commit 7aa21fec187b7bc2a55be4daad4585098e2f47df Author: Greg Kroah-Hartman Date: Fri Oct 4 16:38:57 2024 +0200 Linux 6.11.2 Link: https://lore.kernel.org/r/20241002125822.467776898@linuxfoundation.org Tested-by: Ronald Warsow Tested-by: Florian Fainelli Tested-by: Jon Hunter Tested-by: Shuah Khan Tested-by: Linux Kernel Functional Testing Tested-by: Mark Brown Tested-by: Peter Schneider Tested-by: Salvatore Bonaccorso Tested-by: Allen Pais Tested-by: Ron Economos Tested-by: Kexy Biscuit Signed-off-by: Greg Kroah-Hartman commit 338b32a232bbee39e52dd1486cbc0c9f458d4d69 Author: Mikulas Patocka Date: Wed Oct 2 15:56:18 2024 +0200 Revert: "dm-verity: restart or panic on an I/O error" commit 462763212dd71c41f092b48eaa352bc1f5ed5d66 upstream. This reverts commit e6a3531dd542cb127c8de32ab1e54a48ae19962b. The problem that the commit e6a3531dd542cb127c8de32ab1e54a48ae19962b fixes was reported as a security bug, but Google engineers working on Android and ChromeOS didn't want to change the default behavior, they want to get -EIO rather than restarting the system, so I am reverting that commit. Note also that calling machine_restart from the I/O handling code is potentially unsafe (the reboot notifiers may wait for the bio that triggered the restart), but Android uses the reboot notifiers to store the reboot reason into the PMU microcontroller, so machine_restart must be used. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Fixes: e6a3531dd542 ("dm-verity: restart or panic on an I/O error") Suggested-by: Sami Tolvanen Suggested-by: Will Drewry Signed-off-by: Greg Kroah-Hartman commit b126f1b54d55e04e3e17fe92b7f03b99663c1e89 Author: Alexander Dahl Date: Thu Sep 26 11:03:56 2024 +0200 spi: atmel-quadspi: Fix wrong register value written to MR commit 162d9b5d2308c7e48efbc97d36babbf4d73b2c61 upstream. aq->mr should go to MR, nothing else. Fixes: 329ca3eed4a9 ("spi: atmel-quadspi: Avoid overwriting delay register settings") Signed-off-by: Alexander Dahl Link: https://lore.kernel.org/linux-spi/20240926-macarena-wincing-7c4995487a29@thorsis.com/T/#u Link: https://patch.msgid.link/20240926090356.105789-1-ada@thorsis.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 2327c3f9d4f7eac4939bbe2ed3206f3a7dec48e1 Author: Damien Le Moal Date: Tue Sep 17 22:32:31 2024 +0900 block: Fix elv_iosched_local_module handling of "none" scheduler commit e3accac1a976e65491a9b9fba82ce8ddbd3d2389 upstream. Commit 734e1a860312 ("block: Prevent deadlocks when switching elevators") introduced the function elv_iosched_load_module() to allow loading an elevator module outside of elv_iosched_store() with the target device queue not frozen, to avoid deadlocks. However, the "none" scheduler does not have a module and as a result, elv_iosched_load_module() always returns an error when trying to switch to this valid scheduler. Fix this by ignoring the return value of the request_module() call done by elv_iosched_load_module(). This restores the behavior before commit 734e1a860312, which was to ignore the request_module() result and instead rely on elevator_change() to handle the "none" scheduler case. Reported-by: Shin'ichiro Kawasaki Fixes: 734e1a860312 ("block: Prevent deadlocks when switching elevators") Cc: stable@vger.kernel.org Signed-off-by: Damien Le Moal Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20240917133231.134806-1-dlemoal@kernel.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit cdf27834c3dd5d9abf7eb8e4ee87ee9e307eb25c Author: Oleg Nesterov Date: Thu Sep 19 15:28:53 2024 +0200 bpf: Fix use-after-free in bpf_uprobe_multi_link_attach() commit 5fe6e308abaea082c20fbf2aa5df8e14495622cf upstream. If bpf_link_prime() fails, bpf_uprobe_multi_link_attach() goes to the error_free label and frees the array of bpf_uprobe's without calling bpf_uprobe_unregister(). This leaks bpf_uprobe->uprobe and worse, this frees bpf_uprobe->consumer without removing it from the uprobe->consumers list. Fixes: 89ae89f53d20 ("bpf: Add multi uprobe link") Closes: https://lore.kernel.org/all/000000000000382d39061f59f2dd@google.com/ Reported-by: syzbot+f7a1c2c2711e4a780f19@syzkaller.appspotmail.com Signed-off-by: Oleg Nesterov Signed-off-by: Peter Zijlstra (Intel) Acked-by: Andrii Nakryiko Acked-by: Jiri Olsa Tested-by: syzbot+f7a1c2c2711e4a780f19@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240813152524.GA7292@redhat.com Signed-off-by: Greg Kroah-Hartman commit 6e0014d2380f90910ed3d79c2c45bede7aa64610 Author: Paolo Bonzini Date: Fri Sep 27 11:45:45 2024 -0400 Documentation: KVM: fix warning in "make htmldocs" commit efbc6bd090f48ccf64f7a8dd5daea775821d57ec upstream. The warning Documentation/virt/kvm/locking.rst:31: ERROR: Unexpected indentation. is caused by incorrectly treating a line as the continuation of a paragraph, rather than as the first line in a bullet list. Fixed: 44d174596260 ("KVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock") Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 1f840c48c8f4da20c0b63175b2a5227478ce66bc Author: Robert Hancock Date: Wed Sep 11 22:16:53 2024 +0200 i2c: xiic: Try re-initialization on bus busy timeout commit 1d4a1adbed2582444aaf97671858b7d12915bd05 upstream. In the event that the I2C bus was powered down when the I2C controller driver loads, or some spurious pulses occur on the I2C bus, it's possible that the controller detects a spurious I2C "start" condition. In this situation it may continue to report the bus is busy indefinitely and block the controller from working. The "single-master" DT flag can be specified to disable bus busy checks entirely, but this may not be safe to use in situations where other I2C masters may potentially exist. In the event that the controller reports "bus busy" for too long when starting a transaction, we can try reinitializing the controller to see if the busy condition clears. This allows recovering from this scenario. Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface") Signed-off-by: Robert Hancock Cc: # v2.6.34+ Reviewed-by: Manikanta Guntupalli Acked-by: Michal Simek Signed-off-by: Andi Shyti Signed-off-by: Greg Kroah-Hartman commit ba6e6397e7be009d548ec6fcdb7c71993b6761ad Author: Andy Shevchenko Date: Wed Sep 11 18:39:14 2024 +0300 i2c: isch: Add missed 'else' commit 1db4da55070d6a2754efeb3743f5312fc32f5961 upstream. In accordance with the existing comment and code analysis it is quite likely that there is a missed 'else' when adapter times out. Add it. Fixes: 5bc1200852c3 ("i2c: Add Intel SCH SMBus support") Signed-off-by: Andy Shevchenko Cc: # v2.6.27+ Signed-off-by: Andi Shyti Signed-off-by: Greg Kroah-Hartman commit 9981e00c158fc7ca7405fa122afeb304c4bb3126 Author: Tommy Huang Date: Wed Sep 11 17:39:51 2024 +0800 i2c: aspeed: Update the stop sw state when the bus recovery occurs commit 93701d3b84ac5f3ea07259d4ced405c53d757985 upstream. When the i2c bus recovery occurs, driver will send i2c stop command in the scl low condition. In this case the sw state will still keep original situation. Under multi-master usage, i2c bus recovery will be called when i2c transfer timeout occurs. Update the stop command calling with aspeed_i2c_do_stop function to update master_state. Fixes: f327c686d3ba ("i2c: aspeed: added driver for Aspeed I2C") Cc: stable@vger.kernel.org # v4.13+ Signed-off-by: Tommy Huang Signed-off-by: Andi Shyti Signed-off-by: Greg Kroah-Hartman commit 958abc025c720eb4fc782d5718eb72d9589cb54e Author: Liam R. Howlett Date: Wed Sep 4 17:12:04 2024 -0700 mm/damon/vaddr: protect vma traversal in __damon_va_thre_regions() with rcu read lock commit fb497d6db7c19c797cbd694b52d1af87c4eebcc6 upstream. Traversing VMAs of a given maple tree should be protected by rcu read lock. However, __damon_va_three_regions() is not doing the protection. Hold the lock. Link: https://lkml.kernel.org/r/20240905001204.1481-1-sj@kernel.org Fixes: d0cf3dd47f0d ("damon: convert __damon_va_three_regions to use the VMA iterator") Signed-off-by: Liam R. Howlett Signed-off-by: SeongJae Park Reported-by: Guenter Roeck Closes: https://lore.kernel.org/b83651a0-5b24-4206-b860-cb54ffdf209b@roeck-us.net Tested-by: Guenter Roeck Cc: David Hildenbrand Cc: Matthew Wilcox Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 9c17a36a193bb3e75ddbabf198dbcba7223f4e2c Author: Vishal Moola (Oracle) Date: Sat Sep 14 12:41:18 2024 -0700 mm: change vmf_anon_prepare() to __vmf_anon_prepare() commit 2a058ab3286d6475b2082b90c2d2182d2fea4b39 upstream. Some callers of vmf_anon_prepare() may not want us to release the per-VMA lock ourselves. Rename vmf_anon_prepare() to __vmf_anon_prepare() and let the callers drop the lock when desired. Also, make vmf_anon_prepare() a wrapper that releases the per-VMA lock itself for any callers that don't care. This is in preparation to fix this bug reported by syzbot: https://lore.kernel.org/linux-mm/00000000000067c20b06219fbc26@google.com/ Link: https://lkml.kernel.org/r/20240914194243.245-1-vishal.moola@gmail.com Fixes: 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of anon_vma_prepare()") Reported-by: syzbot+2dab93857ee95f2eeb08@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-mm/00000000000067c20b06219fbc26@google.com/ Signed-off-by: Vishal Moola (Oracle) Cc: Muchun Song Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 04966116d74bede9dd9e1bbbf6cb6beb4d09e97d Author: Miaohe Lin Date: Sat Sep 14 09:53:06 2024 +0800 mm/huge_memory: ensure huge_zero_folio won't have large_rmappable flag set commit 2a1b8648d9be9f37f808a36c0f74adb8c53d06e6 upstream. Ensure huge_zero_folio won't have large_rmappable flag set. So it can be reported as thp,zero correctly through stable_page_flags(). Link: https://lkml.kernel.org/r/20240914015306.3656791-1-linmiaohe@huawei.com Fixes: 5691753d73a2 ("mm: convert huge_zero_page to huge_zero_folio") Signed-off-by: Miaohe Lin Cc: David Hildenbrand Cc: Matthew Wilcox (Oracle) Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit d59ebc99dee0a2687a26df94b901eb8216dbf876 Author: Vishal Moola (Oracle) Date: Sat Sep 14 12:41:19 2024 -0700 mm/hugetlb.c: fix UAF of vma in hugetlb fault pathway commit 98b74bb4d7e96b4da5ef3126511febe55b76b807 upstream. Syzbot reports a UAF in hugetlb_fault(). This happens because vmf_anon_prepare() could drop the per-VMA lock and allow the current VMA to be freed before hugetlb_vma_unlock_read() is called. We can fix this by using a modified version of vmf_anon_prepare() that doesn't release the VMA lock on failure, and then release it ourselves after hugetlb_vma_unlock_read(). Link: https://lkml.kernel.org/r/20240914194243.245-2-vishal.moola@gmail.com Fixes: 9acad7ba3e25 ("hugetlb: use vmf_anon_prepare() instead of anon_vma_prepare()") Reported-by: syzbot+2dab93857ee95f2eeb08@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-mm/00000000000067c20b06219fbc26@google.com/ Signed-off-by: Vishal Moola (Oracle) Cc: Muchun Song Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit a5d3b9495902f0432bd79d5f3394d7259068650e Author: Kexy Biscuit Date: Mon Sep 9 20:28:30 2024 +0300 tpm: export tpm2_sessions_init() to fix ibmvtpm building commit f168c000d27f8134160d4a52dfc474a948a3d7e9 upstream. Commit 08d08e2e9f0a ("tpm: ibmvtpm: Call tpm2_sessions_init() to initialize session support") adds call to tpm2_sessions_init() in ibmvtpm, which could be built as a module. However, tpm2_sessions_init() wasn't exported, causing libmvtpm to fail to build as a module: ERROR: modpost: "tpm2_sessions_init" [drivers/char/tpm/tpm_ibmvtpm.ko] undefined! Export tpm2_sessions_init() to resolve the issue. Cc: stable@vger.kernel.org # v6.10+ Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202408051735.ZJkAPQ3b-lkp@intel.com/ Fixes: 08d08e2e9f0a ("tpm: ibmvtpm: Call tpm2_sessions_init() to initialize session support") Signed-off-by: Kexy Biscuit Signed-off-by: Mingcong Bai Reviewed-by: Stefan Berger Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit c1830f8ea1c3030dbea334d7cde4ce5434d5b71c Author: Jason Andryuk Date: Mon Sep 9 22:09:16 2024 -0400 fbdev: xen-fbfront: Assign fb_info->device commit c2af2a45560bd4046c2e109152acde029ed0acc2 upstream. Probing xen-fbfront faults in video_is_primary_device(). The passed-in struct device is NULL since xen-fbfront doesn't assign it and the memory is kzalloc()-ed. Assign fb_info->device to avoid this. This was exposed by the conversion of fb_is_primary_device() to video_is_primary_device() which dropped a NULL check for struct device. Fixes: f178e96de7f0 ("arch: Remove struct fb_info from video helpers") Reported-by: Arthur Borsboom Closes: https://lore.kernel.org/xen-devel/CALUcmUncX=LkXWeiSiTKsDY-cOe8QksWhFvcCneOKfrKd0ZajA@mail.gmail.com/ Tested-by: Arthur Borsboom CC: stable@vger.kernel.org Signed-off-by: Jason Andryuk Reviewed-by: Roger Pau Monné Reviewed-by: Thomas Zimmermann Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 9631f45b6d0a628c593194e353b440a919202fc5 Author: Dmitry Vyukov Date: Tue Jun 11 09:50:32 2024 +0200 module: Fix KCOV-ignored file name commit f34d086fb7102fec895fd58b9e816b981b284c17 upstream. module.c was renamed to main.c, but the Makefile directive was copy-pasted verbatim with the old file name. Fix up the file name. Fixes: cfc1d277891e ("module: Move all into module/") Signed-off-by: Dmitry Vyukov Signed-off-by: Thomas Gleixner Reviewed-by: Alexander Potapenko Reviewed-by: Marco Elver Reviewed-by: Andrey Konovalov Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/bc0cf790b4839c5e38e2fafc64271f620568a39e.1718092070.git.dvyukov@google.com Signed-off-by: Greg Kroah-Hartman commit c746f466ddc72aeef12326b3812bd12681d74d86 Author: Haibo Chen Date: Thu Sep 5 17:43:37 2024 +0800 spi: fspi: add support for imx8ulp commit 9228956a620553d7fd17f703a37a26c91e4d92ab upstream. The flexspi on imx8ulp only has 16 LUTs, different with others which have up to 32 LUTs. Add a separate compatible string and nxp_fspi_devtype_data to support flexspi on imx8ulp. Fixes: ef89fd56bdfc ("arm64: dts: imx8ulp: add flexspi node") Cc: stable@kernel.org Signed-off-by: Haibo Chen Reviewed-by: Frank Li Link: https://patch.msgid.link/20240905094338.1986871-4-haibo.chen@nxp.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit a0ee26f42c8cc5619b1cc05bfd932aa7a480a805 Author: David Gow Date: Sat Aug 3 15:46:41 2024 +0800 mm: only enforce minimum stack gap size if it's sensible commit 69b50d4351ed924f29e3d46b159e28f70dfc707f upstream. The generic mmap_base code tries to leave a gap between the top of the stack and the mmap base address, but enforces a minimum gap size (MIN_GAP) of 128MB, which is too large on some setups. In particular, on arm tasks without ADDR_LIMIT_32BIT, the STACK_TOP value is less than 128MB, so it's impossible to fit such a gap in. Only enforce this minimum if MIN_GAP < MAX_GAP, as we'd prefer to honour MAX_GAP, which is defined proportionally, so scales better and always leaves us with both _some_ stack space and some room for mmap. This fixes the usercopy KUnit test suite on 32-bit arm, as it doesn't set any personality flags so gets the default (in this case 26-bit) task size. This test can be run with: ./tools/testing/kunit/kunit.py run --arch arm usercopy --make_options LLVM=1 Link: https://lkml.kernel.org/r/20240803074642.1849623-2-davidgow@google.com Fixes: dba79c3df4a2 ("arm: use generic mmap top-down layout and brk randomization") Signed-off-by: David Gow Reviewed-by: Kees Cook Cc: Alexandre Ghiti Cc: Linus Walleij Cc: Luis Chamberlain Cc: Mark Rutland Cc: Russell King Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 5e8afe345ad9b502c0e3b86a257fd305f9a5758c Author: Jeff Xu Date: Wed Aug 7 21:23:20 2024 +0000 selftest mm/mseal: fix test_seal_mremap_move_dontunmap_anyaddr commit 072cd213b75eb01fcf40eff898f8d5c008ce1457 upstream. the syscall remap accepts following: mremap(src, size, size, MREMAP_MAYMOVE | MREMAP_DONTUNMAP, dst) when the src is sealed, the call will fail with error code: EPERM Previously, the test uses hard-coded 0xdeaddead as dst, and it will fail on the system with newer glibc installed. This patch removes test's dependency on glibc for mremap(), also fix the test and remove the hardcoded address. Link: https://lkml.kernel.org/r/20240807212320.2831848-1-jeffxu@chromium.org Fixes: 4926c7a52de7 ("selftest mm/mseal memory sealing") Signed-off-by: Jeff Xu Reported-by: Pedro Falcato Cc: Dave Hansen Cc: Liam R. Howlett Cc: Lorenzo Stoakes Cc: Matthew Wilcox (Oracle) Cc: Michael Ellerman Cc: Vlastimil Babka Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit ad3ca814fd8ca4335f81949373b6b3f5b5c26284 Author: Vasily Gorbik Date: Sat Aug 24 02:14:04 2024 +0200 s390/ftrace: Avoid calling unwinder in ftrace_return_address() commit a84dd0d8ae24bdc6da341187fc4c1a0adfce2ccc upstream. ftrace_return_address() is called extremely often from performance-critical code paths when debugging features like CONFIG_TRACE_IRQFLAGS are enabled. For example, with debug_defconfig, ftrace selftests on my LPAR currently execute ftrace_return_address() as follows: ftrace_return_address(0) - 0 times (common code uses __builtin_return_address(0) instead) ftrace_return_address(1) - 2,986,805,401 times (with this patch applied) ftrace_return_address(2) - 140 times ftrace_return_address(>2) - 0 times The use of __builtin_return_address(n) was replaced by return_address() with an unwinder call by commit cae74ba8c295 ("s390/ftrace: Use unwinder instead of __builtin_return_address()") because __builtin_return_address(n) simply walks the stack backchain and doesn't check for reaching the stack top. For shallow stacks with fewer than "n" frames, this results in reads at low addresses and random memory accesses. While calling the fully functional unwinder "works", it is very slow for this purpose. Moreover, potentially following stack switches and walking past IRQ context is simply wrong thing to do for ftrace_return_address(). Reimplement return_address() to essentially be __builtin_return_address(n) with checks for reaching the stack top. Since the ftrace_return_address(n) argument is always a constant, keep the implementation in the header, allowing both GCC and Clang to unroll the loop and optimize it to the bare minimum. Fixes: cae74ba8c295 ("s390/ftrace: Use unwinder instead of __builtin_return_address()") Cc: stable@vger.kernel.org Reported-by: Sumanth Korikkar Reviewed-by: Heiko Carstens Acked-by: Sumanth Korikkar Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit b5dc3ef1a37ee7addd1c0fe00016fa267e213973 Author: Yu Zhao Date: Mon Aug 12 16:48:23 2024 -0600 mm/hugetlb_vmemmap: batch HVO work when demoting commit c0f398c3b2cf67976bca216f80668b9c93368385 upstream. Batch the HVO work, including de-HVO of the source and HVO of the destination hugeTLB folios, to speed up demotion. After commit bd225530a4c7 ("mm/hugetlb_vmemmap: fix race with speculative PFN walkers"), each request of HVO or de-HVO, batched or not, invokes synchronize_rcu() once. For example, when not batched, demoting one 1GB hugeTLB folio to 512 2MB hugeTLB folios invokes synchronize_rcu() 513 times (1 de-HVO plus 512 HVO requests), whereas when batched, only twice (1 de-HVO plus 1 HVO request). And the performance difference between the two cases is significant, e.g., echo 2048kB >/sys/kernel/mm/hugepages/hugepages-1048576kB/demote_size time echo 100 >/sys/kernel/mm/hugepages/hugepages-1048576kB/demote Before this patch: real 8m58.158s user 0m0.009s sys 0m5.900s After this patch: real 0m0.900s user 0m0.000s sys 0m0.851s Note that this patch changes the behavior of the `demote` interface when de-HVO fails. Before, the interface aborts immediately upon failure; now, it tries to finish an entire batch, meaning it can make extra progress if the rest of the batch contains folios that do not need to de-HVO. Link: https://lkml.kernel.org/r/20240812224823.3914837-1-yuzhao@google.com Fixes: bd225530a4c7 ("mm/hugetlb_vmemmap: fix race with speculative PFN walkers") Signed-off-by: Yu Zhao Reviewed-by: Muchun Song Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 331ed2c739ce656a67865f6b3ee0a478349d78cb Author: Daniel Yang Date: Mon Sep 16 16:05:06 2024 -0700 exfat: resolve memory leak from exfat_create_upcase_table() commit c290fe508eee36df1640c3cb35dc8f89e073c8a8 upstream. If exfat_load_upcase_table reaches end and returns -EINVAL, allocated memory doesn't get freed and while exfat_load_default_upcase_table allocates more memory, leading to a memory leak. Here's link to syzkaller crash report illustrating this issue: https://syzkaller.appspot.com/text?tag=CrashReport&x=1406c201980000 Reported-by: syzbot+e1c69cadec0f1a078e3d@syzkaller.appspotmail.com Fixes: a13d1a4de3b0 ("exfat: move freeing sbi, upcase table and dropping nls into rcu-delayed helper") Cc: stable@vger.kernel.org Signed-off-by: Daniel Yang Signed-off-by: Namjae Jeon Signed-off-by: Greg Kroah-Hartman commit 5eca12af7cfa96d0f7afe72e52e69112206b89bc Author: Zhiguo Niu Date: Thu Jun 20 22:54:34 2024 +0000 lockdep: fix deadlock issue between lockdep and rcu commit a6f88ac32c6e63e69c595bfae220d8641704c9b7 upstream. There is a deadlock scenario between lockdep and rcu when rcu nocb feature is enabled, just as following call stack: rcuop/x -000|queued_spin_lock_slowpath(lock = 0xFFFFFF817F2A8A80, val = ?) -001|queued_spin_lock(inline) // try to hold nocb_gp_lock -001|do_raw_spin_lock(lock = 0xFFFFFF817F2A8A80) -002|__raw_spin_lock_irqsave(inline) -002|_raw_spin_lock_irqsave(lock = 0xFFFFFF817F2A8A80) -003|wake_nocb_gp_defer(inline) -003|__call_rcu_nocb_wake(rdp = 0xFFFFFF817F30B680) -004|__call_rcu_common(inline) -004|call_rcu(head = 0xFFFFFFC082EECC28, func = ?) -005|call_rcu_zapped(inline) -005|free_zapped_rcu(ch = ?)// hold graph lock -006|rcu_do_batch(rdp = 0xFFFFFF817F245680) -007|nocb_cb_wait(inline) -007|rcu_nocb_cb_kthread(arg = 0xFFFFFF817F245680) -008|kthread(_create = 0xFFFFFF80803122C0) -009|ret_from_fork(asm) rcuop/y -000|queued_spin_lock_slowpath(lock = 0xFFFFFFC08291BBC8, val = 0) -001|queued_spin_lock() -001|lockdep_lock() -001|graph_lock() // try to hold graph lock -002|lookup_chain_cache_add() -002|validate_chain() -003|lock_acquire -004|_raw_spin_lock_irqsave(lock = 0xFFFFFF817F211D80) -005|lock_timer_base(inline) -006|mod_timer(inline) -006|wake_nocb_gp_defer(inline)// hold nocb_gp_lock -006|__call_rcu_nocb_wake(rdp = 0xFFFFFF817F2A8680) -007|__call_rcu_common(inline) -007|call_rcu(head = 0xFFFFFFC0822E0B58, func = ?) -008|call_rcu_hurry(inline) -008|rcu_sync_call(inline) -008|rcu_sync_func(rhp = 0xFFFFFFC0822E0B58) -009|rcu_do_batch(rdp = 0xFFFFFF817F266680) -010|nocb_cb_wait(inline) -010|rcu_nocb_cb_kthread(arg = 0xFFFFFF817F266680) -011|kthread(_create = 0xFFFFFF8080363740) -012|ret_from_fork(asm) rcuop/x and rcuop/y are rcu nocb threads with the same nocb gp thread. This patch release the graph lock before lockdep call_rcu. Fixes: a0b0fd53e1e6 ("locking/lockdep: Free lock classes that are no longer in use") Cc: stable@vger.kernel.org Cc: Boqun Feng Cc: Waiman Long Cc: Carlos Llamas Cc: Bart Van Assche Signed-off-by: Zhiguo Niu Signed-off-by: Xuewen Yan Reviewed-by: Waiman Long Reviewed-by: Carlos Llamas Reviewed-by: Bart Van Assche Signed-off-by: Carlos Llamas Acked-by: Paul E. McKenney Signed-off-by: Boqun Feng Link: https://lore.kernel.org/r/20240620225436.3127927-1-cmllamas@google.com Signed-off-by: Greg Kroah-Hartman commit b24bf3d766236df197aa5aff106356becb7107fb Author: Tiezhu Yang Date: Tue Sep 24 14:27:10 2024 +0800 compiler.h: specify correct attribute for .rodata..c_jump_table commit c5b1184decc819756ae549ba54c63b6790c4ddfd upstream. Currently, there is an assembler message when generating kernel/bpf/core.o under CONFIG_OBJTOOL with LoongArch compiler toolchain: Warning: setting incorrect section attributes for .rodata..c_jump_table This is because the section ".rodata..c_jump_table" should be readonly, but there is a "W" (writable) part of the flags: $ readelf -S kernel/bpf/core.o | grep -A 1 "rodata..c" [34] .rodata..c_j[...] PROGBITS 0000000000000000 0000d2e0 0000000000000800 0000000000000000 WA 0 0 8 There is no above issue on x86 due to the generated section flag is only "A" (allocatable). In order to silence the warning on LoongArch, specify the attribute like ".rodata..c_jump_table,\"a\",@progbits #" explicitly, then the section attribute of ".rodata..c_jump_table" must be readonly in the kernel/bpf/core.o file. Before: $ objdump -h kernel/bpf/core.o | grep -A 1 "rodata..c" 21 .rodata..c_jump_table 00000800 0000000000000000 0000000000000000 0000d2e0 2**3 CONTENTS, ALLOC, LOAD, RELOC, DATA After: $ objdump -h kernel/bpf/core.o | grep -A 1 "rodata..c" 21 .rodata..c_jump_table 00000800 0000000000000000 0000000000000000 0000d2e0 2**3 CONTENTS, ALLOC, LOAD, RELOC, READONLY, DATA By the way, AFAICT, maybe the root cause is related with the different compiler behavior of various archs, so to some extent this change is a workaround for LoongArch, and also there is no effect for x86 which is the only port supported by objtool before LoongArch with this patch. Link: https://lkml.kernel.org/r/20240924062710.1243-1-yangtiezhu@loongson.cn Signed-off-by: Tiezhu Yang Cc: Josh Poimboeuf Cc: Peter Zijlstra Cc: [6.9+] Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit c08128ca870569dfbf8c0c48e4bf9583cba7aed1 Author: Mikulas Patocka Date: Tue Sep 24 15:18:29 2024 +0200 dm-verity: restart or panic on an I/O error commit e6a3531dd542cb127c8de32ab1e54a48ae19962b upstream. Maxim Suhanov reported that dm-verity doesn't crash if an I/O error happens. In theory, this could be used to subvert security, because an attacker can create sectors that return error with the Write Uncorrectable command. Some programs may misbehave if they have to deal with EIO. This commit fixes dm-verity, so that if "panic_on_corruption" or "restart_on_corruption" was specified and an I/O error happens, the machine will panic or restart. This commit also changes kernel_restart to emergency_restart - kernel_restart calls reboot notifiers and these reboot notifiers may wait for the bio that failed. emergency_restart doesn't call the notifiers. Reported-by: Maxim Suhanov Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit a27c5ea2d3e36a6816dc0dcd14528ab242bceb35 Author: Song Liu Date: Tue Sep 10 22:55:08 2024 -0700 bpf: lsm: Set bpf_lsm_blob_sizes.lbs_task to 0 commit 300a90b2cb5d442879e6398920c49aebbd5c8e40 upstream. bpf task local storage is now using task_struct->bpf_storage, so bpf_lsm_blob_sizes.lbs_task is no longer needed. Remove it to save some memory. Fixes: a10787e6d58c ("bpf: Enable task local storage for tracing programs") Cc: stable@vger.kernel.org Cc: KP Singh Cc: Matt Bobrowski Signed-off-by: Song Liu Acked-by: Matt Bobrowski Link: https://lore.kernel.org/r/20240911055508.9588-1-song@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit 6033ffb6532ae3c3f6b6552ea61032372af01b7b Author: Casey Schaufler Date: Wed Jul 10 14:32:25 2024 -0700 lsm: infrastructure management of the sock security [ Upstream commit 2aff9d20d50ac45dd13a013ef5231f4fb8912356 ] Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Acked-by: Paul Moore Reviewed-by: Kees Cook Reviewed-by: John Johansen Acked-by: Stephen Smalley Signed-off-by: Casey Schaufler [PM: subject tweak] Signed-off-by: Paul Moore Stable-dep-of: 63dff3e48871 ("lsm: add the inode_free_security_rcu() LSM implementation hook") Signed-off-by: Sasha Levin commit f9ca37239d2fda0678a68ecf5a196a121f3f3f61 Author: Rafael J. Wysocki Date: Mon Aug 26 18:21:59 2024 +0200 thermal: sysfs: Add sanity checks for trip temperature and hysteresis [ Upstream commit 874b6476fa888e79e41daf7653384c8d70927b90 ] Add sanity checks for new trip temperature and hysteresis values to trip_point_temp_store() and trip_point_hyst_store() to prevent trip point threshold from falling below THERMAL_TEMP_INVALID. However, still allow user space to pass THERMAL_TEMP_INVALID as the new trip temperature value to invalidate the trip if necessary. Also allow the hysteresis to be updated when the temperature is invalid to allow user space to avoid having to adjust hysteresis after a valid temperature has been set, but in that case just change the value and do nothing else. Fixes: be0a3600aa1e ("thermal: sysfs: Rework the handling of trip point updates") Cc: 6.8+ # 6.8+ Signed-off-by: Rafael J. Wysocki Reviewed-by: Lukasz Luba Link: https://patch.msgid.link/12528772.O9o76ZdvQC@rjwysocki.net Signed-off-by: Sasha Levin commit f149871e1c00772c0c8a3ba84030f23cd38849b7 Author: Rafael J. Wysocki Date: Mon Jul 29 18:27:25 2024 +0200 thermal: sysfs: Refine the handling of trip hysteresis changes [ Upstream commit 107280e1371f1ba183be1ac88e91ec60cad33c18 ] Change trip_point_hyst_store() and replace thermal_zone_trip_updated() with thermal_zone_set_trip_hyst() to follow the trip_point_temp_store() code pattern for more consistency. No intentional functional impact. Signed-off-by: Rafael J. Wysocki Link: https://patch.msgid.link/5508466.Sb9uPGUboI@rjwysocki.net Stable-dep-of: 874b6476fa88 ("thermal: sysfs: Add sanity checks for trip temperature and hysteresis") Signed-off-by: Sasha Levin commit b57c30fe041d622e85b114be31999e63fa062dbd Author: Rafael J. Wysocki Date: Mon Jul 29 18:25:59 2024 +0200 thermal: sysfs: Get to trips via attribute pointers [ Upstream commit afd84fb10ced3caf53769ba734ea237bde0f69e3 ] The _store() and _show() functions for sysfs attributes corresponding to trip point parameters (type, temperature and hysteresis) read the trip ID from the attribute name and then use the trip ID as the index in the given thermal zone's trips table to get to the trip object they want. Instead of doing this, make them use the attribute pointer they get as the second argument to get to the trip object embedded in the same struct thermal_trip_desc as the struct device_attribute pointed to by it, which is much more straightforward and less overhead. Signed-off-by: Rafael J. Wysocki Link: https://patch.msgid.link/114841552.nniJfEyVGO@rjwysocki.net Stable-dep-of: 874b6476fa88 ("thermal: sysfs: Add sanity checks for trip temperature and hysteresis") Signed-off-by: Sasha Levin commit 1d698a494cc9e78ba92f3ca276ed9508380284cd Author: Rafael J. Wysocki Date: Mon Jul 29 18:25:03 2024 +0200 thermal: core: Store trip sysfs attributes in thermal_trip_desc [ Upstream commit 66b263306a86c0f2d3cdb44e3722db6cff3a32b3 ] Instead of allocating memory for trip point sysfs attributes separately, store them in struct thermal_trip_desc for each trip individually which allows a few extra memory allocations to be avoided. No intentional functional impact. Signed-off-by: Rafael J. Wysocki Link: https://patch.msgid.link/46571375.fMDQidcC6G@rjwysocki.net Stable-dep-of: 874b6476fa88 ("thermal: sysfs: Add sanity checks for trip temperature and hysteresis") Signed-off-by: Sasha Levin commit db81a330fbdf5fba7266b7aa050cb91ed8a5b022 Author: Johan Hovold Date: Fri Sep 6 15:13:34 2024 +0200 serial: qcom-geni: fix console corruption [ Upstream commit cc4a0e5754a16bbc1e215c091349a7c83a2c5e14 ] The Qualcomm serial console implementation is broken and can lose characters when the serial port is also used for tty output. Specifically, the console code only waits for the current tx command to complete when all data has already been written to the fifo. When there are on-going longer transfers this often means that console output is lost when the console code inadvertently "hijacks" the current tx command instead of starting a new one. This can, for example, be observed during boot when console output that should have been interspersed with init output is truncated: [ 9.462317] qcom-snps-eusb2-hsphy fde000.phy: Registered Qcom-eUSB2 phy [ OK ] Found device KBG50ZNS256G KIOXIA Wi[ 9.471743ndows. [ 9.539915] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller Add a new state variable to track how much data has been written to the fifo and use it to determine when the fifo and shift register are both empty. This is needed since there is currently no other known way to determine when the shift register is empty. This in turn allows the console code to interrupt long transfers without losing data. Note that the oops-in-progress case is similarly broken as it does not cancel any active command and also waits for the wrong status flag when attempting to drain the fifo (TX_FIFO_NOT_EMPTY_EN is only set when cancelling a command leaves data in the fifo). Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP") Fixes: a1fee899e5be ("tty: serial: qcom_geni_serial: Fix softlock") Fixes: 9e957a155005 ("serial: qcom-geni: Don't cancel/abort if we can't get the port lock") Cc: stable@vger.kernel.org # 4.17 Reviewed-by: Douglas Anderson Tested-by: Nícolas F. R. A. Prado Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20240906131336.23625-7-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 801129b3349e0904927d7830a4e63a40449c690f Author: Douglas Anderson Date: Fri Sep 6 15:13:33 2024 +0200 serial: qcom-geni: introduce qcom_geni_serial_poll_bitfield() [ Upstream commit b26d1ad1221273c88c2c4f5b4080338b8ca23859 ] With a small modification the qcom_geni_serial_poll_bit() function could be used to poll more than just a single bit. Let's generalize it. We'll make the qcom_geni_serial_poll_bit() into just a wrapper of the general function. Signed-off-by: Douglas Anderson Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240610152420.v4.5.Ic6411eab8d9d37acc451705f583fb535cd6dadb2@changeid Tested-by: Nícolas F. R. A. Prado Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20240906131336.23625-6-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman Stable-dep-of: cc4a0e5754a1 ("serial: qcom-geni: fix console corruption") Signed-off-by: Sasha Levin commit 803cf2bda020ed859fed0324fa178513258f5a3c Author: Douglas Anderson Date: Fri Sep 6 15:13:32 2024 +0200 serial: qcom-geni: fix arg types for qcom_geni_serial_poll_bit() [ Upstream commit c2eaf5e01275ae13f1ec5b1434f6c49cfff57430 ] The "offset" passed in should be unsigned since it's always a positive offset from our memory mapped IO. The "field" should be u32 since we're anding it with a 32-bit value read from the device. Suggested-by: Stephen Boyd Signed-off-by: Douglas Anderson Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240610152420.v4.4.I24a0de52dd7336908df180fa6b698e001f3aff82@changeid Tested-by: Nícolas F. R. A. Prado Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20240906131336.23625-5-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman Stable-dep-of: cc4a0e5754a1 ("serial: qcom-geni: fix console corruption") Signed-off-by: Sasha Levin commit a85ddff25a75673b2b99f92f9677126fc9a18c36 Author: Douglas Anderson Date: Fri Sep 6 15:13:31 2024 +0200 soc: qcom: geni-se: add GP_LENGTH/IRQ_EN_SET/IRQ_EN_CLEAR registers [ Upstream commit b03ffc76b83c1a7d058454efbcf1bf0e345ef1c2 ] For UART devices the M_GP_LENGTH is the TX word count. For other devices this is the transaction word count. For UART devices the S_GP_LENGTH is the RX word count. The IRQ_EN set/clear registers allow you to set or clear bits in the IRQ_EN register without needing a read-modify-write. Acked-by: Bjorn Andersson Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20240610152420.v4.1.Ife7ced506aef1be3158712aa3ff34a006b973559@changeid Tested-by: Nícolas F. R. A. Prado Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20240906131336.23625-4-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman Stable-dep-of: cc4a0e5754a1 ("serial: qcom-geni: fix console corruption") Signed-off-by: Sasha Levin commit 2d3ff7c728c7d58b4480cf676f73081bb547e46d Author: Christian A. Ehrhardt Date: Thu Sep 12 09:41:32 2024 +0200 usb: typec: ucsi: Fix busy loop on ASUS VivoBooks [ Upstream commit 7fa6b25dfb43dafc0e16510e2fcfd63634fc95c2 ] If the busy indicator is set, all other fields in CCI should be clear according to the spec. However, some UCSI implementations do not follow this rule and report bogus data in CCI along with the busy indicator. Ignore the contents of CCI if the busy indicator is set. If a command timeout is hit it is possible that the EVENT_PENDING bit is cleared while connector work is still scheduled which can cause the EVENT_PENDING bit to go out of sync with scheduled connector work. Check and set the EVENT_PENDING bit on entry to ucsi_handle_connector_change() to fix this. Finally, check UCSI_CCI_BUSY before the return code of ->sync_control. This ensures that the command is cancelled even if ->sync_control returns an error (most likely -ETIMEDOUT). Reported-by: Anurag Bijea Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219108 Bisected-by: Christian Heusel Tested-by: Anurag Bijea Fixes: de52aca4d9d5 ("usb: typec: ucsi: Never send a lone connector change ack") Cc: stable@vger.kernel.org Signed-off-by: Christian A. Ehrhardt Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20240912074132.722855-1-lk@c--e.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 31e197cf7bb284fd8daf9a64a711f53e20d67040 Author: Heikki Krogerus Date: Fri Aug 16 16:58:58 2024 +0300 usb: typec: ucsi: Call CANCEL from single location [ Upstream commit 4f322657ade1b784bb2b1ba8761469ae87520681 ] The command cancellation can be done right after detecting that the PPM is busy. There is no need to do it separately in ucsi_read_error() and ucsi_send_command_common(). Signed-off-by: Heikki Krogerus Link: https://lore.kernel.org/r/20240816135859.3499351-6-heikki.krogerus@linux.intel.com Signed-off-by: Greg Kroah-Hartman Stable-dep-of: 7fa6b25dfb43 ("usb: typec: ucsi: Fix busy loop on ASUS VivoBooks") Signed-off-by: Sasha Levin commit b546d320f0dc5e409bacea5b12c2f37f6b0f6a64 Author: Krzysztof Kozlowski Date: Sun Aug 25 20:05:24 2024 +0200 soc: versatile: realview: fix soc_dev leak during device remove [ Upstream commit c774f2564c0086c23f5269fd4691f233756bf075 ] If device is unbound, the soc_dev should be unregistered to prevent memory leak. Fixes: a2974c9c1f83 ("soc: add driver for the ARM RealView") Cc: stable@vger.kernel.org Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/20240825-soc-dev-fixes-v1-3-ff4b35abed83@linaro.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 43aeffd31d089f0a0a2e154d20f7b431efe823fa Author: Krzysztof Kozlowski Date: Sun Aug 25 20:05:23 2024 +0200 soc: versatile: realview: fix memory leak during device remove [ Upstream commit 1c4f26a41f9d052f334f6ae629e01f598ed93508 ] If device is unbound, the memory allocated for soc_dev_attr should be freed to prevent leaks. Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/20240825-soc-dev-fixes-v1-2-ff4b35abed83@linaro.org Signed-off-by: Linus Walleij Stable-dep-of: c774f2564c00 ("soc: versatile: realview: fix soc_dev leak during device remove") Signed-off-by: Sasha Levin commit d2b36e7bff8c69d6d9217871462b802bc921e64b Author: Thomas Weißschuh Date: Thu Jul 25 18:54:18 2024 +0200 tools/nolibc: include arch.h from string.h commit 6ea2987c9a7b6c5f37d08a3eaa664c9ff7467670 upstream. string.h tests for the macros NOLIBC_ARCH_HAS_$FUNC to use the architecture-optimized function variants. However if string.h is included before arch.h header then that check does not work, leading to duplicate function definitions. Fixes: 553845eebd60 ("tools/nolibc: x86-64: Use `rep movsb` for `memcpy()` and `memmove()`") Fixes: 12108aa8c1a1 ("tools/nolibc: x86-64: Use `rep stosb` for `memset()`") Cc: stable@vger.kernel.org Acked-by: Willy Tarreau Link: https://lore.kernel.org/r/20240725-arch-has-func-v1-1-5521ed354acd@weissschuh.net Signed-off-by: Thomas Weißschuh Signed-off-by: Greg Kroah-Hartman commit 9373eafd19e876ceb2890c979f30ae15f4375606 Author: Krzysztof Kozlowski Date: Sat Aug 31 12:11:29 2024 +0200 ARM: dts: imx6ull-seeed-npi: fix fsl,pins property in tscgrp pinctrl commit 3dedd4889cfc2851444a1f7626b293c0bfd1e42c upstream. The property is "fsl,pins", not "fsl,pin". Wrong property means the pin configuration was not applied. Fixes dtbs_check warnings: imx6ull-seeed-npi-dev-board-emmc.dtb: pinctrl@20e0000: uart1grp: 'fsl,pins' is a required property imx6ull-seeed-npi-dev-board-emmc.dtb: pinctrl@20e0000: uart1grp: 'fsl,pin' does not match any of the regexes: 'pinctrl-[0-9]+' Cc: stable@vger.kernel.org Fixes: e3b5697195c8 ("ARM: dts: imx6ull: add seeed studio NPi dev board") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Parthiban Nallathambi Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 2ddcedd85e566095e9a1452e1fb92dc1f45056fe Author: Krzysztof Kozlowski Date: Sat Aug 31 12:11:28 2024 +0200 ARM: dts: imx6ul-geam: fix fsl,pins property in tscgrp pinctrl commit 1b0e32753d8550908dff8982410357b5114be78c upstream. The property is "fsl,pins", not "fsl,pin". Wrong property means the pin configuration was not applied. Fixes dtbs_check warnings: imx6ul-geam.dtb: pinctrl@20e0000: tscgrp: 'fsl,pins' is a required property imx6ul-geam.dtb: pinctrl@20e0000: tscgrp: 'fsl,pin' does not match any of the regexes: 'pinctrl-[0-9]+' Cc: stable@vger.kernel.org Fixes: a58e4e608bc8 ("ARM: dts: imx6ul-geam: Add Engicam IMX6UL GEA M6UL initial support") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Michael Trimarchi Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit ce8a9f59ef0d33d6accb596e50c7be421525db18 Author: Haibo Chen Date: Thu Sep 5 17:43:35 2024 +0800 dt-bindings: spi: nxp-fspi: add imx8ulp support commit 12736adc43b7cd5cb83f274f8f37b0f89d107c97 upstream. The flexspi on imx8ulp only has 16 number of LUTs, it is different with flexspi on other imx SoC which has 32 number of LUTs. Fixes: ef89fd56bdfc ("arm64: dts: imx8ulp: add flexspi node") Cc: stable@kernel.org Acked-by: Krzysztof Kozlowski Signed-off-by: Haibo Chen Reviewed-by: Frank Li Link: https://patch.msgid.link/20240905094338.1986871-2-haibo.chen@nxp.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 67554d69a8f600d8b1a7e5d998a8d0676132ab3e Author: Haibo Chen Date: Thu Sep 5 17:43:36 2024 +0800 spi: fspi: involve lut_num for struct nxp_fspi_devtype_data commit 190b7e2efb1ed8435fc7431d9c7a2447d05d5066 upstream. The flexspi on different SoCs may have different number of LUTs. So involve lut_num in nxp_fspi_devtype_data to make distinguish. This patch prepare for the adding of imx8ulp. Fixes: ef89fd56bdfc ("arm64: dts: imx8ulp: add flexspi node") Cc: stable@kernel.org Signed-off-by: Haibo Chen Reviewed-by: Frank Li Link: https://patch.msgid.link/20240905094338.1986871-3-haibo.chen@nxp.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 51590af12f00cb03dc1b2f53230f58c85e2d41bc Author: Paul Moore Date: Tue Jul 9 19:43:06 2024 -0400 lsm: add the inode_free_security_rcu() LSM implementation hook commit 63dff3e48871b0583be5032ff8fb7260c349a18c upstream. The LSM framework has an existing inode_free_security() hook which is used by LSMs that manage state associated with an inode, but due to the use of RCU to protect the inode, special care must be taken to ensure that the LSMs do not fully release the inode state until it is safe from a RCU perspective. This patch implements a new inode_free_security_rcu() implementation hook which is called when it is safe to free the LSM's internal inode state. Unfortunately, this new hook does not have access to the inode itself as it may already be released, so the existing inode_free_security() hook is retained for those LSMs which require access to the inode. Cc: stable@vger.kernel.org Reported-by: syzbot+5446fbf332b0602ede0b@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/00000000000076ba3b0617f65cc8@google.com Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit 1bd712de96ad7167fe0d608e706cd60587579f16 Author: VanGiang Nguyen Date: Fri Aug 9 06:21:42 2024 +0000 padata: use integer wrap around to prevent deadlock on seq_nr overflow commit 9a22b2812393d93d84358a760c347c21939029a6 upstream. When submitting more than 2^32 padata objects to padata_do_serial, the current sorting implementation incorrectly sorts padata objects with overflowed seq_nr, causing them to be placed before existing objects in the reorder list. This leads to a deadlock in the serialization process as padata_find_next cannot match padata->seq_nr and pd->processed because the padata instance with overflowed seq_nr will be selected next. To fix this, we use an unsigned integer wrap around to correctly sort padata objects in scenarios with integer overflow. Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs") Cc: Co-developed-by: Christian Gafert Signed-off-by: Christian Gafert Co-developed-by: Max Ferger Signed-off-by: Max Ferger Signed-off-by: Van Giang Nguyen Acked-by: Daniel Jordan Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit c4011808c43440bca7a2103ef9bd8cfd9187e90b Author: Krzysztof Kozlowski Date: Tue Aug 20 11:40:22 2024 +0200 cpuidle: riscv-sbi: Use scoped device node handling to fix missing of_node_put commit a309320ddbac6b1583224fcb6bacd424bcf8637f upstream. Two return statements in sbi_cpuidle_dt_init_states() did not drop the OF node reference count. Solve the issue and simplify entire error handling with scoped/cleanup.h. Fixes: 6abf32f1d9c5 ("cpuidle: Add RISC-V SBI CPU idle driver") Cc: All applicable Signed-off-by: Krzysztof Kozlowski Reviewed-by: Anup Patel Link: https://patch.msgid.link/20240820094023.61155-1-krzysztof.kozlowski@linaro.org Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 5f309cba475fd9c67f185d8b409f8555f56b843c Author: Yu Kuai Date: Thu Aug 1 20:47:46 2024 +0800 md: Don't flush sync_work in md_write_start() commit 86ad4cda79e0dade87d4bb0d32e1fe541d4a63e8 upstream. Because flush sync_work may trigger mddev_suspend() if there are spares, and this should never be done in IO path because mddev_suspend() is used to wait for IO. This problem is found by code review. Fixes: bc08041b32ab ("md: suspend array in md_start_sync() if array need reconfiguration") Cc: stable@vger.kernel.org Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20240801124746.242558-1-yukuai1@huaweicloud.com Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman commit 271fdbc0b77580daa1c5c5e3d694b39ac8ec5997 Author: Martin Karsten Date: Tue Aug 6 12:33:01 2024 +0000 eventpoll: Annotate data-race of busy_poll_usecs commit b9ca079dd6b09e08863aa998edf5c47597806c05 upstream. A struct eventpoll's busy_poll_usecs field can be modified via a user ioctl at any time. All reads of this field should be annotated with READ_ONCE. Fixes: 85455c795c07 ("eventpoll: support busy poll per epoll instance") Cc: stable@vger.kernel.org Signed-off-by: Martin Karsten Link: https://lore.kernel.org/r/20240806123301.167557-1-jdamato@fastly.com Reviewed-by: Joe Damato Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit 483397b4ba280813e4a9c161a0a85172ddb43d19 Author: Eric Dumazet Date: Thu Aug 29 14:46:39 2024 +0000 icmp: change the order of rate limits commit 8c2bd38b95f75f3d2a08c93e35303e26d480d24e upstream. ICMP messages are ratelimited : After the blamed commits, the two rate limiters are applied in this order: 1) host wide ratelimit (icmp_global_allow()) 2) Per destination ratelimit (inetpeer based) In order to avoid side-channels attacks, we need to apply the per destination check first. This patch makes the following change : 1) icmp_global_allow() checks if the host wide limit is reached. But credits are not yet consumed. This is deferred to 3) 2) The per destination limit is checked/updated. This might add a new node in inetpeer tree. 3) icmp_global_consume() consumes tokens if prior operations succeeded. This means that host wide ratelimit is still effective in keeping inetpeer tree small even under DDOS. As a bonus, I removed icmp_global.lock as the fast path can use a lock-free operation. Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited") Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") Reported-by: Keyu Man Signed-off-by: Eric Dumazet Reviewed-by: David Ahern Cc: Jesper Dangaard Brouer Cc: stable@vger.kernel.org Link: https://patch.msgid.link/20240829144641.3880376-2-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 5368c4d94f0b591ebfa768fd0387ca5941e7ed7e Author: Qiuxu Zhuo Date: Wed Aug 14 14:10:11 2024 +0800 EDAC/igen6: Fix conversion of system address to physical memory address commit 0ad875f442e95d69a1145a38aabac2fd29984fe3 upstream. The conversion of system address to physical memory address (as viewed by the memory controller) by igen6_edac is incorrect when the system address is above the TOM (Total amount Of populated physical Memory) for Elkhart Lake and Ice Lake (Neural Network Processor). Fix this conversion. Fixes: 10590a9d4f23 ("EDAC/igen6: Add EDAC driver for Intel client SoCs using IBECC") Signed-off-by: Qiuxu Zhuo Signed-off-by: Tony Luck Cc: stable@vger.kernel.org Link: https://lore.kernel.org/stable/20240814061011.43545-1-qiuxu.zhuo%40intel.com Signed-off-by: Greg Kroah-Hartman commit 3abb182d64fe9d94a71f1bd75e623b03069397e4 Author: Li Lingfeng Date: Wed Sep 4 20:34:57 2024 +0800 nfs: fix memory leak in error path of nfs4_do_reclaim commit 8f6a7c9467eaf39da4c14e5474e46190ab3fb529 upstream. Commit c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()") separate out the freeing of the state owners from nfs4_purge_state_owners() and finish it outside the rcu lock. However, the error path is omitted. As a result, the state owners in "freeme" will not be released. Fix it by adding freeing in the error path. Fixes: c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()") Signed-off-by: Li Lingfeng Cc: stable@vger.kernel.org # v5.3+ Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit aba55c1ff3d6b34df2805b4484a4a6625679ae37 Author: Mickaël Salaün Date: Wed Aug 21 11:56:05 2024 +0200 fs: Fix file_set_fowner LSM hook inconsistencies commit 26f204380a3c182e5adf1a798db0724d6111b597 upstream. The fcntl's F_SETOWN command sets the process that handle SIGIO/SIGURG for the related file descriptor. Before this change, the file_set_fowner LSM hook was always called, ignoring the VFS logic which may not actually change the process that handles SIGIO (e.g. TUN, TTY, dnotify), nor update the related UID/EUID. Moreover, because security_file_set_fowner() was called without lock (e.g. f_owner.lock), concurrent F_SETOWN commands could result to a race condition and inconsistent LSM states (e.g. SELinux's fown_sid) compared to struct fown_struct's UID/EUID. This change makes sure the LSM states are always in sync with the VFS state by moving the security_file_set_fowner() call close to the UID/EUID updates and using the same f_owner.lock . Rename f_modown() to __f_setown() to simplify code. Cc: stable@vger.kernel.org Cc: Al Viro Cc: Casey Schaufler Cc: Christian Brauner Cc: James Morris Cc: Jann Horn Cc: Ondrej Mosnacek Cc: Paul Moore Cc: Serge E. Hallyn Cc: Stephen Smalley Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Mickaël Salaün Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit 7a9eaf97d56625e55b31a7beb558e1ee185ca461 Author: Baokun Li Date: Mon Aug 26 19:34:04 2024 +0800 netfs: Delete subtree of 'fs/netfs' when netfs module exits commit 3c58a9575e02c2b90a3180007d57105ceaa7c246 upstream. In netfs_init() or fscache_proc_init(), we create dentry under 'fs/netfs', but in netfs_exit(), we only delete the proc entry of 'fs/netfs' without deleting its subtree. This triggers the following WARNING: ================================================================== remove_proc_entry: removing non-empty directory 'fs/netfs', leaking at least 'requests' WARNING: CPU: 4 PID: 566 at fs/proc/generic.c:717 remove_proc_entry+0x160/0x1c0 Modules linked in: netfs(-) CPU: 4 UID: 0 PID: 566 Comm: rmmod Not tainted 6.11.0-rc3 #860 RIP: 0010:remove_proc_entry+0x160/0x1c0 Call Trace: netfs_exit+0x12/0x620 [netfs] __do_sys_delete_module.isra.0+0x14c/0x2e0 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== Therefore use remove_proc_subtree() instead of remove_proc_entry() to fix the above problem. Fixes: 7eb5b3e3a0a5 ("netfs, fscache: Move /proc/fs/fscache to /proc/fs/netfs and put in a symlink") Cc: stable@kernel.org Signed-off-by: Baokun Li Link: https://lore.kernel.org/r/20240826113404.3214786-1-libaokun@huaweicloud.com Acked-by: David Howells Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit 6c857fb12b9137fee574443385d53914356bbe11 Author: Julian Sun Date: Fri Aug 23 21:07:30 2024 +0800 vfs: fix race between evice_inodes() and find_inode()&iput() commit 88b1afbf0f6b221f6c5bb66cc80cd3b38d696687 upstream. Hi, all Recently I noticed a bug[1] in btrfs, after digged it into and I believe it'a race in vfs. Let's assume there's a inode (ie ino 261) with i_count 1 is called by iput(), and there's a concurrent thread calling generic_shutdown_super(). cpu0: cpu1: iput() // i_count is 1 ->spin_lock(inode) ->dec i_count to 0 ->iput_final() generic_shutdown_super() ->__inode_add_lru() ->evict_inodes() // cause some reason[2] ->if (atomic_read(inode->i_count)) continue; // return before // inode 261 passed the above check // list_lru_add_obj() // and then schedule out ->spin_unlock() // note here: the inode 261 // was still at sb list and hash list, // and I_FREEING|I_WILL_FREE was not been set btrfs_iget() // after some function calls ->find_inode() // found the above inode 261 ->spin_lock(inode) // check I_FREEING|I_WILL_FREE // and passed ->__iget() ->spin_unlock(inode) // schedule back ->spin_lock(inode) // check (I_NEW|I_FREEING|I_WILL_FREE) flags, // passed and set I_FREEING iput() ->spin_unlock(inode) ->spin_lock(inode) ->evict() // dec i_count to 0 ->iput_final() ->spin_unlock() ->evict() Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput(). To fix the bug, recheck the inode->i_count after holding i_lock. Because in the most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced. If there is any misunderstanding, please let me know, thanks. [1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/ [2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug. Reported-by: syzbot+67ba3c42bcbb4665d3ad@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=67ba3c42bcbb4665d3ad CC: stable@vger.kernel.org Fixes: 63997e98a3be ("split invalidate_inodes()") Signed-off-by: Julian Sun Link: https://lore.kernel.org/r/20240823130730.658881-1-sunjunchao2870@gmail.com Reviewed-by: Jan Kara Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit d686c1f4c1f80b2a4284b85519e0542171dc25dc Author: Dragan Simic Date: Mon Jul 15 19:44:20 2024 +0200 arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity commit def33fb1191207f5afa6dcb681d71fef2a6c1293 upstream. All batches of the Pine64 Pinebook Pro, except the latest batch (as of 2024) whose hardware design was revised due to the component shortage, use a 1S lithium battery whose nominal/design capacity is 10,000 mAh, according to the battery datasheet. [1][2] Let's correct the design full-charge value in the Pinebook Pro board dts, to improve the accuracy of the hardware description, and to hopefully improve the accuracy of the fuel gauge a bit on all units that don't belong to the latest batch. The above-mentioned latest batch uses a different 1S lithium battery with a slightly lower capacity, more precisely 9,600 mAh. To make the fuel gauge work reliably on the latest batch, a sample battery would need to be sent to CellWise, to obtain its proprietary battery profile, whose data goes into "cellwise,battery-profile" in the Pinebook Pro board dts. Without that data, the fuel gauge reportedly works unreliably, so changing the design capacity won't have any negative effects on the already unreliable operation of the fuel gauge in the Pinebook Pros that belong to the latest batch. According to the battery datasheet, its voltage can go as low as 2.75 V while discharging, but it's better to leave the current 3.0 V value in the dts file, because of the associated Pinebook Pro's voltage regulation issues. [1] https://wiki.pine64.org/index.php/Pinebook_Pro#Battery [2] https://files.pine64.org/doc/datasheet/pinebook/40110175P%203.8V%2010000mAh%E8%A7%84%E6%A0%BC%E4%B9%A6-14.pdf Fixes: c7c4d698cd28 ("arm64: dts: rockchip: add fuel gauge to Pinebook Pro dts") Cc: stable@vger.kernel.org Cc: Marek Kraus Signed-off-by: Dragan Simic Link: https://lore.kernel.org/r/731f8ef9b1a867bcc730d19ed277c8c0534c0842.1721065172.git.dsimic@manjaro.org Signed-off-by: Heiko Stuebner Signed-off-by: Greg Kroah-Hartman commit 48c036d3c13b6426227f4dd73ee3551e2670d63b Author: Qingqing Zhou Date: Thu Jul 25 12:51:17 2024 +0530 arm64: dts: qcom: sa8775p: Mark APPS and PCIe SMMUs as DMA coherent commit 421688265d7f5d3ff4211982e7231765378bb64f upstream. The SMMUs on sa8775p are cache-coherent. GPU SMMU is marked as such, mark the APPS and PCIe ones as well. Fixes: 603f96d4c9d0 ("arm64: dts: qcom: add initial support for qcom sa8775p-ride") Fixes: 2dba7a613a6e ("arm64: dts: qcom: sa8775p: add the pcie smmu node") Cc: stable@vger.kernel.org Reviewed-by: Konrad Dybcio Reviewed-by: Manivannan Sadhasivam Signed-off-by: Qingqing Zhou Rule: add Link: https://lore.kernel.org/stable/20240723075948.9545-1-quic_qqzhou%40quicinc.com Link: https://lore.kernel.org/r/20240725072117.22425-1-quic_qqzhou@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 7327cd8357b7e5c0b84e091528449cdde384bec6 Author: Dragan Simic Date: Sun Aug 4 23:10:24 2024 +0200 arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency commit 8c51521de18755d4112a77a598a348b38d0af370 upstream. Increase the frequency of the PWM signal that drives the LED backlight of the Pinebook Pro's panel, from about 1.35 KHz (which equals to the PWM period of 740,740 ns), to exactly 8 kHz (which equals to the PWM period of 125,000 ns). Using a higher PWM frequency for the panel backlight, which reduces the flicker, can only be beneficial to the end users' eyes. On top of that, increasing the backlight PWM signal frequency reportedly eliminates the buzzing emitted from the Pinebook Pro's built-in speakers when certain backlight levels are set, which cause some weird interference with some of the components of the Pinebook Pro's audio chain. The old value for the backlight PWM period, i.e. 740,740 ns, is pretty much an arbitrary value that was selected during the very early bring-up of the Pinebook Pro, only because that value seemed to minimize horizontal line distortion on the display, which resulted from the old X.org drivers causing screen tearing when dragging windows around. That's no longer an issue, so there are no reasons to stick with the old PWM period value. The lower and the upper backlight PWM frequency limits for the Pinebook Pro's panel, according to its datasheet, are 200 Hz and 10 kHz, respectively. [1] These changes still leave some headroom, which may have some positive effects on the lifetime expectancy of the panel's backlight LEDs. [1] https://files.pine64.org/doc/datasheet/PinebookPro/NV140FHM-N49_Rev.P0_20160804_201710235838.pdf Fixes: 5a65505a6988 ("arm64: dts: rockchip: Add initial support for Pinebook Pro") Cc: stable@vger.kernel.org Reported-by: Nikola Radojevic Signed-off-by: Dragan Simic Tested-by: Nikola Radojević Link: https://lore.kernel.org/r/2a23b6cfd8c0513e5b233b4006ee3d3ed09b824f.1722805655.git.dsimic@manjaro.org Signed-off-by: Heiko Stuebner Signed-off-by: Greg Kroah-Hartman commit 539e1954d7d6f7902c7848ec1e5abf7d9e12197c Author: Chen-Yu Tsai Date: Wed Aug 21 12:28:34 2024 +0800 arm64: dts: mediatek: mt8186-corsola: Disable DPI display interface commit 3079fb09ddac159bd8bb87f6f15b924e265f8d4d upstream. The DPI display interface feeds the external display pipeline. However the pipeline representation is currently incomplete. Efforts are still under way to come up with a way to represent the "creative" repurposing of the DP bridge chip's internal output mux, which is meant to support USB type-C orientation changes, to output to one of two type-C ports. Until that is finalized, the external display can't be fully described, and thus won't work. Even worse, the half complete graph potentially confuses the OS, breaking the internal display as well. Disable the external display interface across the whole Corsola family until the DP / USB Type-C muxing graph binding is ready. Reported-by: Alper Nebi Yasak Closes: https://lore.kernel.org/linux-mediatek/38a703a9-6efb-456a-a248-1dd3687e526d@gmail.com/ Fixes: 8855d01fb81f ("arm64: dts: mediatek: Add MT8186 Krabby platform based Tentacruel / Tentacool") Cc: Signed-off-by: Chen-Yu Tsai Tested-by: Alper Nebi Yasak Reviewed-by: Nícolas F. R. A. Prado Link: https://lore.kernel.org/r/20240821042836.2631815-1-wenst@chromium.org Signed-off-by: Matthias Brugger Signed-off-by: Greg Kroah-Hartman commit 75620914003ed127a3f05cc32f6f8d5c3e980a32 Author: D Scott Phillips Date: Tue Aug 27 14:17:01 2024 -0700 arm64: errata: Enable the AC03_CPU_38 workaround for ampere1a commit db0d8a84348b876df7c4276f0cbce5df3b769f5f upstream. The ampere1a cpu is affected by erratum AC04_CPU_10 which is the same bug as AC03_CPU_38. Add ampere1a to the AC03_CPU_38 workaround midr list. Cc: Signed-off-by: D Scott Phillips Acked-by: Oliver Upton Link: https://lore.kernel.org/r/20240827211701.2216719-1-scott@os.amperecomputing.com Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 783a1429fdd7729e4cea611c4fc309b0ccd2d7a2 Author: Anastasia Belova Date: Tue Sep 10 11:50:16 2024 +0300 arm64: esr: Define ESR_ELx_EC_* constants as UL commit b6db3eb6c373b97d9e433530d748590421bbeea7 upstream. Add explicit casting to prevent expantion of 32th bit of u32 into highest half of u64 in several places. For example, in inject_abt64: ESR_ELx_EC_DABT_LOW << ESR_ELx_EC_SHIFT = 0x24 << 26. This operation's result is int with 1 in 32th bit. While casting this value into u64 (esr is u64) 1 fills 32 highest bits. Found by Linux Verification Center (linuxtesting.org) with SVACE. Cc: Fixes: aa8eff9bfbd5 ("arm64: KVM: fault injection into a guest") Signed-off-by: Anastasia Belova Acked-by: Marc Zyngier Link: https://lore.kernel.org/stable/20240910085016.32120-1-abelova%40astralinux.ru Link: https://lore.kernel.org/r/20240910085016.32120-1-abelova@astralinux.ru Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 289dfb3a61fd167f60b87213beed939e68f750c0 Author: Gaosheng Cui Date: Sat Aug 3 14:49:23 2024 +0800 hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume commit 4b7acc85de14ee8a2236f54445dc635d47eceac0 upstream. Add the missing clk_disable_unprepare() before return in cctrng_resume(). Fixes: a583ed310bb6 ("hwrng: cctrng - introduce Arm CryptoCell driver") Cc: Signed-off-by: Gaosheng Cui Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 6d5b3c61214ec3880b6e253c89a89c1526e707fa Author: Gaosheng Cui Date: Sat Aug 3 14:49:22 2024 +0800 hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init commit d57e2f7cffd57fe2800332dec768ec1b67a4159f upstream. Add the missing clk_disable_unprepare() before return in bcm2835_rng_init(). Fixes: e5f9f41d5e62 ("hwrng: bcm2835 - add reset support") Cc: Signed-off-by: Gaosheng Cui Reviewed-by: Florian Fainelli Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 20842aa04bf6665056a86b6a7e8e07799435eb9d Author: Guoqing Jiang Date: Mon Aug 26 15:04:15 2024 +0800 hwrng: mtk - Use devm_pm_runtime_enable commit 78cb66caa6ab5385ac2090f1aae5f3c19e08f522 upstream. Replace pm_runtime_enable with the devres-enabled version which can trigger pm_runtime_disable. Otherwise, the below appears during reload driver. mtk_rng 1020f000.rng: Unbalanced pm_runtime_enable! Fixes: 81d2b34508c6 ("hwrng: mtk - add runtime PM support") Cc: Suggested-by: Chen-Yu Tsai Signed-off-by: Guoqing Jiang Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit d6f08c88047accc6127dddb6798a3ff11321539d Author: Chao Yu Date: Wed Sep 4 11:20:47 2024 +0800 f2fs: fix to check atomic_file in f2fs ioctl interfaces commit bfe5c02654261bfb8bd9cb174a67f3279ea99e58 upstream. Some f2fs ioctl interfaces like f2fs_ioc_set_pin_file(), f2fs_move_file_range(), and f2fs_defragment_range() missed to check atomic_write status, which may cause potential race issue, fix it. Cc: stable@vger.kernel.org Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit d2352b57897f6a3349666fc318dcbec99092c6a5 Author: Shin'ichiro Kawasaki Date: Fri Aug 16 13:07:03 2024 +0900 f2fs: check discard support for conventional zones commit 43aec4d01bd2ce961817a777b3846f8318f398e4 upstream. As the helper function f2fs_bdev_support_discard() shows, f2fs checks if the target block devices support discard by calling bdev_max_discard_sectors() and bdev_is_zoned(). This check works well for most cases, but it does not work for conventional zones on zoned block devices. F2fs assumes that zoned block devices support discard, and calls __submit_discard_cmd(). When __submit_discard_cmd() is called for sequential write required zones, it works fine since __submit_discard_cmd() issues zone reset commands instead of discard commands. However, when __submit_discard_cmd() is called for conventional zones, __blkdev_issue_discard() is called even when the devices do not support discard. The inappropriate __blkdev_issue_discard() call was not a problem before the commit 30f1e7241422 ("block: move discard checks into the ioctl handler") because __blkdev_issue_discard() checked if the target devices support discard or not. If not, it returned EOPNOTSUPP. After the commit, __blkdev_issue_discard() no longer checks it. It always returns zero and sets NULL to the given bio pointer. This NULL pointer triggers f2fs_bug_on() in __submit_discard_cmd(). The BUG is recreated with the commands below at the umount step, where /dev/nullb0 is a zoned null_blk with 5GB total size, 128MB zone size and 10 conventional zones. $ mkfs.f2fs -f -m /dev/nullb0 $ mount /dev/nullb0 /mnt $ for ((i=0;i<5;i++)); do dd if=/dev/zero of=/mnt/test bs=65536 count=1600 conv=fsync; done $ umount /mnt To fix the BUG, avoid the inappropriate __blkdev_issue_discard() call. When discard is requested for conventional zones, check if the device supports discard or not. If not, return EOPNOTSUPP. Fixes: 30f1e7241422 ("block: move discard checks into the ioctl handler") Cc: stable@vger.kernel.org Signed-off-by: Shin'ichiro Kawasaki Reviewed-by: Damien Le Moal Reviewed-by: Chao Yu Reviewed-by: Christoph Hellwig Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 4583290898c13c2c2e5eb8773886d153c2c5121d Author: Jann Horn Date: Tue Aug 6 16:07:16 2024 +0200 f2fs: Require FMODE_WRITE for atomic write ioctls commit 4f5a100f87f32cb65d4bb1ad282a08c92f6f591e upstream. The F2FS ioctls for starting and committing atomic writes check for inode_owner_or_capable(), but this does not give LSMs like SELinux or Landlock an opportunity to deny the write access - if the caller's FSUID matches the inode's UID, inode_owner_or_capable() immediately returns true. There are scenarios where LSMs want to deny a process the ability to write particular files, even files that the FSUID of the process owns; but this can currently partially be bypassed using atomic write ioctls in two ways: - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can truncate an inode to size 0 - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert changes another process concurrently made to a file Fix it by requiring FMODE_WRITE for these operations, just like for F2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these ioctls when intending to write into the file, that seems unlikely to break anything. Fixes: 88b88a667971 ("f2fs: support atomic writes") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Reviewed-by: Chao Yu Reviewed-by: Eric Biggers Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 03db683d389be50f50bd617df3233595c2d651e0 Author: Nikita Zhandarovich Date: Wed Jul 24 10:51:58 2024 -0700 f2fs: avoid potential int overflow in sanity_check_area_boundary() commit 50438dbc483ca6a133d2bce9d5d6747bcee38371 upstream. While calculating the end addresses of main area and segment 0, u32 may be not enough to hold the result without the danger of int overflow. Just in case, play it safe and cast one of the operands to a wider type (u64). Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: fd694733d523 ("f2fs: cover large section in sanity check of super") Cc: stable@vger.kernel.org Signed-off-by: Nikita Zhandarovich Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 17526442a0efe17a6bd4ae736be9b322161eca2b Author: Nikita Zhandarovich Date: Wed Jul 24 10:05:44 2024 -0700 f2fs: prevent possible int overflow in dir_block_index() commit 47f268f33dff4a5e31541a990dc09f116f80e61c upstream. The result of multiplication between values derived from functions dir_buckets() and bucket_blocks() *could* technically reach 2^30 * 2^2 = 2^32. While unlikely to happen, it is prudent to ensure that it will not lead to integer overflow. Thus, use mul_u32_u32() as it's more appropriate to mitigate the issue. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 3843154598a0 ("f2fs: introduce large directory support") Cc: stable@vger.kernel.org Signed-off-by: Nikita Zhandarovich Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 4f3dffe46d95c635eb9e920ba9a4819e1ee80509 Author: Nikita Zhandarovich Date: Wed Jul 24 10:28:38 2024 -0700 f2fs: fix several potential integer overflows in file offsets commit 1cade98cf6415897bf9342ee451cc5b40b58c638 upstream. When dealing with large extents and calculating file offsets by summing up according extent offsets and lengths of unsigned int type, one may encounter possible integer overflow if the values are big enough. Prevent this from happening by expanding one of the addends to (pgoff_t) type. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: d323d005ac4a ("f2fs: support file defragment") Cc: stable@vger.kernel.org Signed-off-by: Nikita Zhandarovich Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit e3db757ff9b7101ae68650ac5f6dd5743b68164e Author: Chao Yu Date: Thu Jun 27 15:17:11 2024 +0800 f2fs: fix to wait dio completion commit 96cfeb0389530ae32ade8a48ae3ae1ac3b6c009d upstream. It should wait all existing dio write IOs before block removal, otherwise, previous direct write IO may overwrite data in the block which may be reused by other inode. Cc: stable@vger.kernel.org Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit f91f17bd30de599fa7404bf12a38499951183a0a Author: Luca Stefani Date: Mon Sep 2 13:10:53 2024 +0200 btrfs: always update fstrim_range on failure in FITRIM ioctl commit 3368597206dc3c6c3c2247ee146beada14c67380 upstream. Even in case of failure we could've discarded some data and userspace should be made aware of it, so copy fstrim_range to userspace regardless. Also make sure to update the trimmed bytes amount even if btrfs_trim_free_extents fails. CC: stable@vger.kernel.org # 5.15+ Reviewed-by: Qu Wenruo Signed-off-by: Luca Stefani Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 24f4f3259bb57ea1f51c62e969f2a9616e73ed88 Author: Qu Wenruo Date: Wed Sep 11 07:06:45 2024 +0930 btrfs: tree-checker: fix the wrong output of data backref objectid commit b0b595e61d97de61c15b379b754b2caa90e83e5c upstream. [BUG] There are some reports about invalid data backref objectids, the report looks like this: BTRFS critical (device sda): corrupt leaf: block=333654787489792 slot=110 extent bytenr=333413935558656 len=65536 invalid data ref objectid value 2543 The data ref objectid is the inode number inside the subvolume. But in above case, the value is completely sane, not really showing the problem. [CAUSE] The root cause of the problem is the deprecated feature, inode cache. This feature results a special inode number, -12ULL, and it's no longer recognized by tree-checker, triggering the error. The direct problem here is the output of data ref objectid. The value shown is in fact the dref_root (subvolume id), not the dref_objectid (inode number). [FIX] Fix the output to use dref_objectid instead. Reported-by: Neil Parton Reported-by: Archange Link: https://lore.kernel.org/linux-btrfs/CAAYHqBbrrgmh6UmW3ANbysJX9qG9Pbg3ZwnKsV=5mOpv_qix_Q@mail.gmail.com/ Link: https://lore.kernel.org/linux-btrfs/9541deea-9056-406e-be16-a996b549614d@archlinux.org/ Fixes: f333a3c7e832 ("btrfs: tree-checker: validate dref root and objectid") CC: stable@vger.kernel.org # 6.11 Reviewed-by: Filipe Manana Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 33d1310d4496e904123dab9c28b2d8d2c1800f97 Author: Filipe Manana Date: Tue Sep 3 10:55:36 2024 +0100 btrfs: fix race setting file private on concurrent lseek using same fd commit 7ee85f5515e86a4e2a2f51969795920733912bad upstream. When doing concurrent lseek(2) system calls against the same file descriptor, using multiple threads belonging to the same process, we have a short time window where a race happens and can result in a memory leak. The race happens like this: 1) A program opens a file descriptor for a file and then spawns two threads (with the pthreads library for example), lets call them task A and task B; 2) Task A calls lseek with SEEK_DATA or SEEK_HOLE and ends up at file.c:find_desired_extent() while holding a read lock on the inode; 3) At the start of find_desired_extent(), it extracts the file's private_data pointer into a local variable named 'private', which has a value of NULL; 4) Task B also calls lseek with SEEK_DATA or SEEK_HOLE, locks the inode in shared mode and enters file.c:find_desired_extent(), where it also extracts file->private_data into its local variable 'private', which has a NULL value; 5) Because it saw a NULL file private, task A allocates a private structure and assigns to the file structure; 6) Task B also saw a NULL file private so it also allocates its own file private and then assigns it to the same file structure, since both tasks are using the same file descriptor. At this point we leak the private structure allocated by task A. Besides the memory leak, there's also the detail that both tasks end up using the same cached state record in the private structure (struct btrfs_file_private::llseek_cached_state), which can result in a use-after-free problem since one task can free it while the other is still using it (only one task took a reference count on it). Also, sharing the cached state is not a good idea since it could result in incorrect results in the future - right now it should not be a problem because it end ups being used only in extent-io-tree.c:count_range_bits() where we do range validation before using the cached state. Fix this by protecting the private assignment and check of a file while holding the inode's spinlock and keep track of the task that allocated the private, so that it's used only by that task in order to prevent user-after-free issues with the cached state record as well as potentially using it incorrectly in the future. Fixes: 3c32c7212f16 ("btrfs: use cached state when looking for delalloc ranges with lseek") CC: stable@vger.kernel.org # 6.6+ Reviewed-by: Josef Bacik Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 23a253d38b87ef9e43d1f350288ca0fa4d0ccced Author: Zhen Lei Date: Wed Sep 4 21:39:40 2024 +0800 debugobjects: Fix conditions in fill_pool() commit 684d28feb8546d1e9597aa363c3bfcf52fe250b7 upstream. fill_pool() uses 'obj_pool_min_free' to decide whether objects should be handed back to the kmem cache. But 'obj_pool_min_free' records the lowest historical value of the number of objects in the object pool and not the minimum number of objects which should be kept in the pool. Use 'debug_objects_pool_min_level' instead, which holds the minimum number which was scaled to the number of CPUs at boot time. [ tglx: Massage change log ] Fixes: d26bf5056fc0 ("debugobjects: Reduce number of pool_lock acquisitions in fill_pool()") Fixes: 36c4ead6f6df ("debugobjects: Add global free list and the counter") Signed-off-by: Zhen Lei Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/20240904133944.2124-3-thunder.leizhen@huawei.com Signed-off-by: Greg Kroah-Hartman commit 836509d534216c18e7680d574f35b73e44b1301a Author: Marc Aurèle La France Date: Sat Aug 10 13:25:27 2024 -0600 debugfs show actual source in /proc/mounts commit 3a987b88a42593875f6345188ca33731c7df728c upstream. After its conversion to the new mount API, debugfs displays "none" in /proc/mounts instead of the actual source. Fix this by recognising its "source" mount option. Signed-off-by: Marc Aurèle La France Link: https://lore.kernel.org/r/e439fae2-01da-234b-75b9-2a7951671e27@tuyoix.net Fixes: a20971c18752 ("vfs: Convert debugfs to use the new mount API") Cc: stable@vger.kernel.org # 6.10.x: 49abee5991e1: debugfs: Convert to new uid/gid option parsing helpers Signed-off-by: Christian Brauner Signed-off-by: Greg Kroah-Hartman commit 978d1756b3ae1b857826eb7ed8181f3c5180dce9 Author: Michael Lo Date: Mon Sep 2 17:00:54 2024 +0800 wifi: mt76: mt7925: fix a potential association failure upon resuming commit 45064d19fd3af6aeb0887b35b5564927980cf150 upstream. In multi-channel scenarios, the granted channel must be aborted before suspending. Otherwise, the firmware will be put into a wrong state, resulting in an association failure after resuming. With this patch, the granted channel will be aborted before suspending if necessary. Cc: stable@vger.kernel.org Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Michael Lo Signed-off-by: Ming Yen Hsieh Link: https://patch.msgid.link/20240902090054.15806-1-mingyen.hsieh@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman commit c56d287fa1dc0126431e27f8ab7a41673db75864 Author: Ma Ke Date: Thu Sep 5 09:47:53 2024 +0800 wifi: mt76: mt7615: check devm_kasprintf() returned value commit 5acdc432f832d810e0d638164c393b877291d9b4 upstream. devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. Found by code review. Cc: stable@vger.kernel.org Fixes: 0bb4e9187ea4 ("mt76: mt7615: fix hwmon temp sensor mem use-after-free") Signed-off-by: Ma Ke Reviewed-by: Matthias Brugger Link: https://patch.msgid.link/20240905014753.353271-1-make24@iscas.ac.cn Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman commit 585d381256aae9d1eb05c81f8b35d5512411c5ef Author: Bitterblue Smith Date: Tue Jul 23 22:32:59 2024 +0300 wifi: rtw88: 8703b: Fix reported RX band width commit 0129e5ff2842450f1426e312b5e580c0814e0de3 upstream. The definition of GET_RX_DESC_BW is incorrect. Fix it according to the GET_RX_STATUS_DESC_BW_8703B macro from the official driver. Tested only with RTL8812AU, which uses the same bits. Cc: stable@vger.kernel.org Fixes: 9bb762b3a957 ("wifi: rtw88: Add definitions for 8703b chip") Signed-off-by: Bitterblue Smith Tested-by: Fiona Klute Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/1cfed9d5-4304-4b96-84c5-c347f59fedb9@gmail.com Signed-off-by: Greg Kroah-Hartman commit 1619c8ff87827a6de6411a6a40a90df053906bb2 Author: Bitterblue Smith Date: Tue Jul 23 22:31:36 2024 +0300 wifi: rtw88: 8822c: Fix reported RX band width commit a71ed5898dfae68262f79277915d1dfe34586bc6 upstream. "iw dev wlp2s0 station dump" shows incorrect rx bitrate: tx bitrate: 866.7 MBit/s VHT-MCS 9 80MHz short GI VHT-NSS 2 rx bitrate: 86.7 MBit/s VHT-MCS 9 VHT-NSS 1 This is because the RX band width is calculated incorrectly. Fix the calculation according to the phydm_rxsc_2_bw() function from the official drivers. After: tx bitrate: 866.7 MBit/s VHT-MCS 9 80MHz short GI VHT-NSS 2 rx bitrate: 390.0 MBit/s VHT-MCS 9 80MHz VHT-NSS 1 It also works correctly with the AP configured for 20 MHz and 40 MHz. Tested with RTL8822CE. Cc: stable@vger.kernel.org Fixes: e3037485c68e ("rtw88: new Realtek 802.11ac driver") Signed-off-by: Bitterblue Smith Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/bca8949b-e2bd-4515-98fd-70d3049a0097@gmail.com Signed-off-by: Greg Kroah-Hartman commit 44ec7530701e2a4dffe52b99f7b523376b0f7c38 Author: Nick Morrow Date: Thu Jul 11 01:14:23 2024 +0300 wifi: rtw88: 8821cu: Remove VID/PID 0bda:c82c commit 0af8cd2822f31ed8363223329e5cff2a7ed01961 upstream. Remove VID/PID 0bda:c82c as it was inadvertently added to the device list in driver rtw8821cu. This VID/PID is for the rtw8822cu device and it is already in the appropriate place for that device. Cc: stable@vger.kernel.org Signed-off-by: Nick Morrow Signed-off-by: Bitterblue Smith Acked-by: Ping-Ke Shih Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/335d7fa1-0ba5-4b86-bba5-f98834ace1f8@gmail.com Signed-off-by: Greg Kroah-Hartman commit ba09084d81c6480bd02fd74052045e533a5e8469 Author: Ming Yen Hsieh Date: Mon Aug 19 09:53:33 2024 +0800 wifi: mt76: mt7925: fix a potential array-index-out-of-bounds issue for clc commit 9679ca7326e52282cc923c4d71d81c999cb6cd55 upstream. Due to the lack of checks on the clc array, if the firmware supports more clc configuration, it will cause illegal memory access. Cc: stable@vger.kernel.org Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips") Signed-off-by: Ming Yen Hsieh Link: https://patch.msgid.link/20240819015334.14580-1-mingyen.hsieh@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman commit 5608437d87137d2c640b30b48acb45a654b6b299 Author: Michal Kubiak Date: Wed Sep 4 17:47:47 2024 +0200 idpf: fix netdev Tx queue stop/wake commit e4b398dd82f5d5867bc5f442c43abc8fba30ed2c upstream. netif_txq_maybe_stop() returns -1, 0, or 1, while idpf_tx_maybe_stop_common() says it returns 0 or -EBUSY. As a result, there sometimes are Tx queue timeout warnings despite that the queue is empty or there is at least enough space to restart it. Make idpf_tx_maybe_stop_common() inline and returning true or false, handling the return of netif_txq_maybe_stop() properly. Use a correct goto in idpf_tx_maybe_stop_splitq() to avoid stopping the queue or incrementing the stops counter twice. Fixes: 6818c4d5b3c2 ("idpf: add splitq start_xmit") Fixes: a5ab9ee0df0b ("idpf: add singleq start_xmit and napi poll") Cc: stable@vger.kernel.org # 6.7+ Signed-off-by: Michal Kubiak Reviewed-by: Przemek Kitszel Signed-off-by: Alexander Lobakin Signed-off-by: Tony Nguyen Signed-off-by: Greg Kroah-Hartman commit 1afdde3b5f56217d875a543cf565075c11bbddad Author: Ma Ke Date: Tue Aug 13 16:12:42 2024 +0800 wifi: mt76: mt7996: fix NULL pointer dereference in mt7996_mcu_sta_bfer_he commit f503ae90c7355e8506e68498fe84c1357894cd5b upstream. Fix the NULL pointer dereference in mt7996_mcu_sta_bfer_he routine adding an sta interface to the mt7996 driver. Found by code review. Cc: stable@vger.kernel.org Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Signed-off-by: Ma Ke Link: https://patch.msgid.link/20240813081242.3991814-1-make24@iscas.ac.cn Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman commit 55e3ec1c385ba936dca72623e3d576133855c215 Author: Ma Ke Date: Tue Sep 3 09:49:55 2024 +0800 wifi: mt76: mt7915: check devm_kasprintf() returned value commit 267efeda8c55f30e0e7c5b7fd03dea4efec6916c upstream. devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. Found by code review. Cc: stable@vger.kernel.org Fixes: 6ae39b7c7ed4 ("wifi: mt76: mt7921: Support temp sensor") Signed-off-by: Ma Ke Reviewed-by: Matthias Brugger Link: https://patch.msgid.link/20240903014955.4145423-1-make24@iscas.ac.cn Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman commit c11d8526d4c568e7f07f096cac5a74756f5fd5f1 Author: Ma Ke Date: Tue Sep 3 09:44:55 2024 +0800 wifi: mt76: mt7921: Check devm_kasprintf() returned value commit 1ccc9e476ce76e8577ba4fdbd1f63cb3e3499d38 upstream. devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fix this lack and check the returned value. Found by code review. Cc: stable@vger.kernel.org Fixes: 6ae39b7c7ed4 ("wifi: mt76: mt7921: Support temp sensor") Signed-off-by: Ma Ke Reviwed-by: Matthias Brugger Link: https://patch.msgid.link/20240903014455.4144536-1-make24@iscas.ac.cn Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman commit 79ceab385f153ef4d56801596b7879a0e07ac61e Author: Qu Wenruo Date: Fri Aug 30 16:35:48 2024 +0930 btrfs: subpage: fix the bitmap dump which can cause bitmap corruption commit 77b0b98bb743f5d04d8f995ba1936e1143689d4a upstream. In commit 75258f20fb70 ("btrfs: subpage: dump extra subpage bitmaps for debug") an internal macro GET_SUBPAGE_BITMAP() is introduced to grab the bitmap of each attribute. But that commit is using bitmap_cut() which will do the left shift of the larger bitmap, causing incorrect values. Thankfully this bitmap_cut() is only called for debug usage, and so far it's not yet causing problem. Fix it to use bitmap_read() to only grab the desired sub-bitmap. Fixes: 75258f20fb70 ("btrfs: subpage: dump extra subpage bitmaps for debug") CC: stable@vger.kernel.org # 6.6+ Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit b59657ee200d4423bbdfad1ab58bd881ef6c4f04 Author: Adrian Hunter Date: Mon Jul 15 19:07:00 2024 +0300 perf/x86/intel/pt: Fix sampling synchronization commit d92792a4b26e50b96ab734cbe203d8a4c932a7a9 upstream. pt_event_snapshot_aux() uses pt->handle_nmi to determine if tracing needs to be stopped, however tracing can still be going because pt->handle_nmi is set to zero before tracing is stopped in pt_event_stop, whereas pt_event_snapshot_aux() requires that tracing must be stopped in order to copy a sample of trace from the buffer. Instead call pt_config_stop() always, which anyway checks config for RTIT_CTL_TRACEEN and does nothing if it is already clear. Note pt_event_snapshot_aux() can continue to use pt->handle_nmi to determine if the trace needs to be restarted afterwards. Fixes: 25e8920b301c ("perf/x86/intel/pt: Add sampling support") Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20240715160712.127117-2-adrian.hunter@intel.com Signed-off-by: Greg Kroah-Hartman commit eb161ec49fce2aee269fae8a31018496292f4935 Author: Kan Liang Date: Mon Sep 9 08:58:48 2024 -0700 perf/x86/intel: Allow to setup LBR for counting event for BPF commit ef493f4b122d6b14a6de111d1acac1eab1d673b0 upstream. The BPF subsystem may capture LBR data on a counting event. However, the current implementation assumes that LBR can/should only be used with sampling events. For instance, retsnoop tool ([0]) makes an extensive use of this functionality and sets up perf event as follows: struct perf_event_attr attr; memset(&attr, 0, sizeof(attr)); attr.size = sizeof(attr); attr.type = PERF_TYPE_HARDWARE; attr.config = PERF_COUNT_HW_CPU_CYCLES; attr.sample_type = PERF_SAMPLE_BRANCH_STACK; attr.branch_sample_type = PERF_SAMPLE_BRANCH_KERNEL; To limit the LBR for a sampling event is to avoid unnecessary branch stack setup for a counting event in the sample read. Because LBR is only read in the sampling event's overflow. Although in most cases LBR is used in sampling, there is no HW limit to bind LBR to the sampling mode. Allow an LBR setup for a counting event unless in the sample read mode. Fixes: 85846b27072d ("perf/x86: Add PERF_X86_EVENT_NEEDS_BRANCH_STACK flag") Closes: https://lore.kernel.org/lkml/20240905180055.1221620-1-andrii@kernel.org/ Reported-by: Andrii Nakryiko Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Acked-by: Andrii Nakryiko Tested-by: Andrii Nakryiko Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240909155848.326640-1-kan.liang@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 1a3af7a2cf46fbb360712b68501afe5777bf32db Author: Dmitry Vyukov Date: Tue Jun 11 09:50:30 2024 +0200 x86/entry: Remove unwanted instrumentation in common_interrupt() commit 477d81a1c47a1b79b9c08fc92b5dea3c5143800b upstream. common_interrupt() and related variants call kvm_set_cpu_l1tf_flush_l1d(), which is neither marked noinstr nor __always_inline. So compiler puts it out of line and adds instrumentation to it. Since the call is inside of instrumentation_begin/end(), objtool does not warn about it. The manifestation is that KCOV produces spurious coverage in kvm_set_cpu_l1tf_flush_l1d() in random places because the call happens when preempt count is not yet updated to say that the kernel is in an interrupt. Mark kvm_set_cpu_l1tf_flush_l1d() as __always_inline and move it out of the instrumentation_begin/end() section. It only calls __this_cpu_write() which is already safe to call in noinstr contexts. Fixes: 6368558c3710 ("x86/entry: Provide IDTENTRY_SYSVEC") Signed-off-by: Dmitry Vyukov Signed-off-by: Thomas Gleixner Reviewed-by: Alexander Potapenko Acked-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lore.kernel.org/all/3f9a1de9e415fcb53d07dc9e19fa8481bb021b1b.1718092070.git.dvyukov@google.com Signed-off-by: Greg Kroah-Hartman commit a27b144e23f83c9dd2d8bf91fa44444c0bcff16a Author: Artem Bityutskiy Date: Fri Sep 13 19:51:43 2024 +0300 intel_idle: fix ACPI _CST matching for newer Xeon platforms commit 4c411cca33cf1c21946b710b2eb59aca9f646703 upstream. Background ~~~~~~~~~~ The driver uses 'use_acpi = true' in C-state custom table for all Xeon platforms. The meaning of this flag is as follows. 