A sysctl variable is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing. This patch changes proc_dointvec_minmax() to use READ_ONCE() and WRITE_ONCE() internally to fix data-races on the sysctl side. For now, proc_dointvec_minmax() itself is tolerant to a data-race, but we still need to add annotations on the other subsystem's side. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 4762b532ec9539755aab61445d5da6e1926ccb99 Author: Kuniyuki Iwashima Date: Wed Jul 6 16:39:53 2022 -0700 sysctl: Fix data races in proc_douintvec(). A sysctl variable is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing. This patch changes proc_douintvec() to use READ_ONCE() and WRITE_ONCE() internally to fix data-races on the sysctl side. For now, proc_douintvec() itself is tolerant to a data-race, but we still need to add annotations on the other subsystem's side. Fixes: e7d316a02f68 ("sysctl: handle error writing UINT_MAX to u32 fields") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 1f1be04b4d48a2475ea1aab46a99221bfc5c0968 Author: Kuniyuki Iwashima Date: Wed Jul 6 16:39:52 2022 -0700 sysctl: Fix data races in proc_dointvec(). A sysctl variable is accessed concurrently, and there is always a chance of data-race. So, all readers and writers need some basic protection to avoid load/store-tearing. This patch changes proc_dointvec() to use READ_ONCE() and WRITE_ONCE() internally to fix data-races on the sysctl side. For now, proc_dointvec() itself is tolerant to a data-race, but we still need to add annotations on the other subsystem's side. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 820b8963adaea34a87abbecb906d1f54c0aabfb7 Author: Steven Rostedt (Google) Date: Wed Jul 6 10:50:40 2022 -0400 net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer The trace event sock_exceed_buf_limit saves the prot->sysctl_mem pointer and then dereferences it in the TP_printk() portion. This is unsafe as the TP_printk() portion is executed at the time the buffer is read. That is, it can be seconds, minutes, days, months, even years later. If the proto is freed, then this dereference will can also lead to a kernel crash. Instead, save the sysctl_mem array into the ring buffer and have the TP_printk() reference that instead. This is the proper and safe way to read pointers in trace events. Link: https://lore.kernel.org/all/20220706052130.16368-12-kuniyu@amazon.com/ Cc: stable@vger.kernel.org Fixes: 3847ce32aea9f ("core: add tracepoints for queueing skb to rcvbuf") Signed-off-by: Steven Rostedt (Google) Acked-by: Kuniyuki Iwashima Signed-off-by: David S. Miller commit 2259da159fbe5dba8ac00b560cf00b6a6537fa18 Author: Thadeu Lima de Souza Cascardo Date: Thu Jul 7 13:41:52 2022 -0300 x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported There are some VM configurations which have Skylake model but do not support IBPB. In those cases, when using retbleed=ibpb, userspace is going to be killed and kernel is going to panic. If the CPU does not support IBPB, warn and proceed with the auto option. Also, do not fallback to IBPB on AMD/Hygon systems if it is not supported. Fixes: 3ebc17006888 ("x86/bugs: Add retbleed=ibpb") Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Borislav Petkov commit f8d3da4ef8faf027261e06b7864583930dd7c7b9 Author: Joanne Koong Date: Wed Jul 6 16:25:47 2022 -0700 bpf: Add flags arg to bpf_dynptr_read and bpf_dynptr_write APIs Commit 13bbbfbea759 ("bpf: Add bpf_dynptr_read and bpf_dynptr_write") added the bpf_dynptr_write() and bpf_dynptr_read() APIs. However, it will be needed for some dynptr types to pass in flags as well (e.g. when writing to a skb, the user may like to invalidate the hash or recompute the checksum). This patch adds a "u64 flags" arg to the bpf_dynptr_read() and bpf_dynptr_write() APIs before their UAPI signature freezes where we then cannot change them anymore with a 5.19.x released kernel. Fixes: 13bbbfbea759 ("bpf: Add bpf_dynptr_read and bpf_dynptr_write") Signed-off-by: Joanne Koong Signed-off-by: Alexei Starovoitov Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/r/20220706232547.4016651-1-joannelkoong@gmail.com commit e5ce073c8a1e01b215a5eb32ba48f8d17ded3bd5 Author: Marc Kleine-Budde Date: Mon Jun 6 13:43:53 2022 +0200 tee: tee_get_drvdata(): fix description of return value This patch fixes the description of tee_get_drvdata()'s return value. It actually returns the driver_data pointer supplied to tee_device_alloc() since the TEE subsystem was added to the kernel. Fixes: 967c9cca2cc5 ("tee: generic TEE subsystem") Cc: Jens Wiklander Signed-off-by: Marc Kleine-Budde Signed-off-by: Jens Wiklander commit b66527ee98d0e12fbf570d394fbea2be4ef1229e Author: Jiang Jian Date: Wed Jun 22 00:16:48 2022 +0800 optee: Remove duplicate 'of' in two places. file: ./drivers/tee/optee/optee_smc.h line: 192 * a2 Size of of SHM chanegd to * a2 Size of SHM Signed-off-by: Jiang Jian Signed-off-by: Jens Wiklander commit 86c43ea071ae9988b52fd0f654de439da4b5c20a Author: Michael Walle Date: Mon Jul 4 17:08:08 2022 +0200 ARM: dts: kswitch-d10: use open drain mode for coma-mode pins The driver use the coma-mode pins as open-drain. Flag them in the device tree accordingly. This avoids the following error: [ 14.114180] gpio-2007 (coma-mode): enforced open drain please flag it properly in DT/ACPI DSDT/board file Fixes: 46a9556d977e ("ARM: dts: kswitch-d10: enable networking") Signed-off-by: Michael Walle Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20220704150808.1104295-1-michael@walle.cc commit 6177a50fd32c6fd956c7265bc5297e725d221bfc Author: Max Krummenacher Date: Tue Jul 5 10:58:24 2022 +0200 ARM: dts: colibri-imx6ull: fix snvs pinmux group A pin controlled by the iomuxc-snvs pin controller must be specified under the dtb's iomuxc-snvs node. Move the one and only pin of that category from the iomuxc node and set the pinctrl-0 using it accordingly. Fixes: 2aa9d6201949 ("ARM: dts: imx6ull-colibri: add touchscreen device nodes") Signed-off-by: Max Krummenacher Signed-off-by: Shawn Guo commit d4fac258d971bead9a6b5c5ebe2f0e415d05d110 Author: Yang Yingliang Date: Tue Jun 28 14:52:16 2022 +0800 optee: smc_abi.c: fix wrong pointer passed to IS_ERR/PTR_ERR() In optee_smc_do_call_with_arg() there is a code path when the argument struct for RPC is passed appended to the primary argument struct. When the address of the RPC struct is retrieved there's an invalid check for success. It should be 'rpc_arg' pass to IS_ERR/PTR_ERR(). Fixes: ed8faf6c8f8c ("optee: add OPTEE_SMC_CALL_WITH_RPC_ARG and OPTEE_SMC_CALL_WITH_REGD_ARG") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang [jw: added background to the problem] Signed-off-by: Jens Wiklander commit c51b8f85c4157eb91c2f4ab34b0c52fea642e77c Author: Joerg Roedel Date: Wed Jul 6 12:33:31 2022 +0200 MAINTAINERS: Remove iommu@lists.linux-foundation.org The IOMMU mailing list has moved to iommu@lists.linux.dev and the old list should bounce by now. Remove it from the MAINTAINERS file. Cc: stable@vger.kernel.org Signed-off-by: Joerg Roedel Link: https://lore.kernel.org/r/20220706103331.10215-1-joro@8bytes.org commit a902fa8eccaf9ace2886e02aaf75d550996d077b Merge: 2058dc831ff82 a57f68ddc8865 Author: Arnd Bergmann Date: Fri Jul 8 09:10:26 2022 +0200 Merge tag 'reset-fixes-for-v5.19' of git://git.pengutronix.de/pza/linux into arm/fixes Reset controller fixes for v5.19 Fix the MAINTAINERS entry for the Synopsys AXS10x reset controller driver, which still points to a nonexistent .txt file after the device tree binding .yaml conversion. Also, fix the devm_reset_control_bulk_get_optional_exclusive() call, which was defective since its introduction due to a copy & paste error. * tag 'reset-fixes-for-v5.19' of git://git.pengutronix.de/pza/linux: reset: Fix devm bulk optional exclusive control getter MAINTAINERS: rectify entry for SYNOPSYS AXS10x RESET CONTROLLER DRIVER Link: https://lore.kernel.org/r/20220707101344.3329314-1-p.zabel@pengutronix.de Signed-off-by: Arnd Bergmann commit 2058dc831ff82eb8e93e882efd1ca964bd8a74c8 Author: Conor Dooley Date: Thu Jul 7 15:20:42 2022 +0100 MAINTAINERS: add polarfire rng, pci and clock drivers Hardware random, PCI and clock drivers for the PolarFire SoC have been upstreamed but are not covered by the MAINTAINERS entry, so add them. Daire is the author of the clock & PCI drivers, so add him as a maintainer in place of Lewis. Signed-off-by: Conor Dooley Acked-by: Bjorn Helgaas Acked-by: Stephen Boyd Link: https://lore.kernel.org/r/20220707142041.4096246-1-conor.dooley@microchip.com' Signed-off-by: Arnd Bergmann commit dc5cb7a833e83a0d51373ba7d96e2ed8e1890944 Author: Heiko Stuebner Date: Wed Jun 8 14:08:49 2022 +0200 riscv: don't warn for sifive erratas in modules The SiFive errata code contains code checking applicable erratas vs. actually applied erratas to suggest missing erratas to the user when their Kconfig options are not enabled. In the main kernel image one can be quite sure that all available erratas appear at least once, so that check will succeed. On the other hand modules can very well not use any errata-relevant code, so the newly added module-alternative support may also patch the module code, but not touch SiFive-specific erratas at all. So to restore the original behaviour don't warn when patching modules. This will keep the warning if necessary for the main kernel image but prevent spurious warnings for modules. Of course having such a vendor-specific warning may not be needed at all, as CONFIG_ERRATA_SIFIVE is selected by CONFIG_SOC_SIFIVE and the individual erratas are default-y so disabling them requires deliberate action anyway. But for now just restore the old behaviour. Fixes: a8e910168bba ("riscv: implement module alternatives") Reported-by: Ron Economos Signed-off-by: Heiko Stuebner Tested-by: Ron Economos Link: https://lore.kernel.org/r/20220608120849.1695191-1-heiko@sntech.de Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt commit f46fd3d7c3bd5d7bd5bb664135cf32ca9e97190b Author: Pavel Skripkin Date: Wed Jul 6 16:28:45 2022 +0300 net: ocelot: fix wrong time_after usage Accidentally noticed, that this driver is the only user of while (time_after(jiffies...)). It looks like typo, because likely this while loop will finish after 1st iteration, because time_after() returns true when 1st argument _is after_ 2nd one. There is one possible problem with this poll loop: the scheduler could put the thread to sleep, and it does not get woken up for OCELOT_FDMA_CH_SAFE_TIMEOUT_US. During that time, the hardware has done its thing, but you exit the while loop and return -ETIMEDOUT. Fix it by using sane poll API that avoids all problems described above Fixes: 753a026cfec1 ("net: ocelot: add FDMA support") Suggested-by: Andrew Lunn Signed-off-by: Pavel Skripkin Reviewed-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220706132845.27968-1-paskripkin@gmail.com Signed-off-by: Jakub Kicinski commit fe5235aef8558573c1d225199be3aaa7bcd22943 Merge: 0680e20af5fbf 5b759bf2f9d73 Author: Jakub Kicinski Date: Thu Jul 7 17:44:45 2022 -0700 Merge tag 'mlx5-fixes-2022-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== mlx5 fixes 2022-07-06 This series provides bug fixes to mlx5 driver. * tag 'mlx5-fixes-2022-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux: net/mlx5e: Ring the TX doorbell on DMA errors net/mlx5e: Fix capability check for updating vnic env counters net/mlx5e: CT: Use own workqueue instead of mlx5e priv net/mlx5: Lag, correct get the port select mode str net/mlx5e: Fix enabling sriov while tc nic rules are offloaded net/mlx5e: kTLS, Fix build time constant test in RX net/mlx5e: kTLS, Fix build time constant test in TX net/mlx5: Lag, decouple FDB selection and shared FDB net/mlx5: TC, allow offload from uplink to other PF's VF ==================== Link: https://lore.kernel.org/r/20220706231309.38579-1-saeed@kernel.org Signed-off-by: Jakub Kicinski commit 0680e20af5fbf41df8a11b11bd9a7c25b2ca0746 Author: Siddharth Vadapalli Date: Wed Jul 6 12:32:08 2022 +0530 net: ethernet: ti: am65-cpsw: Fix devlink port register sequence Renaming interfaces using udevd depends on the interface being registered before its netdev is registered. Otherwise, udevd reads an empty phys_port_name value, resulting in the interface not being renamed. Fix this by registering the interface before registering its netdev by invoking am65_cpsw_nuss_register_devlink() before invoking register_netdev() for the interface. Move the function call to devlink_port_type_eth_set(), invoking it after register_netdev() is invoked, to ensure that netlink notification for the port state change is generated after the netdev is completely initialized. Fixes: 58356eb31d60 ("net: ti: am65-cpsw-nuss: Add devlink support") Signed-off-by: Siddharth Vadapalli Link: https://lore.kernel.org/r/20220706070208.12207-1-s-vadapalli@ti.com Signed-off-by: Jakub Kicinski commit 029c1c2059e9c4b38f97a06204cdecd10cfbeb8a Author: Jon Hunter Date: Wed Jul 6 09:39:13 2022 +0100 net: stmmac: dwc-qos: Disable split header for Tegra194 There is a long-standing issue with the Synopsys DWC Ethernet driver for Tegra194 where random system crashes have been observed [0]. The problem occurs when the split header feature is enabled in the stmmac driver. In the bad case, a larger than expected buffer length is received and causes the calculation of the total buffer length to overflow. This results in a very large buffer length that causes the kernel to crash. Why this larger buffer length is received is not clear, however, the feedback from the NVIDIA design team is that the split header feature is not supported for Tegra194. Therefore, disable split header support for Tegra194 to prevent these random crashes from occurring. [0] https://lore.kernel.org/linux-tegra/b0b17697-f23e-8fa5-3757-604a86f3a095@nvidia.com/ Fixes: 67afd6d1cfdf ("net: stmmac: Add Split Header support and enable it in XGMAC cores") Signed-off-by: Jon Hunter Link: https://lore.kernel.org/r/20220706083913.13750-1-jonathanh@nvidia.com Signed-off-by: Jakub Kicinski commit 6b0de7d0f3285df849be2b3cc94fc3a0a31987bf Merge: f3163d8567adb 5c629dc9609dc Author: Jens Axboe Date: Thu Jul 7 17:38:19 2022 -0600 Merge tag 'nvme-5.19-2022-07-07' of git://git.infradead.org/nvme into block-5.19 Pull NVMe fixes from Christoph: "nvme fixes for Linux 5.19 - another bogus identifier quirk (Keith Busch) - use struct group in the tracer to avoid a gcc warning (Keith Busch)" * tag 'nvme-5.19-2022-07-07' of git://git.infradead.org/nvme: nvme: use struct group for generic command dwords nvme-pci: phison e16 has bogus namespace ids commit bdb2c48e4b38e6dbe82533b437468999ba3ae498 Author: Pavel Begunkov Date: Thu Jul 7 15:00:38 2022 +0100 io_uring: explicit sqe padding for ioctl commands 32 bit sqe->cmd_op is an union with 64 bit values. It's always a good idea to do padding explicitly. Also zero check it in prep, so it can be used in the future if needed without compatibility concerns. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/e6b95a05e970af79000435166185e85b196b2ba2.1657202417.git.asml.silence@gmail.com [axboe: turn bitwise OR into logical variant] Signed-off-by: Jens Axboe commit 3501f0c663063513ad604fb1b3f06af637d3396d Author: Satish Nagireddy Date: Tue Jun 28 12:12:16 2022 -0700 i2c: cadence: Unregister the clk notifier in error path This patch ensures that the clock notifier is unregistered when driver probe is returning error. Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller") Signed-off-by: Satish Nagireddy Tested-by: Lars-Peter Clausen Reviewed-by: Michal Simek Signed-off-by: Wolfram Sang commit ccd3f449052449a917a3e577d8ba0368f43b8f29 Author: Mike Christie Date: Mon Jun 27 21:23:25 2022 -0500 scsi: target: Fix WRITE_SAME No Data Buffer crash In newer version of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sg_write_same --ndob" we will crash in target_core_iblock/file's execute_write_same handlers when we go to access the se_cmd->t_data_sg because its NULL. This patch adds a check for the NDOB bit in the common WRITE SAME code because we don't support it. And, it adds a check for zero SG elements in each handler in case the initiator tries to send a normal WRITE SAME with no data buffer. Link: https://lore.kernel.org/r/20220628022325.14627-2-michael.christie@oracle.com Reviewed-by: Christoph Hellwig Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen commit ba7c3507087aaf98bbeab04a62251bf63c6348c1 Merge: 88084a3df1672 c8934e4e34891 Author: Rafael J. Wysocki Date: Thu Jul 7 21:46:05 2022 +0200 Merge tag 'devfreq-fixes-for-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/chanwoo/linux Pull a devfreq fix for 5.19-rc6 from Chanwoo Choi: "- Fix exynos-bus NULL pointer dereference by correctly using the local generated freq_table to output the debug values instead of using the profile freq_table that is not used in the driver." * tag 'devfreq-fixes-for-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/chanwoo/linux: PM / devfreq: exynos-bus: Fix NULL pointer dereference commit c8934e4e348915caac54085c01fd9d04fa16134a Author: Christian Marangi Date: Fri Jul 1 15:31:26 2022 +0200 PM / devfreq: exynos-bus: Fix NULL pointer dereference Fix exynos-bus NULL pointer dereference by correctly using the local generated freq_table to output the debug values instead of using the profile freq_table that is not used in the driver. Reported-by: Marek Szyprowski Tested-by: Marek Szyprowski Fixes: b5d281f6c16d ("PM / devfreq: Rework freq_table to be local to devfreq struct") Cc: stable@vger.kernel.org Signed-off-by: Christian Marangi Acked-by: Chanwoo Choi Signed-off-by: Chanwoo Choi commit 0ed8f619b412b52360ccdfaf997223ccd9319569 Author: Florian Westphal Date: Wed Jul 6 16:50:04 2022 +0200 netfilter: conntrack: fix crash due to confirmed bit load reordering Kajetan Puchalski reports crash on ARM, with backtrace of: __nf_ct_delete_from_lists nf_ct_delete early_drop __nf_conntrack_alloc Unlike atomic_inc_not_zero, refcount_inc_not_zero is not a full barrier. conntrack uses SLAB_TYPESAFE_BY_RCU, i.e. it is possible that a 'newly' allocated object is still in use on another CPU: CPU1 CPU2 encounter 'ct' during hlist walk delete_from_lists refcount drops to 0 kmem_cache_free(ct); __nf_conntrack_alloc() // returns same object refcount_inc_not_zero(ct); /* might fail */ /* If set, ct is public/in the hash table */ test_bit(IPS_CONFIRMED_BIT, &ct->status); In case CPU1 already set refcount back to 1, refcount_inc_not_zero() will succeed. The expected possibilities for a CPU that obtained the object 'ct' (but no reference so far) are: 1. refcount_inc_not_zero() fails. CPU2 ignores the object and moves to the next entry in the list. This happens for objects that are about to be free'd, that have been free'd, or that have been reallocated by __nf_conntrack_alloc(), but where the refcount has not been increased back to 1 yet. 2. refcount_inc_not_zero() succeeds. CPU2 checks the CONFIRMED bit in ct->status. If set, the object is public/in the table. If not, the object must be skipped; CPU2 calls nf_ct_put() to un-do the refcount increment and moves to the next object. Parallel deletion from the hlists is prevented by a 'test_and_set_bit(IPS_DYING_BIT, &ct->status);' check, i.e. only one cpu will do the unlink, the other one will only drop its reference count. Because refcount_inc_not_zero is not a full barrier, CPU2 may try to delete an object that is not on any list: 1. refcount_inc_not_zero() successful (refcount inited to 1 on other CPU) 2. CONFIRMED test also successful (load was reordered or zeroing of ct->status not yet visible) 3. delete_from_lists unlinks entry not on the hlist, because IPS_DYING_BIT is 0 (already cleared). 2) is already wrong: CPU2 will handle a partially initited object that is supposed to be private to CPU1. Add needed barriers when refcount_inc_not_zero() is successful. It also inserts a smp_wmb() before the refcount is set to 1 during allocation. Because other CPU might still see the object, refcount_set(1) "resurrects" it, so we need to make sure that other CPUs will also observe the right content. In particular, the CONFIRMED bit test must only pass once the object is fully initialised and either in the hash or about to be inserted (with locks held to delay possible unlink from early_drop or gc worker). I did not change flow_offload_alloc(), as far as I can see it should call refcount_inc(), not refcount_inc_not_zero(): the ct object is attached to the skb so its refcount should be >= 1 in all cases. v2: prefer smp_acquire__after_ctrl_dep to smp_rmb (Will Deacon). v3: keep smp_acquire__after_ctrl_dep close to refcount_inc_not_zero call add comment in nf_conntrack_netlink, no control dependency there due to locks. Cc: Peter Zijlstra Link: https://lore.kernel.org/all/Yr7WTfd6AVTQkLjI@e126311.manchester.arm.com/ Reported-by: Kajetan Puchalski Diagnosed-by: Will Deacon Fixes: 719774377622 ("netfilter: conntrack: convert to refcount_t api") Signed-off-by: Florian Westphal Acked-by: Will Deacon commit 0326195f523a549e0a9d7fd44c70b26fd7265090 Author: Eric Dumazet Date: Thu Jul 7 12:39:00 2022 +0000 bpf: Make sure mac_header was set before using it Classic BPF has a way to load bytes starting from the mac header. Some skbs do not have a mac header, and skb_mac_header() in this case is returning a pointer that 65535 bytes after skb->head. Existing range check in bpf_internal_load_pointer_neg_helper() was properly kicking and no illegal access was happening. New sanity check in skb_mac_header() is firing, so we need to avoid it. WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 skb_mac_header include/linux/skbuff.h:2785 [inline] WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74 Modules linked in: CPU: 1 PID: 28990 Comm: syz-executor.0 Not tainted 5.19.0-rc4-syzkaller-00865-g4874fb9484be #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 RIP: 0010:skb_mac_header include/linux/skbuff.h:2785 [inline] RIP: 0010:bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74 Code: ff ff 45 31 f6 e9 5a ff ff ff e8 aa 27 40 00 e9 3b ff ff ff e8 90 27 40 00 e9 df fe ff ff e8 86 27 40 00 eb 9e e8 2f 2c f3 ff <0f> 0b eb b1 e8 96 27 40 00 e9 79 fe ff ff 90 41 57 41 56 41 55 41 RSP: 0018:ffffc9000309f668 EFLAGS: 00010216 RAX: 0000000000000118 RBX: ffffffffffeff00c RCX: ffffc9000e417000 RDX: 0000000000040000 RSI: ffffffff81873f21 RDI: 0000000000000003 RBP: ffff8880842878c0 R08: 0000000000000003 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000001 R12: 0000000000000004 R13: ffff88803ac56c00 R14: 000000000000ffff R15: dffffc0000000000 FS: 00007f5c88a16700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdaa9f6c058 CR3: 000000003a82c000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ____bpf_skb_load_helper_32 net/core/filter.c:276 [inline] bpf_skb_load_helper_32+0x191/0x220 net/core/filter.c:264 Fixes: f9aefd6b2aa3 ("net: warn if mac header was not set") Reported-by: syzbot Signed-off-by: Eric Dumazet Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220707123900.945305-1-edumazet@google.com commit e8a4e1c1bb697b1d9fc48f0e56dc0f50bc024bee Merge: ef4ab3ba4e4f9 f0fbe652e8529 Author: Linus Torvalds Date: Thu Jul 7 10:41:27 2022 -0700 Merge tag 'loongarch-fixes-5.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson Pull LoongArch fixes from Huacai Chen: "A fix for tinyconfig build error, a fix for section mismatch warning, and two cleanups of obsolete code" * tag 'loongarch-fixes-5.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson: LoongArch: Fix section mismatch warning LoongArch: Fix build errors for tinyconfig LoongArch: Remove obsolete mentions of vcsr LoongArch: Drop these obsolete selects in Kconfig commit ef4ab3ba4e4f99b1f3af3a7b74815f59394d822e Merge: 651a8536572ae 07266d066301b Author: Linus Torvalds Date: Thu Jul 7 10:08:20 2022 -0700 Merge tag 'net-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from bpf, netfilter, can, and bluetooth. Current release - regressions: - bluetooth: fix deadlock on hci_power_on_sync Previous releases - regressions: - sched: act_police: allow 'continue' action offload - eth: usbnet: fix memory leak in error case - eth: ibmvnic: properly dispose of all skbs during a failover Previous releases - always broken: - bpf: - fix insufficient bounds propagation from adjust_scalar_min_max_vals - clear page contiguity bit when unmapping pool - netfilter: nft_set_pipapo: release elements in clone from abort path - mptcp: netlink: issue MP_PRIO signals from userspace PMs - can: - rcar_canfd: fix data transmission failed on R-Car V3U - gs_usb: gs_usb_open/close(): fix memory leak Misc: - add Wenjia as SMC maintainer" * tag 'net-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (57 commits) wireguard: Kconfig: select CRYPTO_CHACHA_S390 crypto: s390 - do not depend on CRYPTO_HW for SIMD implementations wireguard: selftests: use microvm on x86 wireguard: selftests: always call kernel makefile wireguard: selftests: use virt machine on m68k wireguard: selftests: set fake real time in init r8169: fix accessing unset transport header net: rose: fix UAF bug caused by rose_t0timer_expiry usbnet: fix memory leak in error case Revert "tls: rx: move counting TlsDecryptErrors for sync" mptcp: update MIB_RMSUBFLOW in cmd_sf_destroy mptcp: fix local endpoint accounting selftests: mptcp: userspace PM support for MP_PRIO signals mptcp: netlink: issue MP_PRIO signals from userspace PMs mptcp: Acquire the subflow socket lock before modifying MP_PRIO flags mptcp: Avoid acquiring PM lock for subflow priority changes mptcp: fix locking in mptcp_nl_cmd_sf_destroy() net/mlx5e: Fix matchall police parameters validation net/sched: act_police: allow 'continue' action offload net: lan966x: hardcode the number of external ports ... commit 651a8536572ae0dcce608b3e6720ae844155a787 Merge: a382f8fee42ca a1d4ef1adf8bb Author: Linus Torvalds Date: Thu Jul 7 10:02:38 2022 -0700 Merge tag 'pinctrl-v5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: - Tag Intel pin control as supported in MAINTAINERS - Fix a NULL pointer exception in the Aspeed driver - Correct some NAND functions in the Sunxi A83T driver - Use the right offset for some Sunxi pins - Fix a zero base offset in the Freescale (NXP) i.MX93 - Fix the IRQ support in the STM32 driver * tag 'pinctrl-v5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: stm32: fix optional IRQ support to gpios pinctrl: imx: Add the zero base flag for imx93 pinctrl: sunxi: sunxi_pconf_set: use correct offset pinctrl: sunxi: a83t: Fix NAND function name for some pins pinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux() MAINTAINERS: Update Intel pin control to Supported commit a382f8fee42ca10c9bfce0d2352d4153f931f5dc Author: Linus Torvalds Date: Wed Jul 6 12:20:59 2022 -0700 signal handling: don't use BUG_ON() for debugging These are indeed "should not happen" situations, but it turns out recent changes made the 'task_is_stopped_or_trace()' case trigger (fix for that exists, is pending more testing), and the BUG_ON() makes it unnecessarily hard to actually debug for no good reason. It's been that way for a long time, but let's make it clear: BUG_ON() is not good for debugging, and should never be used in situations where you could just say "this shouldn't happen, but we can continue". Use WARN_ON_ONCE() instead to make sure it gets logged, and then just continue running. Instead of making the system basically unusuable because you crashed the machine while potentially holding some very core locks (eg this function is commonly called while holding 'tasklist_lock' for writing). Signed-off-by: Linus Torvalds commit fc976f5629afb4160ee77798b14a693eac903ffd Author: Peter Ujfalusi Date: Thu Jun 30 09:56:38 2022 +0300 ASoC: Intel: Skylake: Correct the handling of fmt_config flexible array The struct nhlt_format's fmt_config is a flexible array, it must not be used as normal array. When moving to the next nhlt_fmt_cfg we need to take into account the data behind the ->config.caps (indicated by ->config.size). The logic of the code also changed: it is no longer saves the _last_ fmt_cfg for all found rates. Fixes: bc2bd45b1f7f3 ("ASoC: Intel: Skylake: Parse nhlt and register clock device") Signed-off-by: Peter Ujfalusi Reviewed-by: Cezary Rojewski Link: https://lore.kernel.org/r/20220630065638.11183-3-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown commit 219af251bd1694bce1f627d238347d2eaf13de61 Author: Peter Ujfalusi Date: Thu Jun 30 09:56:37 2022 +0300 ASoC: Intel: Skylake: Correct the ssp rate discovery in skl_get_ssp_clks() The present flag is only set once when one rate has been found to be saved. This will effectively going to ignore any rate discovered at later time and based on the code, this is not the intention. Fixes: bc2bd45b1f7f3 ("ASoC: Intel: Skylake: Parse nhlt and register clock device") Signed-off-by: Peter Ujfalusi Reviewed-by: Cezary Rojewski Link: https://lore.kernel.org/r/20220630065638.11183-2-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown commit 051dade346957d5b68ad986f497835805fa7a9dd Author: Oder Chiou Date: Tue Jul 5 18:11:33 2022 +0800 ASoC: rt5640: Fix the wrong state of JD1 and JD2 The patch fixes the wrong state of JD1 and JD2 while the bst1 or bst2 is power on in the HDA JD using. Signed-off-by: Oder Chiou Reported-by: Sameer Pujar Link: https://lore.kernel.org/r/20220705101134.16792-1-oder_chiou@realtek.com Signed-off-by: Mark Brown commit c7dab6745f4288af1e45d3809bf86a3778301616 Author: Brent Lu Date: Fri Jul 1 22:15:17 2022 +0800 ASoC: Intel: sof_rt5682: fix out-of-bounds array access Starting from ADL platform we have four HDMI PCM devices which exceeds the size of sof_hdmi array. Since each sof_hdmi_pcm structure represents one HDMI PCM device, we remove the sof_hdmi array and add a new member hdmi_jack to the sof_hdmi_pcm structure to fix the out-of-bounds problem. Signed-off-by: Brent Lu Reviewed-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20220701141517.264070-1-brent.lu@intel.com Signed-off-by: Mark Brown commit df5b4aca7248dc5a5cae93f162eae0decf972e48 Author: Jianglei Nie Date: Thu Jun 30 02:25:20 2022 +0800 ASoC: qdsp6: fix potential memory leak in q6apm_get_audioreach_graph() q6apm_get_audioreach_graph() allocates a memory chunk for graph->graph with audioreach_alloc_graph_pkt(). When idr_alloc() fails, graph->graph is not released, which will lead to a memory leak. We can release the graph->graph with kfree() when idr_alloc() fails to fix the memory leak. Signed-off-by: Jianglei Nie Reviewed-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220629182520.2164409-1-niejianglei2021@163.com Signed-off-by: Mark Brown commit 1c4f29ec878bbf1cc0a1eb54ae7da5ff98e19641 Author: Hector Martin Date: Thu Jun 30 09:51:35 2022 +0200 ASoC: tas2764: Fix amp gain register offset & default The register default is 0x28 per the datasheet, and the amp gain field is supposed to be shifted left by one. With the wrong default, the ALSA controls lie about the power-up state. With the wrong shift, we get only half the gain we expect. Signed-off-by: Hector Martin Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764") Signed-off-by: Martin Povišer Link: https://lore.kernel.org/r/20220630075135.2221-4-povik+lin@cutebit.org Signed-off-by: Mark Brown commit 3e99e5697e1f7120b5abc755e8a560b22612d6ed Author: Hector Martin Date: Thu Jun 30 09:51:34 2022 +0200 ASoC: tas2764: Correct playback volume range DVC value 0xc8 is -100dB and 0xc9 is mute; this needs to map to -100.5dB as far as the dB scale is concerned. Fix that and enable the mute flag, so alsamixer correctly shows the control as <0 dB .. -100 dB, mute>. Signed-off-by: Hector Martin Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764") Signed-off-by: Martin Povišer Link: https://lore.kernel.org/r/20220630075135.2221-3-povik+lin@cutebit.org Signed-off-by: Mark Brown commit d1a10f1b48202e2d183cce144c218a211e98d906 Author: Martin Povišer Date: Thu Jun 30 09:51:33 2022 +0200 ASoC: tas2764: Fix and extend FSYNC polarity handling Fix setting of FSYNC polarity in case of LEFT_J and DSP_A/B formats. Do NOT set the SCFG field as was previously done, because that is not correct and is also in conflict with the "ASI1 Source" control which sets the same SCFG field! Also add support for explicit polarity inversion. Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764") Signed-off-by: Martin Povišer Link: https://lore.kernel.org/r/20220630075135.2221-2-povik+lin@cutebit.org Signed-off-by: Mark Brown commit cd10bb89b0d57bca98eb75e0444854a1c129a14e Author: Martin Povišer Date: Thu Jun 30 09:51:32 2022 +0200 ASoC: tas2764: Add post reset delays Make sure there is at least 1 ms delay from reset to first command as is specified in the datasheet. This is a fix similar to commit 307f31452078 ("ASoC: tas2770: Insert post reset delay"). Fixes: 827ed8a0fa50 ("ASoC: tas2764: Add the driver for the TAS2764") Signed-off-by: Martin Povišer Link: https://lore.kernel.org/r/20220630075135.2221-1-povik+lin@cutebit.org Signed-off-by: Mark Brown commit 94c65dffd4c4af052b3ea8934fbcb2fa8da276a8 Author: Bryan O'Donoghue Date: Wed Jun 29 12:40:12 2022 +0100 ASoC: dt-bindings: Fix description for msm8916 For the existing msm8916 bindings the minimum reg/reg-names is 1 not 2. Similarly the minimum interrupt/interrupt-names is 1 not 2. Fixes: f3fc4fbfa2d2 ("ASoC: dt-bindings: Add SC7280 lpass cpu bindings") Signed-off-by: Bryan O'Donoghue Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20220629114012.3282945-1-bryan.odonoghue@linaro.org Signed-off-by: Mark Brown commit 0735e400fa07a3687797f241f5b74d77a6d383c7 Author: Marek Vasut Date: Tue Jun 28 18:58:40 2022 +0200 ASoC: doc: Capitalize RESET line name Make sure all AC97 interface lines are spelled in capitals, to avoid confusing readers about where the 5th line is. Signed-off-by: Marek Vasut Cc: Mark Brown Cc: Takashi Iwai Link: https://lore.kernel.org/r/20220628165840.152235-1-marex@denx.de Signed-off-by: Mark Brown commit f99e930655f411453170a5f332e12c2d2748822e Author: Charles Keepax Date: Tue Jun 28 16:34:09 2022 +0100 ASoC: arizona: Update arizona_aif_cfg_changed to use RX_BCLK_RATE Currently the function arizona_aif_cfg_changed uses the TX_BCLK_RATE, however this register is not used on wm8998. This was not noticed as previously snd_soc_component_read did not print an error message. However, now the log gets filled with error messages, further more the test for if the LRCLK changed will return spurious results. Update the code to use the RX_BCLK_RATE register, the LRCLK parameters are written to both registers and the RX_BCLK_RATE register is used across all Arizona devices. Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20220628153409.3266932-4-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown commit 870d72ab9228575b2f005c9a23ea08787e0f63e6 Author: Charles Keepax Date: Tue Jun 28 16:34:08 2022 +0100 ASoC: cs47l92: Fix event generation for OUT1 demux cs47l92_put_demux returns the value of snd_soc_dapm_mux_update_power, which returns a 1 if a path was found for the kcontrol. This is obviously different to the expected return a 1 if the control was updated value. This results in spurious notifications to user-space. Update the handling to only return a 1 when the value is changed. Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20220628153409.3266932-3-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown commit 15b2e5d10ccf32a1a1ae7c636511e2f51320fdb5 Author: Charles Keepax Date: Tue Jun 28 16:34:07 2022 +0100 ASoC: wm8998: Fix event generation for input mux wm8998_inmux_put returns the value of snd_soc_dapm_mux_update_power, which returns a 1 if a path was found for the kcontrol. This is obviously different to the expected return a 1 if the control was updated value. This results in spurious notifications to user-space. Update the handling to only return a 1 when the value is changed. Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20220628153409.3266932-2-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown commit 71b5ab96ffe6589abe7a2e302b83f7a426ebe099 Author: Charles Keepax Date: Tue Jun 28 16:34:06 2022 +0100 ASoC: wm5102: Fix event generation for output compensation The output compensation controls always returns zero regardless of if the control value was updated. This results in missing notifications to user-space of the control change. Update the handling to return 1 when the value is changed. Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20220628153409.3266932-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown commit a5d6d28e2ea38dff017cb562dfbe0259d093a851 Author: Yassine Oudjana Date: Wed Jun 22 10:17:45 2022 +0400 ASoC: wcd9335: Use int array instead of bitmask for TX mixers Currently slim_tx_mixer_get reports all TX mixers as enabled when at least one is, due to it reading the entire tx_port_value bitmask without testing the specific bit corresponding to a TX port. Furthermore, using the same bitmask for all capture DAIs makes setting one mixer affect them all. To prevent this, and since the SLIM TX muxes effectively only connect to one of the mixers at a time, turn tx_port_value into an int array storing the DAI index each of the ports is connected to. Signed-off-by: Yassine Oudjana Link: https://lore.kernel.org/r/20220622061745.35399-1-y.oudjana@protonmail.com Signed-off-by: Mark Brown commit 7d90c8e6396ba245da16bedd789df6d669375408 Author: Sascha Hauer Date: Fri Jun 24 12:57:16 2022 +0200 ASoC: tlv320adcx140: Fix tx_mask check The tx_mask check doesn't reflect what the driver and the chip support. The check currently checks for exactly two slots being enabled. The tlv320adcx140 supports anything between one and eight channels, so relax the check accordingly. The tlv320adcx140 supports arbitrary tx_mask settings, but the driver currently only supports adjacent slots beginning with the first slot, so extend the check to check that the first slot is being used and that there are no holes in the tx_mask. Leave a comment to make it's the driver that limits the tx_mask settings, not the chip itself. While at it remove the set-but-unused struct adcx140p_priv::tdm_delay field. Signed-off-by: Sascha Hauer Link: https://lore.kernel.org/r/20220624105716.2579539-1-s.hauer@pengutronix.de Signed-off-by: Mark Brown commit 9e51ac6ea6041641f64fb761ccf9de271e6576cb Author: Daniel Mack Date: Fri Jun 24 12:47:10 2022 +0200 ASoC: max98396: Fix register access for PCM format settings max98396_dai_set_fmt() modifes register 2041 and touches bits in the mask 0x3a. Make sure to use the right mask for that operation. Signed-off-by: Daniel Mack Link: https://lore.kernel.org/r/20220624104712.1934484-7-daniel@zonque.org Signed-off-by: Mark Brown commit f0d96937d31c4615a6418e4bed5cee50a952040e Author: David Owens Date: Mon Jun 20 13:37:43 2022 -0500 ASoC: ti: omap-mcbsp: duplicate sysfs error Convert to managed versions of sysfs and clk allocation to simplify unbinding and error handling in probe. Managed sysfs node creation specifically addresses the following error seen the second time probe is attempted after sdma_pcm_platform_register() previously requsted probe deferral: sysfs: cannot create duplicate filename '/devices/platform/68000000.ocp/49022000.mcbsp/max_tx_thres' Signed-off-by: David Owens Link: https://lore.kernel.org/r/20220620183744.3176557-1-dowens@precisionplanting.com Signed-off-by: Mark Brown commit 242a88ff27b23cbf626f9764955d91200f12b53a Author: Sascha Hauer Date: Fri Jun 24 11:26:01 2022 +0200 ASoC: audio_graph_card2: Fix port numbers in example The example in audio-graph-card2.c has multiple nodes with the same name in it. Change the port numbers to get different names. Signed-off-by: Sascha Hauer Link: https://lore.kernel.org/r/20220624092601.2445224-1-s.hauer@pengutronix.de Signed-off-by: Mark Brown commit 040e3360af3736348112d29425bf5d0be5b93115 Author: Francesco Dolcini Date: Fri Jun 24 12:13:01 2022 +0200 ASoC: sgtl5000: Fix noise on shutdown/remove Put the SGTL5000 in a silent/safe state on shutdown/remove, this is required since the SGTL5000 produces a constant noise on its output after it is configured and its clock is removed. Without this change this is happening every time the module is unbound/removed or from reboot till the clock is enabled again. The issue was experienced on both a Toradex Colibri/Apalis iMX6, but can be easily reproduced everywhere just playing something on the codec and after that removing/unbinding the driver. Fixes: 9b34e6cc3bc2 ("ASoC: Add Freescale SGTL5000 codec support") Signed-off-by: Francesco Dolcini Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/r/20220624101301.441314-1-francesco.dolcini@toradex.com Signed-off-by: Mark Brown commit d2ee2cfc4aa85ff6a2a3b198a3a524ec54e3d999 Author: Huaxin Lu Date: Tue Jul 5 13:14:17 2022 +0800 ima: Fix a potential integer overflow in ima_appraise_measurement When the ima-modsig is enabled, the rc passed to evm_verifyxattr() may be negative, which may cause the integer overflow problem. Fixes: 39b07096364a ("ima: Implement support for module-style appended signatures") Signed-off-by: Huaxin Lu Signed-off-by: Mimi Zohar commit fa293fb960ab8350c92e2327a08fc141f228b044 Author: Lukas Bulwahn Date: Thu Jul 7 13:26:45 2022 +0200 MAINTAINERS: mark ARM/PALM TREO SUPPORT orphan The email address sleep_walker@suse.com and the url http://hackndev.com/, provided in the ARM/PALM TREO SUPPORT section, are not reachable anymore. Make this machine support orphan, and give somebody the chance to step up. Move the maintainer into CREDITS to keep the attribution to his work. Signed-off-by: Lukas Bulwahn Signed-off-by: Arnd Bergmann commit 2c08b9b38f5b0f4a6c2d29be22b695e4ec4a556b Author: Peter Zijlstra Date: Wed Jul 6 15:33:30 2022 +0200 x86/entry: Move PUSH_AND_CLEAR_REGS() back into error_entry Commit ee774dac0da1 ("x86/entry: Move PUSH_AND_CLEAR_REGS out of error_entry()") moved PUSH_AND_CLEAR_REGS out of error_entry, into its own function, in part to avoid calling error_entry() for XenPV. However, commit 7c81c0c9210c ("x86/entry: Avoid very early RET") had to change that because the 'ret' was too early and moved it into idtentry, bloating the text size, since idtentry is expanded for every exception vector. However, with the advent of xen_error_entry() in commit d147553b64bad ("x86/xen: Add UNTRAIN_RET") it became possible to remove PUSH_AND_CLEAR_REGS from idtentry, back into *error_entry(). Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Borislav Petkov commit 38e0e4d04d4187c63d6b511396faae7db6a3cd9e Author: Peter Zijlstra Date: Tue Jun 28 12:57:42 2022 +0200 x86/ibt, objtool: Don't discard text references from tracepoint section On Tue, Jun 28, 2022 at 04:28:58PM +0800, Pengfei Xu wrote: > # ./ftracetest > === Ftrace unit tests === > [1] Basic trace file check [PASS] > [2] Basic test for tracers [PASS] > [3] Basic trace clock test [PASS] > [4] Basic event tracing check [PASS] > [5] Change the ringbuffer size [PASS] > [6] Snapshot and tracing setting [PASS] > [7] trace_pipe and trace_marker [PASS] > [8] Test ftrace direct functions against tracers [UNRESOLVED] > [9] Test ftrace direct functions against kprobes [UNRESOLVED] > [10] Generic dynamic event - add/remove eprobe events [FAIL] > [11] Generic dynamic event - add/remove kprobe events > > It 100% reproduced in step 11 and then missing ENDBR BUG generated: > " > [ 9332.752836] mmiotrace: enabled CPU7. > [ 9332.788612] mmiotrace: disabled. > [ 9337.103426] traps: Missing ENDBR: syscall_regfunc+0x0/0xb0 It turns out that while syscall_regfunc() does have an ENDBR when generated, it gets sealed by objtool's .ibt_endbr_seal list. Since the only text references to this function: $ git grep syscall_regfunc include/linux/tracepoint.h:extern int syscall_regfunc(void); include/trace/events/syscalls.h: syscall_regfunc, syscall_unregfunc include/trace/events/syscalls.h: syscall_regfunc, syscall_unregfunc kernel/tracepoint.c:int syscall_regfunc(void) appear in the __tracepoint section which is excluded by objtool. Fixes: 3c6f9f77e618 ("objtool: Rework ibt and extricate from stack validation") Reported-by: Pengfei Xu Link: https://lkml.kernel.org/r/Yrrepdaow4F5kqG0@hirez.programming.kicks-ass.net commit f54d45372c6ac9c993451de5e51312485f7d10bc Author: Pawan Gupta Date: Wed Jul 6 15:01:15 2022 -0700 x86/bugs: Add Cannon lake to RETBleed affected CPU list Cannon lake is also affected by RETBleed, add it to the list. Fixes: 6ad0ad2bf8a6 ("x86/bugs: Report Intel retbleed vulnerability") Signed-off-by: Pawan Gupta Signed-off-by: Borislav Petkov commit c8e27a4a5136e7230f9e4ffcf132705bf56864cc Author: Kent Gibson Date: Wed Jul 6 16:45:07 2022 +0800 gpiolib: cdev: fix null pointer dereference in linereq_free() Fix a kernel NULL pointer dereference reported by gpio kselftests. linereq_free() can be called as part of the cleanup of a failed request, at which time the desc for a line may not have been determined, so it is unsafe to dereference without a check. Add a check prior to dereferencing the line desc. Fixes: 2068339a6c35 ("gpiolib: cdev: Add hardware timestamp clock type") Signed-off-by: Kent Gibson Signed-off-by: Bartosz Golaszewski commit f0fbe652e8529a180630617a17cd5922298c4f13 Author: Tiezhu Yang Date: Mon Jun 27 14:57:35 2022 +0800 LoongArch: Fix section mismatch warning init_numa_memory() is annotated __init and not used by any module, thus don't export it. Remove not needed EXPORT_SYMBOL for init_numa_memory() to fix the following section mismatch warning: MODPOST vmlinux.symvers WARNING: modpost: vmlinux.o(___ksymtab+init_numa_memory+0x0): Section mismatch in reference from the variable __ksymtab_init_numa_memory to the function .init.text:init_numa_memory() The symbol init_numa_memory is exported and annotated __init Fix this by removing the __init annotation of init_numa_memory or drop the export. This is build on Linux 5.19-rc4. Fixes: d4b6f1562a3c ("LoongArch: Add Non-Uniform Memory Access (NUMA) support") Signed-off-by: Tiezhu Yang Signed-off-by: Huacai Chen commit e6ee90233eb155991e469d2047855fc466b831b6 Author: Huacai Chen Date: Wed Jul 6 11:03:09 2022 +0800 LoongArch: Fix build errors for tinyconfig Building loongarch:tinyconfig fails with the following error. ./arch/loongarch/include/asm/page.h: In function 'pfn_valid': ./arch/loongarch/include/asm/page.h:42:32: error: 'PHYS_OFFSET' undeclared Add the missing include file and fix succeeding vdso errors. Fixes: 09cfefb7fa70 ("LoongArch: Add memory management") Signed-off-by: Guenter Roeck Signed-off-by: Huacai Chen commit 112380996ac22e428264cd7186722e784db887e4 Author: Qi Hu Date: Wed Jul 6 19:29:37 2022 +0800 LoongArch: Remove obsolete mentions of vcsr The `vcsr` only exists in the old hardware design, it isn't used in any shipped hardware from Loongson-3A5000 on. Both scalar FP and LSX/LASX instructions use the `fcsr` as their control and status registers now. For example, the RM control bit in fcsr0 is shared by FP, LSX and LASX instructions. Particularly, fcsr16 to fcsr31 are reserved for LSX/LASX now, access to these registers has no visible effect if LSX/LASX is enabled, and will cause SXD/ASXD exceptions if LSX/LASX is not enabled. So, mentions of vcsr are obsolete in the first place (it was just used for debugging), let's remove them. Reviewed-by: WANG Xuerui Signed-off-by: Qi Hu Signed-off-by: Huacai Chen commit 7fd6ef61a5d610b4f74c0ac59450237b40130319 Author: Lukas Bulwahn Date: Tue Jul 5 09:34:05 2022 +0200 LoongArch: Drop these obsolete selects in Kconfig Commit fa96b57c1490 ("LoongArch: Add build infrastructure") adds the new file arch/loongarch/Kconfig. As the work on LoongArch was probably quite some time under development, various config symbols have changed and disappeared from the time of initial writing of the Kconfig file and its inclusion in the repository. The following four commits: commit c126a53c2760 ("arch: remove GENERIC_FIND_FIRST_BIT entirely") commit 140c8180eb7c ("arch: remove HAVE_COPY_THREAD_TLS") commit aca52c398389 ("mm: remove CONFIG_HAVE_MEMBLOCK") commit 3f08a302f533 ("mm: remove CONFIG_HAVE_MEMBLOCK_NODE_MAP option") remove the mentioned config symbol, and enable the intended setup by default without configuration. Drop these obsolete selects in loongarch's Kconfig. Reviewed-by: WANG Xuerui Signed-off-by: Lukas Bulwahn Signed-off-by: Huacai Chen commit 53a6e66b1b4fea4b52f8bc62e5f9530af9061027 Author: Helge Deller Date: Sat Jun 25 13:00:34 2022 +0200 fbcon: Use fbcon_info_from_console() in fbcon_modechange_possible() Use the fbcon_info_from_console() wrapper which was added to kernel v5.19 with commit 409d6c95f9c6 ("fbcon: Introduce wrapper for console->fb_info lookup"). Signed-off-by: Helge Deller Reviewed-by: Geert Uytterhoeven commit 6c11df58fd1ac0aefcb3b227f72769272b939e56 Author: Helge Deller Date: Wed Jun 29 15:53:55 2022 +0200 fbmem: Check virtual screen sizes in fb_set_var() Verify that the fbdev or drm driver correctly adjusted the virtual screen sizes. On failure report the failing driver and reject the screen size change. Signed-off-by: Helge Deller Reviewed-by: Geert Uytterhoeven Cc: stable@vger.kernel.org # v5.4+ commit b68277f19e31a25312c4acccadb5cf1502e52e84 Author: Ezequiel Garcia Date: Wed Jul 6 15:41:33 2022 -0300 drm/ssd130x: Fix pre-charge period setting Fix small typo which causes the mask for the 'precharge1' setting to be used with the 'precharge2' value. Signed-off-by: Ezequiel Garcia Acked-by: Javier Martinez Canillas Signed-off-by: Javier Martinez Canillas Link: https://patchwork.freedesktop.org/patch/msgid/20220706184133.210888-1-ezequiel@vanguardiasur.com.ar commit e64242caef18b4a5840b0e7a9bff37abd4f4f933 Author: Helge Deller Date: Sat Jun 25 13:00:34 2022 +0200 fbcon: Prevent that screen size is smaller than font size We need to prevent that users configure a screen size which is smaller than the currently selected font size. Otherwise rendering chars on the screen will access memory outside the graphics memory region. This patch adds a new function fbcon_modechange_possible() which implements this check and which later may be extended with other checks if necessary. The new function is called from the FBIOPUT_VSCREENINFO ioctl handler in fbmem.c, which will return -EINVAL if userspace asked for a too small screen size. Signed-off-by: Helge Deller Reviewed-by: Geert Uytterhoeven Cc: stable@vger.kernel.org # v5.4+ commit 65a01e601dbba8b7a51a2677811f70f783766682 Author: Helge Deller Date: Sat Jun 25 12:56:49 2022 +0200 fbcon: Disallow setting font bigger than screen size Prevent that users set a font size which is bigger than the physical screen. It's unlikely this may happen (because screens are usually much larger than the fonts and each font char is limited to 32x32 pixels), but it may happen on smaller screens/LCD displays. Signed-off-by: Helge Deller Reviewed-by: Daniel Vetter Reviewed-by: Geert Uytterhoeven Cc: stable@vger.kernel.org # v4.14+ commit 7c1aeba7bb977fe327fbc9682e9ccb36134cbf77 Author: xinhui pan Date: Thu Jul 7 16:02:41 2022 +0800 dma-buf: Fix one use-after-free of fence Need get the new fence when we replace the old one. Fixes: 047a1b877ed48 ("dma-buf & drm/amdgpu: remove dma_resv workaround") Signed-off-by: xinhui pan Reviewed-by: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/20220707080241.20060-1-xinhui.pan@amd.com Signed-off-by: Christian König commit 12058077b2e963d16d2d673d46233a7f46add7c9 Author: Thomas Hellström Date: Mon Jun 20 14:36:59 2022 +0200 drm/i915: Fix vm use-after-free in vma destruction In vma destruction, the following race may occur: Thread 1: Thread 2: i915_vma_destroy(); ... list_del_init(vma->vm_link); ... mutex_unlock(vma->vm->mutex); __i915_vm_release(); release_references(); And in release_reference() we dereference vma->vm to get to the vm gt pointer, leading to a use-after free. However, __i915_vm_release() grabs the vm->mutex so the vm won't be destroyed before vma->vm->mutex is released, so extract the gt pointer under the vm->mutex to avoid the vma->vm dereference in release_references(). v2: Fix a typo in the commit message (Andi Shyti) Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5944 Fixes: e1a7ab4fca0c ("drm/i915: Remove the vm open count") Cc: Niranjana Vishwanathapura Cc: Matthew Auld Signed-off-by: Thomas Hellström Acked-by: Nirmoy Das Reviewed-by: Andrzej Hajda Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20220620123659.381772-1-thomas.hellstrom@linux.intel.com (cherry picked from commit 1926a6b75954fc1a8b44d10bd0c67db957b78cf7) Signed-off-by: Rodrigo Vivi commit 25c95bf494067f7bd1dfa8064ef964abe88cafc2 Author: Daniele Ceraolo Spurio Date: Tue Jun 21 16:30:05 2022 -0700 drm/i915/guc: ADL-N should use the same GuC FW as ADL-S The only difference between the ADL S and P GuC FWs is the HWConfig support. ADL-N does not support HWConfig, so we should use the same binary as ADL-S, otherwise the GuC might attempt to fetch a config table that does not exist. ADL-N is internally identified as an ADL-P, so we need to special-case it in the FW selection code. Fixes: 7e28d0b26759 ("drm/i915/adl-n: Enable ADL-N platform") Cc: John Harrison Cc: Tejas Upadhyay Cc: Anusha Srivatsa Cc: Jani Nikula Signed-off-by: Daniele Ceraolo Spurio Reviewed-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20220621233005.3952293-1-daniele.ceraolospurio@intel.com (cherry picked from commit 971e4a9781742aaad1587e25fd5582b2dd595ef8) Signed-off-by: Rodrigo Vivi commit 85144df9ff4652816448369de76897c57cbb1b93 Author: Hangyu Hua Date: Fri Jun 24 06:04:06 2022 -0700 drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector() If drm_connector_init fails, intel_connector_free will be called to take care of proper free. So it is necessary to drop the refcount of port before intel_connector_free. Fixes: 091a4f91942a ("drm/i915: Handle drm-layer errors in intel_dp_add_mst_connector") Signed-off-by: Hangyu Hua Reviewed-by: José Roberto de Souza Link: https://patchwork.freedesktop.org/patch/msgid/20220624130406.17996-1-jose.souza@intel.com Signed-off-by: José Roberto de Souza (cherry picked from commit cea9ed611e85d36a05db52b6457bf584b7d969e2) Signed-off-by: Rodrigo Vivi commit 07266d066301b97ad56a693f81b29b7ced429b27 Merge: faa4e04e5e140 0d1f700807d84 Author: Jakub Kicinski Date: Wed Jul 6 20:04:09 2022 -0700 Merge branch 'wireguard-patches-for-5-19-rc6' Jason A. Donenfeld says: ==================== wireguard patches for 5.19-rc6 1) A few small fixups to the selftests, per usual. Of particular note is a fix for a test flake that occurred on especially fast systems that boot in less than a second. 2) An addition during this cycle of some s390 crypto interacted with the way wireguard selects dependencies, resulting in linker errors reported by the kernel test robot. So Vladis sent in a patch for that, which also required a small preparatory fix moving some Kconfig symbols around. ==================== Link: https://lore.kernel.org/r/20220707003157.526645-1-Jason@zx2c4.com Signed-off-by: Jakub Kicinski commit 0d1f700807d846b00e33cc87d90f404bbc904a97 Author: Vladis Dronov Date: Thu Jul 7 02:31:57 2022 +0200 wireguard: Kconfig: select CRYPTO_CHACHA_S390 Select the new implementation of CHACHA20 for S390 when available. It is faster than the generic software implementation, but also prevents some linker errors in certain situations. Reported-by: kernel test robot Link: https://lore.kernel.org/linux-kernel/202207030630.6SZVkrWf-lkp@intel.com/ Signed-off-by: Vladis Dronov Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski commit b7133757da4c4c17d625970f6da3d76af12a8867 Author: Jason A. Donenfeld Date: Thu Jul 7 02:31:56 2022 +0200 crypto: s390 - do not depend on CRYPTO_HW for SIMD implementations Various accelerated software implementation Kconfig values for S390 were mistakenly placed into drivers/crypto/Kconfig, even though they're mainly just SIMD code and live in arch/s390/crypto/ like usual. This gives them the very unusual dependency on CRYPTO_HW, which leads to problems elsewhere. This patch fixes the issue by moving the Kconfig values for non-hardware drivers into the usual place in crypto/Kconfig. Acked-by: Herbert Xu Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski commit b83fdcd9fb8ad7e59f4188ba9ec221917f463a17 Author: Jason A. Donenfeld Date: Thu Jul 7 02:31:55 2022 +0200 wireguard: selftests: use microvm on x86 This makes for faster tests, faster compile time, and allows us to ditch ACPI finally. Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski commit 1a087eec257154e26a81a7a0a15380d7a2431765 Author: Jason A. Donenfeld Date: Thu Jul 7 02:31:54 2022 +0200 wireguard: selftests: always call kernel makefile These selftests are used for much more extensive changes than just the wireguard source files. So always call the kernel's build file, which will do something or nothing after checking the whole tree, per usual. Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski commit 1f2f341a62639c7066ee4c76b7d9ebe867e0a1d5 Author: Jason A. Donenfeld Date: Thu Jul 7 02:31:53 2022 +0200 wireguard: selftests: use virt machine on m68k This should be a bit more stable hopefully. Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski commit 829be057dbc1e71383b8d7de8edb31dcf07b4aa0 Author: Jason A. Donenfeld Date: Thu Jul 7 02:31:52 2022 +0200 wireguard: selftests: set fake real time in init Not all platforms have an RTC, and rather than trying to force one into each, it's much easier to just set a fixed time. This is necessary because WireGuard's latest handshakes parameter is returned in wallclock time, and if the system time isn't set, and the system is really fast, then this returns 0, which trips the test. Turning this on requires setting CONFIG_COMPAT_32BIT_TIME=y, as musl doesn't support settimeofday without it. Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski commit faa4e04e5e140a6d02260289a8fba8fd8d7a3003 Author: Heiner Kallweit Date: Tue Jul 5 21:15:22 2022 +0200 r8169: fix accessing unset transport header 66e4c8d95008 ("net: warn if transport header was not set") added a check that triggers a warning in r8169, see [0]. The commit referenced in the Fixes tag refers to the change from which the patch applies cleanly, there's nothing wrong with this commit. It seems the actual issue (not bug, because the warning is harmless here) was introduced with bdfa4ed68187 ("r8169: use Giant Send"). [0] https://bugzilla.kernel.org/show_bug.cgi?id=216157 Fixes: 8d520b4de3ed ("r8169: work around RTL8125 UDP hw bug") Reported-by: Erhard F. Tested-by: Erhard F. Signed-off-by: Heiner Kallweit Link: https://lore.kernel.org/r/1b2c2b29-3dc0-f7b6-5694-97ec526d51a0@gmail.com Signed-off-by: Jakub Kicinski commit 148ca04518070910739dfc4eeda765057856403d Author: Duoming Zhou Date: Tue Jul 5 20:56:10 2022 +0800 net: rose: fix UAF bug caused by rose_t0timer_expiry There are UAF bugs caused by rose_t0timer_expiry(). The root cause is that del_timer() could not stop the timer handler that is running and there is no synchronization. One of the race conditions is shown below: (thread 1) | (thread 2) | rose_device_event | rose_rt_device_down | rose_remove_neigh rose_t0timer_expiry | rose_stop_t0timer(rose_neigh) ... | del_timer(&neigh->t0timer) | kfree(rose_neigh) //[1]FREE neigh->dce_mode //[2]USE | The rose_neigh is deallocated in position [1] and use in position [2]. The crash trace triggered by POC is like below: BUG: KASAN: use-after-free in expire_timers+0x144/0x320 Write of size 8 at addr ffff888009b19658 by task swapper/0/0 ... Call Trace: dump_stack_lvl+0xbf/0xee print_address_description+0x7b/0x440 print_report+0x101/0x230 ? expire_timers+0x144/0x320 kasan_report+0xed/0x120 ? expire_timers+0x144/0x320 expire_timers+0x144/0x320 __run_timers+0x3ff/0x4d0 run_timer_softirq+0x41/0x80 __do_softirq+0x233/0x544 ... This patch changes rose_stop_ftimer() and rose_stop_t0timer() in rose_remove_neigh() to del_timer_sync() in order that the timer handler could be finished before the resources such as rose_neigh and so on are deallocated. As a result, the UAF bugs could be mitigated. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Duoming Zhou Link: https://lore.kernel.org/r/20220705125610.77971-1-duoming@zju.edu.cn Signed-off-by: Jakub Kicinski commit 9fab303a2cb3d323ca3a32a8b4ab60b451141901 Author: Mimi Zohar Date: Thu Jun 30 11:23:38 2022 -0400 ima: fix violation measurement list record Although the violation digest in the IMA measurement list is always zeroes, the size of the digest should be based on the hash algorithm. Until recently the hash algorithm was hard coded to sha1. Fix the violation digest size included in the IMA measurement list. This is just a cosmetic change which should not affect attestation. Reported-by: Stefan Berger Fixes: 09091c44cb73 ("ima: use IMA default hash algorithm for integrity violations") Tested-by: Stefan Berger Signed-off-by: Mimi Zohar commit 3a4b1cc28fbdc2325b3e3ed7d8024995a75f9216 Author: Alex Deucher Date: Tue Jun 21 10:10:37 2022 -0400 drm/amdgpu/display: disable prefer_shadow for generic fb helpers Seems to break hibernation. Disable for now until we can root cause it. Fixes: 087451f372bf ("drm/amdgpu: use generic fb helpers instead of setting up AMD own's.") Bug: https://bugzilla.kernel.org/show_bug.cgi?id=216119 Acked-by: Evan Quan Signed-off-by: Alex Deucher commit f9a89117fbdc63c0d4ab63a8f3596a72c245bcfe Author: Alex Deucher Date: Tue Jun 21 10:04:55 2022 -0400 drm/amdgpu: keep fbdev buffers pinned during suspend Was dropped when we converted to the generic helpers. Fixes: 087451f372bf ("drm/amdgpu: use generic fb helpers instead of setting up AMD own's.") Acked-by: Evan Quan Signed-off-by: Alex Deucher commit b55a21b764c1e182014630fa5486d717484ac58f Author: Oliver Neukum Date: Tue Jul 5 14:53:51 2022 +0200 usbnet: fix memory leak in error case usbnet_write_cmd_async() mixed up which buffers need to be freed in which error case. v2: add Fixes tag v3: fix uninitialized buf pointer Fixes: 877bd862f32b8 ("usbnet: introduce usbnet 3 command helpers") Signed-off-by: Oliver Neukum Link: https://lore.kernel.org/r/20220705125351.17309-1-oneukum@suse.com Signed-off-by: Jakub Kicinski commit 5b759bf2f9d73db05369aef2344502095c4e5e73 Author: Maxim Mikityanskiy Date: Mon May 30 14:01:37 2022 +0300 net/mlx5e: Ring the TX doorbell on DMA errors TX doorbells may be postponed, because sometimes the driver knows that another packet follows (for example, when xmit_more is true, or when a MPWQE session is closed before transmitting a packet). However, the DMA mapping may fail for the next packet, in which case a new WQE is not posted, the doorbell isn't updated either, and the transmission of the previous packet will be delayed indefinitely. This commit fixes the described rare error flow by posting a NOP and ringing the doorbell on errors to flush all the previous packets. The MPWQE session is closed before that. DMA mapping in the MPWQE flow is moved to the beginning of mlx5e_sq_xmit_mpwqe, because empty sessions are not allowed. Stop room always has enough space for a NOP, because the actual TX WQE is not posted. Fixes: e586b3b0baee ("net/mlx5: Ethernet Datapath files") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit 452133dd580811f184e76b1402983182ee425298 Author: Gal Pressman Date: Mon Jun 27 15:05:53 2022 +0300 net/mlx5e: Fix capability check for updating vnic env counters The existing capability check for vnic env counters only checks for receive steering discards, although we need the counters update for the exposed internal queue oob counter as well. This could result in the latter counter not being updated correctly when the receive steering discards counter is not supported. Fix that by checking whether any counter is supported instead of only the steering counter capability. Fixes: 0cfafd4b4ddf ("net/mlx5e: Add device out of buffer counter") Signed-off-by: Gal Pressman Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit 6c4e8fa03fde7e5b304594294e397a9ba92feaf6 Author: Roi Dayan Date: Tue Jun 21 10:43:55 2022 +0300 net/mlx5e: CT: Use own workqueue instead of mlx5e priv Allocate a ct priv workqueue instead of using mlx5e priv one so flushing will only be of related CT entries. Also move flushing of the workqueue before rhashtable destroy otherwise entries won't be valid. Fixes: b069e14fff46 ("net/mlx5e: CT: Fix queued up restore put() executing after relevant ft release") Signed-off-by: Roi Dayan Reviewed-by: Oz Shlomo Signed-off-by: Saeed Mahameed commit 1afbd1e283d6a5449d8c24ce8ccae8ccb15ee943 Author: Liu, Changcheng Date: Fri May 27 16:49:14 2022 +0800 net/mlx5: Lag, correct get the port select mode str mode & mode_flags is updated at the end of mlx5_activate_lag which may not reflect the actual mode as shown in below logic: mlx5_activate_lag(struct mlx5_lag *ldev, |-- unsigned long flags = 0; |-- err = mlx5_lag_set_flags(ldev, mode, tracker, shared_fdb, &flags); |-- err = mlx5_create_lag(ldev, tracker, mode, flags); |-- mlx5_get_str_port_sel_mode(ldev); |-- ldev->mode = mode; |-- ldev->mode_flags = flags; Use mode & flag as parameters to get port select mode info. Fixes: 94db33177819 ("net/mlx5: Support multiport eswitch mode") Signed-off-by: Liu, Changcheng Reviewed-by: Eli Cohen Reviewed-by: Mark Bloch Signed-off-by: Saeed Mahameed commit 0c9d876545a56aebed30fa306d0460a4d28d271a Author: Paul Blakey Date: Wed Jun 22 13:11:18 2022 +0300 net/mlx5e: Fix enabling sriov while tc nic rules are offloaded There is a total of four 4M entries flow tables. In sriov disabled mode, ct, ct_nat and post_act take three of them. When adding the first tc nic rule in this mode, it will take another 4M table for the tc table. If user then enables sriov, the legacy flow table tries to take another 4M and fails, and so enablement fails. To fix that, have legacy fdb take the next available maximum size from the fs ft pool. Fixes: 4a98544d1827 ("net/mlx5: Move chains ft pool to be used by all firmware steering") Signed-off-by: Paul Blakey Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit 2ec6cf9b742a5c18982861322fa5de6510f8f57e Author: Tariq Toukan Date: Mon Jun 6 21:21:10 2022 +0300 net/mlx5e: kTLS, Fix build time constant test in RX Use the correct constant (TLS_DRIVER_STATE_SIZE_RX) in the comparison against the size of the private RX TLS driver context. Fixes: 1182f3659357 ("net/mlx5e: kTLS, Add kTLS RX HW offload support") Signed-off-by: Tariq Toukan Reviewed-by: Maxim Mikityanskiy Signed-off-by: Saeed Mahameed commit 6cc2714e85754a621219693ea8aa3077d6fca0cb Author: Tariq Toukan Date: Mon Jun 6 21:20:29 2022 +0300 net/mlx5e: kTLS, Fix build time constant test in TX Use the correct constant (TLS_DRIVER_STATE_SIZE_TX) in the comparison against the size of the private TX TLS driver context. Fixes: df8d866770f9 ("net/mlx5e: kTLS, Use kernel API to extract private offload context") Signed-off-by: Tariq Toukan Reviewed-by: Maxim Mikityanskiy Signed-off-by: Saeed Mahameed commit 4892bd9830c363420f00d90186630e7acbed5c9e Author: Mark Bloch Date: Tue May 24 12:08:10 2022 +0300 net/mlx5: Lag, decouple FDB selection and shared FDB Multiport eswitch is required to use native FDB selection instead of affinity, This was achieved by passing the shared_fdb flag down the HW lag creation path. While it did accomplish the goal of setting FDB selection mode to native, it had the side effect of also creating a shared FDB configuration. This created a few issues: - TC rules are inserted into a non active FDB, which means traffic isn't offloaded as all traffic will reach only a single FDB. - All wire traffic is treated as if a single physical port received it; while this is true for a bond configuration, this shouldn't be the case for multiport eswitch. Create a new flag MLX5_LAG_MODE_FLAG_FDB_SEL_MODE_NATIVE to indicate what FDB selection mode should be used. Fixes: 94db33177819 ("net/mlx5: Support multiport eswitch mode") Signed-off-by: Mark Bloch Reviewed-by: Eli Cohen Signed-off-by: Saeed Mahameed commit d6c13d74b5c06bef75febf1f351de3c4c255f149 Author: Eli Cohen Date: Wed Jun 8 17:34:16 2022 +0300 net/mlx5: TC, allow offload from uplink to other PF's VF Redirecting traffic from uplink to a VF is a legal operation of mulitport eswitch mode. Remove the limitation. Fixes: 94db33177819 ("net/mlx5: Support multiport eswitch mode") Signed-off-by: Eli Cohen Reviewed-by: Maor Dickman Reviewed-by: Mark Bloch Signed-off-by: Saeed Mahameed commit e5c46fde75e43c15a29b40e5fc5641727f97ae47 Author: Ard Biesheuvel Date: Thu Jun 30 16:46:54 2022 +0100 ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction After emulating a misaligned load or store issued in Thumb mode, we have to advance the IT state by hand, or it will get out of sync with the actual instruction stream, which means we'll end up applying the wrong condition code to subsequent instructions. This might corrupt the program state rather catastrophically. So borrow the it_advance() helper from the probing code, and use it on CPSR if the emulated instruction is Thumb. Cc: Reviewed-by: Linus Walleij Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King (Oracle) commit e4ced82deb5fb17222fb82e092c3f8311955b585 Author: Dmitry Osipenko Date: Tue Jun 28 08:55:45 2022 +0100 ARM: 9213/1: Print message about disabled Spectre workarounds only once Print the message about disabled Spectre workarounds only once. The message is printed each time CPU goes out from idling state on NVIDIA Tegra boards, causing storm in KMSG that makes system unusable. Cc: stable@vger.kernel.org Signed-off-by: Dmitry Osipenko Signed-off-by: Russell King (Oracle) commit 2bf6204240fddb22cc4940b9e3f40c538390212e Author: Linus Walleij Date: Sun Jun 19 20:40:16 2022 +0100 ARM: 9212/1: domain: Modify Kconfig help text After the removal of set_fs() the reference to set_fs() is stale. Alter the helptext to reflect what the config option really does. Fixes: 8ac6f5d7f84b ("ARM: 9113/1: uaccess: remove set_fs() implementation") Acked-by: Arnd Bergmann Signed-off-by: Linus Walleij Signed-off-by: Russell King (Oracle) commit cc45b836388f0ccc6831288a08f77a33845f10b0 Author: Linus Walleij Date: Sun Jun 19 20:39:29 2022 +0100 ARM: 9211/1: domain: drop modify_domain() This function/macro isn't used anywhere in the kernel. The only user was set_fs() and was deleted in the set_fs() removal patch set. Fixes: 8ac6f5d7f84b ("ARM: 9113/1: uaccess: remove set_fs() implementation") Acked-by: Arnd Bergmann Signed-off-by: Linus Walleij Signed-off-by: Russell King (Oracle) commit 598f0a99fa8a35be44b27106b43ddc66417af3b1 Author: Zhen Lei Date: Mon Jun 13 15:05:41 2022 +0100 ARM: 9210/1: Mark the FDT_FIXED sections as shareable commit 7a1be318f579 ("ARM: 9012/1: move device tree mapping out of linear region") use FDT_FIXED_BASE to map the whole FDT_FIXED_SIZE memory area which contains fdt. But it only reserves the exact physical memory that fdt occupied. Unfortunately, this mapping is non-shareable. An illegal or speculative read access can bring the RAM content from non-fdt zone into cache, PIPT makes it to be hit by subsequently read access through shareable mapping(such as linear mapping), and the cache consistency between cores is lost due to non-shareable property. |<---------FDT_FIXED_SIZE------>| | | ------------------------------- | | | | ------------------------------- 1. CoreA read through MT_ROM mapping, the old data is loaded into the cache. 2. CoreB write to update data through linear mapping. CoreA received the notification to invalid the corresponding cachelines, but the property non-shareable makes it to be ignored. 3. CoreA read through linear mapping, cache hit, the old data is read. To eliminate this risk, add a new memory type MT_MEMORY_RO. Compared to MT_ROM, it is shareable and non-executable. Here's an example: list_del corruption. prev->next should be c0ecbf74, but was c08410dc kernel BUG at lib/list_debug.c:53! ... ... PC is at __list_del_entry_valid+0x58/0x98 LR is at __list_del_entry_valid+0x58/0x98 psr: 60000093 sp : c0ecbf30 ip : 00000000 fp : 00000001 r10: c08410d0 r9 : 00000001 r8 : c0825e0c r7 : 20000013 r6 : c08410d0 r5 : c0ecbf74 r4 : c0ecbf74 r3 : c0825d08 r2 : 00000000 r1 : df7ce6f4 r0 : 00000044 ... ... Stack: (0xc0ecbf30 to 0xc0ecc000) bf20: c0ecbf74 c0164fd0 c0ecbf70 c0165170 bf40: c0eca000 c0840c00 c0840c00 c0824500 c0825e0c c0189bbc c088f404 60000013 bf60: 60000013 c0e85100 000004ec 00000000 c0ebcdc0 c0ecbf74 c0ecbf74 c0825d08 ... ... < next prev > (__list_del_entry_valid) from (__list_del_entry+0xc/0x20) (__list_del_entry) from (finish_swait+0x60/0x7c) (finish_swait) from (rcu_gp_kthread+0x560/0xa20) (rcu_gp_kthread) from (kthread+0x14c/0x15c) (kthread) from (ret_from_fork+0x14/0x24) The faulty list node to be deleted is a local variable, its address is c0ecbf74. The dumped stack shows that 'prev' = c0ecbf74, but its value before lib/list_debug.c:53 is c08410dc. A large amount of printing results in swapping out the cacheline containing the old data(MT_ROM mapping is read only, so the cacheline cannot be dirty), and the subsequent dump operation obtains new data from the DDR. Fixes: 7a1be318f579 ("ARM: 9012/1: move device tree mapping out of linear region") Suggested-by: Ard Biesheuvel Signed-off-by: Zhen Lei Reviewed-by: Ard Biesheuvel Reviewed-by: Kefeng Wang Signed-off-by: Russell King (Oracle) commit 0609e200246bfd3b7516091c491bec4308349055 Author: Ard Biesheuvel Date: Tue May 31 09:53:42 2022 +0100 ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle Jon reports that the Spectre-BHB init code is filling up the kernel log with spurious notifications about which mitigation has been enabled, every time any CPU comes out of a low power state. Given that Spectre-BHB mitigations are system wide, only a single mitigation can be enabled, and we already print an error if two types of CPUs coexist in a single system that require different Spectre-BHB mitigations. This means that the pr_info() that describes the selected mitigation does not need to be emitted for each CPU anyway, and so we can simply emit it only once. In order to clarify the above in the log message, update it to describe that the selected mitigation will be enabled on all CPUs, including ones that are unaffected. If another CPU comes up later that is affected and requires a different mitigation, we report an error as before. Fixes: b9baf5c8c5c3 ("ARM: Spectre-BHB workaround") Tested-by: Jon Hunter Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King (Oracle) commit 5b1a01c16292208be9a1ccc170c99c747df0c4c4 Merge: 30554a1f0fd6a 6ece49c569655 Author: Mark Brown Date: Wed Jul 6 20:37:43 2022 +0100 spi: Merge AMD fix Work around problems with large transfers. commit 5c629dc9609dc43492a7bc8060cc6120875bf096 Author: Keith Busch Date: Wed Jul 6 10:05:05 2022 -0700 nvme: use struct group for generic command dwords This will allow the trace event to know the full size of the data intended to be copied and silence read overflow checks. Reported-by: John Garry Suggested-by: Christoph Hellwig Signed-off-by: Keith Busch Signed-off-by: Christoph Hellwig commit 9f09069cde34dcd86f5ecf3a3139fd752020812f Merge: c3850b3f975f9 48bddb89d59ee Author: Linus Torvalds Date: Wed Jul 6 10:10:26 2022 -0700 Merge tag 'for-linus' of https://github.com/openrisc/linux Pull OpenRISC fixes from Stafford Horne: "Fixups for OpenRISC found during recent testing: - An OpenRISC irqchip fix to stop acking level interrupts which was causing issues on SMP platforms - A comment typo fix in our unwinder code" * tag 'for-linus' of https://github.com/openrisc/linux: openrisc: unwinder: Fix grammar issue in comment irqchip: or1k-pic: Undefine mask_ack for level triggered hardware commit c3850b3f975f94317011421bb55325f828ae72ea Merge: e35e5b6f695d2 c5e58c4545a69 Author: Linus Torvalds Date: Wed Jul 6 10:01:00 2022 -0700 Merge tag 'sound-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "This became largish as it includes the pending ASoC fixes. Almost all changes are device-specific small fixes, while many of them are coverage for mixer issues that were detected by selftest. In addition, usual suspects for HD/USB-audio are there" * tag 'sound-5.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (43 commits) ALSA: cs46xx: Fix missing snd_card_free() call at probe error ALSA: usb-audio: Add quirk for Fiero SC-01 (fw v1.0.0) ALSA: usb-audio: Add quirk for Fiero SC-01 ALSA: hda/realtek: Add quirk for Clevo L140PU ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices ASoC: madera: Fix event generation for rate controls ASoC: madera: Fix event generation for OUT1 demux ASoC: cs47l15: Fix event generation for low power mux control ASoC: cs35l41: Add ASP TX3/4 source to register patch ASoC: dapm: Initialise kcontrol data for mux/demux controls ASoC: rt711-sdca: fix kernel NULL pointer dereference when IO error ASoC: cs35l41: Correct some control names ASoC: wm5110: Fix DRE control ASoC: wm_adsp: Fix event for preloader MAINTAINERS: update ASoC Qualcomm maintainer email-id ASoC: rockchip: i2s: switch BCLK to GPIO ASoC: SOF: Intel: disable IMR boot when resuming from ACPI S4 and S5 states ASoC: SOF: pm: add definitions for S4 and S5 states ASoC: SOF: pm: add explicit behavior for ACPI S1 and S2 ASoC: SOF: Intel: hda: Fix compressed stream position tracking ... commit 80f2a248a2f92c07873128808359756f72a0438b Merge: e35e5b6f695d2 1357d2a65601b Author: Thomas Gleixner Date: Wed Jul 6 18:31:59 2022 +0200 Merge tag 'irqchip-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms into irq/urgent Pull irqchip fixes from Marc Zygnier: - Gracefully handle failure to request MMIO resources in the GICv3 driver - Make a static key static in the Apple AIC driver - Fix the Xilinx intc driver dependency on OF_ADDRESS Link: https://lore.kernel.org/all/20220701133531.1545319-1-maz@kernel.org commit 607a48c78e6b427b0b684d24e61c19e846ad65d6 Author: Samuel Holland Date: Fri Jul 1 22:19:02 2022 -0500 dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo The conditional block for variants with a second clock should have set minItems, not maxItems, which was already 2. Since clock-names requires two items, this typo should not have caused any problems. Fixes: edd14218bd66 ("dt-bindings: dmaengine: Convert Allwinner A31 and A64 DMA to a schema") Signed-off-by: Samuel Holland Reviewed-by: Rob Herring Link: https://lore.kernel.org/r/20220702031903.21703-1-samuel@sholland.org Signed-off-by: Vinod Koul commit 73029c9b23cf1213e5f54c2b59efce08665199e7 Author: Keith Busch Date: Tue Jul 5 10:21:02 2022 -0700 nvme-pci: phison e16 has bogus namespace ids Add the quirk. Link: https://bugzilla.kernel.org/show_bug.cgi?id=216049 Reported-by: Chris Egolf Signed-off-by: Keith Busch Reviewed-by: Chaitanya Kulkarni Signed-off-by: Christoph Hellwig commit 3663a2fb325b8782524f3edb0ae32d6faa615109 Author: Hsin-Yi Wang Date: Fri Jul 1 01:33:29 2022 +0800 video: of_display_timing.h: include errno.h If CONFIG_OF is not enabled, default of_get_display_timing() returns an errno, so include the header. Fixes: 422b67e0b31a ("videomode: provide dummy inline functions for !CONFIG_OF") Suggested-by: Stephen Boyd Signed-off-by: Hsin-Yi Wang Reviewed-by: Stephen Boyd Signed-off-by: Helge Deller commit 955f04766d4e6eb94bf3baa539e096808c74ebfb Author: Guiling Deng Date: Tue Jun 28 09:36:41 2022 -0700 fbdev: fbmem: Fix logo center image dx issue Image.dx gets wrong value because of missing '()'. If xres == logo->width and n == 1, image.dx = -16. Signed-off-by: Guiling Deng Fixes: 3d8b1933eb1c ("fbdev: fbmem: add config option to center the bootup logo") Cc: stable@vger.kernel.org # v5.0+ Signed-off-by: Helge Deller commit 1fd6e5675336daf4747940b4285e84b0c114ae32 Author: Johan Almbladh Date: Tue Jul 5 10:23:45 2022 +0200 xdp: Fix spurious packet loss in generic XDP TX path The byte queue limits (BQL) mechanism is intended to move queuing from the driver to the network stack in order to reduce latency caused by excessive queuing in hardware. However, when transmitting or redirecting a packet using generic XDP, the qdisc layer is bypassed and there are no additional queues. Since netif_xmit_stopped() also takes BQL limits into account, but without having any alternative queuing, packets are silently dropped. This patch modifies the drop condition to only consider cases when the driver itself cannot accept any more packets. This is analogous to the condition in __dev_direct_xmit(). Dropped packets are also counted on the device. Bypassing the qdisc layer in the generic XDP TX path means that XDP packets are able to starve other packets going through a qdisc, and DDOS attacks will be more effective. In-driver-XDP use dedicated TX queues, so they do not have this starvation issue. Signed-off-by: Johan Almbladh Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220705082345.2494312-1-johan.almbladh@anyfinetworks.com commit 6ece49c56965544262523dae4a071ace3db63507 Author: Cristian Ciocaltea Date: Wed Jul 6 13:06:22 2022 +0300 spi: amd: Limit max transfer and message size Enabling the SPI CS35L41 audio codec driver for Steam Deck [1] revealed a problem with the current AMD SPI controller driver implementation, consisting of an unrecoverable system hang. The issue can be prevented if we ensure the max transfer size and the max message size do not exceed the FIFO buffer size. According to the implementation of the downstream driver, the AMD SPI controller is not able to handle more than 70 bytes per transfer, which corresponds to the size of the FIFO buffer. Hence, let's fix this by setting the SPI limits mentioned above. [1] https://lore.kernel.org/r/20220621213819.262537-1-cristian.ciocaltea@collabora.com Reported-by: Anastasios Vacharakis Fixes: bbb336f39efc ("spi: spi-amd: Add AMD SPI controller driver support") Signed-off-by: Cristian Ciocaltea Link: https://lore.kernel.org/r/20220706100626.1234731-2-cristian.ciocaltea@collabora.com Signed-off-by: Mark Brown commit a069a90554168ac4cc81af65f000557d2a8a0745 Author: Gal Pressman Date: Tue Jul 5 14:08:37 2022 +0300 Revert "tls: rx: move counting TlsDecryptErrors for sync" This reverts commit 284b4d93daee56dff3e10029ddf2e03227f50dbf. When using TLS device offload and coming from tls_device_reencrypt() flow, -EBADMSG error in tls_do_decryption() should not be counted towards the TLSTlsDecryptError counter. Move the counter increase back to the decrypt_internal() call site in decrypt_skb_update(). This also fixes an issue where: if (n_sgin < 1) return -EBADMSG; Errors in decrypt_internal() were not counted after the cited patch. Fixes: 284b4d93daee ("tls: rx: move counting TlsDecryptErrors for sync") Cc: Jakub Kicinski Reviewed-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Gal Pressman Reviewed-by: Jakub Kicinski Signed-off-by: David S. Miller commit ae9fdf6cb4da4265bdc3a574d06eaad02a7f669a Merge: 44d632d5dde25 d2d21f175f1f9 Author: David S. Miller Date: Wed Jul 6 12:50:27 2022 +0100 Merge branch 'mptcp-path-manager-fixes' Mat Martineau says: ==================== mptcp: Path manager fixes for 5.19 The MPTCP userspace path manager is new in 5.19, and these patches fix some issues in that new code. Patches 1-3 fix path manager locking issues. Patches 4 and 5 allow userspace path managers to change priority of established subflows using the existing MPTCP_PM_CMD_SET_FLAGS generic netlink command. Includes corresponding self test update. Patches 6 and 7 fix accounting of available endpoint IDs and the MPTCP_MIB_RMSUBFLOW counter. ==================== Signed-off-by: David S. Miller commit d2d21f175f1f9580eb5681f5b476c8d7a0a3c895 Author: Geliang Tang Date: Tue Jul 5 14:32:17 2022 -0700 mptcp: update MIB_RMSUBFLOW in cmd_sf_destroy This patch increases MPTCP_MIB_RMSUBFLOW mib counter in userspace pm destroy subflow function mptcp_nl_cmd_sf_destroy() when removing subflow. Fixes: 702c2f646d42 ("mptcp: netlink: allow userspace-driven subflow establishment") Signed-off-by: Geliang Tang Signed-off-by: Mat Martineau Signed-off-by: David S. Miller commit 843b5e75efff04db34fcf9856de53c9e415530a2 Author: Paolo Abeni Date: Tue Jul 5 14:32:16 2022 -0700 mptcp: fix local endpoint accounting In mptcp_pm_nl_rm_addr_or_subflow() we always mark as available the id corresponding to the just removed address. The used bitmap actually tracks only the local IDs: we must restrict the operation when a (local) subflow is removed. Fixes: a88c9e496937 ("mptcp: do not block subflows creation on errors") Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller commit ca188a25d43f85f9c6f1e0a303edad47c9d24989 Author: Kishen Maloor Date: Tue Jul 5 14:32:15 2022 -0700 selftests: mptcp: userspace PM support for MP_PRIO signals This change updates the testing sample (pm_nl_ctl) to exercise the updated MPTCP_PM_CMD_SET_FLAGS command for userspace PMs to issue MP_PRIO signals over the selected subflow. E.g. ./pm_nl_ctl set 10.0.1.2 port 47234 flags backup token 823274047 rip 10.0.1.1 rport 50003 userspace_pm.sh has a new selftest that invokes this command. Fixes: 259a834fadda ("selftests: mptcp: functional tests for the userspace PM type") Acked-by: Paolo Abeni Signed-off-by: Kishen Maloor Signed-off-by: Mat Martineau Signed-off-by: David S. Miller commit 892f396c8e68faab7f76ff49cf39e9fbbeea4097 Author: Kishen Maloor Date: Tue Jul 5 14:32:14 2022 -0700 mptcp: netlink: issue MP_PRIO signals from userspace PMs This change updates MPTCP_PM_CMD_SET_FLAGS to allow userspace PMs to issue MP_PRIO signals over a specific subflow selected by the connection token, local and remote address+port. Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/286 Fixes: 702c2f646d42 ("mptcp: netlink: allow userspace-driven subflow establishment") Acked-by: Paolo Abeni Signed-off-by: Kishen Maloor Signed-off-by: Mat Martineau Signed-off-by: David S. Miller commit a657430260e5437df16004c8c317821d946b5ead Author: Mat Martineau Date: Tue Jul 5 14:32:13 2022 -0700 mptcp: Acquire the subflow socket lock before modifying MP_PRIO flags When setting up a subflow's flags for sending MP_PRIO MPTCP options, the subflow socket lock was not held while reading and modifying several struct members that are also read and modified in mptcp_write_options(). Acquire the subflow socket lock earlier and send the MP_PRIO ACK with that lock already acquired. Add a new variant of the mptcp_subflow_send_ack() helper to use with the subflow lock held. Fixes: 067065422fcd ("mptcp: add the outgoing MP_PRIO support") Acked-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller commit c21b50d5912b68c4414c60ef5b30416c103f9fd8 Author: Mat Martineau Date: Tue Jul 5 14:32:12 2022 -0700 mptcp: Avoid acquiring PM lock for subflow priority changes The in-kernel path manager code for changing subflow flags acquired both the msk socket lock and the PM lock when possibly changing the "backup" and "fullmesh" flags. mptcp_pm_nl_mp_prio_send_ack() does not access anything protected by the PM lock, and it must release and reacquire the PM lock. By pushing the PM lock to where it is needed in mptcp_pm_nl_fullmesh(), the lock is only acquired when the fullmesh flag is changed and the backup flag code no longer has to release and reacquire the PM lock. The change in locking context requires the MIB update to be modified - move that to a better location instead. This change also makes it possible to call mptcp_pm_nl_mp_prio_send_ack() for the userspace PM commands without manipulating the in-kernel PM lock. Fixes: 0f9f696a502e ("mptcp: add set_flags command in PM netlink") Acked-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller commit 5ccecaec5c1e85cabfda848c6f146da0d8d55bd6 Author: Paolo Abeni Date: Tue Jul 5 14:32:11 2022 -0700 mptcp: fix locking in mptcp_nl_cmd_sf_destroy() The user-space PM subflow removal path uses a couple of helpers that must be called under the msk socket lock and the current code lacks such requirement. Change the existing lock scope so that the relevant code is under its protection. Fixes: 702c2f646d42 ("mptcp: netlink: allow userspace-driven subflow establishment") Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/287 Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller commit 44d632d5dde2514b414bd6344918d68dacd8fe6f Merge: e6fa930f73a15 4d1e07d83ccc8 Author: David S. Miller Date: Wed Jul 6 12:44:39 2022 +0100 Merge branch 'act_police-continue-offload-fix' Vlad Buslov says: ==================== net: Fix police 'continue' action offload TC act_police with 'continue' action had been supported by mlx5 matchall classifier offload implementation for some time. However, 'continue' was assumed implicitly and recently got broken in multiple places. Fix it in both TC hardware offload validation code and mlx5 driver. ==================== Signed-off-by: David S. Miller commit 4d1e07d83ccc87f210e5b852b0a5ea812a2f191c Author: Vlad Buslov Date: Mon Jul 4 22:44:05 2022 +0200 net/mlx5e: Fix matchall police parameters validation Referenced commit prepared the code for upcoming extension that allows mlx5 to offload police action attached to flower classifier. However, with regard to existing matchall classifier offload validation should be reversed as FLOW_ACTION_CONTINUE is the only supported notexceed police action type. Fix the problem by allowing FLOW_ACTION_CONTINUE for police action and extend scan_tc_matchall_fdb_actions() to only allow such actions with matchall classifier. Fixes: d97b4b105ce7 ("flow_offload: reject offload for all drivers with invalid police parameters") Signed-off-by: Vlad Buslov Acked-by: Saeed Mahameed Signed-off-by: David S. Miller commit 052f744f44462cc49b88a125b0f7b93a9e47a9dd Author: Vlad Buslov Date: Mon Jul 4 22:44:04 2022 +0200 net/sched: act_police: allow 'continue' action offload Offloading police with action TC_ACT_UNSPEC was erroneously disabled even though it was supported by mlx5 matchall offload implementation, which didn't verify the action type but instead assumed that any single police action attached to matchall classifier is a 'continue' action. Lack of action type check made it non-obvious what mlx5 matchall implementation actually supports and caused implementers and reviewers of referenced commits to disallow it as a part of improved validation code. Fixes: b8cd5831c61c ("net: flow_offload: add tc police action parameters") Fixes: b50e462bc22d ("net/sched: act_police: Add extack messages for offload failure") Signed-off-by: Vlad Buslov Reviewed-by: Ido Schimmel Tested-by: Ido Schimmel Signed-off-by: David S. Miller commit aafc013e8297b30c517a6383516bc88a3425856c Merge: 3c5a4e6d833a6 f4470dbfb5ff9 Author: Arnd Bergmann Date: Wed Jul 6 13:36:16 2022 +0200 Merge tag 'v5.19-rockchip-socfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes Add a missing of_node_put in suspend code error path. * tag 'v5.19-rockchip-socfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: ARM: rockchip: Add missing of_node_put() in rockchip_suspend_init() Link: https://lore.kernel.org/r/7527945.6fTUFtlzNn@phil Signed-off-by: Arnd Bergmann commit 3c5a4e6d833a6165566d7467a34c82e6e5a987f3 Merge: c0d1a7bd6574c 2d56af33d4df9 Author: Arnd Bergmann Date: Wed Jul 6 13:35:12 2022 +0200 Merge tag 'v5.19-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes rk3399 vdu clock-rate fix, otg port fix on Quartz64-A and ethernet fix on Quartz64-B (actual production model) * tag 'v5.19-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: arm64: dts: rockchip: Assign RK3399 VDU clock rate arm64: dts: rockchip: Fix Quartz64-A dwc3 otg port behavior arm64: dts: rockchip: Fix ethernet on production Quartz64-B Link: https://lore.kernel.org/r/7723415.29KlJPOoH8@phil Signed-off-by: Arnd Bergmann commit 4140d77a022101376bbfa3ec3e3da5063455c60e Author: Lu Baolu Date: Sat Jun 25 21:34:30 2022 +0800 iommu/vt-d: Fix RID2PASID setup/teardown failure The IOMMU driver shares the pasid table for PCI alias devices. When the RID2PASID entry of the shared pasid table has been filled by the first device, the subsequent device will encounter the "DMAR: Setup RID2PASID failed" failure as the pasid entry has already been marked as present. As the result, the IOMMU probing process will be aborted. On the contrary, when any alias device is hot-removed from the system, for example, by writing to /sys/bus/pci/devices/.../remove, the shared RID2PASID will be cleared without any notifications to other devices. As the result, any DMAs from those rest devices are blocked. Sharing pasid table among PCI alias devices could save two memory pages for devices underneath the PCIe-to-PCI bridges. Anyway, considering that those devices are rare on modern platforms that support VT-d in scalable mode and the saved memory is negligible, it's reasonable to remove this part of immature code to make the driver feasible and stable. Fixes: ef848b7e5a6a0 ("iommu/vt-d: Setup pasid entry for RID2PASID support") Reported-by: Chenyi Qiang Reported-by: Ethan Zhao Signed-off-by: Lu Baolu Reviewed-by: Kevin Tian Reviewed-by: Ethan Zhao Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220623065720.727849-1-baolu.lu@linux.intel.com Link: https://lore.kernel.org/r/20220625133430.2200315-2-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel commit 316f92a705a4c2bf4712135180d56f3cca09243a Author: Yian Chen Date: Fri May 20 17:21:15 2022 -0700 iommu/vt-d: Fix PCI bus rescan device hot add Notifier calling chain uses priority to determine the execution order of the notifiers or listeners registered to the chain. PCI bus device hot add utilizes the notification mechanism. The current code sets low priority (INT_MIN) to Intel dmar_pci_bus_notifier and postpones DMAR decoding after adding new device into IOMMU. The result is that struct device pointer cannot be found in DRHD search for the new device's DMAR/IOMMU. Subsequently, the device is put under the "catch-all" IOMMU instead of the correct one. This could cause system hang when device TLB invalidation is sent to the wrong IOMMU. Invalidation timeout error and hard lockup have been observed and data inconsistency/crush may occur as well. This patch fixes the issue by setting a positive priority(1) for dmar_pci_bus_notifier while the priority of IOMMU bus notifier uses the default value(0), therefore DMAR decoding will be in advance of DRHD search for a new device to find the correct IOMMU. Following is a 2-step example that triggers the bug by simulating PCI device hot add behavior in Intel Sapphire Rapids server. echo 1 > /sys/bus/pci/devices/0000:6a:01.0/remove echo 1 > /sys/bus/pci/rescan Fixes: 59ce0515cdaf ("iommu/vt-d: Update DRHD/RMRR/ATSR device scope") Cc: stable@vger.kernel.org # v3.15+ Reported-by: Zhang, Bernice Signed-off-by: Jacob Pan Signed-off-by: Yian Chen Link: https://lore.kernel.org/r/20220521002115.1624069-1-yian.chen@intel.com Signed-off-by: Joerg Roedel commit b57feed2cc2622ae14b2fa62f19e973e5e0a60cf Author: Michael Roth Date: Tue Jul 5 21:53:15 2022 -0500 x86/compressed/64: Add identity mappings for setup_data entries The decompressed kernel initially relies on the identity map set up by the boot/compressed kernel for accessing things like boot_params. With the recent introduction of SEV-SNP support, the decompressed kernel also needs to access the setup_data entries pointed to by boot_params->hdr.setup_data. This can lead to a crash in the kexec kernel during early boot due to these entries not currently being included in the initial identity map, see thread at Link below. Include mappings for the setup_data entries in the initial identity map. [ bp: Massage commit message and use a helper var for better readability. ] Fixes: b190a043c49a ("x86/sev: Add SEV-SNP feature detection/setup") Reported-by: Jun'ichi Nomura Signed-off-by: Michael Roth Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/TYCPR01MB694815CD815E98945F63C99183B49@TYCPR01MB6948.jpnprd01.prod.outlook.com commit 1dbe67b9faea0bc340cce894018076679c16cb71 Author: Christophe JAILLET Date: Sun May 22 19:41:05 2022 +0200 dmaengine: lgm: Fix an error handling path in intel_ldma_probe() ldma_clk_disable() calls both: clk_disable_unprepare(d->core_clk); reset_control_assert(d->rst); So, should devm_reset_control_get_optional() fail, core_clk should not be prepare_enable'd before it, otherwise it will never be disable_unprepare'd. Reorder the code to handle the error handling path as expected. Fixes: 32d31c79a1a4 ("dmaengine: Add Intel LGM SoC DMA support.") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/18504549bc4d2b62a72a02cb22a2e4d8e6a58720.1653241224.git.christophe.jaillet@wanadoo.fr Signed-off-by: Vinod Koul commit b64b3b2f1d81f83519582e1feee87d77f51f5f17 Author: Dmitry Osipenko Date: Fri May 20 21:14:32 2022 +0300 dmaengine: pl330: Fix lockdep warning about non-static key The DEFINE_SPINLOCK() macro shouldn't be used for dynamically allocated spinlocks. The lockdep warns about this and disables locking validator. Fix the warning by making lock static. INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. Hardware name: Radxa ROCK Pi 4C (DT) Call trace: dump_backtrace.part.0+0xcc/0xe0 show_stack+0x18/0x6c dump_stack_lvl+0x8c/0xb8 dump_stack+0x18/0x34 register_lock_class+0x4a8/0x4cc __lock_acquire+0x78/0x20cc lock_acquire.part.0+0xe0/0x230 lock_acquire+0x68/0x84 _raw_spin_lock_irqsave+0x84/0xc4 add_desc+0x44/0xc0 pl330_get_desc+0x15c/0x1d0 pl330_prep_dma_cyclic+0x100/0x270 snd_dmaengine_pcm_trigger+0xec/0x1c0 dmaengine_pcm_trigger+0x18/0x24 ... Fixes: e588710311ee ("dmaengine: pl330: fix descriptor allocation fail") Signed-off-by: Dmitry Osipenko Link: https://lore.kernel.org/r/20220520181432.149904-1-dmitry.osipenko@collabora.com Signed-off-by: Vinod Koul commit e6fa930f73a15238f3cb0c204e2f786c919b815c Author: Michael Walle Date: Mon Jul 4 17:36:54 2022 +0200 net: lan966x: hardcode the number of external ports Instead of counting the child nodes in the device tree, hardcode the number of ports in the driver itself. The counting won't work at all if an ethernet port is marked as disabled, e.g. because it is not connected on the board at all. It turns out that the LAN9662 and LAN9668 use the same switching IP with the same synthesis parameters. The only difference is that the output ports are not connected. Thus, we can just hardcode the number of physical ports to 8. Fixes: db8bcaad5393 ("net: lan966x: add the basic lan966x driver") Signed-off-by: Michael Walle Reviewed-by: Horatiu Vultur Link: https://lore.kernel.org/r/20220704153654.1167886-1-michael@walle.cc Signed-off-by: Jakub Kicinski commit afe4e376ac5d568367b447ca90c12858d0935b86 Author: Jason Gunthorpe Date: Mon Jul 4 22:10:50 2022 -0300 vfio: Move IOMMU_CAP_CACHE_COHERENCY test to after we know we have a group The test isn't going to work if a group doesn't exist. Normally this isn't a problem since VFIO isn't going to create a device if there is no group, but the special CONFIG_VFIO_NOIOMMU behavior allows bypassing this prevention. The new cap test effectively forces a group and breaks this config option. Move the cap test to vfio_group_find_or_alloc() which is the earliest time we know we have a group available and thus are not running in noiommu mode. Fixes: e8ae0e140c05 ("vfio: Require that devices support DMA cache coherence") Reported-by: Xiang Chen Tested-by: Xiang Chen Signed-off-by: Jason Gunthorpe Link: https://lore.kernel.org/r/0-v1-e8934b490f36+f4-vfio_cap_fix_jgg@nvidia.com Signed-off-by: Alex Williamson commit 26c12725b462a4d39a8494554c9713d6fb86f6bd Merge: 029cc0963412c e36bea6e78ab2 Author: Jakub Kicinski Date: Tue Jul 5 14:42:09 2022 -0700 Merge tag 'for-net-2022-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - Fix deadlock when powering on. * tag 'for-net-2022-07-05' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: core: Fix deadlock on hci_power_on_sync. ==================== Link: https://lore.kernel.org/r/20220705202700.1689796-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski commit e36bea6e78ab2b6c9c7396972fee231eae551cfc Author: Vasyl Vavrychuk Date: Tue Jul 5 15:59:31 2022 +0300 Bluetooth: core: Fix deadlock on hci_power_on_sync. `cancel_work_sync(&hdev->power_on)` was moved to hci_dev_close_sync in commit [1] to ensure that power_on work is canceled after HCI interface down. But, in certain cases power_on work function may call hci_dev_close_sync itself: hci_power_on -> hci_dev_do_close -> hci_dev_close_sync -> cancel_work_sync(&hdev->power_on), causing deadlock. In particular, this happens when device is rfkilled on boot. To avoid deadlock, move power_on work canceling out of hci_dev_do_close/hci_dev_close_sync. Deadlock introduced by commit [1] was reported in [2,3] as broken suspend. Suspend did not work because `hdev->req_lock` held as result of `power_on` work deadlock. In fact, other BT features were not working. It was not observed when testing [1] since it was verified without rfkill in place. NOTE: It is not needed to cancel power_on work from other places where hci_dev_do_close/hci_dev_close_sync is called in case: * Requests were serialized due to `hdev->req_workqueue`. The power_on work is first in that workqueue. * hci_rfkill_set_block which won't close device anyway until HCI_SETUP is on. * hci_sock_release which runs after hci_sock_bind which ensures HCI_SETUP was cleared. As result, behaviour is the same as in pre-dd06ed7 commit, except power_on work cancel added to hci_dev_close. [1]: commit ff7f2926114d ("Bluetooth: core: Fix missing power_on work cancel on HCI close") [2]: https://lore.kernel.org/lkml/20220614181706.26513-1-max.oss.09@gmail.com/ [2]: https://lore.kernel.org/lkml/1236061d-95dd-c3ad-a38f-2dae7aae51ef@o2.pl/ Fixes: ff7f2926114d ("Bluetooth: core: Fix missing power_on work cancel on HCI close") Signed-off-by: Vasyl Vavrychuk Reported-by: Max Krummenacher Reported-by: Mateusz Jonczyk Tested-by: Max Krummenacher Signed-off-by: Luiz Augusto von Dentz commit 8b356e536e69f3a4d6778ae9f0858a1beadabb1f Author: Mario Limonciello Date: Tue Jul 5 13:29:15 2022 -0500 ACPI: CPPC: Don't require _OSC if X86_FEATURE_CPPC is supported commit 72f2ecb7ece7 ("ACPI: bus: Set CPPC _OSC bits for all and when CPPC_LIB is supported") added support for claiming to support CPPC in _OSC on non-Intel platforms. This unfortunately caused a regression on a vartiety of AMD platforms in the field because a number of AMD platforms don't set the `_OSC` bit 5 or 6 to indicate CPPC or CPPC v2 support. As these AMD platforms already claim CPPC support via a dedicated MSR from `X86_FEATURE_CPPC`, use this enable this feature rather than requiring the `_OSC` on platforms with a dedicated MSR. If there is additional breakage on the shared memory designs also missing this _OSC, additional follow up changes may be needed. Fixes: 72f2ecb7ece7 ("Set CPPC _OSC bits for all and when CPPC_LIB is supported") Reported-by: Perry Yuan Signed-off-by: Mario Limonciello Signed-off-by: Rafael J. Wysocki commit 7feec7430edddb87c24b0a86b08a03d0b496a755 Author: Mario Limonciello Date: Tue Jul 5 13:29:14 2022 -0500 ACPI: CPPC: Only probe for _CPC if CPPC v2 is acked Previously the kernel used to ignore whether the firmware masked CPPC or CPPCv2 and would just pretend that it worked. When support for the USB4 bit in _OSC was introduced from commit 9e1f561afb ("ACPI: Execute platform _OSC also with query bit clear") the kernel began to look at the return when the query bit was clear. This caused regressions that were misdiagnosed and attempted to be solved as part of commit 2ca8e6285250 ("Revert "ACPI: Pass the same capabilities to the _OSC regardless of the query flag""). This caused a different regression where non-Intel systems weren't able to negotiate _OSC properly. This was reverted in commit 2ca8e6285250 ("Revert "ACPI: Pass the same capabilities to the _OSC regardless of the query flag"") and attempted to be fixed by commit c42fa24b4475 ("ACPI: bus: Avoid using CPPC if not supported by firmware") but the regression still returned. These systems with the regression only load support for CPPC from an SSDT dynamically when _OSC reports CPPC v2. Avoid the problem by not letting CPPC satisfy the requirement in `acpi_cppc_processor_probe`. Reported-by: CUI Hao Reported-by: maxim.novozhilov@gmail.com Reported-by: lethe.tree@protonmail.com Reported-by: garystephenwright@gmail.com Reported-by: galaxyking0419@gmail.com Fixes: c42fa24b4475 ("ACPI: bus: Avoid using CPPC if not supported by firmware") Fixes: 2ca8e6285250 ("Revert "ACPI Pass the same capabilities to the _OSC regardless of the query flag"") Link: https://bugzilla.kernel.org/show_bug.cgi?id=213023 Link: https://bugzilla.redhat.com/show_bug.cgi?id=2075387 Reviewed-by: Mika Westerberg Tested-by: CUI Hao Signed-off-by: Mario Limonciello Signed-off-by: Rafael J. Wysocki commit e35e5b6f695d241ffb1d223207da58a1fbcdff4b Merge: c1084b6c5620a b75cd218274e0 Author: Linus Torvalds Date: Tue Jul 5 09:18:32 2022 -0700 Merge tag 'xsa-5.19-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen security fixes from Juergen Gross: - XSA-403 (4 patches for blkfront and netfront drivers): Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). - XSA-405 (1 patch for netfront driver, only 5.10 and newer): While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. - XSA-406 (1 patch for Arm specific dom0 code): When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. * tag 'xsa-5.19-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen/arm: Fix race in RB-tree based P2M accounting xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses() xen/blkfront: force data bouncing when backend is untrusted xen/netfront: force data bouncing when backend is untrusted xen/netfront: fix leaking data in shared pages xen/blkfront: fix leaking data in shared pages commit efa310ba00716d7a872bdc5fa1f5545edc9efd69 Author: Conor Dooley Date: Wed Jun 29 21:07:33 2022 +0100 riscv: dts: microchip: hook up the mpfs' l2cache The initial PolarFire SoC devicetree must have been forked off from the fu540 one prior to the addition of l2cache controller support