1. If a C-state from the custom table is defined in ACPI _CST (matched by the mwait hint), then enable this C-state. 2. Otherwise, disable this C-state, unless the C-sate definition in the custom table has the 'CPUIDLE_FLAG_ALWAYS_ENABLE' flag set, in which case enabled it. The goal is to honor BIOS C6 settings - If BIOS disables C6, disable it by default in the OS too (but it can be enabled via sysfs). This works well on Xeons that expose only one flavor of C6. This are all Xeons except for the newest Granite Rapids (GNR) and Sierra Forest (SRF). The problem ~~~~~~~~~~~ GNR and SRF have 2 flavors of C6: C6/C6P on GNR, C6S/C6SP on SRF. The the "P" flavor allows for the package C6, while the "non-P" flavor allows only for core/module C6. As far as this patch is concerned, both GNR and SRF platforms are handled the same way. Therefore, further discussion is focused on GNR, but it applies to SRF as well. On Intel Xeon platforms, BIOS exposes only 2 ACPI C-states: C1 and C2. Well, depending on BIOS settings, C2 may be named as C3. But there still will be only 2 states - C1 and C3. But this is a non-essential detail, so further discussion is focused on the ACPI C1 and C2 case. On pre-GNR/SRF Xeon platforms, ACPI C1 is mapped to C1 or C1E, and ACPI C2 is mapped to C6. The 'use_acpi' flag works just fine: * If ACPI C2 enabled, enable C6. * Otherwise, disable C6. However, on GNR there are 2 flavors of C6, so BIOS maps ACPI C2 to either C6 or C6P, depending on the user settings. As a result, due to the 'use_acpi' flag, 'intel_idle' disables least one of the C6 flavors. BIOS | OS | Verdict ----------------------------------------------------|--------- ACPI C2 disabled | C6 disabled, C6P disabled | OK ACPI C2 mapped to C6 | C6 enabled, C6P disabled | Not OK ACPI C2 mapped to C6P | C6 disabled, C6P enabled | Not OK The goal of 'use_acpi' is to honor BIOS ACPI C2 disabled case, which works fine. But if ACPI C2 is enabled, the goal is to enable all flavors of C6, not just one of the flavors. This was overlooked when enabling GNR/SRF platforms. In other words, before GNR/SRF, the ACPI C2 status was binary - enabled or disabled. But it is not binary on GNR/SRF, however the goal is to continue treat it as binary. The fix ~~~~~~~ Notice, that current algorithm matches ACPI and custom table C-states by the mwait hint. However, mwait hint consists of the 'state' and 'sub-state' parts, and all C6 flavors have the same state value of 0x20, but different sub-state values. Introduce new C-state table flag - CPUIDLE_FLAG_PARTIAL_HINT_MATCH and add it to both C6 flavors of the GNR/SRF platforms. When matching ACPI _CST and custom table C-states, match only the start part if the C-state has CPUIDLE_FLAG_PARTIAL_HINT_MATCH, other wise match both state and sub-state parts (as before). With this fix, GNR C-states enabled/disabled status looks like this. BIOS | OS ---------------------------------------------------- ACPI C2 disabled | C6 disabled, C6P disabled ACPI C2 mapped to C6 | C6 enabled, C6P enabled ACPI C2 mapped to C6P | C6 enabled, C6P enabled Possible alternative ~~~~~~~~~~~~~~~~~~~~ The alternative would be to remove 'use_acpi' flag for GNR and SRF. This would be a simpler solution, but it would violate the principle of least surprise - users of Xeon platforms are used to the fact that intel_idle honors C6 enabled/disabled flag. It is more consistent user experience if GNR/SRF continue doing so. How tested ~~~~~~~~~~ Tested on GNR and SRF platform with all the 3 BIOS configurations: ACPI C2 disabled, mapped to C6/C6S, mapped to C6P/C6SP. Tested on Ice lake Xeon and Sapphire Rapids Xeon platforms with ACPI C2 enabled and disabled, just to verify that the patch does not break older Xeons. Fixes: 92813fd5b156 ("intel_idle: add Sierra Forest SoC support") Fixes: 370406bf5738 ("intel_idle: add Granite Rapids Xeon support") Cc: 6.8+ # 6.8+ Signed-off-by: Artem Bityutskiy Link: https://patch.msgid.link/20240913165143.4140073-1-dedekind1@gmail.com [ rjw: Changelog edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit b83a585f00e14317cfcfd78a6e35849d3e0c64bb Author: Artem Bityutskiy Date: Tue Aug 6 19:03:10 2024 +0300 intel_idle: add Granite Rapids Xeon support commit 370406bf5738dade8ac95a2ee95c29299d4ac902 upstream. Add Granite Rapids Xeon C-states, which are C1, C1E, C6, and C6P. Comparing to previous Xeon Generations (e.g., Emerald Rapids), C6 requests end up only in core C6 state, and no package C-state promotion takes place even if all cores in the package are in core C6. C6P requests also end up in core C6, but if all cores have requested C6P, the SoC will enter the package C6 state. Signed-off-by: Artem Bityutskiy Link: https://patch.msgid.link/20240806160310.3719205-1-artem.bityutskiy@linux.intel.com [ rjw: Changelog edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 2e6871a632a99d9b9e2ce3a7847acabe99e5a26e Author: Ard Biesheuvel Date: Thu Sep 12 17:45:49 2024 +0200 efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption commit 77d48d39e99170b528e4f2e9fc5d1d64cdedd386 upstream. The TPM event log table is a Linux specific construct, where the data produced by the GetEventLog() boot service is cached in memory, and passed on to the OS using an EFI configuration table. The use of EFI_LOADER_DATA here results in the region being left unreserved in the E820 memory map constructed by the EFI stub, and this is the memory description that is passed on to the incoming kernel by kexec, which is therefore unaware that the region should be reserved. Even though the utility of the TPM2 event log after a kexec is questionable, any corruption might send the parsing code off into the weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY instead, which is always treated as reserved by the E820 conversion logic. Cc: Reported-by: Breno Leitao Tested-by: Usama Arif Reviewed-by: Ilias Apalodimas Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman commit bc2846c7ab029f0660fef1774c6d02a1ec021aaa Author: Werner Sembach Date: Tue Sep 10 11:40:06 2024 +0200 ACPI: resource: Add another DMI match for the TongFang GMxXGxx commit a98cfe6ff15b62f94a44d565607a16771c847bc6 upstream. Internal documentation suggest that the TUXEDO Polaris 15 Gen5 AMD might have GMxXGxX as the board name instead of GMxXGxx. Adding both to be on the safe side. Signed-off-by: Werner Sembach Cc: All applicable Link: https://patch.msgid.link/20240910094008.1601230-1-wse@tuxedocomputers.com Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 8ae03fcc625f68c598904f1e43d6f2fddcc70808 Author: Li Chen Date: Sat Aug 3 16:13:18 2024 +0800 ACPI: resource: Do IRQ override on MECHREV GM7XG0M commit b53f09ecd602d7b8b7da83b0890cbac500b6a9b9 upstream. Listed device need the override for the keyboard to work. Fixes: 9946e39fe8d0 ("ACPI: resource: skip IRQ override on AMD Zen platforms") Cc: All applicable Signed-off-by: Li Chen Link: https://patch.msgid.link/87y15e6n35.wl-me@linux.beauty Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit f51f711d36e61fbb87c67b524fd200e05172668d Author: Thomas Weißschuh Date: Tue Jul 9 22:37:24 2024 +0200 ACPI: sysfs: validate return type of _STR method commit 4bb1e7d027413835b086aed35bc3f0713bc0f72b upstream. Only buffer objects are valid return values of _STR. If something else is returned description_show() will access invalid memory. Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description") Cc: All applicable Signed-off-by: Thomas Weißschuh Link: https://patch.msgid.link/20240709-acpi-sysfs-groups-v2-1-058ab0667fa8@weissschuh.net Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit a887c182757f300a88dfac46764c353fa7a37ef0 Author: Mikhail Lobanov Date: Mon Sep 9 09:37:36 2024 -0400 drbd: Add NULL check for net_conf to prevent dereference in state validation commit a5e61b50c9f44c5edb6e134ede6fee8806ffafa9 upstream. If the net_conf pointer is NULL and the code attempts to access its fields without a check, it will lead to a null pointer dereference. Add a NULL check before dereferencing the pointer. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 44ed167da748 ("drbd: rcu_read_lock() and rcu_dereference() for tconn->net_conf") Cc: stable@vger.kernel.org Signed-off-by: Mikhail Lobanov Link: https://lore.kernel.org/r/20240909133740.84297-1-m.lobanov@rosalinux.ru Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 1a6ffeedb3a7982d4196e5f4e9f2d549a68ef66b Author: Qiu-ji Chen Date: Fri Sep 13 16:35:04 2024 +0800 drbd: Fix atomicity violation in drbd_uuid_set_bm() commit 2f02b5af3a4482b216e6a466edecf6ba8450fa45 upstream. The violation of atomicity occurs when the drbd_uuid_set_bm function is executed simultaneously with modifying the value of device->ldev->md.uuid[UI_BITMAP]. Consider a scenario where, while device->ldev->md.uuid[UI_BITMAP] passes the validity check when its value is not zero, the value of device->ldev->md.uuid[UI_BITMAP] is written to zero. In this case, the check in drbd_uuid_set_bm might refer to the old value of device->ldev->md.uuid[UI_BITMAP] (before locking), which allows an invalid value to pass the validity check, resulting in inconsistency. To address this issue, it is recommended to include the data validity check within the locked section of the function. This modification ensures that the value of device->ldev->md.uuid[UI_BITMAP] does not change during the validation process, thereby maintaining its integrity. This possible bug is found by an experimental static analysis tool developed by our team. This tool analyzes the locking APIs to extract function pairs that can be concurrently executed, and then analyzes the instructions in the paired functions to identify possible concurrency bugs including data races and atomicity violations. Fixes: 9f2247bb9b75 ("drbd: Protect accesses to the uuid set with a spinlock") Cc: stable@vger.kernel.org Signed-off-by: Qiu-ji Chen Reviewed-by: Philipp Reisner Link: https://lore.kernel.org/r/20240913083504.10549-1-chenqiuji666@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 4cdbf720e9988e7f56bc5198768b94fa83c9b27e Author: Pavan Kumar Paluri Date: Thu Aug 15 07:25:00 2024 -0500 crypto: ccp - Properly unregister /dev/sev on sev PLATFORM_STATUS failure commit ce3d2d6b150ba8528f3218ebf0cee2c2c572662d upstream. In case of sev PLATFORM_STATUS failure, sev_get_api_version() fails resulting in sev_data field of psp_master nulled out. This later becomes a problem when unloading the ccp module because the device has not been unregistered (via misc_deregister()) before clearing the sev_data field of psp_master. As a result, on reloading the ccp module, a duplicate device issue is encountered as can be seen from the dmesg log below. on reloading ccp module via modprobe ccp Call Trace: dump_stack_lvl+0xd7/0xf0 dump_stack+0x10/0x20 sysfs_warn_dup+0x5c/0x70 sysfs_create_dir_ns+0xbc/0xd kobject_add_internal+0xb1/0x2f0 kobject_add+0x7a/0xe0 ? srso_alias_return_thunk+0x5/0xfbef5 ? get_device_parent+0xd4/0x1e0 ? __pfx_klist_children_get+0x10/0x10 device_add+0x121/0x870 ? srso_alias_return_thunk+0x5/0xfbef5 device_create_groups_vargs+0xdc/0x100 device_create_with_groups+0x3f/0x60 misc_register+0x13b/0x1c0 sev_dev_init+0x1d4/0x290 [ccp] psp_dev_init+0x136/0x300 [ccp] sp_init+0x6f/0x80 [ccp] sp_pci_probe+0x2a6/0x310 [ccp] ? srso_alias_return_thunk+0x5/0xfbef5 local_pci_probe+0x4b/0xb0 work_for_cpu_fn+0x1a/0x30 process_one_work+0x203/0x600 worker_thread+0x19e/0x350 ? __pfx_worker_thread+0x10/0x10 kthread+0xeb/0x120 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x3c/0x60 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 kobject: kobject_add_internal failed for sev with -EEXIST, don't try to register things with the same name in the same directory. ccp 0000:22:00.1: sev initialization failed ccp 0000:22:00.1: psp initialization failed ccp 0000:a2:00.1: no command queues available ccp 0000:a2:00.1: psp enabled Address this issue by unregistering the /dev/sev before clearing out sev_data in case of PLATFORM_STATUS failure. Fixes: 200664d5237f ("crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support") Cc: stable@vger.kernel.org Signed-off-by: Pavan Kumar Paluri Acked-by: Tom Lendacky Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit edf0eeb1304594bac9b6e5c38f1cd77810654c2e Author: Brian Masney Date: Thu Sep 5 20:25:20 2024 -0400 crypto: qcom-rng - fix support for ACPI-based systems commit 3e87031a6ce68f13722155497cd511a00b56a2ae upstream. The qcom-rng driver supports both ACPI and device tree-based systems. ACPI support was broken when the hw_random interface support was added. Let's go ahead and fix this by adding the appropriate driver data to the ACPI match table, and change the of_device_get_match_data() call to device_get_match_data() so that it will also work on ACPI-based systems. This fix was boot tested on a Qualcomm Amberwing server (ACPI based) and on a Qualcomm SA8775p Automotive Development Board (DT based). I also verified that qcom-rng shows up in /proc/crypto on both systems. Fixes: f29cd5bb64c2 ("crypto: qcom-rng - Add hw_random interface support") Reported-by: Ernesto A. Fernández Closes: https://lore.kernel.org/linux-arm-msm/20240828184019.GA21181@eaf/ Cc: stable@vger.kernel.org Signed-off-by: Brian Masney Reviewed-by: Dmitry Baryshkov Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 05f7a949febc3e492e8336cd9782033af4827fa6 Author: Johan Hovold Date: Fri Sep 6 15:13:30 2024 +0200 serial: qcom-geni: fix false console tx restart commit f97cdbbf187fefcf1fe19689cd9fdca11fe9c3eb upstream. Commit 663abb1a7a7f ("tty: serial: qcom_geni_serial: Fix UART hang") addressed an issue with stalled tx after the console code interrupted the last bytes of a tx command by reenabling the watermark interrupt if there is data in write buffer. This can however break software flow control by re-enabling tx after the user has stopped it. Address the original issue by not clearing the CMD_DONE flag after polling for command completion. This allows the interrupt handler to start another transfer when the CMD_DONE interrupt has not been disabled due to flow control. Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP") Fixes: 663abb1a7a7f ("tty: serial: qcom_geni_serial: Fix UART hang") Cc: stable@vger.kernel.org # 4.17 Reviewed-by: Douglas Anderson Tested-by: Nícolas F. R. A. Prado Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20240906131336.23625-3-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman commit 5343fe02d903051d889200841c73d272c1351a6d Author: Johan Hovold Date: Fri Sep 6 15:13:29 2024 +0200 serial: qcom-geni: fix fifo polling timeout commit c80ee36ac8f9e9c27d8e097a2eaaf198e7534c83 upstream. The qcom_geni_serial_poll_bit() can be used to wait for events like command completion and is supposed to wait for the time it takes to clear a full fifo before timing out. As noted by Doug, the current implementation does not account for start, stop and parity bits when determining the timeout. The helper also does not currently account for the shift register and the two-word intermediate transfer register. A too short timeout can specifically lead to lost characters when waiting for a transfer to complete as the transfer is cancelled on timeout. Instead of determining the poll timeout on every call, store the fifo timeout when updating it in set_termios() and make sure to take the shift and intermediate registers into account. Note that serial core has already added a 20 ms margin to the fifo timeout. Also note that the current uart_fifo_timeout() interface does unnecessary calculations on every call and did not exist in earlier kernels so only store its result once. This facilitates backports too as earlier kernels can derive the timeout from uport->timeout, which has since been removed. Fixes: c4f528795d1a ("tty: serial: msm_geni_serial: Add serial driver support for GENI based QUP") Cc: stable@vger.kernel.org # 4.17 Reported-by: Douglas Anderson Tested-by: Nícolas F. R. A. Prado Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20240906131336.23625-2-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman commit 4ee4a4cac87d73b2303f4d4070ec2b5706f4b1da Author: Mathias Nyman Date: Thu Sep 5 17:32:59 2024 +0300 xhci: Set quirky xHC PCI hosts to D3 _after_ stopping and freeing them. commit f81dfa3b57c624c56f2bff171c431bc7f5b558f2 upstream. PCI xHC host should be stopped and xhci driver memory freed before putting host to PCI D3 state during PCI remove callback. Hosts with XHCI_SPURIOUS_WAKEUP quirk did this the wrong way around and set the host to D3 before calling usb_hcd_pci_remove(dev), which will access the host to stop it, and then free xhci. Fixes: f1f6d9a8b540 ("xhci: don't dereference a xhci member after removing xhci") Cc: stable@vger.kernel.org Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20240905143300.1959279-12-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 811615fe6382c1a1a1c3c737e1ceef8906664289 Author: Jiri Slaby (SUSE) Date: Mon Aug 5 12:20:36 2024 +0200 serial: don't use uninitialized value in uart_poll_init() commit d0009a32c9e4e083358092f3c97e3c6e803a8930 upstream. Coverity reports (as CID 1536978) that uart_poll_init() passes uninitialized pm_state to uart_change_pm(). It is in case the first 'if' takes the true branch (does "goto out;"). Fix this and simplify the function by simple guard(mutex). The code needs no labels after this at all. And it is pretty clear that the code has not fiddled with pm_state at that point. Signed-off-by: Jiri Slaby (SUSE) Fixes: 5e227ef2aa38 (serial: uart_poll_init() should power on the UART) Cc: stable@vger.kernel.org Cc: Douglas Anderson Cc: Greg Kroah-Hartman Reviewed-by: Ilpo Järvinen Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20240805102046.307511-4-jirislaby@kernel.org Signed-off-by: Greg Kroah-Hartman commit ccbf09d70b99b961fc15ce0b3c2aaceaac6a9af9 Author: Ma Ke Date: Wed Aug 28 21:18:14 2024 +0800 pps: add an error check in parport_attach commit 62c5a01a5711c8e4be8ae7b6f0db663094615d48 upstream. In parport_attach, the return value of ida_alloc is unchecked, witch leads to the use of an invalid index value. To address this issue, index should be checked. When the index value is abnormal, the device should be freed. Found by code review, compile tested only. Cc: stable@vger.kernel.org Fixes: fb56d97df70e ("pps: client: use new parport device model") Signed-off-by: Ma Ke Acked-by: Rodolfo Giometti Link: https://lore.kernel.org/r/20240828131814.3034338-1-make24@iscas.ac.cn Signed-off-by: Greg Kroah-Hartman commit b59ba1cbef4f4f6216f5ae328fa3aa8b627071f8 Author: Florian Fainelli Date: Fri Sep 6 15:54:33 2024 -0700 tty: rp2: Fix reset with non forgiving PCIe host bridges commit f16dd10ba342c429b1e36ada545fb36d4d1f0e63 upstream. The write to RP2_GLOBAL_CMD followed by an immediate read of RP2_GLOBAL_CMD in rp2_reset_asic() is intented to flush out the write, however by then the device is already in reset and cannot respond to a memory cycle access. On platforms such as the Raspberry Pi 4 and others using the pcie-brcmstb.c driver, any memory access to a device that cannot respond is met with a fatal system error, rather than being substituted with all 1s as is usually the case on PC platforms. Swapping the delay and the read ensures that the device has finished resetting before we attempt to read from it. Fixes: 7d9f49afa451 ("serial: rp2: New driver for Comtrol RocketPort 2 cards") Cc: stable Suggested-by: Jim Quinlan Signed-off-by: Florian Fainelli Link: https://lore.kernel.org/r/20240906225435.707837-1-florian.fainelli@broadcom.com Signed-off-by: Greg Kroah-Hartman commit 6c4e13fdfcab34811c3143a0a03c05fec4e870ec Author: Jann Horn Date: Wed Aug 28 01:45:48 2024 +0200 firmware_loader: Block path traversal commit f0e5311aa8022107d63c54e2f03684ec097d1394 upstream. Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such. However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are: - lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd() - nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.) - module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.) Fix it by rejecting any firmware names containing ".." path components. For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously. Cc: stable@vger.kernel.org Reviewed-by: Danilo Krummrich Fixes: abb139e75c2c ("firmware: teach the kernel to load firmware files directly from the filesystem") Signed-off-by: Jann Horn Acked-by: Luis Chamberlain Link: https://lore.kernel.org/r/20240828-firmware-traversal-v3-1-c76529c63b5f@google.com Signed-off-by: Greg Kroah-Hartman commit 727e5374e887554055de9166f93df0f20c922a71 Author: Fabio Porcedda Date: Tue Aug 20 10:04:39 2024 +0200 bus: mhi: host: pci_generic: Fix the name for the Telit FE990A commit bfc5ca0fd1ea7aceae0b682fa4bd8079c52f96c8 upstream. Add a mhi_pci_dev_info struct specific for the Telit FE990A modem in order to use the correct product name. Cc: stable@vger.kernel.org # 6.1+ Fixes: 0724869ede9c ("bus: mhi: host: pci_generic: add support for Telit FE990 modem") Signed-off-by: Fabio Porcedda Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20240820080439.837666-1-fabio.porcedda@gmail.com Signed-off-by: Manivannan Sadhasivam Signed-off-by: Greg Kroah-Hartman commit 15dacea632a6cf3d6d59de22143fa476fb1aec0a Author: Slark Xiao Date: Thu Jul 25 10:29:40 2024 +0800 bus: mhi: host: pci_generic: Update EDL firmware path for Foxconn modems commit a7bc66fe8093b48e86386cf73dd601feaaa7949c upstream. Foxconn uses a unique firmware for their MHI based modems. So the generic firmware from Qcom won't work. Hence, update the EDL firmware path to include the 'foxconn' subdirectory based on the modem SoC so that the Foxconn specific firmware could be used. Respective firmware will be upstreamed to linux-firmware repo. Cc: stable@vger.kernel.org # 6.11 Fixes: bf30a75e6e00 ("bus: mhi: host: Add support for Foxconn SDX72 modems") Signed-off-by: Slark Xiao Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20240725022941.65948-1-slark_xiao@163.com [mani: Reworded the subject and description] Signed-off-by: Manivannan Sadhasivam Signed-off-by: Greg Kroah-Hartman commit 123d11e2e9432cadfcfee11a6c660819ec9a3f18 Author: Krzysztof Kozlowski Date: Mon Aug 26 07:49:34 2024 +0200 bus: integrator-lm: fix OF node leak in probe() commit 15a62b81175885b5adfcaf49870466e3603f06c7 upstream. Driver code is leaking OF node reference from of_find_matching_node() in probe(). Fixes: ccea5e8a5918 ("bus: Add driver for Integrator/AP logic modules") Cc: stable@vger.kernel.org Signed-off-by: Krzysztof Kozlowski Acked-by: Liviu Dudau Link: https://lore.kernel.org/20240826054934.10724-2-krzysztof.kozlowski@linaro.org Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit e385c948aa25bf6f432a141a7ae112f71410b302 Author: Tomas Marek Date: Fri Sep 6 07:50:25 2024 +0200 usb: dwc2: drd: fix clock gating on USB role switch commit 2c6b6afa59e78bebcb65bbc8a76b3459f139547c upstream. The dwc2_handle_usb_suspend_intr() function disables gadget clocks in USB peripheral mode when no other power-down mode is available (introduced by commit 0112b7ce68ea ("usb: dwc2: Update dwc2_handle_usb_suspend_intr function.")). However, the dwc2_drd_role_sw_set() USB role update handler attempts to read DWC2 registers if the USB role has changed while the USB is in suspend mode (when the clocks are gated). This causes the system to hang. Release the gadget clocks before handling the USB role update. Fixes: 0112b7ce68ea ("usb: dwc2: Update dwc2_handle_usb_suspend_intr function.") Cc: stable@vger.kernel.org Signed-off-by: Tomas Marek Link: https://lore.kernel.org/r/20240906055025.25057-1-tomas.marek@elrest.cz Signed-off-by: Greg Kroah-Hartman commit 32898cd08118c60b14e1e63dcd527b3d996a7879 Author: Andrey Konovalov Date: Wed Sep 4 03:30:51 2024 +0200 usb: gadget: dummy_hcd: execute hrtimer callback in softirq context commit 9313d139aa25e572d860f6f673b73a20f32d7f93 upstream. Commit a7f3813e589f ("usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler") switched dummy_hcd to use hrtimer and made the timer's callback be executed in the hardirq context. With that change, __usb_hcd_giveback_urb now gets executed in the hardirq context, which causes problems for KCOV and KMSAN. One problem is that KCOV now is unable to collect coverage from the USB code that gets executed from the dummy_hcd's timer callback, as KCOV cannot collect coverage in the hardirq context. Another problem is that the dummy_hcd hrtimer might get triggered in the middle of a softirq with KCOV remote coverage collection enabled, and that causes a WARNING in KCOV, as reported by syzbot. (I sent a separate patch to shut down this WARNING, but that doesn't fix the other two issues.) Finally, KMSAN appears to ignore tracking memory copying operations that happen in the hardirq context, which causes false positive kernel-infoleaks, as reported by syzbot. Change the hrtimer in dummy_hcd to execute the callback in the softirq context. Reported-by: syzbot+2388cdaeb6b10f0c13ac@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=2388cdaeb6b10f0c13ac Reported-by: syzbot+17ca2339e34a1d863aad@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=17ca2339e34a1d863aad Reported-by: syzbot+c793a7eca38803212c61@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c793a7eca38803212c61 Reported-by: syzbot+1e6e0b916b211bee1bd6@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=1e6e0b916b211bee1bd6 Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202406141323.413a90d2-lkp@intel.com Fixes: a7f3813e589f ("usb: gadget: dummy_hcd: Switch to hrtimer transfer scheduler") Cc: stable@vger.kernel.org Acked-by: Marcello Sylvester Bauer Signed-off-by: Andrey Konovalov Reported-by: syzbot+edd9fe0d3a65b14588d5@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=edd9fe0d3a65b14588d5 Link: https://lore.kernel.org/r/20240904013051.4409-1-andrey.konovalov@linux.dev Signed-off-by: Greg Kroah-Hartman commit 72f77ded61be2fb80fbb62b16e2f311de8afecb7 Author: WangYuli Date: Thu Sep 5 12:09:16 2024 +0800 usb: xHCI: add XHCI_RESET_ON_RESUME quirk for Phytium xHCI host commit 118ecef16cc221a23f96617016f7a205b070109f upstream. The resume operation of Phytium Px210 xHCI host would failed to restore state. Use the XHCI_RESET_ON_RESUME quirk to skip it and reset the controller after resume. Co-developed-by: Chen Baozi Signed-off-by: Chen Baozi Co-developed-by: Wang Zhimin Signed-off-by: Wang Zhimin Co-developed-by: Chen Zhenhua Signed-off-by: Chen Zhenhua Co-developed-by: Wang Yinfeng Signed-off-by: Wang Yinfeng Co-developed-by: Jiakun Shuai Signed-off-by: Jiakun Shuai Signed-off-by: WangYuli Link: https://lore.kernel.org/r/2C1FDC3BB34715BE+20240905040916.63199-1-wangyuli@uniontech.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 4a0638e3b0e2f8680318703621b25bb1a34a2067 Author: Pawel Laszczak Date: Fri Sep 6 06:48:54 2024 +0000 usb: cdnsp: Fix incorrect usb_request status commit 1702bec4477cc7d31adb4a760d14d33fac928b7a upstream. Fix changes incorrect usb_request->status returned during disabling endpoints. Before fix the status returned during dequeuing requests while disabling endpoint was ECONNRESET. Patch change it to ESHUTDOWN. Patch fixes issue detected during testing UVC gadget. During stopping streaming the class starts dequeuing usb requests and controller driver returns the -ECONNRESET status. After completion requests the class or application "uvc-gadget" try to queue this request again. Changing this status to ESHUTDOWN cause that UVC assumes that endpoint is disabled, or device is disconnected and stops re-queuing usb requests. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") cc: stable@vger.kernel.org Signed-off-by: Pawel Laszczak Reviewed-by: Peter Chen Link: https://lore.kernel.org/r/PH7PR07MB9538E8CA7A2096AAF6A3718FDD9E2@PH7PR07MB9538.namprd07.prod.outlook.com Signed-off-by: Greg Kroah-Hartman commit 776042003a622469b531c494006a5d13b863a4ce Author: Pawel Laszczak Date: Thu Sep 5 07:03:28 2024 +0000 usb: xhci: fix loss of data on Cadence xHC commit e5fa8db0be3e8757e8641600c518425a4589b85c upstream. Streams should flush their TRB cache, re-read TRBs, and start executing TRBs from the beginning of the new dequeue pointer after a 'Set TR Dequeue Pointer' command. Cadence controllers may fail to start from the beginning of the dequeue TRB as it doesn't clear the Opaque 'RsvdO' field of the stream context during 'Set TR Dequeue' command. This stream context area is where xHC stores information about the last partially executed TD when a stream is stopped. xHC uses this information to resume the transfer where it left mid TD, when the stream is restarted. Patch fixes this by clearing out all RsvdO fields before initializing new Stream transfer using a 'Set TR Dequeue Pointer' command. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") cc: stable@vger.kernel.org Signed-off-by: Pawel Laszczak Reviewed-by: Peter Chen Link: https://lore.kernel.org/r/PH7PR07MB95386A40146E3EC64086F409DD9D2@PH7PR07MB9538.namprd07.prod.outlook.com Signed-off-by: Greg Kroah-Hartman commit 6c634c5fb455487ec083c02f0c9609a546de31d7 Author: Oliver Neukum Date: Thu Sep 12 15:21:22 2024 +0200 USB: misc: yurex: fix race between read and write commit 93907620b308609c72ba4b95b09a6aa2658bb553 upstream. The write code path touches the bbu member in a non atomic manner without taking the spinlock. Fix it. The bug is as old as the driver. Signed-off-by: Oliver Neukum CC: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240912132126.1034743-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit 19e3f47a6526ec0a1b8438d44df8bd4388e3201f Author: Oliver Neukum Date: Thu Sep 12 16:19:06 2024 +0200 USB: class: CDC-ACM: fix race between get_serial and set_serial commit b41c1fa155ba56d125885b0191aabaf3c508d0a3 upstream. TIOCGSERIAL is an ioctl. Thus it must be atomic. It returns two values. Racing with set_serial it can return an inconsistent result. The mutex must be taken. In terms of logic the bug is as old as the driver. In terms of code it goes back to the conversion to the get_serial and set_serial methods. Signed-off-by: Oliver Neukum Cc: stable Fixes: 99f75a1fcd865 ("cdc-acm: switch to ->[sg]et_serial()") Link: https://lore.kernel.org/r/20240912141916.1044393-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit 479e34c0c8a53d40034ef3a6fad1024f6c907e74 Author: Oliver Neukum Date: Thu Sep 12 14:54:43 2024 +0200 USB: misc: cypress_cy7c63: check for short transfer commit 49cd2f4d747eeb3050b76245a7f72aa99dbd3310 upstream. As we process the second byte of a control transfer, transfers of less than 2 bytes must be discarded. This bug is as old as the driver. SIgned-off-by: Oliver Neukum CC: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240912125449.1030536-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit d4ed302e60ab834fc9258158e2dd2e4d7268b456 Author: Oliver Neukum Date: Thu Sep 12 14:32:59 2024 +0200 USB: appledisplay: close race between probe and completion handler commit 8265d06b7794493d82c5c21a12d7ba43eccc30cb upstream. There is a small window during probing when IO is running but the backlight is not registered. Processing events during that time will crash. The completion handler needs to check for a backlight before scheduling work. The bug is as old as the driver. Signed-off-by: Oliver Neukum CC: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240912123317.1026049-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit 4d786aa8cac9d5b4b8cff2f9e602c9e285ce265c Author: Chen-Yu Tsai Date: Wed Jul 31 11:44:09 2024 +0800 arm64: dts: mediatek: mt8395-nio-12l: Mark USB 3.0 on xhci1 as disabled commit be985531a5dd9ca50fc9f3f85b8adeb2a4a75a58 upstream. USB 3.0 on xhci1 is not used, as the controller shares the same PHY as pcie1. The latter is enabled to support the M.2 PCIe WLAN card on this design. Mark USB 3.0 as disabled on this controller using the "mediatek,u3p-dis-msk" property. Fixes: 96564b1e2ea4 ("arm64: dts: mediatek: Introduce the MT8395 Radxa NIO 12L board") Cc: stable@vger.kernel.org Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20240731034411.371178-3-wenst@chromium.org Signed-off-by: AngeloGioacchino Del Regno Signed-off-by: Greg Kroah-Hartman commit 598cfa441b59103392eb0b6f34ffd1338a94455e Author: Chen-Yu Tsai Date: Wed Jul 31 11:44:08 2024 +0800 arm64: dts: mediatek: mt8195-cherry: Mark USB 3.0 on xhci1 as disabled commit 09d385679487c58f0859c1ad4f404ba3df2f8830 upstream. USB 3.0 on xhci1 is not used, as the controller shares the same PHY as pcie1. The latter is enabled to support the M.2 PCIe WLAN card on this design. Mark USB 3.0 as disabled on this controller using the "mediatek,u3p-dis-msk" property. Reported-by: Nícolas F. R. A. Prado #KernelCI Closes: https://lore.kernel.org/all/9fce9838-ef87-4d1b-b3df-63e1ddb0ec51@notapiano/ Fixes: b6267a396e1c ("arm64: dts: mediatek: cherry: Enable T-PHYs and USB XHCI controllers") Cc: stable@vger.kernel.org Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20240731034411.371178-2-wenst@chromium.org Signed-off-by: AngeloGioacchino Del Regno Signed-off-by: Greg Kroah-Hartman commit 54671d731f4977fb3c0c26f2840655b5204e4437 Author: Oliver Neukum Date: Thu Sep 19 14:33:42 2024 +0200 usbnet: fix cyclical race on disconnect with work queue commit 04e906839a053f092ef53f4fb2d610983412b904 upstream. The work can submit URBs and the URBs can schedule the work. This cycle needs to be broken, when a device is to be stopped. Use a flag to do so. This is a design issue as old as the driver. Signed-off-by: Oliver Neukum Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") CC: stable@vger.kernel.org Link: https://patch.msgid.link/20240919123525.688065-1-oneukum@suse.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit ba6ebd42b6c0f6bc83ff6d539c2c563bb3b18525 Author: Bitterblue Smith Date: Wed Aug 21 16:11:03 2024 +0300 wifi: rtw88: Fix USB/SDIO devices not transmitting beacons commit faa2e484b393c56bc1243dca6676a70bc485f775 upstream. All USB devices supported by rtw88 have the same problem: they don't transmit beacons in AP mode. (Some?) SDIO devices are also affected. The cause appears to be clearing BIT_EN_BCNQ_DL of REG_FWHW_TXQ_CTRL before uploading the beacon reserved page, so don't clear the bit for USB and SDIO devices. Tested with RTL8811CU and RTL8723DU. Cc: # 6.6.x Signed-off-by: Bitterblue Smith Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/49de73b5-698f-4865-ab63-100e28dfc4a1@gmail.com Signed-off-by: Greg Kroah-Hartman commit df3c63c5982d47701a1338f552b4fd11f4875944 Author: Stefan Mätje Date: Thu Sep 5 00:27:40 2024 +0200 can: esd_usb: Remove CAN_CTRLMODE_3_SAMPLES for CAN-USB/3-FD commit 75b3189540578f96b4996e4849b6649998f49455 upstream. Remove the CAN_CTRLMODE_3_SAMPLES announcement for CAN-USB/3-FD devices because these devices don't support it. The hardware has a Microchip SAM E70 microcontroller that uses a Bosch MCAN IP core as CAN FD controller. But this MCAN core doesn't support triple sampling. Fixes: 80662d943075 ("can: esd_usb: Add support for esd CAN-USB/3") Cc: stable@vger.kernel.org Signed-off-by: Stefan Mätje Reviewed-by: Vincent Mailhol Link: https://patch.msgid.link/20240904222740.2985864-2-stefan.maetje@esd.eu Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit c48f14050b44e5a249335e9c560dd09396e94b67 Author: Finn Thain Date: Wed Aug 7 13:36:28 2024 +1000 scsi: mac_scsi: Disallow bus errors during PDMA send commit 5551bc30e4a69ad86d0d008e2f56cd59b6583476 upstream. SD cards can produce write latency spikes on the order of a hundred milliseconds. If the target firmware does not hide that latency during DATA IN and OUT phases it can cause the PDMA circuitry to raise a processor bus fault which in turn leads to an unreliable byte count and a DMA overrun. The Last Byte Sent flag is used to detect the overrun but this mechanism is unreliable on some systems. Instead, set a DID_ERROR result whenever there is a bus fault during a PDMA send, unless the cause was a phase mismatch. Cc: stable@vger.kernel.org # 5.15+ Reported-and-tested-by: Stan Johnson Fixes: 7c1f3e3447a1 ("scsi: mac_scsi: Treat Last Byte Sent time-out as failure") Signed-off-by: Finn Thain Link: https://lore.kernel.org/r/cc38df687ace2c4ffc375a683b2502fc476b600d.1723001788.git.fthain@linux-m68k.org Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 7705c232423686da549f400dde2e322464fe9eaf Author: Finn Thain Date: Wed Aug 7 13:36:28 2024 +1000 scsi: mac_scsi: Refactor polling loop commit 5545c3165cbc98615fe65a44f41167cbb557e410 upstream. Before the error handling can be revised, some preparation is needed. Refactor the polling loop with a new function, macscsi_wait_for_drq(). This function will gain more call sites in the next patch. Cc: stable@vger.kernel.org # 5.15+ Tested-by: Stan Johnson Signed-off-by: Finn Thain Link: https://lore.kernel.org/r/6a5ffabb4290c0d138c6d285fda8fa3902e926f0.1723001788.git.fthain@linux-m68k.org Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 5235bab91f9a30f759255955f75b315594f30cff Author: Finn Thain Date: Wed Aug 7 13:36:28 2024 +1000 scsi: mac_scsi: Revise printk(KERN_DEBUG ...) messages commit 5ec4f820cb9766e4583df947150a6febce8da794 upstream. After a bus fault, capture and log the chip registers immediately, if the NDEBUG_PSEUDO_DMA macro is defined. Remove some printk(KERN_DEBUG ...) messages that aren't needed any more. Don't skip the debug message when bytes == 0. Show all of the byte counters in the debug messages. Cc: stable@vger.kernel.org # 5.15+ Tested-by: Stan Johnson Signed-off-by: Finn Thain Link: https://lore.kernel.org/r/7573c79f4e488fc00af2b8a191e257ca945e0409.1723001788.git.fthain@linux-m68k.org Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 0788a6677d74a168c77a1b4720f7e9336d1e34b4 Author: Justin Tee Date: Thu Sep 12 16:24:42 2024 -0700 scsi: lpfc: Restrict support for 32 byte CDBs to specific HBAs commit 05ab4e7846f1103377133c00295a9a910cc6dfc2 upstream. An older generation of HBAs are failing FCP discovery due to usage of an outdated field in FCP command WQEs. Fix by checking the SLI Interface Type register for applicable support of 32 Byte CDB commands, and restore a setting for a WQE path using normal 16 byte CDBs. Fixes: af20bb73ac25 ("scsi: lpfc: Add support for 32 byte CDBs") Cc: stable@vger.kernel.org # v6.10+ Signed-off-by: Justin Tee Link: https://lore.kernel.org/r/20240912232447.45607-4-justintee8345@gmail.com Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 2eabd51273d047cf7cb81ca1db1a88dc07e58a99 Author: Manish Pandey Date: Tue Sep 3 12:07:09 2024 +0530 scsi: ufs: qcom: Update MODE_MAX cfg_bw value commit 0c40f079f1c808e7e480c795a79009f200366eb1 upstream. Commit 8db8f6ce556a ("scsi: ufs: qcom: Add missing interconnect bandwidth values for Gear 5") updated the ufs_qcom_bw_table for Gear 5. However, it missed updating the cfg_bw value for the max mode. Hence update the cfg_bw value for the max mode for UFS 4.x devices. Fixes: 8db8f6ce556a ("scsi: ufs: qcom: Add missing interconnect bandwidth values for Gear 5") Cc: stable@vger.kernel.org Signed-off-by: Manish Pandey Link: https://lore.kernel.org/r/20240903063709.4335-1-quic_mapa@quicinc.com Reviewed-by: Manivannan Sadhasivam Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 413df704f149dec585df07466d2401bbd1f490a0 Author: Martin Wilck Date: Thu Sep 12 15:43:08 2024 +0200 scsi: sd: Fix off-by-one error in sd_read_block_characteristics() commit f81eaf08385ddd474a2f41595a7757502870c0eb upstream. Ff the device returns page 0xb1 with length 8 (happens with qemu v2.x, for example), sd_read_block_characteristics() may attempt an out-of-bounds memory access when accessing the zoned field at offset 8. Fixes: 7fb019c46eee ("scsi: sd: Switch to using scsi_device VPD pages") Cc: stable@vger.kernel.org Signed-off-by: Martin Wilck Link: https://lore.kernel.org/r/20240912134308.282824-1-mwilck@suse.com Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 32fbc1401270831666676e405343f1a6c0b88d41 Author: Damien Le Moal Date: Mon Sep 23 18:14:36 2024 +0900 ata: libata-scsi: Fix ata_msense_control() CDL page reporting commit 0e9a2990a93f27daa643b6fa73cfa47b128947a7 upstream. When the user requests the ALL_SUB_MPAGES mode sense page, ata_msense_control() adds the CDL_T2A_SUB_MPAGE twice instead of adding the CDL_T2A_SUB_MPAGE and CDL_T2B_SUB_MPAGE pages information. Correct the second call to ata_msense_control_spgt2() to report the CDL_T2B_SUB_MPAGE page. Fixes: 673b2fe6ff1d ("scsi: ata: libata-scsi: Add support for CDL pages mode sense") Cc: stable@vger.kernel.org Signed-off-by: Damien Le Moal Reviewed-by: Hannes Reinecke Signed-off-by: Greg Kroah-Hartman commit c1e27b70e79050530c671b9dab688386c86f039a Author: Namjae Jeon Date: Sun Sep 8 15:23:48 2024 +0900 ksmbd: handle caseless file creation commit c5a709f08d40b1a082e44ffcde1aea4d2822ddd5 upstream. Ray Zhang reported ksmbd can not create file if parent filename is caseless. Y:\>mkdir A Y:\>echo 123 >a\b.txt The system cannot find the path specified. Y:\>echo 123 >A\b.txt This patch convert name obtained by caseless lookup to parent name. Cc: stable@vger.kernel.org # v5.15+ Reported-by: Ray Zhang Signed-off-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 59b8ccc4dee25a3f1e70ff269b0ed55593aaf886 Author: Namjae Jeon Date: Tue Sep 3 20:26:33 2024 +0900 ksmbd: allow write with FILE_APPEND_DATA commit 2fb9b5dc80cabcee636a6ccd020740dd925b4580 upstream. Windows client write with FILE_APPEND_DATA when using git. ksmbd should allow write it with this flags. Z:\test>git commit -m "test" fatal: cannot update the ref 'HEAD': unable to append to '.git/logs/HEAD': Bad file descriptor Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers") Cc: stable@vger.kernel.org # v5.15+ Signed-off-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit ef010de059c9ab744a9b167881b2690fa25c80f6 Author: Hobin Woo Date: Wed Sep 4 13:36:35 2024 +0900 ksmbd: make __dir_empty() compatible with POSIX commit ca4974ca954561e79f8871d220bb08f14f64f57c upstream. Some file systems may not provide dot (.) and dot-dot (..) as they are optional in POSIX. ksmbd can misjudge emptiness of a directory in those file systems, since it assumes there are always at least two entries: dot and dot-dot. Just don't count dot and dot-dot. Cc: stable@vger.kernel.org # v6.1+ Signed-off-by: Hobin Woo Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit b15fbf0a3f81de10658ffa3a9e644521615c0414 Author: Michael Ellerman Date: Mon Sep 16 22:05:10 2024 +1000 powerpc/atomic: Use YZ constraints for DS-form instructions commit 39190ac7cff1fd15135fa8e658030d9646fdb5f2 upstream. The 'ld' and 'std' instructions require a 4-byte aligned displacement because they are DS-form instructions. But the "m" asm constraint doesn't enforce that. That can lead to build errors if the compiler chooses a non-aligned displacement, as seen with GCC 14: /tmp/ccuSzwiR.s: Assembler messages: /tmp/ccuSzwiR.s:2579: Error: operand out of domain (39 is not a multiple of 4) make[5]: *** [scripts/Makefile.build:229: net/core/page_pool.o] Error 1 Dumping the generated assembler shows: ld 8,39(8) # MEM[(const struct atomic64_t *)_29].counter, t Use the YZ constraints to tell the compiler either to generate a DS-form displacement, or use an X-form instruction, either of which prevents the build error. See commit 2d43cc701b96 ("powerpc/uaccess: Fix build errors seen with GCC 13/14") for more details on the constraint letters. Fixes: 9f0cbea0d8cc ("[POWERPC] Implement atomic{, 64}_{read, write}() without volatile") Cc: stable@vger.kernel.org # v2.6.24+ Reported-by: Stephen Rothwell Closes: https://lore.kernel.org/all/20240913125302.0a06b4c7@canb.auug.org.au Tested-by: Mina Almasry Reviewed-by: Segher Boessenkool Signed-off-by: Michael Ellerman Link: https://msgid.link/20240916120510.2017749-1-mpe@ellerman.id.au Signed-off-by: Greg Kroah-Hartman commit 0d3b0706ada15c333e6f9faf19590ff715e45d1e Author: Roman Smirnov Date: Tue Sep 17 18:54:53 2024 +0300 KEYS: prevent NULL pointer dereference in find_asymmetric_key() commit 70fd1966c93bf3bfe3fe6d753eb3d83a76597eef upstream. In find_asymmetric_key(), if all NULLs are passed in the id_{0,1,2} arguments, the kernel will first emit WARN but then have an oops because id_2 gets dereferenced anyway. Add the missing id_2 check and move WARN_ON() to the final else branch to avoid duplicate NULL checks. Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool. Cc: stable@vger.kernel.org # v5.17+ Fixes: 7d30198ee24f ("keys: X.509 public key issuer lookup without AKID") Suggested-by: Sergey Shtylyov Signed-off-by: Roman Smirnov Reviewed-by: Sergey Shtylyov Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit bca2e29f7e26ce7c3522f8b324c0bd85612f68e3 Author: Alexey Gladkov (Intel) Date: Fri Sep 13 19:05:56 2024 +0200 x86/tdx: Fix "in-kernel MMIO" check commit d4fc4d01471528da8a9797a065982e05090e1d81 upstream. TDX only supports kernel-initiated MMIO operations. The handle_mmio() function checks if the #VE exception occurred in the kernel and rejects the operation if it did not. However, userspace can deceive the kernel into performing MMIO on its behalf. For example, if userspace can point a syscall to an MMIO address, syscall does get_user() or put_user() on it, triggering MMIO #VE. The kernel will treat the #VE as in-kernel MMIO. Ensure that the target MMIO address is within the kernel before decoding instruction. Fixes: 31d58c4e557d ("x86/tdx: Handle in-kernel MMIO") Signed-off-by: Alexey Gladkov (Intel) Signed-off-by: Dave Hansen Reviewed-by: Kirill A. Shutemov Acked-by: Dave Hansen Cc:stable@vger.kernel.org Link: https://lore.kernel.org/all/565a804b80387970460a4ebc67c88d1380f61ad1.1726237595.git.legion%40kernel.org Signed-off-by: Greg Kroah-Hartman commit 27055b822a18172a326c7f7a212e13da1826da59 Author: Tiezhu Yang Date: Tue Sep 17 22:23:09 2024 +0800 objtool: Handle frame pointer related instructions commit da5b2ad1c2f18834cb1ce429e2e5a5cf5cbdf21b upstream. After commit a0f7085f6a63 ("LoongArch: Add RANDOMIZE_KSTACK_OFFSET support"), there are three new instructions "addi.d $fp, $sp, 32", "sub.d $sp, $sp, $t0" and "addi.d $sp, $fp, -32" for the secondary stack in do_syscall(), then there is a objtool warning "return with modified stack frame" and no handle_syscall() which is the previous frame of do_syscall() in the call trace when executing the command "echo l > /proc/sysrq-trigger". objdump shows something like this: 0000000000000000 : 0: 02ff8063 addi.d $sp, $sp, -32 4: 29c04076 st.d $fp, $sp, 16 8: 29c02077 st.d $s0, $sp, 8 c: 29c06061 st.d $ra, $sp, 24 10: 02c08076 addi.d $fp, $sp, 32 ... 74: 0011b063 sub.d $sp, $sp, $t0 ... a8: 4c000181 jirl $ra, $t0, 0 ... dc: 02ff82c3 addi.d $sp, $fp, -32 e0: 28c06061 ld.d $ra, $sp, 24 e4: 28c04076 ld.d $fp, $sp, 16 e8: 28c02077 ld.d $s0, $sp, 8 ec: 02c08063 addi.d $sp, $sp, 32 f0: 4c000020 jirl $zero, $ra, 0 The instruction "sub.d $sp, $sp, $t0" changes the stack bottom and the new stack size is a random value, in order to find the return address of do_syscall() which is stored in the original stack frame after executing "jirl $ra, $t0, 0", it should use fp which points to the original stack top. At the beginning, the thought is tended to decode the secondary stack instruction "sub.d $sp, $sp, $t0" and set it as a label, then check this label for the two frame pointer instructions to change the cfa base and cfa offset during the period of secondary stack in update_cfi_state(). This is valid for GCC but invalid for Clang due to there are different secondary stack instructions for ClangBuiltLinux on LoongArch, something like this: 0000000000000000 : ... 88: 00119064 sub.d $a0, $sp, $a0 8c: 00150083 or $sp, $a0, $zero ... Actually, it equals to a single instruction "sub.d $sp, $sp, $a0", but there is no proper condition to check it as a label like GCC, and so the beginning thought is not a good way. Essentially, there are two special frame pointer instructions which are "addi.d $fp, $sp, imm" and "addi.d $sp, $fp, imm", the first one points fp to the original stack top and the second one restores the original stack bottom from fp. Based on the above analysis, in order to avoid adding an arch-specific update_cfi_state(), we just add a member "frame_pointer" in the "struct symbol" as a label to avoid affecting the current normal case, then set it as true only if there is "addi.d $sp, $fp, imm". The last is to check this label for the two frame pointer instructions to change the cfa base and cfa offset in update_cfi_state(). Tested with the following two configs: (1) CONFIG_RANDOMIZE_KSTACK_OFFSET=y && CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=n (2) CONFIG_RANDOMIZE_KSTACK_OFFSET=y && CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y By the way, there is no effect for x86 with this patch, tested on the x86 machine with Fedora 40 system. Cc: stable@vger.kernel.org # 6.9+ Signed-off-by: Tiezhu Yang Signed-off-by: Huacai Chen Signed-off-by: Greg Kroah-Hartman commit 02b9770bfd622b40497b06ff26c44aaa6c1e4d76 Author: Roman Li Date: Thu Sep 5 14:22:30 2024 -0400 drm/amd/display: Update IPS default mode for DCN35/DCN351 commit 199888aa25b3a3315360224bda9134a9b58c9306 upstream. [WHY] RCG state of IPX in idle is more stable for DCN351 and some variants of DCN35 than IPS2. [HOW] Rework dm_get_default_ips_mode() to specify default per ASIC and update DCN35/DCN351 defaults accordingly. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Sun peng Li Signed-off-by: Roman Li Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit ffd6a1c2a77d1b162655a15de25a53ebe19264c6 Author: Aurabindo Pillai Date: Tue Sep 3 10:10:44 2024 -0400 drm/amd/display: Fix underflow when setting underscan on DCN401 commit f510dd5c210bf8cc22e4be48cbbda3cb754219f5 upstream. [WHY & HOW] When underscan is set through xrandr, it causes the stream destination rect to change in a way it becomes complicated to handle the calculations for subvp. Since this is a corner case, disable subvp when underscan is set. Fix the existing check that is supposed to catch this corner case by adding a check based on the parameters in the stream Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Dillon Varone Reviewed-by: Rodrigo Siqueira Signed-off-by: Aurabindo Pillai Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 5d705be9eac3ec14ead99ed2dd9a54d3860bfded Author: Zhikai Zhai Date: Tue Aug 27 14:06:01 2024 +0800 drm/amd/display: Skip to enable dsc if it has been off commit 4bdc5b504af7de1f649004cfdd37445d36db6703 upstream. [WHY] It makes DSC enable when we commit the stream which need keep power off, and then it will skip to disable DSC if pipe reset at this situation as power has been off. It may cause the DSC unexpected enable on the pipe with the next new stream which doesn't support DSC. [HOW] Check the DSC used on current pipe status when update stream. Skip to enable if it has been off. The operation enable DSC should happen when set power on. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Wenjing Liu Signed-off-by: Zhikai Zhai Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 58487cc9f93e116562d24c5a62278dba32214068 Author: Yihan Zhu Date: Mon Aug 26 14:44:04 2024 -0400 drm/amd/display: Enable DML2 override_det_buffer_size_kbytes commit f57b77d667dc6bd2b114d08d04b03869539209f6 upstream. [WHY] Corrupted screen will be observed when 4k144 DP/HDMI display and 4k144 eDP are connected, changing eDP refresh rate from 60Hz to 144Hz. [HOW] override_det_buffer_size_kbytes should be true for DCN35/DCN351. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Roman Li Reviewed-by: Nicholas Kazlauskas Signed-off-by: Yihan Zhu Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit d3f1d4523bdd09552ec806917594a3633a85ecf3 Author: Nicholas Kazlauskas Date: Tue Aug 27 14:13:10 2024 -0400 drm/amd/display: Block dynamic IPS2 on DCN35 for incompatible FW versions commit 401c90c4d64f2227fc2f4c02d2ad23296bf5ca6f upstream. [WHY] Hangs with Z8 can occur if running an older unfixed PMFW version. [HOW] Fallback to RCG only for dynamic IPS2 states if it's not newer than 93.12. Limit to DCN35. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Charlene Liu Signed-off-by: Nicholas Kazlauskas Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 13ef80e2dd010ade932a6920a6be113ac6784f4c Author: Sung Joon Kim Date: Tue Aug 27 14:49:44 2024 -0400 drm/amd/display: Disable SYMCLK32_LE root clock gating commit ae5100805f98641ea4112241e350485c97936bbe upstream. [WHY & HOW] On display on sequence, enabling SYMCLK32_LE root clock gating causes issue in link training so disabling it is needed. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Nicholas Kazlauskas Signed-off-by: Sung Joon Kim Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 872b8f14d77296fb3d1f1a17cd36a124ba93e74c Author: Mario Limonciello Date: Fri Sep 13 13:00:39 2024 -0500 drm/amd/display: Validate backlight caps are sane commit 327e62f47eb57ae5ff63de82b0815557104e439a upstream. Currently amdgpu takes backlight caps provided by the ACPI tables on systems as is. If the firmware sets maximums that are too low this means that users don't get a good experience. To avoid having to maintain a quirk list of such systems, do a sanity check on the values. Check that the spread is at least half of the values that amdgpu would use if no ACPI table was found and if not use the amdgpu defaults. Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3020 Reviewed-by: Harry Wentland Signed-off-by: Mario Limonciello Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 709a8996d8388ca2547a167990b5eb7c1d441119 Author: Dillon Varone Date: Mon Aug 26 17:08:33 2024 -0400 drm/amd/display: Block timing sync for different output formats in pmo commit 0765b2afc1118a6ab5fee624e206c782d70db28a upstream. [WHY & HOW] If the output format is different for HDMI TMDS signals, they are not synchronizable. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Alvin Lee Signed-off-by: Dillon Varone Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 9437d60dd00f3caa15e71f84dd5eb3404b141372 Author: Martin Tsai Date: Mon Jul 22 14:12:25 2024 +0800 drm/amd/display: Clean up dsc blocks in accelerated mode commit 3766a840e093d30e1a2522f650d8a6ac892a8719 upstream. [WHY] DSC on eDP could be enabled during VBIOS post. The enabled DSC may not be disabled when enter to OS, once the system was in second screen only mode before entering to S4. In this case, OS will not send setTimings to reset eDP path again. The enabled DSC HW will make a new stream without DSC cannot output normally if it reused this pipe with enabled DSC. [HOW] In accelerated mode, to clean up DSC blocks if eDP is on link but not active when we are not in fast boot and seamless boot. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Charlene Liu Signed-off-by: Martin Tsai Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit ab05197ff9a7ba45b7bbfe14ffb47b2a32eb5f91 Author: Robin Chen Date: Fri Aug 23 15:00:28 2024 +0800 drm/amd/display: Round calculated vtotal commit c03fca619fc687338a3b6511fdbed94096abdf79 upstream. [WHY] The calculated vtotal may has 1 line deviation. To get precisely vtotal number, round the vtotal result. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Anthony Koo Signed-off-by: Robin Chen Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 2fe6a062c6d257424e6e5fa0d70883412b0cc93c Author: Leo Ma Date: Mon Aug 19 13:25:27 2024 -0400 drm/amd/display: Add HDMI DSC native YCbCr422 support commit 07bfa9cdbf3cd2daadfaaba0601f126f45951ffa upstream. [WHY && HOW] For some HDMI OVT timing, YCbCr422 encoding fails at the DSC bandwidth check. The root cause is our DSC policy for timing doesn't account for HDMI YCbCr422 native support. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Chris Park Signed-off-by: Leo Ma Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 6ee87d0e6384c843486cd44ee0e8f32aa342e6a8 Author: David Belanger Date: Wed Sep 11 11:16:50 2024 -0400 drm/amdgpu: Fix selfring initialization sequence on soc24 commit 03b5038c0ad069380fab7e251d2bf3f1540d20f4 upstream. Move enable_doorbell_selfring_aperture from common_hw_init to common_late_init in soc24, otherwise selfring aperture is initialized with an incorrect doorbell aperture base. Port changes from this commit from soc21 to soc24: commit 1c312e816c40 ("drm/amdgpu: Enable doorbell selfring after resize FB BAR") Signed-off-by: David Belanger Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x Signed-off-by: Greg Kroah-Hartman commit 5468918f1aa7ff94397c93504d8e4cdfd7fa6f0b Author: Jack Xiao Date: Wed Sep 11 16:24:35 2024 +0800 drm/amdgpu/mes12: switch SET_SHADER_DEBUGGER pkt to mes schq pipe commit 3c75518cf27aa5a7e22e1f8f33339ded3779079b upstream. The SET_SHADER_DEBUGGER packet must work with the added hardware queue, switch the packet submitting to mes schq pipe. Signed-off-by: Jack Xiao Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x Signed-off-by: Greg Kroah-Hartman commit a30ced61e365f361485424170165e852fe773cc1 Author: Alex Deucher Date: Fri Sep 6 13:51:06 2024 -0400 drm/amdgpu: bump driver version for cleared VRAM commit 34ad56a467c320d07db22146cfb99ee01704a5de upstream. Driver now clears VRAM on allocation. Bump the driver version so mesa knows when it will get cleared vram by default. Reviewed-by: Marek Olšák Reviewed-by: Rajneesh Bhardwaj Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x Signed-off-by: Greg Kroah-Hartman commit 6911a8a2f0f58964a9bfc54e9f36bd88a08eda7c Author: Frank Min Date: Wed Sep 25 11:39:06 2024 +0800 drm/amdgpu: fix PTE copy corruption for sdma 7 commit 3cb576bc6dfb8940228b8130638860b631dd428a upstream. Without setting dcc bit, there is ramdon PTE copy corruption on sdma 7. so add this bit and update the packet format accordingly. Acked-by: Alex Deucher Signed-off-by: Frank Min Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x Signed-off-by: Greg Kroah-Hartman commit 1b6db624f9ff839e30c6aa7ce95832c8c3d2df5e Author: Kenneth Feng Date: Fri Sep 20 19:05:37 2024 +0800 drm/amd/pm: update workload mask after the setting commit d7d2688bf4ea58734d73e18edcbf4684b1496d30 upstream. update workload mask after the setting. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3625 Signed-off-by: Kenneth Feng Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit bbcfdc856a54c1e4ffad4a694fe0c0bc667c7e00 Author: Saleemkhan Jamadar Date: Fri Sep 20 18:40:18 2024 +0530 drm/amdgpu/vcn: enable AV1 on both instances commit 8048e5ade8224969023902b0b3f64470f9c250a7 upstream. v1 - remove cs parse code (Christian) On VCN v4_0_6 AV1 is supported on both the instances. Remove cs IB parse code since explict handling of AV1 schedule is not required. Signed-off-by: Saleemkhan Jamadar Reviewed-by: Leo Liu Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 24a4ebab8562875cb5c984e805915f0e7e1e667e Author: Jack Xiao Date: Wed Sep 18 17:07:13 2024 +0800 drm/amdgpu/mes12: set enable_level_process_quantum_check commit 4771d2ecb7b9e4c2c73ede2908d7e7c989460981 upstream. enable_level_process_quantum_check is requried to enable process quantum based scheduling. Signed-off-by: Jack Xiao Reviewed-by: Hawking Zhang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x Signed-off-by: Greg Kroah-Hartman commit 07d981b8b93326f73d90fa9ea5393e29ee4d0d8e Author: Frank Min Date: Wed Sep 4 10:50:33 2024 +0800 drm/amdgpu: update golden regs for gfx12 commit 7b6df1d73290961ff0a00fd0022f28dd19e37181 upstream. update golden regs for gfx12 Signed-off-by: Frank Min Reviewed-by: Likun Gao Reviewed-by: Hawking Zhang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x Signed-off-by: Greg Kroah-Hartman commit 5a76fd0410881fa6d4d410664a0273b1fbbc7ea8 Author: Sreekant Somasekharan Date: Fri Sep 20 01:53:17 2024 -0400 drm/amdkfd: Add SDMA queue quantum support for GFX12 commit d52ac79053a2f3eba04c1e7b56334df84d1d289f upstream. program SDMAx_QUEUEx_SCHEDULE_CNTL for context switch due to quantum in KFD for GFX12. Signed-off-by: Sreekant Somasekharan Reviewed-by: Harish Kasiviswanathan Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x Signed-off-by: Greg Kroah-Hartman commit f5cb15061b493bbef7ed3904c709842eb9102f2f Author: Alex Deucher Date: Mon Sep 16 10:52:24 2024 -0400 drm/amdgpu/mes11: reduce timeout commit 856265caa94a3c78feaa23ec1acd799fe1989201 upstream. The firmware timeout is 2s. Reduce the driver timeout to 2.1 seconds to avoid back pressure on queue submissions. Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3627 Fixes: f7c161a4c250 ("drm/amdgpu: increase mes submission timeout") Acked-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 2bc70e72cc9ea986f1007cf3d9a99aa9b21ea773 Author: Alex Deucher Date: Wed Sep 18 09:37:31 2024 -0400 drm/amdgpu/mes12: reduce timeout commit 84f76408abe989809de19d02e476b044fd985adc upstream. The firmware timeout is 2s. Reduce the driver timeout to 2.1 seconds to avoid back pressure on queue submissions. Fixes: 94b51a3d01ed ("drm/amdgpu/mes12: increase mes submission timeout") Acked-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 6.11.x Signed-off-by: Greg Kroah-Hartman commit d45c64d933586d409d3f1e0ecaca4da494b1d9c6 Author: Fangzhi Zuo Date: Fri Jul 12 16:30:03 2024 -0400 drm/amd/display: Skip Recompute DSC Params if no Stream on Link commit 8151a6c13111b465dbabe07c19f572f7cbd16fef upstream. [why] Encounter NULL pointer dereference uner mst + dsc setup. BUG: kernel NULL pointer dereference, address: 0000000000000008 PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 4 PID: 917 Comm: sway Not tainted 6.3.9-arch1-1 #1 124dc55df4f5272ccb409f39ef4872fc2b3376a2 Hardware name: LENOVO 20NKS01Y00/20NKS01Y00, BIOS R12ET61W(1.31 ) 07/28/2022 RIP: 0010:drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper] Code: 01 00 00 48 8b 85 60 05 00 00 48 63 80 88 00 00 00 3b 43 28 0f 8d 2e 01 00 00 48 8b 53 30 48 8d 04 80 48 8d 04 c2 48 8b 40 18 <48> 8> RSP: 0018:ffff960cc2df77d8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff8afb87e81280 RCX: 0000000000000224 RDX: ffff8afb9ee37c00 RSI: ffff8afb8da1a578 RDI: ffff8afb87e81280 RBP: ffff8afb83d67000 R08: 0000000000000001 R09: ffff8afb9652f850 R10: ffff960cc2df7908 R11: 0000000000000002 R12: 0000000000000000 R13: ffff8afb8d7688a0 R14: ffff8afb8da1a578 R15: 0000000000000224 FS: 00007f4dac35ce00(0000) GS:ffff8afe30b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000008 CR3: 000000010ddc6000 CR4: 00000000003506e0 Call Trace: ? __die+0x23/0x70 ? page_fault_oops+0x171/0x4e0 ? plist_add+0xbe/0x100 ? exc_page_fault+0x7c/0x180 ? asm_exc_page_fault+0x26/0x30 ? drm_dp_atomic_find_time_slots+0x5e/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026] ? drm_dp_atomic_find_time_slots+0x28/0x260 [drm_display_helper 0e67723696438d8e02b741593dd50d80b44c2026] compute_mst_dsc_configs_for_link+0x2ff/0xa40 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] ? fill_plane_buffer_attributes+0x419/0x510 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] compute_mst_dsc_configs_for_state+0x1e1/0x250 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] amdgpu_dm_atomic_check+0xecd/0x1190 [amdgpu 62e600d2a75e9158e1cd0a243bdc8e6da040c054] drm_atomic_check_only+0x5c5/0xa40 drm_mode_atomic_ioctl+0x76e/0xbc0 [how] dsc recompute should be skipped if no mode change detected on the new request. If detected, keep checking whether the stream is already on current state or not. Cc: Mario Limonciello Cc: Alex Deucher Cc: stable@vger.kernel.org Reviewed-by: Rodrigo Siqueira Signed-off-by: Fangzhi Zuo Signed-off-by: Wayne Lin Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 760a196e6dcb29580e468b44b5400171dae184d8 Author: Sean Christopherson Date: Thu Aug 29 21:35:51 2024 -0700 KVM: Use dedicated mutex to protect kvm_usage_count to avoid deadlock commit 44d17459626052a2390457e550a12cb973506b2f upstream. Use a dedicated mutex to guard kvm_usage_count to fix a potential deadlock on x86 due to a chain of locks and SRCU synchronizations. Translating the below lockdep splat, CPU1 #6 will wait on CPU0 #1, CPU0 #8 will wait on CPU2 #3, and CPU2 #7 will wait on CPU1 #4 (if there's a writer, due to the fairness of r/w semaphores). CPU0 CPU1 CPU2 1 lock(&kvm->slots_lock); 2 lock(&vcpu->mutex); 3 lock(&kvm->srcu); 4 lock(cpu_hotplug_lock); 5 lock(kvm_lock); 6 lock(&kvm->slots_lock); 7 lock(cpu_hotplug_lock); 8 sync(&kvm->srcu); Note, there are likely more potential deadlocks in KVM x86, e.g. the same pattern of taking cpu_hotplug_lock outside of kvm_lock likely exists with __kvmclock_cpufreq_notifier(): cpuhp_cpufreq_online() | -> cpufreq_online() | -> cpufreq_gov_performance_limits() | -> __cpufreq_driver_target() | -> __target_index() | -> cpufreq_freq_transition_begin() | -> cpufreq_notify_transition() | -> ... __kvmclock_cpufreq_notifier() But, actually triggering such deadlocks is beyond rare due to the combination of dependencies and timings involved. E.g. the cpufreq notifier is only used on older CPUs without a constant TSC, mucking with the NX hugepage mitigation while VMs are running is very uncommon, and doing so while also onlining/offlining a CPU (necessary to generate contention on cpu_hotplug_lock) would be even more unusual. The most robust solution to the general cpu_hotplug_lock issue is likely to switch vm_list to be an RCU-protected list, e.g. so that x86's cpufreq notifier doesn't to take kvm_lock. For now, settle for fixing the most blatant deadlock, as switching to an RCU-protected list is a much more involved change, but add a comment in locking.rst to call out that care needs to be taken when walking holding kvm_lock and walking vm_list. ====================================================== WARNING: possible circular locking dependency detected 6.10.0-smp--c257535a0c9d-pip #330 Tainted: G S O ------------------------------------------------------ tee/35048 is trying to acquire lock: ff6a80eced71e0a8 (&kvm->slots_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x179/0x1e0 [kvm] but task is already holding lock: ffffffffc07abb08 (kvm_lock){+.+.}-{3:3}, at: set_nx_huge_pages+0x14a/0x1e0 [kvm] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (kvm_lock){+.+.}-{3:3}: __mutex_lock+0x6a/0xb40 mutex_lock_nested+0x1f/0x30 kvm_dev_ioctl+0x4fb/0xe50 [kvm] __se_sys_ioctl+0x7b/0xd0 __x64_sys_ioctl+0x21/0x30 x64_sys_call+0x15d0/0x2e60 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #2 (cpu_hotplug_lock){++++}-{0:0}: cpus_read_lock+0x2e/0xb0 static_key_slow_inc+0x16/0x30 kvm_lapic_set_base+0x6a/0x1c0 [kvm] kvm_set_apic_base+0x8f/0xe0 [kvm] kvm_set_msr_common+0x9ae/0xf80 [kvm] vmx_set_msr+0xa54/0xbe0 [kvm_intel] __kvm_set_msr+0xb6/0x1a0 [kvm] kvm_arch_vcpu_ioctl+0xeca/0x10c0 [kvm] kvm_vcpu_ioctl+0x485/0x5b0 [kvm] __se_sys_ioctl+0x7b/0xd0 __x64_sys_ioctl+0x21/0x30 x64_sys_call+0x15d0/0x2e60 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #1 (&kvm->srcu){.+.+}-{0:0}: __synchronize_srcu+0x44/0x1a0 synchronize_srcu_expedited+0x21/0x30 kvm_swap_active_memslots+0x110/0x1c0 [kvm] kvm_set_memslot+0x360/0x620 [kvm] __kvm_set_memory_region+0x27b/0x300 [kvm] kvm_vm_ioctl_set_memory_region+0x43/0x60 [kvm] kvm_vm_ioctl+0x295/0x650 [kvm] __se_sys_ioctl+0x7b/0xd0 __x64_sys_ioctl+0x21/0x30 x64_sys_call+0x15d0/0x2e60 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #0 (&kvm->slots_lock){+.+.}-{3:3}: __lock_acquire+0x15ef/0x2e30 lock_acquire+0xe0/0x260 __mutex_lock+0x6a/0xb40 mutex_lock_nested+0x1f/0x30 set_nx_huge_pages+0x179/0x1e0 [kvm] param_attr_store+0x93/0x100 module_attr_store+0x22/0x40 sysfs_kf_write+0x81/0xb0 kernfs_fop_write_iter+0x133/0x1d0 vfs_write+0x28d/0x380 ksys_write+0x70/0xe0 __x64_sys_write+0x1f/0x30 x64_sys_call+0x281b/0x2e60 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x76/0x7e Cc: Chao Gao Fixes: 0bf50497f03b ("KVM: Drop kvm_count_lock and instead protect kvm_usage_count with kvm_lock") Cc: stable@vger.kernel.org Reviewed-by: Kai Huang Acked-by: Kai Huang Tested-by: Farrah Chen Signed-off-by: Sean Christopherson Message-ID: <20240830043600.127750-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit d99fbdccf1b102564f733e5a43613959d44fb1e5 Author: Sean Christopherson Date: Fri Jul 19 16:51:00 2024 -0700 KVM: x86: Re-split x2APIC ICR into ICR+ICR2 for AMD (x2AVIC) commit 73b42dc69be8564d4951a14d00f827929fe5ef79 upstream. Re-introduce the "split" x2APIC ICR storage that KVM used prior to Intel's IPI virtualization support, but only for AMD. While not stated anywhere in the APM, despite stating the ICR is a single 64-bit register, AMD CPUs store the 64-bit ICR as two separate 32-bit values in ICR and ICR2. When IPI virtualization (IPIv on Intel, all AVIC flavors on AMD) is enabled, KVM needs to match CPU behavior as some ICR ICR writes will be handled by the CPU, not by KVM. Add a kvm_x86_ops knob to control the underlying format used by the CPU to store the x2APIC ICR, and tune it to AMD vs. Intel regardless of whether or not x2AVIC is enabled. If KVM is handling all ICR writes, the storage format for x2APIC mode doesn't matter, and having the behavior follow AMD versus Intel will provide better test coverage and ease debugging. Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode") Cc: stable@vger.kernel.org Cc: Maxim Levitsky Cc: Suravee Suthikulpanit Link: https://lore.kernel.org/r/20240719235107.3023592-4-seanjc@google.com Signed-off-by: Sean Christopherson Signed-off-by: Greg Kroah-Hartman commit d94b64e10cff85b6b1420ce6eb6e715ca4534a02 Author: Sean Christopherson Date: Fri Jul 19 16:50:59 2024 -0700 KVM: x86: Move x2APIC ICR helper above kvm_apic_write_nodecode() commit d33234342f8b468e719e05649fd26549fb37ef8a upstream. Hoist kvm_x2apic_icr_write() above kvm_apic_write_nodecode() so that a local helper to _read_ the x2APIC ICR can be added and used in the nodecode path without needing a forward declaration. No functional change intended. Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240719235107.3023592-3-seanjc@google.com Signed-off-by: Sean Christopherson Signed-off-by: Greg Kroah-Hartman commit cac6e4da54c2d028ba67482fe7ffac9d8396aa0f Author: Sean Christopherson Date: Fri Jul 19 16:50:58 2024 -0700 KVM: x86: Enforce x2APIC's must-be-zero reserved ICR bits commit 71bf395a276f0578d19e0ae137a7d1d816d08e0e upstream. Inject a #GP on a WRMSR(ICR) that attempts to set any reserved bits that are must-be-zero on both Intel and AMD, i.e. any reserved bits other than the BUSY bit, which Intel ignores and basically says is undefined. KVM's xapic_state_test selftest has been fudging the bug since commit 4b88b1a518b3 ("KVM: selftests: Enhance handling WRMSR ICR register in x2APIC mode"), which essentially removed the testcase instead of fixing the bug. WARN if the nodecode path triggers a #GP, as the CPU is supposed to check reserved bits for ICR when it's partially virtualized. Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240719235107.3023592-2-seanjc@google.com Signed-off-by: Sean Christopherson Signed-off-by: Greg Kroah-Hartman commit 6e678c715067da86cb7c0456eb320dfd9a75ff04 Author: Snehal Koukuntla Date: Mon Sep 9 18:01:54 2024 +0000 KVM: arm64: Add memory length checks and remove inline in do_ffa_mem_xfer commit f26a525b77e040d584e967369af1e018d2d59112 upstream. When we share memory through FF-A and the description of the buffers exceeds the size of the mapped buffer, the fragmentation API is used. The fragmentation API allows specifying chunks of descriptors in subsequent FF-A fragment calls and no upper limit has been established for this. The entire memory region transferred is identified by a handle which can be used to reclaim the transferred memory. To be able to reclaim the memory, the description of the buffers has to fit in the ffa_desc_buf. Add a bounds check on the FF-A sharing path to prevent the memory reclaim from failing. Also do_ffa_mem_xfer() does not need __always_inline, except for the BUILD_BUG_ON() aspect, which gets moved to a macro. [maz: fixed the BUILD_BUG_ON() breakage with LLVM, thanks to Wei-Lin Chang for the timely report] Fixes: 634d90cf0ac65 ("KVM: arm64: Handle FFA_MEM_LEND calls from the host") Cc: stable@vger.kernel.org Reviewed-by: Sebastian Ene Signed-off-by: Snehal Koukuntla Reviewed-by: Oliver Upton Link: https://lore.kernel.org/r/20240909180154.3267939-1-snehalreddy@google.com Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman commit 562bdfffd5ac6fadfd786e93dac98841c07195a7 Author: Werner Sembach Date: Tue Sep 10 11:40:07 2024 +0200 Input: i8042 - add another board name for TUXEDO Stellaris Gen5 AMD line commit 01eed86d50af9fab27d876fd677b86259ebe9de3 upstream. There might be devices out in the wild where the board name is GMxXGxx instead of GMxXGxX. Adding both to be on the safe side. Signed-off-by: Werner Sembach Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240910094008.1601230-2-wse@tuxedocomputers.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 7220b935bc978ace6047404f1ad2c6beb6fdf0eb Author: Werner Sembach Date: Tue Sep 10 11:40:08 2024 +0200 Input: i8042 - add TUXEDO Stellaris 15 Slim Gen6 AMD to i8042 quirk table commit 3870e2850b56306d1d1e435c5a1ccbccd7c59291 upstream. The Gen6 devices have the same problem and the same Solution as the Gen5 ones. Some TongFang barebones have touchpad and/or keyboard issues after suspend, fixable with nomux + reset + noloop + nopnp. Luckily, none of them have an external PS/2 port so this can safely be set for all of them. I'm not entirely sure if every device listed really needs all four quirks, but after testing and production use, no negative effects could be observed when setting all four. Signed-off-by: Werner Sembach Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240910094008.1601230-3-wse@tuxedocomputers.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit b7bd90a21ef655f094c0f5f0ebfced79c996e905 Author: Werner Sembach Date: Thu Sep 5 18:48:51 2024 +0200 Input: i8042 - add TUXEDO Stellaris 16 Gen5 AMD to i8042 quirk table commit e06edf96dea065dd1d9df695bf8b92784992333e upstream. Some TongFang barebones have touchpad and/or keyboard issues after suspend, fixable with nomux + reset + noloop + nopnp. Luckily, none of them have an external PS/2 port so this can safely be set for all of them. I'm not entirely sure if every device listed really needs all four quirks, but after testing and production use, no negative effects could be observed when setting all four. Signed-off-by: Werner Sembach Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20240905164851.771578-1-wse@tuxedocomputers.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 698f8e07ce2a479e65bf52cdc8872c7294485475 Author: Nuno Sa Date: Fri Sep 20 09:22:52 2024 +0200 Input: adp5588-keys - fix check on return code commit eb017f4ea13b1a5ad7f4332279f2e4c67b44bdea upstream. During adp5588_setup(), we read all the events to clear the event FIFO. However, adp5588_read() just calls i2c_smbus_read_byte_data() which returns the byte read in case everything goes well. Hence, we need to explicitly check for a negative error code instead of checking for something different than 0. Fixes: e960309ce318 ("Input: adp5588-keys - bail out on returned error") Cc: stable@vger.kernel.org Signed-off-by: Nuno Sa Link: https://lore.kernel.org/r/20240920-fix-adp5588-err-check-v1-1-81f6e957ef24@analog.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 72b78287ce92802e8ba678181a34b84ae844a112 Author: Jason Gunthorpe Date: Tue Aug 27 13:46:45 2024 -0300 iommufd: Protect against overflow of ALIGN() during iova allocation commit 8f6887349b2f829a4121c518aeb064fc922714e4 upstream. Userspace can supply an iova and uptr such that the target iova alignment becomes really big and ALIGN() overflows which corrupts the selected area range during allocation. CONFIG_IOMMUFD_TEST can detect this: WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline] WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352 Modules linked in: CPU: 1 PID: 5092 Comm: syz-executor294 Not tainted 6.10.0-rc5-syzkaller-00294-g3ffea9a7a6f7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 RIP: 0010:iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline] RIP: 0010:iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352 Code: fc e9 a4 f3 ff ff e8 1a 8b 4c fc 41 be e4 ff ff ff e9 8a f3 ff ff e8 0a 8b 4c fc 90 0f 0b 90 e9 37 f5 ff ff e8 fc 8a 4c fc 90 <0f> 0b 90 e9 68 f3 ff ff 48 c7 c1 ec 82 ad 8f 80 e1 07 80 c1 03 38 RSP: 0018:ffffc90003ebf9e0 EFLAGS: 00010293 RAX: ffffffff85499fa4 RBX: 00000000ffffffef RCX: ffff888079b49e00 RDX: 0000000000000000 RSI: 00000000ffffffef RDI: 0000000000000000 RBP: ffffc90003ebfc50 R08: ffffffff85499b30 R09: ffffffff85499942 R10: 0000000000000002 R11: ffff888079b49e00 R12: ffff8880228e0010 R13: 0000000000000000 R14: 1ffff920007d7f68 R15: ffffc90003ebfd00 FS: 000055557d760380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000005fdeb8 CR3: 000000007404a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: iommufd_ioas_copy+0x610/0x7b0 drivers/iommu/iommufd/ioas.c:274 iommufd_fops_ioctl+0x4d9/0x5a0 drivers/iommu/iommufd/main.c:421 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Cap the automatic alignment to the huge page size, which is probably a better idea overall. Huge automatic alignments can fragment and chew up the available IOVA space without any reason. Link: https://patch.msgid.link/r/0-v1-8009738b9891+1f7-iommufd_align_overflow_jgg@nvidia.com Cc: stable@vger.kernel.org Fixes: 51fe6141f0f6 ("iommufd: Data structure to provide IOVA to PFN mapping") Reviewed-by: Nicolin Chen Reported-by: syzbot+16073ebbc4c64b819b47@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/000000000000388410061a74f014@google.com Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit e5be9fef6865ddfe2aac19cff40dd98135746a1b Author: Eliav Bar-ilan Date: Tue Sep 10 16:44:16 2024 -0300 iommu/amd: Fix argument order in amd_iommu_dev_flush_pasid_all() commit 8386207f37e98453e1de3f51e50eeeea089103f9 upstream. An incorrect argument order calling amd_iommu_dev_flush_pasid_pages() causes improper flushing of the IOMMU, leaving the old value of GCR3 from a previous process attached to the same PASID. The function has the signature: void amd_iommu_dev_flush_pasid_pages(struct iommu_dev_data *dev_data, ioasid_t pasid, u64 address, size_t size) Correct the argument order. Cc: stable@vger.kernel.org Fixes: 474bf01ed9f0 ("iommu/amd: Add support for device based TLB invalidation") Signed-off-by: Eliav Bar-ilan Signed-off-by: Jason Gunthorpe Reviewed-by: Vasant Hegde Link: https://lore.kernel.org/r/0-v1-fc6bc37d8208+250b-amd_pasid_flush_jgg@nvidia.com Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 1b1f3191592eea291878865ec556977e3192a4d6 Author: Roman Smirnov Date: Tue Jul 16 12:10:40 2024 +0300 Revert "media: tuners: fix error return code of hybrid_tuner_request_state()" commit e25cc4be4616fcf5689622b3226d648aab253cdb upstream. This reverts commit b9302fa7ed979e84b454e4ca92192cf485a4ed41. As Fedor Pchelkin pointed out, this commit violates the convention of using the macro return value, which causes errors. For example, in functions tda18271_attach(), xc5000_attach(), simple_tuner_attach(). Link: https://lore.kernel.org/linux-media/20240424202031.syigrtrtipbq5f2l@fpc/ Suggested-by: Fedor Pchelkin Signed-off-by: Roman Smirnov Signed-off-by: Hans Verkuil Signed-off-by: Greg Kroah-Hartman commit a0850bd0c4c3f9375cdf1a53bcfb1e9987d942ce Author: Krzysztof Kozlowski Date: Sun Aug 25 20:05:22 2024 +0200 soc: versatile: integrator: fix OF node leak in probe() error path commit 874c5b601856adbfda10846b9770a6c66c41e229 upstream. Driver is leaking OF node reference obtained from of_find_matching_node(). Fixes: f956a785a282 ("soc: move SoC driver for the ARM Integrator") Cc: stable@vger.kernel.org Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/20240825-soc-dev-fixes-v1-1-ff4b35abed83@linaro.org Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit d383db5b4d5a69c50b6da31c9836d069270a190b Author: Herve Codina Date: Thu Aug 8 09:10:56 2024 +0200 soc: fsl: cpm1: tsa: Fix tsa_write8() commit 47a347bae9a491b467ab3543e4725a3e4fbe30f5 upstream. The tsa_write8() parameter is an u32 value. This is not consistent with the function itself. Indeed, tsa_write8() writes an 8bits value. Be consistent and use an u8 parameter value. Fixes: 1d4ba0b81c1c ("soc: fsl: cpm1: Add support for TSA") Cc: stable@vger.kernel.org Signed-off-by: Herve Codina Reviewed-by: Christophe Leroy Link: https://lore.kernel.org/r/20240808071132.149251-4-herve.codina@bootlin.com Signed-off-by: Christophe Leroy Signed-off-by: Greg Kroah-Hartman commit 89d7fff78fc755b4604fbd6c389f9f6baf3cd2e9 Author: Herve Codina Date: Thu Aug 8 09:10:54 2024 +0200 soc: fsl: cpm1: qmc: Update TRNSYNC only in transparent mode commit c3cc3e69b33fee3d276895e0e2d1a8fb37ea5d0e upstream. The TRNSYNC feature is available (and enabled) only in transparent mode. Since commit 7cc9bda9c163 ("soc: fsl: cpm1: qmc: Handle timeslot entries at channel start() and stop()") TRNSYNC register is updated in transparent and hdlc mode. In hdlc mode, the address of the TRNSYNC register is used by the QMC for other internal purpose. Even if no weird results were observed in hdlc mode, touching this register in this mode is wrong. Update TRNSYNC only in transparent mode. Fixes: 7cc9bda9c163 ("soc: fsl: cpm1: qmc: Handle timeslot entries at channel start() and stop()") Cc: stable@vger.kernel.org Signed-off-by: Herve Codina Reviewed-by: Christophe Leroy Link: https://lore.kernel.org/r/20240808071132.149251-2-herve.codina@bootlin.com Signed-off-by: Christophe Leroy Signed-off-by: Greg Kroah-Hartman commit a2bbbdb491472d9238835c4c462ea8dbe77b27cc Author: Ma Ke Date: Fri Aug 30 22:31:54 2024 +0800 ASoC: rt5682: Return devm_of_clk_add_hw_provider to transfer the error commit fcca6d05ef49d5650514ea1dcfd12e4ae3ff2be6 upstream. Return devm_of_clk_add_hw_provider() in order to transfer the error, if it fails due to resource allocation failure or device tree clock provider registration failure. Cc: stable@vger.kernel.org Fixes: ebbfabc16d23 ("ASoC: rt5682: Add CCF usage for providing I2S clks") Signed-off-by: Ma Ke Link: https://patch.msgid.link/20240830143154.3448004-1-make24@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 54b1319e7c8bf20dab3833d8922ee5bf038d42f6 Author: Dmitry Baryshkov Date: Mon Jul 29 22:52:14 2024 +0300 Revert "soc: qcom: smd-rpm: Match rpmsg channel instead of compatible" commit b17155133391d7f6dd18d3fb94a7d492fdec18fa upstream. The rpm_requests device nodes have the compatible node. As such the rpmsg core uses OF modalias instead of a native rpmsg modalias. Thus if smd-rpm is built as a module, it doesn't get autoloaded for the device. Revert the commit bcabe1e09135 ("soc: qcom: smd-rpm: Match rpmsg channel instead of compatible") Fixes: bcabe1e09135 ("soc: qcom: smd-rpm: Match rpmsg channel instead of compatible") Cc: stable@vger.kernel.org Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20240729-fix-smd-rpm-v2-1-0776408a94c5@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit ed857be045b1c286e16f104a7ce3fd20bbb2a442 Author: Siddharth Vadapalli Date: Tue Aug 27 17:54:22 2024 +0530 PCI: dra7xx: Fix error handling when IRQ request fails in probe commit 4d60f6d4b8fa4d7bad4aeb2b3ee5c10425bc60a4 upstream. Commit d4c7d1a089d6 ("PCI: dwc: dra7xx: Push request_irq() call to the bottom of probe") moved the IRQ request for "dra7xx-pcie-main" towards the end of dra7xx_pcie_probe(). However, the error handling does not take into account the initialization performed by either dra7xx_add_pcie_port() or dra7xx_add_pcie_ep(), depending on the mode of operation. Fix the error handling to address this. Fixes: d4c7d1a089d6 ("PCI: dwc: dra7xx: Push request_irq() call to the bottom of probe") Link: https://lore.kernel.org/linux-pci/20240827122422.985547-3-s-vadapalli@ti.com Tested-by: Udit Kumar Signed-off-by: Siddharth Vadapalli [kwilczynski: commit log] Signed-off-by: Krzysztof Wilczyński Reviewed-by: Kevin Hilman Reviewed-by: Manivannan Sadhasivam Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit ff8578a01adb7271d94e6b304382171bd5c4a1f6 Author: Sean Anderson Date: Fri May 31 12:13:32 2024 -0400 PCI: xilinx-nwl: Fix off-by-one in INTx IRQ handler commit 0199d2f2bd8cd97b310f7ed82a067247d7456029 upstream. MSGF_LEG_MASK is laid out with INTA in bit 0, INTB in bit 1, INTC in bit 2, and INTD in bit 3. Hardware IRQ numbers start at 0, and we register PCI_NUM_INTX IRQs. So to enable INTA (aka hwirq 0) we should set bit 0. Remove the subtraction of one. This bug would cause INTx interrupts not to be delivered, as enabling INTB would actually enable INTA, and enabling INTA wouldn't enable anything at all. It is likely that this got overlooked for so long since most PCIe hardware uses MSIs. This fixes the following UBSAN error: UBSAN: shift-out-of-bounds in ../drivers/pci/controller/pcie-xilinx-nwl.c:389:11 shift exponent 18446744073709551615 is too large for 32-bit type 'int' CPU: 1 PID: 61 Comm: kworker/u10:1 Not tainted 6.6.20+ #268 Hardware name: xlnx,zynqmp (DT) Workqueue: events_unbound deferred_probe_work_func Call trace: dump_backtrace (arch/arm64/kernel/stacktrace.c:235) show_stack (arch/arm64/kernel/stacktrace.c:242) dump_stack_lvl (lib/dump_stack.c:107) dump_stack (lib/dump_stack.c:114) __ubsan_handle_shift_out_of_bounds (lib/ubsan.c:218 lib/ubsan.c:387) nwl_unmask_leg_irq (drivers/pci/controller/pcie-xilinx-nwl.c:389 (discriminator 1)) irq_enable (kernel/irq/internals.h:234 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345) __irq_startup (kernel/irq/internals.h:239 kernel/irq/chip.c:180 kernel/irq/chip.c:250) irq_startup (kernel/irq/chip.c:270) __setup_irq (kernel/irq/manage.c:1800) request_threaded_irq (kernel/irq/manage.c:2206) pcie_pme_probe (include/linux/interrupt.h:168 drivers/pci/pcie/pme.c:348) Fixes: 9a181e1093af ("PCI: xilinx-nwl: Modify IRQ chip for legacy interrupts") Link: https://lore.kernel.org/r/20240531161337.864994-3-sean.anderson@linux.dev Signed-off-by: Sean Anderson Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 3b411d35cbbdeec981fcfb80a0205a36af54cb9a Author: Maciej W. Rozycki Date: Fri Aug 9 14:25:02 2024 +0100 PCI: Use an error code with PCIe failed link retraining commit 59100eb248c0b15585affa546c7f6834b30eb5a4 upstream. Given how the call place in pcie_wait_for_link_delay() got structured now, and that pcie_retrain_link() returns a potentially useful error code, convert pcie_failed_link_retrain() to return an error code rather than a boolean status, fixing handling at the call site mentioned. Update the other call site accordingly. Fixes: 1abb47390350 ("Merge branch 'pci/enumeration'") Link: https://lore.kernel.org/r/alpine.DEB.2.21.2408091156530.61955@angie.orcam.me.uk Reported-by: Ilpo Järvinen Link: https://lore.kernel.org/r/aa2d1c4e-9961-d54a-00c7-ddf8e858a9b0@linux.intel.com/ Signed-off-by: Maciej W. Rozycki Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Reviewed-by: Ilpo Järvinen Cc: # v6.5+ Signed-off-by: Greg Kroah-Hartman commit 6651e3ba87bcd793edf3ece946ab07795f2d76fa Author: Maciej W. Rozycki Date: Fri Aug 9 14:24:56 2024 +0100 PCI: Correct error reporting with PCIe failed link retraining commit 712e49c967064a3a7a5738c6f65ac540a3f6a1df upstream. Only return successful completion status from pcie_failed_link_retrain() if retraining has actually been done, preventing excessive delays from being triggered at call sites in a hope that communication will finally be established with the downstream device where in fact nothing has been done about the link in question that would justify such a hope. Fixes: a89c82249c37 ("PCI: Work around PCIe link training failures") Link: https://lore.kernel.org/r/alpine.DEB.2.21.2408091133260.61955@angie.orcam.me.uk Reported-by: Ilpo Järvinen Link: https://lore.kernel.org/r/aa2d1c4e-9961-d54a-00c7-ddf8e858a9b0@linux.intel.com/ Signed-off-by: Maciej W. Rozycki Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Reviewed-by: Ilpo Järvinen Cc: # v6.5+ Signed-off-by: Greg Kroah-Hartman commit 58804098bc928ecdf901a90dc3e61c131f99022e Author: Richard Zhu Date: Mon Jul 29 16:18:09 2024 -0400 PCI: imx6: Fix i.MX8MP PCIe EP's occasional failure to trigger MSI commit 5cb3aa92c7cf182940ae575c3f450d3708af087c upstream. Correct occasional MSI triggering failures in i.MX8MP PCIe EP by applying the correct hardware outbound alignment requirement. The i.MX platform has a restriction about outbound address translation. The pci-epc-mem uses page_size to manage it. Set the correct page_size for i.MX platform to meet the hardware requirement, which is the same as inbound address alignment. Thus, align it with epc_features::align. Fixes: 1bd0d43dcf3b ("PCI: imx6: Clean up addr_space retrieval code") Link: https://lore.kernel.org/linux-pci/20240729-pci2_upstream-v8-2-b68ee5ef2b4d@nxp.com Signed-off-by: Richard Zhu Signed-off-by: Frank Li [kwilczynski: commit log] Signed-off-by: Krzysztof Wilczyński Reviewed-by: Manivannan Sadhasivam Acked-by: Jason Liu Cc: # 6.9+ Signed-off-by: Greg Kroah-Hartman commit 12d7ac6b73fe535b37f2c6a7485569ae8b365384 Author: Richard Zhu Date: Mon Jul 29 16:18:08 2024 -0400 PCI: imx6: Fix establish link failure in EP mode for i.MX8MM and i.MX8MP commit 5214ff221a14cadab1e2ee29499750fd5e884feb upstream. Add IMX6_PCIE_FLAG_HAS_APP_RESET flag to IMX8MM_EP and IMX8MP_EP drvdata. This flag was overlooked during code restructuring. It is crucial to release the app-reset from the System Reset Controller before initiating LTSSM to rectify the issue. Fixes: 0c9651c21f2a ("PCI: imx6: Simplify reset handling by using *_FLAG_HAS_*_RESET") Link: https://lore.kernel.org/linux-pci/20240729-pci2_upstream-v8-1-b68ee5ef2b4d@nxp.com Signed-off-by: Richard Zhu Signed-off-by: Frank Li [kwilczynski: commit log] Signed-off-by: Krzysztof Wilczyński Reviewed-by: Manivannan Sadhasivam Cc: # 6.9+ Signed-off-by: Greg Kroah-Hartman commit 1ade5b2ce4be102f360c92dcdf50b37b90f9a188 Author: Frank Li Date: Mon Jul 29 16:18:10 2024 -0400 PCI: imx6: Fix missing call to phy_power_off() in error handling commit 5b04d44d5c74e4d8aab1678496b84700b4b343fe upstream. Fix missing call to phy_power_off() in the error path of imx6_pcie_host_init(). Remove unnecessary check for imx6_pcie->phy as the PHY API already handles NULL pointers. Fixes: cbcf8722b523 ("phy: freescale: imx8m-pcie: Fix the wrong order of phy_init() and phy_power_on()") Link: https://lore.kernel.org/linux-pci/20240729-pci2_upstream-v8-3-b68ee5ef2b4d@nxp.com Signed-off-by: Frank Li [kwilczynski: commit log] Signed-off-by: Krzysztof Wilczyński Reviewed-by: Manivannan Sadhasivam Cc: # 6.1+ Signed-off-by: Greg Kroah-Hartman commit 29cc2c2383f8e68170d1652feb6077f4e3684a59 Author: Siddharth Vadapalli Date: Tue Aug 27 17:54:21 2024 +0530 PCI: dra7xx: Fix threaded IRQ request for "dra7xx-pcie-main" IRQ commit 03f84b3baba7836bdfc162c19288d5ce1aa92890 upstream. Commit da87d35a6e51 ("PCI: dra7xx: Use threaded IRQ handler for "dra7xx-pcie-main" IRQ") switched from devm_request_irq() to devm_request_threaded_irq() for the "dra7xx-pcie-main" interrupt. Since the primary handler was set to NULL, the "IRQF_ONESHOT" flag should have also been set. Fix this. Fixes: da87d35a6e51 ("PCI: dra7xx: Use threaded IRQ handler for "dra7xx-pcie-main" IRQ") Suggested-by: Vignesh Raghavendra Link: https://lore.kernel.org/linux-pci/20240827122422.985547-2-s-vadapalli@ti.com Reported-by: Udit Kumar Signed-off-by: Siddharth Vadapalli Signed-off-by: Krzysztof Wilczyński Reviewed-by: Kevin Hilman Reviewed-by: Manivannan Sadhasivam Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 58633dea804f9338831f148564cfe255af4de184 Author: Maciej W. Rozycki Date: Fri Aug 9 14:24:46 2024 +0100 PCI: Clear the LBMS bit after a link retrain commit 8037ac08c2bbb3186f83a5a924f52d1048dbaec5 upstream. The LBMS bit, where implemented, is set by hardware either in response to the completion of retraining caused by writing 1 to the Retrain Link bit or whenever hardware has changed the link speed or width in attempt to correct unreliable link operation. It is never cleared by hardware other than by software writing 1 to the bit position in the Link Status register and we never do such a write. We currently have two places, namely apply_bad_link_workaround() and pcie_failed_link_retrain() in drivers/pci/controller/dwc/pcie-tegra194.c and drivers/pci/quirks.c respectively where we check the state of the LBMS bit and neither is interested in the state of the bit resulting from the completion of retraining, both check for a link fault. And in particular pcie_failed_link_retrain() causes issues consequently, by trying to retrain a link where there's no downstream device anymore and the state of 1 in the LBMS bit has been retained from when there was a device downstream that has since been removed. Clear the LBMS bit then at the conclusion of pcie_retrain_link(), so that we have a single place that controls it and that our code can track link speed or width changes resulting from unreliable link operation. Fixes: a89c82249c37 ("PCI: Work around PCIe link training failures") Link: https://lore.kernel.org/r/alpine.DEB.2.21.2408091133140.61955@angie.orcam.me.uk Reported-by: Matthew W Carlis Link: https://lore.kernel.org/r/20240806000659.30859-1-mattc@purestorage.com/ Link: https://lore.kernel.org/r/20240722193407.23255-1-mattc@purestorage.com/ Signed-off-by: Maciej W. Rozycki Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Cc: # v6.5+ Signed-off-by: Greg Kroah-Hartman commit 365b473ccb7a25bee8b53531f79c82176652214a Author: Maciej W. Rozycki Date: Fri Aug 9 14:24:51 2024 +0100 PCI: Revert to the original speed after PCIe failed link retraining commit f68dea13405c94381d08f42dbf0416261622bdad upstream. When `pcie_failed_link_retrain' has failed to retrain the link by hand it leaves the link speed restricted to 2.5GT/s, which will then affect any device that has been plugged in later on, which may not suffer from the problem that caused the speed restriction to have been attempted. Consequently such a downstream device will suffer from an unnecessary communication throughput limitation and therefore performance loss. Remove the speed restriction then and revert the Link Control 2 register to its original state if link retraining with the speed restriction in place has failed. Retrain the link again afterwards so as to remove any residual state, waiting on LT rather than DLLLA to avoid an excessive delay and ignoring the result as this training is supposed to fail anyway. Fixes: a89c82249c37 ("PCI: Work around PCIe link training failures") Link: https://lore.kernel.org/linux-pci/alpine.DEB.2.21.2408251412590.30766@angie.orcam.me.uk Reported-by: Matthew W Carlis Link: https://lore.kernel.org/r/20240806000659.30859-1-mattc@purestorage.com/ Link: https://lore.kernel.org/r/20240722193407.23255-1-mattc@purestorage.com/ Signed-off-by: Maciej W. Rozycki Signed-off-by: Bjorn Helgaas Signed-off-by: Krzysztof Wilczyński Reviewed-by: Ilpo Järvinen Cc: # v6.5+ Signed-off-by: Greg Kroah-Hartman commit 869411bb157ccac152893af5755fca0e360bc528 Author: Laurent Pinchart Date: Mon Jul 29 18:57:38 2024 +0300 Remove *.orig pattern from .gitignore commit 76be4f5a784533c71afbbb1b8f2963ef9e2ee258 upstream. Commit 3f1b0e1f2875 (".gitignore update") added *.orig and *.rej patterns to .gitignore in v2.6.23. The commit message didn't give a rationale. Later on, commit 1f5d3a6b6532 ("Remove *.rej pattern from .gitignore") removed the *.rej pattern in v2.6.26, on the rationale that *.rej files indicated something went really wrong and should not be ignored. The *.rej files are now shown by `git status`, which helps located conflicts when applying patches and lowers the probability that they will go unnoticed. It is however still easy to overlook the *.orig files which slowly polute the source tree. That's not as big of a deal as not noticing a conflict, but it's still not nice. Drop the *.orig pattern from .gitignore to avoid this and help keep the source tree clean. Signed-off-by: Laurent Pinchart [masahiroy@kernel.org: I do not have a strong opinion about this. Perhaps some people may have a different opinion. If you are someone who wants to ignore *.orig, it is likely you would want to do so across all projects. Then, $XDG_CONFIG_HOME/git/ignore would be more suitable for your needs. gitignore(5) suggests, "Patterns which a user wants Git to ignore in all situations generally go into a file specified by core.excludesFile in the user's ~/.gitconfig". Please note that you cannot do the opposite; if *.orig is ignored by the project's .gitignore, you cannot override the decision because $XDG_CONFIG_HOME/git/ignore has a lower priority. If *.orig is sitting on the fence, I'd leave it to the users. ] Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit 895bc6e38bb842e76ff827fc6044378f4eb59f5c Author: Eduard Zingerman Date: Tue Aug 20 03:23:50 2024 -0700 selftests/bpf: correctly move 'log' upon successful match commit d0a29cdb6ef95d8a175e09ab2d1334271f047e60 upstream. Suppose log="foo bar buz" and msg->substr="bar". In such case current match processing logic would update 'log' as follows: log += strlen(msg->substr); -> log += 3 -> log=" bar". However, the intent behind the 'log' update is to make it point after the successful match, e.g. to make log=" buz" in the example above. Fixes: 4ef5d6af4935 ("selftests/bpf: no need to track next_match_pos in struct test_loader") Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20240820102357.3372779-3-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman commit b2b224d272524d3a1e3588bbbcb88eb4ae10dcb4 Author: Felix Moessbauer Date: Mon Sep 16 13:11:50 2024 +0200 io_uring/sqpoll: do not put cpumask on stack commit 7f44beadcc11adb98220556d2ddbe9c97aa6d42d upstream. Putting the cpumask on the stack is deprecated for a long time (since 2d3854a37e8), as these can be big. Given that, change the on-stack allocation of allowed_mask to be dynamically allocated. Fixes: f011c9cf04c0 ("io_uring/sqpoll: do not allow pinning outside of cpuset") Signed-off-by: Felix Moessbauer Link: https://lore.kernel.org/r/20240916111150.1266191-1-felix.moessbauer@siemens.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit d035c9107f4e5ba8962c4395d294436d0fa5136b Author: Matthew Auld Date: Mon Aug 12 15:13:32 2024 +0100 drm/xe: fix engine_class bounds check again commit 23ab1cb6591dba7c97b65eb407cd71147bd878b8 upstream. This was fixed in commit b7dce525c4fc ("drm/xe/queue: fix engine_class bounds check"), but then re-introduced in commit 6f20fc09936e ("drm/xe: Move and export xe_hw_engine lookup.") which should only be simple code movement of the existing function. Fixes: 6f20fc09936e ("drm/xe: Move and export xe_hw_engine lookup.") Signed-off-by: Matthew Auld Cc: Dominik Grzegorzek Cc: Mika Kuoppala Cc: Matthew Brost Reviewed-by: Jonathan Cavitt Reviewed-by: Lucas De Marchi Link: https://patchwork.freedesktop.org/patch/msgid/20240812141331.729843-2-matthew.auld@intel.com Signed-off-by: Lucas De Marchi Signed-off-by: Greg Kroah-Hartman commit f11d89477f3cfc07a1ec78b240cc4fc7c5a6e3b5 Author: Alex Hung Date: Thu Jun 27 16:45:39 2024 -0600 drm/amd/display: disable_hpo_dp_link_output: Check link_res->hpo_dp_link_enc before using it commit d925c04d974c657d10471c0c2dba3bc9c7d994ee upstream. [WHAT & HOW] Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res without initializing hpo_dp_link_enc and it is necessary to check for null before dereferencing. This fixes 1 FORWARD_NULL issue reported by Coverity. Fixes: 0beca868cde8 ("drm/amd/display: Check link_res->hpo_dp_link_enc before using it") Reviewed-by: Rodrigo Siqueira Signed-off-by: Alex Hung Signed-off-by: Aurabindo Pillai Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit e6e1554322549f9785989029cb639b85eb211ccb Author: Jens Axboe Date: Mon Sep 16 02:58:06 2024 -0600 io_uring/sqpoll: retain test for whether the CPU is valid commit a09c17240bdf2e9fa6d0591afa9448b59785f7d4 upstream. A recent commit ensured that SQPOLL cannot be setup with a CPU that isn't in the current tasks cpuset, but it also dropped testing whether the CPU is valid in the first place. Without that, if a task passes in a CPU value that is too high, the following KASAN splat can get triggered: BUG: KASAN: stack-out-of-bounds in io_sq_offload_create+0x858/0xaa4 Read of size 8 at addr ffff800089bc7b90 by task wq-aff.t/1391 CPU: 4 UID: 1000 PID: 1391 Comm: wq-aff.t Not tainted 6.11.0-rc7-00227-g371c468f4db6 #7080 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace.part.0+0xcc/0xe0 show_stack+0x14/0x1c dump_stack_lvl+0x58/0x74 print_report+0x16c/0x4c8 kasan_report+0x9c/0xe4 __asan_report_load8_noabort+0x1c/0x24 io_sq_offload_create+0x858/0xaa4 io_uring_setup+0x1394/0x17c4 __arm64_sys_io_uring_setup+0x6c/0x180 invoke_syscall+0x6c/0x260 el0_svc_common.constprop.0+0x158/0x224 do_el0_svc+0x3c/0x5c el0_svc+0x34/0x70 el0t_64_sync_handler+0x118/0x124 el0t_64_sync+0x168/0x16c The buggy address belongs to stack of task wq-aff.t/1391 and is located at offset 48 in frame: io_sq_offload_create+0x0/0xaa4 This frame has 1 object: [32, 40) 'allowed_mask' The buggy address belongs to the virtual mapping at [ffff800089bc0000, ffff800089bc9000) created by: kernel_clone+0x124/0x7e0 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000d740af80 pfn:0x11740a memcg:ffff0000c2706f02 flags: 0xbffe00000000000(node=0|zone=2|lastcpupid=0x1fff) raw: 0bffe00000000000 0000000000000000 dead000000000122 0000000000000000 raw: ffff0000d740af80 0000000000000000 00000001ffffffff ffff0000c2706f02 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff800089bc7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff800089bc7b00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 >ffff800089bc7b80: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff800089bc7c00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 ffff800089bc7c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202409161632.cbeeca0d-lkp@intel.com Fixes: f011c9cf04c0 ("io_uring/sqpoll: do not allow pinning outside of cpuset") Tested-by: Felix Moessbauer Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 682a0e2c4e52dbe08a94e8b0df1d47c398b17fa3 Author: Juergen Gross Date: Fri Aug 9 17:52:55 2024 +0200 xen: allow mapping ACPI data using a different physical address commit 9221222c717dbddac1e3c49906525475d87a3a44 upstream. When running as a Xen PV dom0 the system needs to map ACPI data of the host using host physical addresses, while those addresses can conflict with the guest physical addresses of the loaded linux kernel. The same problem might apply in case a PV guest is configured to use the host memory map. This conflict can be solved by mapping the ACPI data to a different guest physical address, but mapping the data via acpi_os_ioremap() must still be possible using the host physical address, as this address might be generated by AML when referencing some of the ACPI data. When configured to support running as a Xen PV domain, have an implementation of acpi_os_ioremap() being aware of the possibility to need above mentioned translation of a host physical address to the guest physical address. This modification requires to #include linux/acpi.h in some sources which need to include asm/acpi.h directly. Signed-off-by: Juergen Gross Reviewed-by: Jan Beulich Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 5e3228742814cb96e37e49f7b959aeef846b9abb Author: Juergen Gross Date: Tue Aug 6 09:56:48 2024 +0200 xen: move checks for e820 conflicts further up commit c4498ae316da5b5786ccd448fc555f3339b8e4ca upstream. Move the checks for e820 memory map conflicts using the xen_chk_is_e820_usable() helper further up in order to prepare resolving some of the possible conflicts by doing some e820 map modifications, which must happen before evaluating the RAM layout. Signed-off-by: Juergen Gross Tested-by: Marek Marczykowski-Górecki Reviewed-by: Jan Beulich Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 54519af879126803b975f78cd811405a204961ac Author: Fangzhi Zuo Date: Tue Aug 27 16:08:13 2024 -0400 drm/amdgpu/display: Fix a mistake in revert commit commit 7745a1dee0a687044888179e6e7fcd6d704992a9 upstream. [why] It is to fix in try_disable_dsc() due to misrevert of commit 338567d17627 ("drm/amd/display: Fix MST BW calculation Regression") [How] Fix restoring minimum compression bw by 'max_kbps', instead of native bw 'stream_kbps' Signed-off-by: Fangzhi Zuo Reviewed-by: Aurabindo Pillai Signed-off-by: Alex Deucher Cc: Mario Limonciello Signed-off-by: Greg Kroah-Hartman commit 6b598a82ec34fb2e12800d415d28dd28be185816 Author: Fangzhi Zuo Date: Fri Aug 2 15:03:39 2024 -0400 drm/amd/display: Add DSC Debug Log commit 3715112c1b35036039e8c4f75868a0b56a71a51d upstream. Add DSC log in each critical routines to facilitate debugging. Reviewed-by: Rodrigo Siqueira Signed-off-by: Fangzhi Zuo Signed-off-by: Zaeem Mohamed Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Cc: Mario Limonciello Signed-off-by: Greg Kroah-Hartman commit e84575d8d3301d751ae4f251538ab5c4f1f0b437 Author: Fangzhi Zuo Date: Mon Aug 12 12:13:44 2024 -0400 drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination commit 4437936c6b696b98f3fe1d8679a2788c41b4df77 upstream. Synaptics Cascaded Panamera topology needs to unconditionally acquire root aux for dsc decoding. Reviewed-by: Roman Li Signed-off-by: Fangzhi Zuo Signed-off-by: Zaeem Mohamed Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Cc: Mario Limonciello Signed-off-by: Greg Kroah-Hartman commit ce14f38d6ee9e88e37ec28427b4b93a7c33c70d3 Author: Shu Han Date: Tue Sep 17 17:41:04 2024 +0800 mm: call the security_mmap_file() LSM hook in remap_file_pages() commit ea7e2d5e49c05e5db1922387b09ca74aa40f46e2 upstream. The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux. So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux. The bypass is similar to CVE-2016-10044, which bypass the same thing via AIO and can be found in [1]. The PoC: $ cat > test.c int main(void) { size_t pagesz = sysconf(_SC_PAGE_SIZE); int mfd = syscall(SYS_memfd_create, "test", 0); const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE, MAP_SHARED, mfd, 0); unsigned int old = syscall(SYS_personality, 0xffffffff); syscall(SYS_personality, READ_IMPLIES_EXEC | old); syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0); syscall(SYS_personality, old); // show the RWX page exists even if W^X policy is enforced int fd = open("/proc/self/maps", O_RDONLY); unsigned char buf2[1024]; while (1) { int ret = read(fd, buf2, 1024); if (ret <= 0) break; write(1, buf2, ret); } close(fd); } $ gcc test.c -o test $ ./test | grep rwx 7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted) Link: https://project-zero.issues.chromium.org/issues/42452389 [1] Cc: stable@vger.kernel.org Signed-off-by: Shu Han Acked-by: Stephen Smalley [PM: subject line tweaks] Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit 229e9e527cde52dbad5e1da4d3eed5bbd15433c1 Author: Jeongjun Park Date: Tue Sep 24 22:00:53 2024 +0900 mm: migrate: annotate data-race in migrate_folio_unmap() commit 8001070cfbec5cd4ea00b8b48ea51df91122f265 upstream. I found a report from syzbot [1] This report shows that the value can be changed, but in reality, the value of __folio_set_movable() cannot be changed because it holds the folio refcount. Therefore, it is appropriate to add an annotate to make KCSAN ignore that data-race. [1] ================================================================== BUG: KCSAN: data-race in __filemap_remove_folio / migrate_pages_batch write to 0xffffea0004b81dd8 of 8 bytes by task 6348 on cpu 0: page_cache_delete mm/filemap.c:153 [inline] __filemap_remove_folio+0x1ac/0x2c0 mm/filemap.c:233 filemap_remove_folio+0x6b/0x1f0 mm/filemap.c:265 truncate_inode_folio+0x42/0x50 mm/truncate.c:178 shmem_undo_range+0x25b/0xa70 mm/shmem.c:1028 shmem_truncate_range mm/shmem.c:1144 [inline] shmem_evict_inode+0x14d/0x530 mm/shmem.c:1272 evict+0x2f0/0x580 fs/inode.c:731 iput_final fs/inode.c:1883 [inline] iput+0x42a/0x5b0 fs/inode.c:1909 dentry_unlink_inode+0x24f/0x260 fs/dcache.c:412 __dentry_kill+0x18b/0x4c0 fs/dcache.c:615 dput+0x5c/0xd0 fs/dcache.c:857 __fput+0x3fb/0x6d0 fs/file_table.c:439 ____fput+0x1c/0x30 fs/file_table.c:459 task_work_run+0x13a/0x1a0 kernel/task_work.c:228 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xbe/0x130 kernel/entry/common.c:218 do_syscall_64+0xd6/0x1c0 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f read to 0xffffea0004b81dd8 of 8 bytes by task 6342 on cpu 1: __folio_test_movable include/linux/page-flags.h:699 [inline] migrate_folio_unmap mm/migrate.c:1199 [inline] migrate_pages_batch+0x24c/0x1940 mm/migrate.c:1797 migrate_pages_sync mm/migrate.c:1963 [inline] migrate_pages+0xff1/0x1820 mm/migrate.c:2072 do_mbind mm/mempolicy.c:1390 [inline] kernel_mbind mm/mempolicy.c:1533 [inline] __do_sys_mbind mm/mempolicy.c:1607 [inline] __se_sys_mbind+0xf76/0x1160 mm/mempolicy.c:1603 __x64_sys_mbind+0x78/0x90 mm/mempolicy.c:1603 x64_sys_call+0x2b4d/0x2d60 arch/x86/include/generated/asm/syscalls_64.h:238 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xc9/0x1c0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f value changed: 0xffff888127601078 -> 0x0000000000000000 Link: https://lkml.kernel.org/r/20240924130053.107490-1-aha310510@gmail.com Fixes: 7e2a5e5ab217 ("mm: migrate: use __folio_test_movable()") Signed-off-by: Jeongjun Park Reported-by: syzbot Acked-by: David Hildenbrand Cc: Kefeng Wang Cc: Matthew Wilcox Cc: Zi Yan Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 4e181761ffec67307157a7e8a78d58ee4130cf00 Author: yangyun Date: Sat Sep 14 16:51:31 2024 +0800 fuse: use exclusive lock when FUSE_I_CACHE_IO_MODE is set commit 2f3d8ff457982f4055fe8f7bf19d3821ba22c376 upstream. This may be a typo. The comment has said shared locks are not allowed when this bit is set. If using shared lock, the wait in `fuse_file_cached_io_open` may be forever. Fixes: 205c1d802683 ("fuse: allow parallel dio writes with FUSE_DIRECT_IO_ALLOW_MMAP") CC: stable@vger.kernel.org # v6.9 Signed-off-by: yangyun Reviewed-by: Bernd Schubert Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit ee224a8017acbe09af002e2a7cbd245cccbbc410 Author: Jens Axboe Date: Wed Sep 18 11:58:19 2024 -0600 io_uring: check for presence of task_work rather than TIF_NOTIFY_SIGNAL commit 04beb6e0e08c30c6f845f50afb7d7953603d7a6f upstream. If some part of the kernel adds task_work that needs executing, in terms of signaling it'll generally use TWA_SIGNAL or TWA_RESUME. Those two directly translate to TIF_NOTIFY_SIGNAL or TIF_NOTIFY_RESUME, and can be used for a variety of use case outside of task_work. However, io_cqring_wait_schedule() only tests explicitly for TIF_NOTIFY_SIGNAL. This means it can miss if task_work got added for the task, but used a different kind of signaling mechanism (or none at all). Normally this doesn't matter as any task_work will be run once the task exits to userspace, except if: 1) The ring is setup with DEFER_TASKRUN 2) The local work item may generate normal task_work For condition 2, this can happen when closing a file and it's the final put of that file, for example. This can cause stalls where a task is waiting to make progress inside io_cqring_wait(), but there's nothing else that will wake it up. Hence change the "should we schedule or loop around" check to check for the presence of task_work explicitly, rather than just TIF_NOTIFY_SIGNAL as the mechanism. While in there, also change the ordering of what type of task_work first in terms of ordering, to both make it consistent with other task_work runs in io_uring, but also to better handle the case of defer task_work generating normal task_work, like in the above example. Reported-by: Jan Hendrik Farr Link: https://github.com/axboe/liburing/issues/1235 Cc: stable@vger.kernel.org Fixes: 846072f16eed ("io_uring: mimimise io_cqring_wait_schedule") Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 043fcaf30ace13dfac01b0807d57a5108a88989f Author: Jens Axboe Date: Tue Sep 10 08:30:57 2024 -0600 io_uring/rw: treat -EOPNOTSUPP for IOCB_NOWAIT like -EAGAIN commit c0a9d496e0fece67db777bd48550376cf2960c47 upstream. Some file systems, ocfs2 in this case, will return -EOPNOTSUPP for an IOCB_NOWAIT read/write attempt. While this can be argued to be correct, the usual return value for something that requires blocking issue is -EAGAIN. A refactoring io_uring commit dropped calling kiocb_done() for negative return values, which is otherwise where we already do that transformation. To ensure we catch it in both spots, check it in __io_read() itself as well. Reported-by: Robert Sander Link: https://fosstodon.org/@gurubert@mastodon.gurubert.de/113112431889638440 Cc: stable@vger.kernel.org Fixes: a08d195b586a ("io_uring/rw: split io_read() into a helper") Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 8324b1a738514dd58eb0136ad3a3f0633d387da9 Author: Felix Moessbauer Date: Mon Sep 9 17:00:36 2024 +0200 io_uring/sqpoll: do not allow pinning outside of cpuset commit f011c9cf04c06f16b24f583d313d3c012e589e50 upstream. The submit queue polling threads are userland threads that just never exit to the userland. When creating the thread with IORING_SETUP_SQ_AFF, the affinity of the poller thread is set to the cpu specified in sq_thread_cpu. However, this CPU can be outside of the cpuset defined by the cgroup cpuset controller. This violates the rules defined by the cpuset controller and is a potential issue for realtime applications. In b7ed6d8ffd6 we fixed the default affinity of the poller thread, in case no explicit pinning is required by inheriting the one of the creating task. In case of explicit pinning, the check is more complicated, as also a cpu outside of the parent cpumask is allowed. We implemented this by using cpuset_cpus_allowed (that has support for cgroup cpusets) and testing if the requested cpu is in the set. Fixes: 37d1e2e3642e ("io_uring: move SQPOLL thread io-wq forked worker") Cc: stable@vger.kernel.org # 6.1+ Signed-off-by: Felix Moessbauer Link: https://lore.kernel.org/r/20240909150036.55921-1-felix.moessbauer@siemens.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 5d7b450370c65a7c81d9c05b4b794d552b9660a2 Author: Phil Sutter Date: Thu Sep 19 14:40:00 2024 +0200 selftests: netfilter: Avoid hanging ipvs.sh [ Upstream commit fc786304ad9803e8bb86b8599bc64d1c1746c75f ] If the client can't reach the server, the latter remains listening forever. Kill it after 5s of waiting. Fixes: 867d2190799a ("selftests: netfilter: add ipvs test script") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit a8c12f69039039b8ebcf94c47d6ac87dd5bb692d Author: Pablo Neira Ayuso Date: Wed Sep 18 14:19:45 2024 +0200 netfilter: nf_tables: missing objects with no memcg accounting [ Upstream commit 69e687cea79fc99a17dfb0116c8644b9391b915e ] Several ruleset objects are still not using GFP_KERNEL_ACCOUNT for memory accounting, update them. This includes: - catchall elements - compat match large info area - log prefix - meta secctx - numgen counters - pipapo set backend datastructure - tunnel private objects Fixes: 33758c891479 ("memcg: enable accounting for nft objects") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 2223aa83c718acdbf9753fe6ad250070de11000c Author: Pablo Neira Ayuso Date: Tue Sep 17 23:07:46 2024 +0200 netfilter: nf_tables: use rcu chain hook list iterator from netlink dump path [ Upstream commit 4ffcf5ca81c3b83180473eb0d3c010a1a7c6c4de ] Lockless iteration over hook list is possible from netlink dump path, use rcu variant to iterate over the hook list as is done with flowtable hooks. Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") Reported-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 81a33144aa45fdbc81ba9fa87cbbfe2dd97db186 Author: Simon Horman Date: Mon Sep 16 16:14:41 2024 +0100 netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS [ Upstream commit e1f1ee0e9ad8cbe660f5c104e791c5f1a7cf4c31 ] Only provide ctnetlink_label_size when it is used, which is when CONFIG_NF_CONNTRACK_EVENTS is configured. Flagged by clang-18 W=1 builds as: .../nf_conntrack_netlink.c:385:19: warning: unused function 'ctnetlink_label_size' [-Wunused-function] 385 | static inline int ctnetlink_label_size(const struct nf_conn *ct) | ^~~~~~~~~~~~~~~~~~~~ The condition on CONFIG_NF_CONNTRACK_LABELS being removed by this patch guards compilation of non-trivial implementations of ctnetlink_dump_labels() and ctnetlink_label_size(). However, this is not necessary as each of these functions will always return 0 if CONFIG_NF_CONNTRACK_LABELS is not defined as each function starts with the equivalent of: struct nf_conn_labels *labels = nf_ct_labels_find(ct); if (!labels) return 0; And nf_ct_labels_find always returns NULL if CONFIG_NF_CONNTRACK_LABELS is not enabled. So I believe that the compiler optimises the code away in such cases anyway. Found by inspection. Compile tested only. Originally splitted in two patches, Pablo Neira Ayuso collapsed them and added Fixes: tag. Fixes: 0ceabd83875b ("netfilter: ctnetlink: deliver labels to userspace") Link: https://lore.kernel.org/netfilter-devel/20240909151712.GZ2097826@kernel.org/ Signed-off-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 628a5a3d2fa9aa89683c405bc98da0fc91ad0e0b Author: Phil Sutter Date: Thu Sep 12 14:21:33 2024 +0200 netfilter: nf_tables: Keep deleted flowtable hooks until after RCU [ Upstream commit 642c89c475419b4d0c0d90e29d9c1a0e4351f379 ] Documentation of list_del_rcu() warns callers to not immediately free the deleted list item. While it seems not necessary to use the RCU-variant of list_del() here in the first place, doing so seems to require calling kfree_rcu() on the deleted item as well. Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 83a95292ddd927eb373f3311c15e13ae9d55588e Author: Furong Xu <0x1207@gmail.com> Date: Thu Sep 19 20:10:28 2024 +0800 net: stmmac: set PP_FLAG_DMA_SYNC_DEV only if XDP is enabled [ Upstream commit b514c47ebf41a6536551ed28a05758036e6eca7c ] Commit 5fabb01207a2 ("net: stmmac: Add initial XDP support") sets PP_FLAG_DMA_SYNC_DEV flag for page_pool unconditionally, page_pool_recycle_direct() will call page_pool_dma_sync_for_device() on every page even the page is not going to be reused by XDP program. When XDP is not enabled, the page which holds the received buffer will be recycled once the buffer is copied into new SKB by skb_copy_to_linear_data(), then the MAC core will never reuse this page any longer. Always setting PP_FLAG_DMA_SYNC_DEV wastes CPU cycles on unnecessary calling of page_pool_dma_sync_for_device(). After this patch, up to 9% noticeable performance improvement was observed on certain platforms. Fixes: 5fabb01207a2 ("net: stmmac: Add initial XDP support") Signed-off-by: Furong Xu <0x1207@gmail.com> Link: https://patch.msgid.link/20240919121028.1348023-1-0x1207@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit f142d59b59e6eedc66fb8d7ae94cece17cd4902f Author: Wenbo Li Date: Thu Sep 19 16:13:51 2024 +0800 virtio_net: Fix mismatched buf address when unmapping for small packets [ Upstream commit c11a49d58ad229a1be1ebe08a2b68fedf83db6c8 ] Currently, the virtio-net driver will perform a pre-dma-mapping for small or mergeable RX buffer. But for small packets, a mismatched address without VIRTNET_RX_PAD and xdp_headroom is used for unmapping. That will result in unsynchronized buffers when SWIOTLB is enabled, for example, when running as a TDX guest. This patch unifies the address passed to the virtio core as the address of the virtnet header and fixes the mismatched buffer address. Changes from v2: unify the buf that passed to the virtio core in small and merge mode. Changes from v1: Use ctx to get xdp_headroom. Fixes: 295525e29a5b ("virtio_net: merge dma operations when filling mergeable buffers") Signed-off-by: Wenbo Li Signed-off-by: Jiahui Cen Signed-off-by: Ying Fang Reviewed-by: Xuan Zhuo Link: https://patch.msgid.link/20240919081351.51772-1-liwenbo.martin@bytedance.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 57b5fba55c6f8b1d83312a34bd656166fcd95658 Author: Jiwon Kim Date: Wed Sep 18 14:06:02 2024 +0000 bonding: Fix unnecessary warnings and logs from bond_xdp_get_xmit_slave() [ Upstream commit 0cbfd45fbcf0cb26d85c981b91c62fe73cdee01c ] syzbot reported a WARNING in bond_xdp_get_xmit_slave. To reproduce this[1], one bond device (bond1) has xdpdrv, which increases bpf_master_redirect_enabled_key. Another bond device (bond0) which is unsupported by XDP but its slave (veth3) has xdpgeneric that returns XDP_TX. This triggers WARN_ON_ONCE() from the xdp_master_redirect(). To reduce unnecessary warnings and improve log management, we need to delete the WARN_ON_ONCE() and add ratelimit to the netdev_err(). [1] Steps to reproduce: # Needs tx_xdp with return XDP_TX; ip l add veth0 type veth peer veth1 ip l add veth3 type veth peer veth4 ip l add bond0 type bond mode 6 # BOND_MODE_ALB, unsupported by XDP ip l add bond1 type bond # BOND_MODE_ROUNDROBIN by default ip l set veth0 master bond1 ip l set bond1 up # Increases bpf_master_redirect_enabled_key ip l set dev bond1 xdpdrv object tx_xdp.o section xdp_tx ip l set veth3 master bond0 ip l set bond0 up ip l set veth4 up # Triggers WARN_ON_ONCE() from the xdp_master_redirect() ip l set veth3 xdpgeneric object tx_xdp.o section xdp_tx Reported-by: syzbot+c187823a52ed505b2257@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c187823a52ed505b2257 Fixes: 9e2ee5c7e7c3 ("net, bonding: Add XDP support to the bonding driver") Signed-off-by: Jiwon Kim Signed-off-by: Nikolay Aleksandrov Link: https://patch.msgid.link/20240918140602.18644-1-jiwonaid0@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 281dc872979ab93452c6d23e1bc98dac37a972ca Author: Paul Barker Date: Wed Sep 18 09:18:39 2024 +0100 net: ravb: Fix R-Car RX frame size limit [ Upstream commit ec8234717db8589078d08b17efa528a235c61f4f ] The RX frame size limit should not be based on the current MTU setting. Instead it should be based on the hardware capabilities. While we're here, improve the description of the receive frame length setting as suggested by Niklas. Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") Reviewed-by: Sergey Shtylyov Reviewed-by: Niklas Söderlund Signed-off-by: Paul Barker Reviewed-by: Simon Horman Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 0e76a200d121323cb38f69f348d15b1362d172b0 Author: Paul Barker Date: Wed Sep 18 09:18:38 2024 +0100 net: ravb: Fix maximum TX frame size for GbEth devices [ Upstream commit 1d63864299cafa7c8cbde56491c9932afdbff7ea ] The datasheets for all SoCs using the GbEth IP specify a maximum transmission frame size of 1.5 kByte. I've confirmed through internal discussions that support for 1522 byte frames has been validated, which allows us to support the default MTU of 1500 bytes after reserving space for the Ethernet header, frame checksums and an optional VLAN tag. Fixes: 2e95e08ac009 ("ravb: Add rx_max_buf_size to struct ravb_hw_info") Reviewed-by: Niklas Söderlund Reviewed-by: Sergey Shtylyov Signed-off-by: Paul Barker Reviewed-by: Simon Horman Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit fb3ab8741b6641845340fd8a967f9e0d7794691e Author: Daniel Golle Date: Tue Sep 17 14:49:55 2024 +0100 net: phy: aquantia: fix applying active_low bit after reset [ Upstream commit 6f9defaf99122d1af9c2562181c77bc99be0672d ] for_each_set_bit was used wrongly in aqr107_config_init() when iterating over LEDs. Drop misleading 'index' variable and call aqr_phy_led_active_low_set() for each set bit representing an LED which is driven by VDD instead of GND pin. Fixes: 61578f679378 ("net: phy: aquantia: add support for PHY LEDs") Signed-off-by: Daniel Golle Reviewed-by: Russell King (Oracle) Link: https://patch.msgid.link/9b1f0cd91f4cda54c8be56b4fe780480baf4aa0f.1726580902.git.daniel@makrotopia.org Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 67b32026a11937b499bb42292bb447c5809c7b89 Author: Daniel Golle Date: Tue Sep 17 14:49:40 2024 +0100 net: phy: aquantia: fix setting active_low bit [ Upstream commit d2b366c43443a21d9bcf047f3ee1f09cf9792dc4 ] phy_modify_mmd was used wrongly in aqr_phy_led_active_low_set() resulting in a no-op instead of setting the VEND1_GLOBAL_LED_DRIVE_VDD bit. Correctly set VEND1_GLOBAL_LED_DRIVE_VDD bit. Fixes: 61578f679378 ("net: phy: aquantia: add support for PHY LEDs") Signed-off-by: Daniel Golle Reviewed-by: Russell King (Oracle) Link: https://patch.msgid.link/ab963584b0a7e3b4dac39472a4b82ca264d79630.1726580902.git.daniel@makrotopia.org Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 84d0bb912dbfa98b32d2ab97be20381d8b3ad77e Author: Youssef Samir Date: Mon Sep 16 19:08:58 2024 +0200 net: qrtr: Update packets cloning when broadcasting [ Upstream commit f011b313e8ebd5b7abd8521b5119aecef403de45 ] When broadcasting data to multiple nodes via MHI, using skb_clone() causes all nodes to receive the same header data. This can result in packets being discarded by endpoints, leading to lost data. This issue occurs when a socket is closed, and a QRTR_TYPE_DEL_CLIENT packet is broadcasted. All nodes receive the same destination node ID, causing the node connected to the client to discard the packet and remain unaware of the client's deletion. Replace skb_clone() with pskb_copy(), to create a separate copy of the header for each sk_buff. Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") Signed-off-by: Youssef Samir Reviewed-by: Jeffery Hugo Reviewed-by: Carl Vanderlip Reviewed-by: Chris Lew Link: https://patch.msgid.link/20240916170858.2382247-1-quic_yabdulra@quicinc.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 09aea49fbc7e755a915c405644f347137cdb62b0 Author: Josh Hunt Date: Tue Sep 10 15:08:22 2024 -0400 tcp: check skb is non-NULL in tcp_rto_delta_us() [ Upstream commit c8770db2d54437a5f49417ae7b46f7de23d14db6 ] We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic kernel that are running ceph and recently hit a null ptr dereference in tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also saw it getting hit from the RACK case as well. Here are examples of the oops messages we saw in each of those cases: Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020 Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0 Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246 Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60 Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8 Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900 Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30 Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000 Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0 Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554 Jul 26 15:05:02 rx [11061395.916786] Call Trace: Jul 26 15:05:02 rx [11061395.919488] Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9 Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380 Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0 Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50 Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0 Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20 Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450 Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140 Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90 Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0 Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40 Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220 Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240 Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0 Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240 Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130 Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280 Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10 Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30 Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_event+0x21/0x30 Jul 26 15:05:02 rx [11061396.021984] ? clockevents_program_event+0x8f/0xe0 Jul 26 15:05:02 rx [11061396.027035] run_timer_softirq+0x2a/0x50 Jul 26 15:05:02 rx [11061396.031212] __do_softirq+0xd1/0x2c1 Jul 26 15:05:02 rx [11061396.035044] do_softirq_own_stack+0x2a/0x40 Jul 26 15:05:02 rx [11061396.039480] Jul 26 15:05:02 rx [11061396.041840] do_softirq.part.0+0x46/0x50 Jul 26 15:05:02 rx [11061396.046022] __local_bh_enable_ip+0x50/0x60 Jul 26 15:05:02 rx [11061396.050460] _raw_spin_unlock_bh+0x1e/0x20 Jul 26 15:05:02 rx [11061396.054817] nf_conntrack_tcp_packet+0x29e/0xbe0 [nf_conntrack] Jul 26 15:05:02 rx [11061396.060994] ? get_l4proto+0xe7/0x190 [nf_conntrack] Jul 26 15:05:02 rx [11061396.066220] nf_conntrack_in+0xe9/0x670 [nf_conntrack] Jul 26 15:05:02 rx [11061396.071618] ipv6_conntrack_local+0x14/0x20 [nf_conntrack] Jul 26 15:05:02 rx [11061396.077356] nf_hook_slow+0x45/0xb0 Jul 26 15:05:02 rx [11061396.081098] ip6_xmit+0x3f0/0x5d0 Jul 26 15:05:02 rx [11061396.084670] ? ipv6_anycast_cleanup+0x50/0x50 Jul 26 15:05:02 rx [11061396.089282] ? __sk_dst_check+0x38/0x70 Jul 26 15:05:02 rx [11061396.093381] ? inet6_csk_route_socket+0x13b/0x200 Jul 26 15:05:02 rx [11061396.098346] inet6_csk_xmit+0xa7/0xf0 Jul 26 15:05:02 rx [11061396.102263] __tcp_transmit_skb+0x550/0xb30 Jul 26 15:05:02 rx [11061396.106701] tcp_write_xmit+0x3c6/0xc20 Jul 26 15:05:02 rx [11061396.110792] ? __alloc_skb+0x98/0x1d0 Jul 26 15:05:02 rx [11061396.114708] __tcp_push_pending_frames+0x37/0x100 Jul 26 15:05:02 rx [11061396.119667] tcp_push+0xfd/0x100 Jul 26 15:05:02 rx [11061396.123150] tcp_sendmsg_locked+0xc70/0xdd0 Jul 26 15:05:02 rx [11061396.127588] tcp_sendmsg+0x2d/0x50 Jul 26 15:05:02 rx [11061396.131245] inet6_sendmsg+0x43/0x70 Jul 26 15:05:02 rx [11061396.135075] __sock_sendmsg+0x48/0x70 Jul 26 15:05:02 rx [11061396.138994] ____sys_sendmsg+0x212/0x280 Jul 26 15:05:02 rx [11061396.143172] ___sys_sendmsg+0x88/0xd0 Jul 26 15:05:02 rx [11061396.147098] ? __seccomp_filter+0x7e/0x6b0 Jul 26 15:05:02 rx [11061396.151446] ? __switch_to+0x39c/0x460 Jul 26 15:05:02 rx [11061396.155453] ? __switch_to_asm+0x42/0x80 Jul 26 15:05:02 rx [11061396.159636] ? __switch_to_asm+0x5a/0x80 Jul 26 15:05:02 rx [11061396.163816] __sys_sendmsg+0x5c/0xa0 Jul 26 15:05:02 rx [11061396.167647] __x64_sys_sendmsg+0x1f/0x30 Jul 26 15:05:02 rx [11061396.171832] do_syscall_64+0x57/0x190 Jul 26 15:05:02 rx [11061396.175748] entry_SYSCALL_64_after_hwframe+0x5c/0xc1 Jul 26 15:05:02 rx [11061396.181055] RIP: 0033:0x7f1ef692618d Jul 26 15:05:02 rx [11061396.184893] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ca ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 48 89 44 24 08 e8 fe ee ff ff 48 Jul 26 15:05:02 rx [11061396.203889] RSP: 002b:00007f1ef4a26aa0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e Jul 26 15:05:02 rx [11061396.211708] RAX: ffffffffffffffda RBX: 000000000000084b RCX: 00007f1ef692618d Jul 26 15:05:02 rx [11061396.219091] RDX: 0000000000004000 RSI: 00007f1ef4a26b10 RDI: 0000000000000275 Jul 26 15:05:02 rx [11061396.226475] RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000020 Jul 26 15:05:02 rx [11061396.233859] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000084b Jul 26 15:05:02 rx [11061396.241243] R13: 00007f1ef4a26b10 R14: 0000000000000275 R15: 000055592030f1e8 Jul 26 15:05:02 rx [11061396.248628] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler nft_ct sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 mlx5_core hid_generic pci_hyperv_intf crc32_pclmul tls usbhid ahci mlxfw bnxt_en libahci hid nvme i2c_piix4 nvme_core wmi Jul 26 15:05:02 rx [11061396.324334] CR2: 0000000000000020 Jul 26 15:05:02 rx [11061396.327944] ---[ end trace 68a2b679d1cfb4f1 ]--- Jul 26 15:05:02 rx [11061396.433435] RIP: 0010:tcp_rearm_rto+0xe4/0x160 Jul 26 15:05:02 rx [11061396.438137] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 Jul 26 15:05:02 rx [11061396.457144] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246 Jul 26 15:05:02 rx [11061396.462629] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 Jul 26 15:05:02 rx [11061396.470012] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60 Jul 26 15:05:02 rx [11061396.477396] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8 Jul 26 15:05:02 rx [11061396.484779] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900 Jul 26 15:05:02 rx [11061396.492164] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30 Jul 26 15:05:02 rx [11061396.499547] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000 Jul 26 15:05:02 rx [11061396.507886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Jul 26 15:05:02 rx [11061396.513884] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0 Jul 26 15:05:02 rx [11061396.521267] PKRU: 55555554 Jul 26 15:05:02 rx [11061396.524230] Kernel panic - not syncing: Fatal exception in interrupt Jul 26 15:05:02 rx [11061396.530885] Kernel Offset: 0x1b200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) Jul 26 15:05:03 rx [11061396.660181] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- After we hit this we disabled TLP by setting tcp_early_retrans to 0 and then hit the crash in the RACK case: Aug 7 07:26:16 rx [1006006.265582] BUG: kernel NULL pointer dereference, address: 0000000000000020 Aug 7 07:26:16 rx [1006006.272719] #PF: supervisor read access in kernel mode Aug 7 07:26:16 rx [1006006.278030] #PF: error_code(0x0000) - not-present page Aug 7 07:26:16 rx [1006006.283343] PGD 0 P4D 0 Aug 7 07:26:16 rx [1006006.286057] Oops: 0000 [#1] SMP NOPTI Aug 7 07:26:16 rx [1006006.289896] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.4.0-174-generic #193-Ubuntu Aug 7 07:26:16 rx [1006006.299107] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 Aug 7 07:26:16 rx [1006006.309970] RIP: 0010:tcp_rearm_rto+0xe4/0x160 Aug 7 07:26:16 rx [1006006.314584] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3 Aug 7 07:26:16 rx [1006006.333499] RSP: 0018:ffffb42600a50960 EFLAGS: 00010246 Aug 7 07:26:16 rx [1006006.338895] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000 Aug 7 07:26:16 rx [1006006.346193] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff92d687ed8160 Aug 7 07:26:16 rx [1006006.353489] RBP: ffffb42600a50978 R08: 0000000000000000 R09: 00000000cd896dcc Aug 7 07:26:16 rx [1006006.360786] R10: ffff92dc3404f400 R11: 0000000000000001 R12: ffff92d687ed8000 Aug 7 07:26:16 rx [1006006.368084] R13: ffff92d687ed8160 R14: 00000000cd896dcc R15: 00000000cd8fca81 Aug 7 07:26:16 rx [1006006.375381] FS: 0000000000000000(0000) GS:ffff93158ad40000(0000) knlGS:0000000000000000 Aug 7 07:26:16 rx [1006006.383632] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Aug 7 07:26:16 rx [1006006.389544] CR2: 0000000000000020 CR3: 0000003e775ce006 CR4: 0000000000760ee0 Aug 7 07:26:16 rx [1006006.396839] PKRU: 55555554 Aug 7 07:26:16 rx [1006006.399717] Call Trace: Aug 7 07:26:16 rx [1006006.402335] Aug 7 07:26:16 rx [1006006.404525] ? show_regs.cold+0x1a/0x1f Aug 7 07:26:16 rx [1006006.408532] ? __die+0x90/0xd9 Aug 7 07:26:16 rx [1006006.411760] ? no_context+0x196/0x380 Aug 7 07:26:16 rx [1006006.415599] ? __bad_area_nosemaphore+0x50/0x1a0 Aug 7 07:26:16 rx [1006006.420392] ? _raw_spin_lock+0x1e/0x30 Aug 7 07:26:16 rx [1006006.424401] ? bad_area_nosemaphore+0x16/0x20 Aug 7 07:26:16 rx [1006006.428927] ? do_user_addr_fault+0x267/0x450 Aug 7 07:26:16 rx [1006006.433450] ? __do_page_fault+0x58/0x90 Aug 7 07:26:16 rx [1006006.437542] ? do_page_fault+0x2c/0xe0 Aug 7 07:26:16 rx [1006006.441470] ? page_fault+0x34/0x40 Aug 7 07:26:16 rx [1006006.445134] ? tcp_rearm_rto+0xe4/0x160 Aug 7 07:26:16 rx [1006006.449145] tcp_ack+0xa32/0xb30 Aug 7 07:26:16 rx [1006006.452542] tcp_rcv_established+0x13c/0x670 Aug 7 07:26:16 rx [1006006.456981] ? sk_filter_trim_cap+0x48/0x220 Aug 7 07:26:16 rx [1006006.461419] tcp_v6_do_rcv+0xdb/0x450 Aug 7 07:26:16 rx [1006006.465257] tcp_v6_rcv+0xc2b/0xd10 Aug 7 07:26:16 rx [1006006.468918] ip6_protocol_deliver_rcu+0xd3/0x4e0 Aug 7 07:26:16 rx [1006006.473706] ip6_input_finish+0x15/0x20 Aug 7 07:26:16 rx [1006006.477710] ip6_input+0xa2/0xb0 Aug 7 07:26:16 rx [1006006.481109] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0 Aug 7 07:26:16 rx [1006006.486151] ip6_sublist_rcv_finish+0x3d/0x50 Aug 7 07:26:16 rx [1006006.490679] ip6_sublist_rcv+0x1aa/0x250 Aug 7 07:26:16 rx [1006006.494779] ? ip6_rcv_finish_core.isra.0+0xa0/0xa0 Aug 7 07:26:16 rx [1006006.499828] ipv6_list_rcv+0x112/0x140 Aug 7 07:26:16 rx [1006006.503748] __netif_receive_skb_list_core+0x1a4/0x250 Aug 7 07:26:16 rx [1006006.509057] netif_receive_skb_list_internal+0x1a1/0x2b0 Aug 7 07:26:16 rx [1006006.514538] gro_normal_list.part.0+0x1e/0x40 Aug 7 07:26:16 rx [1006006.519068] napi_complete_done+0x91/0x130 Aug 7 07:26:16 rx [1006006.523352] mlx5e_napi_poll+0x18e/0x610 [mlx5_core] Aug 7 07:26:16 rx [1006006.528481] net_rx_action+0x142/0x390 Aug 7 07:26:16 rx [1006006.532398] __do_softirq+0xd1/0x2c1 Aug 7 07:26:16 rx [1006006.536142] irq_exit+0xae/0xb0 Aug 7 07:26:16 rx [1006006.539452] do_IRQ+0x5a/0xf0 Aug 7 07:26:16 rx [1006006.542590] common_interrupt+0xf/0xf Aug 7 07:26:16 rx [1006006.546421] Aug 7 07:26:16 rx [1006006.548695] RIP: 0010:native_safe_halt+0xe/0x10 Aug 7 07:26:16 rx [1006006.553399] Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65 Aug 7 07:26:16 rx [1006006.572309] RSP: 0018:ffffb42600177e70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffc2 Aug 7 07:26:16 rx [1006006.580040] RAX: ffffffff8ed08b20 RBX: 0000000000000005 RCX: 0000000000000001 Aug 7 07:26:16 rx [1006006.587337] RDX: 00000000f48eeca2 RSI: 0000000000000082 RDI: 0000000000000082 Aug 7 07:26:16 rx [1006006.594635] RBP: ffffb42600177e90 R08: 0000000000000000 R09: 000000000000020f Aug 7 07:26:16 rx [1006006.601931] R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000005 Aug 7 07:26:16 rx [1006006.609229] R13: ffff93157deb5f00 R14: 0000000000000000 R15: 0000000000000000 Aug 7 07:26:16 rx [1006006.616530] ? __cpuidle_text_start+0x8/0x8 Aug 7 07:26:16 rx [1006006.620886] ? default_idle+0x20/0x140 Aug 7 07:26:16 rx [1006006.624804] arch_cpu_idle+0x15/0x20 Aug 7 07:26:16 rx [1006006.628545] default_idle_call+0x23/0x30 Aug 7 07:26:16 rx [1006006.632640] do_idle+0x1fb/0x270 Aug 7 07:26:16 rx [1006006.636035] cpu_startup_entry+0x20/0x30 Aug 7 07:26:16 rx [1006006.640126] start_secondary+0x178/0x1d0 Aug 7 07:26:16 rx [1006006.644218] secondary_startup_64+0xa4/0xb0 Aug 7 07:26:17 rx [1006006.648568] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet ast mii drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 hid_generic mlx5_core pci_hyperv_intf crc32_pclmul usbhid ahci tls mlxfw bnxt_en hid libahci nvme i2c_piix4 nvme_core wmi [last unloaded: cpuid] Aug 7 07:26:17 rx [1006006.726180] CR2: 0000000000000020 Aug 7 07:26:17 rx [1006006.729718] ---[ end trace e0e2e37e4e612984 ]--- Prior to seeing the first crash and on other machines we also see the warning in tcp_send_loss_probe() where packets_out is non-zero, but both transmit and retrans queues are empty so we know the box is seeing some accounting issue in this area: Jul 26 09:15:27 kernel: ------------[ cut here ]------------ Jul 26 09:15:27 kernel: invalid inflight: 2 state 1 cwnd 68 mss 8988 Jul 26 09:15:27 kernel: WARNING: CPU: 16 PID: 0 at net/ipv4/tcp_output.c:2605 tcp_send_loss_probe+0x214/0x220 Jul 26 09:15:27 kernel: Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif joydev input_leds rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_he> Jul 26 09:15:27 kernel: CPU: 16 PID: 0 Comm: swapper/16 Not tainted 5.4.0-174-generic #193-Ubuntu Jul 26 09:15:27 kernel: Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023 Jul 26 09:15:27 kernel: RIP: 0010:tcp_send_loss_probe+0x214/0x220 Jul 26 09:15:27 kernel: Code: 08 26 01 00 75 e2 41 0f b6 54 24 12 41 8b 8c 24 c0 06 00 00 45 89 f0 48 c7 c7 e0 b4 20 a7 c6 05 8d 08 26 01 01 e8 4a c0 0f 00 <0f> 0b eb ba 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41 Jul 26 09:15:27 kernel: RSP: 0018:ffffb7838088ce00 EFLAGS: 00010286 Jul 26 09:15:27 kernel: RAX: 0000000000000000 RBX: ffff9b84b5630430 RCX: 0000000000000006 Jul 26 09:15:27 kernel: RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9b8e4621c8c0 Jul 26 09:15:27 kernel: RBP: ffffb7838088ce18 R08: 0000000000000927 R09: 0000000000000004 Jul 26 09:15:27 kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff9b84b5630000 Jul 26 09:15:27 kernel: R13: 0000000000000000 R14: 000000000000231c R15: ffff9b84b5630430 Jul 26 09:15:27 kernel: FS: 0000000000000000(0000) GS:ffff9b8e46200000(0000) knlGS:0000000000000000 Jul 26 09:15:27 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Jul 26 09:15:27 kernel: CR2: 000056238cec2380 CR3: 0000003e49ede005 CR4: 0000000000760ee0 Jul 26 09:15:27 kernel: PKRU: 55555554 Jul 26 09:15:27 kernel: Call Trace: Jul 26 09:15:27 kernel: Jul 26 09:15:27 kernel: ? show_regs.cold+0x1a/0x1f Jul 26 09:15:27 kernel: ? __warn+0x98/0xe0 Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 Jul 26 09:15:27 kernel: ? report_bug+0xd1/0x100 Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0 Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50 Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30 Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240 Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0 Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240 Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130 Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280 Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0 Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90 Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0 Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50 Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30 Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220 Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240 Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0 Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240 Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130 Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280 Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0 Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90 Jul 26 09:15:27 kernel: ? recalibrate_cpu_khz+0x10/0x10 Jul 26 09:15:27 kernel: ? ktime_get+0x3e/0xa0 Jul 26 09:15:27 kernel: ? native_x2apic_icr_write+0x30/0x30 Jul 26 09:15:27 kernel: run_timer_softirq+0x2a/0x50 Jul 26 09:15:27 kernel: __do_softirq+0xd1/0x2c1 Jul 26 09:15:27 kernel: irq_exit+0xae/0xb0 Jul 26 09:15:27 kernel: smp_apic_timer_interrupt+0x7b/0x140 Jul 26 09:15:27 kernel: apic_timer_interrupt+0xf/0x20 Jul 26 09:15:27 kernel: Jul 26 09:15:27 kernel: RIP: 0010:native_safe_halt+0xe/0x10 Jul 26 09:15:27 kernel: Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65 Jul 26 09:15:27 kernel: RSP: 0018:ffffb783801cfe70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 Jul 26 09:15:27 kernel: RAX: ffffffffa6908b20 RBX: 0000000000000010 RCX: 0000000000000001 Jul 26 09:15:27 kernel: RDX: 000000006fc0c97e RSI: 0000000000000082 RDI: 0000000000000082 Jul 26 09:15:27 kernel: RBP: ffffb783801cfe90 R08: 0000000000000000 R09: 0000000000000225 Jul 26 09:15:27 kernel: R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000010 Jul 26 09:15:27 kernel: R13: ffff9b8e390b0000 R14: 0000000000000000 R15: 0000000000000000 Jul 26 09:15:27 kernel: ? __cpuidle_text_start+0x8/0x8 Jul 26 09:15:27 kernel: ? default_idle+0x20/0x140 Jul 26 09:15:27 kernel: arch_cpu_idle+0x15/0x20 Jul 26 09:15:27 kernel: default_idle_call+0x23/0x30 Jul 26 09:15:27 kernel: do_idle+0x1fb/0x270 Jul 26 09:15:27 kernel: cpu_startup_entry+0x20/0x30 Jul 26 09:15:27 kernel: start_secondary+0x178/0x1d0 Jul 26 09:15:27 kernel: secondary_startup_64+0xa4/0xb0 Jul 26 09:15:27 kernel: ---[ end trace e7ac822987e33be1 ]--- The NULL ptr deref is coming from tcp_rto_delta_us() attempting to pull an skb off the head of the retransmit queue and then dereferencing that skb to get the skb_mstamp_ns value via tcp_skb_timestamp_us(skb). The crash is the same one that was reported a # of years ago here: https://lore.kernel.org/netdev/86c0f836-9a7c-438b-d81a-839be45f1f58@gmail.com/T/#t and the kernel we're running has the fix which was added to resolve this issue. Unfortunately we've been unsuccessful so far in reproducing this problem in the lab and do not have the luxury of pushing out a new kernel to try and test if newer kernels resolve this issue at the moment. I realize this is a report against both an Ubuntu kernel and also an older 5.4 kernel. I have reported this issue to Ubuntu here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2077657 however I feel like since this issue has possibly cropped up again it makes sense to build in some protection in this path (even on the latest kernel versions) since the code in question just blindly assumes there's a valid skb without testing if it's NULL b/f it looks at the timestamp. Given we have seen crashes in this path before and now this case it seems like we should protect ourselves for when packets_out accounting is incorrect. While we should fix that root cause we should also just make sure the skb is not NULL before dereferencing it. Also add a warn once here to capture some information if/when the problem case is hit again. Fixes: e1a10ef7fa87 ("tcp: introduce tcp_rto_delta_us() helper for xmit timer fix") Signed-off-by: Josh Hunt Acked-by: Neal Cardwell Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ba7e76c73a355a8efa4da9177a0dd20155493437 Author: Thomas Weißschuh Date: Mon Sep 16 20:57:13 2024 +0200 net: ipv6: select DST_CACHE from IPV6_RPL_LWTUNNEL [ Upstream commit 93c21077bb9ba08807c459982d440dbbee4c7af3 ] The rpl sr tunnel code contains calls to dst_cache_*() which are only present when the dst cache is built. Select DST_CACHE to build the dst cache, similar to other kconfig options in the same file. Compiling the rpl sr tunnel without DST_CACHE will lead to linker errors. Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel") Signed-off-by: Thomas Weißschuh Reviewed-by: Simon Horman Tested-by: Simon Horman # build-tested Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 77a77331cef0a219b8dd91361435eeef04cb741c Author: Kaixin Wang Date: Sun Sep 15 22:40:46 2024 +0800 net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition [ Upstream commit b5109b60ee4fcb2f2bb24f589575e10cc5283ad4 ] In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ether3_ledoff ether3_remove | free_netdev(dev); | put_devic | kfree(dev); | | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2); | // use dev Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove. Fixes: 6fd9c53f7186 ("net: seeq: Convert timers to use timer_setup()") Signed-off-by: Kaixin Wang Link: https://patch.msgid.link/20240915144045.451-1-kxwang23@m.fudan.edu.cn Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 10210658f827ad45061581cbfc05924b723e8922 Author: Eric Dumazet Date: Fri Sep 13 17:06:15 2024 +0000 netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() [ Upstream commit 9c778fe48d20ef362047e3376dee56d77f8500d4 ] syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1) Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put() BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 process_backlog+0x4ad/0xa50 net/core/dev.c:6108 __napi_poll+0xe7/0x980 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 __do_softirq+0x14/0x1a kernel/softirq.c:588 do_softirq+0x9a/0x100 kernel/softirq.c:455 __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382 local_bh_enable include/linux/bottom_half.h:33 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline] __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450 dev_queue_xmit include/linux/netdevice.h:3105 [inline] neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565 neigh_output include/net/neighbour.h:542 [inline] ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366 inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135 __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466 tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline] tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143 tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333 __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679 inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750 __sys_connect_file net/socket.c:2061 [inline] __sys_connect+0x606/0x690 net/socket.c:2078 __do_sys_connect net/socket.c:2088 [inline] __se_sys_connect net/socket.c:2085 [inline] __x64_sys_connect+0x91/0xe0 net/socket.c:2085 x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was stored to memory at: nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 process_backlog+0x4ad/0xa50 net/core/dev.c:6108 __napi_poll+0xe7/0x980 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 __do_softirq+0x14/0x1a kernel/softirq.c:588 Uninit was stored to memory at: nf_reject_ip6_tcphdr_put+0x2ca/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:231 nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 process_backlog+0x4ad/0xa50 net/core/dev.c:6108 __napi_poll+0xe7/0x980 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 __do_softirq+0x14/0x1a kernel/softirq.c:588 Uninit was created at: slab_post_alloc_hook mm/slub.c:3998 [inline] slab_alloc_node mm/slub.c:4041 [inline] kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4084 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674 alloc_skb include/linux/skbuff.h:1320 [inline] nf_send_reset6+0x98d/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:327 nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288 nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook include/linux/netfilter.h:269 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310 __netif_receive_skb_one_core net/core/dev.c:5661 [inline] __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775 process_backlog+0x4ad/0xa50 net/core/dev.c:6108 __napi_poll+0xe7/0x980 net/core/dev.c:6772 napi_poll net/core/dev.c:6841 [inline] net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963 handle_softirqs+0x1ce/0x800 kernel/softirq.c:554 __do_softirq+0x14/0x1a kernel/softirq.c:588 Fixes: c8d7b98bec43 ("netfilter: move nf_send_resetX() code to nf_reject_ipvX modules") Reported-by: syzbot Signed-off-by: Eric Dumazet Reviewed-by: Simon Horman Reviewed-by: Pablo Neira Ayuso Link: https://patch.msgid.link/20240913170615.3670897-1-edumazet@google.