being added there. When the controller node was added to mpfs.dtsi, it was not hooked up to the CPUs & thus sysfs reports an incorrect cache configuration. Hook it up. Fixes: 0fa6107eca41 ("RISC-V: Initial DTS for Microchip ICICLE board") Reviewed-by: Sudeep Holla Reviewed-by: Daire McNamara Signed-off-by: Conor Dooley commit c5e58c4545a69677d078b4c813b5d10d3481be9c Author: Takashi Iwai Date: Tue Jul 5 17:23:36 2022 +0200 ALSA: cs46xx: Fix missing snd_card_free() call at probe error The previous cleanup with devres may lead to the incorrect release orders at the probe error handling due to the devres's nature. Until we register the card, snd_card_free() has to be called at first for releasing the stuff properly when the driver tries to manage and release the stuff via card->private_free(). This patch fixes it by calling snd_card_free() manually on the error from the probe callback. Fixes: 5bff69b3645d ("ALSA: cs46xx: Allocate resources with device-managed APIs") Cc: Reported-and-tested-by: Jan Engelhardt Link: https://lore.kernel.org/r/p2p1s96o-746-74p4-s95-61qo1p7782pn@vanv.qr Link: https://lore.kernel.org/r/20220705152336.350-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 85e4ea1049c70fb99de5c6057e835d151fb647da Author: David Howells Date: Wed Apr 20 14:27:17 2022 +0100 fscache: Fix invalidation/lookup race If an NFS file is opened for writing and closed, fscache_invalidate() will be asked to invalidate the file - however, if the cookie is in the LOOKING_UP state (or the CREATING state), then request to invalidate doesn't get recorded for fscache_cookie_state_machine() to do something with. Fix this by making __fscache_invalidate() set a flag if it sees the cookie is in the LOOKING_UP state to indicate that we need to go to invalidation. Note that this requires a count on the n_accesses counter for the state machine, which that will release when it's done. fscache_cookie_state_machine() then shifts to the INVALIDATING state if it sees the flag. Without this, an nfs file can get corrupted if it gets modified locally and then read locally as the cache contents may not get updated. Fixes: d24af13e2e23 ("fscache: Implement cookie invalidation") Reported-by: Max Kellermann Signed-off-by: David Howells Tested-by: Max Kellermann Link: https://lore.kernel.org/r/YlWWbpW5Foynjllo@rabbit.intern.cm-ag [1] commit 65aa5f6fd8a12e0a343aaf1815949a79a49e3f35 Author: Jia Zhu Date: Thu Jun 9 16:54:10 2022 +0800 cachefiles: narrow the scope of flushed requests when releasing fd When an anonymous fd is released, only flush the requests associated with it, rather than all of requests in xarray. Fixes: 9032b6e8589f ("cachefiles: implement on-demand read") Signed-off-by: Jia Zhu Signed-off-by: David Howells Reviewed-by: Jeffle Xu Reviewed-by: Gao Xiang Link: https://listman.redhat.com/archives/linux-cachefs/2022-June/006937.html commit 5c4588aea6675b69e328d468c5b6be5127e19a79 Author: Yue Hu Date: Wed May 25 10:51:50 2022 +0800 fscache: Introduce fscache_cookie_is_dropped() FSCACHE_COOKIE_STATE_DROPPED will be read more than once, so let's add a helper to avoid code duplication. Signed-off-by: Yue Hu Signed-off-by: David Howells Link: https://listman.redhat.com/archives/linux-cachefs/2022-May/006919.html commit bf17455b9cbd4b10bf30d39c047307e1d774fb1a Author: Yue Hu Date: Wed May 25 10:32:22 2022 +0800 fscache: Fix if condition in fscache_wait_on_volume_collision() After waiting for the volume to complete the acquisition with timeout, the if condition under which potential volume collision occurs should be acquire the volume is still pending rather than not pending so that we will continue to wait until the pending flag is cleared. Also, use the existing test pending wrapper directly instead of test_bit(). Fixes: 62ab63352350 ("fscache: Implement volume registration") Signed-off-by: Yue Hu Signed-off-by: David Howells Reviewed-by: Gao Xiang Reviewed-by: Jeffle Xu Reviewed-by: Jeff Layton Link: https://listman.redhat.com/archives/linux-cachefs/2022-May/006918.html commit 8af3a0b23818af59971f538bf258c15e1033ea55 Author: Leon Romanovsky Date: Tue Jul 5 13:21:14 2022 +0300 gpio: vf610: fix compilation error Fix compilation error by explicitly adding the missing include. drivers/gpio/gpio-vf610.c: In function ‘vf610_gpio_direction_input’: drivers/gpio/gpio-vf610.c:120:9: error: implicit declaration of function ‘pinctrl_gpio_direction_input’; did you mean ‘vf610_gpio_direction_input’? [-Werror=implicit-function-declaration] 120 | return pinctrl_gpio_direction_input(chip->base + gpio); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ | vf610_gpio_direction_input Fixes: 30a35c07d9e9 ("gpio: vf610: drop the SOC_VF610 dependency for GPIO_VF610") Signed-off-by: Leon Romanovsky Signed-off-by: Tariq Toukan Reviewed-by: Andy Shevchenko Reviewed-by: Peng Fan Signed-off-by: Bartosz Golaszewski commit 8ffccd119a5908b240a26182be44c0ff3d1e3d85 Author: Jerry Snitselaar Date: Sat Jun 25 22:16:48 2022 -0700 dmaengine: idxd: Only call idxd_enable_system_pasid() if succeeded in enabling SVA feature On a Sapphire Rapids system if boot without intel_iommu=on, the IDXD driver will crash during probe in iommu_sva_bind_device(). [ 21.423729] BUG: kernel NULL pointer dereference, address: 0000000000000038 [ 21.445108] #PF: supervisor read access in kernel mode [ 21.450912] #PF: error_code(0x0000) - not-present page [ 21.456706] PGD 0 [ 21.459047] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 21.464004] CPU: 0 PID: 1420 Comm: kworker/0:3 Not tainted 5.19.0-0.rc3.27.eln120.x86_64 #1 [ 21.464011] Hardware name: Intel Corporation EAGLESTREAM/EAGLESTREAM, BIOS EGSDCRB1.SYS.0067.D12.2110190954 10/19/2021 [ 21.464015] Workqueue: events work_for_cpu_fn [ 21.464030] RIP: 0010:iommu_sva_bind_device+0x1d/0xe0 [ 21.464046] Code: c3 cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 49 89 d6 41 55 41 54 55 53 48 83 ec 08 48 8b 87 d8 02 00 00 <48> 8b 40 38 48 8b 50 10 48 83 7a 70 00 48 89 14 24 0f 84 91 00 00 [ 21.464050] RSP: 0018:ff7245d9096b7db8 EFLAGS: 00010296 [ 21.464054] RAX: 0000000000000000 RBX: ff1eadeec8a51000 RCX: 0000000000000000 [ 21.464058] RDX: ff7245d9096b7e24 RSI: 0000000000000000 RDI: ff1eadeec8a510d0 [ 21.464060] RBP: ff1eadeec8a51000 R08: ffffffffb1a12300 R09: ff1eadffbfce25b4 [ 21.464062] R10: ffffffffffffffff R11: 0000000000000038 R12: ffffffffc09f8000 [ 21.464065] R13: ff1eadeec8a510d0 R14: ff7245d9096b7e24 R15: ff1eaddf54429000 [ 21.464067] FS: 0000000000000000(0000) GS:ff1eadee7f600000(0000) knlGS:0000000000000000 [ 21.464070] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.464072] CR2: 0000000000000038 CR3: 00000008c0e10006 CR4: 0000000000771ef0 [ 21.464074] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 21.464076] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 21.464078] PKRU: 55555554 [ 21.464079] Call Trace: [ 21.464083] [ 21.464092] idxd_pci_probe+0x259/0x1070 [idxd] [ 21.464121] local_pci_probe+0x3e/0x80 [ 21.464132] work_for_cpu_fn+0x13/0x20 [ 21.464136] process_one_work+0x1c4/0x380 [ 21.464143] worker_thread+0x1ab/0x380 [ 21.464147] ? _raw_spin_lock_irqsave+0x23/0x50 [ 21.464158] ? process_one_work+0x380/0x380 [ 21.464161] kthread+0xe6/0x110 [ 21.464168] ? kthread_complete_and_exit+0x20/0x20 [ 21.464172] ret_from_fork+0x1f/0x30 iommu_sva_bind_device() requires SVA has been enabled successfully on the IDXD device before it's called. Otherwise, iommu_sva_bind_device() will access a NULL pointer. If Intel IOMMU is disabled, SVA cannot be enabled and thus idxd_enable_system_pasid() and iommu_sva_bind_device() should not be called. Fixes: 42a1b73852c4 ("dmaengine: idxd: Separate user and kernel pasid enabling") Cc: Vinod Koul Cc: linux-kernel@vger.kernel.org Cc: Dave Jiang Cc: Fenghua Yu Link: https://lore.kernel.org/dmaengine/20220623170232.6whonfjuh3m5vcoy@cantor/ Signed-off-by: Jerry Snitselaar Acked-by: Fenghua Yu Link: https://lore.kernel.org/r/20220626051648.14249-1-jsnitsel@redhat.com Signed-off-by: Vinod Koul commit 3770d92bd5237d686e49da7b2fb86f53ee6ed259 Author: Michael Walle Date: Thu May 26 15:51:11 2022 +0200 dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly It seems that it is valid to have less than the requested number of descriptors. But what is not valid and leads to subsequent errors is to have zero descriptors. In that case, abort the probing. Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") Signed-off-by: Michael Walle Link: https://lore.kernel.org/r/20220526135111.1470926-1-michael@walle.cc Signed-off-by: Vinod Koul commit 029cc0963412c4f989d2731759ce4578f7e1a667 Merge: 7e8c182c36e23 83844aacab201 Author: Paolo Abeni Date: Tue Jul 5 11:52:35 2022 +0200 Merge branch 'fix-bridge_vlan_aware-sh-and-bridge_vlan_unaware-sh-with-iff_unicast_flt' Vladimir Oltean says: ==================== Fix bridge_vlan_aware.sh and bridge_vlan_unaware.sh with IFF_UNICAST_FLT Make sure that h1 and h2 don't drop packets with a random MAC DA, which otherwise confuses these selftests. Also, fix an incorrect error message found during those failures. ==================== Link: https://lore.kernel.org/r/20220703073626.937785-1-vladimir.oltean@nxp.com Signed-off-by: Paolo Abeni commit 83844aacab2015da1dba1df0cc61fc4b4c4e8076 Author: Vladimir Oltean Date: Sun Jul 3 10:36:26 2022 +0300 selftests: forwarding: fix error message in learning_test When packets are not received, they aren't received on $host1_if, so the message talking about the second host not receiving them is incorrect. Fix it. Fixes: d4deb01467ec ("selftests: forwarding: Add a test for FDB learning") Signed-off-by: Vladimir Oltean Reviewed-by: Ido Schimmel Signed-off-by: Paolo Abeni commit 1a635d3e1c80626237fdae47a5545b6655d8d81c Author: Vladimir Oltean Date: Sun Jul 3 10:36:25 2022 +0300 selftests: forwarding: fix learning_test when h1 supports IFF_UNICAST_FLT The first host interface has by default no interest in receiving packets MAC DA de:ad:be:ef:13:37, so it might drop them before they hit the tc filter and this might confuse the selftest. Enable promiscuous mode such that the filter properly counts received packets. Fixes: d4deb01467ec ("selftests: forwarding: Add a test for FDB learning") Signed-off-by: Vladimir Oltean Reviewed-by: Ido Schimmel Tested-by: Ido Schimmel Signed-off-by: Paolo Abeni commit b8e629b05f5d23f9649c901bef09fab8b0c2e4b9 Author: Vladimir Oltean Date: Sun Jul 3 10:36:24 2022 +0300 selftests: forwarding: fix flood_unicast_test when h2 supports IFF_UNICAST_FLT As mentioned in the blamed commit, flood_unicast_test() works by checking the match count on a tc filter placed on the receiving interface. But the second host interface (host2_if) has no interest in receiving a packet with MAC DA de:ad:be:ef:13:37, so its RX filter drops it even before the ingress tc filter gets to be executed. So we will incorrectly get the message "Packet was not flooded when should", when in fact, the packet was flooded as expected but dropped due to an unrelated reason, at some other layer on the receiving side. Force h2 to accept this packet by temporarily placing it in promiscuous mode. Alternatively we could either deliver to its MAC address or use tcpdump_start, but this has the fewest complications. This fixes the "flooding" test from bridge_vlan_aware.sh and bridge_vlan_unaware.sh, which calls flood_test from the lib. Fixes: 236dd50bf67a ("selftests: forwarding: Add a test for flooded traffic") Signed-off-by: Vladimir Oltean Reviewed-by: Ido Schimmel Tested-by: Ido Schimmel Signed-off-by: Paolo Abeni commit 7e8c182c36e2366b7402d3913bf717eac04e458d Merge: 1b18f09d31cfa 1c0e78a287e34 Author: Jakub Kicinski Date: Mon Jul 4 20:21:01 2022 -0700 Merge tag 'linux-can-fixes-for-5.19-20220704' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== can 2022-07-04 The 1st patch is by Oliver Hartkopp, targets the BCM CAN protocol and converts a costly synchronize_rcu() to call_rcu() to fix a performance regression. Srinivas Neeli's patch for the xilinx_can driver drops the brp limit down to 1, as only the pre-production silicon have an issue with a brp of 1. The next patch is by Duy Nguyen and fixes the data transmission on R-Car V3U SoCs in the rcar_canfd driver. Rhett Aultman's patch fixes a DMA memory leak in the gs_usb driver. Liang He's patch removes an extra of_node_get() in the grcan driver. The next 2 patches are by me, target the m_can driver and fix the timestamp handling used for peripheral devices like the tcan4x5x. Jimmy Assarsson contributes 3 patches for the kvaser_usb driver and fixes CAN clock and bit timing related issues. The remaining 5 patches target the mcp251xfd driver. Thomas Kopp contributes 2 patches to improve the workaround for broken CRC when reading the TBC register. 3 patches by me add a missing hrtimer_cancel() during the ndo_stop() callback, and fix the reading of the Device ID register. * tag 'linux-can-fixes-for-5.19-20220704' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can: can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix endianness conversion can: mcp251xfd: mcp251xfd_register_get_dev_id(): use correct length to read dev_id can: mcp251xfd: mcp251xfd_stop(): add missing hrtimer_cancel() can: mcp251xfd: mcp251xfd_regmap_crc_read(): update workaround broken CRC on TBC register can: mcp251xfd: mcp251xfd_regmap_crc_read(): improve workaround handling for mcp2517fd can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info can: m_can: m_can_{read_fifo,echo_tx_event}(): shift timestamp to full 32 bits can: m_can: m_can_chip_config(): actually enable internal timestamping can: grcan: grcan_probe(): remove extra of_node_get() can: gs_usb: gs_usb_open/close(): fix memory leak can: rcar_canfd: Fix data transmission failed on R-Car V3U Revert "can: xilinx_can: Limit CANFD brp to 2" can: bcm: use call_rcu() instead of costly synchronize_rcu() ==================== Link: https://lore.kernel.org/r/20220704122613.1551119-1-mkl@pengutronix.de Signed-off-by: Jakub Kicinski commit e95ea0f687e679fcb0a3a67d0755b81ee7d60db0 Author: Kris Bahnsen Date: Thu Jun 30 14:03:27 2022 -0700 ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count Device-tree incorrectly used "ngpio" which caused the driver to fallback to 32 ngpios. This platform has 62 GPIO registers. Fixes: 9ff8e9fccef9 ("ARM: dts: TS-7970: add basic device tree") Signed-off-by: Kris Bahnsen Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo commit 3c12e9da3098a30fc82dea01768d355c28e3692d Author: Sean Anderson Date: Thu Apr 28 14:16:59 2022 -0400 arm64: dts: ls1028a: Update SFP node to include clock The clocks property is now mandatory. Add it to avoid warning message. Signed-off-by: Sean Anderson Reviewed-by: Michael Walle Fixes: eba5bea8f37f ("arm64: dts: ls1028a: add efuse node") Signed-off-by: Shawn Guo commit 79471f29ec4870bc02b4fea844e86669a8a4f2a5 Author: Samuel Holland Date: Fri Jul 1 22:29:21 2022 -0500 dt-bindings: display: sun4i: Fix D1 pipeline count When adding the bindings for the D1 display engine, I missed the condition for the number of pipelines. D1 has two mixers, so it will have two pipeline references. Fixes: ae5a5d26c15c ("dt-bindings: display: Add D1 display engine compatibles") Signed-off-by: Samuel Holland Reviewed-by: Jernej Skrabec Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20220702032921.22433-1-samuel@sholland.org commit c1084b6c5620a743f86947caca66d90f24060f56 Merge: 88084a3df1672 c0d1a7bd6574c Author: Linus Torvalds Date: Mon Jul 4 10:41:59 2022 -0700 Merge tag 'soc-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "Another set of minor patches for Arm DTS files and soc specific drivers: - More reference counting bug fixes for DT nodes, and other trivial code fixes - Multiple code fixes for the Arm SCMI firmware driver to improve compatibility with firmware implementations. - A patch series for at91 to address power management issues from using the wrong DT compatible properties. - A series of patches to fix pad settings for NXP imx8mp to leave the configuration untouched from the boot loader - Additional DT fixes for qualcomm and NXP platforms - A boot time fix for stm32mp15 DT - Konrad Dybcio becomes an additional reviewer for the Qualcomm platforms" * tag 'soc-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (42 commits) soc: qcom: smem: use correct format characters ARM: dts: stm32: add missing usbh clock and fix clk order on stm32mp15 ARM: dts: stm32: delete fixed clock node on STM32MP15-SCMI ARM: dts: stm32: DSI should use LSE SCMI clock on DK1/ED1 STM32 board ARM: dts: stm32: use the correct clock source for CEC on stm32mp151 ARM: dts: stm32: fix pwr regulators references to use scmi soc: ixp4xx/npe: Fix unused match warning ARM: at91: pm: Mark at91_pm_secure_init as __init ARM: at91: fix soc detection for SAM9X60 SiPs ARM: dts: at91: sama5d2_icp: fix eeprom compatibles ARM: dts: at91: sam9x60ek: fix eeprom compatible and size ARM: at91: pm: use proper compatibles for sama7g5's rtc and rtt ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt ARM: at91: pm: use proper compatible for sama5d2's rtc arm64: dts: qcom: msm8992-*: Fix vdd_lvs1_2-supply typo firmware: arm_scmi: Remove usage of the deprecated ida_simple_xxx API firmware: arm_scmi: Fix response size warning for OPTEE transport arm64: dts: imx8mp-icore-mx8mp-edim2.2: correct pad settings arm64: dts: imx8mp-phyboard-pollux-rdk: correct i2c2 & mmc settings arm64: dts: imx8mp-phyboard-pollux-rdk: correct eqos pad settings ... commit 9fc33eaaa979d112d10fea729edcd2a2e21aa912 Author: Dmitry Osipenko Date: Thu Jun 30 23:06:01 2022 +0300 drm/panfrost: Fix shrinker list corruption by madvise IOCTL Calling madvise IOCTL twice on BO causes memory shrinker list corruption and crashes kernel because BO is already on the list and it's added to the list again, while BO should be removed from the list before it's re-added. Fix it. Cc: stable@vger.kernel.org Fixes: 013b65101315 ("drm/panfrost: Add madvise and shrinker support") Acked-by: Alyssa Rosenzweig Reviewed-by: Steven Price Signed-off-by: Dmitry Osipenko Signed-off-by: Steven Price Link: https://patchwork.freedesktop.org/patch/msgid/20220630200601.1884120-3-dmitry.osipenko@collabora.com commit fb6e0637ab7ebd8e61fe24f4d663c4bae99cfa62 Author: Dmitry Osipenko Date: Thu Jun 30 23:06:00 2022 +0300 drm/panfrost: Put mapping instead of shmem obj on panfrost_mmu_map_fault_addr() error When panfrost_mmu_map_fault_addr() fails, the BO's mapping should be unreferenced and not the shmem object which backs the mapping. Cc: stable@vger.kernel.org Fixes: bdefca2d8dc0 ("drm/panfrost: Add the panfrost_gem_mapping concept") Reviewed-by: Steven Price Signed-off-by: Dmitry Osipenko Signed-off-by: Steven Price Link: https://patchwork.freedesktop.org/patch/msgid/20220630200601.1884120-2-dmitry.osipenko@collabora.com commit 8490cad4dc4e2ee265ba9e12cd47bdfd6b9a3d34 Author: Steven Price Date: Wed Jun 15 16:48:30 2022 +0100 drm/rockchip: Detach from ARM DMA domain in attach_device Since commit 1ea2a07a532b ("iommu: Add DMA ownership management interfaces") the Rockchip display driver on the Firefly RK3288 fails to initialise properly. This is because ARM DMA domain is still attached. Let's follow the lead of exynos and tegra and add code to explicitly remove the ARM domain before attaching a new one. Fixes: 1ea2a07a532b ("iommu: Add DMA ownership management interfaces") Suggested-by: Robin Murphy Signed-off-by: Steven Price Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20220615154830.555422-1-steven.price@arm.com commit 1dbc790b4d416dacb124a6acd05f88a0bcf3be39 Author: Liu Ying Date: Fri Jul 1 14:56:34 2022 +0800 drm/bridge: fsl-ldb: Drop DE signal polarity inversion It's unnecessary to invert input data enable signal polarity according to the output one. Let's drop the inversion. Since ->atomic_check() does nothing more than the inversion, it can be dropped entirely as well. Without this patch, 'koe,tx26d202vm0bwa' LVDS panel connected with i.MX8MP EVK board does not show any data on screen. Fixes: 463db5c2ed4a ("drm: bridge: ldb: Implement simple Freescale i.MX8MP LDB bridge") Cc: Andrzej Hajda Cc: Neil Armstrong Cc: Robert Foss Cc: Laurent Pinchart Cc: Jonas Karlman Cc: Jernej Skrabec Cc: David Airlie Cc: Daniel Vetter Cc: Sam Ravnborg Cc: Marek Vasut Cc: NXP Linux Team Signed-off-by: Liu Ying Reviewed-by: Marek Vasut Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20220701065634.4027537-4-victor.liu@nxp.com commit 57ef278ef125e9188474a164f35dcffc69836d01 Author: Liu Ying Date: Fri Jul 1 14:56:33 2022 +0800 drm/bridge: fsl-ldb: Enable split mode for LVDS dual link When LVDS dual link is used, we have to enable the LDB_CTRL_SPLIT_MODE bit. Fixes: 463db5c2ed4a ("drm: bridge: ldb: Implement simple Freescale i.MX8MP LDB bridge") Cc: Andrzej Hajda Cc: Neil Armstrong Cc: Robert Foss Cc: Laurent Pinchart Cc: Jonas Karlman Cc: Jernej Skrabec Cc: David Airlie Cc: Daniel Vetter Cc: Sam Ravnborg Cc: Marek Vasut Cc: NXP Linux Team Signed-off-by: Liu Ying Reviewed-by: Marek Vasut Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20220701065634.4027537-3-victor.liu@nxp.com commit 591129d3db266648823bb953ebbc28c92e059bf3 Author: Liu Ying Date: Fri Jul 1 14:56:32 2022 +0800 drm/bridge: fsl-ldb: Fix mode clock rate validation With LVDS dual link, up to 160MHz mode clock rate is supported. With LVDS single link, up to 80MHz mode clock rate is supported. Fix mode clock rate validation by swapping the maximum mode clock rates of the two link modes. Fixes: 463db5c2ed4a ("drm: bridge: ldb: Implement simple Freescale i.MX8MP LDB bridge") Cc: Andrzej Hajda Cc: Neil Armstrong Cc: Robert Foss Cc: Laurent Pinchart Cc: Jonas Karlman Cc: Jernej Skrabec Cc: David Airlie Cc: Daniel Vetter Cc: Sam Ravnborg Cc: Marek Vasut Cc: NXP Linux Team Signed-off-by: Liu Ying Reviewed-by: Marek Vasut Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20220701065634.4027537-2-victor.liu@nxp.com commit c0d1a7bd6574c8805184468c736e26dc416bebf0 Merge: 0ec29ccf94eb4 1d0c1aadf1fd9 Author: Arnd Bergmann Date: Mon Jul 4 14:29:17 2022 +0200 Merge tag 'stm32-dt-for-v5.19-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/atorgue/stm32 into arm/fixes STM32 DT fixes for v5.19, round 2 Highlights: ----------- -Fixes STM32MP15: - Add missing usbh clock and fix clk order for usbh to avoid PLL issue. - Fix SCMI version: use scmi regulator and update missing SCMI clocks to be able to correcly boot. * tag 'stm32-dt-for-v5.19-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/atorgue/stm32: ARM: dts: stm32: add missing usbh clock and fix clk order on stm32mp15 ARM: dts: stm32: delete fixed clock node on STM32MP15-SCMI ARM: dts: stm32: DSI should use LSE SCMI clock on DK1/ED1 STM32 board ARM: dts: stm32: use the correct clock source for CEC on stm32mp151 ARM: dts: stm32: fix pwr regulators references to use scmi Link: https://lore.kernel.org/r/1259e082-a3a4-96a5-ec9c-05dbb893a746@foss.st.com Signed-off-by: Arnd Bergmann commit 0ec29ccf94eb4c32570555a882575eca9eec6467 Author: Bill Wendling Date: Mon Mar 21 10:49:12 2022 -0700 soc: qcom: smem: use correct format characters When compiling with -Wformat, clang emits the following warnings: drivers/soc/qcom/smem.c:847:41: warning: format specifies type 'unsigned short' but the argument has type 'unsigned int' [-Wformat] dev_err(smem->dev, "bad host %hu\n", remote_host); ~~~ ^~~~~~~~~~~ %u ./include/linux/dev_printk.h:144:65: note: expanded from macro 'dev_err' dev_printk_index_wrap(_dev_err, KERN_ERR, dev, dev_fmt(fmt), ##__VA_ARGS__) ~~~ ^~~~~~~~~~~ ./include/linux/dev_printk.h:110:23: note: expanded from macro 'dev_printk_index_wrap' _p_func(dev, fmt, ##__VA_ARGS__); \ ~~~ ^~~~~~~~~~~ drivers/soc/qcom/smem.c:852:47: warning: format specifies type 'unsigned short' but the argument has type 'unsigned int' [-Wformat] dev_err(smem->dev, "duplicate host %hu\n", remote_host); ~~~ ^~~~~~~~~~~ %u ./include/linux/dev_printk.h:144:65: note: expanded from macro 'dev_err' dev_printk_index_wrap(_dev_err, KERN_ERR, dev, dev_fmt(fmt), ##__VA_ARGS__) ~~~ ^~~~~~~~~~~ ./include/linux/dev_printk.h:110:23: note: expanded from macro 'dev_printk_index_wrap' _p_func(dev, fmt, ##__VA_ARGS__); \ ~~~ ^~~~~~~~~~~ The types of these arguments are unconditionally defined, so this patch updates the format character to the correct one and change type of remote_host to "u16" to match with other types. Signed-off-by: Bill Wendling Tested-by: Justin Stitt Reviewed-by: Justin Stitt Link: https://github.com/ClangBuiltLinux/linux/issues/378 Signed-off-by: Arnd Bergmann commit dd84cfff3cc3b79c9d616f85bd1178df135cbd1a Merge: 2307a0e1ca0b5 980555e95f7ca Author: Takashi Iwai Date: Mon Jul 4 14:14:04 2022 +0200 Merge tag 'asoc-fix-v5.19-rc3' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v5.19 A collection of fixes for v5.19, quite large but nothing major - a good chunk of it is more stuff that was identified by mixer-test regarding event generation. commit 2307a0e1ca0b5c1337b37ac6302f96e017ebac3c Author: Egor Vorontsov Date: Mon Jun 27 13:00:35 2022 +0300 ALSA: usb-audio: Add quirk for Fiero SC-01 (fw v1.0.0) The patch applies the same quirks used for SC-01 at firmware v1.1.0 to the ones running v1.0.0, with respect to hard-coded sample rates. I got two more units and successfully tested the patch series with both firmwares. The support is now complete (not accounting ASIO). Signed-off-by: Egor Vorontsov Link: https://lore.kernel.org/r/20220627100041.2861494-2-sdoregor@sdore.me Signed-off-by: Takashi Iwai commit 4fb7c24f69c48fdc02ea7858dbd5a60ff08bf7e5 Author: Egor Vorontsov Date: Mon Jun 27 13:00:34 2022 +0300 ALSA: usb-audio: Add quirk for Fiero SC-01 Fiero SC-01 is a USB sound card with two mono inputs and a single stereo output. The inputs are composed into a single stereo stream. The device uses a vendor-provided driver on Windows and does not work at all without it. The driver mostly provides ASIO functionality, but also alters the way the sound card is queried for sample rates and clocks. ALSA queries those failing with an EPIPE (same as Windows 10 does). Presumably, the vendor-provided driver does not query it at all, simply matching by VID:PID. Thus, I consider this a buggy firmware and adhere to a set of fixed endpoint quirks instead. The soundcard has an internal clock. Implicit feedback mode is required for the playback. I have updated my device to v1.1.0 from a Windows 10 VM using a vendor- provided binary prior to the development, hoping for it to just begin working. The device provides no obvious way to downgrade the firmware, and regardless, there's no binary available for v1.0.0 anyway. Thus, I will be getting another unit to extend the patch with support for that. Expected to be a simple copy-paste of the existing one, though. There were no previous reports of that device in context of Linux anywhere. Other issues have been reported though, but that's out of the scope. Signed-off-by: Egor Vorontsov Link: https://lore.kernel.org/r/20220627100041.2861494-1-sdoregor@sdore.me Signed-off-by: Takashi Iwai commit 11bea26929a1a3a9dd1a287b60c2f471701bf706 Author: Tim Crawford Date: Fri Jun 24 08:41:09 2022 -0600 ALSA: hda/realtek: Add quirk for Clevo L140PU Fixes headset detection on Clevo L140PU. Signed-off-by: Tim Crawford Cc: Link: https://lore.kernel.org/r/20220624144109.3957-1-tcrawford@system76.com Signed-off-by: Takashi Iwai commit 6e2c9105e0b743c92a157389d40f00b81bdd09fe Author: John Veness Date: Fri Jun 24 15:07:57 2022 +0100 ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices Treat the claimed 96kHz 1ch in the descriptors as 48kHz 2ch, so that the audio stream doesn't sound mono. Also fix initial stream alignment, so that left and right channels are in the correct order. Signed-off-by: John Veness Link: https://lore.kernel.org/r/20220624140757.28758-1-john-linux@pelago.org.uk Signed-off-by: Takashi Iwai commit bf43e4521ff3223a613f3a496991a22a4d78e04b Author: Thomas Zimmermann Date: Fri Jun 17 14:10:27 2022 +0200 drm/aperture: Run fbdev removal before internal helpers Always run fbdev removal first to remove simpledrm via sysfb_disable(). This clears the internal state. The later call to drm_aperture_detach_drivers() then does nothing. Otherwise, with drm_aperture_detach_drivers() running first, the call to sysfb_disable() uses inconsistent state. Example backtrace show below: [ 11.663422] ================================================================== [ 11.663426] BUG: KASAN: use-after-free in device_del+0x79/0x5f0 [ 11.663435] Read of size 8 at addr ffff888108185050 by task systemd-udevd/311 [ 11.663440] CPU: 0 PID: 311 Comm: systemd-udevd Tainted: G E 5 .19.0-rc2-1-default+ #1689 [ 11.663445] Hardware name: HP ProLiant DL120 G7, BIOS J01 04/21/2011 [ 11.663447] Call Trace: [ 11.663449] [ 11.663451] ? device_del+0x79/0x5f0 [ 11.663456] dump_stack_lvl+0x5b/0x73 [ 11.663462] print_address_description.constprop.0+0x1f/0x1b0 [ 11.663468] ? device_del+0x79/0x5f0 [ 11.663471] ? device_del+0x79/0x5f0 [ 11.663475] print_report.cold+0x3c/0x21c [ 11.663481] ? lock_acquired+0x87/0x1e0 [ 11.663484] ? lock_acquired+0x87/0x1e0 [ 11.663489] ? device_del+0x79/0x5f0 [ 11.663492] kasan_report+0xbf/0xf0 [ 11.663498] ? device_del+0x79/0x5f0 [ 11.663503] device_del+0x79/0x5f0 [ 11.663509] ? device_remove_attrs+0x170/0x170 [ 11.663514] ? lock_is_held_type+0xe8/0x140 [ 11.663523] platform_device_del.part.0+0x19/0xe0 [ 11.663530] platform_device_unregister+0x1c/0x30 [ 11.663535] sysfb_disable+0x2d/0x70 [ 11.663540] remove_conflicting_framebuffers+0x1c/0xf0 [ 11.663546] remove_conflicting_pci_framebuffers+0x130/0x1a0 [ 11.663554] drm_aperture_remove_conflicting_pci_framebuffers+0x86/0xb0 [ 11.663561] ? mgag200_pci_remove+0x30/0x30 [mgag200] [ 11.663578] mgag200_pci_probe+0x2d/0x140 [mgag200] Reported-by: Zack Rusin Signed-off-by: Thomas Zimmermann Reviewed-by: Javier Martinez Canillas Reviewed-by: Zack Rusin Fixes: ee7a69aa38d8 ("fbdev: Disable sysfb device registration when removing conflicting FBs") Cc: Javier Martinez Canillas Cc: Daniel Vetter Cc: Daniel Vetter Cc: Sam Ravnborg Cc: Helge Deller Cc: Thomas Zimmermann Cc: Alex Deucher Cc: Zhen Lei Cc: Changcheng Deng Link: https://patchwork.freedesktop.org/patch/msgid/20220617121027.30273-1-tzimmermann@suse.de (cherry picked from commit fb84efa28a48e30b87fa1122e8aab8016c7347cd) Signed-off-by: Thomas Zimmermann commit 887502826549caa7e4215fd9e628f48f14c0825a Author: Jason A. Donenfeld Date: Thu Jun 30 14:16:54 2022 +0200 powerpc/powernv: delay rng platform device creation until later in boot The platform device for the rng must be created much later in boot. Otherwise it tries to connect to a parent that doesn't yet exist, resulting in this splat: [ 0.000478] kobject: '(null)' ((____ptrval____)): is not initialized, yet kobject_get() is being called. [ 0.002925] [c000000002a0fb30] [c00000000073b0bc] kobject_get+0x8c/0x100 (unreliable) [ 0.003071] [c000000002a0fba0] [c00000000087e464] device_add+0xf4/0xb00 [ 0.003194] [c000000002a0fc80] [c000000000a7f6e4] of_device_add+0x64/0x80 [ 0.003321] [c000000002a0fcb0] [c000000000a800d0] of_platform_device_create_pdata+0xd0/0x1b0 [ 0.003476] [c000000002a0fd00] [c00000000201fa44] pnv_get_random_long_early+0x240/0x2e4 [ 0.003623] [c000000002a0fe20] [c000000002060c38] random_init+0xc0/0x214 This patch fixes the issue by doing the platform device creation inside of machine_subsys_initcall. Fixes: f3eac426657d ("powerpc/powernv: wire up rng during setup_arch") Cc: stable@vger.kernel.org Reported-by: Sachin Sant Signed-off-by: Jason A. Donenfeld Tested-by: Sachin Sant [mpe: Change "of node" to "platform device" in change log] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220630121654.1939181-1-Jason@zx2c4.com commit 1c0e78a287e3493e22bde8553d02f3b89177eaf7 Author: Marc Kleine-Budde Date: Mon Jun 20 11:49:24 2022 +0200 can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix endianness conversion In mcp251xfd_register_get_dev_id() the device ID register is read with handcrafted SPI transfers. As all registers, this register is in little endian. Further it is not naturally aligned in struct mcp251xfd_map_buf_nocrc::data. However after the transfer the register content is converted from big endian to CPU endianness not taking care of being unaligned. Fix the conversion by converting from little endian to CPU endianness taking the unaligned source into account. Side note: So far the register content is 0x0 on all mcp251xfd compatible chips, and is only used for an informative printk. Link: https://lore.kernel.org/all/20220627092859.809042-1-mkl@pengutronix.de Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") Reviewed-by: Rasmus Villemoes Reviewed-by: Manivannan Sadhasivam Signed-off-by: Marc Kleine-Budde commit 0ff32bfa0e794ccc3601de7158b522bf736fa63c Author: Marc Kleine-Budde Date: Thu Jun 16 11:38:00 2022 +0200 can: mcp251xfd: mcp251xfd_register_get_dev_id(): use correct length to read dev_id The device ID register is 32 bits wide. The driver uses incorrectly the size of a pointer to a u32 to calculate the length of the SPI transfer. This results in a read of 2 registers on 64 bit platforms. This is no problem on the Linux side, as the RX buffer of the SPI transfer is large enough. In the mpc251xfd chip this results in the read of an undocumented register. So far no problems were observed. Fix the length of the SPI transfer to read the device ID register only. Link: https://lore.kernel.org/all/20220616094914.244440-1-mkl@pengutronix.de Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") Reported-by: Rasmus Villemoes Reviewed-by: Manivannan Sadhasivam Signed-off-by: Marc Kleine-Budde commit d5a972f561a003e302e4267340c57e8fbd096fa4 Author: Marc Kleine-Budde Date: Mon Jun 6 14:46:18 2022 +0200 can: mcp251xfd: mcp251xfd_stop(): add missing hrtimer_cancel() In commit 169d00a25658 ("can: mcp251xfd: add TX IRQ coalescing support") software based TX coalescing was added to the driver. The key idea is to keep the TX complete IRQ disabled for some time after processing it and re-enable later by a hrtimer. When bringing the interface down, this timer has to be stopped. Add the missing hrtimer_cancel() of the tx_irq_time hrtimer to mcp251xfd_stop(). Link: https://lore.kernel.org/all/20220620143942.891811-1-mkl@pengutronix.de Fixes: 169d00a25658 ("can: mcp251xfd: add TX IRQ coalescing support") Cc: stable@vger.kernel.org # v5.18 Reviewed-by: Manivannan Sadhasivam Signed-off-by: Marc Kleine-Budde commit e3d4ee7d5f7f5256dfe89219afcc7a2d553b731f Author: Thomas Kopp Date: Tue Dec 21 22:24:52 2021 +0000 can: mcp251xfd: mcp251xfd_regmap_crc_read(): update workaround broken CRC on TBC register The mcp251xfd compatible chips have an erratum ([1], [2]), where the received CRC doesn't match the calculated CRC. In commit c7eb923c3caf ("can: mcp251xfd: mcp251xfd_regmap_crc_read(): work around broken CRC on TBC register") the following workaround was implementierend. - If a CRC read error on the TBC register is detected and the first byte is 0x00 or 0x80, the most significant bit of the first byte is flipped and the CRC is calculated again. - If the CRC now matches, the _original_ data is passed to the reader. For now we assume transferred data was OK. New investigations and simulations indicate that the CRC send by the device is calculated on correct data, and the data is incorrectly received by the SPI host controller. Use flipped instead of original data and update workaround description in mcp251xfd_regmap_crc_read(). [1] mcp2517fd: DS80000792C: "Incorrect CRC for certain READ_CRC commands" [2] mcp2518fd: DS80000789C: "Incorrect CRC for certain READ_CRC commands" Link: https://lore.kernel.org/all/DM4PR11MB53901D49578FE265B239E55AFB7C9@DM4PR11MB5390.namprd11.prod.outlook.com Fixes: c7eb923c3caf ("can: mcp251xfd: mcp251xfd_regmap_crc_read(): work around broken CRC on TBC register") Cc: stable@vger.kernel.org Signed-off-by: Thomas Kopp [mkl: split into 2 patches, update patch description and documentation] Signed-off-by: Marc Kleine-Budde commit 406cc9cdb3e8d644b15e8028948f091b82abdbca Author: Thomas Kopp Date: Tue Dec 21 22:24:52 2021 +0000 can: mcp251xfd: mcp251xfd_regmap_crc_read(): improve workaround handling for mcp2517fd The mcp251xfd compatible chips have an erratum ([1], [2]), where the received CRC doesn't match the calculated CRC. In commit c7eb923c3caf ("can: mcp251xfd: mcp251xfd_regmap_crc_read(): work around broken CRC on TBC register") the following workaround was implementierend. - If a CRC read error on the TBC register is detected and the first byte is 0x00 or 0x80, the most significant bit of the first byte is flipped and the CRC is calculated again. - If the CRC now matches, the _original_ data is passed to the reader. For now we assume transferred data was OK. Measurements on the mcp2517fd show that the workaround is applicable not only of the lowest byte is 0x00 or 0x80, but also if 3 least significant bits are set. Update check on 1st data byte and workaround description accordingly. [1] mcp2517fd: DS80000792C: "Incorrect CRC for certain READ_CRC commands" [2] mcp2518fd: DS80000789C: "Incorrect CRC for certain READ_CRC commands" Link: https://lore.kernel.org/all/DM4PR11MB53901D49578FE265B239E55AFB7C9@DM4PR11MB5390.namprd11.prod.outlook.com Fixes: c7eb923c3caf ("can: mcp251xfd: mcp251xfd_regmap_crc_read(): work around broken CRC on TBC register") Cc: stable@vger.kernel.org Reported-by: Pavel Modilaynen Signed-off-by: Thomas Kopp [mkl: split into 2 patches, update patch description and documentation] Signed-off-by: Marc Kleine-Budde commit b3b6df2c56d80b8c6740433cff5f016668b8de70 Author: Jimmy Assarsson Date: Fri Jun 3 10:38:20 2022 +0200 can: kvaser_usb: kvaser_usb_leaf: fix bittiming limits Use correct bittiming limits depending on device. For devices based on USBcanII, Leaf M32C or Leaf i.MX28. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Fixes: b4f20130af23 ("can: kvaser_usb: add support for Kvaser Leaf v2 and usb mini PCIe") Fixes: f5d4abea3ce0 ("can: kvaser_usb: Add support for the USBcan-II family") Link: https://lore.kernel.org/all/20220603083820.800246-4-extja@kvaser.com Cc: stable@vger.kernel.org Signed-off-by: Jimmy Assarsson [mkl: remove stray netlink.h include] [mkl: keep struct can_bittiming_const kvaser_usb_flexc_bittiming_const in kvaser_usb_hydra.c] Signed-off-by: Marc Kleine-Budde commit e6c80e601053ffdac5709f11ff3ec1e19ed05f7b Author: Jimmy Assarsson Date: Fri Jun 3 10:38:19 2022 +0200 can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression The firmware of M32C based Leaf devices expects bittiming parameters calculated for 16MHz clock. Since we use the actual clock frequency of the device, the device may end up with wrong bittiming parameters, depending on user requested parameters. This regression affects M32C based Leaf devices with non-16MHz clock. Fixes: fb12797ab1fe ("can: kvaser_usb: get CAN clock frequency from device") Link: https://lore.kernel.org/all/20220603083820.800246-3-extja@kvaser.com Cc: stable@vger.kernel.org Signed-off-by: Jimmy Assarsson Signed-off-by: Marc Kleine-Budde commit 49f274c72357d2d74cba70b172cf369768909707 Author: Jimmy Assarsson Date: Fri Jun 3 10:38:18 2022 +0200 can: kvaser_usb: replace run-time checks with struct kvaser_usb_driver_info Unify and move compile-time known information into new struct kvaser_usb_driver_info, in favor of run-time checks. All Kvaser USBcanII supports listen-only mode and error counter reporting. Link: https://lore.kernel.org/all/20220603083820.800246-2-extja@kvaser.com Suggested-by: Marc Kleine-Budde Cc: stable@vger.kernel.org Signed-off-by: Jimmy Assarsson [mkl: move struct kvaser_usb_driver_info into kvaser_usb_core.c] Signed-off-by: Marc Kleine-Budde commit 1b18f09d31cfa7148df15a7d5c5e0e86f105f7d1 Author: Rick Lindsley Date: Sat Jul 2 03:37:12 2022 -0700 ibmvnic: Properly dispose of all skbs during a failover. During a reset, there may have been transmits in flight that are no longer valid and cannot be fulfilled. Resetting and clearing the queues is insufficient; each skb also needs to be explicitly freed so that upper levels are not left waiting for confirmation of a transmit that will never happen. If this happens frequently enough, the apparent backlog will cause TCP to begin "congestion control" unnecessarily, culminating in permanently decreased throughput. Fixes: d7c0ef36bde03 ("ibmvnic: Free and re-allocate scrqs when tx/rx scrqs change") Tested-by: Nick Child Reviewed-by: Brian King Signed-off-by: Rick Lindsley Signed-off-by: David S. Miller commit 4c3333693f07313f5f0145a922f14a7d3c0f4f21 Author: Marc Kleine-Budde Date: Mon May 30 19:30:28 2022 +0200 can: m_can: m_can_{read_fifo,echo_tx_event}(): shift timestamp to full 32 bits In commit 1be37d3b0414 ("can: m_can: fix periph RX path: use rx-offload to ensure skbs are sent from softirq context") the RX path for peripheral devices was switched to RX-offload. Received CAN frames are pushed to RX-offload together with a timestamp. RX-offload is designed to handle overflows of the timestamp correctly, if 32 bit timestamps are provided. The timestamps of m_can core are only 16 bits wide. So this patch shifts them to full 32 bit before passing them to RX-offload. Link: https://lore.kernel.org/all/20220612211410.4081390-1-mkl@pengutronix.de Fixes: 1be37d3b0414 ("can: m_can: fix periph RX path: use rx-offload to ensure skbs are sent from softirq context") Cc: # 5.13 Cc: Torin Cooper-Bennun Reviewed-by: Chandrasekar Ramakrishnan Signed-off-by: Marc Kleine-Budde commit 5b12933de4e76ec164031c18ce8e0904abf530d7 Author: Marc Kleine-Budde Date: Mon May 23 17:18:33 2022 +0200 can: m_can: m_can_chip_config(): actually enable internal timestamping In commit df06fd678260 ("can: m_can: m_can_chip_config(): enable and configure internal timestamps") the timestamping in the m_can core should be enabled. In peripheral mode, the RX'ed CAN frames, TX compete frames and error events are sorted by the timestamp. The above mentioned commit however forgot to enable the timestamping. Add the missing bits to enable the timestamp counter to the write of the Timestamp Counter Configuration register. Link: https://lore.kernel.org/all/20220612212708.4081756-1-mkl@pengutronix.de Fixes: df06fd678260 ("can: m_can: m_can_chip_config(): enable and configure internal timestamps") Cc: # 5.13 Cc: Torin Cooper-Bennun Reviewed-by: Chandrasekar Ramakrishnan Signed-off-by: Marc Kleine-Budde commit 562fed945ea482833667f85496eeda766d511386 Author: Liang He Date: Sun Jun 19 15:02:57 2022 +0800 can: grcan: grcan_probe(): remove extra of_node_get() In grcan_probe(), of_find_node_by_path() has already increased the refcount. There is no need to call of_node_get() again, so remove it. Link: https://lore.kernel.org/all/20220619070257.4067022-1-windhl@126.com Fixes: 1e93ed26acf0 ("can: grcan: grcan_probe(): fix broken system id check for errata workaround needs") Cc: stable@vger.kernel.org # v5.18 Cc: Andreas Larsson Signed-off-by: Liang He Signed-off-by: Marc Kleine-Budde commit 2bda24ef95c0311ab93bda00db40486acf30bd0a Author: Rhett Aultman Date: Sun Jul 3 19:33:06 2022 +0200 can: gs_usb: gs_usb_open/close(): fix memory leak The gs_usb driver appears to suffer from a malady common to many USB CAN adapter drivers in that it performs usb_alloc_coherent() to allocate a number of USB request blocks (URBs) for RX, and then later relies on usb_kill_anchored_urbs() to free them, but this doesn't actually free them. As a result, this may be leaking DMA memory that's been used by the driver. This commit is an adaptation of the techniques found in the esd_usb2 driver where a similar design pattern led to a memory leak. It explicitly frees the RX URBs and their DMA memory via a call to usb_free_coherent(). Since the RX URBs were allocated in the gs_can_open(), we remove them in gs_can_close() rather than in the disconnect function as was done in esd_usb2. For more information, see the 928150fad41b ("can: esd_usb2: fix memory leak"). Link: https://lore.kernel.org/all/alpine.DEB.2.22.394.2206031547001.1630869@thelappy Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Cc: stable@vger.kernel.org Signed-off-by: Rhett Aultman Signed-off-by: Marc Kleine-Budde commit 374e11f1bde91545674233459e5a0416ba842b69 Author: Duy Nguyen Date: Mon Jul 4 16:46:11 2022 +0900 can: rcar_canfd: Fix data transmission failed on R-Car V3U On R-Car V3U, this driver should use suitable register offset instead of other SoCs' one. Otherwise, data transmission failed on R-Car V3U. Fixes: 45721c406dcf ("can: rcar_canfd: Add support for r8a779a0 SoC") Link: https://lore.kernel.org/all/20220704074611.957191-1-yoshihiro.shimoda.uh@renesas.com Reviewed-by: Geert Uytterhoeven Signed-off-by: Duy Nguyen Signed-off-by: Yoshihiro Shimoda Signed-off-by: Marc Kleine-Budde commit c6da4590fe819dfe28a4f8037a8dc1e056542fb4 Author: Srinivas Neeli Date: Thu Jun 9 13:54:32 2022 +0530 Revert "can: xilinx_can: Limit CANFD brp to 2" This reverts commit 05ca14fdb6fe65614e0652d03e44b02748d25af7. On early silicon engineering samples observed bit shrinking issue when we use brp as 1. Hence updated brp_min as 2. As in production silicon this issue is fixed, so reverting the patch. Link: https://lore.kernel.org/all/20220609082433.1191060-2-srinivas.neeli@xilinx.com Signed-off-by: Srinivas Neeli Signed-off-by: Marc Kleine-Budde commit ea1c3b77bc0b2a414496b3fe988f3abba33db288 Merge: 280e3a857d96f 5d407ca738926 Author: David S. Miller Date: Mon Jul 4 10:06:50 2022 +0100 Merge branch 'netdev-docs' Jakub Kicinski says: ==================== docs: netdev: document more of our rules The patch series length limit and reverse xmas tree are not documented. Add those, and a tl;dr section summarizing how we differ. v2: improve the series length blurb (Andrew) ==================== Signed-off-by: David S. Miller commit 5d407ca7389261c002c49068e4a11ed3bff0fc8e Author: Jakub Kicinski Date: Fri Jul 1 20:12:09 2022 -0700 docs: netdev: add a cheat sheet for the rules Summarize the rules we see broken most often and which may be less familiar to kernel devs who are used to working outside of netdev. Signed-off-by: Jakub Kicinski Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller commit a24875641143fce726529e6d550b313c53eb5821 Author: Jakub Kicinski Date: Fri Jul 1 20:12:08 2022 -0700 docs: netdev: document reverse xmas tree Similarly to the 15 patch rule the reverse xmas tree is not documented. Signed-off-by: Jakub Kicinski Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller commit 02514a067fad6df27c4b21c316c1af93066af06e Author: Jakub Kicinski Date: Fri Jul 1 20:12:07 2022 -0700 docs: netdev: document that patch series length limit We had been asking people to avoid massive patch series but it does not appear in the FAQ. Signed-off-by: Jakub Kicinski Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller commit f1b4e32aca0811aa011c76e5d6cf2fa19224b386 Author: Oliver Hartkopp Date: Fri May 20 20:32:39 2022 +0200 can: bcm: use call_rcu() instead of costly synchronize_rcu() In commit d5f9023fa61e ("can: bcm: delay release of struct bcm_op after synchronize_rcu()") Thadeu Lima de Souza Cascardo introduced two synchronize_rcu() calls in bcm_release() (only once at socket close) and in bcm_delete_rx_op() (called on removal of each single bcm_op). Unfortunately this slow removal of the bcm_op's affects user space applications like cansniffer where the modification of a filter removes 2048 bcm_op's which blocks the cansniffer application for 40(!) seconds. In commit 181d4447905d ("can: gw: use call_rcu() instead of costly synchronize_rcu()") Eric Dumazet replaced the synchronize_rcu() calls with several call_rcu()'s to safely remove the data structures after the removal of CAN ID subscriptions with can_rx_unregister() calls. This patch adopts Erics approach for the can-bcm which should be applicable since the removal of tasklet_kill() in bcm_remove_op() and the introduction of the HRTIMER_MODE_SOFT timer handling in Linux 5.4. Fixes: d5f9023fa61e ("can: bcm: delay release of struct bcm_op after synchronize_rcu()") # >= 5.4 Link: https://lore.kernel.org/all/20220520183239.19111-1-socketcan@hartkopp.net Cc: stable@vger.kernel.org Cc: Eric Dumazet Cc: Norbert Slusarek Cc: Thadeu Lima de Souza Cascardo Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde commit 1d0c1aadf1fd9f3de95d1532b3651e8634546e71 Author: Fabrice Gasnier Date: Tue Jun 21 10:45:09 2022 +0200 ARM: dts: stm32: add missing usbh clock and fix clk order on stm32mp15 The USBH composed of EHCI and OHCI controllers needs the PHY clock to be initialized first, before enabling (gating) them. The reverse is also required when going to suspend. So, add USBPHY clock as 1st entry in both controllers, so the USBPHY PLL gets enabled 1st upon controller init. Upon suspend/resume, this also makes the clock to be disabled/re-enabled in the correct order. This fixes some IRQ storm conditions seen when going to low-power, due to PHY PLL being disabled before all clocks are cleanly gated. Fixes: 949a0c0dec85 ("ARM: dts: stm32: add USB Host (USBH) support to stm32mp157c") Fixes: db7be2cb87ae ("ARM: dts: stm32: use usbphyc ck_usbo_48m as USBH OHCI clock on stm32mp151") Signed-off-by: Fabrice Gasnier Signed-off-by: Alexandre Torgue commit bf74181e75c93a1b2b000ebf3c8b4c8c17cd59da Author: Gabriel Fernandez Date: Fri Jun 24 11:27:15 2022 +0200 ARM: dts: stm32: delete fixed clock node on STM32MP15-SCMI Delete the node fixed clock managed by secure world with SCMI. Signed-off-by: Gabriel Fernandez Signed-off-by: Alexandre Torgue commit cfd7ea394cd3b70ba4d9d87ee7b88e37459036b0 Author: Gabriel Fernandez Date: Fri Jun 24 11:27:14 2022 +0200 ARM: dts: stm32: DSI should use LSE SCMI clock on DK1/ED1 STM32 board LSE clock is provided by SCMI. Signed-off-by: Gabriel Fernandez Signed-off-by: Alexandre Torgue commit 78ece8cce1ba0c3f3e5a7c6c1b914b3794f04c44 Author: Gabriel Fernandez Date: Fri Jun 24 11:27:13 2022 +0200 ARM: dts: stm32: use the correct clock source for CEC on stm32mp151 The peripheral clock of CEC is not LSE but CEC. Signed-off-by: Gabriel Fernandez Signed-off-by: Alexandre Torgue commit a34b42f8690ce2b8360971ca5b886786ee1781af Author: Etienne Carriere Date: Fri Jun 24 11:00:55 2022 +0200 ARM: dts: stm32: fix pwr regulators references to use scmi Fixes stm32mp15*-scmi DTS files introduced in [1] to also access PWR regulators through SCMI service. This is needed since enabling secure only access to RCC clock and reset controllers also enables secure access only on PWR voltage regulators reg11, reg18 and usb33 hence these must also be accessed through SCMI Voltage Domain protocol. This change applies on commit [2] that already corrects issues from commit [1]. Cc: Alexandre Torgue Link: [1] https://lore.kernel.org/linux-arm-kernel/20220422150952.20587-7-alexandre.torgue@foss.st.com Link: [2] https://lore.kernel.org/linux-arm-kernel/20220613071920.5463-1-alexandre.torgue@foss.st.com Signed-off-by: Etienne Carriere Signed-off-by: Alexandre Torgue commit 14c99d65941538aa33edd8dc7b1bbbb593c324a2 Author: Gowans, James Date: Thu Jun 23 05:24:03 2022 +0000 mm: split huge PUD on wp_huge_pud fallback Currently the implementation will split the PUD when a fallback is taken inside the create_huge_pud function. This isn't where it should be done: the splitting should be done in wp_huge_pud, just like it's done for PMDs. Reason being that if a callback is taken during create, there is no PUD yet so nothing to split, whereas if a fallback is taken when encountering a write protection fault there is something to split. It looks like this was the original intention with the commit where the splitting was introduced, but somehow it got moved to the wrong place between v1 and v2 of the patch series. Rebase mistake perhaps. Link: https://lkml.kernel.org/r/6f48d622eb8bce1ae5dd75327b0b73894a2ec407.camel@amazon.com Fixes: 327e9fd48972 ("mm: Split huge pages on write-notify or COW") Signed-off-by: James Gowans Reviewed-by: Thomas Hellström Cc: Christian König Cc: Jan H. Schönherr Signed-off-by: Andrew Morton commit 5924e6ec1585445f251ea92713eb15beb732622a Author: Ryusuke Konishi Date: Thu Jun 23 17:54:01 2022 +0900 nilfs2: fix incorrect masking of permission flags for symlinks The permission flags of newly created symlinks are wrongly dropped on nilfs2 with the current umask value even though symlinks should have 777 (rwxrwxrwx) permissions: $ umask 0022 $ touch file && ln -s file symlink; ls -l file symlink -rw-r--r--. 1 root root 0 Jun 23 16:29 file lrwxr-xr-x. 1 root root 4 Jun 23 16:29 symlink -> file This fixes the bug by inserting a missing check that excludes symlinks. Link: https://lkml.kernel.org/r/1655974441-5612-1-git-send-email-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Reported-by: Tommy Pettersson Reported-by: Ciprian Craciun Tested-by: Ryusuke Konishi Signed-off-by: Andrew Morton commit 1118234e4bc22ff50e9eae40ad95b17a6b12cefa Author: David Hildenbrand Date: Thu Jun 23 22:53:32 2022 +0200 mm/rmap: fix dereferencing invalid subpage pointer in try_to_migrate_one() The subpage we calculate is an invalid pointer for device private pages, because device private pages are mapped via non-present device private entries, not ordinary present PTEs. Let's just not compute broken pointers and fixup later. Move the proper assignment of the correct subpage to the beginning of the function and assert that we really only have a single page in our folio. This currently results in a BUG when tying to compute anon_exclusive, because: [ 528.727237] BUG: unable to handle page fault for address: ffffea1fffffffc0 [ 528.739585] #PF: supervisor read access in kernel mode [ 528.745324] #PF: error_code(0x0000) - not-present page [ 528.751062] PGD 44eaf2067 P4D 44eaf2067 PUD 0 [ 528.756026] Oops: 0000 [#1] PREEMPT SMP NOPTI [ 528.760890] CPU: 120 PID: 18275 Comm: hmm-tests Not tainted 5.19.0-rc3-kfd-alex #257 [ 528.769542] Hardware name: AMD Corporation BardPeak/BardPeak, BIOS RTY1002BDS 09/17/2021 [ 528.778579] RIP: 0010:try_to_migrate_one+0x21a/0x1000 [ 528.784225] Code: f6 48 89 c8 48 2b 05 45 d1 6a 01 48 c1 f8 06 48 29 c3 48 8b 45 a8 48 c1 e3 06 48 01 cb f6 41 18 01 48 89 85 50 ff ff ff 74 0b <4c> 8b 33 49 c1 ee 11 41 83 e6 01 48 8b bd 48 ff ff ff e8 3f 99 02 [ 528.805194] RSP: 0000:ffffc90003cdfaa0 EFLAGS: 00010202 [ 528.811027] RAX: 00007ffff7ff4000 RBX: ffffea1fffffffc0 RCX: ffffeaffffffffc0 [ 528.818995] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffc90003cdfaf8 [ 528.826962] RBP: ffffc90003cdfb70 R08: 0000000000000000 R09: 0000000000000000 [ 528.834930] R10: ffffc90003cdf910 R11: 0000000000000002 R12: ffff888194450540 [ 528.842899] R13: ffff888160d057c0 R14: 0000000000000000 R15: 03ffffffffffffff [ 528.850865] FS: 00007ffff7fdb740(0000) GS:ffff8883b0600000(0000) knlGS:0000000000000000 [ 528.859891] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 528.866308] CR2: ffffea1fffffffc0 CR3: 00000001562b4003 CR4: 0000000000770ee0 [ 528.874275] PKRU: 55555554 [ 528.877286] Call Trace: [ 528.880016] [ 528.882356] ? lock_is_held_type+0xdf/0x130 [ 528.887033] rmap_walk_anon+0x167/0x410 [ 528.891316] try_to_migrate+0x90/0xd0 [ 528.895405] ? try_to_unmap_one+0xe10/0xe10 [ 528.900074] ? anon_vma_ctor+0x50/0x50 [ 528.904260] ? put_anon_vma+0x10/0x10 [ 528.908347] ? invalid_mkclean_vma+0x20/0x20 [ 528.913114] migrate_vma_setup+0x5f4/0x750 [ 528.917691] dmirror_devmem_fault+0x8c/0x250 [test_hmm] [ 528.923532] do_swap_page+0xac0/0xe50 [ 528.927623] ? __lock_acquire+0x4b2/0x1ac0 [ 528.932199] __handle_mm_fault+0x949/0x1440 [ 528.936876] handle_mm_fault+0x13f/0x3e0 [ 528.941256] do_user_addr_fault+0x215/0x740 [ 528.945928] exc_page_fault+0x75/0x280 [ 528.950115] asm_exc_page_fault+0x27/0x30 [ 528.954593] RIP: 0033:0x40366b ... Link: https://lkml.kernel.org/r/20220623205332.319257-1-david@redhat.com Fixes: 6c287605fd56 ("mm: remember exclusively mapped anonymous pages with PG_anon_exclusive") Signed-off-by: David Hildenbrand Reported-by: "Sierra Guiza, Alejandro (Alex)" Reviewed-by: Alistair Popple Tested-by: Alistair Popple Cc: Vlastimil Babka Cc: Christoph Hellwig Cc: "Matthew Wilcox (Oracle)" Signed-off-by: Andrew Morton commit 34c0a5b04da8a543bc7335953c635dea1099d757 Author: YueHaibing Date: Fri Jun 24 16:52:36 2022 +0800 riscv/mm: fix build error while PAGE_TABLE_CHECK enabled without MMU mm/page_table_check.c: In function `__page_table_check_pte_clear': mm/page_table_check.c:148:6: error: implicit declaration of function `pte_user_accessible_page'; did you mean `user_access_save'? [-Werror=implicit-function-declaration] if (pte_user_accessible_page(pte)) { ^~~~~~~~~~~~~~~~~~~~~~~~ user_access_save ARCH_SUPPORTS_PAGE_TABLE_CHECK should only enabled with MMU. Link: https://lkml.kernel.org/r/20220624085236.18544-1-yuehaibing@huawei.com Fixes: 3fee229a8eb9 ("riscv/mm: enable ARCH_SUPPORTS_PAGE_TABLE_CHECK") Signed-off-by: YueHaibing Cc: Paul Walmsley Cc: Palmer Dabbelt Cc: Albert Ou Cc: Pasha Tatashin Cc: Tong Tiangen Signed-off-by: Andrew Morton commit cffe57bee62b155c08d71218fc0e9e84a0a90bbb Author: Bagas Sanjaya Date: Wed Jun 22 15:45:46 2022 +0700 Documentation: highmem: use literal block for code example in highmem.h comment When building htmldocs on Linus's tree, there are inline emphasis warnings on include/linux/highmem.h: Documentation/vm/highmem:166: ./include/linux/highmem.h:154: WARNING: Inline emphasis start-string without end-string. Documentation/vm/highmem:166: ./include/linux/highmem.h:157: WARNING: Inline emphasis start-string without end-string. These warnings above are due to comments in code example at the mentioned lines above are enclosed by double dash (--), which confuses Sphinx as inline markup delimiters instead. Fix these warnings by indenting the code example with literal block indentation and making the comments C comments. Link: https://lkml.kernel.org/r/20220622084546.17745-1-bagasdotme@gmail.com Fixes: 85a85e7601263f ("Documentation/vm: move "Using kmap-atomic" to highmem.h") Signed-off-by: Bagas Sanjaya Reviewed-by: Ira Weiny Tested-by: Ira Weiny Cc: "Matthew Wilcox (Oracle)" Cc: "Fabio M. De Francesco" Cc: Sebastian Andrzej Siewior Signed-off-by: Andrew Morton commit 39d35edee4537487e5178f258e23518272a66413 Author: Muchun Song Date: Mon Jun 20 10:30:19 2022 +0800 mm: sparsemem: fix missing higher order allocation splitting Higher order allocations for vmemmap pages from buddy allocator must be able to be treated as indepdenent small pages as they can be freed individually by the caller. There is no problem for higher order vmemmap pages allocated at boot time since each individual small page will be initialized at boot time. However, it will be an issue for memory hotplug case since those higher order vmemmap pages are allocated from buddy allocator without initializing each individual small page's refcount. The system will panic in put_page_testzero() when CONFIG_DEBUG_VM is enabled if the vmemmap page is freed. Link: https://lkml.kernel.org/r/20220620023019.94257-1-songmuchun@bytedance.com Fixes: d8d55f5616cf ("mm: sparsemem: use page table lock to protect kernel pmd operations") Signed-off-by: Muchun Song Reviewed-by: Mike Kravetz Cc: Xiongchun Duan Cc: Signed-off-by: Andrew Morton commit ed1523a895ffdabcab6e067af18685ed00f5ce15 Author: Baolin Wang Date: Mon Jun 20 10:34:42 2022 +0800 mm/damon: use set_huge_pte_at() to make huge pte old The huge_ptep_set_access_flags() can not make the huge pte old according to the discussion [1], that means we will always mornitor the young state of the hugetlb though we stopped accessing the hugetlb, as a result DAMON will get inaccurate accessing statistics. So changing to use set_huge_pte_at() to make the huge pte old to fix this issue. [1] https://lore.kernel.org/all/Yqy97gXI4Nqb7dYo@arm.com/ Link: https://lkml.kernel.org/r/1655692482-28797-1-git-send-email-baolin.wang@linux.alibaba.com Fixes: 49f4203aae06 ("mm/damon: add access checking for hugetlb pages") Signed-off-by: Baolin Wang Reviewed-by: SeongJae Park Acked-by: Mike Kravetz Reviewed-by: Muchun Song Cc: Signed-off-by: Andrew Morton commit d684e0a52d36f8939eda30a0f31ee235ee4ee741 Author: Geert Uytterhoeven Date: Mon Jun 20 09:01:43 2022 +0200 sh: convert nommu io{re,un}map() to static inline functions Recently, nommu iounmap() was converted from a static inline function to a macro again, basically reverting commit 4580ba4ad2e6b8dd ("sh: Convert iounmap() macros to inline functions"). With -Werror, this leads to build failures like: drivers/iio/adc/xilinx-ams.c: In function `ams_iounmap_ps': drivers/iio/adc/xilinx-ams.c:1195:14: error: unused variable `ams' [-Werror=unused-variable] 1195 | struct ams *ams = data; | ^~~ Fix this by replacing the macros for ioremap() and iounmap() by static inline functions, based on . Link: https://lkml.kernel.org/r/8d1b1766260961799b04035e7bc39a7f59729f72.1655708312.git.geert+renesas@glider.be Fixes: 13f1fc870dd74713 ("sh: move the ioremap implementation out of line") Signed-off-by: Geert Uytterhoeven Reported-by: kernel test robot Reported-by: Jonathan Cameron Acked-by: Jonathan Cameron Reviewed-by: Christoph Hellwig Signed-off-by: Andrew Morton commit 73f37dbcfe1763ee2294c7717a1f571e27d17fd8 Author: Axel Rasmussen Date: Fri Jun 10 10:38:12 2022 -0700 mm: userfaultfd: fix UFFDIO_CONTINUE on fallocated shmem pages When fallocate() is used on a shmem file, the pages we allocate can end up with !PageUptodate. Since UFFDIO_CONTINUE tries to find the existing page the user wants to map with SGP_READ, we would fail to find such a page, since shmem_getpage_gfp returns with a "NULL" pagep for SGP_READ if it discovers !PageUptodate. As a result, UFFDIO_CONTINUE returns -EFAULT, as it would do if the page wasn't found in the page cache at all. This isn't the intended behavior. UFFDIO_CONTINUE is just trying to find if a page exists, and doesn't care whether it still needs to be cleared or not. So, instead of SGP_READ, pass in SGP_NOALLOC. This is the same, except for one critical difference: in the !PageUptodate case, SGP_NOALLOC will clear the page and then return it. With this change, UFFDIO_CONTINUE works properly (succeeds) on a shmem file which has been fallocated, but otherwise not modified. Link: https://lkml.kernel.org/r/20220610173812.1768919-1-axelrasmussen@google.com Fixes: 153132571f02 ("userfaultfd/shmem: support UFFDIO_CONTINUE for shmem") Signed-off-by: Axel Rasmussen Acked-by: Peter Xu Cc: Hugh Dickins Cc: Signed-off-by: Andrew Morton commit 88084a3df1672e131ddc1b4e39eeacfd39864acf Author: Linus Torvalds Date: Sun Jul 3 15:39:28 2022 -0700 Linux 5.19-rc5 commit b8d5109f50969ead9d49c3e8bd78ec1f82e548e3 Author: Linus Torvalds Date: Sun Jul 3 14:40:28 2022 -0700 lockref: remove unused 'lockref_get_or_lock()' function Looking at the conditional lock acquire functions in the kernel due to the new sparse support (see commit 4a557a5d1a61 "sparse: introduce conditional lock acquire function attribute"), it became obvious that the lockref code has a couple of them, but they don't match the usual naming convention for the other ones, and their return value logic is also reversed. In the other very similar places, the naming pattern is '*_and_lock()' (eg 'atomic_put_and_lock()' and 'refcount_dec_and_lock()'), and the function returns true when the lock is taken. The lockref code is superficially very similar to the refcount code, only with the special "atomic wrt the embedded lock" semantics. But instead of the '*_and_lock()' naming it uses '*_or_lock()'. And instead of returning true in case it took the lock, it returns true if it *didn't* take the lock. Now, arguably the reflock code is quite logical: it really is a "either decrement _or_ lock" kind of situation - and the return value is about whether the operation succeeded without any special care needed. So despite the similarities, the differences do make some sense, and maybe it's not worth trying to unify the different conditional locking primitives in this area. But while looking at this all, it did become obvious that the 'lockref_get_or_lock()' function hasn't actually had any users for almost a decade. The only user it ever had was the shortlived 'd_rcu_to_refcount()' function, and it got removed and replaced with 'lockref_get_not_dead()' back in 2013 in commits 0d98439ea3c6 ("vfs: use lockred 'dead' flag to mark unrecoverably dead dentries") and e5c832d55588 ("vfs: fix dentry RCU to refcounting possibly sleeping dput()") In fact, that single use was removed less than a week after the whole function was introduced in commit b3abd80250c1 ("lockref: add 'lockref_get_or_lock() helper") so this function has been around for a decade, but only had a user for six days. Let's just put this mis-designed and unused function out of its misery. We can think about the naming and semantic oddities of the remaining 'lockref_put_or_lock()' later, but at least that function has users. And while the naming is different and the return value doesn't match, that function matches the whole '{atomic,refcount}_dec_and_test()' pattern much better (ie the magic happens when the count goes down to zero, not when it is incremented from zero). Signed-off-by: Linus Torvalds commit 7ecd8a7af36efa52fb95fb42ecab03bc4e76c848 Merge: f99d621133ef4 5fb779558f1c9 Author: Arnd Bergmann Date: Sun Jul 3 22:36:46 2022 +0200 Merge tag 'qcom-arm64-fixes-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into arm/fixes Qualcomm ARM64 DT fixes for v5.19 This removes duplicate includes in the sc7180-trogdor files, which accidentally ended up disabling nodes intended to be enabled. It corrects identifiers for CPU6/7 on MSM8994. On SM8450 the UFS node's interconnects property is updated to match the #interconnect-cells, avoiding sync_state issues and the GIC ITS is defined, to correct the references from the PCIe nodes. On SDM845 the display subsystem's AHB clock is corrected and on msm8992 devices, the supplies for lvs 1 and 2 are correctly specified. Lastly, a welcome addition of Konrad as reviewer for the Qualcomm SoC. * tag 'qcom-arm64-fixes-for-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: arm64: dts: qcom: msm8992-*: Fix vdd_lvs1_2-supply typo MAINTAINERS: Add myself as a reviewer for Qualcomm ARM/64 support arm64: dts: qcom: sdm845: use dispcc AHB clock for mdss node arm64: dts: qcom: sm8450 add ITS device tree node arm64: dts: qcom: msm8994: Fix CPU6/7 reg values arm64: dts: qcom: sm8450: fix interconnects property of UFS node arm64: dts: qcom: Remove duplicate sc7180-trogdor include on lazor/homestar Link: https://lore.kernel.org/r/20220703030208.408109-1-bjorn.andersson@linaro.org Signed-off-by: Arnd Bergmann commit 4a557a5d1a6145ea586dc9b17a9b4e5190c9c017 Author: Linus Torvalds Date: Thu Jun 30 09:34:10 2022 -0700 sparse: introduce conditional lock acquire function attribute The kernel tends to try to avoid conditional locking semantics because it makes it harder to think about and statically check locking rules, but we do have a few fundamental locking primitives that take locks conditionally - most obviously the 'trylock' functions. That has always been a problem for 'sparse' checking for locking imbalance, and we've had a special '__cond_lock()' macro that we've used to let sparse know how the locking works: # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0) so that you can then use this to tell sparse that (for example) the spinlock trylock macro ends up acquiring the lock when it succeeds, but not when it fails: #define raw_spin_trylock(lock) __cond_lock(lock, _raw_spin_trylock(lock)) and then sparse can follow along the locking rules when you have code like if (!spin_trylock(&dentry->d_lock)) return LRU_SKIP; .. sparse sees that the lock is held here.. spin_unlock(&dentry->d_lock); and sparse ends up happy about the lock contexts. However, this '__cond_lock()' use does result in very ugly header files, and requires you to basically wrap the real function with that macro that uses '__cond_lock'. Which has made PeterZ NAK things that try to fix sparse warnings over the years [1]. To solve this, there is now a very experimental patch to sparse that basically does the exact same thing as '__cond_lock()' did, but using a function attribute instead. That seems to make PeterZ happy [2]. Note that this does not replace existing use of '__cond_lock()', but only exposes the new proposed attribute and uses it for the previously unannotated 'refcount_dec_and_lock()' family of functions. For existing sparse installations, this will make no difference (a negative output context was ignored), but if you have the experimental sparse patch it will make sparse now understand code that uses those functions, the same way '__cond_lock()' makes sparse understand the very similar 'atomic_dec_and_lock()' uses that have the old '__cond_lock()' annotations. Note that in some cases this will silence existing context imbalance warnings. But in other cases it may end up exposing new sparse warnings for code that sparse just didn't see the locking for at all before. This is a trial, in other words. I'd expect that if it ends up being successful, and new sparse releases end up having this new attribute, we'll migrate the old-style '__cond_lock()' users to use the new-style '__cond_acquires' function attribute. The actual experimental sparse patch was posted in [3]. Link: https://lore.kernel.org/all/20130930134434.GC12926@twins.programming.kicks-ass.net/ [1] Link: https://lore.kernel.org/all/Yr60tWxN4P568x3W@worktop.programming.kicks-ass.net/ [2] Link: https://lore.kernel.org/all/CAHk-=wjZfO9hGqJ2_hGQG3U_XzSh9_XaXze=HgPdvJbgrvASfA@mail.gmail.com/ [3] Acked-by: Peter Zijlstra Cc: Alexander Aring Cc: Luc Van Oostenryck Signed-off-by: Linus Torvalds commit 20855e4cb361adeabce3665f5174b09b4a6ebfe6 Merge: 69cb6c6556ad8 7561cea5dbb97 Author: Linus Torvalds Date: Sun Jul 3 09:42:17 2022 -0700 Merge tag 'xfs-5.19-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux Pull xfs fixes from Darrick Wong: "This fixes some stalling problems and corrects the last of the problems (I hope) observed during testing of the new atomic xattr update feature. - Fix statfs blocking on background inode gc workers - Fix some broken inode lock assertion code - Fix xattr leaf buffer leaks when cancelling a deferred xattr update operation - Clean up xattr recovery to make it easier to understand. - Fix xattr leaf block verifiers tripping over empty blocks. - Remove complicated and error prone xattr leaf block bholding mess. - Fix a bug where an rt extent crossing EOF was treated as "posteof" blocks and cleaned unnecessarily. - Fix a UAF when log shutdown races with unmount" * tag 'xfs-5.19-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: xfs: prevent a UAF when log IO errors race with unmount xfs: dont treat rt extents beyond EOF as eofblocks to be cleared xfs: don't hold xattr leaf buffers across transaction rolls xfs: empty xattr leaf header blocks are not corruption xfs: clean up the end of xfs_attri_item_recover xfs: always free xattri_leaf_bp when cancelling a deferred op xfs: use invalidate_lock to check the state of mmap_lock xfs: factor out the common lock flags assert xfs: introduce xfs_inodegc_push() xfs: bound maximum wait time for inodegc work commit 280e3a857d96f9ca8e24632788e1e7a0fec4e9f7 Merge: 3d5a2a396f198 9827a0e6e23bf Author: David S. Miller Date: Sun Jul 3 12:29:18 2022 +0100 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Insufficient validation of element datatype and length in nft_setelem_parse_data(). At least commit 7d7402642eaf updates maximum element data area up to 64 bytes when only 16 bytes where supported at the time. Support for larger element size came later in fdb9c405e35b though. Picking this older commit as Fixes: tag to be safe than sorry. 