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 017c5f929a1412bf47fd040af818966fecac8de9 Author: Sean Anderson Date: Fri Sep 13 10:51:56 2024 -0400 net: xilinx: axienet: Fix packet counting [ Upstream commit 5a6caa2cfabb559309b5ce29ee7c8e9ce1a9a9df ] axienet_free_tx_chain returns the number of DMA descriptors it's handled. However, axienet_tx_poll treats the return as the number of packets. When scatter-gather SKBs are enabled, a single packet may use multiple DMA descriptors, which causes incorrect packet counts. Fix this by explicitly keepting track of the number of packets processed as separate from the DMA descriptors. Budget does not affect the number of Tx completions we can process for NAPI, so we use the ring size as the limit instead of budget. As we no longer return the number of descriptors processed to axienet_tx_poll, we now update tx_bd_ci in axienet_free_tx_chain. Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Sean Anderson Link: https://patch.msgid.link/20240913145156.2283067-1-sean.anderson@linux.dev Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 35dce3932612fe970453e7e4457252ea517f838a Author: Sean Anderson Date: Fri Sep 13 10:57:11 2024 -0400 net: xilinx: axienet: Schedule NAPI in two steps [ Upstream commit ba0da2dc934ec5ac32bbeecbd0670da16ba03565 ] As advised by Documentation/networking/napi.rst, masking IRQs after calling napi_schedule can be racy. Avoid this by only masking/scheduling if napi_schedule_prep returns true. Fixes: 9e2bc267e780 ("net: axienet: Use NAPI for TX completion path") Fixes: cc37610caaf8 ("net: axienet: implement NAPI and GRO receive") Signed-off-by: Sean Anderson Reviewed-by: Shannon Nelson Reviewed-by: Eric Dumazet Link: https://patch.msgid.link/20240913145711.2284295-1-sean.anderson@linux.dev Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit f9d10b6abe0d249b2bdbbbc50bd3fe16365c874e Author: Vladimir Oltean Date: Fri Sep 13 15:12:30 2024 +0300 net: phy: aquantia: fix -ETIMEDOUT PHY probe failure when firmware not present [ Upstream commit 194ef9d0de9021df4a0ba8b112f91e56adaddd22 ] The author of the blamed commit apparently did not notice something about aqr_wait_reset_complete(): it polls the exact same register - MDIO_MMD_VEND1:VEND1_GLOBAL_FW_ID - as aqr_firmware_load(). Thus, the entire logic after the introduction of aqr_wait_reset_complete() is now completely side-stepped, because if aqr_wait_reset_complete() succeeds, MDIO_MMD_VEND1:VEND1_GLOBAL_FW_ID could have only been a non-zero value. The handling of the case where the register reads as 0 is dead code, due to the previous -ETIMEDOUT having stopped execution and returning a fatal error to the caller. We never attempt to load new firmware if no firmware is present. Based on static code analysis, I guess we should simply introduce a switch/case statement based on the return code from aqr_wait_reset_complete(), to determine whether to load firmware or not. I am not intending to change the procedure through which the driver determines whether to load firmware or not, as I am unaware of alternative possibilities. At the same time, Russell King suggests that if aqr_wait_reset_complete() is expected to return -ETIMEDOUT as part of normal operation and not just catastrophic failure, the use of phy_read_mmd_poll_timeout() is improper, since that has an embedded print inside. Just open-code a call to read_poll_timeout() to avoid printing -ETIMEDOUT, but continue printing actual read errors from the MDIO bus. Fixes: ad649a1fac37 ("net: phy: aquantia: wait for FW reset before checking the vendor ID") Reported-by: Clark Wang Reported-by: Jon Hunter Closes: https://lore.kernel.org/netdev/8ac00a45-ac61-41b4-9f74-d18157b8b6bf@nvidia.com/ Reported-by: Hans-Frieder Vogt Closes: https://lore.kernel.org/netdev/c7c1a3ae-be97-4929-8d89-04c8aa870209@gmx.net/ Signed-off-by: Vladimir Oltean Tested-by: Bartosz Golaszewski Tested-by: Hans-Frieder Vogt Link: https://patch.msgid.link/20240913121230.2620122-1-vladimir.oltean@nxp.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 3133824923a0e5fff84164cdfcc5f49779c09eef Author: Mikulas Patocka Date: Fri Sep 13 15:05:18 2024 +0200 Revert "dm: requeue IO if mapping table not yet available" [ Upstream commit c8691cd0fc11197515ed148de0780d927bfca38b ] This reverts commit fa247089de9936a46e290d4724cb5f0b845600f5. The following sequence of commands causes a livelock - there will be workqueue process looping and consuming 100% CPU: dmsetup create --notable test truncate -s 1MiB testdata losetup /dev/loop0 testdata dmsetup load test --table '0 2048 linear /dev/loop0 0' dd if=/dev/zero of=/dev/dm-0 bs=16k count=1 conv=fdatasync The livelock is caused by the commit fa247089de99. The commit claims that it fixes a race condition, however, it is unknown what the actual race condition is and what program is involved in the race condition. When the inactive table is loaded, the nodes /dev/dm-0 and /sys/block/dm-0 are created. /dev/dm-0 has zero size at this point. When the device is suspended and resumed, the nodes /dev/mapper/test and /dev/disk/* are created. If some program opens a block device before it is created by dmsetup or lvm, the program is buggy, so dm could just report an error as it used to do before. Reported-by: Zdenek Kabelac Signed-off-by: Mikulas Patocka Fixes: fa247089de99 ("dm: requeue IO if mapping table not yet available") Signed-off-by: Sasha Levin commit 18998de2808b8eb52b56d34fec6794e9b866ad9c Author: Johannes Berg Date: Tue Jul 23 14:24:56 2024 +0200 um: remove ARCH_NO_PREEMPT_DYNAMIC [ Upstream commit 64dcf0b8779363ca07dfb5649a4cc71f9fdf390b ] There's no such symbol and we currently don't have any of the mechanisms to make boot-time selection cheap enough, so we can't have HAVE_PREEMPT_DYNAMIC_CALL or HAVE_PREEMPT_DYNAMIC_KEY. Remove the select statement. Reported-by: Lukas Bulwahn Fixes: cd01672d64a3 ("um: Enable preemption in UML") Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit ae59eaf36a1ad396e9f657ec9b8b52da6206ed5f Author: Dan Carpenter Date: Wed Sep 11 10:39:15 2024 +0300 ep93xx: clock: Fix off by one in ep93xx_div_recalc_rate() [ Upstream commit c7f06284a6427475e3df742215535ec3f6cd9662 ] The psc->div[] array has psc->num_div elements. These values come from when we call clk_hw_register_div(). It's adc_divisors and ARRAY_SIZE(adc_divisors)) and so on. So this condition needs to be >= instead of > to prevent an out of bounds read. Fixes: 9645ccc7bd7a ("ep93xx: clock: convert in-place to COMMON_CLK") Signed-off-by: Dan Carpenter Acked-by: Alexander Sverdlin Reviewed-by: Nikita Shubin Signed-off-by: Alexander Sverdlin Link: https://lore.kernel.org/r/1caf01ad4c0a8069535813c26c7f0b8ea011155e.camel@linaro.org Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 7cf2fb51175cafe01df8c43fa15a06194a59c6e2 Author: Jason Wang Date: Fri Aug 16 11:19:00 2024 +0800 vhost_vdpa: assign irq bypass producer token correctly [ Upstream commit 02e9e9366fefe461719da5d173385b6685f70319 ] We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not. Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status(). Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set. Reported-by: Dragos Tatulea Tested-by: Dragos Tatulea Reviewed-by: Dragos Tatulea Fixes: 2cf1ba9a4d15 ("vhost_vdpa: implement IRQ offloading in vhost_vdpa") Signed-off-by: Jason Wang Message-Id: <20240816031900.18013-1-jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin commit 5fe351def237df1ad29aa8af574350bc5340b4cf Author: Dragos Tatulea Date: Tue Aug 27 19:08:08 2024 +0300 vdpa/mlx5: Fix invalid mr resource destroy [ Upstream commit dc12502905b7a3de9097ea6b98870470c2921e09 ] Certain error paths from mlx5_vdpa_dev_add() can end up releasing mr resources which never got initialized in the first place. This patch adds the missing check in mlx5_vdpa_destroy_mr_resources() to block releasing non-initialized mr resources. Reference trace: mlx5_core 0000:08:00.2: mlx5_vdpa_dev_add:3274:(pid 2700) warning: No mac address provisioned? BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 140216067 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 8 PID: 2700 Comm: vdpa Kdump: loaded Not tainted 5.14.0-496.el9.x86_64 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb] Code: [...] RSP: 0018:ff1c823ac23077f0 EFLAGS: 00010246 RAX: ffffffffc1a21a60 RBX: ffffffff899567a0 RCX: 0000000000000000 RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff1bda1f7c21e800 R08: 0000000000000000 R09: ff1c823ac2307670 R10: ff1c823ac2307668 R11: ffffffff8a9e7b68 R12: 0000000000000000 R13: 0000000000000000 R14: ff1bda1f43e341a0 R15: 00000000ffffffea FS: 00007f56eba7c740(0000) GS:ff1bda269f800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000104d90001 CR4: 0000000000771ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa] ? __die_body.cold+0x8/0xd ? page_fault_oops+0x134/0x170 ? __irq_work_queue_local+0x2b/0xc0 ? irq_work_queue+0x2c/0x50 ? exc_page_fault+0x62/0x150 ? asm_exc_page_fault+0x22/0x30 ? __pfx_mlx5_vdpa_free+0x10/0x10 [mlx5_vdpa] ? vhost_iotlb_del_range+0xf/0xe0 [vhost_iotlb] mlx5_vdpa_free+0x3d/0x150 [mlx5_vdpa] vdpa_release_dev+0x1e/0x50 [vdpa] device_release+0x31/0x90 kobject_cleanup+0x37/0x130 mlx5_vdpa_dev_add+0x2d2/0x7a0 [mlx5_vdpa] vdpa_nl_cmd_dev_add_set_doit+0x277/0x4c0 [vdpa] genl_family_rcv_msg_doit+0xd9/0x130 genl_family_rcv_msg+0x14d/0x220 ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa] ? _copy_to_user+0x1a/0x30 ? move_addr_to_user+0x4b/0xe0 genl_rcv_msg+0x47/0xa0 ? __import_iovec+0x46/0x150 ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x245/0x370 netlink_sendmsg+0x206/0x440 __sys_sendto+0x1dc/0x1f0 ? do_read_fault+0x10c/0x1d0 ? do_pte_missing+0x10d/0x190 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x5c/0xf0 ? __count_memcg_events+0x4f/0xb0 ? mm_account_fault+0x6c/0x100 ? handle_mm_fault+0x116/0x270 ? do_user_addr_fault+0x1d6/0x6a0 ? do_syscall_64+0x6b/0xf0 ? clear_bhb_loop+0x25/0x80 ? clear_bhb_loop+0x25/0x80 ? clear_bhb_loop+0x25/0x80 ? clear_bhb_loop+0x25/0x80 ? clear_bhb_loop+0x25/0x80 entry_SYSCALL_64_after_hwframe+0x78/0x80 Fixes: 512c0cdd80c1 ("vdpa/mlx5: Decouple cvq iotlb handling from hw mapping code") Signed-off-by: Dragos Tatulea Reviewed-by: Cosmin Ratiu Message-Id: <20240827160808.2448017-2-dtatulea@nvidia.com> Signed-off-by: Michael S. Tsirkin Reviewed-by: Si-Wei Liu Acked-by: Jason Wang Reviewed-by: Shannon Nelson Signed-off-by: Sasha Levin commit b8674ab56d2dbb7993101cf24b81987afa82dabc Author: Yanfei Xu Date: Wed Aug 28 16:42:28 2024 +0800 cxl/pci: Fix to record only non-zero ranges [ Upstream commit 55e268694e8b07026c88191f9b6949b6887d9ce3 ] The function cxl_dvsec_rr_decode() retrieves and records DVSEC ranges into info->dvsec_range[], regardless of whether it is non-zero range, and the variable info->ranges indicates the number of non-zero ranges. However, in cxl_hdm_decode_init(), the validation for info->dvsec_range[] occurs in a for loop that iterates based on info->ranges. It may result in zero range to be validated but non-zero range not be validated, in turn, the number of allowed ranges is to be 0. Address it by only record non-zero ranges. This fix is not urgent as it requires a configuration that zeroes out the first dvsec range while populating the second. This has not been observed, but it is theoretically possible. If this gets picked up for -stable, no harm done, but there is no urgency to backport. Fixes: 560f78559006 ("cxl/pci: Retrieve CXL DVSEC memory info") Reviewed-by: Jonathan Cameron Signed-off-by: Yanfei Xu Reviewed-by: Alison Schofield Link: https://patch.msgid.link/20240828084231.1378789-2-yanfei.xu@intel.com Signed-off-by: Dave Jiang Signed-off-by: Sasha Levin commit 756492529d7c274f32cf917e5feb298784f62f97 Author: Mikulas Patocka Date: Tue Sep 3 11:50:11 2024 +0200 dm integrity: fix gcc 5 warning [ Upstream commit a8fa6483b40943a6c8feea803a2dc8e9982cc766 ] This commit fixes gcc 5 warning "logical not is only applied to the left hand side of comparison" Reported-by: Geert Uytterhoeven Fixes: fb0987682c62 ("dm-integrity: introduce the Inline mode") Signed-off-by: Mikulas Patocka Signed-off-by: Sasha Levin commit b82de568214f748033e6cfc1d25f5c7aebffbbea Author: Dmitry Baryshkov Date: Sun Aug 4 08:40:12 2024 +0300 interconnect: qcom: sm8250: Enable sync_state [ Upstream commit d3681b30214eb5885092ce4586f07237dc3c522f ] Enable the generic icc sync_state callback to ensure interconnect votes are actually taken into account, instead of being forced to the maximum value. Fixes: b95b668eaaa2 ("interconnect: qcom: icc-rpmh: Add BCMs to commit list in pre_aggregate") Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-8-1149dd8399fe@linaro.org Signed-off-by: Georgi Djakov Signed-off-by: Sasha Levin commit 5c78b3fad622bf13f183fac70da71d075dde4cf6 Author: Kees Cook Date: Tue Jul 16 14:48:23 2024 -0700 interconnect: icc-clk: Add missed num_nodes initialization [ Upstream commit c801ed86840ec38b2a9bcafeee3d7c9e14c743f3 ] With the new __counted_by annotation, the "num_nodes" struct member must be set before accessing the "nodes" array. This initialization was done in other places where a new struct icc_onecell_data is allocated, but this case in icc_clk_register() was missed. Set "num_nodes" after allocation. Fixes: dd4904f3b924 ("interconnect: qcom: Annotate struct icc_onecell_data with __counted_by") Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/20240716214819.work.328-kees@kernel.org Signed-off-by: Georgi Djakov Signed-off-by: Sasha Levin commit 66ad170823ba4191827b22a1d8900d07fb2e2724 Author: Suzuki K Poulose Date: Tue Jul 2 14:28:46 2024 +0100 coresight: tmc: sg: Do not leak sg_table [ Upstream commit c58dc5a1f886f2fcc1133746d0cbaa1fe7fd44ff ] Running perf with cs_etm on Juno triggers the following kmemleak warning ! :~# cat /sys/kernel/debug/kmemleak unreferenced object 0xffffff8806b6d720 (size 96): comm "perf", pid 562, jiffies 4297810960 hex dump (first 32 bytes): 38 d8 13 07 88 ff ff ff 00 d0 9e 85 c0 ff ff ff 8............... 00 10 00 88 c0 ff ff ff 00 f0 ff f7 ff 00 00 00 ................ backtrace (crc 1dbf6e00): [] kmemleak_alloc+0xbc/0xd8 [] kmalloc_trace_noprof+0x220/0x2e8 [] tmc_alloc_sg_table+0x48/0x208 [coresight_tmc] [] tmc_etr_alloc_sg_buf+0xac/0x240 [coresight_tmc] [] tmc_alloc_etr_buf.constprop.0+0x1f0/0x260 [coresight_tmc] [] alloc_etr_buf.constprop.0.isra.0+0x74/0xa8 [coresight_tmc] [] tmc_alloc_etr_buffer+0x110/0x260 [coresight_tmc] [] etm_setup_aux+0x204/0x3b0 [coresight] [] rb_alloc_aux+0x20c/0x318 [] perf_mmap+0x2e4/0x7a0 [] mmap_region+0x3b0/0xa08 [] do_mmap+0x3a0/0x500 [] vm_mmap_pgoff+0x100/0x1d0 [] ksys_mmap_pgoff+0xb8/0x110 [] __arm64_sys_mmap+0x38/0x58 [] invoke_syscall.constprop.0+0x58/0x100 This due to the fact that we do not free the "sg_table" itself while freeing up the SG table and data pages. Fix this by freeing the sg_table in tmc_free_sg_table(). Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework") Cc: Mike Leach Cc: James Clark Signed-off-by: Suzuki K Poulose Reviewed-by: Anshuman Khandual Link: https://lore.kernel.org/r/20240702132846.1677261-1-suzuki.poulose@arm.com Signed-off-by: Sasha Levin commit eb52ae23468e5efd481987de410f265f1dd6e394 Author: Jie Gan Date: Mon Aug 12 12:28:44 2024 +0800 Coresight: Set correct cs_mode for dummy source to fix disable issue [ Upstream commit e6b64cda393efd84709ab3df2e42d36d36d7553e ] The coresight_disable_source_sysfs function should verify the mode of the coresight device before disabling the source. However, the mode for the dummy source device is always set to CS_MODE_DISABLED, resulting in the check consistently failing. As a result, dummy source cannot be properly disabled. Configure CS_MODE_SYSFS/CS_MODE_PERF during the enablement. Configure CS_MODE_DISABLED during the disablement. Fixes: 9d3ba0b6c056 ("Coresight: Add coresight dummy driver") Signed-off-by: Jie Gan Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20240812042844.2890115-1-quic_jiegan@quicinc.com Signed-off-by: Sasha Levin commit 03b2956ce10a4a19c2225d16ece7e345f9cdb562 Author: Jie Gan Date: Mon Aug 12 12:30:43 2024 +0800 Coresight: Set correct cs_mode for TPDM to fix disable issue [ Upstream commit 14f5fa9b5fcbe2b3d5098893aba6ad62254d2ef6 ] The coresight_disable_source_sysfs function should verify the mode of the coresight device before disabling the source. However, the mode for the TPDM device is always set to CS_MODE_DISABLED, resulting in the check consistently failing. As a result, TPDM cannot be properly disabled. Configure CS_MODE_SYSFS/CS_MODE_PERF during the enablement. Configure CS_MODE_DISABLED during the disablement. Fixes: b3c71626a933 ("Coresight: Add coresight TPDM source driver") Signed-off-by: Jie Gan Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20240812043043.2890694-1-quic_jiegan@quicinc.com Signed-off-by: Sasha Levin commit ca6c500b598b7715e5ecb26780b245d98483e1ba Author: Markus Schneider-Pargmann Date: Wed Aug 7 16:12:25 2024 +0200 serial: 8250: omap: Cleanup on error in request_irq [ Upstream commit 35e648a16018b747897be2ccc3ce95ff23237bb5 ] If devm_request_irq fails, the code does not cleanup many things that were setup before. Instead of directly returning ret we should jump to err. Fixes: fef4f600319e ("serial: 8250: omap: Fix life cycle issues for interrupt handlers") Signed-off-by: Markus Schneider-Pargmann Reviewed-by: Kevin Hilman Tested-by: Kevin Hilman Link: https://lore.kernel.org/r/20240807141227.1093006-4-msp@baylibre.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit dcb9d581dee4c23f2378b6650511ece80dda4e2f Author: Jinjie Ruan Date: Mon Aug 12 16:06:58 2024 +0800 driver core: Fix a potential null-ptr-deref in module_add_driver() [ Upstream commit 18ec12c97b39ff6aa15beb8d2b25d15cd44b87d8 ] Inject fault while probing of-fpga-region, if kasprintf() fails in module_add_driver(), the second sysfs_remove_link() in exit path will cause null-ptr-deref as below because kernfs_name_hash() will call strlen() with NULL driver_name. Fix it by releasing resources based on the exit path sequence. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [dfffffc000000000] address between user and kernel address ranges Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: of_fpga_region(+) fpga_region fpga_bridge cfg80211 rfkill 8021q garp mrp stp llc ipv6 [last unloaded: of_fpga_region] CPU: 2 UID: 0 PID: 2036 Comm: modprobe Not tainted 6.11.0-rc2-g6a0e38264012 #295 Hardware name: linux,dummy-virt (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : strlen+0x24/0xb0 lr : kernfs_name_hash+0x1c/0xc4 sp : ffffffc081f97380 x29: ffffffc081f97380 x28: ffffffc081f97b90 x27: ffffff80c821c2a0 x26: ffffffedac0be418 x25: 0000000000000000 x24: ffffff80c09d2000 x23: 0000000000000000 x22: 0000000000000000 x21: 0000000000000000 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000001840 x17: 0000000000000000 x16: 0000000000000000 x15: 1ffffff8103f2e42 x14: 00000000f1f1f1f1 x13: 0000000000000004 x12: ffffffb01812d61d x11: 1ffffff01812d61c x10: ffffffb01812d61c x9 : dfffffc000000000 x8 : 0000004fe7ed29e4 x7 : ffffff80c096b0e7 x6 : 0000000000000001 x5 : ffffff80c096b0e0 x4 : 1ffffffdb990efa2 x3 : 0000000000000000 x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000000 Call trace: strlen+0x24/0xb0 kernfs_name_hash+0x1c/0xc4 kernfs_find_ns+0x118/0x2e8 kernfs_remove_by_name_ns+0x80/0x100 sysfs_remove_link+0x74/0xa8 module_add_driver+0x278/0x394 bus_add_driver+0x1f0/0x43c driver_register+0xf4/0x3c0 __platform_driver_register+0x60/0x88 of_fpga_region_init+0x20/0x1000 [of_fpga_region] do_one_initcall+0x110/0x788 do_init_module+0x1dc/0x5c8 load_module+0x3c38/0x4cac init_module_from_file+0xd4/0x128 idempotent_init_module+0x2cc/0x528 __arm64_sys_finit_module+0xac/0x100 invoke_syscall+0x6c/0x258 el0_svc_common.constprop.0+0x160/0x22c do_el0_svc+0x44/0x5c el0_svc+0x48/0xb8 el0t_64_sync_handler+0x13c/0x158 el0t_64_sync+0x190/0x194 Code: f2fbffe1 a90157f4 12000802 aa0003f5 (38e16861) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception Fixes: 85d2b0aa1703 ("module: don't ignore sysfs_create_link() failures") Signed-off-by: Jinjie Ruan Link: https://lore.kernel.org/r/20240812080658.2791982-1-ruanjinjie@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a5c79834350f7b01a9cadca82b71b6d73e1bbe9c Author: Krzysztof Kozlowski Date: Tue Aug 6 07:30:16 2024 +0200 dt-bindings: iio: asahi-kasei,ak8975: drop incorrect AK09116 compatible [ Upstream commit c7668ac67bc21aebdd8e2d7f839bfffba31b7713 ] All compatibles in this binding without prefixes were deprecated, so adding a new deprecated one after some time is not allowed, because it defies the core logic of deprecating things. Drop the AK09916 vendorless compatible. Fixes: 76e28aa97fa0 ("iio: magnetometer: ak8975: add AK09116 support") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Conor Dooley Link: https://patch.msgid.link/20240806053016.6401-2-krzysztof.kozlowski@linaro.org Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 2c6715aaf634836debfd0e86410ce087bf691425 Author: Krzysztof Kozlowski Date: Tue Aug 6 07:30:15 2024 +0200 iio: magnetometer: ak8975: drop incorrect AK09116 compatible [ Upstream commit da6e3160df230692bbd48a6d52318035f19595e2 ] All compatibles in this binding without prefixes were deprecated, so adding a new deprecated one after some time is not allowed, because it defies the core logic of deprecating things. Drop the AK09916 vendorless compatible. Fixes: 76e28aa97fa0 ("iio: magnetometer: ak8975: add AK09116 support") Signed-off-by: Krzysztof Kozlowski Link: https://patch.msgid.link/20240806053016.6401-1-krzysztof.kozlowski@linaro.org Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 75b26b526b299bbdddeb4fcf5803a411c0d09e41 Author: Vasileios Amoiridis Date: Mon Jun 10 01:38:12 2024 +0200 iio: chemical: bme680: Fix read/write ops to device by adding mutexes [ Upstream commit 77641e5a477d428335cd094b88ac54e09ccb70f4 ] Add mutexes in the {read/write}_raw() functions of the device to guard the read/write of data from/to the device. This is necessary because for any operation other than temperature, multiple reads need to take place from the device. Even though regmap has a locking by itself, it won't protect us from multiple applications trying to read at the same time temperature and pressure since the pressure reading includes an internal temperature reading and there is nothing to ensure that this temperature+pressure reading will happen sequentially without any other operation interfering in the meantime. Fixes: 1b3bd8592780 ("iio: chemical: Add support for Bosch BME680 sensor") Signed-off-by: Vasileios Amoiridis Link: https://patch.msgid.link/20240609233826.330516-2-vassilisamir@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 3fd547ad1ab7db6e37369ea47b323966e667eb56 Author: Antoniu Miclaus Date: Tue Jul 2 11:18:50 2024 +0300 ABI: testing: fix admv8818 attr description [ Upstream commit 7d34b4ad8cd2867b130b5b8d7d76d0d6092bd019 ] Fix description of the filter_mode_available attribute by pointing to the correct name of the attribute that can be written with valid values. Fixes: bf92d87d7c67 ("iio:filter:admv8818: Add sysfs ABI documentation") Signed-off-by: Antoniu Miclaus Link: https://patch.msgid.link/20240702081851.4663-1-antoniu.miclaus@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit d33f0ab8943a1d171b35713c896007088f70c781 Author: Zijun Hu Date: Mon Jul 22 22:48:10 2024 +0800 driver core: Fix error handling in driver API device_rename() [ Upstream commit 6d8249ac29bc23260dfa9747eb398ce76012d73c ] For class-device, device_rename() failure maybe cause unexpected link name within its class folder as explained below: /sys/class/.../old_name -> /sys/devices/.../old_name device_rename(..., new_name) and failed /sys/class/.../new_name -> /sys/devices/.../old_name Fixed by undoing renaming link if renaming kobject failed. Fixes: f349cf34731c ("driver core: Implement ns directory support for device classes.") Signed-off-by: Zijun Hu Link: https://lore.kernel.org/r/20240722-device_rename_fix-v2-1-77de1a6c6495@quicinc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7d7e4a39c815c46766ca292510e03d9a8aba7ceb Author: Guillaume Stols Date: Tue Jul 2 17:34:11 2024 +0000 iio: adc: ad7606: fix standby gpio state to match the documentation [ Upstream commit 059fe4f8bbdf5cad212e1aeeb3e8968c80b9ff3b ] The binding's documentation specifies that "As the line is active low, it should be marked GPIO_ACTIVE_LOW". However, in the driver, it was handled the opposite way. This commit sets the driver's behaviour in sync with the documentation Fixes: 722407a4e8c0 ("staging:iio:ad7606: Use GPIO descriptor API") Signed-off-by: Guillaume Stols Reviewed-by: Nuno Sa Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 129d8d1d56bc67d60a7f527977f283f314d3dfe6 Author: Guillaume Stols Date: Tue Jul 2 17:34:10 2024 +0000 iio: adc: ad7606: fix oversampling gpio array [ Upstream commit 8dc4594b54dbaaba40dc8884ad3d42083de39434 ] gpiod_set_array_value was misused here: the implementation relied on the assumption that an unsigned long was required for each gpio, while the function expects a bit array stored in "as much unsigned long as needed for storing one bit per GPIO", i.e it is using a bit field. This leaded to incorrect parameter passed to gpiod_set_array_value, that would set 1 value instead of 3. It also prevents to select the software mode correctly for the AD7606B. Fixes: d2a415c86c6b ("iio: adc: ad7606: Add support for AD7606B ADC") Fixes: 41f71e5e7daf ("staging: iio: adc: ad7606: Use find_closest() macro") Signed-off-by: Guillaume Stols Reviewed-by: Nuno Sa Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit c99bc082f56829034b5b5dee507210deb55a0d3b Author: Hannes Reinecke Date: Sat Sep 14 14:01:22 2024 +0200 nvme-multipath: system fails to create generic nvme device [ Upstream commit 63bcf9014e95a7d279d10d8e2caa5d88db2b1855 ] NVME_NSHEAD_DISK_LIVE is a flag for struct nvme_ns_head, not nvme_ns. The current code has a typo causing NVME_NSHEAD_DISK_LIVE never to be cleared once device_add_disk_fails, causing the system never to create the 'generic' character device. Even several rescan attempts will change the situation and the system has to be rebooted to fix the issue. Fixes: 11384580e332 ("nvme-multipath: add error handling support for add_disk()") Signed-off-by: Hannes Reinecke Reviewed-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch Signed-off-by: Sasha Levin commit b54031de65151fded343f29607ef15a2888c0204 Author: Roi Azarzar Date: Sun Sep 15 10:27:35 2024 +0000 NFSv4.2: Fix detection of "Proxying of Times" server support [ Upstream commit 615e693b14ba22e1332c3bd5a4e038284bbc3e07 ] According to draft-ietf-nfsv4-delstid-07: If a server informs the client via the fattr4_open_arguments attribute that it supports OPEN_ARGS_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS and it returns a valid delegation stateid for an OPEN operation which sets the OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS flag, then it MUST query the client via a CB_GETATTR for the fattr4_time_deleg_access (see Section 5.2) attribute and fattr4_time_deleg_modify attribute (see Section 5.2). Thus, we should look that the server supports proxying of times via OPEN4_SHARE_ACCESS_WANT_DELEG_TIMESTAMPS. We want to be extra pedantic and continue to check that FATTR4_TIME_DELEG_ACCESS and FATTR4_TIME_DELEG_MODIFY are set. The server needs to expose both for the client to correctly detect "Proxying of Times" support. Signed-off-by: Roi Azarzar Reviewed-by: Jeff Layton Fixes: dcb3c20f7419 ("NFSv4: Add a capability for delegated attributes") Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit e2c5d581a7ccf85f02306977309db226a0390db2 Author: Alexander Dahl Date: Wed Sep 18 10:27:43 2024 +0200 spi: atmel-quadspi: Avoid overwriting delay register settings [ Upstream commit 329ca3eed4a9a161515a8714be6ba182321385c7 ] Previously the MR and SCR registers were just set with the supposedly required values, from cached register values (cached reg content initialized to zero). All parts fixed here did not consider the current register (cache) content, which would make future support of cs_setup, cs_hold, and cs_inactive impossible. Setting SCBR in atmel_qspi_setup() erases a possible DLYBS setting from atmel_qspi_set_cs_timing(). The DLYBS setting is applied by ORing over the current setting, without resetting the bits first. All writes to MR did not consider possible settings of DLYCS and DLYBCT. Signed-off-by: Alexander Dahl Fixes: f732646d0ccd ("spi: atmel-quadspi: Add support for configuring CS timing") Link: https://patch.msgid.link/20240918082744.379610-2-ada@thorsis.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit fe7f10bbc0bbce38ca7024ae6eda19b14c28fc5e Author: Lorenzo Bianconi Date: Thu Sep 19 18:57:16 2024 +0200 spi: airoha: remove read cache in airoha_snand_dirmap_read() [ Upstream commit fffca269e4f31c3633c6d810833ba1b184407915 ] Current upstream driver reports errors running mtd_oobtest kernel module test: root@OpenWrt:/# insmod mtd_test.ko root@OpenWrt:/# insmod mtd_oobtest.ko dev=5 [ 7023.730584] ================================================= [ 7023.736399] mtd_oobtest: MTD device: 5 [ 7023.740160] mtd_oobtest: MTD device size 3670016, eraseblock size 131072, page size 2048, count of eraseblocks 28, pages per eraseblock 64, OOB size 128 [ 7023.753837] mtd_test: scanning for bad eraseblocks [ 7023.758636] mtd_test: scanned 28 eraseblocks, 0 are bad [ 7023.763861] mtd_oobtest: test 1 of 5 [ 7024.042076] mtd_oobtest: writing OOBs of whole device [ 7024.682069] mtd_oobtest: written up to eraseblock 0 [ 7041.962077] mtd_oobtest: written 28 eraseblocks [ 7041.966626] mtd_oobtest: verifying all eraseblocks [ 7041.972276] mtd_oobtest: error @addr[0x0:0x0] 0xff -> 0xe diff 0xf1 [ 7041.978550] mtd_oobtest: error @addr[0x0:0x1] 0xff -> 0x10 diff 0xef [ 7041.984932] mtd_oobtest: error @addr[0x0:0x2] 0xff -> 0x82 diff 0x7d [ 7041.991293] mtd_oobtest: error @addr[0x0:0x3] 0xff -> 0x10 diff 0xef [ 7041.997659] mtd_oobtest: error @addr[0x0:0x4] 0xff -> 0x0 diff 0xff [ 7042.003942] mtd_oobtest: error @addr[0x0:0x5] 0xff -> 0x8a diff 0x75 [ 7042.010294] mtd_oobtest: error @addr[0x0:0x6] 0xff -> 0x20 diff 0xdf [ 7042.016659] mtd_oobtest: error @addr[0x0:0x7] 0xff -> 0x1 diff 0xfe [ 7042.022935] mtd_oobtest: error @addr[0x0:0x8] 0xff -> 0x2e diff 0xd1 [ 7042.029295] mtd_oobtest: error @addr[0x0:0x9] 0xff -> 0x40 diff 0xbf [ 7042.035661] mtd_oobtest: error @addr[0x0:0xa] 0xff -> 0x0 diff 0xff [ 7042.041935] mtd_oobtest: error @addr[0x0:0xb] 0xff -> 0x89 diff 0x76 [ 7042.048300] mtd_oobtest: error @addr[0x0:0xc] 0xff -> 0x82 diff 0x7d [ 7042.054662] mtd_oobtest: error @addr[0x0:0xd] 0xff -> 0x15 diff 0xea [ 7042.061014] mtd_oobtest: error @addr[0x0:0xe] 0xff -> 0x90 diff 0x6f [ 7042.067380] mtd_oobtest: error @addr[0x0:0xf] 0xff -> 0x0 diff 0xff .... [ 7432.421369] mtd_oobtest: error @addr[0x237800:0x36] 0xff -> 0x5f diff 0xa0 [ 7432.428242] mtd_oobtest: error @addr[0x237800:0x37] 0xff -> 0x21 diff 0xde [ 7432.435118] mtd_oobtest: error: verify failed at 0x237800 [ 7432.440510] mtd_oobtest: error: too many errors [ 7432.445053] mtd_oobtest: error -1 occurred The above errors are due to the buggy logic in the 'read cache' available in airoha_snand_dirmap_read() routine since there are some corner cases where we are missing data updates. Since we do not get any read/write speed improvement using the cache (according to the mtd_speedtest kernel module test), in order to fix the mtd_oobtest test, remove the 'read cache' in airoha_snand_dirmap_read routine. Now the driver is passing all the tests available in mtd_test suite. Fixes: a403997c1201 ("spi: airoha: add SPI-NAND Flash controller driver") Tested-by: Christian Marangi Signed-off-by: Lorenzo Bianconi Link: https://patch.msgid.link/20240919-airoha-spi-fixes-v2-1-cb0f0ed9920a@kernel.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 61bc8a4d1f37fc93aff8fa898c591c03f48a948c Author: Ming Lei Date: Thu Sep 19 10:17:09 2024 +0800 lib/sbitmap: define swap_lock as raw_spinlock_t [ Upstream commit 65f666c6203600053478ce8e34a1db269a8701c9 ] When called from sbitmap_queue_get(), sbitmap_deferred_clear() may be run with preempt disabled. In RT kernel, spin_lock() can sleep, then warning of "BUG: sleeping function called from invalid context" can be triggered. Fix it by replacing it with raw_spin_lock. Cc: Yang Yang Fixes: 72d04bdcf3f7 ("sbitmap: fix io hung due to race on sbitmap_word::cleared") Signed-off-by: Ming Lei Reviewed-by: Yang Yang Link: https://lore.kernel.org/r/20240919021709.511329-1-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 4b7d16f46ef7762746c46fec9316ce5a89626e3a Author: Jinjie Ruan Date: Fri Sep 6 10:12:51 2024 +0800 spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time [ Upstream commit 3b577de206d52dbde9428664b6d823d35a803d75 ] It's important to undo pm_runtime_use_autosuspend() with pm_runtime_dont_use_autosuspend() at driver exit time unless driver initially enabled pm_runtime with devm_pm_runtime_enable() (which handles it for you). Hence, call pm_runtime_dont_use_autosuspend() at driver exit time to fix it. Fixes: 944c01a889d9 ("spi: lpspi: enable runtime pm for lpspi") Signed-off-by: Jinjie Ruan Link: https://patch.msgid.link/20240906021251.610462-1-ruanjinjie@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e6c05bdc85602cd115636e6e82971af0b4af86a2 Author: Jinjie Ruan Date: Fri Sep 6 10:39:56 2024 +0800 spi: atmel-quadspi: Undo runtime PM changes at driver exit time [ Upstream commit 438efb23f9581659495b85f1f6c7d5946200660c ] It's important to undo pm_runtime_use_autosuspend() with pm_runtime_dont_use_autosuspend() at driver exit time unless driver initially enabled pm_runtime with devm_pm_runtime_enable() (which handles it for you). Hence, call pm_runtime_dont_use_autosuspend() at driver exit time to fix it. Fixes: 4a2f83b7f780 ("spi: atmel-quadspi: add runtime pm support") Signed-off-by: Jinjie Ruan Link: https://patch.msgid.link/20240906023956.1004440-1-ruanjinjie@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2838ebfdb82eb1214f7ed756a99c75460e4727d6 Author: Lorenzo Bianconi Date: Fri Sep 13 23:07:14 2024 +0200 spi: airoha: fix airoha_snand_{write,read}_data data_len estimation [ Upstream commit 0e58637eb968c636725dcd6c7055249b4e5326fb ] Fix data length written and read in airoha_snand_write_data and airoha_snand_read_data routines respectively if it is bigger than SPI_MAX_TRANSFER_SIZE. Fixes: a403997c1201 ("spi: airoha: add SPI-NAND Flash controller driver") Tested-by: Christian Marangi Signed-off-by: Lorenzo Bianconi Link: https://patch.msgid.link/20240913-airoha-spi-fixes-v1-2-de2e74ed4664@kernel.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 079fd66bac7eed4d5335e13e02118106548c331f Author: Lorenzo Bianconi Date: Fri Sep 13 23:07:13 2024 +0200 spi: airoha: fix dirmap_{read,write} operations [ Upstream commit 2e6bbfe7b0c0607001b784082c2685b134174fac ] SPI_NFI_READ_FROM_CACHE_DONE bit must be written at the end of dirmap_read operation even if it is already set. In the same way, SPI_NFI_LOAD_TO_CACHE_DONE bit must be written at the end of dirmap_write operation even if it is already set. For this reason use regmap_write_bits() instead of regmap_set_bits(). This patch fixes mtd_pagetest kernel module test. Fixes: a403997c1201 ("spi: airoha: add SPI-NAND Flash controller driver") Tested-by: Christian Marangi Signed-off-by: Lorenzo Bianconi Link: https://patch.msgid.link/20240913-airoha-spi-fixes-v1-1-de2e74ed4664@kernel.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1f63f405c1a1a64b9c310388aad7055fb86b245c Author: Chao Yu Date: Tue Sep 10 11:07:13 2024 +0800 f2fs: fix to don't set SB_RDONLY in f2fs_handle_critical_error() [ Upstream commit 930c6ab93492c4b15436524e704950b364b2930c ] syzbot reports a f2fs bug as below: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 58 at kernel/rcu/sync.c:177 rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177 CPU: 1 UID: 0 PID: 58 Comm: kworker/1:2 Not tainted 6.10.0-syzkaller-12562-g1722389b0d86 #0 Workqueue: events destroy_super_work RIP: 0010:rcu_sync_dtor+0xcd/0x180 kernel/rcu/sync.c:177 Call Trace: percpu_free_rwsem+0x41/0x80 kernel/locking/percpu-rwsem.c:42 destroy_super_work+0xec/0x130 fs/super.c:282 process_one_work kernel/workqueue.c:3231 [inline] process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 As Christian Brauner pointed out [1]: the root cause is f2fs sets SB_RDONLY flag in internal function, rather than setting the flag covered w/ sb->s_umount semaphore via remount procedure, then below race condition causes this bug: - freeze_super() - sb_wait_write(sb, SB_FREEZE_WRITE) - sb_wait_write(sb, SB_FREEZE_PAGEFAULT) - sb_wait_write(sb, SB_FREEZE_FS) - f2fs_handle_critical_error - sb->s_flags |= SB_RDONLY - thaw_super - thaw_super_locked - sb_rdonly() is true, so it skips sb_freeze_unlock(sb, SB_FREEZE_FS) - deactivate_locked_super Since f2fs has almost the same logic as ext4 [2] when handling critical error in filesystem if it mounts w/ errors=remount-ro option: - set CP_ERROR_FLAG flag which indicates filesystem is stopped - record errors to superblock - set SB_RDONLY falg Once we set CP_ERROR_FLAG flag, all writable interfaces can detect the flag and stop any further updates on filesystem. So, it is safe to not set SB_RDONLY flag, let's remove the logic and keep in line w/ ext4 [3]. [1] https://lore.kernel.org/all/20240729-himbeeren-funknetz-96e62f9c7aee@brauner [2] https://lore.kernel.org/all/20240729132721.hxih6ehigadqf7wx@quack3 [3] https://lore.kernel.org/linux-ext4/20240805201241.27286-1-jack@suse.cz Fixes: b62e71be2110 ("f2fs: support errors=remount-ro|continue|panic mountoption") Reported-by: syzbot+20d7e439f76bbbd863a7@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000b90a8e061e21d12f@google.com/ Cc: Jan Kara Cc: Christian Brauner Signed-off-by: Chao Yu Reviewed-by: Christian Brauner Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit bcefd0b0611f35b560d0a7281d87529fbe7a1e32 Author: Chao Yu Date: Fri Sep 6 14:27:24 2024 +0800 f2fs: get rid of online repaire on corrupted directory [ Upstream commit 884ee6dc85b959bc152f15bca80c30f06069e6c4 ] syzbot reports a f2fs bug as below: kernel BUG at fs/f2fs/inode.c:896! RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896 Call Trace: evict+0x532/0x950 fs/inode.c:704 dispose_list fs/inode.c:747 [inline] evict_inodes+0x5f9/0x690 fs/inode.c:797 generic_shutdown_super+0x9d/0x2d0 fs/super.c:627 kill_block_super+0x44/0x90 fs/super.c:1696 kill_f2fs_super+0x344/0x690 fs/f2fs/super.c:4898 deactivate_locked_super+0xc4/0x130 fs/super.c:473 cleanup_mnt+0x41f/0x4b0 fs/namespace.c:1373 task_work_run+0x24f/0x310 kernel/task_work.c:228 ptrace_notify+0x2d2/0x380 kernel/signal.c:2402 ptrace_report_syscall include/linux/ptrace.h:415 [inline] ptrace_report_syscall_exit include/linux/ptrace.h:477 [inline] syscall_exit_work+0xc6/0x190 kernel/entry/common.c:173 syscall_exit_to_user_mode_prepare kernel/entry/common.c:200 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:205 [inline] syscall_exit_to_user_mode+0x279/0x370 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0010:f2fs_evict_inode+0x1598/0x15c0 fs/f2fs/inode.c:896 Online repaire on corrupted directory in f2fs_lookup() can generate dirty data/meta while racing w/ readonly remount, it may leave dirty inode after filesystem becomes readonly, however, checkpoint() will skips flushing dirty inode in a state of readonly mode, result in above panic. Let's get rid of online repaire in f2fs_lookup(), and leave the work to fsck.f2fs. Fixes: 510022a85839 ("f2fs: add F2FS_INLINE_DOTS to recover missing dot dentries") Reported-by: syzbot+ebea2790904673d7c618@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/000000000000a7b20f061ff2d56a@google.com Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit b6fe637ee93dd7ce1df31cd5497f53a7b3272e67 Author: Daeho Jeong Date: Wed Sep 4 08:33:06 2024 -0700 f2fs: prevent atomic file from being dirtied before commit [ Upstream commit fccaa81de87e80b1809906f7e438e5766fbdc172 ] Keep atomic file clean while updating and make it dirtied during commit in order to avoid unnecessary and excessive inode updates in the previous fix. Fixes: 4bf78322346f ("f2fs: mark inode dirty for FI_ATOMIC_COMMITTED flag") Signed-off-by: Daeho Jeong Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit bed7ac6634791bf73f60d691721160abffc0618a Author: Yeongjin Gil Date: Mon Aug 19 17:34:30 2024 +0900 f2fs: compress: don't redirty sparse cluster during {,de}compress [ Upstream commit f785cec298c95d00058560c0715233294a04b8f3 ] In f2fs_do_write_data_page, when the data block is NULL_ADDR, it skips writepage considering that it has been already truncated. This results in an infinite loop as the PAGECACHE_TAG_TOWRITE tag is not cleared during the writeback process for a compressed file including NULL_ADDR in compress_mode=user. This is the reproduction process: 1. dd if=/dev/zero bs=4096 count=1024 seek=1024 of=testfile 2. f2fs_io compress testfile 3. dd if=/dev/zero bs=4096 count=1 conv=notrunc of=testfile 4. f2fs_io decompress testfile To prevent the problem, let's check whether the cluster is fully allocated before redirty its pages. Fixes: 5fdb322ff2c2 ("f2fs: add F2FS_IOC_DECOMPRESS_FILE and F2FS_IOC_COMPRESS_FILE") Reviewed-by: Sungjong Seo Reviewed-by: Sunmin Jeong Tested-by: Jaewook Kim Signed-off-by: Yeongjin Gil Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit d79343cd66343709e409d96b2abb139a0a55ce34 Author: Chao Yu Date: Tue Jul 30 09:08:55 2024 +0800 f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread() [ Upstream commit c7f114d864ac91515bb07ac271e9824a20f5ed95 ] syzbot reports a f2fs bug as below: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 print_report+0xe8/0x550 mm/kasan/report.c:491 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline] __refcount_add include/linux/refcount.h:184 [inline] __refcount_inc include/linux/refcount.h:241 [inline] refcount_inc include/linux/refcount.h:258 [inline] get_task_struct include/linux/sched/task.h:118 [inline] kthread_stop+0xca/0x630 kernel/kthread.c:704 f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210 f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283 f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline] __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The root cause is below race condition, it may cause use-after-free issue in sbi->gc_th pointer. - remount - f2fs_remount - f2fs_stop_gc_thread - kfree(gc_th) - f2fs_ioc_shutdown - f2fs_do_shutdown - f2fs_stop_gc_thread - kthread_stop(gc_th->f2fs_gc_task) : sbi->gc_thread = NULL; We will call f2fs_do_shutdown() in two paths: - for f2fs_ioc_shutdown() path, we should grab sb->s_umount semaphore for fixing. - for f2fs_shutdown() path, it's safe since caller has already grabbed sb->s_umount semaphore. Reported-by: syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-f2fs-devel/0000000000005c7ccb061e032b9b@google.com Fixes: 7950e9ac638e ("f2fs: stop gc/discard thread after fs shutdown") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 4cdaa2492afe920c9e26fa28ed20e9b33b4cffd1 Author: Chao Yu Date: Wed Aug 7 18:24:35 2024 +0800 f2fs: atomic: fix to truncate pagecache before on-disk metadata truncation [ Upstream commit ebd3309aec6271c4616573b0cb83ea25e623070a ] We should always truncate pagecache while truncating on-disk data. Fixes: a46bebd502fe ("f2fs: synchronize atomic write aborts") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 8364b39827fc946f84f67049aaffa9e3050469ed Author: Chao Yu Date: Mon Aug 12 22:12:42 2024 +0800 f2fs: fix to wait page writeback before setting gcing flag [ Upstream commit a4d7f2b3238fd5f76b9e6434a0bd5d2e29049cff ] Soft IRQ Thread - f2fs_write_end_io - f2fs_defragment_range - set_page_private_gcing - type = WB_DATA_TYPE(page, false); : assign type w/ F2FS_WB_CP_DATA due to page_private_gcing() is true - dec_page_count() w/ wrong type - end_page_writeback() Value of F2FS_WB_CP_DATA reference count may become negative under above race condition, the root cause is we missed to wait page writeback before setting gcing page private flag, let's fix it. Fixes: 2d1fe8a86bf5 ("f2fs: fix to tag gcing flag on page during file defragment") Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 255141e479207cc33950bc266374231182e3908c Author: Yeongjin Gil Date: Tue Aug 13 16:32:44 2024 +0900 f2fs: Create COW inode from parent dentry for atomic write [ Upstream commit 8c1b787938fd86bab27a1492fa887408c75fec2b ] The i_pino in f2fs_inode_info has the previous parent's i_ino when inode was renamed, which may cause f2fs_ioc_start_atomic_write to fail. If file_wrong_pino is true and i_nlink is 1, then to find a valid pino, we should refer to the dentry from inode. To resolve this issue, let's get parent inode using parent dentry directly. Fixes: 3db1de0e582c ("f2fs: change the current atomic write way") Reviewed-by: Sungjong Seo Reviewed-by: Sunmin Jeong Signed-off-by: Yeongjin Gil Reviewed-by: Daeho Jeong Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit fde7655bbae5b4f8706242acae6e049fd839cb5e Author: Chao Yu Date: Thu Jun 27 15:15:21 2024 +0800 f2fs: fix to avoid racing in between read and OPU dio write [ Upstream commit 0cac51185e65dc2a20686184e02f3cafc99eb202 ] If lfs mode is on, buffered read may race w/ OPU dio write as below, it may cause buffered read hits unwritten data unexpectly, and for dio read, the race condition exists as well. Thread A Thread B - f2fs_file_write_iter - f2fs_dio_write_iter - __iomap_dio_rw - f2fs_iomap_begin - f2fs_map_blocks - __allocate_data_block - allocated blkaddr #x - iomap_dio_submit_bio - f2fs_file_read_iter - filemap_read - f2fs_read_data_folio - f2fs_mpage_readpages - f2fs_map_blocks : get blkaddr #x - f2fs_submit_read_bio IRQ - f2fs_read_end_io : read IO on blkaddr #x complete IRQ - iomap_dio_bio_end_io : direct write IO on blkaddr #x complete In LFS mode, if there is inflight dio, let's wait for its completion, this policy won't cover all race cases, however it is a tradeoff which avoids abusing lock around IO paths. Fixes: f847c699cff3 ("f2fs: allow out-place-update for direct IO in LFS mode") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit ed2380e2358243f8f2f9c40716fa80d61578eddf Author: Chao Yu Date: Wed Jun 26 09:47:27 2024 +0800 f2fs: reduce expensive checkpoint trigger frequency [ Upstream commit aaf8c0b9ae042494cb4585883b15c1332de77840 ] We may trigger high frequent checkpoint for below case: 1. mkdir /mnt/dir1; set dir1 encrypted 2. touch /mnt/file1; fsync /mnt/file1 3. mkdir /mnt/dir2; set dir2 encrypted 4. touch /mnt/file2; fsync /mnt/file2 ... Although, newly created dir and file are not related, due to commit bbf156f7afa7 ("f2fs: fix lost xattrs of directories"), we will trigger checkpoint whenever fsync() comes after a new encrypted dir created. In order to avoid such performance regression issue, let's record an entry including directory's ino in global cache whenever we update directory's xattr data, and then triggerring checkpoint() only if xattr metadata of target file's parent was updated. This patch updates to cover below no encryption case as well: 1) parent is checkpointed 2) set_xattr(dir) w/ new xnid 3) create(file) 4) fsync(file) Fixes: bbf156f7afa7 ("f2fs: fix lost xattrs of directories") Reported-by: wangzijie Reported-by: Zhiguo Niu Tested-by: Zhiguo Niu Reported-by: Yunlei He Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 8d2e73e21dd5c232f7e59c3e0b3c6ea5b800e273 Author: Chao Yu Date: Tue Jun 25 11:13:48 2024 +0800 f2fs: atomic: fix to avoid racing w/ GC [ Upstream commit 1a0bd289a5db1df8df8fab949633a0b8d3f235ee ] Case #1: SQLite App GC Thread Kworker Shrinker - f2fs_ioc_start_atomic_write - f2fs_ioc_commit_atomic_write - f2fs_commit_atomic_write - filemap_write_and_wait_range : write atomic_file's data to cow_inode echo 3 > drop_caches to drop atomic_file's cache. - f2fs_gc - gc_data_segment - move_data_page - set_page_dirty - writepages - f2fs_do_write_data_page : overwrite atomic_file's data to cow_inode - f2fs_down_write(&fi->i_gc_rwsem[WRITE]) - __f2fs_commit_atomic_write - f2fs_up_write(&fi->i_gc_rwsem[WRITE]) Case #2: SQLite App GC Thread Kworker - f2fs_ioc_start_atomic_write - __writeback_single_inode - do_writepages - f2fs_write_cache_pages - f2fs_write_single_data_page - f2fs_do_write_data_page : write atomic_file's data to cow_inode - f2fs_gc - gc_data_segment - move_data_page - set_page_dirty - writepages - f2fs_do_write_data_page : overwrite atomic_file's data to cow_inode - f2fs_ioc_commit_atomic_write In above cases racing in between atomic_write and GC, previous data in atomic_file may be overwrited to cow_file, result in data corruption. This patch introduces PAGE_PRIVATE_ATOMIC_WRITE bit flag in page.private, and use it to indicate that there is last dirty data in atomic file, and the data should be writebacked into cow_file, if the flag is not tagged in page, we should never write data across files. Fixes: 3db1de0e582c ("f2fs: change the current atomic write way") Cc: Daeho Jeong Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 82e71e93891d25a3425cac93428c8b8dc9d01ea7 Author: Danny Tsen Date: Thu Sep 19 07:36:37 2024 -0400 crypto: powerpc/p10-aes-gcm - Disable CRYPTO_AES_GCM_P10 [ Upstream commit 44ac4625ea002deecd0c227336c95b724206c698 ] Data mismatch found when testing ipsec tunnel with AES/GCM crypto. Disabling CRYPTO_AES_GCM_P10 in Kconfig for this feature. Fixes: fd0e9b3e2ee6 ("crypto: p10-aes-gcm - An accelerated AES/GCM stitched implementation") Fixes: cdcecfd9991f ("crypto: p10-aes-gcm - Glue code for AES/GCM stitched implementation") Fixes: 45a4672b9a6e2 ("crypto: p10-aes-gcm - Update Kconfig and Makefile") Signed-off-by: Danny Tsen Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 28f72e1296a76eb3cec32f41c878a345fd8e26c3 Author: Herbert Xu Date: Thu Sep 12 17:57:13 2024 +0800 crypto: caam - Pad SG length when allocating hash edesc [ Upstream commit 5124bc96162667766f6120b19f57a640c2eccb2a ] Because hardware will read in multiples of 4 SG entries, ensure the allocated length is always padded. This was already done by some callers of ahash_edesc_alloc, but ahash_digest was conspicuously missing. In any case, doing it in the allocation function ensures that the memory is always there. Reported-by: Guangwu Zhang Fixes: a5e5c13398f3 ("crypto: caam - fix S/G table passing page boundary") Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit dfbe943b75bb333eb2463f64f3300617ddeb0368 Author: Jeff Layton Date: Mon Sep 9 10:40:53 2024 -0400 nfsd: fix initial getattr on write delegation [ Upstream commit bf92e5008b17f935a6de8b708551e02c2294121c ] At this point in compound processing, currentfh refers to the parent of the file, not the file itself. Get the correct dentry from the delegation stateid instead. Fixes: c5967721e106 ("NFSD: handle GETATTR conflict with write delegation") Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit f7f6e7fe135d6d5f10ac7bde918521f199accb9a Author: NeilBrown Date: Thu Aug 29 09:26:40 2024 -0400 nfsd: untangle code in nfsd4_deleg_getattr_conflict() [ Upstream commit a078a7dc0eaa9db288ae45319f7f7503968af546 ] The code in nfsd4_deleg_getattr_conflict() is convoluted and buggy. With this patch we: - properly handle non-nfsd leases. We must not assume flc_owner is a delegation unless fl_lmops == &nfsd_lease_mng_ops - move the main code out of the for loop - have a single exit which calls nfs4_put_stid() (and other exits which don't need to call that) [ jlayton: refactored on top of Neil's other patch: nfsd: fix nfsd4_deleg_getattr_conflict in presence of third party lease ] Fixes: c5967721e106 ("NFSD: handle GETATTR conflict with write delegation") Signed-off-by: NeilBrown Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 1ff8be8d008b9ddc8e7043fbddd37d5d451b271b Author: Li Lingfeng Date: Tue Sep 3 19:14:46 2024 +0800 nfsd: return -EINVAL when namelen is 0 [ Upstream commit 22451a16b7ab7debefce660672566be887db1637 ] When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may result in namelen being 0, which will cause memdup_user() to return ZERO_SIZE_PTR. When we access the name.data that has been assigned the value of ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is triggered. [ T1205] ================================================================== [ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260 [ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205 [ T1205] [ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406 [ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014 [ T1205] Call Trace: [ T1205] dump_stack+0x9a/0xd0 [ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 [ T1205] __kasan_report.cold+0x34/0x84 [ T1205] ? nfs4_client_to_reclaim+0xe9/0x260 [ T1205] kasan_report+0x3a/0x50 [ T1205] nfs4_client_to_reclaim+0xe9/0x260 [ T1205] ? nfsd4_release_lockowner+0x410/0x410 [ T1205] cld_pipe_downcall+0x5ca/0x760 [ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0 [ T1205] ? down_write_killable_nested+0x170/0x170 [ T1205] ? avc_policy_seqno+0x28/0x40 [ T1205] ? selinux_file_permission+0x1b4/0x1e0 [ T1205] rpc_pipe_write+0x84/0xb0 [ T1205] vfs_write+0x143/0x520 [ T1205] ksys_write+0xc9/0x170 [ T1205] ? __ia32_sys_read+0x50/0x50 [ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110 [ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110 [ T1205] do_syscall_64+0x33/0x40 [ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1 [ T1205] RIP: 0033:0x7fdbdb761bc7 [ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514 [ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7 [ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008 [ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001 [ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b [ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000 [ T1205] ================================================================== Fix it by checking namelen. Signed-off-by: Li Lingfeng Fixes: 74725959c33c ("nfsd: un-deprecate nfsdcld") Reviewed-by: Jeff Layton Reviewed-by: Scott Mayhew Tested-by: Scott Mayhew Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 8d0765f86135e27f0bb5c950c136495719b4c834 Author: Guoqing Jiang Date: Wed Aug 21 22:03:18 2024 +0800 nfsd: call cache_put if xdr_reserve_space returns NULL [ Upstream commit d078cbf5c38de83bc31f83c47dcd2184c04a50c7 ] If not enough buffer space available, but idmap_lookup has triggered lookup_fn which calls cache_get and returns successfully. Then we missed to call cache_put here which pairs with cache_get. Fixes: ddd1ea563672 ("nfsd4: use xdr_reserve_space in attribute encoding") Signed-off-by: Guoqing Jiang Reviwed-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 507bc31cf3dd16f8b591b8b608149b099b1d70b1 Author: Dave Jiang Date: Thu Sep 5 14:22:07 2024 -0700 ntb: Force physically contiguous allocation of rx ring buffers [ Upstream commit 061a785a114f159e990ea8ed8d1b7dca4b41120f ] Physical addresses under IOVA on x86 platform are mapped contiguously as a side effect before the patch that removed CONFIG_DMA_REMAP. The NTB rx buffer ring is a single chunk DMA buffer that is allocated against the NTB PCI device. If the receive side is using a DMA device, then the buffers are remapped against the DMA device before being submitted via the dmaengine API. This scheme becomes a problem when the physical memory is discontiguous. When dma_map_page() is called on the kernel virtual address from the dma_alloc_coherent() call, the new IOVA mapping no longer points to all the physical memory allocated due to being discontiguous. Change dma_alloc_coherent() to dma_alloc_attrs() in order to force DMA_ATTR_FORCE_CONTIGUOUS attribute. This is the best fix for the circumstance. A potential future solution may be having the DMA mapping API providing a way to alias an existing IOVA mapping to a new device perhaps. This fix is not to fix the patch pointed to by the fixes tag, but to fix the issue arised in the ntb_transport driver on x86 platforms after the said patch is applied. Reported-by: Jerry Dai Fixes: f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP") Tested-by: Jerry Dai Signed-off-by: Dave Jiang Signed-off-by: Jon Mason Signed-off-by: Sasha Levin commit 02824c51037004ed093367cef9c72758676deea4 Author: Max Hawking Date: Sun Oct 8 20:45:16 2023 -0700 ntb_perf: Fix printk format [ Upstream commit 1501ae7479c8d0f66efdbfdc9ae8d6136cefbd37 ] The correct printk format is %pa or %pap, but not %pa[p]. Fixes: 99a06056124d ("NTB: ntb_perf: Fix address err in perf_copy_chunk") Signed-off-by: Max Hawking Signed-off-by: Jon Mason Signed-off-by: Sasha Levin commit babba8595d1e5d57313a6187f3e51aceacc6881a Author: Jinjie Ruan Date: Thu Aug 31 20:39:27 2023 +0800 ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() [ Upstream commit e229897d373a87ee09ec5cc4ecd4bb2f895fc16b ] The debugfs_create_dir() function returns error pointers. It never returns NULL. So use IS_ERR() to check it. Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") Signed-off-by: Jinjie Ruan Reviewed-by: Dave Jiang Signed-off-by: Jon Mason Signed-off-by: Sasha Levin commit d1c00a89f2824a5f5bbb16da8f43848d8ef00f82 Author: Vitaliy Shevtsov Date: Mon Sep 16 21:58:05 2024 +0500 RDMA/irdma: fix error message in irdma_modify_qp_roce() [ Upstream commit 9f0eafe86ea0a589676209d0cff1a1ed49a037d3 ] Use a correct field max_dest_rd_atomic instead of max_rd_atomic for the error output. Found by Linux Verification Center (linuxtesting.org) with Svace. Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Signed-off-by: Vitaliy Shevtsov Link: https://lore.kernel.org/stable/20240916165817.14691-1-v.shevtsov%40maxima.ru Link: https://patch.msgid.link/20240916165817.14691-1-v.shevtsov@maxima.ru Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit b9c94c8ba5a713817cffd74c4bacc05187469624 Author: Mikhail Lobanov Date: Thu Sep 12 10:58:39 2024 -0400 RDMA/cxgb4: Added NULL check for lookup_atid [ Upstream commit e766e6a92410ca269161de059fff0843b8ddd65f ] The lookup_atid() function can return NULL if the ATID is invalid or does not exist in the identifier table, which could lead to dereferencing a null pointer without a check in the `act_establish()` and `act_open_rpl()` functions. Add a NULL check to prevent null pointer dereferencing. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC") Signed-off-by: Mikhail Lobanov Link: https://patch.msgid.link/20240912145844.77516-1-m.lobanov@rosalinux.ru Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit b80767de7c050a6b73d151d000e6e5311e2e3af8 Author: Junxian Huang Date: Thu Sep 12 19:57:00 2024 +0800 RDMA/hns: Fix ah error counter in sw stat not increasing [ Upstream commit 39c047d4047a1242aeefa87513174b56a91080ab ] There are several error cases where hns_roce_create_ah() returns directly without jumping to sw stat path, thus leading to a problem that the ah error counter does not increase. Fixes: ee20cc17e9d8 ("RDMA/hns: Support DSCP") Fixes: eb7854d63db5 ("RDMA/hns: Support SW stats with debugfs") Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20240912115700.2016443-1-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 86161e615a5ea62e34f800b6eb4d64d831f0b57a Author: Jinjie Ruan Date: Mon Jul 8 11:28:46 2024 +0800 riscv: Fix fp alignment bug in perf_callchain_user() [ Upstream commit 22ab08955ea13be04a8efd20cc30890e0afaa49c ] The standard RISC-V calling convention said: "The stack grows downward and the stack pointer is always kept 16-byte aligned". So perf_callchain_user() should check whether 16-byte aligned for fp. Link: https://riscv.org/wp-content/uploads/2015/01/riscv-calling.pdf Fixes: dbeb90b0c1eb ("riscv: Add perf callchain support") Signed-off-by: Jinjie Ruan Cc: Björn Töpel Link: https://lore.kernel.org/r/20240708032847.2998158-2-ruanjinjie@huawei.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit d0f1b4734baed35e23a1701f7d4d9333693f8d66 Author: Manivannan Sadhasivam Date: Fri Aug 30 13:53:19 2024 +0530 PCI: qcom-ep: Enable controller resources like PHY only after refclk is available [ Upstream commit d3745e3ae6c0eec517d431be926742b6e8b9b64a ] qcom_pcie_enable_resources() is called by qcom_pcie_ep_probe() and it enables the controller resources like clocks, regulator, PHY. On one of the new unreleased Qcom SoC, PHY enablement depends on the active refclk. And on all of the supported Qcom endpoint SoCs, refclk comes from the host (RC). So calling qcom_pcie_enable_resources() without refclk causes the NoC (Network On Chip) error in the endpoint SoC and in turn results in a whole SoC crash and rebooting into EDL (Emergency Download) mode which is an unrecoverable state. But qcom_pcie_enable_resources() is already called by qcom_pcie_perst_deassert() when PERST# is deasserted, and refclk is available at that time. Hence, remove the unnecessary call to qcom_pcie_enable_resources() from qcom_pcie_ep_probe() to prevent the above mentioned crash. It should be noted that this commit prevents the crash only under normal working condition (booting endpoint before host), but the crash may also occur if PERST# assert happens at the wrong time. For avoiding the crash completely, it is recommended to use SRIS mode which allows the endpoint SoC to generate its own refclk. The driver is not supporting SRIS mode currently, but will be added in the future. Fixes: 869bc5253406 ("PCI: dwc: ep: Fix DBI access failure for drivers requiring refclk from host") Link: https://lore.kernel.org/linux-pci/20240830082319.51387-1-manivannan.sadhasivam@linaro.org Tested-by: Dmitry Baryshkov Signed-off-by: Manivannan Sadhasivam Signed-off-by: Krzysztof Wilczyński Signed-off-by: Sasha Levin commit d10c2b002db975f47d29ef61a04dbc8af7767931 Author: Mark Bloch Date: Mon Sep 9 20:30:20 2024 +0300 RDMA/mlx5: Obtain upper net device only when needed [ Upstream commit 3ed7f9e239938a0cfaf3689e2f545229ecabec06 ] Report the upper device's state as the RDMA port state only in RoCE LAG or switchdev LAG. Fixes: 27f9e0ccb6da ("net/mlx5: Lag, Add single RDMA device in multiport mode") Signed-off-by: Mark Bloch Signed-off-by: Michael Guralnik Link: https://patch.msgid.link/20240909173025.30422-3-michaelgur@nvidia.com Reviewed-by: Kalesh AP Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit fbac323513a600d74f779ce685c87d5da2878580 Author: David Lechner Date: Tue Sep 10 16:58:47 2024 -0500 Input: ims-pcu - fix calling interruptible mutex [ Upstream commit 82abef590eb31d373e632743262ee7c42f49c289 ] Fix calling scoped_cond_guard() with mutex instead of mutex_intr. scoped_cond_guard(mutex, ...) will call mutex_lock() instead of mutex_lock_interruptible(). Fixes: 703f12672e1f ("Input: ims-pcu - switch to using cleanup functions") Signed-off-by: David Lechner Link: https://lore.kernel.org/r/20240910-input-misc-ims-pcu-fix-mutex-intr-v1-1-bdd983685c43@baylibre.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit d6b5024009d919af092aaeaa7f8864fc062f56a4 Author: Junxian Huang Date: Mon Sep 9 14:53:31 2024 +0800 RDMA/hns: Fix restricted __le16 degrades to integer issue [ Upstream commit f4ccc0a2a0c5977540f519588636b5bc81aae2db ] Fix sparse warnings: restricted __le16 degrades to integer. Fixes: 5a87279591a1 ("RDMA/hns: Support hns HW stats") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202409080508.g4mNSLwy-lkp@intel.com/ Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20240909065331.3950268-1-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 53f7439f8a0f810b3cc238d1eda1bfa2a4441e01 Author: Junxian Huang Date: Fri Sep 6 17:34:43 2024 +0800 RDMA/hns: Optimize hem allocation performance [ Upstream commit fe51f6254d81f5a69c31df16353d6539b2b51630 ] When allocating MTT hem, for each hop level of each hem that is being allocated, the driver iterates the hem list to find out whether the bt page has been allocated in this hop level. If not, allocate a new one and splice it to the list. The time complexity is O(n^2) in worst cases. Currently the allocation for-loop uses 'unit' as the step size. This actually has taken into account the reuse of last-hop-level MTT bt pages by multiple buffer pages. Thus pages of last hop level will never have been allocated, so there is no need to iterate the hem list in last hop level. Removing this unnecessary iteration can reduce the time complexity to O(n). Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing") Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20240906093444.3571619-9-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit ca75c4093c4f23f2de13ace56c5787c51b86ada0 Author: Chengchang Tang Date: Fri Sep 6 17:34:42 2024 +0800 RDMA/hns: Fix 1bit-ECC recovery address in non-4K OS [ Upstream commit ce196f6297c7f3ab7780795e40efd6c521f60c8b ] The 1bit-ECC recovery address read from HW only contain bits 64:12, so it should be fixed left-shifted 12 bits when used. Currently, the driver will shift the address left by PAGE_SHIFT when used, which is wrong in non-4K OS. Fixes: 2de949abd6a5 ("RDMA/hns: Recover 1bit-ECC error of RAM on chip") Signed-off-by: Chengchang Tang Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20240906093444.3571619-8-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 350fb152568a14fc358d090f9e32aac99009748c Author: Junxian Huang Date: Fri Sep 6 17:34:41 2024 +0800 RDMA/hns: Fix VF triggering PF reset in abnormal interrupt handler [ Upstream commit 4321feefa5501a746ebf6a7d8b59e6b955ae1860 ] In abnormal interrupt handler, a PF reset will be triggered even if the device is a VF. It should be a VF reset. Fixes: 2b9acb9a97fe ("RDMA/hns: Add the process of AEQ overflow for hip08") Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20240906093444.3571619-7-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit a1a3403bb1826c8ec787f0d60c3e7b54f419129e Author: Chengchang Tang Date: Fri Sep 6 17:34:40 2024 +0800 RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled [ Upstream commit 74d315b5af180220d561684d15897730135733a6 ] Fix missuse of spin_lock_irq()/spin_unlock_irq() when spin_lock_irqsave()/spin_lock_irqrestore() was hold. This was discovered through the lock debugging, and the corresponding log is as follows: raw_local_irq_restore() called with IRQs enabled WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40 ... Call trace: warn_bogus_irq_restore+0x30/0x40 _raw_spin_unlock_irqrestore+0x84/0xc8 add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2] hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2] hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2] create_qp+0x138/0x258 ib_create_qp_kernel+0x50/0xe8 create_mad_qp+0xa8/0x128 ib_mad_port_open+0x218/0x448 ib_mad_init_device+0x70/0x1f8 add_client_context+0xfc/0x220 enable_device_and_get+0xd0/0x140 ib_register_device.part.0+0xf4/0x1c8 ib_register_device+0x34/0x50 hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2] hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2] __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2] hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2] Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") Signed-off-by: Chengchang Tang Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20240906093444.3571619-6-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 5bc35dd5c85cd67e52d3098cfba1cc3eb697e927 Author: wenglianfa Date: Fri Sep 6 17:34:39 2024 +0800 RDMA/hns: Fix the overflow risk of hem_list_calc_ba_range() [ Upstream commit d586628b169d14bbf36be64d2b3ec9d9d2fe0432 ] The max value of 'unit' and 'hop_num' is 2^24 and 2, so the value of 'step' may exceed the range of u32. Change the type of 'step' to u64. Fixes: 38389eaa4db1 ("RDMA/hns: Add mtr support for mixed multihop addressing") Signed-off-by: wenglianfa Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20240906093444.3571619-5-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 60595923371c2ebe7faf82536c47eb0c967e3425 Author: wenglianfa Date: Fri Sep 6 17:34:37 2024 +0800 RDMA/hns: Fix Use-After-Free of rsv_qp on HIP08 [ Upstream commit fd8489294dd2beefb70f12ec4f6132aeec61a4d0 ] Currently rsv_qp is freed before ib_unregister_device() is called on HIP08. During the time interval, users can still dereg MR and rsv_qp will be used in this process, leading to a UAF. Move the release of rsv_qp after calling ib_unregister_device() to fix it. Fixes: 70f92521584f ("RDMA/hns: Use the reserved loopback QPs to free MR before destroying MPT") Signed-off-by: wenglianfa Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20240906093444.3571619-3-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 8d8c624d9231ae0ce87cb9f87858444313d5e9e5 Author: Junxian Huang Date: Fri Sep 6 17:34:36 2024 +0800 RDMA/hns: Don't modify rq next block addr in HIP09 QPC [ Upstream commit 6928d264e328e0cb5ee7663003a6e46e4cba0a7e ] The field 'rq next block addr' in QPC can be updated by driver only on HIP08. On HIP09 HW updates this field while driver is not allowed. Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") Signed-off-by: Junxian Huang Link: https://patch.msgid.link/20240906093444.3571619-2-huangjunxian6@hisilicon.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit b69079e76d59d28f5647d7c4cd4e9deac444561c Author: Jonas Blixt Date: Thu Aug 1 14:18:45 2024 +0200 watchdog: imx_sc_wdt: Don't disable WDT in suspend [ Upstream commit 2d9d6d300fb0a4ae4431bb308027ac9385746d42 ] Parts of the suspend and resume chain is left unprotected if we disable the WDT here. >From experiments we can see that the SCU disables and re-enables the WDT when we enter and leave suspend to ram. By not touching the WDT here we are protected by the WDT all the way to the SCU. Signed-off-by: Jonas Blixt CC: Anson Huang Fixes: 986857acbc9a ("watchdog: imx_sc: Add i.MX system controller watchdog support") Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20240801121845.1465765-1-jonas.blixt@actia.se Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit 913b0573cafd8b6fe148f32f8d20f4c8456ce5ee Author: Michael Guralnik Date: Tue Sep 3 14:24:50 2024 +0300 RDMA/mlx5: Fix MR cache temp entries cleanup [ Upstream commit 7ebb00cea49db641b458edef0ede389f7004821d ] Fix the cleanup of the temp cache entries that are dynamically created in the MR cache. The cleanup of the temp cache entries is currently scheduled only when a new entry is created. Since in the cleanup of the entries only the mkeys are destroyed and the cache entry stays in the cache, subsequent registrations might reuse the entry and it will eventually be filled with new mkeys without cleanup ever getting scheduled again. On workloads that register and deregister MRs with a wide range of properties we see the cache ends up holding many cache entries, each holding the max number of mkeys that were ever used through it. Additionally, as the cleanup work is scheduled to run over the whole cache, any mkey that is returned to the cache after the cleanup was scheduled will be held for less than the intended 30 seconds timeout. Solve both issues by dropping the existing remove_ent_work and reusing the existing per-entry work to also handle the temp entries cleanup. Schedule the work to run with a 30 seconds delay every time we push an mkey to a clean temp entry. This ensures the cleanup runs on each entry only 30 seconds after the first mkey was pushed to an empty entry. As we have already been distinguishing between persistent and temp entries when scheduling the cache_work_func, it is not being scheduled in any other flows for the temp entries. Another benefit from moving to a per-entry cleanup is we now not required to hold the rb_tree mutex, thus enabling other flow to run concurrently. Fixes: dd1b913fb0d0 ("RDMA/mlx5: Cache all user cacheable mkeys on dereg MR flow") Signed-off-by: Michael Guralnik Link: https://patch.msgid.link/e4fa4bb03bebf20dceae320f26816cd2dde23a26.1725362530.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit da7742882dd4fea52fc068af7391887b4560cd1f Author: Michael Guralnik Date: Tue Sep 3 14:24:47 2024 +0300 RDMA/mlx5: Drop redundant work canceling from clean_keys() [ Upstream commit 30e6bd8d3b5639f8f4261e5e6c0917ce264b8dc2 ] The canceling of dealyed work in clean_keys() is a leftover from years back and was added to prevent races in the cleanup process of MR cache. The cleanup process was rewritten a few years ago and the canceling of delayed work and flushing of workqueue was added before the call to clean_keys(). Signed-off-by: Michael Guralnik Link: https://patch.msgid.link/943d21f5a9dba7b98a3e1d531e3561ffe9745d71.1725362530.git.leon@kernel.org Signed-off-by: Leon Romanovsky Stable-dep-of: 7ebb00cea49d ("RDMA/mlx5: Fix MR cache temp entries cleanup") Signed-off-by: Sasha Levin commit 73cfd0d3e609e42701f95d76c73618e825d33042 Author: Michael Guralnik Date: Tue Sep 3 14:24:49 2024 +0300 RDMA/mlx5: Limit usage of over-sized mkeys from the MR cache [ Upstream commit ee6d57a2e13d11ce9050cfc3e3b69ef707a44a63 ] When searching the MR cache for suitable cache entries, don't use mkeys larger than twice the size required for the MR. This should ensure the usage of mkeys closer to the minimal required size and reduce memory waste. On driver init we create entries for mkeys with clear attributes and powers of 2 sizes from 4 to the max supported size. This solves the issue for anyone using mkeys that fit these requirements. In the use case where an MR is registered with different attributes, like an access flag we can't UMR, we'll create a new cache entry to store it upon dereg. Without this fix, any later registration with same attributes and smaller size will use the newly created cache entry and it's mkeys, disregarding the memory waste of using mkeys larger than required. For example, one worst-case scenario can be when registering and deregistering a 1GB mkey with ATS enabled which will cause the creation of a new cache entry to hold those type of mkeys. A user registering a 4k MR with ATS will end up using the new cache entry and an mkey that can support a 1GB MR, thus wasting x250k memory than actually needed in the HW. Additionally, allow all small registration to use the smallest size cache entry that is initialized on driver load even if size is larger than twice the required size. Fixes: 73d09b2fe833 ("RDMA/mlx5: Introduce mlx5r_cache_rb_key") Signed-off-by: Michael Guralnik Link: https://patch.msgid.link/8ba3a6e3748aace2026de8b83da03aba084f78f4.1725362530.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 9d016e5f16705791afe9923142bba7f6a936de0f Author: Michael Guralnik Date: Tue Sep 3 14:24:48 2024 +0300 RDMA/mlx5: Fix counter update on MR cache mkey creation [ Upstream commit 6f5cd6ac9a4201e4ba6f10b76a9da8044d6e38b0 ] After an mkey is created, update the counter for pending mkeys before reshceduling the work that is filling the cache. Rescheduling the work with a full MR cache entry and a wrong 'pending' counter will cause us to miss disabling the fill_to_high_water flag. Thus leaving the cache full but with an indication that it's still needs to be filled up to it's full size (2 * limit). Next time an mkey will be taken from the cache, we'll unnecessarily continue the process of filling the cache to it's full size. Fixes: 57e7071683ef ("RDMA/mlx5: Implement mkeys management via LIFO queue") Signed-off-by: Michael Guralnik Link: https://patch.msgid.link/0f44f462ba22e45f72cb3d0ec6a748634086b8d0.1725362530.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit c77d8160326522d704aafd12f0601fe833ff950b Author: Cheng Xu Date: Mon Sep 2 19:29:20 2024 +0800 RDMA/erdma: Return QP state in erdma_query_qp [ Upstream commit e77127ff6416b17e0b3e630ac46ee5c9a6570f57 ] Fix qp_state and cur_qp_state to return correct values in struct ib_qp_attr. Fixes: 155055771704 ("RDMA/erdma: Add verbs implementation") Signed-off-by: Cheng Xu Link: https://patch.msgid.link/20240902112920.58749-4-chengyou@linux.alibaba.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit aeb0335971806e15ac91e838ca471936c8e7efd5 Author: Alexandra Diupina Date: Tue Sep 3 14:58:23 2024 +0300 PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port() [ Upstream commit c500a86693a126c9393e602741e348f80f1b0fc5 ] Within kirin_pcie_parse_port(), the pcie->num_slots is compared to pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead to an overflow. Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move pcie->num_slots increment below the if-statement to avoid out-of-bounds array access. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: b22dbbb24571 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge") Link: https://lore.kernel.org/linux-pci/20240903115823.30647-1-adiupina@astralinux.ru Signed-off-by: Alexandra Diupina [kwilczynski: commit log] Signed-off-by: Krzysztof Wilczyński Reviewed-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit fc08c1fa438656371af05a7214f7b6bcd2bdbb3e Author: Jason Gunthorpe Date: Thu Aug 29 10:19:59 2024 -0300 iommufd: Check the domain owner of the parent before creating a nesting domain [ Upstream commit 73183ad6ea51029d04b098286dcee98d715015f1 ] This check was missed, before we can pass a struct iommu_domain to a driver callback we need to validate that the domain was created by that driver. Fixes: bd529dbb661d ("iommufd: Add a nested HW pagetable object") Link: https://patch.msgid.link/r/0-v1-c8770519edde+1a-iommufd_nesting_ops_jgg@nvidia.com Reviewed-by: Nicolin Chen Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit f15611fc1a2f0805937b98c5b72a7ba8063205b6 Author: Frank Li Date: Mon Aug 26 17:38:32 2024 -0400 dt-bindings: PCI: layerscape-pci: Replace fsl,lx2160a-pcie with fsl,lx2160ar2-pcie [ Upstream commit 1a1bf58897d20fc38b454dfecd2771e142d36966 ] The fsl,lx2160a-pcie compatible is used for mobivel according to the Documentation/devicetree/bindings/pci/layerscape-pcie-gen4.txt file. Whereas the fsl,layerscape-pcie is used for DesignWare PCIe controller binding. So change it to fsl,lx2160ar2-pcie and allow a fall back to fsl,ls2088a-pcie. While at it, sort compatible string. Fixes: 24cd7ecb3886 ("dt-bindings: PCI: layerscape-pci: Convert to YAML format") Link: https://lore.kernel.org/linux-pci/20240826-2160r2-v1-1-106340d538d6@nxp.com Signed-off-by: Frank Li [kwilczynski: commit log] Signed-off-by: Krzysztof Wilczyński Reviewed-by: Rob Herring (Arm) Signed-off-by: Sasha Levin commit 290fe42fe0165205c4451334d8833a9202ae1d52 Author: Patrisious Haddad Date: Mon Sep 2 13:36:33 2024 +0300 IB/core: Fix ib_cache_setup_one error flow cleanup [ Upstream commit 1403c8b14765eab805377dd3b75e96ace8747aed ] When ib_cache_update return an error, we exit ib_cache_setup_one instantly with no proper cleanup, even though before this we had already successfully done gid_table_setup_one, that results in the kernel WARN below. Do proper cleanup using gid_table_cleanup_one before returning the err in order to fix the issue. WARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0 Modules linked in: CPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:gid_table_release_one+0x181/0x1a0 Code: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8 3 c4 10 5b 5d 41 5c 41 5d 41 RSP: 0018:ffffc90002b835b0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527 RDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001 RBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631 R10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001 R13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001 FS: 00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? show_regs+0x94/0xa0 ? __warn+0x9e/0x1c0 ? gid_table_release_one+0x181/0x1a0 ? report_bug+0x1f9/0x340 ? gid_table_release_one+0x181/0x1a0 ? handle_bug+0xa2/0x110 ? exc_invalid_op+0x31/0xa0 ? asm_exc_invalid_op+0x16/0x20 ? __warn_printk+0xc7/0x180 ? __warn_printk+0xd4/0x180 ? gid_table_release_one+0x181/0x1a0 ib_device_release+0x71/0xe0 ? __pfx_ib_device_release+0x10/0x10 device_release+0x44/0xd0 kobject_put+0x135/0x3d0 put_device+0x20/0x30 rxe_net_add+0x7d/0xa0 rxe_newlink+0xd7/0x190 nldev_newlink+0x1b0/0x2a0 ? __pfx_nldev_newlink+0x10/0x10 rdma_nl_rcv_msg+0x1ad/0x2e0 rdma_nl_rcv_skb.constprop.0+0x176/0x210 netlink_unicast+0x2de/0x400 netlink_sendmsg+0x306/0x660 __sock_sendmsg+0x110/0x120 ____sys_sendmsg+0x30e/0x390 ___sys_sendmsg+0x9b/0xf0 ? kstrtouint+0x6e/0xa0 ? kstrtouint_from_user+0x7c/0xb0 ? get_pid_task+0xb0/0xd0 ? proc_fail_nth_write+0x5b/0x140 ? __fget_light+0x9a/0x200 ? preempt_count_add+0x47/0xa0 __sys_sendmsg+0x61/0xd0 do_syscall_64+0x50/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fixes: 1901b91f9982 ("IB/core: Fix potential NULL pointer dereference in pkey cache") Signed-off-by: Patrisious Haddad Reviewed-by: Maher Sanalla Link: https://patch.msgid.link/79137687d829899b0b1c9835fcb4b258004c439a.1725273354.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 99e2de5942b0390ddc24efada71edc6593e23f05 Author: Chris Mi Date: Mon Sep 2 13:35:40 2024 +0300 IB/mlx5: Fix UMR pd cleanup on error flow of driver init [ Upstream commit 112e6e83a894260cc7efe79a1fc47d4d51461742 ] The cited commit moves the pd allocation from function mlx5r_umr_resource_cleanup() to a new function mlx5r_umr_cleanup(). So the fix in commit [1] is broken. In error flow, will hit panic [2]. Fix it by checking pd pointer to avoid panic if it is NULL; [1] RDMA/mlx5: Fix UMR cleanup on error flow of driver init [2] [ 347.567063] infiniband mlx5_0: Couldn't register device with driver model [ 347.591382] BUG: kernel NULL pointer dereference, address: 0000000000000020 [ 347.593438] #PF: supervisor read access in kernel mode [ 347.595176] #PF: error_code(0x0000) - not-present page [ 347.596962] PGD 0 P4D 0 [ 347.601361] RIP: 0010:ib_dealloc_pd_user+0x12/0xc0 [ib_core] [ 347.604171] RSP: 0018:ffff888106293b10 EFLAGS: 00010282 [ 347.604834] RAX: 0000000000000000 RBX: 000000000000000e RCX: 0000000000000000 [ 347.605672] RDX: ffff888106293ad0 RSI: 0000000000000000 RDI: 0000000000000000 [ 347.606529] RBP: 0000000000000000 R08: ffff888106293ae0 R09: ffff888106293ae0 [ 347.607379] R10: 0000000000000a06 R11: 0000000000000000 R12: 0000000000000000 [ 347.608224] R13: ffffffffa0704dc0 R14: 0000000000000001 R15: 0000000000000001 [ 347.609067] FS: 00007fdc720cd9c0(0000) GS:ffff88852c880000(0000) knlGS:0000000000000000 [ 347.610094] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 347.610727] CR2: 0000000000000020 CR3: 0000000103012003 CR4: 0000000000370eb0 [ 347.611421] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 347.612113] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 347.612804] Call Trace: [ 347.613130] [ 347.613417] ? __die+0x20/0x60 [ 347.613793] ? page_fault_oops+0x150/0x3e0 [ 347.614243] ? free_msg+0x68/0x80 [mlx5_core] [ 347.614840] ? cmd_exec+0x48f/0x11d0 [mlx5_core] [ 347.615359] ? exc_page_fault+0x74/0x130 [ 347.615808] ? asm_exc_page_fault+0x22/0x30 [ 347.616273] ? ib_dealloc_pd_user+0x12/0xc0 [ib_core] [ 347.616801] mlx5r_umr_cleanup+0x23/0x90 [mlx5_ib] [ 347.617365] mlx5_ib_stage_pre_ib_reg_umr_cleanup+0x36/0x40 [mlx5_ib] [ 347.618025] __mlx5_ib_add+0x96/0xd0 [mlx5_ib] [ 347.618539] mlx5r_probe+0xe9/0x310 [mlx5_ib] [ 347.619032] ? kernfs_add_one+0x107/0x150 [ 347.619478] ? __mlx5_ib_add+0xd0/0xd0 [mlx5_ib] [ 347.619984] auxiliary_bus_probe+0x3e/0x90 [ 347.620448] really_probe+0xc5/0x3a0 [ 347.620857] __driver_probe_device+0x80/0x160 [ 347.621325] driver_probe_device+0x1e/0x90 [ 347.621770] __driver_attach+0xec/0x1c0 [ 347.622213] ? __device_attach_driver+0x100/0x100 [ 347.622724] bus_for_each_dev+0x71/0xc0 [ 347.623151] bus_add_driver+0xed/0x240 [ 347.623570] driver_register+0x58/0x100 [ 347.623998] __auxiliary_driver_register+0x6a/0xc0 [ 347.624499] ? driver_register+0xae/0x100 [ 347.624940] ? 0xffffffffa0893000 [ 347.625329] mlx5_ib_init+0x16a/0x1e0 [mlx5_ib] [ 347.625845] do_one_initcall+0x4a/0x2a0 [ 347.626273] ? gcov_event+0x2e2/0x3a0 [ 347.626706] do_init_module+0x8a/0x260 [ 347.627126] init_module_from_file+0x8b/0xd0 [ 347.627596] __x64_sys_finit_module+0x1ca/0x2f0 [ 347.628089] do_syscall_64+0x4c/0x100 Fixes: 638420115cc4 ("IB/mlx5: Create UMR QP just before first reg_mr occurs") Signed-off-by: Chris Mi Reviewed-by: Jianbo Liu Link: https://patch.msgid.link/778c40c60287992da5d6ec92bb07b67f7bb5e6ef.1725273295.git.leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 3e7ed3367d12fb68d08ef699eeaefcefb48c09ef Author: Wang Jianzheng Date: Thu Aug 29 14:48:23 2024 +0800 pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function [ Upstream commit c25478419f6fd3f74c324a21ec007cf14f2688d7 ] When an error occurs during the execution of the function __devinit_dove_pinctrl_probe, the clk is not properly disabled. Fix this by calling clk_disable_unprepare before return. Fixes: ba607b6238a1 ("pinctrl: mvebu: make pdma clock on dove mandatory") Signed-off-by: Wang Jianzheng Link: https://lore.kernel.org/20240829064823.19808-1-wangjianzheng@vivo.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 4d482fc8cf00ca0ee58f675655ccb42880b90c4f Author: Jeff Layton Date: Wed Jul 10 09:05:32 2024 -0400 nfsd: fix refcount leak when file is unhashed after being found [ Upstream commit 8a7926176378460e0d91e02b03f0ff20a8709a60 ] If we wait_for_construction and find that the file is no longer hashed, and we're going to retry the open, the old nfsd_file reference is currently leaked. Put the reference before retrying. Fixes: c6593366c0bf ("nfsd: don't kill nfsd_files because of lease break error") Signed-off-by: Jeff Layton Tested-by: Youzhong Yang Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 2067aaa7c62f8e3996bc41f34b04b2d9311608a0 Author: Jeff Layton Date: Thu Jul 11 15:11:13 2024 -0400 nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire [ Upstream commit 81a95c2b1d605743220f28db04b8da13a65c4059 ] Given that we do the search and insertion while holding the i_lock, I don't think it's possible for us to get EEXIST here. Remove this case. Fixes: c6593366c0bf ("nfsd: don't kill nfsd_files because of lease break error") Signed-off-by: Jeff Layton Tested-by: Youzhong Yang Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 8f596915a540b662ca3e215cf18903ef53e22480 Author: Alexander Shiyan Date: Thu Aug 29 08:28:20 2024 +0300 clk: rockchip: rk3588: Fix 32k clock name for pmu_24m_32k_100m_src_p [ Upstream commit 0d02e8d284a45bfa8997ebe8764437b8eb6b108b ] The 32kHz input clock is named "xin32k" in the driver, so the name "32k" appears to be a typo in this case. Lets fix this. Signed-off-by: Alexander Shiyan Reviewed-by: Dragan Simic Fixes: f1c506d152ff ("clk: rockchip: add clock controller for the RK3588") Link: https://lore.kernel.org/r/20240829052820.3604-1-eagle.alexander923@gmail.com Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit c876c07273523cc412f9cf4f9832ee3ed03eabf7 Author: Yuntao Liu Date: Thu Aug 15 09:38:53 2024 +0000 clk: starfive: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync() usage [ Upstream commit 55c312c1b2be6d43e39c280ad6ab4b711e545b89 ] We need to call pm_runtime_put_noidle() when pm_runtime_get_sync() fails, so use pm_runtime_resume_and_get() instead. this function will handle this. Fixes: dae5448a327ed ("clk: starfive: Add StarFive JH7110 Video-Output clock driver") Signed-off-by: Yuntao Liu Link: https://lore.kernel.org/r/20240815093853.757487-1-liuyuntao12@huawei.com Reviewed-by: Xingyu Wu Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 50b83f798198618ec233523ed0aa0f7d594ef21b Author: David Lechner Date: Mon Aug 26 10:35:29 2024 -0500 clk: ti: dra7-atl: Fix leak of of_nodes [ Upstream commit 9d6e9f10e2e031fb7bfb3030a7d1afc561a28fea ] This fix leaking the of_node references in of_dra7_atl_clk_probe(). The docs for of_parse_phandle_with_args() say that the caller must call of_node_put() on the returned node. This adds the missing of_node_put() to fix the leak. Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)") Signed-off-by: David Lechner Link: https://lore.kernel.org/r/20240826-clk-fix-leak-v1-1-f55418a13aa6@baylibre.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit c8b7f3d9fada0d4b4b7db86bf7345cd61f1d972e Author: Md Haris Iqbal Date: Wed Aug 21 13:22:12 2024 +0200 RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds [ Upstream commit 3e4289b29e216a55d08a89e126bc0b37cbad9f38 ] In the function init_conns(), after the create_con() and create_cm() for loop if something fails. In the cleanup for loop after the destroy tag, we access out of bound memory because cid is set to clt_path->s.con_num. This commits resets the cid to clt_path->s.con_num - 1, to stay in bounds in the cleanup loop later. Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") Signed-off-by: Md Haris Iqbal Signed-off-by: Jack Wang Signed-off-by: Grzegorz Prajsner Link: https://patch.msgid.link/20240821112217.41827-7-haris.iqbal@ionos.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit af79cda0633309c0d7eb709f8017bc091fd25957 Author: Jack Wang Date: Wed Aug 21 13:22:10 2024 +0200 RDMA/rtrs: Reset hb_missed_cnt after receiving other traffic from peer [ Upstream commit 3258cbbd86deaa2675e1799bc3d18bd1ef472641 ] Reset hb_missed_cnt after receiving traffic from other peer, so hb is more robust again high load on host or network. Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") Signed-off-by: Jack Wang Signed-off-by: Md Haris Iqbal Signed-off-by: Grzegorz Prajsner Link: https://patch.msgid.link/20240821112217.41827-5-haris.iqbal@ionos.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit b16a37f2a77f0624d73fe2c7b2aeea2255d31288 Author: Geert Uytterhoeven Date: Mon Jul 22 17:25:53 2024 +0200 media: imagination: VIDEO_E5010_JPEG_ENC should depend on ARCH_K3 [ Upstream commit afe6ec667e8846c8470d32789cebbc435588972d ] Currently, the Imagination E5010 JPEG Encoder is only present on Texas Instruments K3 SoCs. Hence add a dependency on ARCH_K3, to prevent asking the user about this driver when configuring a kernel without TI K3 SoC support. The dependency can be relaxed if/when the encoder appears on other SoC families. Fixes: a1e294045885 ("media: imagination: Add E5010 JPEG Encoder driver") Signed-off-by: Geert Uytterhoeven Signed-off-by: Sebastian Fricke Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 790d1848fac5ac3b1c474f66162598ab07a20c21 Author: Yunfei Dong Date: Thu Jun 13 17:33:57 2024 +0800 media: mediatek: vcodec: Fix H264 stateless decoder smatch warning [ Upstream commit 7878d3a385efab560dce793b595447867fb163f2 ] Fix a smatch static checker warning on vdec_h264_req_if.c. Which leads to a kernel crash when fb is NULL. Fixes: 06fa5f757dc5 ("media: mtk-vcodec: vdec: support stateless H.264 decoding") Signed-off-by: Yunfei Dong Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Sebastian Fricke Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 3167aa42941b68405a092df114453ef0f1b09c2c Author: Yunfei Dong Date: Thu Jun 13 17:33:56 2024 +0800 media: mediatek: vcodec: Fix VP8 stateless decoder smatch warning [ Upstream commit b113bc7c0e83b32f4dd2d291a2b6c4803e0a2c44 ] Fix a smatch static checker warning on vdec_vp8_req_if.c. Which leads to a kernel crash when fb is NULL. Fixes: 7a7ae26fd458 ("media: mediatek: vcodec: support stateless VP8 decoding") Signed-off-by: Yunfei Dong Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Sebastian Fricke Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 301f7778263116388c20521a1a641067647ab31c Author: Yunfei Dong Date: Thu Jun 13 17:33:55 2024 +0800 media: mediatek: vcodec: Fix H264 multi stateless decoder smatch warning [ Upstream commit 9be85491619f1953b8a29590ca630be571941ffa ] Fix a smatch static checker warning on vdec_h264_req_multi_if.c. Which leads to a kernel crash when fb is NULL. Fixes: 397edc703a10 ("media: mediatek: vcodec: add h264 decoder driver for mt8186") Signed-off-by: Yunfei Dong Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Sebastian Fricke Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 8b983974e91f5bb8e68d50189f78e6e03fb11513 Author: Selvin Xavier Date: Sun Aug 18 21:47:25 2024 -0700 RDMA/bnxt_re: Fix the table size for PSN/MSN entries [ Upstream commit b930d0bac9c671c053dd66229010ca9298e84aab ] HW MSN table size is always a power of 2. So the pages should be mapped accordingly. Use the power of two calculation while get the number of PSN/MSN entries. Fixes: 6f6bfbc595fb ("RDMA/bnxt_re: Expose the MSN table capability for user library") Link: https://patch.msgid.link/r/1724042847-1481-4-git-send-email-selvin.xavier@broadcom.com Signed-off-by: Selvin Xavier Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 504b55364d9e2d8c1c48a4d69e2c33361cec40a5 Author: Jason Gunthorpe Date: Thu Aug 22 11:47:09 2024 -0300 iommufd/selftest: Fix buffer read overrrun in the dirty test [ Upstream commit 79ea4a496ab5c970a3a793d863ed8893b1af107c ] test_bit() is used to read the memory storing the bitmap, however test_bit() always uses a unsigned long 8 byte access. If the bitmap is not an aligned size of 64 bits this will now trigger a KASAN warning reading past the end of the buffer. Properly round the buffer allocation to an unsigned long size. Continue to copy_from_user() using a byte granularity. Fixes: 9560393b830b ("iommufd/selftest: Fix iommufd_test_dirty() to handle Reviewed-by: Kevin Tian Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit f2d57fe612cb2b9a6f73c5de41a9ebf146acb35b Author: Claudiu Beznea Date: Sun Jul 14 17:13:15 2024 +0300 clk: at91: sama7g5: Allocate only the needed amount of memory for PLLs [ Upstream commit 2d6e9ee7cb3e79b1713783c633b13af9aeffc90c ] The maximum number of PLL components on SAMA7G5 is 3 (one fractional part and 2 dividers). Allocate the needed amount of memory for sama7g5_plls 2d array. Previous code used to allocate 7 array entries for each PLL. While at it, replace 3 with PLL_COMPID_MAX in the loop which parses the sama7g5_plls 2d array. Fixes: cb783bbbcf54 ("clk: at91: sama7g5: add clock support for sama7g5") Acked-by: Stephen Boyd Link: https://lore.kernel.org/r/20240714141315.19480-1-claudiu.beznea@tuxon.dev Signed-off-by: Claudiu Beznea Signed-off-by: Sasha Levin commit 4809b546d611d5b02d8cfca8bf2f0915c85d477e Author: Yang Yingliang Date: Mon Aug 19 10:46:25 2024 +0800 pinctrl: single: fix missing error code in pcs_probe() [ Upstream commit cacd8cf79d7823b07619865e994a7916fcc8ae91 ] If pinctrl_enable() fails in pcs_probe(), it should return the error code. Fixes: 8f773bfbdd42 ("pinctrl: single: fix possible memory leak when pinctrl_enable() fails") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/20240819024625.154441-1-yangyingliang@huaweicloud.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit a09dc967b3c58899e259c0aea092f421d22a0b04 Author: Zhu Yanjun Date: Tue Aug 20 13:33:36 2024 +0200 RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency [ Upstream commit 86dfdd8288907f03c18b7fb462e0e232c4f98d89 ] In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs"), the function flush_workqueue is invoked to flush the work queue iwcm_wq. But at that time, the work queue iwcm_wq was created via the function alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM. Because the current process is trying to flush the whole iwcm_wq, if iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current process is not reclaiming memory or running on a workqueue which doesn't have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to a deadlock. The call trace is as below: [ 125.350876][ T1430] Call Trace: [ 125.356281][ T1430] [ 125.361285][ T1430] ? __warn (kernel/panic.c:693) [ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219) [ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239) [ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1)) [ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621) [ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9)) [ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970) [ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151) [ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm [ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910) [ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) [ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161) [ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm [ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma [ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma [ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231) [ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393) [ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339) [ 125.531837][ T1430] kthread (kernel/kthread.c:389) [ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342) [ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147) [ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342) [ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) [ 125.566487][ T1430] [ 125.566488][ T1430] ---[ end trace 0000000000000000 ]--- Fixes: aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") Link: https://patch.msgid.link/r/20240820113336.19860-1-yanjun.zhu@linux.dev Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202408151633.fc01893c-oliver.sang@intel.com Tested-by: kernel test robot Signed-off-by: Zhu Yanjun Reviewed-by: Bart Van Assche Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 72bca0313a820af7b013a27a0ef1d6ed06e6ce57 Author: Biju Das Date: Wed Jul 31 17:49:32 2024 +0100 media: platform: rzg2l-cru: rzg2l-csi2: Add missing MODULE_DEVICE_TABLE [ Upstream commit 07668fb0f867388bfdac0b60dbf51a4ad789f8e7 ] The rzg2l-csi2 driver can be compiled as a module, but lacks MODULE_DEVICE_TABLE() and will therefore not be loaded automatically. Fix this. Fixes: 51e8415e39a9 ("media: platform: Add Renesas RZ/G2L MIPI CSI-2 receiver driver") Signed-off-by: Biju Das Reviewed-by: Laurent Pinchart Link: https://lore.kernel.org/r/20240731164935.308994-1-biju.das.jz@bp.renesas.com Signed-off-by: Laurent Pinchart Signed-off-by: Sasha Levin commit 62329c829003286af7209aa842bbb9b7e74b5e2a Author: Kees Cook Date: Tue Jul 16 14:24:59 2024 -0700 leds: gpio: Set num_leds after allocation [ Upstream commit 045391a02bd971d431c83ad03f7cc51b6e2fe331 ] With the new __counted_by annotation, the "num_leds" variable needs to valid for accesses to the "leds" array. This requirement is not met in gpio_leds_create(), since "num_leds" starts at "0", so "leds" index "0" will not be considered valid (num_leds would need to be "1" to access index "0"). Fix this by setting the allocation size after allocation, and then update the final count based on how many were actually added to the array. Fixes: 52cd75108a42 ("leds: gpio: Annotate struct gpio_leds_priv with __counted_by") Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/20240716212455.work.809-kees@kernel.org Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit b215026c30cb31624a2618e0676bc17d582f3b2f Author: Sean Anderson Date: Fri May 31 12:13:35 2024 -0400 PCI: xilinx-nwl: Clean up clock on probe failure/removal [ Upstream commit cfd67903977b13f63340a4eb5a1cc890994f2c62 ] Make sure we turn off the clock on probe failure and device removal. Fixes: de0a01f52966 ("PCI: xilinx-nwl: Enable the clock through CCF") Link: https://lore.kernel.org/r/20240531161337.864994-6-sean.anderson@linux.dev Signed-off-by: Sean Anderson Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 6762b859d97c2f2c85c48abf680161a11dcf7960 Author: Sean Anderson Date: Fri May 31 12:13:33 2024 -0400 PCI: xilinx-nwl: Fix register misspelling [ Upstream commit a437027ae1730b8dc379c75fa0dd7d3036917400 ] MSIC -> MISC Fixes: c2a7ff18edcd ("PCI: xilinx-nwl: Expand error logging") Link: https://lore.kernel.org/r/20240531161337.864994-4-sean.anderson@linux.dev Signed-off-by: Sean Anderson Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit cdf0dfb3d183bbe0d0b6a6622c53d105074ad384 Author: Li Zhijian Date: Mon Aug 19 14:20:44 2024 +0800 nvdimm: Fix devs leaks in scan_labels() [ Upstream commit 62c2aa6b1f565d2fc1ec11a6e9e8336ce37a6426 ] scan_labels() leaks memory when label scanning fails and it falls back to just creating a default "seed" namespace for userspace to configure. Root can force the kernel to leak memory. Allocate the minimum resources unconditionally and release them when unneeded to avoid the memory leak. A kmemleak reports: unreferenced object 0xffff88800dda1980 (size 16): comm "kworker/u10:5", pid 69, jiffies 4294671781 hex dump (first 16 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 0): [<00000000c5dea560>] __kmalloc+0x32c/0x470 [<000000009ed43c83>] nd_region_register_namespaces+0x6fb/0x1120 [libnvdimm] [<000000000e07a65c>] nd_region_probe+0xfe/0x210 [libnvdimm] [<000000007b79ce5f>] nvdimm_bus_probe+0x7a/0x1e0 [libnvdimm] [<00000000a5f3da2e>] really_probe+0xc6/0x390 [<00000000129e2a69>] __driver_probe_device+0x78/0x150 [<000000002dfed28b>] driver_probe_device+0x1e/0x90 [<00000000e7048de2>] __device_attach_driver+0x85/0x110 [<0000000032dca295>] bus_for_each_drv+0x85/0xe0 [<00000000391c5a7d>] __device_attach+0xbe/0x1e0 [<0000000026dabec0>] bus_probe_device+0x94/0xb0 [<00000000c590d936>] device_add+0x656/0x870 [<000000003d69bfaa>] nd_async_device_register+0xe/0x50 [libnvdimm] [<000000003f4c52a4>] async_run_entry_fn+0x2e/0x110 [<00000000e201f4b0>] process_one_work+0x1ee/0x600 [<000000006d90d5a9>] worker_thread+0x183/0x350 Cc: Dave Jiang Cc: Ira Weiny Fixes: 1b40e09a1232 ("libnvdimm: blk labels and namespace instantiation") Suggested-by: Dan Williams Signed-off-by: Li Zhijian Reviewed-by: Dan Williams Reviewed-by: Ira Weiny Link: https://patch.msgid.link/20240819062045.1481298-1-lizhijian@fujitsu.com Signed-off-by: Ira Weiny Signed-off-by: Sasha Levin commit b7fcb4e0067125f3ac287c7ddb8b54867b2e047b Author: Samasth Norway Ananda Date: Mon Aug 12 13:26:59 2024 -0700 x86/PCI: Check pcie_find_root_port() return for NULL [ Upstream commit dbc3171194403d0d40e4bdeae666f6e76e428b53 ] If pcie_find_root_port() is unable to locate a Root Port, it will return NULL. Check the pointer for NULL before dereferencing it. This particular case is in a quirk for devices that are always below a Root Port, so this won't avoid a problem and doesn't need to be backported, but check as a matter of style and to prevent copy/paste mistakes. Link: https://lore.kernel.org/r/20240812202659.1649121-1-samasth.norway.ananda@oracle.com Signed-off-by: Samasth Norway Ananda [bhelgaas: drop Fixes: and explain why there's no problem in this case] Signed-off-by: Bjorn Helgaas Reviewed-by: Mario Limonciello Signed-off-by: Sasha Levin commit 689daba8dce00412931d781eb70dfce8d0647945 Author: Javier Carrasco Date: Wed Aug 7 15:37:03 2024 +0200 leds: pca995x: Fix device child node usage in pca995x_probe() [ Upstream commit 82c5ada1f9d05902a4ccb926c7ce34e2fe699283 ] The current implementation accesses the `child` fwnode handle outside of device_for_each_child_node() without incrementing its refcount. Add the missing call to `fwnode_handle_get(child)`. The cleanup process where `child` is accessed is not right either because a single call to `fwnode_handle_put()` is carried out in case of an error, ignoring unasigned nodes at the point when the error happens. Keep `child` inside of the first loop, and use the helper pointer that receives references via `fwnode_handle_get()` to handle the child nodes within the second loop. Keeping `child` inside the first node has also the advantage that the scoped version of the loop can be used. Fixes: ee4e80b2962e ("leds: pca995x: Add support for PCA995X chips") Signed-off-by: Javier Carrasco Link: https://lore.kernel.org/r/20240807-leds-pca995x-fix-fwnode-usage-v1-1-8057c84dc583@gmail.com Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit affb3e45450e17d797e9ff85827c05b2c8870e48 Author: Javier Carrasco Date: Mon Aug 5 16:49:45 2024 +0200 leds: pca995x: Use device_for_each_child_node() to access device child nodes [ Upstream commit 6eefd65ba6ae29ab801f6461e59c10f93dd496f8 ] The iterated nodes are direct children of the device node, and the `device_for_each_child_node()` macro accounts for child node availability. `fwnode_for_each_available_child_node()` is meant to access the child nodes of an fwnode, and therefore not direct child nodes of the device node. Use `device_for_each_child_node()` to indicate device's direct child nodes. Signed-off-by: Javier Carrasco Reviewed-by: Jonathan Cameron Link: https://lore.kernel.org/r/20240805-device_for_each_child_node-available-v3-2-48243a4aa5c0@gmail.com Signed-off-by: Lee Jones Stable-dep-of: 82c5ada1f9d0 ("leds: pca995x: Fix device child node usage in pca995x_probe()") Signed-off-by: Sasha Levin commit 93214e827c1434d895a53e33d2a7b854a1dc4ed0 Author: Dmitry Baryshkov Date: Sun Aug 4 08:40:06 2024 +0300 clk: qcom: dispcc-sm8250: use special function for Lucid 5LPE PLL [ Upstream commit 362be5cbaec2a663eb86b7105313368b4a71fc1e ] According to msm-5.10 the lucid 5lpe PLLs have require slightly different configuration that trion / lucid PLLs, it doesn't set PLL_UPDATE_BYPASS bit. Add corresponding function and use it for the display clock controller on Qualcomm SM8350 platform. Fixes: 205737fe3345 ("clk: qcom: add support for SM8350 DISPCC") Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-2-1149dd8399fe@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit c9beb754bc5747fc73d492720174512f56a0dec2 Author: Varadarajan Narayanan Date: Tue Jul 30 11:18:15 2024 +0530 clk: qcom: ipq5332: Register gcc_qdss_tsctr_clk_src [ Upstream commit 0e1ac23dfa3f635e486fdeb08206b981cb0a2a6b ] gcc_qdss_tsctr_clk_src (enabled in the boot loaders and dependent on gpll4_main) was not registered as one of the ipq5332 clocks. Hence clk_disable_unused() disabled 'gpll4_main' assuming there were no consumers for 'gpll4_main' resulting in system freeze or reboots. Reviewed-by: Dmitry Baryshkov Fixes: 3d89d52970fd ("clk: qcom: add Global Clock controller (GCC) driver for IPQ5332 SoC") Signed-off-by: Varadarajan Narayanan Link: https://lore.kernel.org/r/20240730054817.1915652-4-quic_varada@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 6537ec3b18313d9dddd8ec6cbd4d118ffe342e93 Author: Uwe Kleine-König Date: Wed Apr 24 16:02:48 2024 +0200 media: staging: media: starfive: camss: Drop obsolete return value documentation [ Upstream commit 044fcf738a56d915514e2d651333395b3f8daa62 ] Recently the function stfcamss_remove() was changed to not return a value. Drop the documentation of the return value in the kernel doc. Fixes: b1f3677aebe5 ("media: staging: media: starfive: camss: Convert to platform remove callback returning void") Signed-off-by: Uwe Kleine-König Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 2171c5cb2fbc3e03af7e8116cd58736c09328655 Author: Dan Carpenter Date: Fri Jul 19 18:53:26 2024 -0500 PCI: keystone: Fix if-statement expression in ks_pcie_quirk() [ Upstream commit 6188a1c762eb9bbd444f47696eda77a5eae6207a ] This code accidentally uses && where || was intended. It potentially results in a NULL dereference. Thus, fix the if-statement expression to use the correct condition. Fixes: 86f271f22bbb ("PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)") Link: https://lore.kernel.org/linux-pci/1b762a93-e1b2-4af3-8c04-c8843905c279@stanley.mountain Signed-off-by: Dan Carpenter [kwilczynski: commit log] Signed-off-by: Krzysztof Wilczyński Reviewed-by: Manivannan Sadhasivam Reviewed-by: Siddharth Vadapalli Signed-off-by: Sasha Levin commit 8372bb25c3fe2d76b66756dd5ae3f4945e72bad0 Author: Takashi Sakamoto Date: Sat Aug 10 16:04:03 2024 +0900 firewire: core: correct range of block for case of switch statement [ Upstream commit ebb9d3ca8f7efc1b6a2f1750d1058eda444883d0 ] A commit d8527cab6c31 ("firewire: cdev: implement new event to notify response subaction with time stamp") adds an additional case, FW_CDEV_EVENT_RESPONSE2, into switch statement in complete_transaction(). However, the range of block is beyond to the case label and reaches neibour default label. This commit corrects the range of block. Fortunately, it has few impacts in practice since the local variable in the scope under the label is not used in codes under default label. Fixes: d8527cab6c31 ("firewire: cdev: implement new event to notify response subaction with time stamp") Link: https://lore.kernel.org/r/20240810070403.36801-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Sakamoto Signed-off-by: Sasha Levin commit 6a0d096b108162b6a75380292f4d45c91361330f Author: Ilpo Järvinen Date: Thu Aug 8 15:17:07 2024 +0300 PCI: Wait for Link before restoring Downstream Buses [ Upstream commit 3e40aa29d47e231a54640addf6a09c1f64c5b63f ] __pci_reset_bus() calls pci_bridge_secondary_bus_reset() to perform the reset and also waits for the Secondary Bus to become again accessible. __pci_reset_bus() then calls pci_bus_restore_locked() that restores the PCI devices connected to the bus, and if necessary, recursively restores also the subordinate buses and their devices. The logic in pci_bus_restore_locked() does not take into account that after restoring a device on one level, there might be another Link Downstream that can only start to come up after restore has been performed for its Downstream Port device. That is, the Link may require additional wait until it becomes accessible. Similarly, pci_slot_restore_locked() lacks wait. Amend pci_bus_restore_locked() and pci_slot_restore_locked() to wait for the Secondary Bus before recursively performing the restore of that bus. Fixes: 090a3c5322e9 ("PCI: Add pci_reset_slot() and pci_reset_bus()") Link: https://lore.kernel.org/r/20240808121708.2523-1-ilpo.jarvinen@linux.intel.com Signed-off-by: Ilpo Järvinen Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 952033f431a6ce2fc97546750214be2da2687503 Author: Geert Uytterhoeven Date: Mon Jul 22 17:28:28 2024 +0200 media: raspberrypi: VIDEO_RASPBERRYPI_PISP_BE should depend on ARCH_BCM2835 [ Upstream commit c8ad75010c5bafe014860f33fc73a887ab561209 ] Currently, the Raspberry Pi PiSP Backend (BE) ISP is only present on the Broadcom BCM2712-based Raspberry Pi 5. Hence add a dependency on ARCH_BCM2835, to prevent asking the user about this driver when configuring a kernel without Broadcom BCM2835 family support. The dependency can be relaxed if/when the encoder appears on other SoC families. Fixes: 12187bd5d4f8 ("media: raspberrypi: Add support for PiSP BE") Signed-off-by: Geert Uytterhoeven Acked-by: FLorian Fainelli Acked-by: Jacopo Mondi Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 042b101d7bf70616c4967c286ffa6fcca65babfb Author: Junlin Li Date: Wed Jul 3 01:50:23 2024 +0800 drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error [ Upstream commit 46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14 ] Ensure index in rtl2830_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue. Fixes: df70ddad81b4 ("[media] rtl2830: implement PID filter") Signed-off-by: Junlin Li Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit bedd42e07988dbdd124b23e758ffef7a681b9c60 Author: Junlin Li Date: Tue Jul 2 21:24:13 2024 +0800 drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error [ Upstream commit 8ae06f360cfaca2b88b98ca89144548b3186aab1 ] Ensure index in rtl2832_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access. Change the boundary check from index > 32 to index >= 32 to resolve this issue. Signed-off-by: Junlin Li Signed-off-by: Hans Verkuil Fixes: 4b01e01a81b6 ("[media] rtl2832: implement PID filter") [hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg] Signed-off-by: Sasha Levin commit 2f96a08e270be49ee2a8118ddf39f0e2763a96c0 Author: Emanuele Ghidoli Date: Mon Aug 5 10:55:11 2024 +0200 Input: ilitek_ts_i2c - add report id message validation [ Upstream commit 208989744a6f01bed86968473312d4e650e600b3 ] Ensure that the touchscreen response has correct "report id" byte before processing the touch data and discard other messages. Fixes: 42370681bd46 ("Input: Add support for ILITEK Lego Series") Signed-off-by: Emanuele Ghidoli Signed-off-by: Francesco Dolcini Link: https://lore.kernel.org/r/20240805085511.43955-3-francesco@dolcini.it Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit f2ad4e12abd064ce5d49182351bc8becb8578652 Author: Emanuele Ghidoli Date: Mon Aug 5 10:55:10 2024 +0200 Input: ilitek_ts_i2c - avoid wrong input subsystem sync [ Upstream commit 7d0b18cd5dc7429917812963611d961fd93cb44d ] For different reasons i2c transaction may fail or report id in the message may be wrong. Avoid closing the frame in this case as it will result in all contacts being dropped, indicating that nothing is touching the screen anymore, while usually it is not the case. Fixes: 42370681bd46 ("Input: Add support for ILITEK Lego Series") Signed-off-by: Emanuele Ghidoli Signed-off-by: Francesco Dolcini Link: https://lore.kernel.org/r/20240805085511.43955-2-francesco@dolcini.it Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit e88add73e1b2c8d309ef32d60b0a989c21d557be Author: Cristian Ciocaltea Date: Thu Jun 20 03:36:22 2024 +0300 phy: phy-rockchip-samsung-hdptx: Explicitly include pm_runtime.h [ Upstream commit 1b369ff94bc36d2e16c8a91c0ea8ebd329555976 ] Driver makes use of helpers from pm_runtime.h, but relies on the header file being implicitly included. Explicitly pull the header in to avoid potential build failures in some configurations. Fixes: 553be2830c5f ("phy: rockchip: Add Samsung HDMI/eDP Combo PHY driver") Reviewed-by: Heiko Stuebner Signed-off-by: Cristian Ciocaltea Link: https://lore.kernel.org/r/20240620-rk3588-hdmiphy-clkprov-v2-1-6a2d2164e508@collabora.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit a69def698af273f0f89cfd783cc2b683468fd00f Author: Christophe JAILLET Date: Tue Jul 9 22:37:43 2024 +0200 pinctrl: ti: ti-iodelay: Fix some error handling paths [ Upstream commit a9f2b249adeef2b9744a884355fa8f5e581d507f ] In the probe, if an error occurs after the ti_iodelay_pinconf_init_dev() call, it is likely that ti_iodelay_pinconf_deinit_dev() should be called, as already done in the remove function. Also in ti_iodelay_pinconf_init_dev(), if an error occurs after the first regmap_update_bits() call, it is also likely that the deinit() function should be called. The easier way to fix it is to add a devm_add_action_or_reset() at the rigtht place to have ti_iodelay_pinconf_deinit_dev() called when needed. Doing so, the .remove() function can be removed, and the associated platform_set_drvdata() call in the probe as well. Fixes: 003910ebc83b ("pinctrl: Introduce TI IOdelay configuration driver") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/0220fa5b925bd08e361be8206a5438f6229deaac.1720556038.git.christophe.jaillet@wanadoo.fr Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit b6c01b4dbe209f051e23e51e57658a57b9cfc1ab Author: Lad Prabhakar Date: Tue Jul 23 17:47:44 2024 +0100 pinctrl: renesas: rzg2l: Return -EINVAL if the pin doesn't support PIN_CFG_OEN [ Upstream commit d56abfed1c02814b5ee96b0ed1f989ea9d7f6cbb ] Update the rzg2l_pinctrl_pinconf_get() function to return -EINVAL for PIN_CONFIG_OUTPUT_ENABLE config if the pin doesn't support the PIN_CFG_OEN configuration. -EINVAL is a valid error when dumping the pin configurations. Returning -EOPNOTSUPP for a pin that does not support PIN_CFG_OEN resulted in the message 'ERROR READING CONFIG SETTING 16' being printed during dumping pinconf-pins. For consistency do similar change in rzg2l_pinctrl_pinconf_set() for PIN_CONFIG_OUTPUT_ENABLE config. Fixes: a9024a323af2 ("pinctrl: renesas: rzg2l: Clean up and refactor OEN read/write functions") Signed-off-by: Lad Prabhakar Tested-by: Claudiu Beznea Reviewed-by: Paul Barker Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/20240723164744.505233-1-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit e8af3b59fdc6b12ed1051d3a27fb2f73e553e29e Author: Javier Carrasco Date: Sun Jul 21 17:19:03 2024 +0200 leds: bd2606mvv: Fix device child node usage in bd2606mvv_probe() [ Upstream commit ffbf1fcb421429916a861cfc25dfe0c6387dda75 ] The current implementation accesses the `child` fwnode handle outside of fwnode_for_each_available_child_node() without incrementing its refcount. Add the missing call to `fwnode_handle_get(child)`. The cleanup process where `child` is accessed is not right either because a single call to `fwnode_handle_put()` is carried out in case of an error, ignoring unasigned nodes at the point when the error happens. Keep `child` inside of the first loop, and use the helper pointer that receives references via `fwnode_handle_get()` to handle the child nodes within the second loop. Moreover, the iterated nodes are direct children of the device node, and the `device_for_each_child_node()` macro accounts for child node availability. By restricting `child` to live within that loop, the scoped version of it can be used to simplify the error handling. `fwnode_for_each_available_child_node()` is meant to access the child nodes of an fwnode, and therefore not direct child nodes of the device node. Use `device_for_each_child_node_scoped()` to indicate device's direct child nodes. Fixes: 8325642d2757 ("leds: bd2606mvv: Driver for the Rohm 6 Channel i2c LED driver") Signed-off-by: Javier Carrasco Link: https://lore.kernel.org/r/20240721-device_for_each_child_node-available-v2-3-f33748fd8b2d@gmail.com Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 40e3ddd27689c63b3ad8ade6917dcd2b25982802 Author: Dmitry Baryshkov Date: Wed Jul 17 13:04:32 2024 +0300 clk: qcom: dispcc-sm8550: use rcg2_shared_ops for ESC RCGs [ Upstream commit c8bee3ff6c9220092b646ff929f9c832c1adab6d ] Follow the recommendations and park disp_cc_mdss_esc[01]_clk_src to the XO instead of disabling the clocks by using the clk_rcg2_shared_ops. Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver") Signed-off-by: Dmitry Baryshkov Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-5-5c4a3128c40b@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit d2cc2c6870fbb0b7cc5b9342b2e90269d0f9b043 Author: Dmitry Baryshkov Date: Wed Jul 17 13:04:31 2024 +0300 clk: qcom: dispcc-sm8650: Update the GDSC flags [ Upstream commit 7de10ddbdb9d03651cff5fbdc8cf01837c698526 ] Add missing POLL_CFG_GDSCR to the MDSS GDSC flags. Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver") Signed-off-by: Dmitry Baryshkov Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-4-5c4a3128c40b@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 7b8e98b6ba59d8b6895a78c612a0891f2e1a9fc3 Author: Dmitry Baryshkov Date: Wed Jul 17 13:04:29 2024 +0300 clk: qcom: dispcc-sm8550: use rcg2_ops for mdss_dptx1_aux_clk_src [ Upstream commit cb4c00698f2f27d99a69adcce659370ca286cf2a ] clk_dp_ops should only be used for DisplayPort pixel clocks. Use clk_rcg2_ops for disp_cc_mdss_dptx1_aux_clk_src. Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver") Signed-off-by: Dmitry Baryshkov Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-2-5c4a3128c40b@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit bc646f1c5bbf423018d8c7755ea59bb08d340cd1 Author: Dmitry Baryshkov Date: Wed Jul 17 13:04:28 2024 +0300 clk: qcom: dispcc-sm8550: fix several supposed typos [ Upstream commit 7b6a4b907297b28727933493b9e0c95494504634 ] Fix seveal odd-looking places in SM8550's dispcc driver: - duplicate entries in disp_cc_parent_map_4 and disp_cc_parent_map_5 - using &disp_cc_mdss_dptx0_link_div_clk_src as a source for disp_cc_mdss_dptx1_usb_router_link_intf_clk The SM8650 driver has been used as a reference. Fixes: 90114ca11476 ("clk: qcom: add SM8550 DISPCC driver") Signed-off-by: Dmitry Baryshkov Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20240717-dispcc-sm8550-fixes-v2-1-5c4a3128c40b@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 3ad7ffecf2f9d302b78534fce5ccb325661195e6 Author: Jonas Karlman Date: Sat Jun 15 17:03:53 2024 +0000 clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228 [ Upstream commit 1d34b9757523c1ad547bd6d040381f62d74a3189 ] Similar to DCLK_LCDC on RK3328, the DCLK_VOP on RK3228 is typically parented by the hdmiphy clk and it is expected that the DCLK_VOP and hdmiphy clk rate are kept in sync. Use CLK_SET_RATE_PARENT and CLK_SET_RATE_NO_REPARENT flags, same as used on RK3328, to make full use of all possible supported display modes. Fixes: 0a9d4ac08ebc ("clk: rockchip: set the clock ids for RK3228 VOP") Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228") Signed-off-by: Jonas Karlman Link: https://lore.kernel.org/r/20240615170417.3134517-3-jonas@kwiboo.se Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit cc9253bf9c86e69eae27a61cbbdff0ef04ddf4ba Author: Peng Fan Date: Fri Jul 19 16:36:13 2024 +0800 remoteproc: imx_rproc: Initialize workqueue earlier [ Upstream commit 858e57c1d3dd7b92cc0fa692ba130a0a5d57e49d ] Initialize workqueue before requesting mailbox channel, otherwise if mailbox interrupt comes before workqueue ready, the imx_rproc_rx_callback will trigger issue. Fixes: 2df7062002d0 ("remoteproc: imx_proc: enable virtio/mailbox") Signed-off-by: Peng Fan Reviewed-by: Daniel Baluta Link: https://lore.kernel.org/r/20240719-imx_rproc-v2-3-10d0268c7eb1@nxp.com Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit 939d0af7727ba764f61fa6a473e424e7a4602195 Author: Peng Fan Date: Fri Jul 19 16:36:11 2024 +0800 remoteproc: imx_rproc: Correct ddr alias for i.MX8M [ Upstream commit c901f817792822eda9cec23814a4621fa3e66695 ] The DDR Alias address should be 0x40000000 according to RM, so correct it. Fixes: 4ab8f9607aad ("remoteproc: imx_rproc: support i.MX8MQ/M") Reported-by: Terry Lv Reviewed-by: Iuliana Prodan Signed-off-by: Peng Fan Reviewed-by: Daniel Baluta Link: https://lore.kernel.org/r/20240719-imx_rproc-v2-1-10d0268c7eb1@nxp.com Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit a35ac2720e647ba5cecadf7d5e4dc2488a5f12cf Author: Kemeng Shi Date: Mon Jul 15 21:05:31 2024 +0800 quota: avoid missing put_quota_format when DQUOT_SUSPENDED is passed [ Upstream commit d16a5f852025be546b6e4ceef15899db3490f4d7 ] Avoid missing put_quota_format when DQUOT_SUSPENDED is passed to dquot_load_quota_sb. Link: https://patch.msgid.link/20240715130534.2112678-2-shikemeng@huaweicloud.com Signed-off-by: Kemeng Shi Fixes: d44c57663723 ("quota: Remove BUG_ON in dquot_load_quota_sb()") Reviewed-by: Joseph Qi Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 3ce2892d94e1a968e3fe1ad3714967a2c06f7145 Author: Peng Fan Date: Fri Jun 7 21:33:46 2024 +0800 clk: imx: imx8qxp: Parent should be initialized earlier than the clock [ Upstream commit 766c386c16c9899461b83573a06380d364c6e261 ] The initialization order of SCU clocks affects the sequence of SCU clock resume. If there are no other effects, the earlier the initialization, the earlier the resume. During SCU clock resume, the clock rate is restored. As SCFW guidelines, configure the parent clock rate before configuring the child rate. Fixes: babfaa9556d7 ("clk: imx: scu: add more scu clocks") Signed-off-by: Peng Fan Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20240607133347.3291040-15-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 48881f73cfab0cfb5fb4620f0c4b01538d0674af Author: Peng Fan Date: Fri Jun 7 21:33:45 2024 +0800 clk: imx: imx8qxp: Register dc0_bypass0_clk before disp clk [ Upstream commit e61352d5ecdc0da2e7253121c15d9a3e040f78a1 ] The initialization order of SCU clocks affects the sequence of SCU clock resume. If there are no other effects, the earlier the initialization, the earlier the resume. During SCU clock resume, the clock rate is restored. As SCFW guidelines, configure the parent clock rate before configuring the child rate. Fixes: 91e916771de0 ("clk: imx: scu: remove legacy scu clock binding support") Signed-off-by: Peng Fan Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20240607133347.3291040-14-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 630edd889d93a3f3fd08f85d8a800a2aaf7128d0 Author: Zhipeng Wang Date: Fri Jun 7 21:33:38 2024 +0800 clk: imx: imx8mp: fix clock tree update of TF-A managed clocks [ Upstream commit 3d29036853b9cb07ac49e8261fca82a940be5c41 ] On the i.MX8M*, the TF-A exposes a SiP (Silicon Provider) service for DDR frequency scaling. The imx8m-ddrc-devfreq driver calls the SiP and then does clk_set_parent on the DDR muxes to synchronize the clock tree. since commit 936c383673b9 ("clk: imx: fix composite peripheral flags"), these TF-A managed muxes have SET_PARENT_GATE set, which results in imx8m-ddrc-devfreq's clk_set_parent after SiP failing with -EBUSY: clk_set_parent(dram_apb_src, sys1_pll_40m);(busfreq-imx8mq.c) commit 926bf91248dd ("clk: imx8m: fix clock tree update of TF-A managed clocks") adds this method and enables 8mm, 8mn and 8mq. i.MX8MP also needs it. This is safe to do, because updating the Linux clock tree to reflect reality will always be glitch-free. Another reason to this patch is that powersave image BT music requires dram to be 400MTS, so clk_set_parent(dram_alt_src, sys1_pll_800m); is required. Without this patch, it will not succeed. Fixes: 936c383673b9 ("clk: imx: fix composite peripheral flags") Signed-off-by: Zhipeng Wang Reviewed-by: Ahmad Fatoum Signed-off-by: Peng Fan Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20240607133347.3291040-7-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 851e6d6692e1a700bd4d0f29f5a1205d995ff8a0 Author: Pengfei Li Date: Fri Jun 7 21:33:36 2024 +0800 clk: imx: fracn-gppll: fix fractional part of PLL getting lost [ Upstream commit 7622f888fca125ae46f695edf918798ebc0506c5 ] Fractional part of PLL gets lost after re-enabling the PLL. the MFN can NOT be automatically loaded when doing frac PLL enable/disable, So when re-enable PLL, configure mfn explicitly. Fixes: 1b26cb8a77a4 ("clk: imx: support fracn gppll") Signed-off-by: Pengfei Li Reviewed-by: Jacky Bai Signed-off-by: Peng Fan Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20240607133347.3291040-5-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit e2f77be25ba38062073e56b25726f7c2c1a4b5b4 Author: Ye Li Date: Fri Jun 7 21:33:35 2024 +0800 clk: imx: composite-7ulp: Check the PCC present bit [ Upstream commit 4717ccadb51e2630790dddd222830702de17f090 ] When some module is disabled by fuse, its PCC PR bit is default 0 and PCC is not operational. Any write to this PCC will cause SError. Fixes: b40ba8065347 ("clk: imx: Update the compsite driver to support imx8ulp") Reviewed-by: Peng Fan Signed-off-by: Ye Li Signed-off-by: Peng Fan Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20240607133347.3291040-4-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit a5dea7295c87213ee911c9268852b51335ee5170 Author: Jacky Bai Date: Fri Jun 7 21:33:34 2024 +0800 clk: imx: composite-93: keep root clock on when mcore enabled [ Upstream commit d342df11726bfac9c3a9d2037afa508ac0e9e44e ] Previously we assumed that the root clock slice is enabled by default when kernel boot up. But the bootloader may disable the clocks before jump into kernel. The gate ops should be registered rather than NULL to make sure the disabled clock can be enabled when kernel boot up. Refine the code to skip disable the clock if mcore booted. Fixes: a740d7350ff7 ("clk: imx: imx93: add mcore_booted module paratemter") Signed-off-by: Jacky Bai Reviewed-by: Peng Fan Tested-by: Chancel Liu Signed-off-by: Peng Fan Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20240607133347.3291040-3-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 44222c2563ebe61dc7226c02eff5ea6f68bc5a12 Author: Peng Fan Date: Fri Jun 7 21:33:33 2024 +0800 clk: imx: composite-8m: Enable gate clk with mcore_booted [ Upstream commit 8f32e9dd0916eb3fd4bcf550ed1d04542a65cb9e ] Bootloader might disable some CCM ROOT Slices. So if mcore_booted set with display CCM ROOT disabled by Bootloader, kernel display BLK CTRL driver imx8m_blk_ctrl_driver_init may hang the system because the BUS clk is disabled. Add back gate ops, but with disable doing nothing, then the CCM ROOT will be enabled when used. Fixes: bb7e897b002a ("clk: imx8m: check mcore_booted before register clk") Reviewed-by: Ye Li Reviewed-by: Jacky Bai Signed-off-by: Peng Fan Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20240607133347.3291040-2-peng.fan@oss.nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit ebff099957757bddbc3611142b9fa40a3e131099 Author: Sebastien Laveze Date: Tue May 28 17:14:33 2024 +0200 clk: imx: imx6ul: fix default parent for enet*_ref_sel [ Upstream commit e52fd71333b4ed78fd5bb43094bdc46476614d25 ] The clk_set_parent for "enet1_ref_sel" and "enet2_ref_sel" are incorrect, therefore the original requirements to have "enet_clk_ref" as output sourced by iMX ENET PLL as a default config is not met. Only "enet[1,2]_ref_125m" "enet[1,2]_ref_pad" are possible parents for "enet1_ref_sel" and "enet2_ref_sel". This was observed as a regression using a custom device tree which was expecting this default config. This can be fixed at the device tree level but having a default config matching the original behavior (before refclock mux) will avoid breaking existing configs. Fixes: 4e197ee880c2 ("clk: imx6ul: add ethernet refclock mux support") Link: https://lore.kernel.org/lkml/20230306020226.GC143566@dragon/T/ Signed-off-by: Sebastien Laveze Reviewed-by: Oleksij Rempel Link: https://lore.kernel.org/r/20240528151434.227602-1-slaveze@smartandconnective.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 0f01208e166b64be250ac72adb24075cf2559234 Author: Shengjiu Wang Date: Fri Jun 14 15:42:03 2024 +0800 clk: imx: clk-audiomix: Correct parent clock for earc_phy and audpll [ Upstream commit d40371a1c963db688b37826adaf5ffdafb0862a1 ] According to Reference Manual of i.MX8MP The parent clock of "earc_phy" is "sai_pll_out_div2", The parent clock of "audpll" is "osc_24m". Add CLK_GATE_PARENT() macro for usage of specifying parent clock. Fixes: 6cd95f7b151c ("clk: imx: imx8mp: Add audiomix block control") Signed-off-by: Shengjiu Wang Reviewed-by: Peng Fan Link: https://lore.kernel.org/r/1718350923-21392-6-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 3db5917e61081a748ce43fa4e63c00193b419886 Author: Kan Liang Date: Thu Sep 5 10:07:36 2024 -0700 perf mem: Fix missed p-core mem events on ADL and RPL [ Upstream commit 5ad7db2c3f941cde3045ce38a9c4c40b0c7d56b9 ] The p-core mem events are missed when launching 'perf mem record' on ADL and RPL. root@number:~# perf mem record sleep 1 Memory events are enabled on a subset of CPUs: 16-27 [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.032 MB perf.data ] root@number:~# perf evlist cpu_atom/mem-loads,ldlat=30/P cpu_atom/mem-stores/P dummy:u A variable 'record' in the 'struct perf_mem_event' is to indicate whether a mem event in a mem_events[] should be recorded. The current code only configure the variable for the first eligible PMU. It's good enough for a non-hybrid machine or a hybrid machine which has the same mem_events[]. However, if a different mem_events[] is used for different PMUs on a hybrid machine, e.g., ADL or RPL, the 'record' for the second PMU never get a chance to be set. The mem_events[] of the second PMU are always ignored. 'perf mem' doesn't support the per-PMU configuration now. A per-PMU mem_events[] 'record' variable doesn't make sense. Make it global. That could also avoid searching for the per-PMU mem_events[] via perf_pmu__mem_events_ptr every time. Committer testing: root@number:~# perf evlist -g cpu_atom/mem-loads,ldlat=30/P cpu_atom/mem-stores/P {cpu_core/mem-loads-aux/,cpu_core/mem-loads,ldlat=30/} cpu_core/mem-stores/P dummy:u root@number:~# The :S for '{cpu_core/mem-loads-aux/,cpu_core/mem-loads,ldlat=30/}' is not being added by 'perf evlist -g', to be checked. Fixes: abbdd79b786e036e ("perf mem: Clean up perf_mem_events__name()") Reported-by: Arnaldo Carvalho de Melo Signed-off-by: Kan Liang Tested-by: Arnaldo Carvalho de Melo Cc: Adrian Hunter Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Closes: https://lore.kernel.org/lkml/Zthu81fA3kLC2CS2@x1/ Link: https://lore.kernel.org/r/20240905170737.4070743-2-kan.liang@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 3eb711fc3fbd5252bc6758ad9b37a4a48e6f766a Author: Kan Liang Date: Thu Sep 5 10:07:35 2024 -0700 perf mem: Check mem_events for all eligible PMUs [ Upstream commit 6e05d28ff232cf445cc6ae59336b7f2081ef9b96 ] The current perf_pmu__mem_events_init() only checks the availability of the mem_events for the first eligible PMU. It works for non-hybrid machines and hybrid machines that have the same mem_events. However, it may bring issues if a hybrid machine has a different mem_events on different PMU, e.g., Alder Lake and Raptor Lake. A mem-loads-aux event is only required for the p-core. The mem_events on both e-core and p-core should be checked and marked. The issue was not found, because it's hidden by another bug, which only records the mem-events for the e-core. The wrong check for the p-core events didn't yell. Fixes: abbdd79b786e036e ("perf mem: Clean up perf_mem_events__name()") Signed-off-by: Kan Liang Cc: Adrian Hunter Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Link: https://lore.kernel.org/r/20240905170737.4070743-1-kan.liang@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit bacfd44472e33cade608fb91f0d2f77db4cbd181 Author: Ian Rogers Date: Sat Aug 31 00:04:11 2024 -0700 perf time-utils: Fix 32-bit nsec parsing [ Upstream commit 38e2648a81204c9fc5b4c87a8ffce93a6ed91b65 ] The "time utils" test fails in 32-bit builds: ... parse_nsec_time("18446744073.709551615") Failed. ptime 4294967295709551615 expected 18446744073709551615 ... Switch strtoul to strtoull as an unsigned long in 32-bit build isn't 64-bits. Fixes: c284d669a20d408b ("perf tools: Move parse_nsec_time to time-utils.c") Signed-off-by: Ian Rogers Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Athira Rajeev Cc: Chaitanya S Prakash Cc: Colin Ian King Cc: David Ahern Cc: Dominique Martinet Cc: Ingo Molnar Cc: James Clark Cc: Jiri Olsa Cc: John Garry Cc: Junhao He Cc: Kan Liang Cc: Mark Rutland Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Yang Jihong Link: https://lore.kernel.org/r/20240831070415.506194-3-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit f1a436bc9b4c58347b8ef5617df153a6c5b0b7bb Author: Yang Jihong Date: Mon Aug 19 10:47:20 2024 +0800 perf sched timehist: Fixed timestamp error when unable to confirm event sched_in time [ Upstream commit 39c243411bdb8fb35777adf49ee32549633c4e12 ] If sched_in event for current task is not recorded, sched_in timestamp will be set to end_time of time window interest, causing an error in timestamp show. In this case, we choose to ignore this event. Test scenario: perf[1229608] does not record the first sched_in event, run time and sch delay are both 0 # perf sched timehist Samples of sched_switch event do not have callchains. time cpu task name wait time sch delay run time [tid/pid] (msec) (msec) (msec) --------------- ------ ------------------------------ --------- --------- --------- 2090450.763231 [0000] perf[1229608] 0.000 0.000 0.000 2090450.763235 [0000] migration/0[15] 0.000 0.001 0.003 2090450.763263 [0001] perf[1229608] 0.000 0.000 0.000 2090450.763268 [0001] migration/1[21] 0.000 0.001 0.004 2090450.763302 [0002] perf[1229608] 0.000 0.000 0.000 2090450.763309 [0002] migration/2[27] 0.000 0.001 0.007 2090450.763338 [0003] perf[1229608] 0.000 0.000 0.000 2090450.763343 [0003] migration/3[33] 0.000 0.001 0.004 Before: arbitrarily specify a time window of interest, timestamp will be set to an incorrect value # perf sched timehist --time 100,200 Samples of sched_switch event do not have callchains. time cpu task name wait time sch delay run time [tid/pid] (msec) (msec) (msec) --------------- ------ ------------------------------ --------- --------- --------- 200.000000 [0000] perf[1229608] 0.000 0.000 0.000 200.000000 [0001] perf[1229608] 0.000 0.000 0.000 200.000000 [0002] perf[1229608] 0.000 0.000 0.000 200.000000 [0003] perf[1229608] 0.000 0.000 0.000 200.000000 [0004] perf[1229608] 0.000 0.000 0.000 200.000000 [0005] perf[1229608] 0.000 0.000 0.000 200.000000 [0006] perf[1229608] 0.000 0.000 0.000 200.000000 [0007] perf[1229608] 0.000 0.000 0.000 After: # perf sched timehist --time 100,200 Samples of sched_switch event do not have callchains. time cpu task name wait time sch delay run time [tid/pid] (msec) (msec) (msec) --------------- ------ ------------------------------ --------- --------- --------- Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest") Signed-off-by: Yang Jihong Acked-by: Namhyung Kim Cc: Adrian Hunter Cc: Alexander Shishkin Cc: David Ahern Cc: Ian Rogers Cc: Ingo Molnar Cc: James Clark Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20240819024720.2405244-1-yangjihong@bytedance.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 2229e657672bd75856b41c055eb392612cf9deea Author: Kan Liang Date: Tue Aug 20 11:32:02 2024 -0700 perf hist: Don't set hpp_fmt_value for members in --no-group [ Upstream commit 4f3affe0abf5d5910dc469a1f63257629605d3c3 ] Perf crashes as below when applying --no-group # perf record -e "{cache-misses,branches"} -b sleep 1 # perf report --stdio --no-group free(): invalid next size (fast) Aborted (core dumped) # In the __hpp__fmt(), only 1 hpp_fmt_value is allocated for the current event when --no-group is applied. However, the current implementation tries to assign the hists from all members to the hpp_fmt_value, which exceeds the allocated memory. Fixes: 8f6071a3dce40e69 ("perf hist: Simplify __hpp_fmt() using hpp_fmt_data") Signed-off-by: Kan Liang Acked-by: Namhyung Kim Cc: Ian Rogers Cc: Ingo Molnar Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20240820183202.3174323-1-kan.liang@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 74a64f57f3cbcb36bba42c328d0dbd454ef5c853 Author: Namhyung Kim Date: Wed Aug 21 16:26:25 2024 -0700 perf dwarf-aux: Handle bitfield members from pointer access [ Upstream commit a11b4222bb579dcf9646f3c4ecd2212ae762a2c8 ] The __die_find_member_offset_cb() missed to handle bitfield members which don't have DW_AT_data_member_location. Like in adding member types in __add_member_cb() it should fallback to check the bit offset when it resolves the member type for an offset. Fixes: 437683a9941891c1 ("perf dwarf-aux: Handle type transfer for memory access") Signed-off-by: Namhyung Kim Cc: Adrian Hunter Cc: Athira Rajeev Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20240821232628.353177-2-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 032b81ea8093b4882564a9d537a63d27c586dc3a Author: Namhyung Kim Date: Fri Aug 16 16:58:32 2024 -0700 perf annotate-data: Fix off-by-one in location range check [ Upstream commit 3ab0b8b238b5130ae3fa37ddaa329fc0e93b6b9a ] The location list will have entries with half-open addressing like [start, end) which means it doesn't include the end address. So it should skip entries at the end address and match to the next entry. An example location list looks like this (from readelf -wo): 00237876 ffffffff8110d32b (base address) 0023787f v000000000000000 v000000000000002 views at 00237868 for: ffffffff8110d32b ffffffff8110d4eb (DW_OP_reg3 (rbx)) <<<--- 1 00237885 v000000000000002 v000000000000000 views at 0023786a for: ffffffff8110d4eb ffffffff8110d50b (DW_OP_reg14 (r14)) <<<--- 2 0023788c v000000000000000 v000000000000001 views at 0023786c for: ffffffff8110d50b ffffffff8110d7c4 (DW_OP_reg3 (rbx)) 00237893 v000000000000000 v000000000000000 views at 0023786e for: ffffffff8110d806 ffffffff8110d854 (DW_OP_reg3 (rbx)) 0023789a v000000000000000 v000000000000000 views at 00237870 for: ffffffff8110d876 ffffffff8110d88e (DW_OP_reg3 (rbx)) The first entry at 0023787f has [8110d32b, 8110d4eb) (omitting the ffffffff at the beginning), and the second one has [8110d4eb, 8110d50b). Fixes: 2bc3cf575a162a2c ("perf annotate-data: Improve debug message with location info") Reviewed-by: Masami Hiramatsu Signed-off-by: Namhyung Kim Cc: Adrian Hunter Cc: Athira Rajeev Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20240816235840.2754937-3-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 1ba1e69990622a0b6d527693097edbd3be757b21 Author: Namhyung Kim Date: Fri Aug 16 16:58:31 2024 -0700 perf dwarf-aux: Check allowed location expressions when collecting variables [ Upstream commit e8bb03ed6850c6ed4ce2f1600ea73401fc2ebd95 ] It missed to call check_allowed_ops() in __die_collect_vars_cb() so it can take variables with complex location expression incorrectly. For example, I found some variable has this expression. 015d8df8 ffffffff81aacfb3 (base address) 015d8e01 v000000000000004 v000000000000000 views at 015d8df2 for: ffffffff81aacfb3 ffffffff81aacfd2 (DW_OP_fbreg: -176; DW_OP_deref; DW_OP_plus_uconst: 332; DW_OP_deref_size: 4; DW_OP_lit1; DW_OP_shra; DW_OP_const1u: 64; DW_OP_minus; DW_OP_stack_value) 015d8e14 v000000000000000 v000000000000000 views at 015d8df4 for: ffffffff81aacfd2 ffffffff81aacfd7 (DW_OP_reg3 (rbx)) 015d8e19 v000000000000000 v000000000000000 views at 015d8df6 for: ffffffff81aacfd7 ffffffff81aad020 (DW_OP_fbreg: -176; DW_OP_deref; DW_OP_plus_uconst: 332; DW_OP_deref_size: 4; DW_OP_lit1; DW_OP_shra; DW_OP_const1u: 64; DW_OP_minus; DW_OP_stack_value) 015d8e2c It looks like '((int *)(-176(%rbp) + 332) >> 1) - 64' but the current code thought it's just -176(%rbp) and processed the variable incorrectly. It should reject such a complex expression if check_allowed_ops() doesn't like it. :) Fixes: 932dcc2c39aedf54 ("perf dwarf-aux: Add die_collect_vars()") Signed-off-by: Namhyung Kim Acked-by: Masami Hiramatsu Cc: Adrian Hunter Cc: Athira Rajeev Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20240816235840.2754937-2-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 13cb5ca62a844b99df8c35d882c1c46116415d63 Author: Yicong Yang Date: Fri Aug 2 14:58:00 2024 +0800 perf stat: Display iostat headers correctly [ Upstream commit 2615639352420e6e3115952c5b8f46846e1c6d0e ] Currently we'll only print metric headers for metric leader in aggregration mode. This will make `perf iostat` header not shown since it'll aggregrated globally but don't have metric events: root@ubuntu204:/home/yang/linux/tools/perf# ./perf stat --iostat --timeout 1000 Performance counter stats for 'system wide': port 0000:00 0 0 0 0 0000:80 0 0 0 0 [...] Fix this by excluding the iostat in the check of printing metric headers. Then we can see the headers: root@ubuntu204:/home/yang/linux/tools/perf# ./perf stat --iostat --timeout 1000 Performance counter stats for 'system wide': port Inbound Read(MB) Inbound Write(MB) Outbound Read(MB) Outbound Write(MB) 0000:00 0 0 0 0 0000:80 0 0 0 0 [...] Fixes: 193a9e30207f5477 ("perf stat: Don't display metric header for non-leader uncore events") Signed-off-by: Yicong Yang Acked-by: Namhyung Kim Cc: Ian Rogers Cc: Ingo Molnar Cc: Jonathan Cameron Cc: Junhao He Cc: linuxarm@huawei.com Cc: Mark Rutland Cc: Peter Zijlstra Cc: Shameerali Kolothum Thodi Cc: Zeng Tao Link: https://lore.kernel.org/r/20240802065800.48774-1-yangyicong@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 2d67c1ac020146300afd269fbe4ebf22e2cd8e51 Author: Yang Jihong Date: Tue Aug 6 10:35:33 2024 +0800 perf sched timehist: Fix missing free of session in perf_sched__timehist() [ Upstream commit 6bdf5168b6fb19541b0c1862bdaa596d116c7bfb ] When perf_time__parse_str() fails in perf_sched__timehist(), need to free session that was previously created, fix it. Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest") Signed-off-by: Yang Jihong Acked-by: Namhyung Kim Cc: Adrian Hunter Cc: Alexander Shishkin Cc: David Ahern Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20240806023533.1316348-1-yangjihong@bytedance.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit bd3cf038261edb1d94f0ce6b562f2b2f5348cedf Author: Arnaldo Carvalho de Melo Date: Wed Aug 14 10:36:24 2024 -0300 perf build: Fix up broken capstone feature detection fast path [ Upstream commit 4c55560f23d19051adc7e76818687a88448bef83 ] The capstone devel headers define 'struct bpf_insn' in a way that clashes with what is in the libbpf devel headers, so we so far need to avoid including both. This is happening on the tools/build/feature/test-all.c file, where we try building all the expected set of libraries to be normally available on a system: ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output In file included from test-bpf.c:3, from test-all.c:150: /home/acme/git/perf-tools-next/tools/include/uapi/linux/bpf.h:77:8: error: ‘bpf_insn’ defined as wrong kind of tag 77 | struct bpf_insn { | ^~~~~~~~ ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output When doing so there is a trick where we define main to be main_test_libcapstone, then include the individual tools/build/feture/test-libcapstone.c capability query test, and then we undef 'main' because we'll do it all over again with the next expected library to be tested (at this time 'lzma'). To complete this mechanism we need to, in test-all.c 'main' routine, to call main_test_libcapstone(), which isn't being done, so the effect of adding references to capstone in test-all.c are not achieved. The only thing that is happening is that test-all.c is failing to build and thus all the tests will have to be done individually, which nullifies the test-all.c single build speedup. So lets remove references to capstone from test-all.c to see if this makes it build again so that we get faster builds or go on fixing up whatever is preventing us to get that benefit. Nothing: after this fix we get a clean test-all.c build and get the build speedup back: ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all. test-all.bin test-all.d test-all.make.output ⬢[acme@toolbox perf-tools-next]$ cat /tmp/build/perf-tools-next/feature/test-all.make.output ⬢[acme@toolbox perf-tools-next]$ ldd /tmp/build/perf-tools-next/feature/test-all.bin linux-vdso.so.1 (0x00007f13277a1000) libpython3.12.so.1.0 => /lib64/libpython3.12.so.1.0 (0x00007f1326e00000) libm.so.6 => /lib64/libm.so.6 (0x00007f13274be000) libtraceevent.so.1 => /lib64/libtraceevent.so.1 (0x00007f1327496000) libtracefs.so.1 => /lib64/libtracefs.so.1 (0x00007f132746f000) libcrypto.so.3 => /lib64/libcrypto.so.3 (0x00007f1326800000) libunwind-x86_64.so.8 => /lib64/libunwind-x86_64.so.8 (0x00007f1327452000) libunwind.so.8 => /lib64/libunwind.so.8 (0x00007f1327436000) liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f1327403000) libdw.so.1 => /lib64/libdw.so.1 (0x00007f1326d6f000) libz.so.1 => /lib64/libz.so.1 (0x00007f13273e2000) libelf.so.1 => /lib64/libelf.so.1 (0x00007f1326d53000) libnuma.so.1 => /lib64/libnuma.so.1 (0x00007f13273d4000) libslang.so.2 => /lib64/libslang.so.2 (0x00007f1326400000) libperl.so.5.38 => /lib64/libperl.so.5.38 (0x00007f1326000000) libc.so.6 => /lib64/libc.so.6 (0x00007f1325e0f000) libzstd.so.1 => /lib64/libzstd.so.1 (0x00007f1326741000) /lib64/ld-linux-x86-64.so.2 (0x00007f13277a3000) libbz2.so.1 => /lib64/libbz2.so.1 (0x00007f1326d3f000) libcrypt.so.2 => /lib64/libcrypt.so.2 (0x00007f1326d07000) ⬢[acme@toolbox perf-tools-next]$ And when having capstone-devel installed we get it detected and linked with perf, allowing us to benefit from the features that it enables: ⬢[acme@toolbox perf-tools-next]$ rpm -q capstone-devel capstone-devel-5.0.1-3.fc40.x86_64 ⬢[acme@toolbox perf-tools-next]$ ldd /tmp/build/perf-tools-next/perf | grep capstone libcapstone.so.5 => /lib64/libcapstone.so.5 (0x00007fe6a5c00000) ⬢[acme@toolbox perf-tools-next]$ /tmp/build/perf-tools-next/perf -vv | grep cap libcapstone: [ on ] # HAVE_LIBCAPSTONE_SUPPORT ⬢[acme@toolbox perf-tools-next]$ Fixes: 8b767db3309595a2 ("perf: build: introduce the libcapstone") Cc: Adrian Hunter Cc: Andi Kleen Cc: Changbin Du Cc: Ian Rogers Cc: Jiri Olsa Cc: Kan Liang Cc: Namhyung Kim Link: https://lore.kernel.org/lkml/Zry0sepD5Ppa5YKP@x1 Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit b4d404ac7c7309e13b2a4285ee001cf22d5ba6ae Author: Kan Liang Date: Tue Aug 13 09:02:00 2024 -0700 perf report: Fix --total-cycles --stdio output error [ Upstream commit 3ef44458071a19e5b5832cdfe6f75273aa521b6e ] The --total-cycles may output wrong information with the --stdio. For example: # perf record -e "{cycles,instructions}",cache-misses -b sleep 1 # perf report --total-cycles --stdio The total cycles output of {cycles,instructions} and cache-misses are almost the same. # Samples: 938 of events 'anon group { cycles, instructions }' # Event count (approx.): 938 # # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range] # ............... .............. ........... .......... ..................................................> # 11.19% 2.6K 0.10% 21 [perf_iterate_ctx+48 -> > 5.79% 1.4K 0.45% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_> 5.11% 1.2K 0.33% 71 [native_write_msr+0 ->> # Samples: 293 of event 'cache-misses' # Event count (approx.): 293 # # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range] # ............... .............. ........... .......... ..................................................> # 11.19% 2.6K 0.13% 21 [perf_iterate_ctx+48 -> > 5.79% 1.4K 0.59% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_> 5.11% 1.2K 0.43% 71 [native_write_msr+0 ->> With the symbol_conf.event_group, the 'perf report' should only report the block information of the leader event in a group. However, the current implementation retrieves the next event's block information, rather than the next group leader's block information. Make sure the index is updated even if the event is skipped. With the patch, # Samples: 293 of event 'cache-misses' # Event count (approx.): 293 # # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range] # ............... .............. ........... .......... ..................................................> # 37.98% 9.0K 4.05% 299 [perf_event_addr_filters_exec+0 -> perf_event_a> 11.19% 2.6K 0.28% 21 [perf_iterate_ctx+48 -> > 5.79% 1.4K 1.32% 97 [__intel_pmu_enable_all.constprop.0+80 -> __intel_> Fixes: 6f7164fa231a5f36 ("perf report: Sort by sampled cycles percent per block for stdio") Reviewed-by: Andi Kleen Signed-off-by: Kan Liang Acked-by: Namhyung Kim Cc: Adrian Hunter Cc: Ian Rogers Cc: Ingo Molnar Cc: Jin Yao Cc: Peter Zijlstra Cc: Stephane Eranian Link: https://lore.kernel.org/r/20240813160208.2493643-2-kan.liang@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 8b230c729a243926a1e8636e8ddbd3dd4e6827b7 Author: Ian Rogers Date: Mon Jul 29 15:06:20 2024 -0700 perf inject: Fix leader sampling inserting additional samples [ Upstream commit 79bcd34e0f3da39fda841406ccc957405e724852 ] The processing of leader samples would turn an individual sample with a group of read values into multiple samples. 'perf inject' would pass through the additional samples increasing the output data file size: $ perf record -g -e "{instructions,cycles}:S" -o perf.orig.data true $ perf script -D -i perf.orig.data | sed -e 's/perf.orig.data/perf.data/g' > orig.txt $ perf inject -i perf.orig.data -o perf.new.data $ perf script -D -i perf.new.data | sed -e 's/perf.new.data/perf.data/g' > new.txt $ diff -u orig.txt new.txt --- orig.txt 2024-07-29 14:29:40.606576769 -0700 +++ new.txt 2024-07-29 14:30:04.142737434 -0700 ... -0xc550@perf.data [0x30]: event: 3 +0xc550@perf.data [0xd0]: event: 9 +. +. ... raw event: size 208 bytes +. 0000: 09 00 00 00 01 00 d0 00 fc 72 01 86 ff ff ff ff .........r...... +. 0010: 74 7d 2c 00 74 7d 2c 00 fb c3 79 f9 ba d5 05 00 t},.t},...y..... +. 0020: e6 cb 1a 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ +. 0030: 02 00 00 00 00 00 00 00 76 01 00 00 00 00 00 00 ........v....... +. 0040: e6 cb 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ +. 0050: 62 18 00 00 00 00 00 00 f6 cb 1a 00 00 00 00 00 b............... +. 0060: 00 00 00 00 00 00 00 00 0c 00 00 00 00 00 00 00 ................ +. 0070: 80 ff ff ff ff ff ff ff fc 72 01 86 ff ff ff ff .........r...... +. 0080: f3 0e 6e 85 ff ff ff ff 0c cb 7f 85 ff ff ff ff ..n............. +. 0090: bc f2 87 85 ff ff ff ff 44 af 7f 85 ff ff ff ff ........D....... +. 00a0: bd be 7f 85 ff ff ff ff 26 d0 7f 85 ff ff ff ff ........&....... +. 00b0: 6d a4 ff 85 ff ff ff ff ea 00 20 86 ff ff ff ff m......... ..... +. 00c0: 00 fe ff ff ff ff ff ff 57 14 4f 43 fc 7e 00 00 ........W.OC.~.. + +1642373909693435 0xc550 [0xd0]: PERF_RECORD_SAMPLE(IP, 0x1): 2915700/2915700: 0xffffffff860172fc period: 1 addr: 0 +... FP chain: nr:12 +..... 0: ffffffffffffff80 +..... 1: ffffffff860172fc +..... 2: ffffffff856e0ef3 +..... 3: ffffffff857fcb0c +..... 4: ffffffff8587f2bc +..... 5: ffffffff857faf44 +..... 6: ffffffff857fbebd +..... 7: ffffffff857fd026 +..... 8: ffffffff85ffa46d +..... 9: ffffffff862000ea +..... 10: fffffffffffffe00 +..... 11: 00007efc434f1457 +... sample_read: +.... group nr 2 +..... id 00000000001acbe6, value 0000000000000176, lost 0 +..... id 00000000001acbf6, value 0000000000001862, lost 0 + +0xc620@perf.data [0x30]: event: 3 ... This behavior is incorrect as in the case above 'perf inject' should have done nothing. Fix this behavior by disabling separating samples for a tool that requests it. Only request this for `perf inject` so as to not affect other perf tools. With the patch and the test above there are no differences between the orig.txt and new.txt. Fixes: e4caec0d1af3d608 ("perf evsel: Add PERF_SAMPLE_READ sample related processing") Signed-off-by: Ian Rogers Acked-by: Namhyung Kim Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Andi Kleen Cc: Ingo Molnar Cc: Jiri Olsa Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20240729220620.2957754-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit f18c08ee58402a106ae274f8a0e855c654703a0e Author: Ian Rogers Date: Sat Aug 10 21:20:04 2024 -0700 perf vendor events: SKX, CLX, SNR uncore cache event fixes [ Upstream commit 7a75c6c23a2ea8dd22d90805b3a42bd65c53830e ] Cache home agent (CHA) events were setting the low rather than high config1 bits. SNR was using CLX CHA events, however its CHA is similar to ICX so remove the events. Incorporate the updates in: https://github.com/intel/perfmon/pull/215 https://github.com/intel/perfmon/pull/216 Fixes: 4cc49942444e958b ("perf vendor events: Update cascadelakex events/metrics") Closes: https://lore.kernel.org/linux-perf-users/CAPhsuW4nem9XZP+b=sJJ7kqXG-cafz0djZf51HsgjCiwkGBA+A@mail.gmail.com/ Reported-by: Song Liu Reviewed-by: Kan Liang Co-authored-by: Weilin Wang Signed-off-by: Ian Rogers Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20240811042004.421869-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 679780406f18a9f073658099b60b2cc110cde3ed Author: Namhyung Kim Date: Mon Aug 12 10:25:33 2024 -0700 perf lock contention: Change stack_id type to s32 [ Upstream commit 040c0f887fdcfe747a3f63c94e9cd29e9ed0b872 ] The bpf_get_stackid() helper returns a signed type to check whether it failed to get a stacktrace or not. But it saved the result in u32 and checked if the value is negative. 376 if (needs_callstack) { 377 pelem->stack_id = bpf_get_stackid(ctx, &stacks, 378 BPF_F_FAST_STACK_CMP | stack_skip); --> 379 if (pelem->stack_id < 0) ./tools/perf/util/bpf_skel/lock_contention.bpf.c:379 contention_begin() warn: unsigned 'pelem->stack_id' is never less than zero. Let's change the type to s32 instead. Fixes: 6d499a6b3d90277d ("perf lock: Print the number of lost entries for BPF") Reported-by: Dan Carpenter Signed-off-by: Namhyung Kim Cc: Adrian Hunter Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20240812172533.2015291-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 1a782ed21729c6899146e9becb4f746f27148ff7 Author: Namhyung Kim Date: Wed Jul 31 16:55:01 2024 -0700 perf mem: Free the allocated sort string, fixing a leak [ Upstream commit 3da209bb1177462b6fe8e3021a5527a5a49a9336 ] The get_sort_order() returns either a new string (from strdup) or NULL but it never gets freed. Signed-off-by: Namhyung Kim Fixes: 2e7f545096f954a9 ("perf mem: Factor out a function to generate sort order") Cc: Adrian Hunter Cc: Athira Rajeev Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Kan Liang Cc: Peter Zijlstra Cc: Stephane Eranian Link: https://lore.kernel.org/r/20240731235505.710436-3-namhyung@kernel.org [ Added Fixes tag ] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit c4a7d861e3c0d6e02db6cd52827eb5a645354b66 Author: Arnaldo Carvalho de Melo Date: Wed Jul 31 11:58:56 2024 -0300 perf bpf: Move BPF disassembly routines to separate file to avoid clash with capstone bpf headers [ Upstream commit ea59b70a8418a313d6f2ab48a957de015fc33018 ] There is a clash of the libbpf and capstone libraries, that ends up with: In file included from /usr/include/capstone/capstone.h:325, from util/disasm.c:1513: /usr/include/capstone/bpf.h:94:14: error: ‘bpf_insn’ defined as wrong kind of tag 94 | typedef enum bpf_insn { So far we're just trying to avoid this by not having both headers included in the same .c or .h file, do it one more time by moving the BPF diassembly routines from util/disasm.c to util/disasm_bpf.c. This is only being hit when building with BUILD_NONDISTRO=1, i.e. building with binutils-devel, that isn't the in the default build due to a licencing clash. We need to reimplement what is now isolated in util/disasm_bpf.c using some other library to have BPF annotation feature that now only is available with BUILD_NONDISTRO=1. Fixes: 6d17edc113de1e21 ("perf annotate: Use libcapstone to disassemble") Cc: Adrian Hunter Cc: Ian Rogers Cc: Jiri Olsa Cc: Kan Liang Cc: Namhyung Kim Link: https://lore.kernel.org/lkml/ZqpUSKPxMwaQKORr@x1 Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 56591a618a0518c4103793b7ef61bbff89b3e333 Author: James Clark Date: Tue Jul 23 14:28:58 2024 +0100 perf scripts python cs-etm: Restore first sample log in verbose mode [ Upstream commit ae8e4f4048b839c1cb333d9e3d20e634b430139e ] The linked commit moved the early return on the first sample to before the verbose log, so move the log earlier too. Now the first sample is also logged and not skipped. Fixes: 2d98dbb4c9c5b09c ("perf scripts python arm-cs-trace-disasm.py: Do not ignore disam first sample") Reviewed-by: Leo Yan Signed-off-by: James Clark Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Benjamin Gray Cc: coresight@lists.linaro.org Cc: gankulkarni@os.amperecomputing.com Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Mike Leach Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Ruidong Tian Cc: Suzuki Poulouse Link: https://lore.kernel.org/r/20240723132858.12747-1-james.clark@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 594a9f5a8d2de2573a856e506f77ba7dd2cefc6a Author: Daniel Borkmann Date: Fri Sep 13 21:17:50 2024 +0200 bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error [ Upstream commit 4b3786a6c5397dc220b1483d8e2f4867743e966f ] For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input arguments, zero the value for the case of an error as otherwise it could leak memory. For tracing, it is not needed given CAP_PERFMON can already read all kernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped in here. Also, the MTU helpers mtu_len pointer value is being written but also read. Technically, the MEM_UNINIT should not be there in order to always force init. Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now implies two things actually: i) write into memory, ii) memory does not have to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory, ii) memory must be initialized. This means that for bpf_*_check_mtu() we're readding the issue we're trying to fix, that is, it would then be able to write back into things like .rodata BPF maps. Follow-up work will rework the MEM_UNINIT semantics such that the intent can be better expressed. For now just clear the *mtu_len on error path which can be lifted later again. Fixes: 8a67f2de9b1d ("bpf: expose bpf_strtol and bpf_strtoul to all program types") Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers") Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/e5edd241-59e7-5e39-0ee5-a51e31b6840a@iogearbox.net Link: https://lore.kernel.org/r/20240913191754.13290-5-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 2913328ae9e59340cea442d618929ffd4a5f5e47 Author: Daniel Borkmann Date: Fri Sep 13 21:17:49 2024 +0200 bpf: Improve check_raw_mode_ok test for MEM_UNINIT-tagged types [ Upstream commit 18752d73c1898fd001569195ba4b0b8c43255f4a ] When checking malformed helper function signatures, also take other argument types into account aside from just ARG_PTR_TO_UNINIT_MEM. This concerns (formerly) ARG_PTR_TO_{INT,LONG} given uninitialized memory can be passed there, too. The func proto sanity check goes back to commit 435faee1aae9 ("bpf, verifier: add ARG_PTR_TO_RAW_STACK type"), and its purpose was to detect wrong func protos which had more than just one MEM_UNINIT-tagged type as arguments. The reason more than one is currently not supported is as we mark stack slots with STACK_MISC in check_helper_call() in case of raw mode based on meta.access_size to allow uninitialized stack memory to be passed to helpers when they just write into the buffer. Probing for base type as well as MEM_UNINIT tagging ensures that other types do not get missed (as it used to be the case for ARG_PTR_TO_{INT,LONG}). Fixes: 57c3bb725a3d ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types") Reported-by: Shung-Hsi Yu Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Acked-by: Shung-Hsi Yu Link: https://lore.kernel.org/r/20240913191754.13290-4-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 1e75d25133158b525e0456876e9bcfd6b2993fd5 Author: Daniel Borkmann Date: Fri Sep 13 21:17:48 2024 +0200 bpf: Fix helper writes to read-only maps [ Upstream commit 32556ce93bc45c730829083cb60f95a2728ea48b ] Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} as arguments. In check_func_arg() when the argument is as mentioned, the meta->raw_mode is never set. Later, check_helper_mem_access(), under the case of PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the subsequent call to check_map_access_type() and given the BPF map is read-only it succeeds. The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT when results are written into them as opposed to read out of them. The latter indicates that it's okay to pass a pointer to uninitialized memory as the memory is written to anyway. However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM just with additional alignment requirement. So it is better to just get rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the fixed size memory types. For this, add MEM_ALIGNED to additionally ensure alignment given these helpers write directly into the args via * = val. The .arg*_size has been initialized reflecting the actual sizeof(*). MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated argument types, since in !MEM_FIXED_SIZE cases the verifier does not know the buffer size a priori and therefore cannot blindly write * = val. Fixes: 57c3bb725a3d ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types") Reported-by: Lonial Con Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Acked-by: Shung-Hsi Yu Link: https://lore.kernel.org/r/20240913191754.13290-3-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit ae909d106358f19be8e910fc8ae0c433e658e8fd Author: Daniel Borkmann Date: Fri Sep 13 21:17:46 2024 +0200 bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit [ Upstream commit cfe69c50b05510b24e26ccb427c7cc70beafd6c1 ] The bpf_strtol() and bpf_strtoul() helpers are currently broken on 32bit: The argument type ARG_PTR_TO_LONG is BPF-side "long", not kernel-side "long" and therefore always considered fixed 64bit no matter if 64 or 32bit underlying architecture. This contract breaks in case of the two mentioned helpers since their BPF_CALL definition for the helpers was added with {unsigned,}long *res. Meaning, the transition from BPF-side "long" (BPF program) to kernel-side "long" (BPF helper) breaks here. Both helpers call __bpf_strtoll() with "long long" correctly, but later assigning the result into 32-bit "*(long *)" on 32bit architectures. From a BPF program point of view, this means upper bits will be seen as uninitialised. Therefore, fix both BPF_CALL signatures to {s,u}64 types to fix this situation. Now, changing also uapi/bpf.h helper documentation which generates bpf_helper_defs.h for BPF programs is tricky: Changing signatures there to __{s,u}64 would trigger compiler warnings (incompatible pointer types passing 'long *' to parameter of type '__s64 *' (aka 'long long *')) for existing BPF programs. Leaving the signatures as-is would be fine as from BPF program point of view it is still BPF-side "long" and thus equivalent to __{s,u}64 on 64 or 32bit underlying architectures. Note that bpf_strtol() and bpf_strtoul() are the only helpers with this issue. Fixes: d7a4cb9b6705 ("bpf: Introduce bpf_strtol and bpf_strtoul helpers") Reported-by: Alexei Starovoitov Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/481fcec8-c12c-9abb-8ecb-76c71c009959@iogearbox.net Link: https://lore.kernel.org/r/20240913191754.13290-1-daniel@iogearbox.net Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 2fb7d183bc34882ce6de87433f063c467042e83c Author: Chen Yu Date: Tue Aug 27 19:26:07 2024 +0800 sched/pelt: Use rq_clock_task() for hw_pressure [ Upstream commit 84d265281d6cea65353fc24146280e0d86ac50cb ] commit 97450eb90965 ("sched/pelt: Remove shift of thermal clock") removed the decay_shift for hw_pressure. This commit uses the sched_clock_task() in sched_tick() while it replaces the sched_clock_task() with rq_clock_pelt() in __update_blocked_others(). This could bring inconsistence. One possible scenario I can think of is in ___update_load_sum(): u64 delta = now - sa->last_update_time 'now' could be calculated by rq_clock_pelt() from __update_blocked_others(), and last_update_time was calculated by rq_clock_task() previously from sched_tick(). Usually the former chases after the latter, it cause a very large 'delta' and brings unexpected behavior. Fixes: 97450eb90965 ("sched/pelt: Remove shift of thermal clock") Signed-off-by: Chen Yu Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Hongyan Xia Reviewed-by: Vincent Guittot Link: https://lkml.kernel.org/r/20240827112607.181206-1-yu.c.chen@intel.com Signed-off-by: Sasha Levin commit c4cbcc64bb31e67e02940ce060cc77f7180564cf Author: Ryusuke Konishi Date: Wed Sep 4 17:13:09 2024 +0900 nilfs2: fix potential oob read in nilfs_btree_check_delete() [ Upstream commit f9c96351aa6718b42a9f42eaf7adce0356bdb5e8 ] The function nilfs_btree_check_delete(), which checks whether degeneration to direct mapping occurs before deleting a b-tree entry, causes memory access outside the block buffer when retrieving the maximum key if the root node has no entries. This does not usually happen because b-tree mappings with 0 child nodes are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen if the b-tree root node read from a device is configured that way, so fix this potential issue by adding a check for that case. Link: https://lkml.kernel.org/r/20240904081401.16682-4-konishi.ryusuke@gmail.com Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping") Signed-off-by: Ryusuke Konishi Cc: Lizhi Xu Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 02eb712f513aaab88f59b60b2b2c47706750aac5 Author: Ryusuke Konishi Date: Wed Sep 4 17:13:08 2024 +0900 nilfs2: determine empty node blocks as corrupted [ Upstream commit 111b812d3662f3a1b831d19208f83aa711583fe6 ] Due to the nature of b-trees, nilfs2 itself and admin tools such as mkfs.nilfs2 will never create an intermediate b-tree node block with 0 child nodes, nor will they delete (key, pointer)-entries that would result in such a state. However, it is possible that a b-tree node block is corrupted on the backing device and is read with 0 child nodes. Because operation is not guaranteed if the number of child nodes is 0 for intermediate node blocks other than the root node, modify nilfs_btree_node_broken(), which performs sanity checks when reading a b-tree node block, so that such cases will be judged as metadata corruption. Link: https://lkml.kernel.org/r/20240904081401.16682-3-konishi.ryusuke@gmail.com Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping") Signed-off-by: Ryusuke Konishi Cc: Lizhi Xu Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 3644554d308ddf2669e459a1551a7edf60b2d62b Author: Ryusuke Konishi Date: Wed Sep 4 17:13:07 2024 +0900 nilfs2: fix potential null-ptr-deref in nilfs_btree_insert() [ Upstream commit 9403001ad65ae4f4c5de368bdda3a0636b51d51a ] Patch series "nilfs2: fix potential issues with empty b-tree nodes". This series addresses three potential issues with empty b-tree nodes that can occur with corrupted filesystem images, including one recently discovered by syzbot. This patch (of 3): If a b-tree is broken on the device, and the b-tree height is greater than 2 (the level of the root node is greater than 1) even if the number of child nodes of the b-tree root is 0, a NULL pointer dereference occurs in nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert(). This is because, when the number of child nodes of the b-tree root is 0, nilfs_btree_do_lookup() does not set the block buffer head in any of path[x].bp_bh, leaving it as the initial value of NULL, but if the level of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(), which accesses the buffer memory of path[x].bp_bh, is called. Fix this issue by adding a check to nilfs_btree_root_broken(), which performs sanity checks when reading the root node from the device, to detect this inconsistency. Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause early on. Link: https://lkml.kernel.org/r/20240904081401.16682-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20240902084101.138971-1-lizhi.xu@windriver.com Link: https://lkml.kernel.org/r/20240904081401.16682-2-konishi.ryusuke@gmail.com Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping") Signed-off-by: Ryusuke Konishi Reported-by: syzbot+9bff4c7b992038a7409f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=9bff4c7b992038a7409f Cc: Lizhi Xu Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 10ddbd28c8b7ddc32cdf3f6ef835b63ef5b54358 Author: Yujie Liu Date: Tue Aug 27 19:29:58 2024 +0800 sched/numa: Fix the vma scan starving issue [ Upstream commit f22cde4371f3c624e947a35b075c06c771442a43 ] Problem statement: Since commit fc137c0ddab2 ("sched/numa: enhance vma scanning logic"), the Numa vma scan overhead has been reduced a lot. Meanwhile, the reducing of the vma scan might create less Numa page fault information. The insufficient information makes it harder for the Numa balancer to make decision. Later, commit b7a5b537c55c08 ("sched/numa: Complete scanning of partial VMAs regardless of PID activity") and commit 84db47ca7146d7 ("sched/numa: Fix mm numa_scan_seq based unconditional scan") are found to bring back part of the performance. Recently when running SPECcpu omnetpp_r on a 320 CPUs/2 Sockets system, a long duration of remote Numa node read was observed by PMU events: A few cores having ~500MB/s remote memory access for ~20 seconds. It causes high core-to-core variance and performance penalty. After the investigation, it is found that many vmas are skipped due to the active PID check. According to the trace events, in most cases, vma_is_accessed() returns false because the history access info stored in pids_active array has been cleared. Proposal: The main idea is to adjust vma_is_accessed() to let it return true easier. Thus compare the diff between mm->numa_scan_seq and vma->numab_state->prev_scan_seq. If the diff has exceeded the threshold, scan the vma. This patch especially helps the cases where there are small number of threads, like the process-based SPECcpu. Without this patch, if the SPECcpu process access the vma at the beginning, then sleeps for a long time, the pid_active array will be cleared. A a result, if this process is woken up again, it never has a chance to set prot_none anymore. Because only the first 2 times of access is granted for vma scan: (current->mm->numa_scan_seq) - vma->numab_state->start_scan_seq) < 2 to be worse, no other threads within the task can help set the prot_none. This causes information lost. Raghavendra helped test current patch and got the positive result on the AMD platform: autonumabench NUMA01 base patched Amean syst-NUMA01 194.05 ( 0.00%) 165.11 * 14.92%* Amean elsp-NUMA01 324.86 ( 0.00%) 315.58 * 2.86%* Duration User 380345.36 368252.04 Duration System 1358.89 1156.23 Duration Elapsed 2277.45 2213.25 autonumabench NUMA02 Amean syst-NUMA02 1.12 ( 0.00%) 1.09 * 2.93%* Amean elsp-NUMA02 3.50 ( 0.00%) 3.56 * -1.84%* Duration User 1513.23 1575.48 Duration System 8.33 8.13 Duration Elapsed 28.59 29.71 kernbench Amean user-256 22935.42 ( 0.00%) 22535.19 * 1.75%* Amean syst-256 7284.16 ( 0.00%) 7608.72 * -4.46%* Amean elsp-256 159.01 ( 0.00%) 158.17 * 0.53%* Duration User 68816.41 67615.74 Duration System 21873.94 22848.08 Duration Elapsed 506.66 504.55 Intel 256 CPUs/2 Sockets: autonuma benchmark also shows improvements: v6.10-rc5 v6.10-rc5 +patch Amean syst-NUMA01 245.85 ( 0.00%) 230.84 * 6.11%* Amean syst-NUMA01_THREADLOCAL 205.27 ( 0.00%) 191.86 * 6.53%* Amean syst-NUMA02 18.57 ( 0.00%) 18.09 * 2.58%* Amean syst-NUMA02_SMT 2.63 ( 0.00%) 2.54 * 3.47%* Amean elsp-NUMA01 517.17 ( 0.00%) 526.34 * -1.77%* Amean elsp-NUMA01_THREADLOCAL 99.92 ( 0.00%) 100.59 * -0.67%* Amean elsp-NUMA02 15.81 ( 0.00%) 15.72 * 0.59%* Amean elsp-NUMA02_SMT 13.23 ( 0.00%) 12.89 * 2.53%* v6.10-rc5 v6.10-rc5 +patch Duration User 1064010.16 1075416.23 Duration System 3307.64 3104.66 Duration Elapsed 4537.54 4604.73 The SPECcpu remote node access issue disappears with the patch applied. Link: https://lkml.kernel.org/r/20240827112958.181388-1-yu.c.chen@intel.com Fixes: fc137c0ddab2 ("sched/numa: enhance vma scanning logic") Signed-off-by: Chen Yu Co-developed-by: Chen Yu Signed-off-by: Yujie Liu Reported-by: Xiaoping Zhou Reviewed-and-tested-by: Raghavendra K T Acked-by: Mel Gorman Cc: "Chen, Tim C" Cc: Ingo Molnar Cc: Juri Lelli Cc: Peter Zijlstra Cc: Raghavendra K T Cc: Vincent Guittot Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit a31b712f75445d52fc0451dc54fd7b16a552cb7c Author: Ojaswin Mujoo Date: Fri Aug 30 12:50:57 2024 +0530 ext4: check stripe size compatibility on remount as well [ Upstream commit ee85e0938aa8f9846d21e4d302c3cf6a2a75110d ] We disable stripe size in __ext4_fill_super if it is not a multiple of the cluster ratio however this check is missed when trying to remount. This can leave us with cases where stripe < cluster_ratio after remount:set making EXT4_B2C(sbi->s_stripe) become 0 that can cause some unforeseen bugs like divide by 0. Fix that by adding the check in remount path as well. Reported-by: syzbot+1ad8bac5af24d01e2cbd@syzkaller.appspotmail.com Tested-by: syzbot+1ad8bac5af24d01e2cbd@syzkaller.appspotmail.com Reviewed-by: Kemeng Shi Reviewed-by: Ritesh Harjani (IBM) Fixes: c3defd99d58c ("ext4: treat stripe in block unit") Signed-off-by: Ojaswin Mujoo Link: https://patch.msgid.link/3a493bb503c3598e25dcfbed2936bb2dff3fece7.1725002410.git.ojaswin@linux.ibm.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit ccb8c18076e2e630fea23fbec583cdad61787fc5 Author: Thadeu Lima de Souza Cascardo Date: Wed Aug 21 12:23:24 2024 -0300 ext4: avoid OOB when system.data xattr changes underneath the filesystem [ Upstream commit c6b72f5d82b1017bad80f9ebf502832fc321d796 ] When looking up for an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as an UAF. EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. loop0: detected capacity change from 2048 to 2047 ================================================================== BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103 CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500 ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697 __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573 ext4_lookup_entry fs/ext4/namei.c:1727 [inline] ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795 lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633 filename_create+0x297/0x540 fs/namei.c:3980 do_symlinkat+0xf9/0x3a0 fs/namei.c:4587 __do_sys_symlinkat fs/namei.c:4610 [inline] __se_sys_symlinkat fs/namei.c:4607 [inline] __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3e73ced469 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469 RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0 RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290 R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0 Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem. Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79 Fixes: e8e948e7802a ("ext4: let ext4_find_entry handle inline data") Signed-off-by: Thadeu Lima de Souza Cascardo Link: https://patch.msgid.link/20240821152324.3621860-5-cascardo@igalia.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit f9b2db09ebf4be6ae2b1e0f79766a1e40f5cfbc6 Author: Thadeu Lima de Souza Cascardo Date: Wed Aug 21 12:23:22 2024 -0300 ext4: return error on ext4_find_inline_entry [ Upstream commit 4d231b91a944f3cab355fce65af5871fb5d7735b ] In case of errors when reading an inode from disk or traversing inline directory entries, return an error-encoded ERR_PTR instead of returning NULL. ext4_find_inline_entry only caller, __ext4_find_entry already returns such encoded errors. Signed-off-by: Thadeu Lima de Souza Cascardo Link: https://patch.msgid.link/20240821152324.3621860-3-cascardo@igalia.com Signed-off-by: Theodore Ts'o Stable-dep-of: c6b72f5d82b1 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem") Signed-off-by: Sasha Levin commit 7477aa1db493a81df619be4856863e40e8e63bff Author: Kemeng Shi Date: Tue Aug 20 21:22:30 2024 +0800 ext4: avoid negative min_clusters in find_group_orlov() [ Upstream commit bb0a12c3439b10d88412fd3102df5b9a6e3cd6dc ] min_clusters is signed integer and will be converted to unsigned integer when compared with unsigned number stats.free_clusters. If min_clusters is negative, it will be converted to a huge unsigned value in which case all groups may not meet the actual desired free clusters. Set negative min_clusters to 0 to avoid unexpected behavior. Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3") Signed-off-by: Kemeng Shi Link: https://patch.msgid.link/20240820132234.2759926-4-shikemeng@huaweicloud.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 8b174a51d6d7c175d4973675807d8933b5d76992 Author: Kemeng Shi Date: Tue Aug 20 21:22:29 2024 +0800 ext4: avoid potential buffer_head leak in __ext4_new_inode() [ Upstream commit 227d31b9214d1b9513383cf6c7180628d4b3b61f ] If a group is marked EXT4_GROUP_INFO_IBITMAP_CORRUPT after it's inode bitmap buffer_head was successfully verified, then __ext4_new_inode() will get a valid inode_bitmap_bh of a corrupted group from ext4_read_inode_bitmap() in which case inode_bitmap_bh misses a release. Hnadle "IS_ERR(inode_bitmap_bh)" and group corruption separately like how ext4_free_inode() does to avoid buffer_head leak. Fixes: 9008a58e5dce ("ext4: make the bitmap read routines return real error codes") Signed-off-by: Kemeng Shi Link: https://patch.msgid.link/20240820132234.2759926-3-shikemeng@huaweicloud.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit ed63f13bd5a83e0a7e7c1d96836b31f36f46c4f4 Author: Kemeng Shi Date: Tue Aug 20 21:22:28 2024 +0800 ext4: avoid buffer_head leak in ext4_mark_inode_used() [ Upstream commit 5e5b2a56c57def1b41efd49596621504d7bcc61c ] Release inode_bitmap_bh from ext4_read_inode_bitmap() in ext4_mark_inode_used() to avoid buffer_head leak. By the way, remove unneeded goto for invalid ino when inode_bitmap_bh is NULL. Fixes: 8016e29f4362 ("ext4: fast commit recovery path") Signed-off-by: Kemeng Shi Link: https://patch.msgid.link/20240820132234.2759926-2-shikemeng@huaweicloud.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 59c1ec3c8d8bde538389de6fa518973cfe3704c3 Author: Jiawei Ye Date: Mon Sep 2 08:47:26 2024 +0000 smackfs: Use rcu_assign_pointer() to ensure safe assignment in smk_set_cipso [ Upstream commit 2749749afa071f8a0e405605de9da615e771a7ce ] In the `smk_set_cipso` function, the `skp->smk_netlabel.attr.mls.cat` field is directly assigned to a new value without using the appropriate RCU pointer assignment functions. According to RCU usage rules, this is illegal and can lead to unpredictable behavior, including data inconsistencies and impossible-to-diagnose memory corruption issues. This possible bug was identified using a static analysis tool developed by myself, specifically designed to detect RCU-related issues. To address this, the assignment is now done using rcu_assign_pointer(), which ensures that the pointer assignment is done safely, with the necessary memory barriers and synchronization. This change prevents potential RCU dereference issues by ensuring that the `cat` field is safely updated while still adhering to RCU's requirements. Fixes: 0817534ff9ea ("smackfs: Fix use-after-free in netlbl_catmap_walk()") Signed-off-by: Jiawei Ye Signed-off-by: Casey Schaufler Signed-off-by: Sasha Levin commit e01b7859a728392f080934063639a97105b0a4e4 Author: Huang Shijie Date: Thu Aug 29 11:11:11 2024 +0800 sched/deadline: Fix schedstats vs deadline servers [ Upstream commit 9c602adb799e72ee537c0c7ca7e828c3fe2acad6 ] In dl_server_start(), when schedstats is enabled, the following happens: dl_server_start() dl_se->dl_server = 1; enqueue_dl_entity() update_stats_enqueue_dl() __schedstats_from_dl_se() dl_task_of() BUG_ON(dl_server(dl_se)); Since only tasks have schedstats and internal entries do not, avoid trying to update stats in this case. Fixes: 63ba8422f876 ("sched/deadline: Introduce deadline servers") Signed-off-by: Huang Shijie Signed-off-by: Peter Zijlstra (Intel) Acked-by: Juri Lelli Link: https://lkml.kernel.org/r/20240829031111.12142-1-shijie@os.amperecomputing.com Signed-off-by: Sasha Levin commit 0f46f1da0116a5e9d3f365c198d7a3db1c08d756 Author: Mykyta Yatsenko Date: Mon Sep 2 18:17:21 2024 +0100 bpftool: Fix handling enum64 in btf dump sorting [ Upstream commit b0222d1d9e6f8551a056b89b0bff38f515f3c9b5 ] Wrong function is used to access the first enum64 element. Substituting btf_enum(t) with btf_enum64(t) for BTF_KIND_ENUM64. Fixes: 94133cf24bb3 ("bpftool: Introduce btf c dump sorting") Signed-off-by: Mykyta Yatsenko Signed-off-by: Daniel Borkmann Acked-by: Quentin Monnet Link: https://lore.kernel.org/bpf/20240902171721.105253-1-mykyta.yatsenko5@gmail.com Signed-off-by: Sasha Levin commit c1ddb967bae8c0b956fac435857839192c6934f2 Author: yangerkun Date: Sat Aug 17 16:55:10 2024 +0800 ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard [ Upstream commit 20cee68f5b44fdc2942d20f3172a262ec247b117 ] Commit 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in ext4_group_info") speed up fstrim by skipping trim trimmed group. We also has the chance to clear trimmed once there exists some block free for this group(mount without discard), and the next trim for this group will work well too. For mount with discard, we will issue dicard when we free blocks, so leave trimmed flag keep alive to skip useless trim trigger from userspace seems reasonable. But for some case like ext4 build on dm-thinpool(ext4 blocksize 4K, pool blocksize 128K), discard from ext4 maybe unaligned for dm thinpool, and thinpool will just finish this discard(see process_discard_bio when begein equals to end) without actually process discard. For this case, trim from userspace can really help us to free some thinpool block. So convert to clear trimmed flag for all case no matter mounted with discard or not. Fixes: 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in ext4_group_info") Signed-off-by: yangerkun Reviewed-by: Jan Kara Link: https://patch.msgid.link/20240817085510.2084444-1-yangerkun@huaweicloud.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit abb9f3ad79c20dcf3235f60bd8d2e943d7f0b57d Author: Chen Yu Date: Tue Aug 27 19:23:08 2024 +0800 kthread: fix task state in kthread worker if being frozen [ Upstream commit e16c7b07784f3fb03025939c4590b9a7c64970a7 ] When analyzing a kernel waring message, Peter pointed out that there is a race condition when the kworker is being frozen and falls into try_to_freeze() with TASK_INTERRUPTIBLE, which could trigger a might_sleep() warning in try_to_freeze(). Although the root cause is not related to freeze()[1], it is still worthy to fix this issue ahead. One possible race scenario: CPU 0 CPU 1 ----- ----- // kthread_worker_fn set_current_state(TASK_INTERRUPTIBLE); suspend_freeze_processes() freeze_processes static_branch_inc(&freezer_active); freeze_kernel_threads pm_nosig_freezing = true; if (work) { //false __set_current_state(TASK_RUNNING); } else if (!freezing(current)) //false, been frozen freezing(): if (static_branch_unlikely(&freezer_active)) if (pm_nosig_freezing) return true; schedule() } // state is still TASK_INTERRUPTIBLE try_to_freeze() might_sleep() <--- warning Fix this by explicitly set the TASK_RUNNING before entering try_to_freeze(). Link: https://lore.kernel.org/lkml/Zs2ZoAcUsZMX2B%2FI@chenyu5-mobl2/ [1] Link: https://lkml.kernel.org/r/20240827112308.181081-1-yu.c.chen@intel.com Fixes: b56c0d8937e6 ("kthread: implement kthread_worker") Signed-off-by: Chen Yu Suggested-by: Peter Zijlstra Suggested-by: Andrew Morton Cc: Andreas Gruenbacher Cc: David Gow Cc: Mateusz Guzik Cc: Mickaël Salaün Cc: Tejun Heo Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 67a74c1053fa8ce947cee2b61c14fcd660551068 Author: Lasse Collin Date: Sun Jul 21 16:36:24 2024 +0300 xz: cleanup CRC32 edits from 2018 [ Upstream commit 2ee96abef214550d9e92f5143ee3ac1fd1323e67 ] In 2018, a dependency on was added to avoid duplicating the same constant in multiple files. Two months later it was found to be a bad idea and the definition of CRC32_POLY_LE macro was moved into xz_private.h to avoid including . xz_private.h is a wrong place for it too. Revert back to the upstream version which has the poly in xz_crc32_init() in xz_crc32.c. Link: https://lkml.kernel.org/r/20240721133633.47721-10-lasse.collin@tukaani.org Fixes: faa16bc404d7 ("lib: Use existing define with polynomial") Fixes: 242cdad873a7 ("lib/xz: Put CRC32_POLY_LE in xz_private.h") Signed-off-by: Lasse Collin Reviewed-by: Sam James Tested-by: Michael Ellerman (powerpc) Cc: Krzysztof Kozlowski Cc: Herbert Xu Cc: Joel Stanley Cc: Albert Ou Cc: Catalin Marinas Cc: Emil Renner Berthing Cc: Greg Kroah-Hartman Cc: Jonathan Corbet Cc: Jubin Zhong Cc: Jules Maselbas Cc: Palmer Dabbelt Cc: Paul Walmsley Cc: Randy Dunlap Cc: Rui Li Cc: Simon Glass Cc: Thomas Gleixner Cc: Will Deacon Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 7e456a3a37706f94cfdbda911deb07c4832c75e9 Author: Tony Ambardar Date: Fri Aug 30 02:51:50 2024 -0700 libbpf: Ensure new BTF objects inherit input endianness [ Upstream commit da18bfa59d403040d8bcba1284285916fe9e4425 ] New split BTF needs to preserve base's endianness. Similarly, when creating a distilled BTF, we need to preserve original endianness. Fix by updating libbpf's btf__distill_base() and btf_new_empty() to retain the byte order of any source BTF objects when creating new ones. Fixes: ba451366bf44 ("libbpf: Implement basic split BTF support") Fixes: 58e185a0dc35 ("libbpf: Add btf__distill_base() creating split BTF with distilled base BTF") Reported-by: Song Liu Reported-by: Eduard Zingerman Suggested-by: Eduard Zingerman Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Tested-by: Alan Maguire Acked-by: Eduard Zingerman Link: https://lore.kernel.org/bpf/6358db36c5f68b07873a0a5be2d062b1af5ea5f8.camel@gmail.com/ Link: https://lore.kernel.org/bpf/20240830095150.278881-1-tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 2f6d5b50ed1d4bba5108ad1af9933e9754b8ca5b Author: Harald Freudenberger Date: Wed Aug 28 14:25:08 2024 +0200 s390/ap: Fix deadlock caused by recursive lock of the AP bus scan mutex [ Upstream commit 56199bb956c3ea82e39c72d2972ebf8c18c6a8c0 ] There is a possibility to deadlock with an recursive lock of the AP bus scan mutex ap_scan_bus_mutex: ... kernel: ============================================ ... kernel: WARNING: possible recursive locking detected ... kernel: 5.14.0-496.el9.s390x #3 Not tainted ... kernel: -------------------------------------------- ... kernel: kworker/12:1/130 is trying to acquire lock: ... kernel: 0000000358bc1510 (ap_scan_bus_mutex){+.+.}-{3:3}, at: ap_bus_force_rescan+0x92/0x108 ... kernel: but task is already holding lock: ... kernel: 0000000358bc1510 (ap_scan_bus_mutex){+.+.}-{3:3}, at: ap_scan_bus_wq_callback+0x28/0x60 ... kernel: other info that might help us debug this: ... kernel: Possible unsafe locking scenario: ... kernel: CPU0 ... kernel: ---- ... kernel: lock(ap_scan_bus_mutex); ... kernel: lock(ap_scan_bus_mutex); ... kernel: *** DEADLOCK *** Here is how the callstack looks like: ... [<00000003576fe9ce>] process_one_work+0x2a6/0x748 ... [<0000000358150c00>] ap_scan_bus_wq_callback+0x40/0x60 <- mutex locked ... [<00000003581506e2>] ap_scan_bus+0x5a/0x3b0 ... [<000000035815037c>] ap_scan_adapter+0x5b4/0x8c0 ... [<000000035814fa34>] ap_scan_domains+0x2d4/0x668 ... [<0000000357d989b4>] device_add+0x4a4/0x6b8 ... [<0000000357d9bb54>] bus_probe_device+0xb4/0xc8 ... [<0000000357d9daa8>] __device_attach+0x120/0x1b0 ... [<0000000357d9a632>] bus_for_each_drv+0x8a/0xd0 ... [<0000000357d9d548>] __device_attach_driver+0xc0/0x140 ... [<0000000357d9d3d8>] driver_probe_device+0x40/0xf0 ... [<0000000357d9cec2>] really_probe+0xd2/0x460 ... [<000000035814d7b0>] ap_device_probe+0x150/0x208 ... [<000003ff802a5c46>] zcrypt_cex4_queue_probe+0xb6/0x1c0 [zcrypt_cex4] ... [<000003ff7fb2d36e>] zcrypt_queue_register+0xe6/0x1b0 [zcrypt] ... [<000003ff7fb2c8ac>] zcrypt_rng_device_add+0x94/0xd8 [zcrypt] ... [<0000000357d7bc52>] hwrng_register+0x212/0x228 ... [<0000000357d7b8c2>] add_early_randomness+0x102/0x110 ... [<000003ff7fb29c94>] zcrypt_rng_data_read+0x94/0xb8 [zcrypt] ... [<0000000358150aca>] ap_bus_force_rescan+0x92/0x108 ... [<0000000358177572>] mutex_lock_interruptible_nested+0x32/0x40 <- lock again Note this only happens when the very first random data providing crypto card appears via hot plug in the system AND is in disabled state ("deconfig"). Then the initial pull of random data fails and a re-scan of the AP bus is triggered while already in the middle of an AP bus scan caused by the appearing new hardware. The fix is relatively simple once the scenario us understood: The AP bus force rescan function will immediately return if there is currently an AP bus scan running with the very same thread id. Fixes: eacf5b3651c5 ("s390/ap: introduce mutex to lock the AP bus scan") Signed-off-by: Harald Freudenberger Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit 3537a47e97f08d68f38098b5af36d3de29be56c6 Author: Andrii Nakryiko Date: Tue Aug 27 13:37:21 2024 -0700 libbpf: Fix bpf_object__open_skeleton()'s mishandling of options [ Upstream commit c634d6f4e12d00c954410ba11db45799a8c77b5b ] We do an ugly copying of options in bpf_object__open_skeleton() just to be able to set object name from skeleton's recorded name (while still allowing user to override it through opts->object_name). This is not just ugly, but it also is broken due to memcpy() that doesn't take into account potential skel_opts' and user-provided opts' sizes differences due to backward and forward compatibility. This leads to copying over extra bytes and then failing to validate options properly. It could, technically, lead also to SIGSEGV, if we are unlucky. So just get rid of that memory copy completely and instead pass default object name into bpf_object_open() directly, simplifying all this significantly. The rule now is that obj_name should be non-NULL for bpf_object_open() when called with in-memory buffer, so validate that explicitly as well. We adopt bpf_object__open_mem() to this as well and generate default name (based on buffer memory address and size) outside of bpf_object_open(). Fixes: d66562fba1ce ("libbpf: Add BPF object skeleton support") Reported-by: Daniel Müller Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Reviewed-by: Daniel Müller Acked-by: Eduard Zingerman Link: https://lore.kernel.org/bpf/20240827203721.1145494-1-andrii@kernel.org Signed-off-by: Sasha Levin commit 3ca83e3b68034a23065ad980d90f34ca26bed948 Author: Hao Ge Date: Tue Aug 20 10:36:22 2024 +0800 selftests/bpf: Fix incorrect parameters in NULL pointer checking [ Upstream commit c264487e5410e5a72db8a414566ab7d144223e6c ] Smatch reported the following warning: ./tools/testing/selftests/bpf/testing_helpers.c:455 get_xlated_program() warn: variable dereferenced before check 'buf' (see line 454) It seems correct,so let's modify it based on it's suggestion. Actually,commit b23ed4d74c4d ("selftests/bpf: Fix invalid pointer check in get_xlated_program()") fixed an issue in the test_verifier.c once,but it was reverted this time. Let's solve this issue with the minimal changes possible. Reported-by: Dan Carpenter Closes: https://lore.kernel.org/all/1eb3732f-605a-479d-ba64-cd14250cbf91@stanley.mountain/ Fixes: b4b7a4099b8c ("selftests/bpf: Factor out get_xlated_program() helper") Signed-off-by: Hao Ge Link: https://lore.kernel.org/r/20240820023622.29190-1-hao.ge@linux.dev Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit e7e9c5b2dda29067332df2a85b0141a92b41f218 Author: Eduard Zingerman Date: Thu Aug 22 01:01:23 2024 -0700 bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos [ Upstream commit 3d2786d65aaa954ebd3fcc033ada433e10da21c4 ] In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL referencing a non-existing BTF type, function bpf_core_calc_relo_insn would cause a null pointer deference. Fix this by adding a proper check upper in call stack, as malformed relocation records could be passed from user space. Simplest reproducer is a program: r0 = 0 exit With a single relocation record: .insn_off = 0, /* patch first instruction */ .type_id = 100500, /* this type id does not exist */ .access_str_off = 6, /* offset of string "0" */ .kind = BPF_CORE_TYPE_ID_LOCAL, See the link for original reproducer or next commit for a test case. Fixes: 74753e1462e7 ("libbpf: Replace btf__type_by_id() with btf_type_by_id().") Reported-by: Liu RuiTong Closes: https://lore.kernel.org/bpf/CAK55_s6do7C+DVwbwY_7nKfUz0YLDoiA1v6X3Y9+p0sWzipFSA@mail.gmail.com/ Acked-by: Andrii Nakryiko Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20240822080124.2995724-2-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit c13d21f6eeee95377b63d3f8ac1066dfce71e5ff Author: Eduard Zingerman Date: Tue Aug 20 03:23:51 2024 -0700 selftests/bpf: fix to avoid __msg tag de-duplication by clang [ Upstream commit f00bb757ed630affc951691ddaff206039cbb7ee ] __msg, __regex and __xlated tags are based on __attribute__((btf_decl_tag("..."))) annotations. Clang de-duplicates such annotations, e.g. the following two sequences of tags are identical in final BTF: /* seq A */ /* seq B */ __tag("foo") __tag("foo") __tag("bar") __tag("bar") __tag("foo") Fix this by adding a unique suffix for each tag using __COUNTER__ pre-processor macro. E.g. here is a new definition for __msg: #define __msg(msg) \ __attribute__((btf_decl_tag("comment:test_expect_msg=" XSTR(__COUNTER__) "=" msg))) Using this definition the "seq A" from example above is translated to BTF as follows: [..] DECL_TAG 'comment:test_expect_msg=0=foo' type_id=X component_idx=-1 [..] DECL_TAG 'comment:test_expect_msg=1=bar' type_id=X component_idx=-1 [..] DECL_TAG 'comment:test_expect_msg=2=foo' type_id=X component_idx=-1 Surprisingly, this bug affects a single existing test: verifier_spill_fill/old_stack_misc_vs_cur_ctx_ptr, where sequence of identical messages was expected in the log. Fixes: 537c3f66eac1 ("selftests/bpf: add generic BPF program tester-loader") Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20240820102357.3372779-4-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 7e2c1d5119b23c7edaf3cceecf79cdfd43876fe7 Author: Eduard Zingerman Date: Mon Jul 22 16:38:43 2024 -0700 selftests/bpf: __arch_* macro to limit test cases to specific archs [ Upstream commit ee7fe84468b1732fe65c5af3836437d54ac4c419 ] Add annotations __arch_x86_64, __arch_arm64, __arch_riscv64 to specify on which architecture the test case should be tested. Several __arch_* annotations could be specified at once. When test case is not run on current arch it is marked as skipped. For example, the following would be tested only on arm64 and riscv64: SEC("raw_tp") __arch_arm64 __arch_riscv64 __xlated("1: *(u64 *)(r10 - 16) = r1") __xlated("2: call") __xlated("3: r1 = *(u64 *)(r10 - 16);") __success __naked void canary_arm64_riscv64(void) { asm volatile ( "r1 = 1;" "*(u64 *)(r10 - 16) = r1;" "call %[bpf_get_smp_processor_id];" "r1 = *(u64 *)(r10 - 16);" "exit;" : : __imm(bpf_get_smp_processor_id) : __clobber_all); } On x86 it would be skipped: #467/2 verifier_nocsr/canary_arm64_riscv64:SKIP Acked-by: Andrii Nakryiko Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20240722233844.1406874-10-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang") Signed-off-by: Sasha Levin commit 8916c4d1c948e788d513917fd3d43d3622952696 Author: Eduard Zingerman Date: Mon Jul 22 16:38:42 2024 -0700 selftests/bpf: allow checking xlated programs in verifier_* tests [ Upstream commit 9c9f7339131030949a8ef111080427ff1a8085b5 ] Add a macro __xlated("...") for use with test_loader tests. When such annotations are present for the test case: - bpf_prog_get_info_by_fd() is used to get BPF program after all rewrites are applied by verifier. - the program is disassembled and patterns specified in __xlated are searched for in the disassembly text. __xlated matching follows the same mechanics as __msg: each subsequent pattern is matched from the point where previous pattern ended. This allows to write tests like below, where the goal is to verify the behavior of one of the of the transformations applied by verifier: SEC("raw_tp") __xlated("1: w0 = ") __xlated("2: r0 = &(void __percpu *)(r0)") __xlated("3: r0 = *(u32 *)(r0 +0)") __xlated("4: exit") __success __naked void simple(void) { asm volatile ( "call %[bpf_get_smp_processor_id];" "exit;" : : __imm(bpf_get_smp_processor_id) : __clobber_all); } Acked-by: Andrii Nakryiko Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20240722233844.1406874-9-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang") Signed-off-by: Sasha Levin commit 67bda2c777683b8eeb26e7217e0059b98e2b898d Author: Eduard Zingerman Date: Mon Jul 22 16:38:41 2024 -0700 selftests/bpf: extract test_loader->expect_msgs as a data structure [ Upstream commit 64f01e935ddb26f48baec71883c27878ac4231dc ] Non-functional change: use a separate data structure to represented expected messages in test_loader. This would allow to use the same functionality for expected set of disassembled instructions in the follow-up commit. Acked-by: Andrii Nakryiko Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20240722233844.1406874-8-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang") Signed-off-by: Sasha Levin commit 12183dcdd8edc9e1e2d9ecf58a6aa1eb433ad3bc Author: Eduard Zingerman Date: Mon Jul 22 16:38:40 2024 -0700 selftests/bpf: no need to track next_match_pos in struct test_loader [ Upstream commit 4ef5d6af493558124b7a6c13cace58b938fe27d4 ] The call stack for validate_case() function looks as follows: - test_loader__run_subtests() - process_subtest() - run_subtest() - prepare_case(), which does 'tester->next_match_pos = 0'; - validate_case(), which increments tester->next_match_pos. Hence, each subtest is run with next_match_pos freshly set to zero. Meaning that there is no need to persist this variable in the struct test_loader, use local variable instead. Acked-by: Andrii Nakryiko Signed-off-by: Eduard Zingerman Link: https://lore.kernel.org/r/20240722233844.1406874-7-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Stable-dep-of: f00bb757ed63 ("selftests/bpf: fix to avoid __msg tag de-duplication by clang") Signed-off-by: Sasha Levin commit 86ad94542de77040d65809ee342218f0da93e273 Author: Jiangshan Yi Date: Thu Aug 15 21:55:24 2024 +0800 samples/bpf: Fix compilation errors with cf-protection option [ Upstream commit fdf1c728fac541891ef1aa773bfd42728626769c ] Currently, compiling the bpf programs will result the compilation errors with the cf-protection option as follows in arm64 and loongarch64 machine when using gcc 12.3.1 and clang 17.0.6. This commit fixes the compilation errors by limited the cf-protection option only used in x86 platform. [root@localhost linux]# make M=samples/bpf ...... CLANG-bpf samples/bpf/xdp2skb_meta_kern.o error: option 'cf-protection=return' cannot be specified on this target error: option 'cf-protection=branch' cannot be specified on this target 2 errors generated. CLANG-bpf samples/bpf/syscall_tp_kern.o error: option 'cf-protection=return' cannot be specified on this target error: option 'cf-protection=branch' cannot be specified on this target 2 errors generated. ...... Fixes: 34f6e38f58db ("samples/bpf: fix warning with ignored-attributes") Reported-by: Jiangshan Yi Signed-off-by: Jiangshan Yi Signed-off-by: Andrii Nakryiko Tested-by: Qiang Wang Link: https://lore.kernel.org/bpf/20240815135524.140675-1-13667453960@163.com Signed-off-by: Sasha Levin commit 8718b404e7fb942d5b5acaa90c3f4085c59ebc58 Author: Alan Maguire Date: Sat Aug 10 10:35:04 2024 +0100 libbpf: Fix license for btf_relocate.c [ Upstream commit 4a4c013d3385b0db85dc361203dc42ff048b6fd6 ] License should be // SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) ...as with other libbpf files. Fixes: 19e00c897d50 ("libbpf: Split BTF relocation") Reported-by: Neill Kapron Signed-off-by: Alan Maguire Signed-off-by: Andrii Nakryiko Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20240810093504.2111134-1-alan.maguire@oracle.com Signed-off-by: Sasha Levin commit beaad8a3f8473c2ad886b3d7887766eabc3214cc Author: Heiko Carstens Date: Wed Jul 31 15:26:00 2024 +0200 s390/entry: Make early program check handler relocated lowcore aware [ Upstream commit f101b305a7b9513a8042a2cf09018de4ff371af2 ] Add the missing pieces so the early program check handler also works with a relocated lowcore. Right now the result of an early program check in case of a relocated lowcore would be a program check loop. Fixes: 8f1e70adb1a3 ("s390/boot: Add cmdline option to relocate lowcore") Reviewed-by: Sven Schnelle Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit b5c6e76197a77e8cd2c6c63e0494400d1dabe0dd Author: Heiko Carstens Date: Wed Jul 31 15:25:59 2024 +0200 s390/entry: Move early program check handler to entry.S [ Upstream commit f2bb5b97b51ce5425e8f59f899643ce4eadba667 ] Have all program check handlers in one file to make future changes easy. Reviewed-by: Alexander Gordeev Reviewed-by: Sven Schnelle Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Stable-dep-of: f101b305a7b9 ("s390/entry: Make early program check handler relocated lowcore aware") Signed-off-by: Sasha Levin commit 8397743487bd4c68689a400390e011148a9f3962 Author: Tony Ambardar Date: Mon Jul 29 02:24:24 2024 -0700 selftests/bpf: Fix error compiling tc_redirect.c with musl libc [ Upstream commit 21c5f4f55da759c7444a1ef13e90b6e6f674eeeb ] Linux 5.1 implemented 64-bit time types and related syscalls to address the Y2038 problem generally across archs. Userspace handling of Y2038 varies with the libc however. While musl libc uses 64-bit time across all 32-bit and 64-bit platforms, GNU glibc uses 64-bit time on 64-bit platforms but defaults to 32-bit time on 32-bit platforms unless they "opt-in" to 64-bit time or explicitly use 64-bit syscalls and time structures. One specific area is the standard setsockopt() call, SO_TIMESTAMPNS option used for timestamping, and the related output 'struct timespec'. GNU glibc defaults as above, also exposing the SO_TIMESTAMPNS_NEW flag to explicitly use a 64-bit call and 'struct __kernel_timespec'. Since these are not exposed or needed with musl libc, their use in tc_redirect.c leads to compile errors building for mips64el/musl: tc_redirect.c: In function 'rcv_tstamp': tc_redirect.c:425:32: error: 'SO_TIMESTAMPNS_NEW' undeclared (first use in this function); did you mean 'SO_TIMESTAMPNS'? 425 | cmsg->cmsg_type == SO_TIMESTAMPNS_NEW) | ^~~~~~~~~~~~~~~~~~ | SO_TIMESTAMPNS tc_redirect.c:425:32: note: each undeclared identifier is reported only once for each function it appears in tc_redirect.c: In function 'test_inet_dtime': tc_redirect.c:491:49: error: 'SO_TIMESTAMPNS_NEW' undeclared (first use in this function); did you mean 'SO_TIMESTAMPNS'? 491 | err = setsockopt(listen_fd, SOL_SOCKET, SO_TIMESTAMPNS_NEW, | ^~~~~~~~~~~~~~~~~~ | SO_TIMESTAMPNS However, using SO_TIMESTAMPNS_NEW isn't strictly needed, nor is Y2038 being explicitly tested. The timestamp checks in tc_redirect.c are simple: the packet receive timestamp is non-zero and processed/handled in less than 5 seconds. Switch to using the standard setsockopt() call and SO_TIMESTAMPNS option to ensure compatibility across glibc and musl libc. In the worst-case, there is a 5-second window 14 years from now where tc_redirect tests may fail on 32-bit systems. However, we should reasonably expect glibc to adopt a 64-bit mandate rather than the current "opt-in" policy before the Y2038 roll-over. Fixes: ce6f6cffaeaa ("selftests/bpf: Wait for the netstamp_needed_key static key to be turned on") Fixes: c803475fd8dd ("bpf: selftests: test skb->tstamp in redirect_neigh") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/031d656c058b4e55ceae56ef49c4e1729b5090f3.1722244708.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 9d8ddbd0a2e7789ede116992ddc226b82cbe96c8 Author: Tony Ambardar Date: Mon Jul 29 02:24:22 2024 -0700 selftests/bpf: Fix compile if backtrace support missing in libc [ Upstream commit c9a83e76b5a96801a2c7ea0a79ca77c356d8b38d ] Include GNU header only with glibc and provide weak, stubbed backtrace functions as a fallback in test_progs.c. This allows for non-GNU replacements while avoiding compile errors (e.g. with musl libc) like: test_progs.c:13:10: fatal error: execinfo.h: No such file or directory 13 | #include /* backtrace */ | ^~~~~~~~~~~~ test_progs.c: In function 'crash_handler': test_progs.c:1034:14: error: implicit declaration of function 'backtrace' [-Werror=implicit-function-declaration] 1034 | sz = backtrace(bt, ARRAY_SIZE(bt)); | ^~~~~~~~~ test_progs.c:1045:9: error: implicit declaration of function 'backtrace_symbols_fd' [-Werror=implicit-function-declaration] 1045 | backtrace_symbols_fd(bt, sz, STDERR_FILENO); | ^~~~~~~~~~~~~~~~~~~~ Fixes: 9fb156bb82a3 ("selftests/bpf: Print backtrace on SIGSEGV in test_progs") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/aa6dc8e23710cb457b278039d0081de7e7b4847d.1722244708.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit c2e6ddf3dc455c850d999936c6134104719f5d32 Author: Tony Ambardar Date: Mon Jul 29 02:24:21 2024 -0700 selftests/bpf: Fix redefinition errors compiling lwt_reroute.c [ Upstream commit 16b795cc59528cf280abc79af3c70bda42f715b9 ] Compiling lwt_reroute.c with GCC 12.3 for mips64el/musl-libc yields errors: In file included from .../include/arpa/inet.h:9, from ./test_progs.h:18, from tools/testing/selftests/bpf/prog_tests/lwt_helpers.h:11, from tools/testing/selftests/bpf/prog_tests/lwt_reroute.c:52: .../include/netinet/in.h:23:8: error: redefinition of 'struct in6_addr' 23 | struct in6_addr { | ^~~~~~~~ In file included from .../include/linux/icmp.h:24, from tools/testing/selftests/bpf/prog_tests/lwt_helpers.h:9: .../include/linux/in6.h:33:8: note: originally defined here 33 | struct in6_addr { | ^~~~~~~~ .../include/netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6' 34 | struct sockaddr_in6 { | ^~~~~~~~~~~~ .../include/linux/in6.h:50:8: note: originally defined here 50 | struct sockaddr_in6 { | ^~~~~~~~~~~~ .../include/netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq' 42 | struct ipv6_mreq { | ^~~~~~~~~ .../include/linux/in6.h:60:8: note: originally defined here 60 | struct ipv6_mreq { | ^~~~~~~~~ These errors occur because is included before , bypassing the Linux uapi/libc compat mechanism's partial musl support. As described in [1] and [2], fix these errors by including in lwt_reroute.c before any uapi headers. [1]: commit c0bace798436 ("uapi libc compat: add fallback for unsupported libcs") [2]: https://git.musl-libc.org/cgit/musl/commit/?id=04983f227238 Fixes: 6c77997bc639 ("selftests/bpf: Add lwt_xmit tests for BPF_REROUTE") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/bd2908aec0755ba8b75f5dc41848b00585f5c73e.1722244708.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 2fa967d35fa90540efba5d7120491f5fdc4ee728 Author: Tony Ambardar Date: Mon Jul 29 02:24:20 2024 -0700 selftests/bpf: Fix C++ compile error from missing _Bool type [ Upstream commit aa95073fd290b5b3e45f067fa22bb25e59e1ff7c ] While building, bpftool makes a skeleton from test_core_extern.c, which itself includes and uses the 'bool' type. However, the skeleton test_core_extern.skel.h generated *does not* include or use the 'bool' type, instead using the C-only '_Bool' type. Compiling test_cpp.cpp with g++ 12.3 for mips64el/musl-libc then fails with error: In file included from test_cpp.cpp:9: test_core_extern.skel.h:45:17: error: '_Bool' does not name a type 45 | _Bool CONFIG_BOOL; | ^~~~~ This was likely missed previously because glibc uses a GNU extension for with C++ (#define _Bool bool), not supported by musl libc. Normally, a C fragment would include and use the 'bool' type, and thus cleanly work after import by C++. The ideal fix would be for 'bpftool gen skeleton' to output the correct type/include supporting C++, but in the meantime add a conditional define as above. Fixes: 7c8dce4b1661 ("bpftool: Make skeleton C code compilable with C++ compiler") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/6fc1dd28b8bda49e51e4f610bdc9d22f4455632d.1722244708.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit a64a843ac510445d55289a36a810ef21d358fece Author: Tony Ambardar Date: Mon Jul 29 02:24:19 2024 -0700 selftests/bpf: Fix error compiling test_lru_map.c [ Upstream commit cacf2a5a78cd1f5f616eae043ebc6f024104b721 ] Although the post-increment in macro 'CPU_SET(next++, &cpuset)' seems safe, the sequencing can raise compile errors, so move the increment outside the macro. This avoids an error seen using gcc 12.3.0 for mips64el/musl-libc: In file included from test_lru_map.c:11: test_lru_map.c: In function 'sched_next_online': test_lru_map.c:129:29: error: operation on 'next' may be undefined [-Werror=sequence-point] 129 | CPU_SET(next++, &cpuset); | ^ cc1: all warnings being treated as errors Fixes: 3fbfadce6012 ("bpf: Fix test_lru_sanity5() in test_lru_map.c") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/22993dfb11ccf27925a626b32672fd3324cb76c4.1722244708.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit ff856a2d2d80a9fe9ad106c51b3fb3b71b1b0a53 Author: Tony Ambardar Date: Mon Jul 29 02:24:18 2024 -0700 selftests/bpf: Fix arg parsing in veristat, test_progs [ Upstream commit 03bfcda1fbc37ef34aa21d2b9e09138335afc6ee ] Current code parses arguments with strtok_r() using a construct like char *state = NULL; while ((next = strtok_r(state ? NULL : input, ",", &state))) { ... } where logic assumes the 'state' var can distinguish between first and subsequent strtok_r() calls, and adjusts parameters accordingly. However, 'state' is strictly internal context for strtok_r() and no such assumptions are supported in the man page. Moreover, the exact behaviour of 'state' depends on the libc implementation, making the above code fragile. Indeed, invoking "./test_progs -t " on mips64el/musl will hang, with the above code in an infinite loop. Similarly, we see strange behaviour running 'veristat' on mips64el/musl: $ ./veristat -e file,prog,verdict,insns -C two-ok add-failure Can't specify more than 9 stats Rewrite code using a counter to distinguish between strtok_r() calls. Fixes: 61ddff373ffa ("selftests/bpf: Improve by-name subtest selection logic in prog_tests") Fixes: 394169b079b5 ("selftests/bpf: add comparison mode to veristat") Fixes: c8bc5e050976 ("selftests/bpf: Add veristat tool for mass-verifying BPF object files") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/392d8bf5559f85fa37926c1494e62312ef252c3d.1722244708.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit d075f456c2eb1c3c1913f44cd3bb8a2e54982939 Author: David Vernet Date: Wed Jul 24 12:14:58 2024 -0500 libbpf: Don't take direct pointers into BTF data from st_ops [ Upstream commit 04a94133f1b3cccb19e056c26f056c50b4e5b3b1 ] In struct bpf_struct_ops, we have take a pointer to a BTF type name, and a struct btf_type. This was presumably done for convenience, but can actually result in subtle and confusing bugs given that BTF data can be invalidated before a program is loaded. For example, in sched_ext, we may sometimes resize a data section after a skeleton has been opened, but before the struct_ops scheduler map has been loaded. This may cause the BTF data to be realloc'd, which can then cause a UAF when loading the program because the struct_ops map has pointers directly into the BTF data. We're already storing the BTF type_id in struct bpf_struct_ops. Because type_id is stable, we can therefore just update the places where we were looking at those pointers to instead do the lookups we need from the type_id. Fixes: 590a00888250 ("bpf: libbpf: Add STRUCT_OPS support") Signed-off-by: David Vernet Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20240724171459.281234-1-void@manifault.com Signed-off-by: Sasha Levin commit acfec3f22e2d92710b06d93b2b546bf4780a9ca7 Author: Tony Ambardar Date: Mon Jul 22 22:54:46 2024 -0700 selftests/bpf: Fix errors compiling cg_storage_multi.h with musl libc [ Upstream commit 730561d3c08d4a327cceaabf11365958a1c00cec ] Remove a redundant include of '', whose needed definitions are already included (via '') in cg_storage_multi_egress_only.c, cg_storage_multi_isolated.c, and cg_storage_multi_shared.c. This avoids redefinition errors seen compiling for mips64el/musl-libc like: In file included from progs/cg_storage_multi_egress_only.c:13: In file included from progs/cg_storage_multi.h:6: In file included from /usr/mips64el-linux-gnuabi64/include/asm/types.h:23: /usr/include/asm-generic/int-l64.h:29:25: error: typedef redefinition with different types ('long' vs 'long long') 29 | typedef __signed__ long __s64; | ^ /usr/include/asm-generic/int-ll64.h:30:44: note: previous definition is here 30 | __extension__ typedef __signed__ long long __s64; | ^ Fixes: 9e5bd1f7633b ("selftests/bpf: Test CGROUP_STORAGE map can't be used by multiple progs") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/4f4702e9f6115b7f84fea01b2326ca24c6df7ba8.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 8ba0e414bd91635d877bb224521b231b61c049ae Author: Tony Ambardar Date: Mon Jul 22 22:54:45 2024 -0700 selftests/bpf: Fix errors compiling crypto_sanity.c with musl libc [ Upstream commit 9822be702fe6e1c3e0933ef4b68a8c56683d930d ] Remove a redundant include of '', whose needed definitions are already provided by 'test_progs.h'. This avoids errors seen compiling for mips64el/musl-libc: In file included from .../arpa/inet.h:9, from ./test_progs.h:17, from prog_tests/crypto_sanity.c:10: .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr' 23 | struct in6_addr { | ^~~~~~~~ In file included from crypto_sanity.c:7: .../linux/in6.h:33:8: note: originally defined here 33 | struct in6_addr { | ^~~~~~~~ .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6' 34 | struct sockaddr_in6 { | ^~~~~~~~~~~~ .../linux/in6.h:50:8: note: originally defined here 50 | struct sockaddr_in6 { | ^~~~~~~~~~~~ .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq' 42 | struct ipv6_mreq { | ^~~~~~~~~ .../linux/in6.h:60:8: note: originally defined here 60 | struct ipv6_mreq { | ^~~~~~~~~ Fixes: 91541ab192fc ("selftests: bpf: crypto skcipher algo selftests") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Reviewed-by: Vadim Fedorenko Link: https://lore.kernel.org/bpf/911293968f424ad7b462d8805aeb3baee8f4985b.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit a87b30dc55cf6b3257ce04ffa326cb4229dcc30a Author: Tony Ambardar Date: Mon Jul 22 22:54:44 2024 -0700 selftests/bpf: Fix errors compiling decap_sanity.c with musl libc [ Upstream commit 1b00f355130a5dfc38a01ad02458ae2cb2ebe609 ] Remove a redundant include of '', whose needed definitions are already provided by 'test_progs.h'. This avoids errors seen compiling for mips64el/musl-libc: In file included from .../arpa/inet.h:9, from ./test_progs.h:17, from prog_tests/decap_sanity.c:9: .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr' 23 | struct in6_addr { | ^~~~~~~~ In file included from decap_sanity.c:7: .../linux/in6.h:33:8: note: originally defined here 33 | struct in6_addr { | ^~~~~~~~ .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6' 34 | struct sockaddr_in6 { | ^~~~~~~~~~~~ .../linux/in6.h:50:8: note: originally defined here 50 | struct sockaddr_in6 { | ^~~~~~~~~~~~ .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq' 42 | struct ipv6_mreq { | ^~~~~~~~~ .../linux/in6.h:60:8: note: originally defined here 60 | struct ipv6_mreq { | ^~~~~~~~~ Fixes: 70a00e2f1dba ("selftests/bpf: Test bpf_skb_adjust_room on CHECKSUM_PARTIAL") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/e986ba2d7edccd254b54f7cd049b98f10bafa8c3.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 54362445a1d16088765eb9292751b0c208967582 Author: Tony Ambardar Date: Mon Jul 22 22:54:43 2024 -0700 selftests/bpf: Fix errors compiling lwt_redirect.c with musl libc [ Upstream commit 27c4797ce51c8dd51e35e68e9024a892f62d78b2 ] Remove a redundant include of '' which is already provided in 'lwt_helpers.h'. This avoids errors seen compiling for mips64el/musl-libc: In file included from .../arpa/inet.h:9, from lwt_redirect.c:51: .../netinet/in.h:23:8: error: redefinition of 'struct in6_addr' 23 | struct in6_addr { | ^~~~~~~~ In file included from .../linux/icmp.h:24, from lwt_redirect.c:50: .../linux/in6.h:33:8: note: originally defined here 33 | struct in6_addr { | ^~~~~~~~ .../netinet/in.h:34:8: error: redefinition of 'struct sockaddr_in6' 34 | struct sockaddr_in6 { | ^~~~~~~~~~~~ .../linux/in6.h:50:8: note: originally defined here 50 | struct sockaddr_in6 { | ^~~~~~~~~~~~ .../netinet/in.h:42:8: error: redefinition of 'struct ipv6_mreq' 42 | struct ipv6_mreq { | ^~~~~~~~~ .../linux/in6.h:60:8: note: originally defined here 60 | struct ipv6_mreq { | ^~~~~~~~~ Fixes: 43a7c3ef8a15 ("selftests/bpf: Add lwt_xmit tests for BPF_REDIRECT") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/3869dda876d5206d2f8d4dd67331c739ceb0c7f8.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit fc8caee4ccc108cd114a3d4b6db8fa833b8af574 Author: Tony Ambardar Date: Mon Jul 22 22:54:42 2024 -0700 selftests/bpf: Fix compiling core_reloc.c with musl-libc [ Upstream commit debfa4f628f271f72933bf38d581cc53cfe1def5 ] The type 'loff_t' is a GNU extension and not exposed by the musl 'fcntl.h' header unless _GNU_SOURCE is defined. Add this definition to fix errors seen compiling for mips64el/musl-libc: In file included from tools/testing/selftests/bpf/prog_tests/core_reloc.c:4: ./bpf_testmod/bpf_testmod.h:10:9: error: unknown type name 'loff_t' 10 | loff_t off; | ^~~~~~ ./bpf_testmod/bpf_testmod.h:16:9: error: unknown type name 'loff_t' 16 | loff_t off; | ^~~~~~ Fixes: 6bcd39d366b6 ("selftests/bpf: Add CO-RE relocs selftest relying on kernel module BTF") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/11c3af75a7eb6bcb7ad9acfae6a6f470c572eb82.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit b1da858f8a9f45517cc7e019a349f03cbe84337c Author: Tony Ambardar Date: Mon Jul 22 22:54:41 2024 -0700 selftests/bpf: Fix compiling tcp_rtt.c with musl-libc [ Upstream commit 18826fb0b79c3c3cd1fe765d85f9c6f1a902c722 ] The GNU version of 'struct tcp_info' in 'netinet/tcp.h' is not exposed by musl headers unless _GNU_SOURCE is defined. Add this definition to fix errors seen compiling for mips64el/musl-libc: tcp_rtt.c: In function 'wait_for_ack': tcp_rtt.c:24:25: error: storage size of 'info' isn't known 24 | struct tcp_info info; | ^~~~ tcp_rtt.c:24:25: error: unused variable 'info' [-Werror=unused-variable] cc1: all warnings being treated as errors Fixes: 1f4f80fed217 ("selftests/bpf: test_progs: convert test_tcp_rtt") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/f2329767b15df206f08a5776d35a47c37da855ae.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 5257814a5f747354af96acb15400cf8f2cbacc53 Author: Tony Ambardar Date: Mon Jul 22 22:54:40 2024 -0700 selftests/bpf: Fix compiling flow_dissector.c with musl-libc [ Upstream commit 5e4c43bcb85973243d7274e0058b6e8f5810e4f7 ] The GNU version of 'struct tcphdr' has members 'doff', 'source' and 'dest', which are not exposed by musl libc headers unless _GNU_SOURCE is defined. Add this definition to fix errors seen compiling for mips64el/musl-libc: flow_dissector.c:118:30: error: 'struct tcphdr' has no member named 'doff' 118 | .tcp.doff = 5, | ^~~~ flow_dissector.c:119:30: error: 'struct tcphdr' has no member named 'source' 119 | .tcp.source = 80, | ^~~~~~ flow_dissector.c:120:30: error: 'struct tcphdr' has no member named 'dest' 120 | .tcp.dest = 8080, | ^~~~ Fixes: ae173a915785 ("selftests/bpf: support BPF_FLOW_DISSECTOR_F_PARSE_1ST_FRAG") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/8f7ab21a73f678f9cebd32b26c444a686e57414d.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 92e47cbf61dca165932658ba5ffe118edeb366c4 Author: Tony Ambardar Date: Mon Jul 22 22:54:39 2024 -0700 selftests/bpf: Fix compiling kfree_skb.c with musl-libc [ Upstream commit bae9a5ce7d3a9b3a9e07b31ab9e9c58450e3e9fd ] The GNU version of 'struct tcphdr' with member 'doff' is not exposed by musl headers unless _GNU_SOURCE is defined. Add this definition to fix errors seen compiling for mips64el/musl-libc: In file included from kfree_skb.c:2: kfree_skb.c: In function 'on_sample': kfree_skb.c:45:30: error: 'struct tcphdr' has no member named 'doff' 45 | if (CHECK(pkt_v6->tcp.doff != 5, "check_tcp", | ^ Fixes: 580d656d80cf ("selftests/bpf: Add kfree_skb raw_tp test") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/e2d8cedc790959c10d6822a51f01a7a3616bea1b.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 43c0a8201f517e07bae5ae9524583c909cab6b81 Author: Tony Ambardar Date: Mon Jul 22 22:54:38 2024 -0700 selftests/bpf: Fix compiling parse_tcp_hdr_opt.c with musl-libc [ Upstream commit 4c329b99ef9c118343379bde9f97e8ce5cac9fc9 ] The GNU version of 'struct tcphdr', with members 'doff' and 'urg_ptr', is not exposed by musl headers unless _GNU_SOURCE is defined. Add this definition to fix errors seen compiling for mips64el/musl-libc: parse_tcp_hdr_opt.c:18:21: error: 'struct tcphdr' has no member named 'urg_ptr' 18 | .pk6_v6.tcp.urg_ptr = 123, | ^~~~~~~ parse_tcp_hdr_opt.c:19:21: error: 'struct tcphdr' has no member named 'doff' 19 | .pk6_v6.tcp.doff = 9, /* 16 bytes of options */ | ^~~~ Fixes: cfa7b011894d ("selftests/bpf: tests for using dynptrs to parse skb and xdp buffers") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/ac5440213c242c62cb4e0d9e0a9cd5058b6a31f6.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit f3fa49a40e127b173a810a3fd5b2b9857157bb68 Author: Tony Ambardar Date: Mon Jul 22 22:54:37 2024 -0700 selftests/bpf: Fix include of [ Upstream commit 21f0b0af977203220ad58aff95e372151288ec47 ] Update ns_current_pid_tgid.c to use '#include ' and avoid compile error against mips64el/musl libc: In file included from .../prog_tests/ns_current_pid_tgid.c:14: .../include/sys/fcntl.h:1:2: error: #warning redirecting incorrect #include to [-Werror=cpp] 1 | #warning redirecting incorrect #include to | ^~~~~~~ cc1: all warnings being treated as errors Fixes: 09c02d553c49 ("bpf, selftests: Fold test_current_pid_tgid_new_ns into test_progs.") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/8bdc869749177b575025bf69600a4ce591822609.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 7d3016e503eebae37a697d4f6264c7bba354d5da Author: Tony Ambardar Date: Mon Jul 22 22:54:36 2024 -0700 selftests/bpf: Fix missing BUILD_BUG_ON() declaration [ Upstream commit 6495eb79ca7d15bd87c38d77307e8f9b6b7bf4ef ] Explicitly include '' to fix errors seen compiling with gcc targeting mips64el/musl-libc: user_ringbuf.c: In function 'test_user_ringbuf_loop': user_ringbuf.c:426:9: error: implicit declaration of function 'BUILD_BUG_ON' [-Werror=implicit-function-declaration] 426 | BUILD_BUG_ON(total_samples <= c_max_entries); | ^~~~~~~~~~~~ cc1: all warnings being treated as errors Fixes: e5a9df51c746 ("selftests/bpf: Add selftests validating the user ringbuf") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/b28575f9221ec54871c46a2e87612bb4bbf46ccd.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit c84c78a4c8ba8d73f3f655d3e55874e0da467e60 Author: Tony Ambardar Date: Mon Jul 22 22:54:35 2024 -0700 selftests/bpf: Fix missing UINT_MAX definitions in benchmarks [ Upstream commit a2c155131b710959beb508ca6a54769b6b1bd488 ] Include in 'bench.h' to provide a UINT_MAX definition and avoid multiple compile errors against mips64el/musl-libc like: benchs/bench_local_storage.c: In function 'parse_arg': benchs/bench_local_storage.c:40:38: error: 'UINT_MAX' undeclared (first use in this function) 40 | if (ret < 1 || ret > UINT_MAX) { | ^~~~~~~~ benchs/bench_local_storage.c:11:1: note: 'UINT_MAX' is defined in header ''; did you forget to '#include '? 10 | #include +++ |+#include 11 | seen with bench_local_storage.c, bench_local_storage_rcu_tasks_trace.c, and bench_bpf_hashmap_lookup.c. Fixes: 73087489250d ("selftests/bpf: Add benchmark for local_storage get") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/8f64a9d9fcff40a7fca090a65a68a9b62a468e16.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 464f6273995d169680110aae08807ca3bf34d6ea Author: Tony Ambardar Date: Mon Jul 22 22:54:34 2024 -0700 selftests/bpf: Fix missing ARRAY_SIZE() definition in bench.c [ Upstream commit d44c93fc2f5a0c47b23fa03d374e45259abd92d2 ] Add a "bpf_util.h" include to avoid the following error seen compiling for mips64el with musl libc: bench.c: In function 'find_benchmark': bench.c:590:25: error: implicit declaration of function 'ARRAY_SIZE' [-Werror=implicit-function-declaration] 590 | for (i = 0; i < ARRAY_SIZE(benchs); i++) { | ^~~~~~~~~~ cc1: all warnings being treated as errors Fixes: 8e7c2a023ac0 ("selftests/bpf: Add benchmark runner infrastructure") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/bc4dde77dfcd17a825d8f28f72f3292341966810.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 8faf3589430fe797fef648cb9a0c2ed042dce6fd Author: Tony Ambardar Date: Mon Jul 22 22:54:31 2024 -0700 selftests/bpf: Drop unneeded error.h includes [ Upstream commit 69f409469c9b1515a5db40d5a36fda372376fa2d ] The addition of general support for unprivileged tests in test_loader.c breaks building test_verifier on non-glibc (e.g. musl) systems, due to the inclusion of glibc extension '' in 'unpriv_helpers.c'. However, the header is actually not needed, so remove it to restore building. Similarly for sk_lookup.c and flow_dissector.c, error.h is not necessary and causes problems, so drop them. Fixes: 1d56ade032a4 ("selftests/bpf: Unprivileged tests for test_loader.c") Fixes: 0ab5539f8584 ("selftests/bpf: Tests for BPF_SK_LOOKUP attach point") Fixes: 0905beec9f52 ("selftests/bpf: run flow dissector tests in skb-less mode") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/5664367edf5fea4f3f4b4aec3b182bcfc6edff9c.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 4458166583033f8a4ecedbbc7090dd38d77dc57a Author: Tony Ambardar Date: Mon Jul 22 22:54:30 2024 -0700 selftests/bpf: Fix error compiling bpf_iter_setsockopt.c with musl libc [ Upstream commit 7b10f0c227ce3fa055d601f058dc411092a62a78 ] Existing code calls getsockname() with a 'struct sockaddr_in6 *' argument where a 'struct sockaddr *' argument is declared, yielding compile errors when building for mips64el/musl-libc: bpf_iter_setsockopt.c: In function 'get_local_port': bpf_iter_setsockopt.c:98:30: error: passing argument 2 of 'getsockname' from incompatible pointer type [-Werror=incompatible-pointer-types] 98 | if (!getsockname(fd, &addr, &addrlen)) | ^~~~~ | | | struct sockaddr_in6 * In file included from .../netinet/in.h:10, from .../arpa/inet.h:9, from ./test_progs.h:17, from bpf_iter_setsockopt.c:5: .../sys/socket.h:391:23: note: expected 'struct sockaddr * restrict' but argument is of type 'struct sockaddr_in6 *' 391 | int getsockname (int, struct sockaddr *__restrict, socklen_t *__restrict); | ^ cc1: all warnings being treated as errors This compiled under glibc only because the argument is declared to be a "funky" transparent union which includes both types above. Explicitly cast the argument to allow compiling for both musl and glibc. Fixes: eed92afdd14c ("bpf: selftest: Test batching and bpf_(get|set)sockopt in bpf tcp iter") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Acked-by: Geliang Tang Link: https://lore.kernel.org/bpf/f41def0f17b27a23b1709080e4e3f37f4cc11ca9.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 7972e282b74563cf47725c5ae2c56f9376710423 Author: Tony Ambardar Date: Mon Jul 22 22:54:29 2024 -0700 selftests/bpf: Fix compile error from rlim_t in sk_storage_map.c [ Upstream commit d393f9479d4aaab0fa4c3caf513f28685e831f13 ] Cast 'rlim_t' argument to match expected type of printf() format and avoid compile errors seen building for mips64el/musl-libc: In file included from map_tests/sk_storage_map.c:20: map_tests/sk_storage_map.c: In function 'test_sk_storage_map_stress_free': map_tests/sk_storage_map.c:414:56: error: format '%lu' expects argument of type 'long unsigned int', but argument 2 has type 'rlim_t' {aka 'long long unsigned int'} [-Werror=format=] 414 | CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d", | ^~~~~~~~~~~~~~~~~~~~~~~ 415 | rlim_new.rlim_cur, errno); | ~~~~~~~~~~~~~~~~~ | | | rlim_t {aka long long unsigned int} ./test_maps.h:12:24: note: in definition of macro 'CHECK' 12 | printf(format); \ | ^~~~~~ map_tests/sk_storage_map.c:414:68: note: format string is defined here 414 | CHECK(err, "setrlimit(RLIMIT_NOFILE)", "rlim_new:%lu errno:%d", | ~~^ | | | long unsigned int | %llu cc1: all warnings being treated as errors Fixes: 51a0e301a563 ("bpf: Add BPF_MAP_TYPE_SK_STORAGE test to test_maps") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/1e00a1fa7acf91b4ca135c4102dc796d518bad86.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit a73afe5bef96b65da20d42a28951fa28926685ee Author: Tony Ambardar Date: Mon Jul 22 22:54:28 2024 -0700 selftests/bpf: Use pid_t consistently in test_progs.c [ Upstream commit ec4fe2f0fa12fd2d0115df7e58414dc26899cc5e ] Use pid_t rather than __pid_t when allocating memory for 'worker_pids' in 'struct test_env', as this is its declared type and also avoids compile errors seen building against musl libc on mipsel64: test_progs.c:1738:49: error: '__pid_t' undeclared (first use in this function); did you mean 'pid_t'? 1738 | env.worker_pids = calloc(sizeof(__pid_t), env.workers); | ^~~~~~~ | pid_t test_progs.c:1738:49: note: each undeclared identifier is reported only once for each function it appears in Fixes: 91b2c0afd00c ("selftests/bpf: Add parallelism to test_progs") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Acked-by: Geliang Tang Link: https://lore.kernel.org/bpf/c6447da51a94babc1931711a43e2ceecb135c93d.1721713597.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit f09757fe97a225ae505886eac572e4cbfba96537 Author: Yonghong Song Date: Tue Jul 23 08:34:39 2024 -0700 bpf: Fail verification for sign-extension of packet data/data_end/data_meta [ Upstream commit 92de36080c93296ef9005690705cba260b9bd68a ] syzbot reported a kernel crash due to commit 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses"). The reason is due to sign-extension of 32-bit load for packet data/data_end/data_meta uapi field. The original code looks like: r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */ r3 = *(u32 *)(r1 + 80) /* load __sk_buff->data_end */ r0 = r2 r0 += 8 if r3 > r0 goto +1 ... Note that __sk_buff->data load has 32-bit sign extension. After verification and convert_ctx_accesses(), the final asm code looks like: r2 = *(u64 *)(r1 +208) r2 = (s32)r2 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 ... Note that 'r2 = (s32)r2' may make the kernel __sk_buff->data address invalid which may cause runtime failure. Currently, in C code, typically we have void *data = (void *)(long)skb->data; void *data_end = (void *)(long)skb->data_end; ... and it will generate r2 = *(u64 *)(r1 +208) r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 If we allow sign-extension, void *data = (void *)(long)(int)skb->data; void *data_end = (void *)(long)skb->data_end; ... the generated code looks like r2 = *(u64 *)(r1 +208) r2 <<= 32 r2 s>>= 32 r3 = *(u64 *)(r1 +80) r0 = r2 r0 += 8 if r3 > r0 goto pc+1 and this will cause verification failure since "r2 <<= 32" is not allowed as "r2" is a packet pointer. To fix this issue for case r2 = *(s32 *)(r1 + 76) /* load __sk_buff->data */ this patch added additional checking in is_valid_access() callback function for packet data/data_end/data_meta access. If those accesses are with sign-extenstion, the verification will fail. [1] https://lore.kernel.org/bpf/000000000000c90eee061d236d37@google.com/ Reported-by: syzbot+ad9ec60c8eaf69e6f99c@syzkaller.appspotmail.com Fixes: 1f1e864b6555 ("bpf: Handle sign-extenstin ctx member accesses") Acked-by: Eduard Zingerman Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20240723153439.2429035-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Signed-off-by: Sasha Levin commit 9adc4dc96722be0a05f3e362edee2713b0d95486 Author: Tony Ambardar Date: Mon Jul 22 17:30:45 2024 -0700 tools/runqslower: Fix LDFLAGS and add LDLIBS support [ Upstream commit f86601c3661946721e8f260bdd812b759854ac22 ] Actually use previously defined LDFLAGS during build and add support for LDLIBS to link extra standalone libraries e.g. 'argp' which is not provided by musl libc. Fixes: 585bf4640ebe ("tools: runqslower: Add EXTRA_CFLAGS and EXTRA_LDFLAGS support") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Acked-by: Ilya Leoshkevich Link: https://lore.kernel.org/bpf/20240723003045.2273499-1-tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 03115c7e194d34e17992aa0597faaf49a2ca17c4 Author: Tony Ambardar Date: Fri Jul 19 22:25:35 2024 -0700 selftests/bpf: Fix wrong binary in Makefile log output [ Upstream commit 3ece93a4087b2db7b99ebb2412bd60cf26bbbb51 ] Make log output incorrectly shows 'test_maps' as the binary name for every 'CLNG-BPF' build step, apparently picking up the last value defined for the $(TRUNNER_BINARY) variable. Update the 'CLANG_BPF_BUILD_RULE' variants to fix this confusing output. Current output: CLNG-BPF [test_maps] access_map_in_map.bpf.o GEN-SKEL [test_progs] access_map_in_map.skel.h ... CLNG-BPF [test_maps] access_map_in_map.bpf.o GEN-SKEL [test_progs-no_alu32] access_map_in_map.skel.h ... CLNG-BPF [test_maps] access_map_in_map.bpf.o GEN-SKEL [test_progs-cpuv4] access_map_in_map.skel.h After fix: CLNG-BPF [test_progs] access_map_in_map.bpf.o GEN-SKEL [test_progs] access_map_in_map.skel.h ... CLNG-BPF [test_progs-no_alu32] access_map_in_map.bpf.o GEN-SKEL [test_progs-no_alu32] access_map_in_map.skel.h ... CLNG-BPF [test_progs-cpuv4] access_map_in_map.bpf.o GEN-SKEL [test_progs-cpuv4] access_map_in_map.skel.h Fixes: a5d0c26a2784 ("selftests/bpf: Add a cpuv4 test runner for cpu=v4 testing") Fixes: 89ad7420b25c ("selftests/bpf: Drop the need for LLVM's llc") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Acked-by: Eduard Zingerman Link: https://lore.kernel.org/bpf/20240720052535.2185967-1-tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit 1ff3455214d30e4c68fed466725a8aaf2b978383 Author: Tony Ambardar Date: Mon Jul 22 17:13:29 2024 -0700 selftests/bpf: Fix error linking uprobe_multi on mips [ Upstream commit a5f40d596bff182b4b47547712f540885e8fb17b ] Linking uprobe_multi.c on mips64el fails due to relocation overflows, when the GOT entries required exceeds the default maximum. Add a specific CFLAGS (-mxgot) for uprobe_multi.c on MIPS that allows using a larger GOT and avoids errors such as: /tmp/ccBTNQzv.o: in function `bench': uprobe_multi.c:49:(.text+0x1d7720): relocation truncated to fit: R_MIPS_GOT_DISP against `uprobe_multi_func_08188' uprobe_multi.c:49:(.text+0x1d7730): relocation truncated to fit: R_MIPS_GOT_DISP against `uprobe_multi_func_08189' ... collect2: error: ld returned 1 exit status Fixes: 519dfeaf5119 ("selftests/bpf: Add uprobe_multi test program") Signed-off-by: Tony Ambardar Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/14eb7b70f8ccef9834874d75eb373cb9292129da.1721692479.git.tony.ambardar@gmail.com Signed-off-by: Sasha Levin commit a5dea0b93b3019f5369be7ed75d48689c0785d6f Author: Alexei Starovoitov Date: Mon Jul 22 19:08:15 2024 -0700 selftests/bpf: Workaround strict bpf_lsm return value check. [ Upstream commit aa8ebb270c66cea1f56a25d0f938036e91ad085a ] test_progs-no_alu32 -t libbpf_get_fd_by_id_opts is being rejected by the verifier with the following error due to compiler optimization: 6: (67) r0 <<= 62 ; R0_w=scalar(smax=0x4000000000000000,umax=0xc000000000000000,smin32=0,smax32=umax32=0,var_off=(0x0; 0xc000000000000000)) 7: (c7) r0 s>>= 63 ; R0_w=scalar(smin=smin32=-1,smax=smax32=0) ; @ test_libbpf_get_fd_by_id_opts.c:0 8: (57) r0 &= -13 ; R0_w=scalar(smax=0x7ffffffffffffff3,umax=0xfffffffffffffff3,smax32=0x7ffffff3,umax32=0xfffffff3,var_off=(0x0; 0xfffffffffffffff3)) ; int BPF_PROG(check_access, struct bpf_map *map, fmode_t fmode) @ test_libbpf_get_fd_by_id_opts.c:27 9: (95) exit At program exit the register R0 has smax=9223372036854775795 should have been in [-4095, 0] Workaround by adding barrier(). Eventually the verifier will be able to recognize it. Fixes: 5d99e198be27 ("bpf, lsm: Add check for BPF LSM return value") Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Signed-off-by: Sasha Levin commit 89937e23fcc20045cf10c9f368037d0a83a121a0 Author: Xu Kuohai Date: Fri Jul 19 19:00:54 2024 +0800 bpf: Fix compare error in function retval_range_within [ Upstream commit 763aa759d3b2c4f95b11855e3d37b860860107e2 ] After checking lsm hook return range in verifier, the test case "test_progs -t test_lsm" failed, and the failure log says: libbpf: prog 'test_int_hook': BPF program load failed: Invalid argument libbpf: prog 'test_int_hook': -- BEGIN PROG LOAD LOG -- 0: R1=ctx() R10=fp0 ; int BPF_PROG(test_int_hook, struct vm_area_struct *vma, @ lsm.c:89 0: (79) r0 = *(u64 *)(r1 +24) ; R0_w=scalar(smin=smin32=-4095,smax=smax32=0) R1=ctx() [...] 