2) Memleak in pipapo destroy path, reproducible when transaction in aborted. This is already triggering in the existing netfilter test infrastructure since more recent new tests are covering this path. ==================== Signed-off-by: David S. Miller commit 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e Author: Pablo Neira Ayuso Date: Sat Jul 2 04:16:31 2022 +0200 netfilter: nft_set_pipapo: release elements in clone from abort path New elements that reside in the clone are not released in case that the transaction is aborted. [16302.231754] ------------[ cut here ]------------ [16302.231756] WARNING: CPU: 0 PID: 100509 at net/netfilter/nf_tables_api.c:1864 nf_tables_chain_destroy+0x26/0x127 [nf_tables] [...] [16302.231882] CPU: 0 PID: 100509 Comm: nft Tainted: G W 5.19.0-rc3+ #155 [...] [16302.231887] RIP: 0010:nf_tables_chain_destroy+0x26/0x127 [nf_tables] [16302.231899] Code: f3 fe ff ff 41 55 41 54 55 53 48 8b 6f 10 48 89 fb 48 c7 c7 82 96 d9 a0 8b 55 50 48 8b 75 58 e8 de f5 92 e0 83 7d 50 00 74 09 <0f> 0b 5b 5d 41 5c 41 5d c3 4c 8b 65 00 48 8b 7d 08 49 39 fc 74 05 [...] [16302.231917] Call Trace: [16302.231919] [16302.231921] __nf_tables_abort.cold+0x23/0x28 [nf_tables] [16302.231934] nf_tables_abort+0x30/0x50 [nf_tables] [16302.231946] nfnetlink_rcv_batch+0x41a/0x840 [nfnetlink] [16302.231952] ? __nla_validate_parse+0x48/0x190 [16302.231959] nfnetlink_rcv+0x110/0x129 [nfnetlink] [16302.231963] netlink_unicast+0x211/0x340 [16302.231969] netlink_sendmsg+0x21e/0x460 Add nft_set_pipapo_match_destroy() helper function to release the elements in the lookup tables. Stefano Brivio says: "We additionally look for elements pointers in the cloned matching data if priv->dirty is set, because that means that cloned data might point to additional elements we did not commit to the working copy yet (such as the abort path case, but perhaps not limited to it)." Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") Reviewed-by: Stefano Brivio Signed-off-by: Pablo Neira Ayuso commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 Author: Pablo Neira Ayuso Date: Sat Jul 2 04:16:30 2022 +0200 netfilter: nf_tables: stricter validation of element data Make sure element data type and length do not mismatch the one specified by the set declaration. Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data") Reported-by: Hugues ANGUELKOV Signed-off-by: Pablo Neira Ayuso commit 69cb6c6556ad89620547318439d6be8bb1629a5a Merge: 34074da5424c0 a23dd544debcd Author: Linus Torvalds Date: Sat Jul 2 11:20:56 2022 -0700 Merge tag 'nfsd-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux Pull nfsd fixes from Chuck Lever: "Notable regression fixes: - Fix NFSD crash during NFSv4.2 READ_PLUS operation - Fix incorrect status code returned by COMMIT operation" * tag 'nfsd-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux: SUNRPC: Fix READ_PLUS crasher NFSD: restore EINVAL error translation in nfsd_commit() commit 34074da5424c08542d197396757cc3194ef754b4 Merge: bb7c512687769 aa78fa905b443 Author: Linus Torvalds Date: Sat Jul 2 10:23:36 2022 -0700 Merge tag 'for-5.19/parisc-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc architecture fixes from Helge Deller: "Two important fixes for bugs in code which was added in 5.18: - Fix userspace signal failures on 32-bit kernel due to a bug in vDSO - Fix 32-bit load-word unalignment exception handler which returned wrong values" * tag 'for-5.19/parisc-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Fix vDSO signal breakage on 32-bit kernel parisc/unaligned: Fix emulate_ldw() breakage commit aa78fa905b4431c432071a878da99c2b37fc0e79 Author: Helge Deller Date: Fri Jul 1 09:00:41 2022 +0200 parisc: Fix vDSO signal breakage on 32-bit kernel Addition of vDSO support for parisc in kernel v5.18 suddenly broke glibc signal testcases on a 32-bit kernel. The trampoline code (sigtramp.S) which is mapped into userspace includes an offset to the context data on the stack, which is used by gdb and glibc to get access to registers. In a 32-bit kernel we used by mistake the offset into the compat context (which is valid on a 64-bit kernel only) instead of the offset into the "native" 32-bit context. Reported-by: John David Anglin Tested-by: John David Anglin Fixes: df24e1783e6e ("parisc: Add vDSO support") CC: stable@vger.kernel.org # 5.18 Signed-off-by: Helge Deller commit bb7c51268776941b7533374caabcaaed302b91e0 Merge: 5411de0733623 ff898552fb32d Author: Linus Torvalds Date: Sat Jul 2 09:28:36 2022 -0700 Merge tag 'perf-tools-fixes-for-v5.19-2022-07-02' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux Pull perf tools fixes from Arnaldo Carvalho de Melo: - BPF program info linear (BPIL) data is accessed assuming 64-bit alignment resulting in undefined behavior as the data is just byte aligned. Fix it, Found using -fsanitize=undefined. - Fix 'perf offcpu' build on old kernels wrt task_struct's state/__state field. - Fix perf_event_attr.sample_type setting on the 'offcpu-time' event synthesized by the 'perf offcpu' tool. - Don't bail out when synthesizing PERF_RECORD_ events for pre-existing threads when one goes away while parsing its procfs entries. - Don't sort the task scan result from /proc, its not needed and introduces bugs when the main thread isn't the first one to be processed. - Fix uninitialized 'offset' variable on aarch64 in the unwind code. - Sync KVM headers with the kernel sources. * tag 'perf-tools-fixes-for-v5.19-2022-07-02' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: perf synthetic-events: Ignore dead threads during event synthesis perf synthetic-events: Don't sort the task scan result from /proc perf unwind: Fix unitialized 'offset' variable on aarch64 tools headers UAPI: Sync linux/kvm.h with the kernel sources perf bpf: 8 byte align bpil data tools kvm headers arm64: Update KVM headers from the kernel sources perf offcpu: Accept allowed sample types only perf offcpu: Fix build failure on old kernels commit 5411de073362300d99bb35d46d77d656760e4606 Merge: 089866061428e ac790d09885d3 Author: Linus Torvalds Date: Sat Jul 2 09:11:44 2022 -0700 Merge tag 'powerpc-5.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: - Fix BPF uapi confusion about the correct type of bpf_user_pt_regs_t. - Fix virt_addr_valid() when memory is hotplugged above the boot-time high_memory value. - Fix a bug in 64-bit Book3E map_kernel_page() which would incorrectly allocate a PMD page at PUD level. - Fix a couple of minor issues found since we enabled KASAN for 64-bit Book3S. Thanks to Aneesh Kumar K.V, Cédric Le Goater, Christophe Leroy, Kefeng Wang, Liam Howlett, Nathan Lynch, and Naveen N. Rao. * tag 'powerpc-5.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/memhotplug: Add add_pages override for PPC powerpc/bpf: Fix use of user_pt_regs in uapi powerpc/prom_init: Fix kernel config grep powerpc/book3e: Fix PUD allocation size in map_kernel_page() powerpc/xive/spapr: correct bitmap allocation size commit 3d5a2a396f19874b02196268a567a529ad5c7448 Author: Karsten Graul Date: Fri Jul 1 20:41:43 2022 +0200 MAINTAINERS: add Wenjia as SMC maintainer Add Wenjia as maintainer for Shared Memory Communications (SMC) Sockets. Acked-by: Wenjia Zhang Acked-by: Alexandra Winter Signed-off-by: Karsten Graul Signed-off-by: David S. Miller commit 2cd37c2e72449a7add6da1183d20a6247d6db111 Author: Shuah Khan Date: Fri Jul 1 10:53:52 2022 -0600 misc: rtsx_usb: set return value in rsp_buf alloc err path Set return value in rsp_buf alloc error path before going to error handling. drivers/misc/cardreader/rtsx_usb.c:639:6: warning: variable 'ret' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized] if (!ucr->rsp_buf) ^~~~~~~~~~~~~ drivers/misc/cardreader/rtsx_usb.c:678:9: note: uninitialized use occurs here return ret; ^~~ drivers/misc/cardreader/rtsx_usb.c:639:2: note: remove the 'if' if its condition is always false if (!ucr->rsp_buf) ^~~~~~~~~~~~~~~~~~ drivers/misc/cardreader/rtsx_usb.c:622:9: note: initialize the variable 'ret' to silence this warning int ret; ^ = 0 Fixes: 3776c7855985 ("misc: rtsx_usb: use separate command and response buffers") Reported-by: kernel test robot Cc: stable Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/20220701165352.15687-1-skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit ff898552fb32d255517fb0676f9fa500664c484d Author: Namhyung Kim Date: Fri Jul 1 13:54:58 2022 -0700 perf synthetic-events: Ignore dead threads during event synthesis When it synthesize various task events, it scans the list of task first and then accesses later. There's a window threads can die between the two and proc entries may not be available. Instead of bailing out, we can ignore that thread and move on. Signed-off-by: Namhyung Kim Acked-by: Ian Rogers Cc: Jiri Olsa Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20220701205458.985106-2-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo commit 363afa3aef24f5e08df6a539f5dc3aae4cddcc1a Author: Namhyung Kim Date: Fri Jul 1 13:54:57 2022 -0700 perf synthetic-events: Don't sort the task scan result from /proc It should not sort the result as procfs already returns a proper ordering of tasks. Actually sorting the order caused problems that it doesn't guararantee to process the main thread first. Signed-off-by: Namhyung Kim Acked-by: Ian Rogers Cc: Jiri Olsa Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20220701205458.985106-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo commit 5eb502b2e1ae1ab052cdf6bdd7615217e8517360 Author: Ivan Babrou Date: Fri Jul 1 11:20:46 2022 -0700 perf unwind: Fix unitialized 'offset' variable on aarch64 Commit dc2cf4ca866f5715 ("perf unwind: Fix segbase for ld.lld linked objects") uncovered the following issue on aarch64: util/unwind-libunwind-local.c: In function 'find_proc_info': util/unwind-libunwind-local.c:386:28: error: 'offset' may be used uninitialized in this function [-Werror=maybe-uninitialized] 386 | if (ofs > 0) { | ^ util/unwind-libunwind-local.c:199:22: note: 'offset' was declared here 199 | u64 address, offset; | ^~~~~~ util/unwind-libunwind-local.c:371:20: error: 'offset' may be used uninitialized in this function [-Werror=maybe-uninitialized] 371 | if (ofs <= 0) { | ^ util/unwind-libunwind-local.c:199:22: note: 'offset' was declared here 199 | u64 address, offset; | ^~~~~~ util/unwind-libunwind-local.c:363:20: error: 'offset' may be used uninitialized in this function [-Werror=maybe-uninitialized] 363 | if (ofs <= 0) { | ^ util/unwind-libunwind-local.c:199:22: note: 'offset' was declared here 199 | u64 address, offset; | ^~~~~~ In file included from util/libunwind/arm64.c:37: Fixes: dc2cf4ca866f5715 ("perf unwind: Fix segbase for ld.lld linked objects") Signed-off-by: Ivan Babrou Cc: Alexander Shishkin Cc: Fangrui Song Cc: Ian Rogers Cc: James Clark Cc: Jiri Olsa Cc: kernel-team@cloudflare.com Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20220701182046.12589-1-ivan@cloudflare.com Signed-off-by: Arnaldo Carvalho de Melo commit d28b25a62a47a8c8aa19bd543863aab6717e68c9 Author: Hangbin Liu Date: Thu Jun 30 14:22:28 2022 +0800 selftests/net: fix section name when using xdp_dummy.o Since commit 8fffa0e3451a ("selftests/bpf: Normalize XDP section names in selftests") the xdp_dummy.o's section name has changed to xdp. But some tests are still using "section xdp_dummy", which make the tests failed. Fix them by updating to the new section name. Fixes: 8fffa0e3451a ("selftests/bpf: Normalize XDP section names in selftests") Signed-off-by: Hangbin Liu Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20220630062228.3453016-1-liuhangbin@gmail.com Signed-off-by: Jakub Kicinski commit bc38fae3a68b5140a39e2948de2b5b301438abfe Merge: 8dfeee9dc52cb a49b8ce7306cf Author: Jakub Kicinski Date: Fri Jul 1 19:56:28 2022 -0700 Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== pull-request: bpf 2022-07-02 We've added 7 non-merge commits during the last 14 day(s) which contain a total of 6 files changed, 193 insertions(+), 86 deletions(-). The main changes are: 1) Fix clearing of page contiguity when unmapping XSK pool, from Ivan Malov. 2) Two verifier fixes around bounds data propagation, from Daniel Borkmann. 3) Fix fprobe sample module's parameter descriptions, from Masami Hiramatsu. 4) General BPF maintainer entry revamp to better scale patch reviews. * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf, selftests: Add verifier test case for jmp32's jeq/jne bpf, selftests: Add verifier test case for imm=0,umin=0,umax=1 scalar bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals bpf: Fix incorrect verifier simulation around jmp32's jeq/jne xsk: Clear page contiguity bit when unmapping pool bpf, docs: Better scale maintenance of BPF subsystem fprobe, samples: Add module parameter descriptions ==================== Link: https://lore.kernel.org/r/20220701230121.10354-1-daniel@iogearbox.net Signed-off-by: Jakub Kicinski commit 089866061428ec9bf67221247c936792078c41a4 Merge: 1ce8c443e9569 ef9102004a87c Author: Linus Torvalds Date: Fri Jul 1 16:58:19 2022 -0700 Merge tag 'libnvdimm-fixes-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull libnvdimm fix from Vishal Verma: - Fix a bug in the libnvdimm 'BTT' (Block Translation Table) driver where accounting for poison blocks to be cleared was off by one, causing a failure to clear the the last badblock in an nvdimm region. * tag 'libnvdimm-fixes-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: nvdimm: Fix badblocks clear off-by-one error commit 2cc39179acbbe524127f0427cee92b629db4d64b Author: Masahiro Yamada Date: Wed Jun 15 06:33:03 2022 +0900 doc: module: update file references Adjust documents to the file moves made by commit cfc1d277891e ("module: Move all into module/"). Thanks to Yanteng Si for helping me to update Documentation/translations/zh_CN/core-api/kernel-api.rst Signed-off-by: Masahiro Yamada Acked-by: Yanteng Si Signed-off-by: Luis Chamberlain commit f963ef123900ac534aeb6141642e5351989ac14c Author: Christophe Leroy Date: Sun Jun 12 17:33:20 2022 +0200 module: Fix "warning: variable 'exit' set but not used" When CONFIG_MODULE_UNLOAD is not selected, 'exit' is set but never used. It is not possible to replace the #ifdef CONFIG_MODULE_UNLOAD by IS_ENABLED(CONFIG_MODULE_UNLOAD) because mod->exit doesn't exist when CONFIG_MODULE_UNLOAD is not selected. And because of the rcu_read_lock_sched() section it is not easy to regroup everything in a single #ifdef. Let's regroup partially and add missing #ifdef to completely opt out the use of 'exit' when CONFIG_MODULE_UNLOAD is not selected. Reported-by: kernel test robot Signed-off-by: Christophe Leroy Signed-off-by: Luis Chamberlain commit cfa94c538be621a0ba645adfa9ead005b5fa02f6 Author: Christophe Leroy Date: Sun Jun 12 17:21:56 2022 +0200 module: Fix selfAssignment cppcheck warning cppcheck reports the following warnings: kernel/module/main.c:1455:26: warning: Redundant assignment of 'mod->core_layout.size' to itself. [selfAssignment] mod->core_layout.size = strict_align(mod->core_layout.size); ^ kernel/module/main.c:1489:26: warning: Redundant assignment of 'mod->init_layout.size' to itself. [selfAssignment] mod->init_layout.size = strict_align(mod->init_layout.size); ^ kernel/module/main.c:1493:26: warning: Redundant assignment of 'mod->init_layout.size' to itself. [selfAssignment] mod->init_layout.size = strict_align(mod->init_layout.size); ^ kernel/module/main.c:1504:26: warning: Redundant assignment of 'mod->init_layout.size' to itself. [selfAssignment] mod->init_layout.size = strict_align(mod->init_layout.size); ^ kernel/module/main.c:1459:26: warning: Redundant assignment of 'mod->data_layout.size' to itself. [selfAssignment] mod->data_layout.size = strict_align(mod->data_layout.size); ^ kernel/module/main.c:1463:26: warning: Redundant assignment of 'mod->data_layout.size' to itself. [selfAssignment] mod->data_layout.size = strict_align(mod->data_layout.size); ^ kernel/module/main.c:1467:26: warning: Redundant assignment of 'mod->data_layout.size' to itself. [selfAssignment] mod->data_layout.size = strict_align(mod->data_layout.size); ^ This is due to strict_align() being a no-op when CONFIG_STRICT_MODULE_RWX is not selected. Transform strict_align() macro into an inline function. It will allow type checking and avoid the selfAssignment warning. Reported-by: kernel test robot Signed-off-by: Christophe Leroy Signed-off-by: Luis Chamberlain commit 35adf9a4e55e0b0a9d5e313e65ad83681dc32e9a Author: Adrian Hunter Date: Fri Jul 1 12:44:03 2022 +0300 modules: Fix corruption of /proc/kallsyms The commit 91fb02f31505 ("module: Move kallsyms support into a separate file") changed from using strlcpy() to using strscpy() which created a buffer overflow. That happened because: 1) an incorrect value was passed as the buffer length 2) strscpy() (unlike strlcpy()) may copy beyond the length of the input string when copying word-by-word. The assumption was that because it was already known that the strings being copied would fit in the space available, it was not necessary to correctly set the buffer length. strscpy() breaks that assumption because although it will not touch bytes beyond the given buffer length it may write bytes beyond the input string length when writing word-by-word. The result of the buffer overflow is to corrupt the symbol type information that follows. e.g. $ sudo cat -v /proc/kallsyms | grep '\^' | head ffffffffc0615000 ^@ rfcomm_session_get [rfcomm] ffffffffc061c060 ^@ session_list [rfcomm] ffffffffc06150d0 ^@ rfcomm_send_frame [rfcomm] ffffffffc0615130 ^@ rfcomm_make_uih [rfcomm] ffffffffc07ed58d ^@ bnep_exit [bnep] ffffffffc07ec000 ^@ bnep_rx_control [bnep] ffffffffc07ec1a0 ^@ bnep_session [bnep] ffffffffc07e7000 ^@ input_leds_event [input_leds] ffffffffc07e9000 ^@ input_leds_handler [input_leds] ffffffffc07e7010 ^@ input_leds_disconnect [input_leds] Notably, the null bytes (represented above by ^@) can confuse tools. Fix by correcting the buffer length. Fixes: 91fb02f31505 ("module: Move kallsyms support into a separate file") Signed-off-by: Adrian Hunter Signed-off-by: Luis Chamberlain commit f99d621133ef48c9ace6416e864ffacba1cb2bc8 Merge: d95ce66d4cc3b 34d2cd3fccced Author: Arnd Bergmann Date: Fri Jul 1 22:27:45 2022 +0200 Merge tag 'amlogic-arm-for-v5.20' of git://git.kernel.org/pub/scm/linux/kernel/git/amlogic/linux into arm/fixes Amlogic ARM mach-meson changes for v5.20: - Fix refcount leak in meson_smp_prepare_cpus * tag 'amlogic-arm-for-v5.20' of git://git.kernel.org/pub/scm/linux/kernel/git/amlogic/linux: ARM: meson: Fix refcount leak in meson_smp_prepare_cpus Link: https://lore.kernel.org/r/cbf6bcb5-c7be-40fe-4436-4578c9d6c532@baylibre.com Signed-off-by: Arnd Bergmann commit d95ce66d4cc3b088308821de185cb372097fec84 Merge: 1f66f63c7312e 4ce7e51dc712f Author: Arnd Bergmann Date: Fri Jul 1 22:25:43 2022 +0200 Merge tag 'scmi-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into arm/fixes Arm SCMI firmware driver fixes for v5.19 Few more fixes to address: 1. Issue reported on Juno with HDLCD clock which turned out to be yet another firmware issue. The firmware is not conformant to the spec and we now have to workaround as this may be copied to other platforms as well. The spec expects to return size of 3 for a range clock rate description while the firmware returns 1. We have other ways to validate all the 3 entries the driver reads are polpulated and we use the same to workaround this firmware bug. 2. Optee transport not setting the correct reponse length which is similar to the one reported earlier on Rockchip platform. 3. Drop the usage of the deprecated ida_simple_{get,remove} and migrate to the ida_{alloc,free} * tag 'scmi-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: firmware: arm_scmi: Remove usage of the deprecated ida_simple_xxx API firmware: arm_scmi: Fix response size warning for OPTEE transport firmware: arm_scmi: Relax CLOCK_DESCRIBE_RATES out-of-spec checks Link: https://lore.kernel.org/r/20220628133315.699803-1-sudeep.holla@arm.com Signed-off-by: Arnd Bergmann commit 1ce8c443e95698cecc32cc8ed5ff4b72da61eed4 Merge: 9ee7827668c7c 62f46fc7b8c63 Author: Linus Torvalds Date: Fri Jul 1 13:00:47 2022 -0700 Merge tag 'thermal-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull thermal control fix from Rafael Wysocki: "Add a new CPU ID to the list of supported processors in the intel_tcc_cooling driver (Sumeet Pawnikar)" * tag 'thermal-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: thermal: intel_tcc_cooling: Add TCC cooling support for RaptorLake commit a49b8ce7306cf8031361a6a4f7f6bc7a775a39c8 Author: Daniel Borkmann Date: Fri Jul 1 14:47:27 2022 +0200 bpf, selftests: Add verifier test case for jmp32's jeq/jne Add a test case to trigger the verifier's incorrect conclusion in the case of jmp32's jeq/jne. Also here, make use of dead code elimination, so that we can see the verifier bailing out on unfixed kernels. Before: # ./test_verifier 724 #724/p jeq32/jne32: bounds checking FAIL Failed to load prog 'Permission denied'! R4 !read_ok verification time 8 usec stack depth 0 processed 8 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 0 Summary: 0 PASSED, 0 SKIPPED, 1 FAILED After: # ./test_verifier 724 #724/p jeq32/jne32: bounds checking OK Summary: 1 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220701124727.11153-4-daniel@iogearbox.net commit 73c4936f916de73fa3faec204a4deb37c25e18c1 Author: Daniel Borkmann Date: Fri Jul 1 14:47:26 2022 +0200 bpf, selftests: Add verifier test case for imm=0,umin=0,umax=1 scalar Add a test case to trigger the constant scalar issue which leaves the register in scalar(imm=0,umin=0,umax=1,var_off=(0x0; 0x0)) state. Make use of dead code elimination, so that we can see the verifier bailing out on unfixed kernels. For the condition, we use jle given it checks on umax bound. Before: # ./test_verifier 743 #743/p jump & dead code elimination FAIL Failed to load prog 'Permission denied'! R4 !read_ok verification time 11 usec stack depth 0 processed 13 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1 Summary: 0 PASSED, 0 SKIPPED, 1 FAILED After: # ./test_verifier 743 #743/p jump & dead code elimination OK Summary: 1 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: Daniel Borkmann Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220701124727.11153-3-daniel@iogearbox.net commit 3844d153a41adea718202c10ae91dc96b37453b5 Author: Daniel Borkmann Date: Fri Jul 1 14:47:25 2022 +0200 bpf: Fix insufficient bounds propagation from adjust_scalar_min_max_vals Kuee reported a corner case where the tnum becomes constant after the call to __reg_bound_offset(), but the register's bounds are not, that is, its min bounds are still not equal to the register's max bounds. This in turn allows to leak pointers through turning a pointer register as is into an unknown scalar via adjust_ptr_min_max_vals(). Before: func#0 @0 0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) 0: (b7) r0 = 1 ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) 1: (b7) r3 = 0 ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0)) 2: (87) r3 = -r3 ; R3_w=scalar() 3: (87) r3 = -r3 ; R3_w=scalar() 4: (47) r3 |= 32767 ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881) 5: (75) if r3 s>= 0x0 goto pc+1 ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767) 6: (95) exit from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) 7: (d5) if r3 s<= 0x8000 goto pc+1 ; R3=scalar(umin=32769,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767) 8: (95) exit from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) 9: (07) r3 += -32767 ; R3_w=scalar(imm=0,umax=1,var_off=(0x0; 0x0)) <--- [*] 10: (95) exit What can be seen here is that R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) after the operation R3 += -32767 results in a 'malformed' constant, that is, R3_w=scalar(imm=0,umax=1,var_off=(0x0; 0x0)). Intersecting with var_off has not been done at that point via __update_reg_bounds(), which would have improved the umax to be equal to umin. Refactor the tnum <> min/max bounds information flow into a reg_bounds_sync() helper and use it consistently everywhere. After the fix, bounds have been corrected to R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0)) and thus the register is regarded as a 'proper' constant scalar of 0. After: func#0 @0 0: R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) 0: (b7) r0 = 1 ; R0_w=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) 1: (b7) r3 = 0 ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0)) 2: (87) r3 = -r3 ; R3_w=scalar() 3: (87) r3 = -r3 ; R3_w=scalar() 4: (47) r3 |= 32767 ; R3_w=scalar(smin=-9223372036854743041,umin=32767,var_off=(0x7fff; 0xffffffffffff8000),s32_min=-2147450881) 5: (75) if r3 s>= 0x0 goto pc+1 ; R3_w=scalar(umin=9223372036854808575,var_off=(0x8000000000007fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767) 6: (95) exit from 5 to 7: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) 7: (d5) if r3 s<= 0x8000 goto pc+1 ; R3=scalar(umin=32769,umax=9223372036854775807,var_off=(0x7fff; 0x7fffffffffff8000),s32_min=-2147450881,u32_min=32767) 8: (95) exit from 7 to 9: R0=scalar(imm=1,umin=1,umax=1,var_off=(0x1; 0x0)) R1=ctx(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) R3=scalar(umin=32767,umax=32768,var_off=(0x7fff; 0x8000)) R10=fp(off=0,imm=0,umax=0,var_off=(0x0; 0x0)) 9: (07) r3 += -32767 ; R3_w=scalar(imm=0,umax=0,var_off=(0x0; 0x0)) <--- [*] 10: (95) exit Fixes: b03c9f9fdc37 ("bpf/verifier: track signed and unsigned min/max values") Reported-by: Kuee K1r0a Signed-off-by: Daniel Borkmann Signed-off-by: Andrii Nakryiko Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220701124727.11153-2-daniel@iogearbox.net commit a12ca6277eca6aeeccf66e840c23a2b520e24c8f Author: Daniel Borkmann Date: Fri Jul 1 14:47:24 2022 +0200 bpf: Fix incorrect verifier simulation around jmp32's jeq/jne Kuee reported a quirk in the jmp32's jeq/jne simulation, namely that the register value does not match expectations for the fall-through path. For example: Before fix: 0: R1=ctx(off=0,imm=0) R10=fp0 0: (b7) r2 = 0 ; R2_w=P0 1: (b7) r6 = 563 ; R6_w=P563 2: (87) r2 = -r2 ; R2_w=Pscalar() 3: (87) r2 = -r2 ; R2_w=Pscalar() 4: (4c) w2 |= w6 ; R2_w=Pscalar(umin=563,umax=4294967295,var_off=(0x233; 0xfffffdcc),s32_min=-2147483085) R6_w=P563 5: (56) if w2 != 0x8 goto pc+1 ; R2_w=P571 <--- [*] 6: (95) exit R0 !read_ok After fix: 0: R1=ctx(off=0,imm=0) R10=fp0 0: (b7) r2 = 0 ; R2_w=P0 1: (b7) r6 = 563 ; R6_w=P563 2: (87) r2 = -r2 ; R2_w=Pscalar() 3: (87) r2 = -r2 ; R2_w=Pscalar() 4: (4c) w2 |= w6 ; R2_w=Pscalar(umin=563,umax=4294967295,var_off=(0x233; 0xfffffdcc),s32_min=-2147483085) R6_w=P563 5: (56) if w2 != 0x8 goto pc+1 ; R2_w=P8 <--- [*] 6: (95) exit R0 !read_ok As can be seen on line 5 for the branch fall-through path in R2 [*] is that given condition w2 != 0x8 is false, verifier should conclude that r2 = 8 as upper 32 bit are known to be zero. However, verifier incorrectly concludes that r2 = 571 which is far off. The problem is it only marks false{true}_reg as known in the switch for JE/NE case, but at the end of the function, it uses {false,true}_{64,32}off to update {false,true}_reg->var_off and they still hold the prior value of {false,true}_reg->var_off before it got marked as known. The subsequent __reg_combine_32_into_64() then propagates this old var_off and derives new bounds. The information between min/max bounds on {false,true}_reg from setting the register to known const combined with the {false,true}_reg->var_off based on the old information then derives wrong register data. Fix it by detangling the BPF_JEQ/BPF_JNE cases and updating relevant {false,true}_{64,32}off tnums along with the register marking to known constant. Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") Reported-by: Kuee K1r0a Signed-off-by: Daniel Borkmann Signed-off-by: Andrii Nakryiko Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220701124727.11153-1-daniel@iogearbox.net commit 9ee7827668c7c30f587b0101c4e6240672a4f429 Merge: b336ad598a3bb bc621588ff591 Author: Linus Torvalds Date: Fri Jul 1 12:55:28 2022 -0700 Merge tag 'pm-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These fix some issues in cpufreq drivers and some issues in devfreq: - Fix error code path issues related PROBE_DEFER handling in devfreq (Christian Marangi) - Revert an editing accident in SPDX-License line in the devfreq passive governor (Lukas Bulwahn) - Fix refcount leak in of_get_devfreq_events() in the exynos-ppmu devfreq driver (Miaoqian Lin) - Use HZ_PER_KHZ macro in the passive devfreq governor (Yicong Yang) - Fix missing of_node_put for qoriq and pmac32 driver (Liang He) - Fix issues around throttle interrupt for qcom driver (Stephen Boyd) - Add MT8186 to cpufreq-dt-platdev blocklist (AngeloGioacchino Del Regno) - Make amd-pstate enable CPPC on resume from S3 (Jinzhou Su)" * tag 'pm-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM / devfreq: passive: revert an editing accident in SPDX-License line PM / devfreq: Fix kernel warning with cpufreq passive register fail PM / devfreq: Rework freq_table to be local to devfreq struct PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events PM / devfreq: passive: Use HZ_PER_KHZ macro in units.h PM / devfreq: Fix cpufreq passive unregister erroring on PROBE_DEFER PM / devfreq: Mute warning on governor PROBE_DEFER PM / devfreq: Fix kernel panic with cpu based scaling to passive gov cpufreq: Add MT8186 to cpufreq-dt-platdev blocklist cpufreq: pmac32-cpufreq: Fix refcount leak bug cpufreq: qcom-hw: Don't do lmh things without a throttle interrupt drivers: cpufreq: Add missing of_node_put() in qoriq-cpufreq.c cpufreq: amd-pstate: Add resume and suspend callbacks commit bc621588ff591564ea01ad107e7bae869c1c0285 Merge: 589cb2c0b8daf 049b1ed9bef1e Author: Rafael J. Wysocki Date: Fri Jul 1 21:43:08 2022 +0200 Merge branch 'pm-cpufreq' Merge cpufreq fixes for 5.19-rc5, including ARM cpufreq fixes and the following one: - Make amd-pstate enable CPPC on resume from S3 (Jinzhou Su). * pm-cpufreq: cpufreq: Add MT8186 to cpufreq-dt-platdev blocklist cpufreq: pmac32-cpufreq: Fix refcount leak bug cpufreq: qcom-hw: Don't do lmh things without a throttle interrupt drivers: cpufreq: Add missing of_node_put() in qoriq-cpufreq.c cpufreq: amd-pstate: Add resume and suspend callbacks commit b336ad598a3bbeddfdb71d86349b9d4024bddefe Merge: d0f67adb79069 d0e51022a025c Author: Linus Torvalds Date: Fri Jul 1 12:05:27 2022 -0700 Merge tag 'hwmon-for-v5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: - Fix error handling in ibmaem driver initialization - Fix bad data reported by occ driver after setting power cap - Fix typos in pmbus/ucd9200 driver comments * tag 'hwmon-for-v5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (ibmaem) don't call platform_device_del() if platform_device_add() fails hwmon: (pmbus/ucd9200) fix typos in comments hwmon: (occ) Prevent power cap command overwriting poll response commit 887371066039011144b4a94af97d9328df6869a2 Author: Rafael J. Wysocki Date: Thu Jun 30 21:16:41 2022 +0200 PM: runtime: Fix supplier device management during consumer probe Because pm_runtime_get_suppliers() bumps up the rpm_active counter of each device link to a supplier of the given device in addition to bumping up the supplier's PM-runtime usage counter, a runtime suspend of the consumer device may case the latter to go down to 0 when pm_runtime_put_suppliers() is running on a remote CPU. If that happens after pm_runtime_put_suppliers() has released power.lock for the consumer device, and a runtime resume of that device takes place immediately after it, before pm_runtime_put() is called for the supplier, that pm_runtime_put() call may cause the supplier to be suspended even though the consumer is active. To prevent that from happening, modify pm_runtime_get_suppliers() to call pm_runtime_get_sync() for the given device's suppliers without touching the rpm_active counters of the involved device links Accordingly, modify pm_runtime_put_suppliers() to call pm_runtime_put() for the given device's suppliers without looking at the rpm_active counters of the device links at hand. [This is analogous to what happened before commit 4c06c4e6cf63 ("driver core: Fix possible supplier PM-usage counter imbalance").] Since pm_runtime_get_suppliers() sets supplier_preactivated for each device link where the supplier's PM-runtime usage counter has been incremented and pm_runtime_put_suppliers() calls pm_runtime_put() for the suppliers whose device links have supplier_preactivated set, the PM-runtime usage counter is balanced for each supplier and this is independent of the runtime suspend and resume of the consumer device. However, in case a device link with DL_FLAG_PM_RUNTIME set is dropped during the consumer device probe, so pm_runtime_get_suppliers() bumps up the supplier's PM-runtime usage counter, but it cannot be dropped by pm_runtime_put_suppliers(), make device_link_release_fn() take care of that. Fixes: 4c06c4e6cf63 ("driver core: Fix possible supplier PM-usage counter imbalance") Reported-by: Peter Wang Signed-off-by: Rafael J. Wysocki Reviewed-by: Greg Kroah-Hartman Reviewed-by: Peter Wang Cc: 5.1+ # 5.1+ commit 07358194badf73e267289b40b761f5dc56928eab Author: Rafael J. Wysocki Date: Mon Jun 27 20:42:18 2022 +0200 PM: runtime: Redefine pm_runtime_release_supplier() Instead of passing an extra bool argument to pm_runtime_release_supplier(), make its callers take care of triggering a runtime-suspend of the supplier device as needed. No expected functional impact. Suggested-by: Greg Kroah-Hartman Signed-off-by: Rafael J. Wysocki Reviewed-by: Greg Kroah-Hartman Cc: 5.1+ # 5.1+ commit d0e51022a025ca5350fafb8e413a6fe5d4baf833 Author: Yang Yingliang Date: Fri Jul 1 15:41:53 2022 +0800 hwmon: (ibmaem) don't call platform_device_del() if platform_device_add() fails If platform_device_add() fails, it no need to call platform_device_del(), split platform_device_unregister() into platform_device_del/put(), so platform_device_put() can be called separately. Fixes: 8808a793f052 ("ibmaem: new driver for power/energy/temp meters in IBM System X hardware") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20220701074153.4021556-1-yangyingliang@huawei.com Signed-off-by: Guenter Roeck commit d0f67adb790698017030365e90e9e394de7cac7c Merge: cec84e7547d3f 4109823037729 Author: Linus Torvalds Date: Fri Jul 1 11:23:21 2022 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fix from Catalin Marinas: "Restore TLB invalidation for the 'break-before-make' rule on contiguous ptes (missed in a recent clean-up)" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: hugetlb: Restore TLB invalidation for BBM on contiguous ptes commit cec84e7547d3f95b3fa4ded1618cb43d5d98a76a Merge: 76ff294e16192 d7d488f41b41a Author: Linus Torvalds Date: Fri Jul 1 11:19:14 2022 -0700 Merge tag 's390-5.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Alexander Gordeev: - Fix purgatory build process so bin2c tool does not get built unnecessarily and the Makefile is more consistent with other architectures. - Return earlier simple design of arch_get_random_seed_long|int() and arch_get_random_long|int() callbacks as result of changes in generic RNG code. - Fix minor comment typos and spelling mistakes. * tag 's390-5.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/qdio: Fix spelling mistake s390/sclp: Fix typo in comments s390/archrandom: simplify back to earlier design and initialize earlier s390/purgatory: remove duplicated build rule of kexec-purgatory.o s390/purgatory: hard-code obj-y in Makefile s390: remove unneeded 'select BUILD_BIN2C' commit 76ff294e161921e9867ad68775ba95a210eb5ec3 Merge: 6f8693ea2bfe8 4f40a5b554461 Author: Linus Torvalds Date: Fri Jul 1 11:11:32 2022 -0700 Merge tag 'nfs-for-5.19-3' of git://git.linux-nfs.org/projects/anna/linux-nfs Pull NFS client fixes from Anna Schumaker: - Allocate a fattr for _nfs4_discover_trunking() - Fix module reference count leak in nfs4_run_state_manager() * tag 'nfs-for-5.19-3' of git://git.linux-nfs.org/projects/anna/linux-nfs: NFSv4: Add an fattr allocation to _nfs4_discover_trunking() NFS: restore module put when manager exits. commit 6f8693ea2bfe8c10a859841b907bc7c8f41dbd55 Merge: 8300d380309a4 8692969e9164c Author: Linus Torvalds Date: Fri Jul 1 11:06:21 2022 -0700 Merge tag 'ceph-for-5.19-rc5' of https://github.com/ceph/ceph-client Pull ceph fix from Ilya Dryomov: "A ceph filesystem fix, marked for stable. There appears to be a deeper issue on the MDS side, but for now we are going with this one-liner to avoid busy looping and potential soft lockups" * tag 'ceph-for-5.19-rc5' of https://github.com/ceph/ceph-client: ceph: wait on async create before checking caps for syncfs commit 8300d380309a47b4f960379667278bcfa4d901e1 Merge: 0a35d1622d5cd 617b365872a24 Author: Linus Torvalds Date: Fri Jul 1 10:58:39 2022 -0700 Merge tag 'for-5.19/dm-fixes-5' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: "Three fixes for invalid memory accesses discovered by using KASAN while running the lvm2 testsuite's dm-raid tests. Includes changes to MD's raid5.c given the dependency dm-raid has on the MD code" * tag 'for-5.19/dm-fixes-5' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm raid: fix KASAN warning in raid5_add_disks dm raid: fix KASAN warning in raid5_remove_disk dm raid: fix accesses beyond end of raid member array commit 0a35d1622d5cd7693d75b7124913c75a7e3fabd0 Merge: d516e221e2fb8 09007af2b627f Author: Linus Torvalds Date: Fri Jul 1 10:52:01 2022 -0700 Merge tag 'io_uring-5.19-2022-07-01' of git://git.kernel.dk/linux-block Pull io_uring fixes from Jens Axboe: "Two minor tweaks: - While we still can, adjust the send/recv based flags to be in ->ioprio rather than in ->addr2. This is consistent with eg accept, and also doesn't waste a full 64-bit field for flags (Pavel) - 5.18-stable fix for re-importing provided buffers. Not much real world relevance here as it'll only impact non-pollable files gone async, which is more of a practical test case rather than something that is used in the wild (Dylan)" * tag 'io_uring-5.19-2022-07-01' of git://git.kernel.dk/linux-block: io_uring: fix provided buffer import io_uring: keep sendrecv flags in ioprio commit d516e221e2fb88cd31c7ea29d743045efc4e69dd Merge: 067c227379c0e f3163d8567adb Author: Linus Torvalds Date: Fri Jul 1 10:42:10 2022 -0700 Merge tag 'block-5.19-2022-07-01' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: - Fix for batch getting of tags in sbitmap (wuchi) - NVMe pull request via Christoph: - More quirks (Lamarque Vieira Souza, Pablo Greco) - Fix a fabrics disconnect regression (Ruozhu Li) - Fix a nvmet-tcp data_digest calculation regression (Sagi Grimberg) - Fix nvme-tcp send failure handling (Sagi Grimberg) - Fix a regression with nvmet-loop and passthrough controllers (Alan Adamson) * tag 'block-5.19-2022-07-01' of git://git.kernel.dk/linux-block: nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA IM2P33F8ABR1 nvmet: add a clear_ids attribute for passthru targets nvme: fix regression when disconnect a recovering ctrl nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA XPG SX6000LNP (AKA SPECTRIX S40G) nvme-tcp: always fail a request when sending it failed nvmet-tcp: fix regression in data_digest calculation lib/sbitmap: Fix invalid loop in __sbitmap_queue_get_batch() commit 067c227379c0ec96cb19ed9aacea6b1281982368 Merge: 690685ffcdcec fce54ed027577 Author: Linus Torvalds Date: Fri Jul 1 10:38:17 2022 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fix from James Bottomley: "One simple driver fix for a dma overrun" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: hisi_sas: Limit max hw sectors for v3 HW commit 690685ffcdcec3975f45eafe3dcf4bff29aa1676 Merge: 9650910d05a31 32788beb103f7 Author: Linus Torvalds Date: Fri Jul 1 10:31:44 2022 -0700 Merge tag 'ata-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata Pull ATA fix from Damien Le Moal: - Fix a compilation warning with some versions of gcc/sparse when compiling the pata_cs5535 driver, from John. * tag 'ata-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata: ata: pata_cs5535: Fix W=1 warnings commit 410982303772993a86bb7a9cfa7ece34522b2636 Author: Will Deacon Date: Wed Jun 29 10:53:49 2022 +0100 arm64: hugetlb: Restore TLB invalidation for BBM on contiguous ptes Commit fb396bb459c1 ("arm64/hugetlb: Drop TLB flush from get_clear_flush()") removed TLB invalidation from get_clear_flush() [now get_clear_contig()] on the basis that the core TLB invalidation code is aware of hugetlb mappings backed by contiguous page-table entries and will cover the correct virtual address range. However, this change also resulted in the TLB invalidation being removed from the "break" step in the break-before-make (BBM) sequence used internally by huge_ptep_set_{access_flags,wrprotect}(), therefore making the BBM sequence unsafe irrespective of later invalidation. Although the architecture is desperately unclear about how exactly contiguous ptes should be updated in a live page-table, restore TLB invalidation to our BBM sequence under the assumption that BBM is the right thing to be doing in the first place. Fixes: fb396bb459c1 ("arm64/hugetlb: Drop TLB flush from get_clear_flush()") Cc: Ard Biesheuvel Cc: Steve Capper Cc: Anshuman Khandual Cc: Mike Kravetz Cc: Marc Zyngier Signed-off-by: Will Deacon Reviewed-by: Catalin Marinas Reviewed-by: Anshuman Khandual Link: https://lore.kernel.org/r/20220629095349.25748-1-will@kernel.org Signed-off-by: Catalin Marinas commit 9650910d05a31d62f562f90ca15ece685a4c1b9c Merge: a175eca0f3d74 a79e69c8714f4 Author: Linus Torvalds Date: Fri Jul 1 10:01:32 2022 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "Two small fixes - Initialize a spinlock in the stm32 reset code - Add dt bindings to the clk maintainer filepattern" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: MAINTAINERS: add include/dt-bindings/clock to COMMON CLK FRAMEWORK clk: stm32: rcc_reset: Fix missing spin_lock_init() commit 09f7b80fac3e588b282ad26aabd7336d7d293efd Author: Sascha Hauer Date: Fri Jun 17 13:50:42 2022 +0200 dmaengine: imx-sdma: only restart cyclic channel when enabled An interrupt for a channel might be pending even after struct dma_device::device_terminate_all has been called. In that case the recently introduced warning message "restart cyclic channel..." triggers and the channel will be restarted. This is not desired as the channel has just been stopped. Only restart the channel when we still have a descriptor set for it (which will be set to NULL in sdma_terminate_all()). Fixes: 5b215c28b9235 ("dmaengine: imx-sdma: restart cyclic channel if needed") Cc: stable@vger.kernel.org Signed-off-by: Sascha Hauer Link: https://lore.kernel.org/r/20220617115042.4004062-1-s.hauer@pengutronix.de Signed-off-by: Vinod Koul commit 7561cea5dbb97fecb952548a0fb74fb105bf4664 Author: Darrick J. Wong Date: Fri Jul 1 09:08:33 2022 -0700 xfs: prevent a UAF when log IO errors race with unmount KASAN reported the following use after free bug when running generic/475: XFS (dm-0): Mounting V5 Filesystem XFS (dm-0): Starting recovery (logdev: internal) XFS (dm-0): Ending recovery (logdev: internal) Buffer I/O error on dev dm-0, logical block 20639616, async page read Buffer I/O error on dev dm-0, logical block 20639617, async page read XFS (dm-0): log I/O error -5 XFS (dm-0): Filesystem has been shut down due to log error (0x2). XFS (dm-0): Unmounting Filesystem XFS (dm-0): Please unmount the filesystem and rectify the problem(s). ================================================================== BUG: KASAN: use-after-free in do_raw_spin_lock+0x246/0x270 Read of size 4 at addr ffff888109dd84c4 by task 3:1H/136 CPU: 3 PID: 136 Comm: 3:1H Not tainted 5.19.0-rc4-xfsx #rc4 8e53ab5ad0fddeb31cee5e7063ff9c361915a9c4 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Workqueue: xfs-log/dm-0 xlog_ioend_work [xfs] Call Trace: dump_stack_lvl+0x34/0x44 print_report.cold+0x2b8/0x661 ? do_raw_spin_lock+0x246/0x270 kasan_report+0xab/0x120 ? do_raw_spin_lock+0x246/0x270 do_raw_spin_lock+0x246/0x270 ? rwlock_bug.part.0+0x90/0x90 xlog_force_shutdown+0xf6/0x370 [xfs 4ad76ae0d6add7e8183a553e624c31e9ed567318] xlog_ioend_work+0x100/0x190 [xfs 4ad76ae0d6add7e8183a553e624c31e9ed567318] process_one_work+0x672/0x1040 worker_thread+0x59b/0xec0 ? __kthread_parkme+0xc6/0x1f0 ? process_one_work+0x1040/0x1040 ? process_one_work+0x1040/0x1040 kthread+0x29e/0x340 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 Allocated by task 154099: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 kmem_alloc+0x8d/0x2e0 [xfs] xlog_cil_init+0x1f/0x540 [xfs] xlog_alloc_log+0xd1e/0x1260 [xfs] xfs_log_mount+0xba/0x640 [xfs] xfs_mountfs+0xf2b/0x1d00 [xfs] xfs_fs_fill_super+0x10af/0x1910 [xfs] get_tree_bdev+0x383/0x670 vfs_get_tree+0x7d/0x240 path_mount+0xdb7/0x1890 __x64_sys_mount+0x1fa/0x270 do_syscall_64+0x2b/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 154151: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 ____kasan_slab_free+0x110/0x190 slab_free_freelist_hook+0xab/0x180 kfree+0xbc/0x310 xlog_dealloc_log+0x1b/0x2b0 [xfs] xfs_unmountfs+0x119/0x200 [xfs] xfs_fs_put_super+0x6e/0x2e0 [xfs] generic_shutdown_super+0x12b/0x3a0 kill_block_super+0x95/0xd0 deactivate_locked_super+0x80/0x130 cleanup_mnt+0x329/0x4d0 task_work_run+0xc5/0x160 exit_to_user_mode_prepare+0xd4/0xe0 syscall_exit_to_user_mode+0x1d/0x40 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This appears to be a race between the unmount process, which frees the CIL and waits for in-flight iclog IO; and the iclog IO completion. When generic/475 runs, it starts fsstress in the background, waits a few seconds, and substitutes a dm-error device to simulate a disk falling out of a machine. If the fsstress encounters EIO on a pure data write, it will exit but the filesystem will still be online. The next thing the test does is unmount the filesystem, which tries to clean the log, free the CIL, and wait for iclog IO completion. If an iclog was being written when the dm-error switch occurred, it can race with log unmounting as follows: Thread 1 Thread 2 xfs_log_unmount xfs_log_clean xfs_log_quiesce xlog_ioend_work xlog_force_shutdown test_and_set_bit(XLOG_IOERROR) xfs_log_force xfs_log_umount_write xlog_dealloc_log xlog_cil_destroy spin_lock(&log->l_cilp->xc_push_lock) Therefore, free the CIL after waiting for the iclogs to complete. I /think/ this race has existed for quite a few years now, though I don't remember the ~2014 era logging code well enough to know if it was a real threat then or if the actual race was exposed only more recently. Fixes: ac983517ec59 ("xfs: don't sleep in xlog_cil_force_lsn on shutdown") Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner commit 1357d2a65601bc0afb221672d5a8f1649063a141 Author: Wei Yongjun Date: Sat Jun 18 07:28:24 2022 +0000 irqchip/apple-aic: Make symbol 'use_fast_ipi' static The sparse tool complains as follows: drivers/irqchip/irq-apple-aic.c:231:1: warning: symbol 'use_fast_ipi' was not declared. Should it be static? This symbol is not used outside of irq-apple-aic.c, so marks it static. Fixes: 2cf68211664a ("irqchip/apple-aic: Add Fast IPI support") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Reviewed-by: Hector Martin Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220618072824.562350-1-weiyongjun1@huawei.com commit fd31000d58f41588fa10128278efdab8474f5ce8 Author: Jamie Iles Date: Thu Jun 30 12:10:08 2022 +0100 irqchip/xilinx: Add explicit dependency on OF_ADDRESS Commit b84dc7f0e364 ("irqchip/xilinx: Remove microblaze+zynq dependency") relaxed the dependencies on the Xilinx interrupt controller to be OF only, but some OF architectures (s390 for example) do not support OF_ADDRESS and so a build of the driver will result in undefined references to of_iomap/iounmap and friends. Fixes: b84dc7f0e364 ("irqchip/xilinx: Remove microblaze+zynq dependency") Reported-by: kernel test robot Signed-off-by: Jamie Iles Acked-by: Michal Simek Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220630111008.3838307-1-jamie@jamieiles.com commit 1f66f63c7312ee085dc989b3c5fa4b3d09fe9d52 Merge: a38dbb4f2028f 8630354f42bef Author: Arnd Bergmann Date: Fri Jul 1 15:15:21 2022 +0200 Merge tag 'imx-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes i.MX fixes for 5.19, round 2: - Fix the SDIO description for imx7d-smegw01 board to ensure there is no communication made at 1.8V. - Fix pgc_ispdwp power-domain clock, which should be IMX8MP_CLK_MEDIA_ISP_ROOT. - Re-enable framebuffer support in mxs_defconfig to fix a Kconfig regression. - A series from Peng Fan (and Sherry Sun) fixing various pads on i.MX8MP based boards to leave reserved bits untouched. * tag 'imx-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: arm64: dts: imx8mp-icore-mx8mp-edim2.2: correct pad settings arm64: dts: imx8mp-phyboard-pollux-rdk: correct i2c2 & mmc settings arm64: dts: imx8mp-phyboard-pollux-rdk: correct eqos pad settings arm64: dts: imx8mp-phyboard-pollux-rdk: correct uart pad settings arm64: dts: imx8mp-venice-gw74xx: correct pad settings arm64: dts: imx8mp-evk: correct I2C3 pad settings arm64: dts: imx8mp-evk: correct I2C1 pad settings arm64: dts: imx8mp-evk: correct I2C5 pad settings arm64: dts: imx8mp-evk: correct vbus pad settings arm64: dts: imx8mp-evk: correct eqos pad settings arm64: dts: imx8mp-evk: correct vbus pad settings arm64: dts: imx8mp-evk: correct gpio-led pad settings arm64: dts: imx8mp-evk: correct the uart2 pinctl value arm64: dts: imx8mp-evk: correct mmc pad settings ARM: mxs_defconfig: Enable the framebuffer arm64: dts: imx8mp: correct clock of pgc_ispdwp ARM: dts: imx7d-smegw01: Fix the SDIO description Link: https://lore.kernel.org/r/20220629021244.GL819983@dragon Signed-off-by: Arnd Bergmann commit a38dbb4f2028f4b9418855239a4c82466ecb935b Merge: 620f83b8326ce 91d60e259c0f5 Author: Arnd Bergmann Date: Fri Jul 1 15:15:07 2022 +0200 Merge tag 'at91-fixes-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/at91/linux into arm/fixes AT91 fixes for 5.19 It contains 3 SoC fixes and 2 DT fixes: SoC: - fix the wakeup from RTC and RTT for ULP1 mode - fix section mismatch warning - fix SAM9X60 SiP detection DT: - fixes the EEPROMs compatibles for sama5d2_icp and sam9x60ek and EEPROM size for sam9x60ek * tag 'at91-fixes-5.19' of git://git.kernel.org/pub/scm/linux/kernel/git/at91/linux: ARM: at91: pm: Mark at91_pm_secure_init as __init ARM: at91: fix soc detection for SAM9X60 SiPs ARM: dts: at91: sama5d2_icp: fix eeprom compatibles ARM: dts: at91: sam9x60ek: fix eeprom compatible and size ARM: at91: pm: use proper compatibles for sama7g5's rtc and rtt ARM: at91: pm: use proper compatibles for sam9x60's rtc and rtt ARM: at91: pm: use proper compatible for sama5d2's rtc Link: https://lore.kernel.org/r/20220628135130.3114878-1-claudiu.beznea@microchip.com Signed-off-by: Arnd Bergmann commit 620f83b8326ce9706b1118334f0257ae028ce045 Author: Linus Walleij Date: Sun Jun 26 09:43:15 2022 +0200 soc: ixp4xx/npe: Fix unused match warning The kernel test robot found this inconsistency: drivers/soc/ixp4xx/ixp4xx-npe.c:737:34: warning: 'ixp4xx_npe_of_match' defined but not used [-Wunused-const-variable=] 737 | static const struct of_device_id ixp4xx_npe_of_match[] = { This is because the match is enclosed in the of_match_ptr() which compiles into NULL when OF is disabled and this is unnecessary. Fix it by dropping of_match_ptr() around the match. Signed-off-by: Linus Walleij Link: https://lore.kernel.org/r/20220626074315.61209-1-linus.walleij@linaro.org' Signed-off-by: Arnd Bergmann commit 8dfeee9dc52cb979cf520f6b345e7baa6b29ecb4 Author: Li kunyu Date: Fri Jul 1 14:47:23 2022 +0800 net: usb: Fix typo in code Remove the repeated ';' from code. Signed-off-by: Li kunyu Signed-off-by: David S. Miller commit 49db68d45bdcad06e28a420d5d911e4178389666 Author: Emil Renner Berthing Date: Mon Jun 27 11:09:39 2022 +0200 dmaengine: dw-axi-dmac: Fix RMW on channel suspend register When the DMA is configured for more than 8 channels the bits controlling suspend moves to another register. However when adding support for this the new register would be completely overwritten in one case and overwritten with values from the old register in another case. Found by comparing the parallel implementation of more than 8 channel support for the StarFive JH7100 SoC by Samin. Fixes: 824351668a41 ("dmaengine: dw-axi-dmac: support DMAX_NUM_CHANNELS > 8") Co-developed-by: Samin Guo Signed-off-by: Samin Guo Signed-off-by: Emil Renner Berthing Link: https://lore.kernel.org/r/20220627090939.1775717-1-emil.renner.berthing@canonical.com Signed-off-by: Vinod Koul commit 44c4237cf3436bda2b185ff728123651ad133f69 Author: Dave Jiang Date: Tue Jun 28 16:00:56 2022 -0700 dmaengine: idxd: force wq context cleanup on device disable path Testing shown that when a wq mode is setup to be dedicated and then torn down and reconfigured to shared, the wq configured end up being dedicated anyays. The root cause is when idxd_device_wqs_clear_state() gets called during idxd_driver removal, idxd_wq_disable_cleanup() does not get called vs when the wq driver is removed first. The check of wq state being "enabled" causes the cleanup to be bypassed. However, idxd_driver->remove() releases all wq drivers. So the wqs goes to "disabled" state and will never be "enabled". By that point, the driver has no idea if the wq was previously configured or clean. So force call idxd_wq_disable_cleanup() on all wqs always to make sure everything gets cleaned up. Reported-by: Tony Zhu Tested-by: Tony Zhu Fixes: 0dcfe41e9a4c ("dmanegine: idxd: cleanup all device related bits after disabling device") Signed-off-by: Dave Jiang Co-developed-by: Fenghua Yu Signed-off-by: Fenghua Yu Link: https://lore.kernel.org/r/20220628230056.2527816-1-fenghua.yu@intel.com Signed-off-by: Vinod Koul commit 0ac9c3dd0d6fe293cd5044cfad10bec27d171e4e Author: Caleb Connolly Date: Wed Jun 29 15:06:00 2022 +0100 dmaengine: qcom: bam_dma: fix runtime PM underflow Commit dbad41e7bb5f ("dmaengine: qcom: bam_dma: check if the runtime pm enabled") caused unbalanced pm_runtime_get/put() calls when the bam is controlled remotely. This commit reverts it and just enables pm_runtime in all cases, the clk_* functions already just nop when the clock is NULL. Also clean up a bit by removing unnecessary bamclk null checks. Suggested-by: Stephan Gerhold Fixes: dbad41e7bb5f ("dmaengine: qcom: bam_dma: check if the runtime pm enabled") Signed-off-by: Caleb Connolly Link: https://lore.kernel.org/r/20220629140559.118537-1-caleb.connolly@linaro.org Signed-off-by: Vinod Koul commit 71560d98e7f18eb316a17cf12dc139eacb5b490f Merge: 5e8379351dbde fed0d9f13266a Author: David S. Miller Date: Fri Jul 1 11:25:20 2022 +0100 Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2022-06-30 This series contains updates to i40e driver only. Lukasz adds reporting of packets dropped for being too large into the Rx dropped statistics. Norbert clears VF filter and MAC address to resolve issue with older VFs being unable to change their MAC address. ==================== Signed-off-by: David S. Miller commit 7e09ac27f43b382f5fe9bb7c7f4c465ece1f8a23 Author: Juergen Gross Date: Thu Jun 30 09:14:41 2022 +0200 x86: Fix .brk attribute in linker script Commit in Fixes added the "NOLOAD" attribute to the .brk section as a "failsafe" measure. Unfortunately, this leads to the linker no longer covering the .brk section in a program header, resulting in the kernel loader not knowing that the memory for the .brk section must be reserved. This has led to crashes when loading the kernel as PV dom0 under Xen, but other scenarios could be hit by the same problem (e.g. in case an uncompressed kernel is used and the initrd is placed directly behind it). So drop the "NOLOAD" attribute. This has been verified to correctly cover the .brk section by a program header of the resulting ELF file. Fixes: e32683c6f7d2 ("x86/mm: Fix RESERVE_BRK() for older binutils") Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov Reviewed-by: Josh Poimboeuf Link: https://lore.kernel.org/r/20220630071441.28576-4-jgross@suse.com commit 38fa5479b41376dc9d7f57e71c83514285a25ca0 Author: Juergen Gross Date: Thu Jun 30 09:14:40 2022 +0200 x86: Clear .brk area at early boot The .brk section has the same properties as .bss: it is an alloc-only section and should be cleared before being used. Not doing so is especially a problem for Xen PV guests, as the hypervisor will validate page tables (check for writable page tables and hypervisor private bits) before accepting them to be used. Make sure .brk is initially zero by letting clear_bss() clear the brk area, too. Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20220630071441.28576-3-jgross@suse.com commit 96e8fc5818686d4a1591bb6907e7fdb64ef29884 Author: Juergen Gross Date: Thu Jun 30 09:14:39 2022 +0200 x86/xen: Use clear_bss() for Xen PV guests Instead of clearing the bss area in assembly code, use the clear_bss() function. This requires to pass the start_info address as parameter to xen_start_kernel() in order to avoid the xen_start_info being zeroed again. Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov Reviewed-by: Jan Beulich Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/20220630071441.28576-2-jgross@suse.com commit 144248515246e52a3706de1ee928af29a63794b8 Author: Hans de Goede Date: Thu Jun 23 13:27:10 2022 +0200 drm: panel-orientation-quirks: Add quirk for the Lenovo Yoga Tablet 2 830 The Lenovo Yoga Tablet 2 830F / 830L use a panel which has been mounted 90 degrees rotated. Add a quirk for this. Signed-off-by: Hans de Goede Reviewed-by: Javier Martinez Canillas Link: https://patchwork.freedesktop.org/patch/msgid/20220623112710.15693-1-hdegoede@redhat.com commit b75cd218274e01d026dc5240e86fdeb44bbed0c8 Author: Oleksandr Tyshchenko Date: Fri Jul 1 08:57:44 2022 +0200 xen/arm: Fix race in RB-tree based P2M accounting During the PV driver life cycle the mappings are added to the RB-tree by set_foreign_p2m_mapping(), which is called from gnttab_map_refs() and are removed by clear_foreign_p2m_mapping() which is called from gnttab_unmap_refs(). As both functions end up calling __set_phys_to_machine_multi() which updates the RB-tree, this function can be called concurrently. There is already a "p2m_lock" to protect against concurrent accesses, but the problem is that the first read of "phys_to_mach.rb_node" in __set_phys_to_machine_multi() is not covered by it, so this might lead to the incorrect mappings update (removing in our case) in RB-tree. In my environment the related issue happens rarely and only when PV net backend is running, the xen_add_phys_to_mach_entry() claims that it cannot add new pfn <-> mfn mapping to the tree since it is already exists which results in a failure when mapping foreign pages. But there might be other bad consequences related to the non-protected root reads such use-after-free, etc. While at it, also fix the similar usage in __pfn_to_mfn(), so initialize "struct rb_node *n" with the "p2m_lock" held in both functions to avoid possible bad consequences. This is CVE-2022-33744 / XSA-406. Signed-off-by: Oleksandr Tyshchenko Reviewed-by: Stefano Stabellini Signed-off-by: Juergen Gross commit f63c2c2032c2e3caad9add3b82cc6e91c376fd26 Author: Jan Beulich Date: Fri Jul 1 08:56:52 2022 +0200 xen-netfront: restore __skb_queue_tail() positioning in xennet_get_responses() The commit referenced below moved the invocation past the "next" label, without any explanation. In fact this allows misbehaving backends undue control over the domain the frontend runs in, as earlier detected errors require the skb to not be freed (it may be retained for later processing via xennet_move_rx_slot(), or it may simply be unsafe to have it freed). This is CVE-2022-33743 / XSA-405. Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront") Signed-off-by: Jan Beulich Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross commit 2400617da7eebf9167d71a46122828bc479d64c9 Author: Roger Pau Monne Date: Thu Apr 7 13:04:24 2022 +0200 xen/blkfront: force data bouncing when backend is untrusted Split the current bounce buffering logic used with persistent grants into it's own option, and allow enabling it independently of persistent grants. This allows to reuse the same code paths to perform the bounce buffering required to avoid leaking contiguous data in shared pages not part of the request fragments. Reporting whether the backend is to be trusted can be done using a module parameter, or from the xenstore frontend path as set by the toolstack when adding the device. This is CVE-2022-33742, part of XSA-403. Signed-off-by: Roger Pau Monné Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross commit 4491001c2e0fa69efbb748c96ec96b100a5cdb7e Author: Roger Pau Monne Date: Thu Apr 7 12:20:06 2022 +0200 xen/netfront: force data bouncing when backend is untrusted Bounce all data on the skbs to be transmitted into zeroed pages if the backend is untrusted. This avoids leaking data present in the pages shared with the backend but not part of the skb fragments. This requires introducing a new helper in order to allocate skbs with a size multiple of XEN_PAGE_SIZE so we don't leak contiguous data on the granted pages. Reporting whether the backend is to be trusted can be done using a module parameter, or from the xenstore frontend path as set by the toolstack when adding the device. This is CVE-2022-33741, part of XSA-403. Signed-off-by: Roger Pau Monné Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross commit 307c8de2b02344805ebead3440d8feed28f2f010 Author: Roger Pau Monne Date: Wed Apr 6 17:38:04 2022 +0200 xen/netfront: fix leaking data in shared pages When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-33740, part of XSA-403. Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross commit ee6c6e7342471d468096a16bee9f89b5a6c1e39d Author: Davidlohr Bueso Date: Wed Jun 29 09:52:25 2022 -0700 staging/wlan-ng: get the correct struct hfa384x in work callback hfa384x_usbctlx_completion_task() is bogusly using the reaper BH when in fact this is the completion_bh. This was reflected when trying to acquire the hw->ctlxq.lock and getting a failed lockdep class initialized to it. Fixes: 9442e81d7e7c ("staging/wlan-ng, prism2usb: replace completion_bh tasklet with work") Reported-by: syzbot+ce3408364c4a234dd90c@syzkaller.appspotmail.com Signed-off-by: Davidlohr Bueso Link: https://lore.kernel.org/r/20220629165225.3436822-1-dave@stgolabs.net Signed-off-by: Greg Kroah-Hartman commit 3776c78559853fd151be7c41e369fd076fb679d5 Author: Shuah Khan Date: Thu Jun 30 20:32:56 2022 -0600 misc: rtsx_usb: use separate command and response buffers rtsx_usb uses same buffer for command and response. There could be a potential conflict using the same buffer for both especially if retries and timeouts are involved. Use separate command and response buffers to avoid conflicts. Signed-off-by: Shuah Khan Cc: stable Link: https://lore.kernel.org/r/07e3721804ff07aaab9ef5b39a5691d0718b9ade.1656642167.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit eb7f8e28420372787933eec079735c35034bda7d Author: Shuah Khan Date: Thu Jun 30 20:32:55 2022 -0600 misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer rtsx_usb driver allocates coherent dma buffer for urb transfers. This buffer is passed to usb_bulk_msg() and usb core tries to map already mapped buffer running into a dma mapping error. xhci_hcd 0000:01:00.0: rejecting DMA map of vmalloc memory WARNING: CPU: 1 PID: 279 at include/linux/dma-mapping.h:326 usb_ hcd_map_urb_for_dma+0x7d6/0x820 ... xhci_map_urb_for_dma+0x291/0x4e0 usb_hcd_submit_urb+0x199/0x12b0 ... usb_submit_urb+0x3b8/0x9e0 usb_start_wait_urb+0xe3/0x2d0 usb_bulk_msg+0x115/0x240 rtsx_usb_transfer_data+0x185/0x1a8 [rtsx_usb] rtsx_usb_send_cmd+0xbb/0x123 [rtsx_usb] rtsx_usb_write_register+0x12c/0x143 [rtsx_usb] rtsx_usb_probe+0x226/0x4b2 [rtsx_usb] Fix it to use kmalloc() to get DMA-able memory region instead. Signed-off-by: Shuah Khan Cc: stable Link: https://lore.kernel.org/r/667d627d502e1ba9ff4f9b94966df3299d2d3c0d.1656642167.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 2f446ffe9d737e9a844b97887919c4fda18246e7 Author: Roger Pau Monne Date: Fri Jul 1 08:23:54 2022 +0200 xen/blkfront: fix leaking data in shared pages When allocating pages to be used for shared communication with the backend always zero them, this avoids leaking unintended data present on the pages. This is CVE-2022-26365, part of XSA-403. Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich Reviewed-by: Juergen Gross Signed-off-by: Juergen Gross commit 03110b46c99bb0c712f46bec660b1c3f674ce100 Author: Luca Weiss Date: Mon Jun 6 18:04:21 2022 +0200 ARM: dts: qcom: msm8974: re-add missing pinctrl As part of a recent cleanup commit, the pinctrl for a few uart and i2c nodes was removed. Adjust the names and/or add it back and assign it to the uart and i2c nodes. Fixes: 1dfe967ec7cf ("ARM: dts: qcom-msm8974*: Consolidate I2C/UART/SDHCI") Signed-off-by: Luca Weiss Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220606160421.1641778-1-luca@z3ntu.xyz commit a175eca0f3d747599f1fdfac04cc9195b71ec996 Merge: 5e8379351dbde b8f0009bc9edf Author: Linus Torvalds Date: Thu Jun 30 17:19:19 2022 -0700 Merge tag 'drm-fixes-2022-07-01' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Bit quieter this week, the main thing is it pulls in the fixes for the sysfb resource issue you were seeing. these had been queued for next so should have had some decent testing. Otherwise amdgpu, i915 and msm each have a few fixes, and vc4 has one. fbdev: - sysfb fixes/conflicting fb fixes amdgpu: - GPU recovery fix - Fix integer type usage in fourcc header for AMD modifiers - KFD TLB flush fix for gfx9 APUs - Display fix i915: - Fix ioctl argument error return - Fix d3cold disable to allow PCI upstream bridge D3 transition - Fix setting cache_dirty for dma-buf objects on discrete msm: - Fix to increment vsync_cnt before calling drm_crtc_handle_vblank so that userspace sees the value *after* it is incremented if waiting for vblank events - Fix to reset drm_dev to NULL in dp_display_unbind to avoid a crash in probe/bind error paths - Fix to resolve the smatch error of de-referencing before NULL check in dpu_encoder_phys_wb.c - Fix error return to userspace if fence-id allocation fails in submit ioctl vc4: - NULL ptr dereference fix" * tag 'drm-fixes-2022-07-01' of git://anongit.freedesktop.org/drm/drm: Revert "drm/amdgpu/display: set vblank_disable_immediate for DC" drm/amdgpu: To flush tlb for MMHUB of RAVEN series drm/fourcc: fix integer type usage in uapi header drm/amdgpu: fix adev variable used in amdgpu_device_gpu_recover() fbdev: Disable sysfb device registration when removing conflicting FBs firmware: sysfb: Add sysfb_disable() helper function firmware: sysfb: Make sysfb_create_simplefb() return a pdev pointer drm/msm/gem: Fix error return on fence id alloc fail drm/i915: tweak the ordering in cpu_write_needs_clflush drm/i915/dgfx: Disable d3cold at gfx root port drm/i915/gem: add missing else drm/vc4: perfmon: Fix variable dereferenced before check drm/msm/dpu: Fix variable dereferenced before check drm/msm/dp: reset drm_dev to NULL at dp_display_unbind() drm/msm/dpu: Increment vsync_cnt before waking up userspace commit b8f0009bc9edf9186b20ae2a9e442ef0af93040e Merge: 078a3be79325e ee7a69aa38d87 Author: Dave Airlie Date: Fri Jul 1 09:27:28 2022 +1000 Merge tag 'drm-misc-fixes-2022-06-30' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes A NULL pointer dereference fix for vc4, and 3 patches to improve the sysfb device behaviour when removing conflicting framebuffers Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20220630072404.2fa4z3nk5h5q34ci@houat commit 5e8379351dbde61ea383e514f0f9ecb2c047cf4e Merge: 868f9f2f8e004 58bf4db695287 Author: Linus Torvalds Date: Thu Jun 30 15:26:55 2022 -0700 Merge tag 'net-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from netfilter. Current release - new code bugs: - clear msg_get_inq in __sys_recvfrom() and __copy_msghdr_from_user() - mptcp: - invoke MP_FAIL response only when needed - fix shutdown vs fallback race - consistent map handling on failure - octeon_ep: use bitwise AND Previous releases - regressions: - tipc: move bc link creation back to tipc_node_create, fix NPD Previous releases - always broken: - tcp: add a missing nf_reset_ct() in 3WHS handling to prevent socket buffered skbs from keeping refcount on the conntrack module - ipv6: take care of disable_policy when restoring routes - tun: make sure to always disable and unlink NAPI instances - phy: don't trigger state machine while in suspend - netfilter: nf_tables: avoid skb access on nf_stolen - asix: fix "can't send until first packet is send" issue - usb: asix: do not force pause frames support - nxp-nci: don't issue a zero length i2c_master_read() Misc: - ncsi: allow use of proper "mellanox" DT vendor prefix - act_api: add a message for user space if any actions were already flushed before the error was hit" * tag 'net-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (55 commits) net: dsa: felix: fix race between reading PSFP stats and port stats selftest: tun: add test for NAPI dismantle net: tun: avoid disabling NAPI twice net: sparx5: mdb add/del handle non-sparx5 devices net: sfp: fix memory leak in sfp_probe() mlxsw: spectrum_router: Fix rollback in tunnel next hop init net: rose: fix UAF bugs caused by timer handler net: usb: ax88179_178a: Fix packet receiving net: bonding: fix use-after-free after 802.3ad slave unbind ipv6: fix lockdep splat in in6_dump_addrs() net: phy: ax88772a: fix lost pause advertisement configuration net: phy: Don't trigger state machine while in suspend usbnet: fix memory allocation in helpers selftests net: fix kselftest net fatal error NFC: nxp-nci: don't print header length mismatch on i2c error NFC: nxp-nci: Don't issue a zero length i2c_master_read() net: tipc: fix possible refcount leak in tipc_sk_create() nfc: nfcmrvl: Fix irq_of_parse_and_map() return value net: ipv6: unexport __init-annotated seg6_hmac_net_init() ipv6/sit: fix ipip6_tunnel_get_prl return value ... commit 868f9f2f8e004bfe0d3935b1976f625b2924893b Author: Amir Goldstein Date: Thu Jun 30 22:58:49 2022 +0300 vfs: fix copy_file_range() regression in cross-fs copies A regression has been reported by Nicolas Boichat, found while using the copy_file_range syscall to copy a tracefs file. Before commit 5dae222a5ff0 ("vfs: allow copy_file_range to copy across devices") the kernel would return -EXDEV to userspace when trying to copy a file across different filesystems. After this commit, the syscall doesn't fail anymore and instead returns zero (zero bytes copied), as this file's content is generated on-the-fly and thus reports a size of zero. Another regression has been reported by He Zhe - the assertion of WARN_ON_ONCE(ret == -EOPNOTSUPP) can be triggered from userspace when copying from a sysfs file whose read operation may return -EOPNOTSUPP. Since we do not have test coverage for copy_file_range() between any two types of filesystems, the best way to avoid these sort of issues in the future is for the kernel to be more picky about filesystems that are allowed to do copy_file_range(). This patch restores some cross-filesystem copy restrictions that existed prior to commit 5dae222a5ff0 ("vfs: allow copy_file_range to copy across devices"), namely, cross-sb copy is not allowed for filesystems that do not implement ->copy_file_range(). Filesystems that do implement ->copy_file_range() have full control of the result - if this method returns an error, the error is returned to the user. Before this change this was only true for fs that did not implement the ->remap_file_range() operation (i.e. nfsv3). Filesystems that do not implement ->copy_file_range() still fall-back to the generic_copy_file_range() implementation when the copy is within the same sb. This helps the kernel can maintain a more consistent story about which filesystems support copy_file_range(). nfsd and ksmbd servers are modified to fall-back to the generic_copy_file_range() implementation in case vfs_copy_file_range() fails with -EOPNOTSUPP or -EXDEV, which preserves behavior of server-side-copy. fall-back to generic_copy_file_range() is not implemented for the smb operation FSCTL_DUPLICATE_EXTENTS_TO_FILE, which is arguably a correct change of behavior. Fixes: 5dae222a5ff0 ("vfs: allow copy_file_range to copy across devices") Link: https://lore.kernel.org/linux-fsdevel/20210212044405.4120619-1-drinkcat@chromium.org/ Link: https://lore.kernel.org/linux-fsdevel/CANMq1KDZuxir2LM5jOTm0xx+BnvW=ZmpsG47CyHFJwnw7zSX6Q@mail.gmail.com/ Link: https://lore.kernel.org/linux-fsdevel/20210126135012.1.If45b7cdc3ff707bc1efa17f5366057d60603c45f@changeid/ Link: https://lore.kernel.org/linux-fsdevel/20210630161320.29006-1-lhenriques@suse.de/ Reported-by: Nicolas Boichat Reported-by: kernel test robot Signed-off-by: Luis Henriques Fixes: 64bf5ff58dff ("vfs: no fallback for ->copy_file_range") Link: https://lore.kernel.org/linux-fsdevel/20f17f64-88cb-4e80-07c1-85cb96c83619@windriver.com/ Reported-by: He Zhe Tested-by: Namjae Jeon Tested-by: Luis Henriques Signed-off-by: Amir Goldstein Signed-off-by: Linus Torvalds commit a23dd544debcda4ee4a549ec7de59e85c3c8345c Author: Chuck Lever Date: Thu Jun 30 16:48:18 2022 -0400 SUNRPC: Fix READ_PLUS crasher Looks like there are still cases when "space_left - frag1bytes" can legitimately exceed PAGE_SIZE. Ensure that xdr->end always remains within the current encode buffer. Reported-by: Bruce Fields Reported-by: Zorro Lang Link: https://bugzilla.kernel.org/show_bug.cgi?id=216151 Fixes: 6c254bf3b637 ("SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()") Signed-off-by: Chuck Lever commit 4f40a5b5544618b096d1611a18219dd91fd57f80 Author: Scott Mayhew Date: Mon Jun 27 17:31:29 2022 -0400 NFSv4: Add an fattr allocation to _nfs4_discover_trunking() This was missed in c3ed222745d9 ("NFSv4: Fix free of uninitialized nfs4_label on referral lookup.") and causes a panic when mounting with '-o trunkdiscovery': PID: 1604 TASK: ffff93dac3520000 CPU: 3 COMMAND: "mount.nfs" #0 [ffffb79140f738f8] machine_kexec at ffffffffaec64bee #1 [ffffb79140f73950] __crash_kexec at ffffffffaeda67fd #2 [ffffb79140f73a18] crash_kexec at ffffffffaeda76ed #3 [ffffb79140f73a30] oops_end at ffffffffaec2658d #4 [ffffb79140f73a50] general_protection at ffffffffaf60111e [exception RIP: nfs_fattr_init+0x5] RIP: ffffffffc0c18265 RSP: ffffb79140f73b08 RFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff93dac304a800 RCX: 0000000000000000 RDX: ffffb79140f73bb0 RSI: ffff93dadc8cbb40 RDI: d03ee11cfaf6bd50 RBP: ffffb79140f73be8 R8: ffffffffc0691560 R9: 0000000000000006 R10: ffff93db3ffd3df8 R11: 0000000000000000 R12: ffff93dac4040000 R13: ffff93dac2848e00 R14: ffffb79140f73b60 R15: ffffb79140f73b30 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #5 [ffffb79140f73b08] _nfs41_proc_get_locations at ffffffffc0c73d53 [nfsv4] #6 [ffffb79140f73bf0] nfs4_proc_get_locations at ffffffffc0c83e90 [nfsv4] #7 [ffffb79140f73c60] nfs4_discover_trunking at ffffffffc0c83fb7 [nfsv4] #8 [ffffb79140f73cd8] nfs_probe_fsinfo at ffffffffc0c0f95f [nfs] #9 [ffffb79140f73da0] nfs_probe_server at ffffffffc0c1026a [nfs] RIP: 00007f6254fce26e RSP: 00007ffc69496ac8 RFLAGS: 00000246 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f6254fce26e RDX: 00005600220a82a0 RSI: 00005600220a64d0 RDI: 00005600220a6520 RBP: 00007ffc69496c50 R8: 00005600220a8710 R9: 003035322e323231 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc69496c50 R13: 00005600220a8440 R14: 0000000000000010 R15: 0000560020650ef9 ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b Fixes: c3ed222745d9 ("NFSv4: Fix free of uninitialized nfs4_label on referral lookup.") Signed-off-by: Scott Mayhew Signed-off-by: Anna Schumaker commit 080abad71e99d2becf38c978572982130b927a28 Author: NeilBrown Date: Thu Jun 23 14:47:34 2022 +1000 NFS: restore module put when manager exits. Commit f49169c97fce ("NFSD: Remove svc_serv_ops::svo_module") removed calls to module_put_and_kthread_exit() from threads that acted as SUNRPC servers and had a related svc_serv_ops structure. This was correct. It ALSO removed the module_put_and_kthread_exit() call from nfs4_run_state_manager() which is NOT a SUNRPC service. Consequently every time the NFSv4 state manager runs the module count increments and won't be decremented. So the nfsv4 module cannot be unloaded. So restore the module_put_and_kthread_exit() call. Fixes: f49169c97fce ("NFSD: Remove svc_serv_ops::svo_module") Signed-off-by: NeilBrown Signed-off-by: Anna Schumaker commit fed0d9f13266a22ce1fc9a97521ef9cdc6271a23 Author: Norbert Zulinski Date: Wed Jun 8 11:10:56 2022 +0200 i40e: Fix VF's MAC Address change on VM Clear VF MAC from parent PF and remove VF filter from VSI when both conditions are true: -VIRTCHNL_VF_OFFLOAD_USO is not used -VM MAC was not set from PF level It affects older version of IAVF and it allow them to change MAC Address on VM, newer IAVF won't change their behaviour. Previously it wasn't possible to change VF's MAC Address on VM because there is flag on IAVF driver that won't allow to change MAC Address if this address is given from PF driver. Fixes: 155f0ac2c96b ("iavf: allow permanent MAC address to change") Signed-off-by: Norbert Zulinski Signed-off-by: Jan Sokolowski Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen commit 1adb1563e7b7ec659379a18e607e8bc3522d8a78 Author: Lukasz Cieplicki Date: Tue May 31 12:54:20 2022 +0200 i40e: Fix dropped jumbo frames statistics Dropped packets caused by too large frames were not included in dropped RX packets statistics. Issue was caused by not reading the GL_RXERR1 register. That register stores count of packet which was have been dropped due to too large size. Fix it by reading GL_RXERR1 register for each interface. Repro steps: Send a packet larger than the set MTU to SUT Observe rx statists: ethtool -S | grep rx | grep -v ": 0" Fixes: 41a9e55c89be ("i40e: add missing VSI statistics") Signed-off-by: Lukasz Cieplicki Signed-off-by: Jedrzej Jagielski Tested-by: Gurucharan (A Contingent worker at Intel) Signed-off-by: Tony Nguyen commit f3163d8567adbfebe574fb22c647ce5b829c5971 Merge: fbb564a557809 e1c70d7934635 Author: Jens Axboe Date: Thu Jun 30 14:00:11 2022 -0600 Merge tag 'nvme-5.19-2022-06-30' of git://git.infradead.org/nvme into block-5.19 Pull NVMe fixes from Christoph: "nvme fixes for Linux 5.19 - more quirks (Lamarque Vieira Souza, Pablo Greco) - fix a fabrics disconnect regression (Ruozhu Li) - fix a nvmet-tcp data_digest calculation regression (Sagi Grimberg) - fix nvme-tcp send failure handling (Sagi Grimberg) - fix a regression with nvmet-loop and passthrough controllers (Alan Adamson)" * tag 'nvme-5.19-2022-06-30' of git://git.infradead.org/nvme: nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA IM2P33F8ABR1 nvmet: add a clear_ids attribute for passthru targets nvme: fix regression when disconnect a recovering ctrl nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA XPG SX6000LNP (AKA SPECTRIX S40G) nvme-tcp: always fail a request when sending it failed nvmet-tcp: fix regression in data_digest calculation commit 58bf4db695287c4bb2a5fc9fc12c78fdd4c36894 Author: Vladimir Oltean Date: Wed Jun 29 21:30:07 2022 +0300 net: dsa: felix: fix race between reading PSFP stats and port stats Both PSFP stats and the port stats read by ocelot_check_stats_work() are indirectly read through the same mechanism - write to STAT_CFG:STAT_VIEW, read from SYS:STAT:CNT[n]. It's just that for port stats, we write STAT_VIEW with the index of the port, and for PSFP stats, we write STAT_VIEW with the filter index. So if we allow them to run concurrently, ocelot_check_stats_work() may change the view from vsc9959_psfp_counters_get(), and vice versa. Fixes: 7d4b564d6add ("net: dsa: felix: support psfp filter on vsc9959") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220629183007.3808130-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit 839b92fede7ba308f1a475aa00fea55f63b7fccf Author: Jakub Kicinski Date: Wed Jun 29 11:19:11 2022 -0700 selftest: tun: add test for NAPI dismantle Being lazy does not pay, add the test for various ordering of tun queue close / detach / destroy. Link: https://lore.kernel.org/r/20220629181911.372047-2-kuba@kernel.org Signed-off-by: Jakub Kicinski commit ff1fa2081d173b01cebe2fbf0a2d0f1cee9ce4b5 Author: Jakub Kicinski Date: Wed Jun 29 11:19:10 2022 -0700 net: tun: avoid disabling NAPI twice Eric reports that syzbot made short work out of my speculative fix. Indeed when queue gets detached its tfile->tun remains, so we would try to stop NAPI twice with a detach(), close() sequence. Alternative fix would be to move tun_napi_disable() to tun_detach_all() and let the NAPI run after the queue has been detached. Fixes: a8fc8cb5692a ("net: tun: stop NAPI when detaching queues") Reported-by: syzbot Reported-by: Eric Dumazet Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20220629181911.372047-1-kuba@kernel.org Signed-off-by: Jakub Kicinski commit 9c5de246c1dbe785268fc2e83c88624b92e4ec93 Author: Casper Andersson Date: Thu Jun 30 14:22:26 2022 +0200 net: sparx5: mdb add/del handle non-sparx5 devices When adding/deleting mdb entries on other net_devices, eg., tap interfaces, it should not crash. Fixes: 3bacfccdcb2d ("net: sparx5: Add mdb handlers") Signed-off-by: Casper Andersson Reviewed-by: Steen Hegelund Link: https://lore.kernel.org/r/20220630122226.316812-1-casper.casan@gmail.com Signed-off-by: Jakub Kicinski commit 62f46fc7b8c639bc97cc9c69e063c40970b6e14c Author: Sumeet Pawnikar Date: Fri May 6 19:20:09 2022 +0530 thermal: intel_tcc_cooling: Add TCC cooling support for RaptorLake Add RaptorLake to the list of processor models supported by the Intel TCC cooling driver. Signed-off-by: Sumeet Pawnikar [ rjw: Subject edits, new changelog ] Signed-off-by: Rafael J. Wysocki commit d7d488f41b41a1b7a1df3c74f2f65eb4585f5d55 Author: Zhang Jiaming Date: Thu Jun 23 14:05:43 2022 +0800 s390/qdio: Fix spelling mistake Change 'defineable' to 'definable'. Change 'paramater' to 'parameter'. Signed-off-by: Zhang Jiaming Reviewed-by: Benjamin Block Link: https://lore.kernel.org/r/20220623060543.12870-1-jiaming@nfschina.com Signed-off-by: Alexander Gordeev commit d608f45ed3cfd411a409cec93fa64232181752ff Author: Jiang Jian Date: Wed Jun 22 22:27:13 2022 +0800 s390/sclp: Fix typo in comments Remove the repeated word 'and' from comments Signed-off-by: Jiang Jian Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/20220622142713.14187-1-jiangjian@cdjrlc.com Signed-off-by: Alexander Gordeev commit e4f74400308cb8abde5fdc9cad609c2aba32110c Author: Jason A. Donenfeld Date: Sat Jun 11 00:20:23 2022 +0200 s390/archrandom: simplify back to earlier design and initialize earlier s390x appears to present two RNG interfaces: - a "TRNG" that gathers entropy using some hardware function; and - a "DRBG" that takes in a seed and expands it. Previously, the TRNG was wired up to arch_get_random_{long,int}(), but it was observed that this was being called really frequently, resulting in high overhead. So it was changed to be wired up to arch_get_random_ seed_{long,int}(), which was a reasonable decision. Later on, the DRBG was then wired up to arch_get_random_{long,int}(), with a complicated buffer filling thread, to control overhead and rate. Fortunately, none of the performance issues matter much now. The RNG always attempts to use arch_get_random_seed_{long,int}() first, which means a complicated implementation of arch_get_random_{long,int}() isn't really valuable or useful to have around. And it's only used when reseeding, which means it won't hit the high throughput complications that were faced before. So this commit returns to an earlier design of just calling the TRNG in arch_get_random_seed_{long,int}(), and returning false in arch_get_ random_{long,int}(). Part of what makes the simplification possible is that the RNG now seeds itself using the TRNG at bootup. But this only works if the TRNG is detected early in boot, before random_init() is called. So this commit also causes that check to happen in setup_arch(). Cc: stable@vger.kernel.org Cc: Harald Freudenberger Cc: Ingo Franzki Cc: Juergen Christ Cc: Heiko Carstens Signed-off-by: Jason A. Donenfeld Link: https://lore.kernel.org/r/20220610222023.378448-1-Jason@zx2c4.com Reviewed-by: Harald Freudenberger Acked-by: Heiko Carstens Signed-off-by: Alexander Gordeev commit 09007af2b627f0f195c6c53c4829b285cc3990ec Author: Dylan Yudaken Date: Thu Jun 30 06:20:06 2022 -0700 io_uring: fix provided buffer import io_import_iovec uses the s pointer, but this was changed immediately after the iovec was re-imported and so it was imported into the wrong place. Change the ordering. Fixes: 2be2eb02e2f5 ("io_uring: ensure reads re-import for selected buffers") Signed-off-by: Dylan Yudaken Link: https://lore.kernel.org/r/20220630132006.2825668-1-dylany@fb.com [axboe: ensure we don't half-import as well] Signed-off-by: Jens Axboe commit 1a0e93df1e107dc766fdf86ae88076efd9f376e6 Merge: 9fb3bb25d1532 0fe3dbbefb74a Author: Linus Torvalds Date: Thu Jun 30 10:03:22 2022 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "Three minor bug fixes: - qedr not setting the QP timeout properly toward userspace - Memory leak on error path in ib_cm - Divide by 0 in RDMA interrupt moderation" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: linux/dim: Fix divide by 0 in RDMA DIM RDMA/cm: Fix memory leak in ib_cm_insert_listen RDMA/qedr: Fix reporting QP timeout attribute commit 9fb3bb25d15326464e2183a5eb4b1ea8725d560c Merge: f5da5ddf81ad0 8698e3bab4dd7 Author: Linus Torvalds Date: Thu Jun 30 09:57:18 2022 -0700 Merge tag 'fsnotify_for_v5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs Pull fanotify fix from Jan Kara: "A fix for recently added fanotify API to have stricter checks and refuse some invalid flag combinations to make our life easier in the future" * tag 'fsnotify_for_v5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: fanotify: refine the validation checks on non-dir inode mask commit f5da5ddf81ad0bfb91fa5e7d087e2ad96f26b7b7 Merge: d9b2ba67917c1 87d044096ea62 Author: Linus Torvalds Date: Thu Jun 30 09:45:42 2022 -0700 Merge tag 'v5.19-p3' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fix from Herbert Xu: "Fix a regression that breaks the ccp driver" * tag 'v5.19-p3' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: ccp - Fix device IRQ counting by using platform_irq_count() commit b941e487152e0909ef43faacae6eeee266d9b378 Author: Biju Das Date: Thu Jun 30 09:39:09 2022 +0100 serial: 8250: dw: Fix the macro RZN1_UART_xDMACR_8_WORD_BURST As per RZ/N1 peripheral user manual(r01uh0752ej0100-rzn1-peripheral.pdf) rev 1.0.0 Mar,2019, the value for 8_WORD_BURST is 4(b2,b1=2’b10). This patch fixes the macro as per the user manual. Fixes: aa63d786cea2 ("serial: 8250: dw: Add support for DMA flow controlling devices") Reviewed-by: Phil Edworthy Signed-off-by: Biju Das Link: https://lore.kernel.org/r/20220630083909.4294-1-biju.das.jz@bp.renesas.com Signed-off-by: Greg Kroah-Hartman commit 39cdb68c64d84e71a4a717000b6e5de208ee60cc Author: Yangxi Xiang Date: Tue Jun 28 17:33:22 2022 +0800 vt: fix memory overlapping when deleting chars in the buffer A memory overlapping copy occurs when deleting a long line. This memory overlapping copy can cause data corruption when scr_memcpyw is optimized to memcpy because memcpy does not ensure its behavior if the destination buffer overlaps with the source buffer. The line buffer is not always broken, because the memcpy utilizes the hardware acceleration, whose result is not deterministic. Fix this problem by using replacing the scr_memcpyw with scr_memmovew. Fixes: 81732c3b2fed ("tty vt: Fix line garbage in virtual console on command line edition") Cc: stable Signed-off-by: Yangxi Xiang Link: https://lore.kernel.org/r/20220628093322.5688-1-xyangxi5@gmail.com Signed-off-by: Greg Kroah-Hartman commit 4f532c1e25319e42996ec18a1f473fd50c8e575d Author: Pali Rohár Date: Tue Jun 28 12:09:22 2022 +0200 serial: mvebu-uart: correctly report configured baudrate value Functions tty_termios_encode_baud_rate() and uart_update_timeout() should be called with the baudrate value which was set to hardware. Linux then report exact values via ioctl(TCGETS2) to userspace. Change mvebu_uart_baud_rate_set() function to return baudrate value which was set to hardware and propagate this value to above mentioned functions. With this change userspace would see precise value in termios c_ospeed field. Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate") Cc: stable Reviewed-by: Ilpo Järvinen Signed-off-by: Pali Rohár Link: https://lore.kernel.org/r/20220628100922.10717-1-pali@kernel.org Signed-off-by: Greg Kroah-Hartman commit f9b11229b79c0fb2100b5bb4628a101b1d37fbf6 Author: Ilpo Järvinen Date: Wed Jun 29 12:48:41 2022 +0300 serial: 8250: Fix PM usage_count for console handover When console is enabled, univ8250_console_setup() calls serial8250_console_setup() before .dev is set to uart_port. Therefore, it will not call pm_runtime_get_sync(). Later, when the actual driver is going to take over univ8250_console_exit() is called. As .dev is already set, serial8250_console_exit() makes pm_runtime_put_sync() call with usage count being zero triggering PM usage count warning (extra debug for univ8250_console_setup(), univ8250_console_exit(), and serial8250_register_ports()): [ 0.068987] univ8250_console_setup ttyS0 nodev [ 0.499670] printk: console [ttyS0] enabled [ 0.717955] printk: console [ttyS0] printing thread started [ 1.960163] serial8250_register_ports assigned dev for ttyS0 [ 1.976830] printk: console [ttyS0] disabled [ 1.976888] printk: console [ttyS0] printing thread stopped [ 1.977073] univ8250_console_exit ttyS0 usage:0 [ 1.977075] serial8250 serial8250: Runtime PM usage count underflow! [ 1.977429] dw-apb-uart.6: ttyS0 at MMIO 0x4010006000 (irq = 33, base_baud = 115200) is a 16550A [ 1.977812] univ8250_console_setup ttyS0 usage:2 [ 1.978167] printk: console [ttyS0] printing thread started [ 1.978203] printk: console [ttyS0] enabled To fix the issue, call pm_runtime_get_sync() in serial8250_register_ports() as soon as .dev is set for an uart_port if it has console enabled. This problem became apparent only recently because 82586a721595 ("PM: runtime: Avoid device usage count underflows") added the warning printout. I confirmed this problem also occurs with v5.18 (w/o the warning printout, obviously). Fixes: bedb404e91bb ("serial: 8250_port: Don't use power management for kernel console") Cc: stable Tested-by: Tony Lindgren Reviewed-by: Andy Shevchenko Reviewed-by: Tony Lindgren Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/b4f428e9-491f-daf2-2232-819928dc276e@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 6e690d54cfa802f939cefbd2fa2c91bd0b8bd1b6 Author: Yi Yang Date: Tue Jun 28 16:35:15 2022 +0800 serial: 8250: fix return error code in serial8250_request_std_resource() If port->mapbase = NULL in serial8250_request_std_resource() , it need return a error code instead of 0. If uart_set_info() fail to request new regions by serial8250_request_std_resource() but the return value of serial8250_request_std_resource() is 0, The system incorrectly considers that the resource application is successful and does not attempt to restore the old setting. A null pointer reference is triggered when the port resource is later invoked. Signed-off-by: Yi Yang Cc: stable Link: https://lore.kernel.org/r/20220628083515.64138-1-yiyang13@huawei.com Signed-off-by: Greg Kroah-Hartman commit 5c5f44e36217de5ead789ff25da71c31c2331c96 Author: Ilpo Järvinen Date: Mon Jun 27 18:07:52 2022 +0300 serial: stm32: Clear prev values before setting RTS delays The code lacks clearing of previous DEAT/DEDT values. Thus, changing values on the fly results in garbage delays tending towards the maximum value as more and more bits are ORed together. (Leaving RS485 mode would have cleared the old values though). Fixes: 1bcda09d2910 ("serial: stm32: add support for RS485 hardware control mode") Cc: stable Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20220627150753.34510-1-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 589cb2c0b8daf4fd03e7012c00a52804769e7699 Merge: 03c765b0e3b4c f08fe6fcbe13f Author: Rafael J. Wysocki Date: Thu Jun 30 15:30:30 2022 +0200 Merge tag 'devfreq-fixes-for-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/chanwoo/linux Pull devfreq fixes for 5.19-rc5 from Chanwoo Choi: "1. Fix devfreq passive governor issue when cpufreq policies are not ready during kernel boot because some CPUs turn on after kernel booting or others. - Re-initialize the vairables of struct devfreq_passive_data when PROBE_DEFER happens when cpufreq_get() returns NULL. - Use dev_err_probe to mute warning when PROBE_DEFER. - Fix cpufreq passive unregister erroring on PROBE_DEFER by using the allocated parent_cpu_data list to free resouce instead of for_each_possible_cpu(). - Remove duplicate cpufreq passive unregister and warning when PROBE_DEFER. - Use HZ_PER_KZH macro in units.h. - Fix wrong indentation in SPDX-License line. 2. Fix reference count leak in exynos-ppmu.c by using of_node_put(). 3. Rework freq_table to be local to devfreq struct - struct devfreq_dev_profile includes freq_table array to store the supported frequencies. If devfreq driver doesn't initialize the freq_table, devfreq core allocates the memory and initializes the freq_table. On a devfreq PROBE_DEFER, the freq_table in the driver profile struct is never reset and may be left in an undefined state. To fix this and correctly handle PROBE_DEFER, use a local freq_table and max_state in the devfreq struct." * tag 'devfreq-fixes-for-5.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/chanwoo/linux: PM / devfreq: passive: revert an editing accident in SPDX-License line PM / devfreq: Fix kernel warning with cpufreq passive register fail PM / devfreq: Rework freq_table to be local to devfreq struct PM / devfreq: exynos-ppmu: Fix refcount leak in of_get_devfreq_events PM / devfreq: passive: Use HZ_PER_KHZ macro in units.h PM / devfreq: Fix cpufreq passive unregister erroring on PROBE_DEFER PM / devfreq: Mute warning on governor PROBE_DEFER PM / devfreq: Fix kernel panic with cpu based scaling to passive gov commit 29c1ac230e6056b26846c66881802b581a78ad72 Author: Pavel Begunkov Date: Thu Jun 30 13:25:57 2022 +0100 io_uring: keep sendrecv flags in ioprio We waste a u64 SQE field for flags even though we don't need as many bits and it can be used for something more useful later. Store io_uring specific send/recv flags in sqe->ioprio instead of ->addr2. Signed-off-by: Pavel Begunkov Fixes: 0455d4ccec54 ("io_uring: add POLL_FIRST support for send/sendmsg and recv/recvmsg") [axboe: change comment in io_uring.h as well] Signed-off-by: Jens Axboe commit 20159e287a031bd6a28429675ccc66b06372fa3c Author: Masahiro Yamada Date: Tue Jun 14 02:09:02 2022 +0900 s390/purgatory: remove duplicated build rule of kexec-purgatory.o This is equivalent to the pattern rule in scripts/Makefile.build. Having the dependency on $(obj)/purgatory.ro is enough. Signed-off-by: Masahiro Yamada Link: https://lore.kernel.org/r/20220613170902.1775211-3-masahiroy@kernel.org Signed-off-by: Alexander Gordeev commit b9a56c113f907b19b91dc5c2383b0169831e15a4 Author: Masahiro Yamada Date: Tue Jun 14 02:09:01 2022 +0900 s390/purgatory: hard-code obj-y in Makefile The purgatory/ directory is entirely guarded in arch/s390/Kbuild. CONFIG_ARCH_HAS_KEXEC_PURGATORY is bool type. $(CONFIG_ARCH_HAS_KEXEC_PURGATORY) is always 'y' when Kbuild visits this Makefile for building. Signed-off-by: Masahiro Yamada Link: https://lore.kernel.org/r/20220613170902.1775211-2-masahiroy@kernel.org Signed-off-by: Alexander Gordeev commit 25deecb21c18ee29e3be8ac6177b2a9504c33d2d Author: Masahiro Yamada Date: Tue Jun 14 02:09:00 2022 +0900 s390: remove unneeded 'select BUILD_BIN2C' Since commit 4c0f032d4963 ("s390/purgatory: Omit use of bin2c"), s390 builds the purgatory without using bin2c. Remove 'select BUILD_BIN2C' to avoid the unneeded build of bin2c. Fixes: 4c0f032d4963 ("s390/purgatory: Omit use of bin2c") Signed-off-by: Masahiro Yamada Link: https://lore.kernel.org/r/20220613170902.1775211-1-masahiroy@kernel.org Signed-off-by: Alexander Gordeev commit 0a18d802d65cf662644fd1d369c86d84a5630652 Author: Jianglei Nie Date: Wed Jun 29 15:55:50 2022 +0800 net: sfp: fix memory leak in sfp_probe() sfp_probe() allocates a memory chunk from sfp with sfp_alloc(). When devm_add_action() fails, sfp is not freed, which leads to a memory leak. We should use devm_add_action_or_reset() instead of devm_add_action(). Signed-off-by: Jianglei Nie Reviewed-by: Russell King (Oracle) Link: https://lore.kernel.org/r/20220629075550.2152003-1-niejianglei2021@163.com Signed-off-by: Paolo Abeni commit 665030fd0c1ed9f505932e6e73e7a2c788787a0a Author: Petr Machata Date: Wed Jun 29 10:02:05 2022 +0300 mlxsw: spectrum_router: Fix rollback in tunnel next hop init In mlxsw_sp_nexthop6_init(), a next hop is always added to the router linked list, and mlxsw_sp_nexthop_type_init() is invoked afterwards. When that function results in an error, the next hop will not have been removed from the linked list. As the error is propagated upwards and the caller frees the next hop object, the linked list ends up holding an invalid object. A similar issue comes up with mlxsw_sp_nexthop4_init(), where rollback block does exist, however does not include the linked list removal. Both IPv6 and IPv4 next hops have a similar issue with next-hop counter rollbacks. As these were introduced in the same patchset as the next hop linked list, include the cleanup in this patch. Fixes: dbe4598c1e92 ("mlxsw: spectrum_router: Keep nexthops in a linked list") Fixes: a5390278a5eb ("mlxsw: spectrum: Add support for setting counters on nexthops") Signed-off-by: Petr Machata Reviewed-by: Amit Cohen Signed-off-by: Ido Schimmel Link: https://lore.kernel.org/r/20220629070205.803952-1-idosch@nvidia.com Signed-off-by: Paolo Abeni commit 9cc02ede696272c5271a401e4f27c262359bc2f6 Author: Duoming Zhou Date: Wed Jun 29 08:26:40 2022 +0800 net: rose: fix UAF bugs caused by timer handler There are UAF bugs in rose_heartbeat_expiry(), rose_timer_expiry() and rose_idletimer_expiry(). The root cause is that del_timer() could not stop the timer handler that is running and the refcount of sock is not managed properly. One of the UAF bugs is shown below: (thread 1) | (thread 2) | rose_bind | rose_connect | rose_start_heartbeat rose_release | (wait a time) case ROSE_STATE_0 | rose_destroy_socket | rose_heartbeat_expiry rose_stop_heartbeat | sock_put(sk) | ... sock_put(sk) // FREE | | bh_lock_sock(sk) // USE The sock is deallocated by sock_put() in rose_release() and then used by bh_lock_sock() in rose_heartbeat_expiry(). Although rose_destroy_socket() calls rose_stop_heartbeat(), it could not stop the timer that is running. The KASAN report triggered by POC is shown below: BUG: KASAN: use-after-free in _raw_spin_lock+0x5a/0x110 Write of size 4 at addr ffff88800ae59098 by task swapper/3/0 ... Call Trace: dump_stack_lvl+0xbf/0xee print_address_description+0x7b/0x440 print_report+0x101/0x230 ? irq_work_single+0xbb/0x140 ? _raw_spin_lock+0x5a/0x110 kasan_report+0xed/0x120 ? _raw_spin_lock+0x5a/0x110 kasan_check_range+0x2bd/0x2e0 _raw_spin_lock+0x5a/0x110 rose_heartbeat_expiry+0x39/0x370 ? rose_start_heartbeat+0xb0/0xb0 call_timer_fn+0x2d/0x1c0 ? rose_start_heartbeat+0xb0/0xb0 expire_timers+0x1f3/0x320 __run_timers+0x3ff/0x4d0 run_timer_softirq+0x41/0x80 __do_softirq+0x233/0x544 irq_exit_rcu+0x41/0xa0 sysvec_apic_timer_interrupt+0x8c/0xb0 asm_sysvec_apic_timer_interrupt+0x1b/0x20 RIP: 0010:default_idle+0xb/0x10 RSP: 0018:ffffc9000012fea0 EFLAGS: 00000202 RAX: 000000000000bcae RBX: ffff888006660f00 RCX: 000000000000bcae RDX: 0000000000000001 RSI: ffffffff843a11c0 RDI: ffffffff843a1180 RBP: dffffc0000000000 R08: dffffc0000000000 R09: ffffed100da36d46 R10: dfffe9100da36d47 R11: ffffffff83cf0950 R12: 0000000000000000 R13: 1ffff11000ccc1e0 R14: ffffffff8542af28 R15: dffffc0000000000 ... Allocated by task 146: __kasan_kmalloc+0xc4/0xf0 sk_prot_alloc+0xdd/0x1a0 sk_alloc+0x2d/0x4e0 rose_create+0x7b/0x330 __sock_create+0x2dd/0x640 __sys_socket+0xc7/0x270 __x64_sys_socket+0x71/0x80 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 152: kasan_set_track+0x4c/0x70 kasan_set_free_info+0x1f/0x40 ____kasan_slab_free+0x124/0x190 kfree+0xd3/0x270 __sk_destruct+0x314/0x460 rose_release+0x2fa/0x3b0 sock_close+0xcb/0x230 __fput+0x2d9/0x650 task_work_run+0xd6/0x160 exit_to_user_mode_loop+0xc7/0xd0 exit_to_user_mode_prepare+0x4e/0x80 syscall_exit_to_user_mode+0x20/0x40 do_syscall_64+0x4f/0x90 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This patch adds refcount of sock when we use functions such as rose_start_heartbeat() and so on to start timer, and decreases the refcount of sock when timer is finished or deleted by functions such as rose_stop_heartbeat() and so on. As a result, the UAF bugs could be mitigated. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Duoming Zhou Tested-by: Duoming Zhou Link: https://lore.kernel.org/r/20220629002640.5693-1-duoming@zju.edu.cn Signed-off-by: Paolo Abeni commit f8ebb3ac881b17712e1d5967c97ab1806b16d3d6 Author: Jose Alonso Date: Tue Jun 28 12:13:02 2022 -0300 net: usb: ax88179_178a: Fix packet receiving This patch corrects packet receiving in ax88179_rx_fixup. - problem observed: ifconfig shows allways a lot of 'RX Errors' while packets are received normally. This occurs because ax88179_rx_fixup does not recognise properly the usb urb received. The packets are normally processed and at the end, the code exits with 'return 0', generating RX Errors. (pkt_cnt==-2 and ptk_hdr over field rx_hdr trying to identify another packet there) This is a usb urb received by "tcpdump -i usbmon2 -X" on a little-endian CPU: 0x0000: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 ^ packet 1 start (pkt_len = 0x05ec) ^^^^ IP alignment pseudo header ^ ethernet packet start last byte ethernet packet v padding (8-bytes aligned) vvvv vvvv 0x05e0: c92d d444 1420 8a69 83dd 272f e82b 9811 0x05f0: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 ... ^ packet 2 0x0be0: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 ... 0x1130: 9d41 9171 8a38 0ec5 eeee f8e3 3b19 87a0 ... 0x1720: 8cfc 15ff 5e4c e85c eeee f8e3 3b19 87a0 ... 0x1d10: ecfa 2a3a 19ab c78c eeee f8e3 3b19 87a0 ... 0x2070: eeee f8e3 3b19 87a0 94de 80e3 daac 0800 ... ^ packet 7 0x2120: 7c88 4ca5 5c57 7dcc 0d34 7577 f778 7e0a 0x2130: f032 e093 7489 0740 3008 ec05 0000 0080 ====1==== ====2==== hdr_off ^ pkt_len = 0x05ec ^^^^ AX_RXHDR_*=0x00830 ^^^^ ^ pkt_len = 0 ^^^^ AX_RXHDR_DROP_ERR=0x80000000 ^^^^ ^ 0x2140: 3008 ec05 0000 0080 3008 5805 0000 0080 0x2150: 3008 ec05 0000 0080 3008 ec05 0000 0080 0x2160: 3008 5803 0000 0080 3008 c800 0000 0080 ===11==== ===12==== ===13==== ===14==== 0x2170: 0000 0000 0e00 3821 ^^^^ ^^^^ rx_hdr ^^^^ pkt_cnt=14 ^^^^ hdr_off=0x2138 ^^^^ ^^^^ padding The dump shows that pkt_cnt is the number of entrys in the per-packet metadata. It is "2 * packet count". Each packet have two entrys. The first have a valid value (pkt_len and AX_RXHDR_*) and the second have a dummy-header 0x80000000 (pkt_len=0 with AX_RXHDR_DROP_ERR). Why exists dummy-header for each packet?!? My guess is that this was done probably to align the entry for each packet to 64-bits and maintain compatibility with old firmware. There is also a padding (0x00000000) before the rx_hdr to align the end of rx_hdr to 64-bit. Note that packets have a alignment of 64-bits (8-bytes). This patch assumes that the dummy-header and the last padding are optional. So it preserves semantics and recognises the same valid packets as the current code. This patch was made using only the dumpfile information and tested with only one device: 0b95:1790 ASIX Electronics Corp. AX88179 Gigabit Ethernet Fixes: 57bc3d3ae8c1 ("net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup") Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") Signed-off-by: Jose Alonso Acked-by: Paolo Abeni Link: https://lore.kernel.org/r/d6970bb04bf67598af4d316eaeb1792040b18cfd.camel@gmail.com Signed-off-by: Paolo Abeni commit e1c70d79346356bb1ede3f79436df80917845ab9 Author: Lamarque Vieira Souza Date: Wed Jun 29 21:30:53 2022 -0300 nvme-pci: add NVME_QUIRK_BOGUS_NID for ADATA IM2P33F8ABR1 ADATA IM2P33F8ABR1 reports bogus eui64 values that appear to be the same across all drives. Q