24: (b4) w0 = -1 ; R0_w=0xffffffff ; int BPF_PROG(test_int_hook, struct vm_area_struct *vma, @ lsm.c:89 25: (95) exit At program exit the register R0 has smin=4294967295 smax=4294967295 should have been in [-4095, 0] It can be seen that instruction "w0 = -1" zero extended -1 to 64-bit register r0, setting both smin and smax values of r0 to 4294967295. This resulted in a false reject when r0 was checked with range [-4095, 0]. Given bpf lsm does not return 64-bit values, this patch fixes it by changing the compare between r0 and return range from 64-bit operation to 32-bit operation for bpf lsm. Fixes: 8fa4ecd49b81 ("bpf: enforce exact retval range on subprog/callback exit") Signed-off-by: Xu Kuohai Acked-by: Shung-Hsi Yu Link: https://lore.kernel.org/r/20240719110059.797546-5-xukuohai@huaweicloud.com Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Signed-off-by: Sasha Levin commit 27ca3e20fe80be85a92b10064dfeb56cb2564b1c Author: Xu Kuohai Date: Fri Jul 19 19:00:52 2024 +0800 bpf, lsm: Add check for BPF LSM return value [ Upstream commit 5d99e198be279045e6ecefe220f5c52f8ce9bfd5 ] A bpf prog returning a positive number attached to file_alloc_security hook makes kernel panic. This happens because file system can not filter out the positive number returned by the LSM prog using IS_ERR, and misinterprets this positive number as a file pointer. Given that hook file_alloc_security never returned positive number before the introduction of BPF LSM, and other BPF LSM hooks may encounter similar issues, this patch adds LSM return value check in verifier, to ensure no unexpected value is returned. Fixes: 520b7aa00d8c ("bpf: lsm: Initialize the BPF LSM hooks") Reported-by: Xin Liu Signed-off-by: Xu Kuohai Acked-by: Eduard Zingerman Link: https://lore.kernel.org/r/20240719110059.797546-3-xukuohai@huaweicloud.com Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Signed-off-by: Sasha Levin commit ffe19d48b0c3230b678a2f66d10233b3699e95b0 Author: Leon Hwang Date: Sun Jul 14 20:39:01 2024 +0800 bpf, arm64: Fix tailcall hierarchy [ Upstream commit 66ff4d61dc124eafe9efaeaef696a09b7f236da2 ] This patch fixes a tailcall issue caused by abusing the tailcall in bpf2bpf feature on arm64 like the way of "bpf, x64: Fix tailcall hierarchy". On arm64, when a tail call happens, it uses tail_call_cnt_ptr to increment tail_call_cnt, too. At the prologue of main prog, it has to initialize tail_call_cnt and prepare tail_call_cnt_ptr. At the prologue of subprog, it pushes x26 register twice, and does not initialize tail_call_cnt. At the epilogue, it pops x26 twice, no matter whether it is main prog or subprog. Fixes: d4609a5d8c70 ("bpf, arm64: Keep tail call count across bpf2bpf calls") Acked-by: Puranjay Mohan Signed-off-by: Leon Hwang Link: https://lore.kernel.org/r/20240714123902.32305-3-hffilwlqm@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Signed-off-by: Sasha Levin commit 83021fb1a0dfa54297e372a046f7935396ad1907 Author: Leon Hwang Date: Sun Jul 14 20:39:00 2024 +0800 bpf, x64: Fix tailcall hierarchy [ Upstream commit 116e04ba1459fc08f80cf27b8c9f9f188be0fcb2 ] This patch fixes a tailcall issue caused by abusing the tailcall in bpf2bpf feature. As we know, tail_call_cnt propagates by rax from caller to callee when to call subprog in tailcall context. But, like the following example, MAX_TAIL_CALL_CNT won't work because of missing tail_call_cnt back-propagation from callee to caller. \#include \#include \#include "bpf_legacy.h" struct { __uint(type, BPF_MAP_TYPE_PROG_ARRAY); __uint(max_entries, 1); __uint(key_size, sizeof(__u32)); __uint(value_size, sizeof(__u32)); } jmp_table SEC(".maps"); int count = 0; static __noinline int subprog_tail1(struct __sk_buff *skb) { bpf_tail_call_static(skb, &jmp_table, 0); return 0; } static __noinline int subprog_tail2(struct __sk_buff *skb) { bpf_tail_call_static(skb, &jmp_table, 0); return 0; } SEC("tc") int entry(struct __sk_buff *skb) { volatile int ret = 1; count++; subprog_tail1(skb); subprog_tail2(skb); return ret; } char __license[] SEC("license") = "GPL"; At run time, the tail_call_cnt in entry() will be propagated to subprog_tail1() and subprog_tail2(). But, when the tail_call_cnt in subprog_tail1() updates when bpf_tail_call_static(), the tail_call_cnt in entry() won't be updated at the same time. As a result, in entry(), when tail_call_cnt in entry() is less than MAX_TAIL_CALL_CNT and subprog_tail1() returns because of MAX_TAIL_CALL_CNT limit, bpf_tail_call_static() in suprog_tail2() is able to run because the tail_call_cnt in subprog_tail2() propagated from entry() is less than MAX_TAIL_CALL_CNT. So, how many tailcalls are there for this case if no error happens? From top-down view, does it look like hierarchy layer and layer? With this view, there will be 2+4+8+...+2^33 = 2^34 - 2 = 17,179,869,182 tailcalls for this case. How about there are N subprog_tail() in entry()? There will be almost N^34 tailcalls. Then, in this patch, it resolves this case on x86_64. In stead of propagating tail_call_cnt from caller to callee, it propagates its pointer, tail_call_cnt_ptr, tcc_ptr for short. However, where does it store tail_call_cnt? It stores tail_call_cnt on the stack of main prog. When tail call happens in subprog, it increments tail_call_cnt by tcc_ptr. Meanwhile, it stores tail_call_cnt_ptr on the stack of main prog, too. And, before jump to tail callee, it has to pop tail_call_cnt and tail_call_cnt_ptr. Then, at the prologue of subprog, it must not make rax as tail_call_cnt_ptr again. It has to reuse tail_call_cnt_ptr from caller. As a result, at run time, it has to recognize rax is tail_call_cnt or tail_call_cnt_ptr at prologue by: 1. rax is tail_call_cnt if rax is <= MAX_TAIL_CALL_CNT. 2. rax is tail_call_cnt_ptr if rax is > MAX_TAIL_CALL_CNT, because a pointer won't be <= MAX_TAIL_CALL_CNT. Here's an example to dump JITed. struct { __uint(type, BPF_MAP_TYPE_PROG_ARRAY); __uint(max_entries, 1); __uint(key_size, sizeof(__u32)); __uint(value_size, sizeof(__u32)); } jmp_table SEC(".maps"); int count = 0; static __noinline int subprog_tail(struct __sk_buff *skb) { bpf_tail_call_static(skb, &jmp_table, 0); return 0; } SEC("tc") int entry(struct __sk_buff *skb) { int ret = 1; count++; subprog_tail(skb); subprog_tail(skb); return ret; } When bpftool p d j id 42: int entry(struct __sk_buff * skb): bpf_prog_0c0f4c2413ef19b1_entry: ; int entry(struct __sk_buff *skb) 0: endbr64 4: nopl (%rax,%rax) 9: xorq %rax, %rax ;; rax = 0 (tail_call_cnt) c: pushq %rbp d: movq %rsp, %rbp 10: endbr64 14: cmpq $33, %rax ;; if rax > 33, rax = tcc_ptr 18: ja 0x20 ;; if rax > 33 goto 0x20 ---+ 1a: pushq %rax ;; [rbp - 8] = rax = 0 | 1b: movq %rsp, %rax ;; rax = rbp - 8 | 1e: jmp 0x21 ;; ---------+ | 20: pushq %rax ;; <--------|---------------+ 21: pushq %rax ;; <--------+ [rbp - 16] = rax 22: pushq %rbx ;; callee saved 23: movq %rdi, %rbx ;; rbx = skb (callee saved) ; count++; 26: movabsq $-82417199407104, %rdi 30: movl (%rdi), %esi 33: addl $1, %esi 36: movl %esi, (%rdi) ; subprog_tail(skb); 39: movq %rbx, %rdi ;; rdi = skb 3c: movq -16(%rbp), %rax ;; rax = tcc_ptr 43: callq 0x80 ;; call subprog_tail() ; subprog_tail(skb); 48: movq %rbx, %rdi ;; rdi = skb 4b: movq -16(%rbp), %rax ;; rax = tcc_ptr 52: callq 0x80 ;; call subprog_tail() ; return ret; 57: movl $1, %eax 5c: popq %rbx 5d: leave 5e: retq int subprog_tail(struct __sk_buff * skb): bpf_prog_3a140cef239a4b4f_subprog_tail: ; int subprog_tail(struct __sk_buff *skb) 0: endbr64 4: nopl (%rax,%rax) 9: nopl (%rax) ;; do not touch tail_call_cnt c: pushq %rbp d: movq %rsp, %rbp 10: endbr64 14: pushq %rax ;; [rbp - 8] = rax (tcc_ptr) 15: pushq %rax ;; [rbp - 16] = rax (tcc_ptr) 16: pushq %rbx ;; callee saved 17: pushq %r13 ;; callee saved 19: movq %rdi, %rbx ;; rbx = skb ; asm volatile("r1 = %[ctx]\n\t" 1c: movabsq $-105487587488768, %r13 ;; r13 = jmp_table 26: movq %rbx, %rdi ;; 1st arg, skb 29: movq %r13, %rsi ;; 2nd arg, jmp_table 2c: xorl %edx, %edx ;; 3rd arg, index = 0 2e: movq -16(%rbp), %rax ;; rax = [rbp - 16] (tcc_ptr) 35: cmpq $33, (%rax) 39: jae 0x4e ;; if *tcc_ptr >= 33 goto 0x4e --------+ 3b: jmp 0x4e ;; jmp bypass, toggled by poking | 40: addq $1, (%rax) ;; (*tcc_ptr)++ | 44: popq %r13 ;; callee saved | 46: popq %rbx ;; callee saved | 47: popq %rax ;; undo rbp-16 push | 48: popq %rax ;; undo rbp-8 push | 49: nopl (%rax,%rax) ;; tail call target, toggled by poking | ; return 0; ;; | 4e: popq %r13 ;; restore callee saved <--------------+ 50: popq %rbx ;; restore callee saved 51: leave 52: retq Furthermore, when trampoline is the caller of bpf prog, which is tail_call_reachable, it is required to propagate rax through trampoline. Fixes: ebf7d1f508a7 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT") Fixes: e411901c0b77 ("bpf: allow for tailcalls in BPF subprograms for x64 JIT") Reviewed-by: Eduard Zingerman Signed-off-by: Leon Hwang Link: https://lore.kernel.org/r/20240714123902.32305-2-hffilwlqm@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Andrii Nakryiko Signed-off-by: Sasha Levin commit 21191f29bfa2f1d505970a6e7201bb062a6ca4dd Author: Tianchen Ding Date: Wed Jun 26 10:35:05 2024 +0800 sched/fair: Make SCHED_IDLE entity be preempted in strict hierarchy [ Upstream commit faa42d29419def58d3c3e5b14ad4037f0af3b496 ] Consider the following cgroup: root | ------------------------ | | normal_cgroup idle_cgroup | | SCHED_IDLE task_A SCHED_NORMAL task_B According to the cgroup hierarchy, A should preempt B. But current check_preempt_wakeup_fair() treats cgroup se and task separately, so B will preempt A unexpectedly. Unify the wakeup logic by {c,p}se_is_idle only. This makes SCHED_IDLE of a task a relative policy that is effective only within its own cgroup, similar to the behavior of NICE. Also fix se_is_idle() definition when !CONFIG_FAIR_GROUP_SCHED. Fixes: 304000390f88 ("sched: Cgroup SCHED_IDLE support") Signed-off-by: Tianchen Ding Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Josh Don Reviewed-by: Vincent Guittot Link: https://lkml.kernel.org/r/20240626023505.1332596-1-dtcccc@linux.alibaba.com Signed-off-by: Sasha Levin commit 3f9f72d843c92fb6f4ff7460d774413cde7f254c Author: Jonathan McDowell Date: Fri Aug 16 12:55:46 2024 +0100 tpm: Clean up TPM space after command failure [ Upstream commit e3aaebcbb7c6b403416f442d1de70d437ce313a7 ] tpm_dev_transmit prepares the TPM space before attempting command transmission. However if the command fails no rollback of this preparation is done. This can result in transient handles being leaked if the device is subsequently closed with no further commands performed. Fix this by flushing the space in the event of command transmission failure. Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces") Signed-off-by: Jonathan McDowell Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 09d14a974d904148f3a652fc785df9b8b6323d0f Author: Juergen Gross Date: Sun Sep 15 13:06:44 2024 +0200 xen/swiotlb: fix allocated size [ Upstream commit c3dea3d54f4d399f8044547f0f1abdccbdfb0fee ] The allocated size in xen_swiotlb_alloc_coherent() and xen_swiotlb_free_coherent() is calculated wrong for the case of XEN_PAGE_SIZE not matching PAGE_SIZE. Fix that. Fixes: 7250f422da04 ("xen-swiotlb: use actually allocated size on check physical continuous") Reported-by: Jan Beulich Signed-off-by: Juergen Gross Reviewed-by: Jan Beulich Reviewed-by: Stefano Stabellini Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit 0bd642a683d1d0867b61ae58baaede972077cf7d Author: Juergen Gross Date: Fri Sep 13 12:05:02 2024 +0200 xen/swiotlb: add alignment check for dma buffers [ Upstream commit 9f40ec84a7976d95c34e7cc070939deb103652b0 ] When checking a memory buffer to be consecutive in machine memory, the alignment needs to be checked, too. Failing to do so might result in DMA memory not being aligned according to its requested size, leading to error messages like: 4xxx 0000:2b:00.0: enabling device (0140 -> 0142) 4xxx 0000:2b:00.0: Ring address not aligned 4xxx 0000:2b:00.0: Failed to initialise service qat_crypto 4xxx 0000:2b:00.0: Resetting device qat_dev0 4xxx: probe of 0000:2b:00.0 failed with error -14 Fixes: 9435cce87950 ("xen/swiotlb: Add support for 64KB page granularity") Signed-off-by: Juergen Gross Reviewed-by: Stefano Stabellini Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit c63ab2581ebc4cba16628dae3c1a92d970b358e3 Author: Dafna Hirschfeld Date: Sun Sep 1 07:42:27 2024 +0300 drm/xe: fix missing 'xe_vm_put' [ Upstream commit 2efba0c095419f93f8913f1cbae8bf3fb030db20 ] Fix memleak caused by missing xe_vm_put Fixes: 852856e3b6f6 ("drm/xe: Use reserved copy engine for user binds on faulting devices") Signed-off-by: Dafna Hirschfeld Reviewed-by: Nirmoy Das Link: https://patchwork.freedesktop.org/patch/msgid/20240901044227.1177211-1-dhirschfeld@habana.ai Signed-off-by: Rodrigo Vivi (cherry picked from commit 249df8cbecf0ab4877eab66cae857748631831a9) Signed-off-by: Lucas De Marchi Signed-off-by: Sasha Levin commit 3daee8f67015642dd347496edd4a1296e0258025 Author: Juergen Gross Date: Fri Aug 2 20:14:22 2024 +0200 xen: tolerate ACPI NVS memory overlapping with Xen allocated memory [ Upstream commit be35d91c8880650404f3bf813573222dfb106935 ] In order to minimize required special handling for running as Xen PV dom0, the memory layout is modified to match that of the host. This requires to have only RAM at the locations where Xen allocated memory is living. Unfortunately there seem to be some machines, where ACPI NVS is located at 64 MB, resulting in a conflict with the loaded kernel or the initial page tables built by Xen. Avoid this conflict by swapping the ACPI NVS area in the memory map with unused RAM. This is possible via modification of the dom0 P2M map. Accesses to the ACPI NVS area are done either for saving and restoring it across suspend operations (this will work the same way as before), or by ACPI code when NVS memory is referenced from other ACPI tables. The latter case is handled by a Xen specific indirection of acpi_os_ioremap(). While the E820 map can (and should) be modified right away, the P2M map can be updated only after memory allocation is working, as the P2M map might need to be extended. Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout") Signed-off-by: Juergen Gross Tested-by: Marek Marczykowski-Górecki Reviewed-by: Jan Beulich Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit c1b1c19a98539eedf42a4b922ca96a82e7078db3 Author: Juergen Gross Date: Wed Aug 14 16:47:25 2024 +0200 xen: add capability to remap non-RAM pages to different PFNs [ Upstream commit d05208cf7f05420ad10cc7f9550f91d485523659 ] When running as a Xen PV dom0 it can happen that the kernel is being loaded to a guest physical address conflicting with the host memory map. In order to be able to resolve this conflict, add the capability to remap non-RAM areas to different guest PFNs. A function to use this remapping information for other purposes than doing the remap will be added when needed. As the number of conflicts should be rather low (currently only machines with max. 1 conflict are known), save the remap data in a small statically allocated array. Signed-off-by: Juergen Gross Reviewed-by: Jan Beulich Signed-off-by: Juergen Gross Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") Signed-off-by: Sasha Levin commit cf4b1a3a5cbb04a6c3ede2f132c95e544afa9c21 Author: Juergen Gross Date: Tue Aug 6 10:24:41 2024 +0200 xen: move max_pfn in xen_memory_setup() out of function scope [ Upstream commit 43dc2a0f479b9cd30f6674986d7a40517e999d31 ] Instead of having max_pfn as a local variable of xen_memory_setup(), make it a static variable in setup.c instead. This avoids having to pass it to subfunctions, which will be needed in more cases in future. Rename it to ini_nr_pages, as the value denotes the currently usable number of memory pages as passed from the hypervisor at boot time. Signed-off-by: Juergen Gross Tested-by: Marek Marczykowski-Górecki Reviewed-by: Jan Beulich Signed-off-by: Juergen Gross Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") Signed-off-by: Sasha Levin commit 95abc168a9ba1338642c4b38515721905201bd0b Author: Juergen Gross Date: Fri Aug 2 14:11:06 2024 +0200 xen: introduce generic helper checking for memory map conflicts [ Upstream commit ba88829706e2c5b7238638fc2b0713edf596495e ] When booting as a Xen PV dom0 the memory layout of the dom0 is modified to match that of the host, as this requires less changes in the kernel for supporting Xen. There are some cases, though, which are problematic, as it is the Xen hypervisor selecting the kernel's load address plus some other data, which might conflict with the host's memory map. These conflicts are detected at boot time and result in a boot error. In order to support handling at least some of these conflicts in future, introduce a generic helper function which will later gain the ability to adapt the memory layout when possible. Add the missing check for the xen_start_info area. Note that possible p2m map and initrd memory conflicts are handled already by copying the data to memory areas not conflicting with the memory map. The initial stack allocated by Xen doesn't need to be checked, as early boot code is switching to the statically allocated initial kernel stack. Initial page tables and the kernel itself will be handled later. Signed-off-by: Juergen Gross Tested-by: Marek Marczykowski-Górecki Reviewed-by: Jan Beulich Signed-off-by: Juergen Gross Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory") Signed-off-by: Sasha Levin commit ad2ecda8363e4f02fd152d8f57bb639aec86272f Author: Niklas Cassel Date: Mon Sep 9 17:42:38 2024 +0200 ata: libata: Clear DID_TIME_OUT for ATA PT commands with sense data [ Upstream commit e5dd410acb34c7341a0a93b429dcf3dabf9e3323 ] When ata_qc_complete() schedules a command for EH using ata_qc_schedule_eh(), blk_abort_request() will be called, which leads to req->q->mq_ops->timeout() / scsi_timeout() being called. scsi_timeout(), if the LLDD has no abort handler (libata has no abort handler), will set host byte to DID_TIME_OUT, and then call scsi_eh_scmd_add() to add the command to EH. Thus, when commands first enter libata's EH strategy_handler, all the commands that have been added to EH will have DID_TIME_OUT set. libata has its own flag (AC_ERR_TIMEOUT), that it sets for commands that have not received a completion at the time of entering EH. Thus, libata doesn't really care about DID_TIME_OUT at all, and currently clears the host byte at the end of EH, in ata_scsi_qc_complete(), before scsi_eh_finish_cmd() is called. However, this clearing in ata_scsi_qc_complete() is currently only done for commands that are not ATA passthrough commands. Since the host byte is visible in the completion that we return to user space for ATA passthrough commands, for ATA passthrough commands that got completed via EH (commands with sense data), the user will incorrectly see: ATA pass-through(16): transport error: Host_status=0x03 [DID_TIME_OUT] Fix this by moving the clearing of the host byte (which is currently only done for commands that are not ATA passthrough commands) from ata_scsi_qc_complete() to the start of EH (regardless if the command is ATA passthrough or not). While at it, use the proper helper function to clear the host byte, rather than open coding the clearing. This will make sure that we: -Correctly clear DID_TIME_OUT for both ATA passthrough commands and commands that are not ATA passthrough commands. -Do not needlessly clear the host byte for commands that did not go via EH. ata_scsi_qc_complete() is called both for commands that are completed normally (without going via EH), and for commands that went via EH, however, only commands that went via EH will have DID_TIME_OUT set. Fixes: 24aeebbf8ea9 ("scsi: ata: libata: Change ata_eh_request_sense() to not set CHECK_CONDITION") Reported-by: Igor Pylypiv Closes: https://lore.kernel.org/linux-ide/ZttIN8He8TOZ7Lct@google.com/ Signed-off-by: Niklas Cassel Tested-by: Igor Pylypiv Reviewed-by: Hannes Reinecke Signed-off-by: Damien Le Moal Signed-off-by: Sasha Levin commit 7af286ca1b3f533cbc64ffad68def77ae6786c28 Author: Jason Gerecke Date: Mon Sep 9 13:32:08 2024 -0700 HID: wacom: Do not warn about dropped packets for first packet [ Upstream commit 84aecf2d251a3359bc78b7c8e58f54b9fc966e89 ] The driver currently assumes that the first sequence number it will see is going to be 0. This is not a realiable assumption and can break if, for example, the tablet has already been running for some time prior to the kernel driver connecting to the device. This commit initializes the expected sequence number to -1 and will only print the "Dropped" warning the it has been updated to a non-negative value. Signed-off-by: Jason Gerecke Tested-by: Joshua Dickens Fixes: 6d09085b38e5 ("HID: wacom: Adding Support for new usages") Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 5f14af36b1535da0fd8c18573e288874aacc9496 Author: Jason Gerecke Date: Mon Sep 9 13:32:07 2024 -0700 HID: wacom: Support sequence numbers smaller than 16-bit [ Upstream commit 359673ea3a203611b4f6d0f28922a4b9d2cfbcc8 ] The current dropped packet reporting assumes that all sequence numbers are 16 bits in length. This results in misleading "Dropped" messages if the hardware uses fewer bits. For example, if a tablet uses only 8 bits to store its sequence number, once it rolls over from 255 -> 0, the driver will still be expecting a packet "256". This patch adjusts the logic to reset the next expected packet to logical_minimum whenever it overflows beyond logical_maximum. Signed-off-by: Jason Gerecke Tested-by: Joshua Dickens Fixes: 6d09085b38e5 ("HID: wacom: Adding Support for new usages") Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit d9ab6bb136adacc3c25de2032baf89bbad6ca7f8 Author: Juergen Gross Date: Sat Aug 3 08:01:22 2024 +0200 xen: use correct end address of kernel for conflict checking [ Upstream commit fac1bceeeb04886fc2ee952672e6e6c85ce41dca ] When running as a Xen PV dom0 the kernel is loaded by the hypervisor using a different memory map than that of the host. In order to minimize the required changes in the kernel, the kernel adapts its memory map to that of the host. In order to do that it is checking for conflicts of its load address with the host memory map. Unfortunately the tested memory range does not include the .brk area, which might result in crashes or memory corruption when this area does conflict with the memory map of the host. Fix the test by using the _end label instead of __bss_stop. Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout") Signed-off-by: Juergen Gross Tested-by: Marek Marczykowski-Górecki Reviewed-by: Jan Beulich Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit 08d576b6b9af039d7ca52414b36288bc3872f9e8 Author: Lang Yu Date: Sun Sep 1 08:56:07 2024 -0400 drm/amdgpu: fix invalid fence handling in amdgpu_vm_tlb_flush [ Upstream commit 4453808d9eab0461dea338e89372ffc4a3c50acc ] CPU based update doesn't produce a fence, handle such cases properly. Fixes: d8a3f0a0348d ("drm/amdgpu: implement TLB flush fence") Signed-off-by: Lang Yu Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 68e3b296058d80b992840dad1ba376a146fe5411 Author: Yuesong Li Date: Thu Aug 22 17:09:27 2024 +0800 drivers:drm:exynos_drm_gsc:Fix wrong assignment in gsc_bind() [ Upstream commit 94ebc3d3235c5c516f67315059ce657e5090e94b ] cocci reported a double assignment problem. Upon reviewing previous commits, it appears this may actually be an incorrect assignment. Fixes: 8b9550344d39 ("drm/ipp: clean up debug messages") Signed-off-by: Yuesong Li Signed-off-by: Inki Dae Signed-off-by: Sasha Levin commit 150f7b44565314b59016c3d48b7b432e1b635a2d Author: Nícolas F. R. A. Prado Date: Mon Jul 29 16:56:02 2024 -0400 kselftest: dt: Ignore nodes that have ancestors disabled [ Upstream commit 05144ab7b7eaf531fc728fcb79dcf36b621ff42d ] Filter out nodes that have one of its ancestors disabled as they aren't expected to probe. This removes the following false-positive failures on the sc7180-trogdor-lazor-limozeen-nots-r5 platform: /soc@0/geniqup@8c0000/i2c@894000/proximity@28 /soc@0/geniqup@ac0000/spi@a90000/ec@0 /soc@0/remoteproc@62400000/glink-edge/apr /soc@0/remoteproc@62400000/glink-edge/apr/service@3 /soc@0/remoteproc@62400000/glink-edge/apr/service@4 /soc@0/remoteproc@62400000/glink-edge/apr/service@4/clock-controller /soc@0/remoteproc@62400000/glink-edge/apr/service@4/dais /soc@0/remoteproc@62400000/glink-edge/apr/service@7 /soc@0/remoteproc@62400000/glink-edge/apr/service@7/dais /soc@0/remoteproc@62400000/glink-edge/apr/service@8 /soc@0/remoteproc@62400000/glink-edge/apr/service@8/routing /soc@0/remoteproc@62400000/glink-edge/fastrpc /soc@0/remoteproc@62400000/glink-edge/fastrpc/compute-cb@3 /soc@0/remoteproc@62400000/glink-edge/fastrpc/compute-cb@4 /soc@0/remoteproc@62400000/glink-edge/fastrpc/compute-cb@5 /soc@0/spmi@c440000/pmic@0/pon@800/pwrkey Fixes: 14571ab1ad21 ("kselftest: Add new test for detecting unprobed Devicetree devices") Signed-off-by: Nícolas F. R. A. Prado Link: https://lore.kernel.org/r/20240729-dt-kselftest-parent-disabled-v2-1-d7a001c4930d@collabora.com Signed-off-by: Rob Herring (Arm) Signed-off-by: Sasha Levin commit 5ce111f71aab0ee08c549a058a33b66c9aee2189 Author: Andy Shevchenko Date: Thu Aug 29 19:50:32 2024 +0300 platform/x86: ideapad-laptop: Make the scope_guard() clear of its scope [ Upstream commit a093cb667c3ff5eadd4b23ddf996d9ccae9b7ac6 ] First of all, it's a bit counterintuitive to have something like int err; ... scoped_guard(...) err = foo(...); if (err) return err; Second, with a particular kernel configuration and compiler version in one of such cases the objtool is not happy: ideapad-laptop.o: warning: objtool: .text.fan_mode_show: unexpected end of section I'm not an expert on all this, but the theory is that compiler and linker in this case can't understand that 'result' variable will be always initialized as long as no error has been returned. Assigning 'result' to a dummy value helps with this. Note, that fixing the scoped_guard() scope (as per above) does not make issue gone. That said, assign dummy value and make the scope_guard() clear of its scope. For the sake of consistency do it in the entire file. Fixes: 7cc06e729460 ("platform/x86: ideapad-laptop: add a mutex to synchronize VPC commands") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202408290219.BrPO8twi-lkp@intel.com/ Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20240829165105.1609180-1-andriy.shevchenko@linux.intel.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 849a6842ad57d2d212710b5be65062290dcfd976 Author: Sherry Yang Date: Tue Aug 27 09:53:37 2024 -0700 drm/msm: fix %s null argument error [ Upstream commit 25b85075150fe8adddb096db8a4b950353045ee1 ] The following build error was triggered because of NULL string argument: BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c: In function 'mdp5_smp_dump': BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=] BUILDSTDERR: 352 | drm_printf(p, "%s:%d\t%d\t%s\n", BUILDSTDERR: | ^~ BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=] This happens from the commit a61ddb4393ad ("drm: enable (most) W=1 warnings by default across the subsystem"). Using "(null)" instead to fix it. Fixes: bc5289eed481 ("drm/msm/mdp5: add debugfs to show smp block status") Signed-off-by: Sherry Yang Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/611071/ Link: https://lore.kernel.org/r/20240827165337.1075904-1-sherry.yang@oracle.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 92ef4324e1d44db455d53d74d0137efec5abed62 Author: Dmitry Baryshkov Date: Sun Aug 4 08:40:07 2024 +0300 drm/msm/dsi: correct programming sequence for SM8350 / SM8450 [ Upstream commit 1328cb7c34bf6d056df9ff694ee5194537548258 ] According to the display-drivers, 5nm DSI PLL (v4.2, v4.3) have different boundaries for pll_clock_inverters programming. Follow the vendor code and use correct values. Fixes: 2f9ae4e395ed ("drm/msm/dsi: add support for DSI-PHY on SM8350 and SM8450") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/606947/ Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-3-1149dd8399fe@linaro.org Signed-off-by: Sasha Levin commit a800569d0bff7c80bcb984775672c8ff57d65530 Author: Abhinav Kumar Date: Tue Jul 30 12:50:11 2024 -0700 drm/msm/dp: enable widebus on all relevant chipsets [ Upstream commit c7c412202623951dcfc22316f5255fd84fd56186 ] Hardware document indicates that widebus is recommended on DP on all MDSS chipsets starting version 5.x.x and above. Follow the guideline and mark widebus support on all relevant chipsets for DP. Fixes: 766f705204a0 ("drm/msm/dp: Remove now unused connector_type from desc") Fixes: 1b2d98bdd7b7 ("drm/msm/dp: Add DisplayPort controller for SM8650") Signed-off-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Fixes: 757a2f36ab09 ("drm/msm/dp: enable widebus feature for display port") Fixes: 1b2d98bdd7b7 ("drm/msm/dp: Add DisplayPort controller for SM8650") Patchwork: https://patchwork.freedesktop.org/patch/606556/ Link: https://lore.kernel.org/r/20240730195012.2595980-1-quic_abhinavk@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 1bf1156be7a229caf34572315744867aaf02365e Author: Wolfram Sang Date: Sun Sep 1 11:02:11 2024 +0200 ipmi: docs: don't advertise deprecated sysfs entries [ Upstream commit 64dce81f8c373c681e62d5ffe0397c45a35d48a2 ] "i2c-adapter" class entries are deprecated since 2009. Switch to the proper location. Reported-by: Heiner Kallweit Closes: https://lore.kernel.org/r/80c4a898-5867-4162-ac85-bdf7c7c68746@gmail.com Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)") Signed-off-by: Wolfram Sang Message-Id: <20240901090211.3797-2-wsa+renesas@sang-engineering.com> Signed-off-by: Corey Minyard Signed-off-by: Sasha Levin commit ac6bb1c6305f5a1d61e0c1f67e4e8c18f80c03b3 Author: Vladimir Lypak Date: Sun Sep 1 13:54:03 2024 +0000 drm/msm/a5xx: workaround early ring-buffer emptiness check [ Upstream commit a30f9f65b5ac82d4390548c32ed9c7f05de7ddf5 ] There is another cause for soft lock-up of GPU in empty ring-buffer: race between GPU executing last commands and CPU checking ring for emptiness. On GPU side IRQ for retire is triggered by CACHE_FLUSH_TS event and RPTR shadow (which is used to check ring emptiness) is updated a bit later from CP_CONTEXT_SWITCH_YIELD. Thus if GPU is executing its last commands slow enough or we check that ring too fast we will miss a chance to trigger switch to lower priority ring because current ring isn't empty just yet. This can escalate to lock-up situation described in previous patch. To work-around this issue we keep track of last submit sequence number for each ring and compare it with one written to memptrs from GPU during execution of CACHE_FLUSH_TS event. Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets") Signed-off-by: Vladimir Lypak Patchwork: https://patchwork.freedesktop.org/patch/612047/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 8b2f02e8102d9f50bcaec2e44606651c06d58ae1 Author: Vladimir Lypak Date: Sun Sep 1 13:54:02 2024 +0000 drm/msm/a5xx: fix races in preemption evaluation stage [ Upstream commit ce050f307ad93bcc5958d0dd35fc276fd394d274 ] On A5XX GPUs when preemption is used it's invietable to enter a soft lock-up state in which GPU is stuck at empty ring-buffer doing nothing. This appears as full UI lockup and not detected as GPU hang (because it's not). This happens due to not triggering preemption when it was needed. Sometimes this state can be recovered by some new submit but generally it won't happen because applications are waiting for old submits to retire. One of the reasons why this happens is a race between a5xx_submit and a5xx_preempt_trigger called from IRQ during submit retire. Former thread updates ring->cur of previously empty and not current ring right after latter checks it for emptiness. Then both threads can just exit because for first one preempt_state wasn't NONE yet and for second one all rings appeared to be empty. To prevent such situations from happening we need to establish guarantee for preempt_trigger to make decision after each submit or retire. To implement this we serialize preemption initiation using spinlock. If switch is already in progress we need to re-trigger preemption when it finishes. Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets") Signed-off-by: Vladimir Lypak Patchwork: https://patchwork.freedesktop.org/patch/612045/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit bc4b146ea21a4f60588f2dc7e6270b123532116f Author: Vladimir Lypak Date: Sun Sep 1 13:54:01 2024 +0000 drm/msm/a5xx: properly clear preemption records on resume [ Upstream commit 64fd6d01a52904bdbda0ce810a45a428c995a4ca ] Two fields of preempt_record which are used by CP aren't reset on resume: "data" and "info". This is the reason behind faults which happen when we try to switch to the ring that was active last before suspend. In addition those faults can't be recovered from because we use suspend and resume to do so (keeping values of those fields again). Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets") Signed-off-by: Vladimir Lypak Reviewed-by: Konrad Dybcio Patchwork: https://patchwork.freedesktop.org/patch/612043/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 3d755a5c142522c0eb88c5125b5df08d643dbccb Author: Vladimir Lypak Date: Sun Sep 1 13:54:00 2024 +0000 drm/msm/a5xx: disable preemption in submits by default [ Upstream commit db9dec2db76146d65e1cfbb6afb2e2bd5dab67f8 ] Fine grain preemption (switching from/to points within submits) requires extra handling in command stream of those submits, especially when rendering with tiling (using GMEM). However this handling is missing at this point in mesa (and always was). For this reason we get random GPU faults and hangs if more than one priority level is used because local preemption is enabled prior to executing command stream from submit. With that said it was ahead of time to enable local preemption by default considering the fact that even on downstream kernel it is only enabled if requested via UAPI. Fixes: a7a4c19c36de ("drm/msm/a5xx: fix setting of the CP_PREEMPT_ENABLE_LOCAL register") Signed-off-by: Vladimir Lypak Patchwork: https://patchwork.freedesktop.org/patch/612041/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 840bc524ac8e9a9971765bf6cc0cfcbed72d6fa2 Author: Aleksandr Mishin Date: Fri Jul 5 12:13:12 2024 +0300 drm/msm: Fix incorrect file name output in adreno_request_fw() [ Upstream commit e19366911340c2313a1abbb09c54eaf9bdea4f58 ] In adreno_request_fw() when debugging information is printed to the log after firmware load, an incorrect filename is printed. 'newname' is used instead of 'fwname', so prefix "qcom/" is being added to filename. Looks like "copy-paste" mistake. Fix this mistake by replacing 'newname' with 'fwname'. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 2c41ef1b6f7d ("drm/msm/adreno: deal with linux-firmware fw paths") Signed-off-by: Aleksandr Mishin Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/602382/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 4b9f811aafd04875467e34ebdd7b7b53a3664744 Author: Connor Abbott Date: Wed Aug 7 13:34:29 2024 +0100 drm/msm: Fix CP_BV_DRAW_STATE_ADDR name [ Upstream commit a47cfb688d78217983c4a0051449aa88e2ff5ebb ] This was missed because we weren't using the a750-specific indexed regs. Fixes: f3f8207d8aed ("drm/msm: Add devcoredump support for a750") Signed-off-by: Connor Abbott Reviewed-by: Akhil P Oommen Patchwork: https://patchwork.freedesktop.org/patch/607394/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 8ea2ae94444230e3a2536464dc32e96933ed1fba Author: Connor Abbott Date: Wed Aug 7 13:34:28 2024 +0100 drm/msm: Dump correct dbgahb clusters on a750 [ Upstream commit d8c17d7aadc2463a395f9340f44c7c34399f1d48 ] This was missed thanks to the family mixup fixed in the previous commit. Fixes: f3f8207d8aed ("drm/msm: Add devcoredump support for a750") Signed-off-by: Connor Abbott Patchwork: https://patchwork.freedesktop.org/patch/607393/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 0230ebec84416dec160ab4642baf399f0d31b906 Author: Connor Abbott Date: Wed Aug 7 13:34:27 2024 +0100 drm/msm: Use a7xx family directly in gpu_state [ Upstream commit db75ef03d72ea75515f5282fe8a4925ae8373fe1 ] With a7xx, we need to import a new header for each new generation and switch to a different list of registers, instead of making backwards-compatible changes. Using the helpers inadvertently made a750 use the a740 list of registers, instead use the family directly to fix this. Fixes: f3f8207d8aed ("drm/msm: Add devcoredump support for a750") Signed-off-by: Connor Abbott Patchwork: https://patchwork.freedesktop.org/patch/607392/ Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 59ed2e7a2063a2aeb00d7bafb4995e90539886d1 Author: Christophe Leroy Date: Thu Aug 22 10:00:29 2024 +0200 powerpc/vdso: Inconditionally use CFUNC macro [ Upstream commit 65948b0e716a47382731889ee6bbb18642b8b003 ] During merge of commit 4e991e3c16a3 ("powerpc: add CFUNC assembly label annotation") a fallback version of CFUNC macro was added at the last minute, so it can be used inconditionally. Fixes: 4e991e3c16a3 ("powerpc: add CFUNC assembly label annotation") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://msgid.link/0fa863f2f69b2ca4094ae066fcf1430fb31110c9.1724313540.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 1aaa3c92e7ca7b2e9da731c717d1a3ccc8020e30 Author: Christophe Leroy Date: Tue Aug 20 19:23:46 2024 +0200 powerpc/8xx: Fix kernel vs user address comparison [ Upstream commit 65a82e117ffeeab0baf6f871a1cab11a28ace183 ] Since commit 9132a2e82adc ("powerpc/8xx: Define a MODULE area below kernel text"), module exec space is below PAGE_OFFSET so not only space above PAGE_OFFSET, but space above TASK_SIZE need to be seen as kernel space. Until now the problem went undetected because by default TASK_SIZE is 0x8000000 which means address space is determined by just checking upper address bit. But when TASK_SIZE is over 0x80000000, PAGE_OFFSET is used for comparison, leading to thinking module addresses are part of user space. Fix it by using TASK_SIZE instead of PAGE_OFFSET for address comparison. Fixes: 9132a2e82adc ("powerpc/8xx: Define a MODULE area below kernel text") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://msgid.link/3f574c9845ff0a023b46cb4f38d2c45aecd769bd.1724173828.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 4fd7068c9389ff977eb2966b878d02d8ad556d5b Author: Christophe Leroy Date: Tue Aug 20 19:23:45 2024 +0200 powerpc/8xx: Fix initial memory mapping [ Upstream commit f9f2bff64c2f0dbee57be3d8c2741357ad3d05e6 ] Commit cf209951fa7f ("powerpc/8xx: Map linear memory with huge pages") introduced an initial mapping of kernel TEXT using PAGE_KERNEL_TEXT, but the pages that contain kernel TEXT may also contain kernel RODATA, and depending on selected debug options PAGE_KERNEL_TEXT may be either RWX or ROX. RODATA must be writable during init because it also contains ro_after_init data. So use PAGE_KERNEL_X instead to be sure it is RWX. Fixes: cf209951fa7f ("powerpc/8xx: Map linear memory with huge pages") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://msgid.link/dac7a828d8497c4548c91840575a706657baa4f1.1724173828.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 7479518f204d2d10d93586a49b0442ca2c02f0c4 Author: Fei Shao Date: Wed Aug 28 18:14:47 2024 +0800 drm/mediatek: Use spin_lock_irqsave() for CRTC event lock [ Upstream commit be03b30b7aa99aca876fbc7c1c1b73b2d0339321 ] Use the state-aware spin_lock_irqsave() and spin_unlock_irqrestore() to avoid unconditionally re-enabling the local interrupts. Fixes: 411f5c1eacfe ("drm/mediatek: handle events when enabling/disabling crtc") Signed-off-by: Fei Shao Link: https://patchwork.kernel.org/project/dri-devel/patch/20240828101511.3269822-1-fshao@chromium.org/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit cadb5ac9c06d38bf52a0fba5c2b7d58cc7e85845 Author: Jason-JH.Lin Date: Tue Aug 27 22:55:19 2024 +0800 drm/mediatek: Fix missing configuration flags in mtk_crtc_ddp_config() [ Upstream commit fe30bae552ce27b9fefe0b12db1544e73d07325f ] In mtk_crtc_ddp_config(), mtk_crtc will use some configuration flags to generate instructions to cmdq_handle, such as: state->pending_config mtk_crtc->pending_planes plane_state->pending.config mtk_crtc->pending_async_planes plane_state->pending.async_config These configuration flags may be set to false when a GCE IRQ comes calling ddp_cmdq_cb(). This may result in missing prepare instructions, especially if mtk_crtc_update_config() with the flase need_vblank (no need to wait for vblank) cases. Therefore, the mtk_crtc->config_updating flag is set at the beginning of mtk_crtc_update_config() to ensure that these configuration flags won't be changed when the mtk_crtc_ddp_config() is preparing instructions. But somehow the ddp_cmdq_cb() didn't use the mtk_crtc->config_updating flag to prevent those pending config flags from being cleared. To avoid missing the configuration when generating the config instruction, the config_updating flag should be added into ddp_cmdq_cb() and be protected with spin_lock. Fixes: 7f82d9c43879 ("drm/mediatek: Clear pending flag when cmdq packet is done") Signed-off-by: Jason-JH.Lin Reviewed-by: CK Hu Reviewed-by: Fei Shao Link: https://patchwork.kernel.org/project/dri-devel/patch/20240827-drm-fixup-0819-v3-1-4761005211ec@mediatek.com/ Link: https://patchwork.kernel.org/project/dri-devel/patch/20240827-drm-fixup-0819-v3-2-4761005211ec@mediatek.com/ Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 96855f40e152989c9e7c20c4691ace5581098acc Author: Jeongjun Park Date: Mon Aug 19 13:05:46 2024 +0900 jfs: fix out-of-bounds in dbNextAG() and diAlloc() [ Upstream commit e63866a475562810500ea7f784099bfe341e761a ] In dbNextAG() , there is no check for the case where bmp->db_numag is greater or same than MAXAG due to a polluted image, which causes an out-of-bounds. Therefore, a bounds check should be added in dbMount(). And in dbNextAG(), a check for the case where agpref is greater than bmp->db_numag should be added, so an out-of-bounds exception should be prevented. Additionally, a check for the case where agno is greater or same than MAXAG should be added in diAlloc() to prevent out-of-bounds. Reported-by: Jeongjun Park Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jeongjun Park Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin commit 98752fcd076a8cbc978016eae7125b4971be1eec Author: Dan Carpenter Date: Thu Aug 15 14:29:05 2024 +0300 scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del() [ Upstream commit 2e4b02fad094976763af08fec2c620f4f8edd9ae ] The kref_put() function will call nport->release if the refcount drops to zero. The nport->release release function is _efc_nport_free() which frees "nport". But then we dereference "nport" on the next line which is a use after free. Re-order these lines to avoid the use after free. Fixes: fcd427303eb9 ("scsi: elx: libefc: SLI and FC PORT state machine interfaces") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/b666ab26-6581-4213-9a3d-32a9147f0399@stanley.mountain Reviewed-by: Daniel Wagner Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8bec0f1e829a792660cfca285b164de6f70bcebb Author: Stefan Wahren Date: Wed Aug 21 23:40:45 2024 +0200 drm/vc4: hdmi: Handle error case of pm_runtime_resume_and_get [ Upstream commit f1a54e860b1bc8d824925b5a77f510913880e8d6 ] The commit 0f5251339eda ("drm/vc4: hdmi: Make sure the controller is powered in detect") introduced the necessary power management handling to avoid register access while controller is powered down. Unfortunately it just print a warning if pm_runtime_resume_and_get() fails and proceed anyway. This could happen during suspend to idle. So we must assume it is unsafe to access the HDMI register. So bail out properly. Fixes: 0f5251339eda ("drm/vc4: hdmi: Make sure the controller is powered in detect") Signed-off-by: Stefan Wahren Reviewed-by: Maíra Canal Acked-by: Maxime Ripard Signed-off-by: Maíra Canal Link: https://patchwork.freedesktop.org/patch/msgid/20240821214052.6800-3-wahrenst@gmx.net Signed-off-by: Sasha Levin commit ecf264933f8cc031e611c893b3e23a28e47643b2 Author: Liu Ying Date: Tue Aug 13 17:16:37 2024 +0800 drm/bridge: lontium-lt8912b: Validate mode in drm_bridge_funcs::mode_valid() [ Upstream commit fe828fbd87786238b30f44cafd698d975d956c97 ] If the bridge is attached with the DRM_BRIDGE_ATTACH_NO_CONNECTOR flag set, this driver won't initialize a connector and hence display mode won't be validated in drm_connector_helper_funcs::mode_valid(). So, move the mode validation from drm_connector_helper_funcs::mode_valid() to drm_bridge_funcs::mode_valid(), because the mode validation is always done for the bridge. Fixes: 30e2ae943c26 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge") Signed-off-by: Liu Ying Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20240813091637.1054586-1-victor.liu@nxp.com Signed-off-by: Sasha Levin commit 439fc1e569c57669dbb842d0a77c7ba0a82a9f5d Author: Matthew Brost Date: Thu Aug 15 20:40:33 2024 -0700 drm/xe: Use reserved copy engine for user binds on faulting devices [ Upstream commit 852856e3b6f679c694dd5ec41e5a3c11aa46640b ] User binds map to engines with can fault, faults depend on user binds completion, thus we can deadlock. Avoid this by using reserved copy engine for user binds on faulting devices. While we are here, normalize bind queue creation with a helper. v2: - Pass in extensions to bind queue creation (CI) v3: - s/resevered/reserved (Lucas) - Fix NULL hwe check (Jonathan) Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs") Cc: Thomas Hellström Signed-off-by: Matthew Brost Reviewed-by: Jonathan Cavitt Link: https://patchwork.freedesktop.org/patch/msgid/20240816034033.53837-1-matthew.brost@intel.com Signed-off-by: Sasha Levin commit ab12bbe9233d91263151c95876539c9457bc45de Author: Dominik Grzegorzek Date: Mon Jul 29 16:01:52 2024 +0300 drm/xe: Move and export xe_hw_engine lookup. [ Upstream commit 6f20fc09936e786a4ba18f5514fe185e0451ada9 ] Move and export xe_hw_engine lookup. This is in preparation to use this in eudebug code where we want to find active engine. v2: s/tile/gt due to uapi changes (Mika) Signed-off-by: Dominik Grzegorzek Signed-off-by: Mika Kuoppala Reviewed-by: Matthew Brost Signed-off-by: Matthew Brost Link: https://patchwork.freedesktop.org/patch/msgid/20240729130152.100130-1-mika.kuoppala@linux.intel.com Stable-dep-of: 852856e3b6f6 ("drm/xe: Use reserved copy engine for user binds on faulting devices") Signed-off-by: Sasha Levin commit afcba5ff9b38ee45cddfe04f875540e38b55e77e Author: Nikita Zhandarovich Date: Tue Aug 6 10:19:04 2024 -0700 drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets [ Upstream commit 3fbaf475a5b8361ebee7da18964db809e37518b7 ] Several cs track offsets (such as 'track->db_s_read_offset') either are initialized with or plainly take big enough values that, once shifted 8 bits left, may be hit with integer overflow if the resulting values end up going over u32 limit. Same goes for a few instances of 'surf.layer_size * mslice' multiplications that are added to 'offset' variable - they may potentially overflow as well and need to be validated properly. While some debug prints in this code section take possible overflow issues into account, simply casting to (unsigned long) may be erroneous in its own way, as depending on CPU architecture one is liable to get different results. Fix said problems by: - casting 'offset' to fixed u64 data type instead of ambiguous unsigned long. - casting one of the operands in vulnerable to integer overflow cases to u64. - adjust format specifiers in debug prints to properly represent 'offset' values. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. Fixes: 285484e2d55e ("drm/radeon: add support for evergreen/ni tiling informations v11") Signed-off-by: Nikita Zhandarovich Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a1ca6b84157cedbda36aa47a2a38f2f46100924d Author: Jonas Karlman Date: Sat Jun 15 17:03:55 2024 +0000 drm/rockchip: dw_hdmi: Fix reading EDID when using a forced mode [ Upstream commit a5d024541ec466f428e6c514577d511a40779c7b ] EDID cannot be read on RK3328 until after read_hpd has been called and correct io voltage has been configured based on connection status. When a forced mode is used, e.g. video=1920x1080@60e, the connector detect ops, that in turn normally calls the read_hpd, never gets called. This result in reading EDID to fail in connector get_modes ops. Call dw_hdmi_rk3328_read_hpd at end of dw_hdmi_rk3328_setup_hpd to correct io voltage and allow reading EDID after setup_hpd. Fixes: 1c53ba8f22a1 ("drm/rockchip: dw_hdmi: add dw-hdmi support for the rk3328") Signed-off-by: Jonas Karlman Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-5-jonas@kwiboo.se Signed-off-by: Sasha Levin commit 390f2d9017eb0f1f43987b26f736514d7d1a674a Author: Alex Bee Date: Sat Jun 15 17:03:54 2024 +0000 drm/rockchip: vop: Allow 4096px width scaling [ Upstream commit 0ef968d91a20b5da581839f093f98f7a03a804f7 ] There is no reason to limit VOP scaling to 3840px width, the limit of RK3288, when there are newer VOP versions that support 4096px width. Change to enforce a maximum of 4096px width plane scaling, the maximum supported output width of the VOP versions supported by this driver. Fixes: 4c156c21c794 ("drm/rockchip: vop: support plane scale") Signed-off-by: Alex Bee Signed-off-by: Jonas Karlman Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-4-jonas@kwiboo.se Signed-off-by: Sasha Levin commit 3f14141e4f2728b740178ebdff21db01365679b2 Author: Rodrigo Siqueira Date: Mon Jul 29 11:59:25 2024 -0600 drm/amd/display: Improve FAM control for DCN401 [ Upstream commit 17b6527dcfb3249401e037734ed3fd0f4752572f ] [why & how] When the commit 5324e2b205a2 ("drm/amd/display: Add driver support for future FAMS versions") was introduced, it missed some of the FAM2 code. This commit introduces the code that control the FAM enable and disable. Fixes: 5324e2b205a2 ("drm/amd/display: Add driver support for future FAMS versions") Acked-by: Wayne Lin Signed-off-by: Rodrigo Siqueira Signed-off-by: Tom Chung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 5a784b5d5e1ef6b3086e39be583acb5e9f793edb Author: WangYuli Date: Wed Jul 31 12:10:40 2024 +0800 drm/amd/amdgpu: Properly tune the size of struct [ Upstream commit 0cee47cde41e22712c034ae961076067d4ac13a0 ] The struct assertion is failed because sparse cannot parse `#pragma pack(push, 1)` and `#pragma pack(pop)` correctly. GCC's output is still 1-byte-aligned. No harm to memory layout. The error can be filtered out by sparse-diff, but sometimes multiple lines queezed into one, making the sparse-diff thinks its a new error. I'm trying to aviod this by fixing errors. Link: https://lore.kernel.org/all/20230620045919.492128-1-suhui@nfschina.com/ Link: https://lore.kernel.org/all/93d10611-9fbb-4242-87b8-5860b2606042@suswa.mountain/ Fixes: 1721bc1b2afa ("drm/amdgpu: Update VF2PF interface") Cc: Dan Carpenter Cc: wenlunpeng Reported-by: Su Hui Signed-off-by: WangYuli Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 78bdf8b7ff19fa3de4dbebccbccaacd30d9a7448 Author: Finn Thain Date: Wed Aug 7 13:36:28 2024 +1000 scsi: NCR5380: Check for phase match during PDMA fixup [ Upstream commit 5768718da9417331803fc4bc090544c2a93b88dc ] It's not an error for a target to change the bus phase during a transfer. Unfortunately, the FLAG_DMA_FIXUP workaround does not allow for that -- a phase change produces a DRQ timeout error and the device borken flag will be set. Check the phase match bit during FLAG_DMA_FIXUP processing. Don't forget to decrement the command residual. While we are here, change shost_printk() into scmd_printk() for better consistency with other DMA error messages. Tested-by: Stan Johnson Fixes: 55181be8ced1 ("ncr5380: Replace redundant flags with FLAG_NO_DMA_FIXUP") Signed-off-by: Finn Thain Link: https://lore.kernel.org/r/99dc7d1f4c825621b5b120963a69f6cd3e9ca659.1723001788.git.fthain@linux-m68k.org Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 533489fc659d383be290dd383b5fb95c301e90e8 Author: John Garry Date: Mon Aug 5 11:33:15 2024 +0000 scsi: block: Don't check REQ_ATOMIC for reads [ Upstream commit ea6787c695ab7595d851c3506f67c157f3b593c0 ] We check in submit_bio_noacct() if flag REQ_ATOMIC is set for both read and write operations, and then validate the atomic operation if set. Flag REQ_ATOMIC can only be set for writes, so don't bother checking for reads. Fixes: 9da3d1e912f3 ("block: Add core atomic write support") Signed-off-by: John Garry Link: https://lore.kernel.org/r/20240805113315.1048591-3-john.g.garry@oracle.com Reviewed-by: Kanchan Joshi Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit e747cd4acd7e3148f2552d7ab41c07650935981c Author: John Garry Date: Mon Aug 5 11:33:14 2024 +0000 scsi: sd: Don't check if a write for REQ_ATOMIC [ Upstream commit 0c150b30d3d51a8c2e09fadd004a640fa12985c6 ] Flag REQ_ATOMIC can only be set for writes, so don't check if the operation is also a write in sd_setup_read_write_cmnd(). Fixes: bf4ae8f2e640 ("scsi: sd: Atomic write support") Signed-off-by: John Garry Link: https://lore.kernel.org/r/20240805113315.1048591-2-john.g.garry@oracle.com Reviewed-by: Kanchan Joshi Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 51c91613b13e2d995457c96fd1dc284e82dc138e Author: Gilbert Wu Date: Thu Jul 11 14:47:02 2024 -0500 scsi: smartpqi: revert propagate-the-multipath-failure-to-SML-quickly [ Upstream commit f1393d52e6cda9c20f12643cbecf1e1dc357e0e2 ] Correct a rare multipath failure issue by reverting commit 94a68c814328 ("scsi: smartpqi: Quickly propagate path failures to SCSI midlayer") [1]. Reason for revert: The patch propagated the path failure to SML quickly when one of the path fails during IO and AIO path gets disabled for a multipath device. But it created a new issue: when creating a volume on an encryption-enabled controller, the firmware reports the AIO path is disabled, which cause the driver to report a path failure to SML for a multipath device. There will be a new fix to handle "Illegal request" and "Invalid field in parameter list" on RAID path when the AIO path is disabled on a multipath device. [1] https://lore.kernel.org/all/164375209313.440833.9992416628621839233.stgit@brunhilda.pdev.net/ Fixes: 94a68c814328 ("scsi: smartpqi: Quickly propagate path failures to SCSI midlayer") Reviewed-by: Scott Benesh Reviewed-by: Scott Teel Reviewed-by: Mike McGowen Signed-off-by: Gilbert Wu Signed-off-by: Don Brace Link: https://lore.kernel.org/r/20240711194704.982400-4-don.brace@microchip.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4cf6707d17f9b0871c818d3433d9053c1c43520c Author: Tom Chung Date: Fri Jul 12 17:29:07 2024 +0800 drm/amd/display: Reset VRR config during resume [ Upstream commit df18a4de9e77ad92c472fd1eb0fb1255d52dd4cd ] [Why] After resume the system, the new_crtc_state->vrr_infopacket does not synchronize with the current state. It will affect the update_freesync_state_on_stream() does not update the state correctly. The previous patch causes a PSR SU regression that cannot let panel go into self-refresh mode. [How] Reset the VRR config during resume to force update the VRR config later. Fixes: eb6dfbb7a9c6 ("drm/amd/display: Reset freesync config before update new state") Signed-off-by: Tom Chung Reviewed-by: Sun peng Li Tested-by: Daniel Wheeler Signed-off-by: Rodrigo Siqueira Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 79f53b16f1e9563c45ceff832d2fb8a501b9fb00 Author: Alex Deucher Date: Tue Jul 23 13:31:58 2024 -0400 drm/radeon: properly handle vbios fake edid sizing [ Upstream commit 17c6baff3d5f65c8da164137a58742541a060b2f ] The comment in the vbios structure says: // = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128 This fake edid struct has not been used in a long time, so I'm not sure if there were actually any boards out there with a non-128 byte EDID, but align the code with the comment. Reviewed-by: Thomas Weißschuh Reported-by: Thomas Weißschuh Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html Fixes: c324acd5032f ("drm/radeon/kms: parse the extended LCD info block") Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 05161e37d054e6f2d27eef67f3ff994a42e469cf Author: Alex Deucher Date: Tue Jul 23 13:23:56 2024 -0400 drm/amdgpu: properly handle vbios fake edid sizing [ Upstream commit 8155566a26b8d6c1dd914f06a0c652e4e2f2adf1 ] The comment in the vbios structure says: // = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128 This fake edid struct has not been used in a long time, so I'm not sure if there were actually any boards out there with a non-128 byte EDID, but align the code with the comment. Reviewed-by: Thomas Weißschuh Reported-by: Thomas Weißschuh Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 72ee32d0907364104fbcf4f68dd5ae63cd8eae9e Author: Srinivasan Shanmugam Date: Mon Jul 22 17:18:17 2024 +0530 drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func [ Upstream commit 08ae395ea22fb3d9b318c8bde28c0dfd2f5fa4d2 ] This commit adds a null check for the set_output_gamma function pointer in the dcn30_set_output_transfer_func function. Previously, set_output_gamma was being checked for nullity at line 386, but then it was being dereferenced without any nullity check at line 401. This could potentially lead to a null pointer dereference error if set_output_gamma is indeed null. To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a nullity check for set_output_gamma before the call to set_output_gamma at line 401. If set_output_gamma is null, we log an error message and do not call the function. This fix prevents a potential null pointer dereference error. drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func() error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386) drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c 373 bool dcn30_set_output_transfer_func(struct dc *dc, 374 struct pipe_ctx *pipe_ctx, 375 const struct dc_stream_state *stream) 376 { 377 int mpcc_id = pipe_ctx->plane_res.hubp->inst; 378 struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc; 379 const struct pwl_params *params = NULL; 380 bool ret = false; 381 382 /* program OGAM or 3DLUT only for the top pipe*/ 383 if (pipe_ctx->top_pipe == NULL) { 384 /*program rmu shaper and 3dlut in MPC*/ 385 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream); 386 if (ret == false && mpc->funcs->set_output_gamma) { ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this is NULL 387 if (stream->out_transfer_func.type == TF_TYPE_HWPWL) 388 params = &stream->out_transfer_func.pwl; 389 else if (pipe_ctx->stream->out_transfer_func.type == 390 TF_TYPE_DISTRIBUTED_POINTS && 391 cm3_helper_translate_curve_to_hw_format( 392 &stream->out_transfer_func, 393 &mpc->blender_params, false)) 394 params = &mpc->blender_params; 395 /* there are no ROM LUTs in OUTGAM */ 396 if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED) 397 BREAK_TO_DEBUGGER(); 398 } 399 } 400 --> 401 mpc->funcs->set_output_gamma(mpc, mpcc_id, params); ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Then it will crash 402 return ret; 403 } Fixes: d99f13878d6f ("drm/amd/display: Add DCN3 HWSEQ") Reported-by: Dan Carpenter Cc: Tom Chung Cc: Rodrigo Siqueira Cc: Roman Li Cc: Hersen Wu Cc: Alex Hung Cc: Aurabindo Pillai Cc: Harry Wentland Cc: Hamza Mahfooz Signed-off-by: Srinivasan Shanmugam Reviewed-by: Tom Chung Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 0508a4e95ac1aefd851ceb97ea050d8abb93262c Author: Alex Hung Date: Thu Jun 27 16:45:39 2024 -0600 drm/amd/display: Check link_res->hpo_dp_link_enc before using it [ Upstream commit 0beca868cde8742240cd0038141c30482d2b7eb8 ] [WHAT & HOW] Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res without initializing hpo_dp_link_enc and it is necessary to check for null before dereferencing. This fixes 2 FORWARD_NULL issues reported by Coverity. Reviewed-by: Rodrigo Siqueira Signed-off-by: Jerry Zuo Signed-off-by: Alex Hung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 43ebd0faec24652cb529ceefd594c61897059f90 Author: Aurabindo Pillai Date: Wed Jul 3 16:41:52 2024 -0400 drm/amd/display: free bo used for dmub bounding box [ Upstream commit f59549c7e705be0087d08bc116ccc767b86d8362 ] fix a memleak introduced by not removing the buffer object for use with early dmub bounding box value storage Fixes: 234e94555800 ("drm/amd/display: Enable copying of bounding box data from VBIOS DMUB") Reviewed-by: Rodrigo Siqueira Reviewed-by: Alex Hung Signed-off-by: Jerry Zuo Signed-off-by: Aurabindo Pillai Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 57cf228cac893ebfa4d7235185fdc6c09c330b65 Author: Claudiu Beznea Date: Wed May 31 10:28:54 2023 +0300 drm/stm: ltdc: check memory returned by devm_kzalloc() [ Upstream commit fd39730c58890cd7f0a594231e19bb357f28877c ] devm_kzalloc() can fail and return NULL pointer. Check its return status. Identified with Coccinelle (kmerr.cocci script). Fixes: 484e72d3146b ("drm/stm: ltdc: add support of ycbcr pixel formats") Signed-off-by: Claudiu Beznea Acked-by: Raphael Gallais-Pou Link: https://patchwork.freedesktop.org/patch/msgid/20230531072854.142629-1-claudiu.beznea@microchip.com Signed-off-by: Raphael Gallais-Pou Signed-off-by: Sasha Levin commit 7972a3ecf9b4e9d0632aecbb0850e87293a86f09 Author: Christophe JAILLET Date: Sat Jan 6 17:54:32 2024 +0100 drm/stm: Fix an error handling path in stm_drm_platform_probe() [ Upstream commit ce7c90bfda2656418c69ba0dd8f8a7536b8928d4 ] If drm_dev_register() fails, a call to drv_load() must be undone, as already done in the remove function. Fixes: b759012c5fa7 ("drm/stm: Add STM32 LTDC driver") Signed-off-by: Christophe JAILLET Acked-by: Raphael Gallais-Pou Link: https://patchwork.freedesktop.org/patch/msgid/20fff7f853f20a48a96db8ff186124470ec4d976.1704560028.git.christophe.jaillet@wanadoo.fr Signed-off-by: Raphael Gallais-Pou Signed-off-by: Sasha Levin commit e11294bd68f9060857a7e634f7f09aca9cdee474 Author: Geert Uytterhoeven Date: Wed Sep 4 16:30:46 2024 +0200 pmdomain: core: Fix "managed by" alignment in debug summary [ Upstream commit 987a43e89ec67cc68518c0558db42ba542581597 ] The "performance" column contains variable-width values. Hence when their printed values contain more than one digit, all values in successive columns become misaligned. Fix this by formatting it as a fixed-width field. Adjust successive spaces and field widths to retain the exiting layout. Fixes: 0155aaf95a2a ("PM: domains: Add the domain HW-managed mode to the summary") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/e004f9d2a75e9a49c269507bb8a4514001751e85.1725459707.git.geert+renesas@glider.be Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 1f127d84e4023b34d4406d664d4f56e370dcd9dd Author: Geert Uytterhoeven Date: Wed Sep 4 16:30:45 2024 +0200 pmdomain: core: Harden inter-column space in debug summary [ Upstream commit 692c20c4d075bd452acfbbc68200fc226c7c9496 ] The inter-column space in the debug summary is two spaces. However, in one case, the extra space is handled implicitly in a field width specifier. Make inter-column space explicit to ease future maintenance. Fixes: 45fbc464b047 ("PM: domains: Add "performance" column to debug summary") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/ae61eb363621b981edde878e1e74d701702a579f.1725459707.git.geert+renesas@glider.be Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 4c5df236558b784736a13f0cd3ef2f26c0737ad3 Author: Dmitry Baryshkov Date: Sat Sep 7 21:48:12 2024 +0300 iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660 [ Upstream commit 19eb465c969f3d6ed1b98506d3e470e863b41e16 ] The Qualcomm SDM630 / SDM660 platform requires the same kind of workaround as MSM8998: some IOMMUs have context banks reserved by firmware / TZ, touching those banks resets the board. Apply the num_context_bank workaround to those two SMMU devices in order to allow them to be used by Linux. Fixes: b812834b5329 ("iommu: arm-smmu-qcom: Add sdm630/msm8998 compatibles for qcom quirks") Signed-off-by: Dmitry Baryshkov Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/r/20240907-sdm660-wifi-v1-1-e316055142f8@linaro.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit e656dfe46ad5b8b7e9efa21058d820e653ac037e Author: Konrad Dybcio Date: Sat Aug 24 01:12:01 2024 +0200 iommu/arm-smmu-qcom: Work around SDM845 Adreno SMMU w/ 16K pages [ Upstream commit 2d42d3ba443706c9164fa0bef4e5fd1c36bc1bd9 ] SDM845's Adreno SMMU is unique in that it actually advertizes support for 16K (and 32M) pages, which doesn't hold for newer SoCs. This however, seems either broken in the hardware implementation, the hypervisor middleware that abstracts the SMMU, or there's a bug in the Linux kernel somewhere down the line that nobody managed to track down. Booting SDM845 with 16K page sizes and drm/msm results in: *** gpu fault: ttbr0=0000000000000000 iova=000100000000c000 dir=READ type=TRANSLATION source=CP (0,0,0,0) right after loading the firmware. The GPU then starts spitting out illegal intstruction errors, as it's quite obvious that it got a bogus pointer. Moreover, it seems like this issue also concerns other implementations of SMMUv2 on Qualcomm SoCs, such as the one on SC7180. Hide 16K support on such instances to work around this. Reported-by: Sumit Semwal Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240824-topic-845_gpu_smmu-v2-1-a302b8acc052@quicinc.com Signed-off-by: Will Deacon Stable-dep-of: 19eb465c969f ("iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660") Signed-off-by: Sasha Levin commit 92407a5b355fa546dadf7b4336c4d8eebd96cbbb Author: Marc Gonzalez Date: Tue Aug 20 15:27:19 2024 +0200 iommu/arm-smmu-qcom: hide last LPASS SMMU context bank from linux [ Upstream commit 3a8990b8a778219327c5f8ecf10b5d81377b925a ] On qcom msm8998, writing to the last context bank of lpass_q6_smmu (base address 0x05100000) produces a system freeze & reboot. The hardware/hypervisor reports 13 context banks for the LPASS SMMU on msm8998, but only the first 12 are accessible... Override the number of context banks [ 2.546101] arm-smmu 5100000.iommu: probing hardware configuration... [ 2.552439] arm-smmu 5100000.iommu: SMMUv2 with: [ 2.558945] arm-smmu 5100000.iommu: stage 1 translation [ 2.563627] arm-smmu 5100000.iommu: address translation ops [ 2.568923] arm-smmu 5100000.iommu: non-coherent table walk [ 2.574566] arm-smmu 5100000.iommu: (IDR0.CTTW overridden by FW configuration) [ 2.580220] arm-smmu 5100000.iommu: stream matching with 12 register groups [ 2.587263] arm-smmu 5100000.iommu: 13 context banks (0 stage-2 only) [ 2.614447] arm-smmu 5100000.iommu: Supported page sizes: 0x63315000 [ 2.621358] arm-smmu 5100000.iommu: Stage-1: 36-bit VA -> 36-bit IPA [ 2.627772] arm-smmu 5100000.iommu: preserved 0 boot mappings Specifically, the crashes occur here: qsmmu->bypass_cbndx = smmu->num_context_banks - 1; arm_smmu_cb_write(smmu, qsmmu->bypass_cbndx, ARM_SMMU_CB_SCTLR, 0); and here: arm_smmu_write_context_bank(smmu, i); arm_smmu_cb_write(smmu, i, ARM_SMMU_CB_FSR, ARM_SMMU_CB_FSR_FAULT); It is likely that FW reserves the last context bank for its own use, thus a simple work-around is: DON'T USE IT in Linux. If we decrease the number of context banks, last one will be "hidden". Signed-off-by: Marc Gonzalez Reviewed-by: Caleb Connolly Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/r/20240820-smmu-v3-1-2f71483b00ec@freebox.fr Signed-off-by: Will Deacon Stable-dep-of: 19eb465c969f ("iommu/arm-smmu-qcom: apply num_context_bank fixes for SDM630 / SDM660") Signed-off-by: Sasha Levin commit 356934bbff1b54ddb5601201de9368088a117933 Author: Miquel Raynal Date: Mon Aug 26 17:30:19 2024 +0200 mtd: rawnand: mtk: Fix init error path [ Upstream commit 2073ae37d550ea32e8545edaa94ef10b4fef7235 ] Reviewing a series converting the for_each_chil_of_node() loops into their _scoped variants made me realize there was no cleanup of the already registered NAND devices upon error which may leak memory on systems with more than a chip when this error occurs. We should call the _nand_chips_cleanup() function when this happens. Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device") Signed-off-by: Miquel Raynal Reviewed-by: Pratyush Yadav Reviewed-by: Matthias Brugger Link: https://lore.kernel.org/linux-mtd/20240826153019.67106-2-miquel.raynal@bootlin.com Signed-off-by: Sasha Levin commit 0c167b804bd55497b77ba8f52cf7a52adbbbbf5d Author: Miquel Raynal Date: Mon Aug 26 17:30:18 2024 +0200 mtd: rawnand: mtk: Factorize out the logic cleaning mtk chips [ Upstream commit 81cb3be3261e766a1f8efab9e3154a4f4fd9d03d ] There are some un-freed resources in one of the error path which would benefit from a helper going through all the registered mtk chips one by one and perform all the necessary cleanup. This is precisely what the remove path does, so let's extract the logic in a helper. There is no functional change. Signed-off-by: Miquel Raynal Reviewed-by: Pratyush Yadav Reviewed-by: Matthias Brugger Link: https://lore.kernel.org/linux-mtd/20240826153019.67106-1-miquel.raynal@bootlin.com Stable-dep-of: 2073ae37d550 ("mtd: rawnand: mtk: Fix init error path") Signed-off-by: Sasha Levin commit 38d6b521766a24ba058dd0e767a1de79724e4605 Author: Jinjie Ruan Date: Mon Aug 26 17:43:25 2024 +0800 mtd: rawnand: mtk: Use for_each_child_of_node_scoped() [ Upstream commit 8795952679494b111b7b2ba08bb54ac408daca3b ] Avoids the need for manual cleanup of_node_put() in early exits from the loop. Signed-off-by: Jinjie Ruan Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20240826094328.2991664-8-ruanjinjie@huawei.com Stable-dep-of: 2073ae37d550 ("mtd: rawnand: mtk: Fix init error path") Signed-off-by: Sasha Levin commit 00a611229bfad075660181c53e054ff544d3ac34 Author: Frederic Weisbecker Date: Wed Aug 14 00:56:40 2024 +0200 rcu/nocb: Fix RT throttling hrtimer armed from offline CPU [ Upstream commit 9139f93209d1ffd7f489ab19dee01b7c3a1a43d2 ] After a CPU is marked offline and until it reaches its final trip to idle, rcuo has several opportunities to be woken up, either because a callback has been queued in the meantime or because rcutree_report_cpu_dead() has issued the final deferred NOCB wake up. If RCU-boosting is enabled, RCU kthreads are set to SCHED_FIFO policy. And if RT-bandwidth is enabled, the related hrtimer might be armed. However this then happens after hrtimers have been migrated at the CPUHP_AP_HRTIMERS_DYING stage, which is broken as reported by the following warning: Call trace: enqueue_hrtimer+0x7c/0xf8 hrtimer_start_range_ns+0x2b8/0x300 enqueue_task_rt+0x298/0x3f0 enqueue_task+0x94/0x188 ttwu_do_activate+0xb4/0x27c try_to_wake_up+0x2d8/0x79c wake_up_process+0x18/0x28 __wake_nocb_gp+0x80/0x1a0 do_nocb_deferred_wakeup_common+0x3c/0xcc rcu_report_dead+0x68/0x1ac cpuhp_report_idle_dead+0x48/0x9c do_idle+0x288/0x294 cpu_startup_entry+0x34/0x3c secondary_start_kernel+0x138/0x158 Fix this with waking up rcuo using an IPI if necessary. Since the existing API to deal with this situation only handles swait queue, rcuo is only woken up from offline CPUs if it's not already waiting on a grace period. In the worst case some callbacks will just wait for a grace period to complete before being assigned to a subsequent one. Reported-by: "Cheng-Jui Wang (王正睿)" Fixes: 5c0930ccaad5 ("hrtimers: Push pending hrtimers away from outgoing CPU earlier") Signed-off-by: Frederic Weisbecker Signed-off-by: Neeraj Upadhyay Signed-off-by: Sasha Levin commit 4ec6475b2dbd73601ba99d0040be0535b9e7406c Author: Charles Han Date: Wed Aug 28 17:24:27 2024 +0800 mtd: powernv: Add check devm_kasprintf() returned value [ Upstream commit 395999829880a106bb95f0ce34e6e4c2b43c6a5d ] devm_kasprintf() can return a NULL pointer on failure but this returned value is not checked. Fixes: acfe63ec1c59 ("mtd: Convert to using %pOFn instead of device_node.name") Signed-off-by: Charles Han Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20240828092427.128177-1-hanchunchao@inspur.com Signed-off-by: Sasha Levin commit 23c1b46f074ecdd9a45f7ba6aae3ee600e4442a4 Author: Jason Gunthorpe Date: Thu Aug 29 21:06:23 2024 -0300 iommu/amd: Do not set the D bit on AMD v2 table entries [ Upstream commit 2910a7fa1be090fc7637cef0b2e70bcd15bf5469 ] The manual says that bit 6 is IGN for all Page-Table Base Address pointers, don't set it. Fixes: aaac38f61487 ("iommu/amd: Initial support for AMD IOMMU v2 page table") Reviewed-by: Vasant Hegde Signed-off-by: Jason Gunthorpe Link: https://lore.kernel.org/r/14-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 73e624c35dfa44d79642671836b5100d225fafef Author: Jason Gunthorpe Date: Thu Aug 29 21:06:12 2024 -0300 iommu/amd: Set the pgsize_bitmap correctly [ Upstream commit 7a41dcb52f9de6079621fc31c3b84c7fc290934b ] When using io_pgtable the correct pgsize_bitmap is stored in the cfg, both v1_alloc_pgtable() and v2_alloc_pgtable() set it correctly. This fixes a bug where the v2 pgtable had the wrong pgsize as protection_domain_init_v2() would set it and then do_iommu_domain_alloc() immediately resets it. Remove the confusing ops.pgsize_bitmap since that is not used if the driver sets domain.pgsize_bitmap. Fixes: 134288158a41 ("iommu/amd: Add domain_alloc_user based domain allocation") Reviewed-by: Vasant Hegde Signed-off-by: Jason Gunthorpe Link: https://lore.kernel.org/r/3-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit a161ee307b432c8ab846388fe021623dfb61d7ee Author: Jason Gunthorpe Date: Thu Aug 29 21:06:10 2024 -0300 iommu/amd: Move allocation of the top table into v1_alloc_pgtable [ Upstream commit 8d00b77a52ef4b2091696ca25753d0ab95e4d839 ] All the page table memory should be allocated/free within the io_pgtable struct. The v2 path is already doing this, make it consistent. It is hard to see but the free of the root in protection_domain_free() is a NOP on the success path because v1_free_pgtable() does amd_iommu_domain_clr_pt_root(). The root memory is already freed because free_sub_pt() put it on the freelist. The free path in protection_domain_free() is only used during error unwind of protection_domain_alloc(). Reviewed-by: Vasant Hegde Signed-off-by: Jason Gunthorpe Link: https://lore.kernel.org/r/1-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com Signed-off-by: Joerg Roedel Stable-dep-of: 7a41dcb52f9d ("iommu/amd: Set the pgsize_bitmap correctly") Signed-off-by: Sasha Levin commit 9a89f01316a5abbfc1274aec9ea04a18ef4e5600 Author: Jason Gunthorpe Date: Thu Aug 29 21:06:11 2024 -0300 iommu/amd: Allocate the page table root using GFP_KERNEL [ Upstream commit b0a6c883bcd42eeb0850135e529b34b64d57673c ] Domain allocation is always done under a sleepable context, the v1 path and other drivers use GFP_KERNEL already. Fix the v2 path to also use GFP_KERNEL. Fixes: 0d571dcbe7c6 ("iommu/amd: Allocate page table using numa locality info") Reviewed-by: Vasant Hegde Signed-off-by: Jason Gunthorpe Link: https://lore.kernel.org/r/2-v2-831cdc4d00f3+1a315-amd_iopgtbl_jgg@nvidia.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 12d19582b139a5979f7604aeec7b11aa27e9fe43 Author: Vasant Hegde Date: Wed Aug 28 11:10:25 2024 +0000 iommu/amd: Handle error path in amd_iommu_probe_device() [ Upstream commit 293aa9ec694e633bff83ab93715a2684e15fe214 ] Do not try to set max_pasids in error path as dev_data is not allocated. Fixes: a0c47f233e68 ("iommu/amd: Introduce iommu_dev_data.max_pasids") Signed-off-by: Vasant Hegde Reviewed-by: Suravee Suthikulpanit Link: https://lore.kernel.org/r/20240828111029.5429-5-vasant.hegde@amd.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 115f3f14546bc08038ad41d8410e1f694f1bbf29 Author: Christophe JAILLET Date: Thu Aug 1 22:34:39 2024 +0200 fbdev: hpfb: Fix an error handling path in hpfb_dio_probe() [ Upstream commit aa578e897520f32ae12bec487f2474357d01ca9c ] If an error occurs after request_mem_region(), a corresponding release_mem_region() should be called, as already done in the remove function. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Christophe JAILLET Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 0fec9c72c53789e28446ad469a474b70a5c9a3c4 Author: Artur Weber Date: Sat Aug 17 12:51:14 2024 +0200 power: supply: max17042_battery: Fix SOC threshold calc w/ no current sense [ Upstream commit 3a3acf839b2cedf092bdd1ff65b0e9895df1656b ] Commit 223a3b82834f ("power: supply: max17042_battery: use VFSOC for capacity when no rsns") made it so that capacity on systems without current sensing would be read from VFSOC instead of RepSOC. However, the SOC threshold calculation still read RepSOC to get the SOC regardless of the current sensing option state. Fix this by applying the same conditional to determine which register should be read. This also seems to be the intended behavior as per the datasheet - SOC alert config value in MiscCFG on setups without current sensing is set to a value of 0b11, indicating SOC alerts being generated based on VFSOC, instead of 0b00 which indicates SOC alerts being generated based on RepSOC. This fixes an issue on the Galaxy S3/Midas boards, where the alert interrupt would be constantly retriggered, causing high CPU usage on idle (around ~12%-15%). Fixes: e5f3872d2044 ("max17042: Add support for signalling change in SOC") Signed-off-by: Artur Weber Reviewed-by: Henrik Grimler Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20240817-max17042-soc-threshold-fix-v1-1-72b45899c3cc@gmail.com Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 0f76d03c15cf047a7bdfeee360cc0cd822e44ecf Author: Chris Morgan Date: Wed Aug 21 16:54:43 2024 -0500 power: supply: axp20x_battery: Remove design from min and max voltage [ Upstream commit 61978807b00f8a1817b0e5580981af1cd2f428a5 ] The POWER_SUPPLY_PROP_VOLTAGE_MIN_DESIGN and POWER_SUPPLY_PROP_VOLTAGE_MAX_DESIGN values should be immutable properties of the battery, but for this driver they are writable values and used as the minimum and maximum values for charging. Remove the DESIGN designation from these values. Fixes: 46c202b5f25f ("power: supply: add battery driver for AXP20X and AXP22X PMICs") Suggested-by: Chen-Yu Tsai Signed-off-by: Chris Morgan Acked-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20240821215456.962564-3-macroalpha82@gmail.com Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 98cac40f3a0d63ca5a14992a900737fc1f11ea4d Author: Yuntao Liu Date: Thu Aug 15 08:30:21 2024 +0000 hwmon: (ntc_thermistor) fix module autoloading [ Upstream commit b6964d66a07a9003868e428a956949e17ab44d7e ] Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded based on the alias from of_device_id table. Fixes: 9e8269de100d ("hwmon: (ntc_thermistor) Add DT with IIO support to NTC thermistor driver") Signed-off-by: Yuntao Liu Message-ID: <20240815083021.756134-1-liuyuntao12@huawei.com> Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 8e85b08097510f909a13155890bed562bd21e4aa Author: Mirsad Todorovac Date: Fri Jul 12 01:43:20 2024 +0200 mtd: slram: insert break after errors in parsing the map [ Upstream commit 336c218dd7f0588ed8a7345f367975a00a4f003f ] GCC 12.3.0 compiler on linux-next next-20240709 tree found the execution path in which, due to lazy evaluation, devlength isn't initialised with the parsed string: 289 while (map) { 290 devname = devstart = devlength = NULL; 291 292 if (!(devname = strsep(&map, ","))) { 293 E("slram: No devicename specified.\n"); 294 break; 295 } 296 T("slram: devname = %s\n", devname); 297 if ((!map) || (!(devstart = strsep(&map, ",")))) { 298 E("slram: No devicestart specified.\n"); 299 } 300 T("slram: devstart = %s\n", devstart); → 301 if ((!map) || (!(devlength = strsep(&map, ",")))) { 302 E("slram: No devicelength / -end specified.\n"); 303 } → 304 T("slram: devlength = %s\n", devlength); 305 if (parse_cmdline(devname, devstart, devlength) != 0) { 306 return(-EINVAL); 307 } Parsing should be finished after map == NULL, so a break is best inserted after each E("slram: ... \n") error message. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-mtd@lists.infradead.org Signed-off-by: Mirsad Todorovac Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20240711234319.637824-1-mtodorovac69@gmail.com Signed-off-by: Sasha Levin commit 544808f2bb02a0811091340550b708fc98df2e52 Author: Dan Carpenter Date: Thu Aug 15 14:25:00 2024 +0300 iommu/arm-smmu-v3: Fix a NULL vs IS_ERR() check [ Upstream commit af048ec9c05178206e845a88bfd3cb2884a43da7 ] The arm_smmu_domain_alloc() function returns error pointers on error. It doesn't return NULL. Update the error checking to match. Fixes: 52acd7d8a413 ("iommu/arm-smmu-v3: Add support for domain_alloc_user fn") Signed-off-by: Dan Carpenter Reviewed-by: Shameer Kolothum Reviewed-by: Jason Gunthorpe Link: https://lore.kernel.org/r/9208cd0d-8105-40df-93e9-bdcdf0d55eec@stanley.mountain Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit f4678eeaf5804d82d2da25827266e786023fbba9 Author: Rob Clark Date: Fri Aug 9 10:27:14 2024 -0700 iommu/arm-smmu: Un-demote unhandled-fault msg [ Upstream commit 98db56e4900837e4d5d3892b332dca76c8c9f68a ] Previously this was dev_err_ratelimited() but it got changed to a ratelimited dev_dbg(). Change it back to dev_err(). Fixes: d525b0af0c3b ("iommu/arm-smmu: Pretty-print context fault related regs") Signed-off-by: Rob Clark Reviewed-by: Pranjal Shrivastava Link: https://lore.kernel.org/r/20240809172716.10275-1-robdclark@gmail.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit a5fa0e6652189b552584a921c4d6e2e179b21316 Author: Guenter Roeck Date: Sun Jul 21 06:41:17 2024 -0700 hwmon: (max16065) Fix alarm attributes [ Upstream commit 119abf7d1815f098f7f91ae7abc84324a19943d7 ] Chips reporting overcurrent alarms report it in the second alarm register. That means the second alarm register has to be read, even if the chip only supports 8 or fewer ADC channels. MAX16067 and MAX16068 report undervoltage and overvoltage alarms in separate registers. Fold register contents together to report both with the existing alarm attribute. This requires actually storing the chip type in struct max16065_data. Rename the variable 'chip' to match the variable name used in the probe function. Reviewed-by: Tzung-Bi Shih Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles") Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit cf4f3c91773280b6b944d10abea28face6f43ec4 Author: Guenter Roeck Date: Thu Jul 18 09:52:01 2024 -0700 hwmon: (max16065) Fix overflows seen when writing limits [ Upstream commit 744ec4477b11c42e2c8de9eb8364675ae7a0bd81 ] Writing large limits resulted in overflows as reported by module tests. in0_lcrit: Suspected overflow: [max=5538, read 0, written 2147483647] in0_crit: Suspected overflow: [max=5538, read 0, written 2147483647] in0_min: Suspected overflow: [max=5538, read 0, written 2147483647] Fix the problem by clamping prior to multiplications and the use of DIV_ROUND_CLOSEST, and by using consistent variable types. Reviewed-by: Tzung-Bi Shih Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles") Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 492af645d133b8d59eb41156ee91e02a3eb2c9ab Author: Xiu Jianfeng Date: Tue Jul 30 03:29:20 2024 +0000 cgroup/pids: Avoid spurious event notification [ Upstream commit d72a00a8485d1cb11ac1a57bf89b02cbd3a405bf ] Currently when a process in a group forks and fails due to it's parent's max restriction, all the cgroups from 'pids_forking' to root will generate event notifications but only the cgroups from 'pids_over_limit' to root will increase the counter of PIDCG_MAX. Consider this scenario: there are 4 groups A, B, C,and D, the relationships are as follows, and user is watching on C.pids.events. root->A->B->C->D When a process in D forks and fails due to B.max restriction, the user will get a spurious event notification because when he wakes up and reads C.pids.events, he will find that the content has not changed. To address this issue, only the cgroups from 'pids_over_limit' to root will have their PIDCG_MAX counters increased and event notifications generated. Fixes: 385a635cacfe ("cgroup/pids: Make event counters hierarchical") Signed-off-by: Xiu Jianfeng Signed-off-by: Tejun Heo Signed-off-by: Sasha Levin commit 63687e4ba9d77a2de9c9444a44855e981a0aa2d3 Author: Shuah Khan Date: Thu Sep 5 12:02:31 2024 -0600 selftests:resctrl: Fix build failure on archs without __cpuid_count() [ Upstream commit 7beaf1da074f7ea25454d6c11da142c3892d3c4e ] When resctrl is built on architectures without __cpuid_count() support, build fails. resctrl uses __cpuid_count() defined in kselftest.h. Even though the problem is seen while building resctrl on aarch64, this error can be seen on any platform that doesn't support CPUID. CPUID is a x86/x86-64 feature and code paths with CPUID asm commands will fail to build on all other architectures. All others tests call __cpuid_count() do so from x86/x86_64 code paths when _i386__ or __x86_64__ are defined. resctrl is an exception. Fix the problem by defining __cpuid_count() only when __i386__ or __x86_64__ are defined in kselftest.h and changing resctrl to call __cpuid_count() only when __i386__ or __x86_64__ are defined. In file included from resctrl.h:24, from cat_test.c:11: In function ‘arch_supports_noncont_cat’, inlined from ‘noncont_cat_run_test’ at cat_test.c:326:6: ../kselftest.h:74:9: error: impossible constraint in ‘asm’ 74 | __asm__ __volatile__ ("cpuid\n\t" \ | ^~~~~~~ cat_test.c:304:17: note: in expansion of macro ‘__cpuid_count’ 304 | __cpuid_count(0x10, 1, eax, ebx, ecx, edx); | ^~~~~~~~~~~~~ ../kselftest.h:74:9: error: impossible constraint in ‘asm’ 74 | __asm__ __volatile__ ("cpuid\n\t" \ | ^~~~~~~ cat_test.c:306:17: note: in expansion of macro ‘__cpuid_count’ 306 | __cpuid_count(0x10, 2, eax, ebx, ecx, edx); Fixes: ae638551ab64 ("selftests/resctrl: Add non-contiguous CBMs CAT test") Reported-by: Muhammad Usama Anjum Closes: https://lore.kernel.org/lkml/20240809071059.265914-1-usama.anjum@collabora.com/ Reported-by: Ilpo Järvinen Signed-off-by: Shuah Khan Acked-by: Reinette Chatre Reviewed-by: Muhammad Usama Anjum Reviewed-by: Ilpo Järvinen Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit c3fe7f7f894383b84fcf959edf8ef118a38d4506 Author: Masami Hiramatsu (Google) Date: Thu Sep 5 00:30:21 2024 +0900 selftests/ftrace: Fix eventfs ownership testcase to find mount point [ Upstream commit f0a6ecebd858658df213d114b0530f8f0b96e396 ] Fix eventfs ownership testcase to find mount point if stat -c "%m" failed. This can happen on the system based on busybox. In this case, this will try to use the current working directory, which should be a tracefs top directory (and eventfs is mounted as a part of tracefs.) If it does not work, the test is skipped as UNRESOLVED because of the environmental problem. Fixes: ee9793be08b1 ("tracing/selftests: Add ownership modification tests for eventfs") Signed-off-by: Masami Hiramatsu (Google) Acked-by: Steven Rostedt (Google) Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 3e9be210f365b98a1226fcb2572819d45409730a Author: tangbin Date: Tue Sep 3 17:06:20 2024 +0800 ASoC: loongson: fix error release [ Upstream commit 97688a9c5b1fd2b826c682cdfa36d411a5c99828 ] In function loongson_card_parse_of(), when get device_node 'codec' failed, the function of_node_put(codec) should not be invoked, thus fix error release. Fixes: d24028606e76 ("ASoC: loongson: Add Loongson ASoC Sound Card Support") Signed-off-by: tangbin Link: https://patch.msgid.link/20240903090620.6276-1-tangbin@cmss.chinamobile.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 305d41c5020fba4706e01d8955c98f305cb54eb3 Author: Finn Thain Date: Sun Aug 11 10:12:29 2024 +1000 m68k: Fix kernel_clone_args.flags in m68k_clone() [ Upstream commit 09b3d870faa7bc3e96c0978ab3cf4e96e4b15571 ] Stan Johnson recently reported a failure from the 'dump' command: DUMP: Date of this level 0 dump: Fri Aug 9 23:37:15 2024 DUMP: Dumping /dev/sda (an unlisted file system) to /dev/null DUMP: Label: none DUMP: Writing 10 Kilobyte records DUMP: mapping (Pass I) [regular files] DUMP: mapping (Pass II) [directories] DUMP: estimated 3595695 blocks. DUMP: Context save fork fails in parent 671 The dump program uses the clone syscall with the CLONE_IO flag, that is, flags == 0x80000000. When that value is promoted from long int to u64 by m68k_clone(), it undergoes sign-extension. The new value includes CLONE_INTO_CGROUP so the validation in cgroup_css_set_fork() fails and the syscall returns -EBADF. Avoid sign-extension by casting to u32. Reported-by: Stan Johnson Closes: https://lists.debian.org/debian-68k/2024/08/msg00000.html Fixes: 6aabc1facdb2 ("m68k: Implement copy_thread_tls()") Signed-off-by: Finn Thain Reviewed-by: Geert Uytterhoeven Link: https://lore.kernel.org/3463f1e5d4e95468dc9f3368f2b78ffa7b72199b.1723335149.git.fthain@linux-m68k.org Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 770586394c2163d352cb8e26141e8eca5692ffe7 Author: Uros Bizjak Date: Mon Aug 19 10:33:13 2024 +0200 x86/boot/64: Strip percpu address space when setting up GDT descriptors [ Upstream commit b51207dc02ec3aeaa849e419f79055d7334845b6 ] init_per_cpu_var() returns a pointer in the percpu address space while rip_rel_ptr() expects a pointer in the generic address space. When strict address space checks are enabled, GCC's named address space checks fail: asm.h:124:63: error: passing argument 1 of 'rip_rel_ptr' from pointer to non-enclosed address space Add a explicit cast to remove address space of the returned pointer. Fixes: 11e36b0f7c21 ("x86/boot/64: Load the final kernel GDT during early boot directly, remove startup_gdt[]") Signed-off-by: Uros Bizjak Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/all/20240819083334.148536-1-ubizjak@gmail.com Signed-off-by: Sasha Levin commit 0cf6ed3eddfdc7695186a0de43d30bf05c340a7a Author: Steven Rostedt (Google) Date: Wed May 15 01:36:20 2024 -0400 selftests/ftrace: Fix test to handle both old and new kernels [ Upstream commit c049acee3c71cfc26c739f82617a84e13e471a45 ] The function "scheduler_tick" was renamed to "sched_tick" and a selftest that used that function for testing function trace filtering used that function as part of the test. But the change causes it to fail when run on older kernels. As tests should not fail on older kernels, add a check to see which name is available before testing. Fixes: 86dd6c04ef9f ("sched/balancing: Rename scheduler_tick() => sched_tick()") Signed-off-by: Steven Rostedt (Google) Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit ca5fc966ceeaa3a741fed9b19a8d07f170826724 Author: Yuntao Liu Date: Thu Aug 15 09:13:12 2024 +0000 ALSA: hda: cs35l41: fix module autoloading [ Upstream commit 48f1434a4632c7da1a6a94e159512ebddbe13392 ] Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded based on the alias from spi_device_id table. Fixes: 7b2f3eb492da ("ALSA: hda: cs35l41: Add support for CS35L41 in HDA systems") Signed-off-by: Yuntao Liu Link: https://patch.msgid.link/20240815091312.757139-1-liuyuntao12@huawei.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit ceb4d5b6b90d5979cd367116001df578b31ea483 Author: Masami Hiramatsu (Google) Date: Thu Jun 13 07:12:10 2024 +0900 selftests/ftrace: Add required dependency for kprobe tests [ Upstream commit 41f37c852ac3fbfd072a00281b60dc7ba056be8c ] kprobe_args_{char,string}.tc are using available_filter_functions file which is provided by function tracer. Thus if function tracer is disabled, these tests are failed on recent kernels because tracefs_create_dir is not raised events by adding a dynamic event. Add available_filter_functions to requires line. Fixes: 7c1130ea5cae ("test: ftrace: Fix kprobe test for eventfs") Signed-off-by: Masami Hiramatsu (Google) Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 5ce437c9507a5b505e805e2565a7b1b6e062fa08 Author: Linus Walleij Date: Wed Aug 7 17:02:33 2024 +0200 ASoC: tas2781-i2c: Get the right GPIO line [ Upstream commit 1c4b509edad15192bfb64c81d3c305bbae8070db ] The code is obtaining a GPIO reset using the reset GPIO name "reset-gpios", but the gpiolib is already adding the suffix "-gpios" to anything passed to this function and will be looking for "reset-gpios-gpios" which is most certainly not what the author desired. Fix it up. Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver") Signed-off-by: Linus Walleij Link: https://patch.msgid.link/20240807-asoc-tas-gpios-v2-2-bd0f2705d58b@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0f2c25112ed6745b9241983cf62ba94ed2d8065b Author: Linus Walleij Date: Wed Aug 7 17:02:32 2024 +0200 ASoC: tas2781-i2c: Drop weird GPIO code [ Upstream commit c2c0b67dca3cb3b3cea0dd60075a1c5ba77e2fcd ] The tas2781-i2c driver gets an IRQ from either ACPI or device tree, then proceeds to check if the IRQ has a corresponding GPIO and in case it does enforce the GPIO as input and set a label on it. This is abuse of the API: - First we cannot guarantee that the numberspaces of the GPIOs and the IRQs are the same, i.e that an IRQ number corresponds to a GPIO number like that. - Second, GPIO chips and IRQ chips should be treated as orthogonal APIs, the irqchip needs to ascertain that the backing GPIO line is set to input etc just using the irqchip. - Third it is using the legacy API which should not be used in new code yet this was added just a year ago. Delete the offending code. If this creates problems the GPIO and irqchip maintainers can help to fix the issues. It *should* not create any problems, because the irq isn't used anywhere in the driver, it's just obtained and then left unused. Fixes: ef3bcde75d06 ("ASoC: tas2781: Add tas2781 driver") Signed-off-by: Linus Walleij Link: https://patch.msgid.link/20240807-asoc-tas-gpios-v2-1-bd0f2705d58b@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c2f8fb6f8a85ae6ca6164038cbae3cfd8e97bfb2 Author: Shenghao Ding Date: Fri Aug 2 15:20:52 2024 +0800 ASoC: tas2781: Fix a compiling warning reported by robot kernel test due to adding tas2563_dvc_table [ Upstream commit 92b796845a4a8789c2d9434c6a77baa88a99121e ] Move tas2563_dvc_table into a separate Header file, as only tas2781 codec driver use this table, and hda side codec driver won't use it. Fixes: 75ed63a5ab5d ("ASoC: tas2781: Add new Kontrol to set tas2563 digital Volume") Signed-off-by: Shenghao Ding Link: https://patch.msgid.link/20240802072055.1462-1-shenghao-ding@ti.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3e0f1cefda98e3ed44e8a55211ed318cd4a0124f Author: Ma Ke Date: Wed Jul 17 19:54:36 2024 +0800 ASoC: rt5682s: Return devm_of_clk_add_hw_provider to transfer the error [ Upstream commit 3ff810b9bebe5578a245cfa97c252ab602e703f1 ] Return devm_of_clk_add_hw_provider() in order to transfer the error, if it fails due to resource allocation failure or device tree clock provider registration failure. Fixes: bdd229ab26be ("ASoC: rt5682s: Add driver for ALC5682I-VS codec") Signed-off-by: Ma Ke Link: https://patch.msgid.link/20240717115436.3449492-1-make24@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2a8d55fcf8cf30253319919c915734579065873d Author: Yosry Ahmed Date: Tue Jul 2 13:21:37 2024 +0000 x86/mm: Use IPIs to synchronize LAM enablement [ Upstream commit 3b299b99556c1753923f8d9bbd9304bcd139282f ] LAM can only be enabled when a process is single-threaded. But _kernel_ threads can temporarily use a single-threaded process's mm. If LAM is enabled by a userspace process while a kthread is using its mm, the kthread will not observe LAM enablement (i.e. LAM will be disabled in CR3). This could be fine for the kthread itself, as LAM only affects userspace addresses. However, if the kthread context switches to a thread in the same userspace process, CR3 may or may not be updated because the mm_struct doesn't change (based on pending TLB flushes). If CR3 is not updated, the userspace thread will run incorrectly with LAM disabled, which may cause page faults when using tagged addresses. Example scenario: CPU 1 CPU 2 /* kthread */ kthread_use_mm() /* user thread */ prctl_enable_tagged_addr() /* LAM enabled on CPU 2 */ /* LAM disabled on CPU 1 */ context_switch() /* to CPU 1 */ /* Switching to user thread */ switch_mm_irqs_off() /* CR3 not updated */ /* LAM is still disabled on CPU 1 */ Synchronize LAM enablement by sending an IPI to all CPUs running with the mm_struct to enable LAM. This makes sure LAM is enabled on CPU 1 in the above scenario before prctl_enable_tagged_addr() returns and userspace starts using tagged addresses, and before it's possible to run the userspace process on CPU 1. In switch_mm_irqs_off(), move reading the LAM mask until after mm_cpumask() is updated. This ensures that if an outdated LAM mask is written to CR3, an IPI is received to update it right after IRQs are re-enabled. [ dhansen: Add a LAM enabling helper and comment it ] Fixes: 82721d8b25d7 ("x86/mm: Handle LAM on context switch") Suggested-by: Andy Lutomirski Signed-off-by: Yosry Ahmed Signed-off-by: Dave Hansen Reviewed-by: Kirill A. Shutemov Link: https://lore.kernel.org/all/20240702132139.3332013-2-yosryahmed%40google.com Signed-off-by: Sasha Levin commit 70cab41c9c956ee40ed83ea53c71fee725449243 Author: Chen-Yu Tsai Date: Fri Aug 2 15:09:50 2024 +0800 arm64: dts: mediatek: mt8195: Correct clock order for dp_intf* [ Upstream commit 51bc68debab9e30b50c6352315950f3cfc309b32 ] The clocks for dp_intf* device nodes are given in the wrong order, causing the binding validation to fail. Fixes: 6c2503b5856a ("arm64: dts: mt8195: Add dp-intf nodes") Signed-off-by: Chen-Yu Tsai Reviewed-by: Nícolas F. R. A. Prado Link: https://lore.kernel.org/r/20240802070951.1086616-1-wenst@chromium.org Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 7b59c8c3949cdefcba12bfdc4a5e7815919945ed Author: Ankit Agrawal Date: Sat Jul 13 15:27:13 2024 +0530 clocksource/drivers/qcom: Add missing iounmap() on errors in msm_dt_timer_init() [ Upstream commit ca140a0dc0a18acd4653b56db211fec9b2339986 ] Add the missing iounmap() when clock frequency fails to get read by the of_property_read_u32() call, or if the call to msm_timer_init() fails. Fixes: 6e3321631ac2 ("ARM: msm: Add DT support to msm_timer") Signed-off-by: Ankit Agrawal Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240713095713.GA430091@bnew-VirtualBox Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit abd73ba40c4b4d0d408a97a65e91345b1aec966c Author: Dan Carpenter Date: Thu Sep 5 16:16:53 2024 +0300 platform: cznic: turris-omnia-mcu: Fix error check in omnia_mcu_register_trng() [ Upstream commit 2d516b8fc0f18ce9c0347a1aea6edb3d8ca1d692 ] The gpiod_to_irq() function never returns zero. It returns negative error codes or a positive IRQ number. Update the checking to check for negatives. Fixes: 41bb142a4028 ("platform: cznic: turris-omnia-mcu: Add support for MCU provided TRNG") Signed-off-by: Dan Carpenter Reviewed-by: Marek Behún Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit b72a896571ef252b037bb1acad8cd5c938e7b7a1 Author: Krzysztof Kozlowski Date: Sun Aug 25 16:14:25 2024 +0200 reset: k210: fix OF node leak in probe() error path [ Upstream commit b14e40f5dc7cd0dd7e958010e6ca9ad32ff2ddad ] Driver is leaking OF node reference on memory allocation failure. Acquire the OF node reference after memory allocation to fix this and keep it simple. Fixes: 5a2308da9f60 ("riscv: Add Canaan Kendryte K210 reset controller") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Damien Le Moal Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-2-03f6d834f8c0@linaro.org Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit fcf0b7125b19bbc0d8b199af96a3e01f2852444e Author: Krzysztof Kozlowski Date: Sun Aug 25 16:14:24 2024 +0200 reset: berlin: fix OF node leak in probe() error path [ Upstream commit 5f58a88cc91075be38cec69b7cb70aaa4ba69e8b ] Driver is leaking OF node reference on memory allocation failure. Acquire the OF node reference after memory allocation to fix this and keep it simple. Fixes: aed6f3cadc86 ("reset: berlin: convert to a platform driver") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Damien Le Moal Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-1-03f6d834f8c0@linaro.org Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin commit c58569526e49457910176ca7299c8befb4e7683e Author: Krzysztof Kozlowski Date: Mon Aug 26 07:49:33 2024 +0200 ARM: versatile: fix OF node leak in CPUs prepare [ Upstream commit f2642d97f2105ed17b2ece0c597450f2ff95d704 ] Machine code is leaking OF node reference from of_find_matching_node() in realview_smp_prepare_cpus(). Fixes: 5420b4b15617 ("ARM: realview: add an DT SMP boot method") Signed-off-by: Krzysztof Kozlowski Acked-by: Liviu Dudau Link: https://lore.kernel.org/20240826054934.10724-1-krzysztof.kozlowski@linaro.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 55cada3d138c41d748e8cbe3b58cb480ceccd63e Author: MD Danish Anwar Date: Fri Aug 30 16:40:00 2024 +0530 arm64: dts: ti: k3-am654-idk: Fix dtbs_check warning in ICSSG dmas [ Upstream commit 2bea7920da8001172f54359395700616269ccb70 ] ICSSG doesn't use mgmnt rsp dmas. But these are added in the dmas for icssg1-eth and icssg0-eth node. These mgmnt rsp dmas result in below dtbs_check warnings. /workdir/arch/arm64/boot/dts/ti/k3-am654-idk.dtb: icssg1-eth: dmas: [[39, 49664], [39, 49665], [39, 49666], [39, 49667], [39, 49668], [39, 49669], [39, 49670], [39, 49671], [39, 16896], [39, 16897], [39, 16898], [39, 16899]] is too long from schema $id: http://devicetree.org/schemas/net/ti,icssg-prueth.yaml# /workdir/arch/arm64/boot/dts/ti/k3-am654-idk.dtb: icssg0-eth: dmas: [[39, 49408], [39, 49409], [39, 49410], [39, 49411], [39, 49412], [39, 49413], [39, 49414], [39, 49415], [39, 16640], [39, 16641], [39, 16642], [39, 16643]] is too long from schema $id: http://devicetree.org/schemas/net/ti,icssg-prueth.yaml# Fix these warnings by removing mgmnt rsp dmas from icssg1-eth and icssg0-eth nodes. Fixes: a4d5bc3214eb ("arm64: dts: ti: k3-am654-idk: Add ICSSG Ethernet ports") Signed-off-by: MD Danish Anwar Reviewed-by: Roger Quadros Link: https://lore.kernel.org/r/20240830111000.232028-1-danishanwar@ti.com Signed-off-by: Nishanth Menon Signed-off-by: Sasha Levin commit 88e167afb85d5161f586d918cc435ff2366f86eb Author: Krzysztof Kozlowski Date: Wed Aug 28 11:56:36 2024 +0200 ARM: dts: imx7d-zii-rmu2: fix Ethernet PHY pinctrl property [ Upstream commit 0e49cfe364dea4345551516eb2fe53135a10432b ] There is no "fsl,phy" property in pin controller pincfg nodes: imx7d-zii-rmu2.dtb: pinctrl@302c0000: enet1phyinterruptgrp: 'fsl,pins' is a required property imx7d-zii-rmu2.dtb: pinctrl@302c0000: enet1phyinterruptgrp: 'fsl,phy' does not match any of the regexes: 'pinctrl-[0-9]+' Fixes: f496e6750083 ("ARM: dts: Add ZII support for ZII i.MX7 RMU2 board") Signed-off-by: Krzysztof Kozlowski Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit caa4069c60a7fafc3c647a4a50a98ddf4ec7ecbf Author: Claudiu Beznea Date: Mon Aug 26 19:53:20 2024 +0300 ARM: dts: microchip: sama7g5: Fix RTT clock [ Upstream commit 867bf1923200e6ad82bad0289f43bf20b4ac7ff9 ] According to datasheet, Chapter 34. Clock Generator, section 34.2, Embedded characteristics, source clock for RTT is the TD_SLCK, registered with ID 1 by the slow clock controller driver. Fix RTT clock. Fixes: 7540629e2fc7 ("ARM: dts: at91: add sama7g5 SoC DT and sama7g5-ek") Link: https://lore.kernel.org/r/20240826165320.3068359-1-claudiu.beznea@tuxon.dev Signed-off-by: Claudiu Beznea Signed-off-by: Sasha Levin commit a549e3fe2865b30ee1f892099073a667a39e171c Author: Abel Vesa Date: Thu Aug 29 15:03:28 2024 +0300 arm64: dts: qcom: x1e80100: Fix PHY for DP2 [ Upstream commit ba728bda663b0e812cb20450d18af5d0edd803a2 ] The actual PHY used by MDSS DP2 is the USB SS2 QMP one. So switch to it instead. This is needed to get external DP support on boards like CRD where the 3rd Type-C USB port (right-hand side) is connected to DP2. Fixes: 1940c25eaa63 ("arm64: dts: qcom: x1e80100: Add display nodes") Signed-off-by: Abel Vesa Reviewed-by: Konrad Dybcio Link: https://lore.kernel.org/r/20240829-x1e80100-dts-dp2-use-qmpphy-ss2-v1-1-9ba3dca61ccc@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 2f8bd211e9d97a784f4d58f37af555b8bff5ff00 Author: Jinjie Ruan Date: Mon Aug 26 20:49:02 2024 +0800 spi: bcmbca-hsspi: Fix missing pm_runtime_disable() [ Upstream commit 4439a2e92cb89028b22c5d7ba1b99e75d7d889f6 ] The pm_runtime_disable() is missing in remove function, use devm_pm_runtime_enable() to fix it. So the pm_runtime_disable() in the probe error path can also be removed. Fixes: a38a2233f23b ("spi: bcmbca-hsspi: Add driver for newer HSSPI controller") Signed-off-by: Jinjie Ruan Reviewed-by: William Zhang Link: https://patch.msgid.link/20240826124903.3429235-2-ruanjinjie@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 00155fd09200d20af5c26091308956b73eadf76a Author: Andrew Davis Date: Thu Aug 1 13:12:32 2024 -0500 arm64: dts: ti: k3-j721e-beagleboneai64: Fix reversed C6x carveout locations [ Upstream commit 1a314099b7559690fe23cdf3300dfff6e830ecb1 ] The DMA carveout for the C6x core 0 is at 0xa6000000 and core 1 is at 0xa7000000. These are reversed in DT. While both C6x can access either region, so this is not normally a problem, but if we start restricting the memory each core can access (such as with firewalls) the cores accessing the regions for the wrong core will not work. Fix this here. Fixes: fae14a1cb8dd ("arm64: dts: ti: Add k3-j721e-beagleboneai64") Signed-off-by: Andrew Davis Link: https://lore.kernel.org/r/20240801181232.55027-2-afd@ti.com Signed-off-by: Nishanth Menon Signed-off-by: Sasha Levin commit 8bd64c6e1ae2682d2268c17a44d35cd3034d8daf Author: Andrew Davis Date: Thu Aug 1 13:12:31 2024 -0500 arm64: dts: ti: k3-j721e-sk: Fix reversed C6x carveout locations [ Upstream commit 9f3814a7c06b7c7296cf8c1622078ad71820454b ] The DMA carveout for the C6x core 0 is at 0xa6000000 and core 1 is at 0xa7000000. These are reversed in DT. While both C6x can access either region, so this is not normally a problem, but if we start restricting the memory each core can access (such as with firewalls) the cores accessing the regions for the wrong core will not work. Fix this here. Fixes: f46d16cf5b43 ("arm64: dts: ti: k3-j721e-sk: Add DDR carveout memory nodes") Signed-off-by: Andrew Davis Link: https://lore.kernel.org/r/20240801181232.55027-1-afd@ti.com Signed-off-by: Nishanth Menon Signed-off-by: Sasha Levin commit 0d3f571236b9ef311215984a49bea9134f479ea2 Author: Jonas Karlman Date: Tue Aug 27 21:18:16 2024 +0000 arm64: dts: rockchip: Correct vendor prefix for Hardkernel ODROID-M1 [ Upstream commit 735065e774dcfc62e38df01a535862138b6c92ed ] The vendor prefix for Hardkernel ODROID-M1 is incorrectly listed as rockchip. Use the proper hardkernel vendor prefix for this board, while at it also drop the redundant soc prefix. Fixes: fd3583267703 ("arm64: dts: rockchip: Add Hardkernel ODROID-M1 board") Reviewed-by: Aurelien Jarno Signed-off-by: Jonas Karlman Link: https://lore.kernel.org/r/20240827211825.1419820-3-jonas@kwiboo.se Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 6e9a1501917e177d90a1750d6a1f2fa005519f41 Author: Jon Hunter Date: Fri Jul 12 14:20:20 2024 +0100 arm64: tegra: Correct location of power-sensors for IGX Orin [ Upstream commit b93679b8f165467e1584f9b23055db83f45c32ce ] The power-sensors are located on the carrier board and not the module board and so update the IGX Orin device-tree files to fix this. Fixes: 9152ed09309d ("arm64: tegra: Add power-sensors for Tegra234 boards") Signed-off-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 38e67ea273473d1d1708ace4f08855a85646bb6a Author: Alexander Dahl Date: Wed Aug 21 07:51:36 2024 +0200 ARM: dts: microchip: sam9x60: Fix rtc/rtt clocks [ Upstream commit d355c895fa4ddd8bec15569eee540baeed7df8c5 ] The RTC and RTT peripherals use the timing domain slow clock (TD_SLCK), sourced from the 32.768 kHz crystal oscillator or slow rc oscillator. The previously used Monitoring domain slow clock (MD_SLCK) is sourced from an internal RC oscillator which is most probably not precise enough for real time clock purposes. Fixes: 1e5f532c2737 ("ARM: dts: at91: sam9x60: add device tree for soc and board") Fixes: 5f6b33f46346 ("ARM: dts: sam9x60: add rtt") Signed-off-by: Alexander Dahl Link: https://lore.kernel.org/r/20240821055136.6858-1-ada@thorsis.com [claudiu.beznea: removed () around the last commit description paragraph, removed " in front of "timing domain slow clock", described that TD_SLCK can also be sourced from slow rc oscillator] Signed-off-by: Claudiu Beznea Signed-off-by: Sasha Levin commit cbcd8021fb906a5c77bc3f888e529afb18c46df7 Author: Lad Prabhakar Date: Tue Jul 30 13:24:36 2024 +0100 arm64: dts: renesas: r9a07g044: Correct GICD and GICR sizes [ Upstream commit 833948fb2b63155847ab691a54800f801555429b ] The RZ/G2L(C) SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU. Fixes: 68a45525297b2 ("arm64: dts: renesas: Add initial DTSI for RZ/G2{L,LC} SoC's") Signed-off-by: Lad Prabhakar Link: https://lore.kernel.org/20240730122436.350013-5-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 3f63bbd6ccf6098f38dc0587313e12f94b81c089 Author: Lad Prabhakar Date: Tue Jul 30 13:24:35 2024 +0100 arm64: dts: renesas: r9a07g054: Correct GICD and GICR sizes [ Upstream commit 45afa9eacb59b258d2e53c7f63430ea1e8344803 ] The RZ/V2L SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU. Fixes: 7c2b8198f4f32 ("arm64: dts: renesas: Add initial DTSI for RZ/V2L SoC") Signed-off-by: Lad Prabhakar Link: https://lore.kernel.org/20240730122436.350013-4-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit fcb97670da94ceb0de00e625e57773c5bffcb9b5 Author: Lad Prabhakar Date: Tue Jul 30 13:24:34 2024 +0100 arm64: dts: renesas: r9a07g043u: Correct GICD and GICR sizes [ Upstream commit ab39547f739236e7f16b8b0a51fdca95cc9cadd3 ] The RZ/G2UL SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU. Despite the RZ/G2UL SoC being single-core, it has two instances of GICR. Fixes: cf40c9689e510 ("arm64: dts: renesas: Add initial DTSI for RZ/G2UL SoC") Signed-off-by: Lad Prabhakar Link: https://lore.kernel.org/20240730122436.350013-3-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit b8d282aa221e0a66fd2e3c2869ea3781d07fd293 Author: Lad Prabhakar Date: Tue Jul 30 13:24:33 2024 +0100 arm64: dts: renesas: r9a08g045: Correct GICD and GICR sizes [ Upstream commit ec9532628eb9d82282b8e52fd9c4a3800d87feec ] The RZ/G3S SoC is equipped with the GIC-600. The GICD is 64KiB + 64KiB for the MBI alias (in total 128KiB), and the GICR is 128KiB per CPU. Despite the RZ/G3S SoC being single-core, it has two instances of GICR. Fixes: e20396d65b959 ("arm64: dts: renesas: Add initial DTSI for RZ/G3S SoC") Signed-off-by: Lad Prabhakar Link: https://lore.kernel.org/20240730122436.350013-2-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 342f98ec3e6a9f7d44637a13d17c2e8a50a6dd11 Author: Chen-Yu Tsai Date: Thu Aug 22 15:20:45 2024 +0800 regulator: Return actual error in of_regulator_bulk_get_all() [ Upstream commit 395a41a1d3e377462f3eea8a205ee72be8885ff6 ] If regulator_get() in of_regulator_bulk_get_all() returns an error, that error gets overridden and -EINVAL is always passed out. This masks probe deferral requests and likely won't work properly in all cases. Fix this by letting of_regulator_bulk_get_all() return the original error code. Fixes: 27b9ecc7a9ba ("regulator: Add of_regulator_bulk_get_all") Signed-off-by: Chen-Yu Tsai Link: https://patch.msgid.link/20240822072047.3097740-3-wenst@chromium.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ce6277d123735d083dbc70ab20e8134248be9457 Author: Mukesh Ojha Date: Mon Jul 8 21:23:32 2024 +0530 firmware: qcom: scm: Disable SDI and write no dump to dump mode [ Upstream commit 79cb2cb8d89b7eca87e8dac031dadea4aeafeaa7 ] SDI is enabled for most of the Qualcomm SoCs and as per commit ff4aa3bc9825 ("firmware: qcom_scm: disable SDI if required") it was recommended to disable SDI by mentioning it in device tree to avoid hang during watchdog or during reboot. However, for some cases if download mode tcsr register already configured from boot firmware to collect dumps and if SDI is disabled via means of mentioning it in device tree we could still end up with dump collection. Disabling SDI alone is not completely enough to disable dump mode and we also need to zero out the bits download bits from tcsr register. Current commit now, unconditionally call qcom_scm_set_download_mode() based on download_mode flag, at max if TCSR register is not mentioned or available for a SoC it will fallback to legacy way of setting download mode through command which may be no-ops or return error in case current firmware does not implements QCOM_SCM_INFO_IS_CALL_AVAIL so, at worst it does nothing if it fails. It also does to call SDI disable call if dload mode is disabled, which looks fine to do as intention is to disable dump collection even if system crashes. Fixes: ff4aa3bc9825 ("firmware: qcom_scm: disable SDI if required") Signed-off-by: Mukesh Ojha Link: https://lore.kernel.org/r/20240708155332.4056479-1-quic_mojha@quicinc.com Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 1fd6999480591d448527f0f27ec972d4250f7ac6 Author: Andy Shevchenko Date: Wed Aug 14 17:45:12 2024 +0300 spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ [ Upstream commit 7781f1d120fec8624fc654eda900fc8748262082 ] 0 is incorrect error code when failed to parse and map IRQ. Replace OF specific old API for IRQ retrieval with a generic one to fix this issue. Fixes: 0f245463b01e ("spi: ppc4xx: handle irq_of_parse_and_map() errors") Signed-off-by: Andy Shevchenko Link: https://patch.msgid.link/20240814144525.2648450-1-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit aef6ae124bb3cc12e34430fed91fbb7efd7a444d Author: Cristian Marussi Date: Mon Aug 12 18:33:32 2024 +0100 firmware: arm_scmi: Fix double free in OPTEE transport [ Upstream commit e98dba934b2fc587eafb83f47ad64d9053b18ae0 ] Channels can be shared between protocols, avoid freeing the same channel descriptors twice when unloading the stack. Fixes: 5f90f189a052 ("firmware: arm_scmi: Add optee transport") Signed-off-by: Cristian Marussi Tested-by: Peng Fan #i.MX95 19x19 EVK Reviewed-by: Peng Fan Tested-by: Florian Fainelli Message-Id: <20240812173340.3912830-2-cristian.marussi@arm.com> Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit 88469ce1d8fb1c4e88ba9b9bccb15ee2304108fd Author: AngeloGioacchino Del Regno Date: Thu Jul 25 09:22:43 2024 +0200 arm64: dts: mediatek: mt8186: Fix supported-hw mask for GPU OPPs [ Upstream commit 2317d018b835842df0501d8f9e9efa843068a101 ] The speedbin eFuse reads a value 'x' from 0 to 7 and, in order to make that compatible with opp-supported-hw, it gets post processed as BIT(x). Change all of the 0x30 supported-hw to 0x20 to avoid getting duplicate OPPs for speedbin 4, and also change all of the 0x8 to 0xcf because speedbins different from 4 and 5 do support 900MHz, 950MHz, 1000MHz with the higher voltage of 850mV, 900mV, 950mV respectively. Fixes: f38ea593ad0d ("arm64: dts: mediatek: mt8186: Wire up GPU voltage/frequency scaling") Link: https://lore.kernel.org/r/20240725072243.173104-1-angelogioacchino.delregno@collabora.com Signed-off-by: AngeloGioacchino Del Regno Signed-off-by: Sasha Levin commit 1d963d0010389686399212121e2714ff2cc90134 Author: David Virag Date: Sat Jul 13 19:58:32 2024 +0200 arm64: dts: exynos: exynos7885-jackpotlte: Correct RAM amount to 4GB [ Upstream commit d281814b8f7a710a75258da883fb0dfe1329c031 ] All known jackpotlte variants have 4GB of RAM, let's use it all. RAM was set to 3GB from a mistake in the vendor provided DTS file. Fixes: 06874015327b ("arm64: dts: exynos: Add initial device tree support for Exynos7885 SoC") Signed-off-by: David Virag Reviewed-by: Sam Protsenko Link: https://lore.kernel.org/r/20240713180607.147942-3-virag.david003@gmail.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 3f84b4f5afb78ea0f9d57e2a4b8af566e1b23296 Author: Ma Ke Date: Wed Jul 24 16:40:47 2024 +0800 spi: ppc4xx: handle irq_of_parse_and_map() errors [ Upstream commit 0f245463b01ea254ae90e1d0389e90b0e7d8dc75 ] Zero and negative number is not a valid IRQ for in-kernel code and the irq_of_parse_and_map() function returns zero on error. So this check for valid IRQs should only accept values > 0. Fixes: 44dab88e7cc9 ("spi: add spi_ppc4xx driver") Signed-off-by: Ma Ke Link: https://patch.msgid.link/20240724084047.1506084-1-make24@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit afe53ea9b378c376101d99d216f13b6256f75189 Author: Riyan Dhiman Date: Wed Sep 11 18:59:54 2024 +0530 block: fix potential invalid pointer dereference in blk_add_partition [ Upstream commit 26e197b7f9240a4ac301dd0ad520c0c697c2ea7d ] The blk_add_partition() function initially used a single if-condition (IS_ERR(part)) to check for errors when adding a partition. This was modified to handle the specific case of -ENXIO separately, allowing the function to proceed without logging the error in this case. However, this change unintentionally left a path where md_autodetect_dev() could be called without confirming that part is a valid pointer. This commit separates the error handling logic by splitting the initial if-condition, improving code readability and handling specific error scenarios explicitly. The function now distinguishes the general error case from -ENXIO without altering the existing behavior of md_autodetect_dev() calls. Fixes: b72053072c0b (block: allow partitions on host aware zone devices) Signed-off-by: Riyan Dhiman Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20240911132954.5874-1-riyandhiman14@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 5c172c89d54f3f660609b71fe3fde10f6036fdd5 Author: Felix Moessbauer Date: Tue Sep 10 19:11:57 2024 +0200 io_uring/io-wq: inherit cpuset of cgroup in io worker [ Upstream commit 84eacf177faa605853c58e5b1c0d9544b88c16fd ] The io worker threads are userland threads that just never exit to the userland. By that, they are also assigned to a cgroup (the group of the creating task). When creating a new io worker, this worker should inherit the cpuset of the cgroup. Fixes: da64d6db3bd3 ("io_uring: One wqe per wq") Signed-off-by: Felix Moessbauer Link: https://lore.kernel.org/r/20240910171157.166423-3-felix.moessbauer@siemens.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 8feded705c52a87449cbc5976b545f6ee1a06078 Author: Felix Moessbauer Date: Tue Sep 10 19:11:56 2024 +0200 io_uring/io-wq: do not allow pinning outside of cpuset [ Upstream commit 0997aa5497c714edbb349ca366d28bd550ba3408 ] The io worker threads are userland threads that just never exit to the userland. By that, they are also assigned to a cgroup (the group of the creating task). When changing the affinity of the io_wq thread via syscall, we must only allow cpumasks within the limits defined by the cpuset controller of the cgroup (if enabled). Fixes: da64d6db3bd3 ("io_uring: One wqe per wq") Signed-off-by: Felix Moessbauer Link: https://lore.kernel.org/r/20240910171157.166423-2-felix.moessbauer@siemens.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 054e3cdfc77dc6950745b9bc802e91c52c81b68e Author: Yu Kuai Date: Mon Sep 9 21:41:49 2024 +0800 block, bfq: fix procress reference leakage for bfqq in merge chain [ Upstream commit 73aeab373557fa6ee4ae0b742c6211ccd9859280 ] Original state: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \--------------\ \-------------\ \-------------\| V V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 1 2 4 After commit 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()"), if P1 issues a new IO: Without the patch: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \------------------------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 0 2 4 bfqq3 will be used to handle IO from P1, this is not expected, IO should be redirected to bfqq4; With the patch: ------------------------------------------- | | Process 1 Process 2 Process 3 | Process 4 (BIC1) (BIC2) (BIC3) | (BIC4) | | | | \-------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 0 2 4 IO is redirected to bfqq4, however, procress reference of bfqq3 is still 2, while there is only P2 using it. Fix the problem by calling bfq_merge_bfqqs() for each bfqq in the merge chain. Also change bfqq_merge_bfqqs() to return new_bfqq to simplify code. Fixes: 0e456dba86c7 ("block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator()") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20240909134154.954924-3-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit cae58d19121a70329cf971359e2518c93fec04fe Author: Yu Kuai Date: Mon Sep 9 21:41:48 2024 +0800 block, bfq: fix uaf for accessing waker_bfqq after splitting [ Upstream commit 1ba0403ac6447f2d63914fb760c44a3b19c44eaf ] After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()"), if the current procress is the last holder of bfqq, the bfqq can be freed after bfq_split_bfqq(). Hence recored the bfqq and then access bfqq->waker_bfqq may trigger UAF. What's more, the waker_bfqq may in the merge chain of bfqq, hence just recored waker_bfqq is still not safe. Fix the problem by adding a helper bfq_waker_bfqq() to check if bfqq->waker_bfqq is in the merge chain, and current procress is the only holder. Fixes: 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20240909134154.954924-2-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 9cfa199bcbbbba31cbf97b2786f44f4464f3f29a Author: Gao Xiang Date: Tue Sep 10 15:08:47 2024 +0800 erofs: handle overlapped pclusters out of crafted images properly [ Upstream commit 9e2f9d34dd12e6e5b244ec488bcebd0c2d566c50 ] syzbot reported a task hang issue due to a deadlock case where it is waiting for the folio lock of a cached folio that will be used for cache I/Os. After looking into the crafted fuzzed image, I found it's formed with several overlapped big pclusters as below: Ext: logical offset | length : physical offset | length 0: 0.. 16384 | 16384 : 151552.. 167936 | 16384 1: 16384.. 32768 | 16384 : 155648.. 172032 | 16384 2: 32768.. 49152 | 16384 : 537223168.. 537239552 | 16384 ... Here, extent 0/1 are physically overlapped although it's entirely _impossible_ for normal filesystem images generated by mkfs. First, managed folios containing compressed data will be marked as up-to-date and then unlocked immediately (unlike in-place folios) when compressed I/Os are complete. If physical blocks are not submitted in the incremental order, there should be separate BIOs to avoid dependency issues. However, the current code mis-arranges z_erofs_fill_bio_vec() and BIO submission which causes unexpected BIO waits. Second, managed folios will be connected to their own pclusters for efficient inter-queries. However, this is somewhat hard to implement easily if overlapped big pclusters exist. Again, these only appear in fuzzed images so let's simply fall back to temporary short-lived pages for correctness. Additionally, it justifies that referenced managed folios cannot be truncated for now and reverts part of commit 2080ca1ed3e4 ("erofs: tidy up `struct z_erofs_bvec`") for simplicity although it shouldn't be any difference. Reported-by: syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com Reported-by: syzbot+de04e06b28cfecf2281c@syzkaller.appspotmail.com Reported-by: syzbot+c8c8238b394be4a1087d@syzkaller.appspotmail.com Tested-by: syzbot+4fc98ed414ae63d1ada2@syzkaller.appspotmail.com Closes: https://lore.kernel.org/r/0000000000002fda01061e334873@google.com Fixes: 8e6c8fa9f2e9 ("erofs: enable big pcluster feature") Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20240910070847.3356592-1-hsiangkao@linux.alibaba.com Signed-off-by: Sasha Levin commit 82f86682c78fe829e1a8ec83af7d34fe07df7c0e Author: Sandeep Dhavale Date: Wed Sep 4 23:00:25 2024 -0700 erofs: fix error handling in z_erofs_init_decompressor [ Upstream commit 3fc3e45fcdeaad4b7660b560fcbc827eb733f58e ] If we get a failure at the first decompressor init (i = 0), the clean up while loop could enter infinite loop due to wrong while check. Check the value of i now to see if we need any clean up at all. Fixes: 5a7cce827ee9 ("erofs: refine z_erofs_{init,exit}_subsystem()") Reported-by: liujinbao1 Signed-off-by: Sandeep Dhavale Reviewed-by: Gao Xiang Reviewed-by: Chao Yu Link: https://lore.kernel.org/r/20240905060027.2388893-1-dhavale@google.com Signed-off-by: Gao Xiang Signed-off-by: Sasha Levin commit c0c047ef73460a0e27c2a6ae0b25c5b98c2a98a7 Author: Gao Xiang Date: Mon Sep 9 11:19:11 2024 +0800 erofs: fix incorrect symlink detection in fast symlink [ Upstream commit 9ed50b8231e37b1ae863f5dec8153b98d9f389b4 ] Fast symlink can be used if the on-disk symlink data is stored in the same block as the on-disk inode, so we don’t need to trigger another I/O for symlink data. However, currently fs correction could be reported _incorrectly_ if inode xattrs are too large. In fact, these should be valid images although they cannot be handled as fast symlinks. Many thanks to Colin for reporting this! Reported-by: Colin Walters Reported-by: https://honggfuzz.dev/ Link: https://lore.kernel.org/r/bb2dd430-7de0-47da-ae5b-82ab2dd4d945@app.fastmail.com Fixes: 431339ba9042 ("staging: erofs: add inode operations") [ Note that it's a runtime misbehavior instead of a security issue. ] Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20240909031911.1174718-1-hsiangkao@linux.alibaba.com Signed-off-by: Sasha Levin commit 8afddcdfb9ec918dbb69e9d952c45f06de2b6f13 Author: Wouter Verhelst Date: Mon Aug 12 15:20:42 2024 +0200 nbd: correct the maximum value for discard sectors [ Upstream commit 296dbc72d29085d5fc34430d0760423071e9e81d ] The version of the NBD protocol implemented by the kernel driver currently has a 32 bit field for length values. As the NBD protocol uses bytes as a unit of length, length values larger than 2^32 bytes cannot be expressed. Update the max_hw_discard_sectors field to match that. Signed-off-by: Wouter Verhelst Fixes: 268283244c0f ("nbd: use the atomic queue limits API in nbd_set_size") Reviewed-by: Damien Le Moal Cc: Eric Blake Link: https://lore.kernel.org/r/20240812133032.115134-8-w@uter.be Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 436bc8c4a85f6a58dd79ca592f819d71b85e7ee0 Author: David Howells Date: Tue Jul 23 15:35:29 2024 +0100 cachefiles: Fix non-taking of sb_writers around set/removexattr [ Upstream commit 80887f31672970abae3aaa9cf62ac72a124e7c89 ] Unlike other vfs_xxxx() calls, vfs_setxattr() and vfs_removexattr() don't take the sb_writers lock, so the caller should do it for them. Fix cachefiles to do this. Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem") Signed-off-by: David Howells cc: Christian Brauner cc: Gao Xiang cc: netfs@lists.linux.dev cc: linux-erofs@lists.ozlabs.org cc: linux-fsdevel@vger.kernel.org Link: https://lore.kernel.org/r/20240814203850.2240469-3-dhowells@redhat.com/ # v2 Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit 4780f50ea50cfe8e89fc3747bf3dd155488433bb Author: Yu Kuai Date: Mon Sep 2 21:03:28 2024 +0800 block, bfq: don't break merge chain in bfq_split_bfqq() [ Upstream commit 42c306ed723321af4003b2a41bb73728cab54f85 ] Consider the following scenario: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \-------------\ \-------------\ \--------------\| V V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 1 2 4 If Process 1 issue a new IO and bfqq2 is found, and then bfq_init_rq() decide to spilt bfqq2 by bfq_split_bfqq(). Howerver, procress reference of bfqq2 is 1 and bfq_split_bfqq() just clear the coop flag, which will break the merge chain. Expected result: caller will allocate a new bfqq for BIC1 Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) | | | \-------------\ \--------------\| V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 ref 0 0 1 3 Since the condition is only used for the last bfqq4 when the previous bfqq2 and bfqq3 are already splited. Fix the problem by checking if bfqq is the last one in the merge chain as well. Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20240902130329.3787024-4-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit dd6ab49f017b5336185e74fc8b4225e91e6ad55b Author: Yu Kuai Date: Mon Sep 2 21:03:27 2024 +0800 block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() [ Upstream commit 0e456dba86c7f9a19792204a044835f1ca2c8dbb ] Consider the following merge chain: Process 1 Process 2 Process 3 Process 4 (BIC1) (BIC2) (BIC3) (BIC4) Λ | | | \--------------\ \-------------\ \-------------\| V V V bfqq1--------->bfqq2---------->bfqq3----------->bfqq4 IO from Process 1 will get bfqf2 from BIC1 first, then bfq_setup_cooperator() will found bfqq2 already merged to bfqq3 and then handle this IO from bfqq3. However, the merge chain can be much deeper and bfqq3 can be merged to other bfqq as well. Fix this problem by iterating to the last bfqq in bfq_setup_cooperator(). Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20240902130329.3787024-3-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 6d130db286ad0ea392c96ebb2551acf0d7308048 Author: Yu Kuai Date: Mon Sep 2 21:03:26 2024 +0800 block, bfq: fix possible UAF for bfqq->bic with merge chain [ Upstream commit 18ad4df091dd5d067d2faa8fce1180b79f7041a7 ] 1) initial state, three tasks: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) | Λ | Λ | Λ | | | | | | V | V | V | bfqq1 bfqq2 bfqq3 process ref: 1 1 1 2) bfqq1 merged to bfqq2: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) | | | Λ \--------------\| | | V V | bfqq1--------->bfqq2 bfqq3 process ref: 0 2 1 3) bfqq2 merged to bfqq3: Process 1 Process 2 Process 3 (BIC1) (BIC2) (BIC3) here -> Λ | | \--------------\ \-------------\| V V bfqq1--------->bfqq2---------->bfqq3 process ref: 0 1 3 In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then get bfqq3 through merge chain, and finially handle IO by bfqq3. Howerver, current code will think bfqq2 is owned by BIC1, like initial state, and set bfqq2->bic to BIC1. bfq_insert_request -> by Process 1 bfqq = bfq_init_rq(rq) bfqq = bfq_get_bfqq_handle_split bfqq = bic_to_bfqq -> get bfqq2 from BIC1 bfqq->ref++ rq->elv.priv[0] = bic rq->elv.priv[1] = bfqq if (bfqq_process_refs(bfqq) == 1) bfqq->bic = bic -> record BIC1 to bfqq2 __bfq_insert_request new_bfqq = bfq_setup_cooperator -> get bfqq3 from bfqq2->new_bfqq bfqq_request_freed(bfqq) new_bfqq->ref++ rq->elv.priv[1] = new_bfqq -> handle IO by bfqq3 Fix the problem by checking bfqq is from merge chain fist. And this might fix a following problem reported by our syzkaller(unreproducible): ================================================================== BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595 CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: kblockd blk_mq_requeue_work Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0x10d/0x610 mm/kasan/report.c:475 kasan_report+0x8e/0xc0 mm/kasan/report.c:588 bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline] bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline] bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889 bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757 bfq_init_rq block/bfq-iosched.c:6876 [inline] bfq_insert_request block/bfq-iosched.c:6254 [inline] bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304 blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593 blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 kthread+0x33c/0x440 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 Allocated by task 20776: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook mm/slab.h:763 [inline] slab_alloc_node mm/slub.c:3458 [inline] kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503 ioc_create_icq block/blk-ioc.c:370 [inline] ioc_find_get_icq+0x180/0xaa0 block/blk-ioc.c:436 bfq_prepare_request+0x39/0xf0 block/bfq-iosched.c:6812 blk_mq_rq_ctx_init.isra.7+0x6ac/0xa00 block/blk-mq.c:403 __blk_mq_alloc_requests+0xcc0/0x1070 block/blk-mq.c:517 blk_mq_get_new_requests block/blk-mq.c:2940 [inline] blk_mq_submit_bio+0x624/0x27c0 block/blk-mq.c:3042 __submit_bio+0x331/0x6f0 block/blk-core.c:624 __submit_bio_noacct_mq block/blk-core.c:703 [inline] submit_bio_noacct_nocheck+0x816/0xb40 block/blk-core.c:732 submit_bio_noacct+0x7a6/0x1b50 block/blk-core.c:826 xlog_write_iclog+0x7d5/0xa00 fs/xfs/xfs_log.c:1958 xlog_state_release_iclog+0x3b8/0x720 fs/xfs/xfs_log.c:619 xlog_cil_push_work+0x19c5/0x2270 fs/xfs/xfs_log_cil.c:1330 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 kthread+0x33c/0x440 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 Freed by task 946: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] __kasan_slab_free+0x12c/0x1c0 mm/kasan/common.c:244 kasan_slab_free include/linux/kasan.h:164 [inline] slab_free_hook mm/slub.c:1815 [inline] slab_free_freelist_hook mm/slub.c:1841 [inline] slab_free mm/slub.c:3786 [inline] kmem_cache_free+0x118/0x6f0 mm/slub.c:3808 rcu_do_batch+0x35c/0xe30 kernel/rcu/tree.c:2189 rcu_core+0x819/0xd90 kernel/rcu/tree.c:2462 __do_softirq+0x1b0/0x7a2 kernel/softirq.c:553 Last potentially related work creation: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492 __call_rcu_common kernel/rcu/tree.c:2712 [inline] call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826 ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105 ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 kthread+0x33c/0x440 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 Second to last potentially related work creation: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492 __call_rcu_common kernel/rcu/tree.c:2712 [inline] call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826 ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105 ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124 process_one_work kernel/workqueue.c:2627 [inline] process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700 worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781 kthread+0x33c/0x440 kernel/kthread.c:388 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305 The buggy address belongs to the object at ffff888123839d68 which belongs to the cache bfq_io_cq of size 1360 The buggy address is located 336 bytes inside of freed 1360-byte region [ffff888123839d68, ffff88812383a2b8) The buggy address belongs to the physical page: page:ffffea00048e0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812383f588 pfn:0x123838 head:ffffea00048e0e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x17ffffc0000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0017ffffc0000a40 ffff88810588c200 ffffea00048ffa10 ffff888105889488 raw: ffff88812383f588 0000000000150006 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888123839d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888123839e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888123839e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888123839f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888123839f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20240902130329.3787024-2-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 9a74c3e6c0d686c26ba2aab66d15ddb89dc139cc Author: Ming Lei Date: Fri Aug 30 11:41:45 2024 +0800 nbd: fix race between timeout and normal completion [ Upstream commit c9ea57c91f03bcad415e1a20113bdb2077bcf990 ] If request timetout is handled by nbd_requeue_cmd(), normal completion has to be stopped for avoiding to complete this requeued request, other use-after-free can be triggered. Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), meantime make sure that cmd->lock is grabbed for clearing the flag and the requeue. Cc: Josef Bacik Cc: Yu Kuai Fixes: 2895f1831e91 ("nbd: don't clear 'NBD_CMD_INFLIGHT' flag if request is not completed") Signed-off-by: Ming Lei Reviewed-by: Yu Kuai Link: https://lore.kernel.org/r/20240830034145.1827742-1-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit aeef136bc54bbc8a19895ef6d66d74e3ee38281d Author: Ming Lei Date: Mon Aug 12 09:36:24 2024 +0800 ublk: move zone report data out of request pdu [ Upstream commit 9327b51c9a9c864f5177127e09851da9d78b4943 ] ublk zoned takes 16 bytes in each request pdu just for handling REPORT_ZONE operation, this way does waste memory since request pdu is allocated statically. Store the transient zone report data into one global xarray, and remove it after the report zone request is completed. This way is reasonable since report zone is run in slow code path. Fixes: 29802d7ca33b ("ublk: enable zoned storage support") Cc: Damien Le Moal Cc: Andreas Hindborg Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20240812013624.587587-1-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 08409e401622e2896b4313be9f781bde8a2a6a53 Author: Eric Dumazet Date: Fri Sep 13 08:31:47 2024 +0000 ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() [ Upstream commit 04ccecfa959d3b9ae7348780d8e379c6486176ac ] Blamed commit accidentally removed a check for rt->rt6i_idev being NULL, as spotted by syzbot: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline] RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914 Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06 RSP: 0018:ffffc900047374e0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0 RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18 R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930 FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856 addrconf_notify+0x3cb/0x1020 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93 call_netdevice_notifiers_extack net/core/dev.c:2032 [inline] call_netdevice_notifiers net/core/dev.c:2046 [inline] unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352 unregister_netdevice_many net/core/dev.c:11414 [inline] unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289 unregister_netdevice include/linux/netdevice.h:3129 [inline] __tun_detach+0x6b9/0x1600 drivers/net/tun.c:685 tun_detach drivers/net/tun.c:701 [inline] tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510 __fput+0x24a/0x8a0 fs/file_table.c:422 task_work_run+0x24f/0x310 kernel/task_work.c:228 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2f/0x27f0 kernel/exit.c:882 do_group_exit+0x207/0x2c0 kernel/exit.c:1031 __do_sys_exit_group kernel/exit.c:1042 [inline] __se_sys_exit_group kernel/exit.c:1040 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f1acc77def9 Code: Unable to access opcode bytes at 0x7f1acc77decf. RSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043 RBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline] RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914 Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06 RSP: 0018:ffffc900047374e0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0 RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18 R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930 FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Fixes: e332bc67cf5e ("ipv6: Don't call with rt6_uncached_list_flush_dev") Signed-off-by: Eric Dumazet Reviewed-by: Simon Horman Reviewed-by: David Ahern Acked-by: Martin KaFai Lau Link: https://patch.msgid.link/20240913083147.3095442-1-edumazet@google.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit bad973f05f0cbce3b7ad2a575a3e3b47c9a7cece Author: Su Hui Date: Thu Sep 12 19:01:20 2024 +0800 net: tipc: avoid possible garbage value [ Upstream commit 99655a304e450baaae6b396cb942b9e47659d644 ] Clang static checker (scan-build) warning: net/tipc/bcast.c:305:4: The expression is an uninitialized value. The computed value will also be garbage [core.uninitialized.Assign] 305 | (*cong_link_cnt)++; | ^~~~~~~~~~~~~~~~~~ tipc_rcast_xmit() will increase cong_link_cnt's value, but cong_link_cnt is uninitialized. Although it won't really cause a problem, it's better to fix it. Fixes: dca4a17d24ee ("tipc: fix potential hanging after b/rcast changing") Signed-off-by: Su Hui Reviewed-by: Justin Stitt Link: https://patch.msgid.link/20240912110119.2025503-1-suhui@nfschina.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 8d3cbe74061e5e692c520b9a974c1d31ec1ee27e Author: Brett Creeley Date: Thu Sep 12 10:49:22 2024 -0700 fbnic: Set napi irq value after calling netif_napi_add [ Upstream commit 9f3e7f11f21ac83cd99428390165177d4953b005 ] The driver calls netif_napi_set_irq() and then calls netif_napi_add(), which calls netif_napi_add_weight(). At the end of netif_napi_add_weight() is a call to netif_napi_set_irq(napi, -1), which clears the previously set napi->irq value. Fix this by calling netif_napi_set_irq() after calling netif_napi_add(). This was found when reviewing another patch and I have no way to test this, but the fix seemed relatively straight forward. Fixes: bc6107771bb4 ("eth: fbnic: Allocate a netdevice and napi vectors with queues") Signed-off-by: Brett Creeley Reviewed-by: Joe Damato Reviewed-by: Vadim Fedorenko Link: https://patch.msgid.link/20240912174922.10550-1-brett.creeley@amd.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 8f588cd7448385c514cec0bbd082a02479d4139e Author: Justin Iurman Date: Wed Sep 11 19:45:57 2024 +0200 net: ipv6: rpl_iptunnel: Fix memory leak in rpl_input [ Upstream commit 2c84b0aa28b9e73e8c4b4ce038269469434ae372 ] Free the skb before returning from rpl_input when skb_cow_head() fails. Use a "drop" label and goto instructions. Fixes: a7a29f9c361f ("net: ipv6: add rpl sr tunnel") Signed-off-by: Justin Iurman Reviewed-by: Simon Horman Link: https://patch.msgid.link/20240911174557.11536-1-justin.iurman@uliege.be Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 6960475b15b8c98d628f9a3783131227b99bf567 Author: Heiner Kallweit Date: Wed Sep 11 15:51:11 2024 +0200 r8169: disable ALDPS per default for RTL8125 [ Upstream commit b9c7ac4fe22c608acf6153a3329df2b6b6cd416c ] En-Wei reported that traffic breaks if cable is unplugged for more than 3s and then re-plugged. This was supposed to be fixed by 621735f59064 ("r8169: fix rare issue with broken rx after link-down on RTL8125"). But apparently this didn't fix the issue for everybody. The 3s threshold rang a bell, as this is the delay after which ALDPS kicks in. And indeed disabling ALDPS fixes the issue for this user. Maybe this fixes the issue in general. In a follow-up step we could remove the first fix attempt and see whether anybody complains. Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125") Tested-by: En-Wei WU Signed-off-by: Heiner Kallweit Link: https://patch.msgid.link/778b9d86-05c4-4856-be59-cde4487b9e52@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 182c6fed8c7f62cddce0126ec1fc0da2b700fb11 Author: Breno Leitao Date: Thu Sep 12 08:56:19 2024 -0700 netkit: Assign missing bpf_net_context [ Upstream commit 157f29152b61ca41809dd7ead29f5733adeced19 ] During the introduction of struct bpf_net_context handling for XDP-redirect, the netkit driver has been missed, which also requires it because NETKIT_REDIRECT invokes skb_do_redirect() which is accessing the per-CPU variables. Otherwise we see the following crash: BUG: kernel NULL pointer dereference, address: 0000000000000038 bpf_redirect() netkit_xmit() dev_hard_start_xmit() Set the bpf_net_context before invoking netkit_xmit() program within the netkit driver. Fixes: 401cb7dae813 ("net: Reference bpf_redirect_info via task_struct on PREEMPT_RT.") Signed-off-by: Breno Leitao Acked-by: Daniel Borkmann Reviewed-by: Sebastian Andrzej Siewior Reviewed-by: Toke Høiland-Jørgensen Acked-by: Nikolay Aleksandrov Acked-by: Martin KaFai Lau Link: https://patch.msgid.link/20240912155620.1334587-1-leitao@debian.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 7506e560fc5c8d1a56c3d102e864ecc43ac1ef36 Author: Maciej Fijalkowski Date: Wed Sep 11 21:10:19 2024 +0200 xsk: fix batch alloc API on non-coherent systems [ Upstream commit 4144a1059b47e821c82c3c82eb23a4c7312dce3a ] In cases when synchronizing DMA operations is necessary, xsk_buff_alloc_batch() returns a single buffer instead of the requested count. This puts the pressure on drivers that use batch API as they have to check for this corner case on their side and take care of allocations by themselves, which feels counter productive. Let us improve the core by looping over xp_alloc() @max times when slow path needs to be taken. Another issue with current interface, as spotted and fixed by Dries, was that when driver called xsk_buff_alloc_batch() with @max == 0, for slow path case it still allocated and returned a single buffer, which should not happen. By introducing the logic from first paragraph we kill two birds with one stone and address this problem as well. Fixes: 47e4075df300 ("xsk: Batched buffer allocation for the pool") Reported-and-tested-by: Dries De Winter Co-developed-by: Dries De Winter Signed-off-by: Dries De Winter Signed-off-by: Maciej Fijalkowski Acked-by: Magnus Karlsson Acked-by: Alexei Starovoitov Link: https://patch.msgid.link/20240911191019.296480-1-maciej.fijalkowski@intel.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c0814acc25b36cb63ee88c6c07dc7ba03495b298 Author: Herbert Xu Date: Tue Sep 10 17:30:24 2024 +0800 crypto: n2 - Set err to EINVAL if snprintf fails for hmac [ Upstream commit ce212d2afca47acd366a2e74c76fe82c31f785ab ] Return EINVAL if the snprintf check fails when constructing the algorithm names. Fixes: 8c20982caca4 ("crypto: n2 - Silence gcc format-truncation false positive warnings") Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202409090726.TP0WfY7p-lkp@intel.com/ Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 4d8ac762516f53b3aca5de9d1bcca6e317715801 Author: Jinjie Ruan Date: Wed Sep 11 17:44:44 2024 +0800 net: enetc: Use IRQF_NO_AUTOEN flag in request_irq() [ Upstream commit 799a9225997799f7b1b579bc50a93b78b4fb2a01 ] disable_irq() after request_irq() still has a time gap in which interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will disable IRQ auto-enable when request IRQ. Fixes: bbb96dc7fa1a ("enetc: Factor out the traffic start/stop procedures") Signed-off-by: Jinjie Ruan Link: https://patch.msgid.link/20240911094445.1922476-3-ruanjinjie@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit df9c37dd1933e22de95346c2403af5b26d398279 Author: Guillaume Nault Date: Wed Sep 11 11:21:05 2024 +0200 bareudp: Pull inner IP header on xmit. [ Upstream commit c471236b2359e6b27388475dd04fff0a5e2bf922 ] Both bareudp_xmit_skb() and bareudp6_xmit_skb() read their skb's inner IP header to get its ECN value (with ip_tunnel_ecn_encap()). Therefore we need to ensure that the inner IP header is part of the skb's linear data. Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.") Signed-off-by: Guillaume Nault Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/267328222f0a11519c6de04c640a4f87a38ea9ed.1726046181.git.gnault@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit eb1272cd34aa7e13fd168a36c97f7ca56a409936 Author: Guillaume Nault Date: Wed Sep 11 11:20:58 2024 +0200 bareudp: Pull inner IP header in bareudp_udp_encap_recv(). [ Upstream commit 45fa29c85117170b0508790f878b13ec6593c888 ] Bareudp reads the inner IP header to get the ECN value. Therefore, it needs to ensure that it's part of the skb's linear data. This is similar to the vxlan and geneve fixes for that same problem: * commit f7789419137b ("vxlan: Pull inner IP header in vxlan_rcv().") * commit 1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()") Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.") Signed-off-by: Guillaume Nault Reviewed-by: Willem de Bruijn Link: https://patch.msgid.link/5205940067c40218a70fbb888080466b2fc288db.1726046181.git.gnault@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 8603daa4300b84abb3c68e48f3b607d7d5a2a207 Author: Luiz Augusto von Dentz Date: Mon Sep 9 16:51:52 2024 -0400 Bluetooth: btusb: Fix not handling ZPL/short-transfer [ Upstream commit 7b05933340f4490ef5b09e84d644d12484b05fdf ] Requesting transfers of the exact same size of wMaxPacketSize may result in ZPL/short-transfer since the USB stack cannot handle it as we are limiting the buffer size to be the same as wMaxPacketSize. Also, in terms of throughput this change has the same effect to interrupt endpoint as 290ba200815f "Bluetooth: Improve USB driver throughput by increasing the frame size" had for the bulk endpoint, so users of the advertisement bearer (e.g. BT Mesh) may benefit from this change. Fixes: 5e23b923da03 ("[Bluetooth] Add generic driver for Bluetooth USB devices") Signed-off-by: Luiz Augusto von Dentz Tested-by: Kiran K Signed-off-by: Sasha Levin commit ad089dde9c96bc65cc94f253a41d3dfeaa283341 Author: Marc Kleine-Budde Date: Mon Sep 9 15:07:41 2024 +0200 can: m_can: m_can_close(): stop clocks after device has been shut down [ Upstream commit 2c09b50efcad985cf920ca88baa9aa52b1999dcc ] After calling m_can_stop() an interrupt may be pending or NAPI might still be executed. This means the driver might still touch registers of the IP core after the clocks have been disabled. This is not good practice and might lead to aborts depending on the SoC integration. To avoid these potential problems, make m_can_close() symmetric to m_can_open(), i.e. stop the clocks at the end, right before shutting down the transceiver. Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") Link: https://patch.msgid.link/20240910-can-m_can-fix-ifup-v3-2-6c1720ba45ce@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 6f8840428d191f91adb96d66b30075465a747a83 Author: Jake Hamby Date: Fri Sep 6 23:19:51 2024 +0000 can: m_can: enable NAPI before enabling interrupts [ Upstream commit 801ad2f87b0c6d0c34a75a4efd6bfd3a2d9f9298 ] If an interrupt (RX-complete or error flag) is set when bringing up the CAN device, e.g. due to CAN bus traffic before initializing the device, when m_can_start() is called and interrupts are enabled, m_can_isr() is called immediately, which disables all CAN interrupts and calls napi_schedule(). Because napi_enable() isn't called until later in m_can_open(), the call to napi_schedule() never schedules the m_can_poll() callback and the device is left with interrupts disabled and can't receive any CAN packets until rebooted. This can be verified by running "cansend" from another device before setting the bitrate and calling "ip link set up can0" on the test device. Adding debug lines to m_can_isr() shows it's called with flags (IR_EP | IR_EW | IR_CRCE), which calls m_can_disable_all_interrupts() and napi_schedule(), and then m_can_poll() is never called. Move the call to napi_enable() above the call to m_can_start() to enable any initial interrupt flags to be handled by m_can_poll() so that interrupts are reenabled. Add a call to napi_disable() in the error handling section of m_can_open(), to handle the case where later functions return errors. Also, in m_can_close(), move the call to napi_disable() below the call to m_can_stop() to ensure all interrupts are handled when bringing down the device. This race condition is much less likely to occur. Tested on a Microchip SAMA7G54 MPU. The fix should be applicable to any SoC with a Bosch M_CAN controller. Signed-off-by: Jake Hamby Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") Link: https://patch.msgid.link/20240910-can-m_can-fix-ifup-v3-1-6c1720ba45ce@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit b02ed2f01240b226570b4a19b5041d61f5125784 Author: Kuniyuki Iwashima Date: Wed Sep 4 18:22:37 2024 -0700 can: bcm: Clear bo->bcm_proc_read after remove_proc_entry(). [ Upstream commit 94b0818fa63555a65f6ba107080659ea6bcca63e ] syzbot reported a warning in bcm_release(). [0] The blamed change fixed another warning that is triggered when connect() is issued again for a socket whose connect()ed device has been unregistered. However, if the socket is just close()d without the 2nd connect(), the remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry() in bcm_release(). Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify(). [0] name '4986' WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711 Modules linked in: CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711 Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07 RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246 RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640 R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: bcm_release+0x250/0x880 net/can/bcm.c:1578 __sock_release net/socket.c:659 [inline] sock_close+0xbc/0x240 net/socket.c:1421 __fput+0x24a/0x8a0 fs/file_table.c:422 task_work_run+0x24f/0x310 kernel/task_work.c:228 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2f/0x27f0 kernel/exit.c:882 do_group_exit+0x207/0x2c0 kernel/exit.c:1031 __do_sys_exit_group kernel/exit.c:1042 [inline] __se_sys_exit_group kernel/exit.c:1040 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040 x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcfb51ee969 Code: Unable to access opcode bytes at 0x7fcfb51ee93f. RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969 RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000 R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0 R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160 Fixes: 76fe372ccb81 ("can: bcm: Remove proc entry when dev is unregistered.") Reported-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=0532ac7a06fb1a03187e Tested-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com Signed-off-by: Kuniyuki Iwashima Reviewed-by: Vincent Mailhol Link: https://patch.msgid.link/20240905012237.79683-1-kuniyu@amazon.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit cd10abf41bae55c9d2b93f34a516dbf52626bcb7 Author: Eric Dumazet Date: Fri Sep 6 15:44:49 2024 +0000 sock_map: Add a cond_resched() in sock_hash_free() [ Upstream commit b1339be951ad31947ae19bc25cb08769bf255100 ] Several syzbot soft lockup reports all have in common sock_hash_free() If a map with a large number of buckets is destroyed, we need to yield the cpu when needed. Fixes: 75e68e5bf2c7 ("bpf, sockhash: Synchronize delete from bucket list on map free") Reported-by: syzbot Signed-off-by: Eric Dumazet Signed-off-by: Daniel Borkmann Acked-by: Martin KaFai Lau Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20240906154449.3742932-1-edumazet@google.com Signed-off-by: Sasha Levin commit 846a6fc7860119ee72737391856497b3fcf7c2b5 Author: Luiz Augusto von Dentz Date: Wed Aug 16 12:05:00 2023 -0700 Bluetooth: hci_sync: Ignore errors from HCI_OP_REMOTE_NAME_REQ_CANCEL [ Upstream commit cfbfeee61582e638770a1a10deef866c9adb38f5 ] This ignores errors from HCI_OP_REMOTE_NAME_REQ_CANCEL since it shouldn't interfere with the stopping of discovery and in certain conditions it seems to be failing. Link: https://github.com/bluez/bluez/issues/575 Fixes: d0b137062b2d ("Bluetooth: hci_sync: Rework init stages") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit f68f72d04b60d3af36b63b888fe084966bca07b9 Author: Luiz Augusto von Dentz Date: Fri Aug 30 17:29:27 2024 -0400 Bluetooth: hci_core: Fix sending MGMT_EV_CONNECT_FAILED [ Upstream commit d47da6bd4cfa982fe903f33423b9e2ec541e9496 ] If HCI_CONN_MGMT_CONNECTED has been set then the event shall be HCI_CONN_MGMT_DISCONNECTED. Fixes: b644ba336997 ("Bluetooth: Update device_connected and device_found events to latest API") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 4a7f9a2591a923bdde4bd7eac33490b6ae3b257c Author: Kuniyuki Iwashima Date: Thu Sep 5 12:32:40 2024 -0700 af_unix: Don't return OOB skb in manage_oob(). [ Upstream commit 5aa57d9f2d5311f19434d95b2a81610aa263e23b ] syzbot reported use-after-free in unix_stream_recv_urg(). [0] The scenario is 1. send(MSG_OOB) 2. recv(MSG_OOB) -> The consumed OOB remains in recv queue 3. send(MSG_OOB) 4. recv() -> manage_oob() returns the next skb of the consumed OOB -> This is also OOB, but unix_sk(sk)->oob_skb is not cleared 5. recv(MSG_OOB) -> unix_sk(sk)->oob_skb is used but already freed The recent commit 8594d9b85c07 ("af_unix: Don't call skb_get() for OOB skb.") uncovered the issue. If the OOB skb is consumed and the next skb is peeked in manage_oob(), we still need to check if the skb is OOB. Let's do so by falling back to the following checks in manage_oob() and add the test case in selftest. Note that we need to add a similar check for SIOCATMARK. [0]: BUG: KASAN: slab-use-after-free in unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959 Read of size 4 at addr ffff8880326abcc4 by task syz-executor178/5235 CPU: 0 UID: 0 PID: 5235 Comm: syz-executor178 Not tainted 6.11.0-rc5-syzkaller-00742-gfbdaffe41adc #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 unix_stream_read_actor+0xa6/0xb0 net/unix/af_unix.c:2959 unix_stream_recv_urg+0x1df/0x320 net/unix/af_unix.c:2640 unix_stream_read_generic+0x2456/0x2520 net/unix/af_unix.c:2778 unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x22f/0x280 net/socket.c:1068 ____sys_recvmsg+0x1db/0x470 net/socket.c:2816 ___sys_recvmsg net/socket.c:2858 [inline] __sys_recvmsg+0x2f0/0x3e0 net/socket.c:2888 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5360d6b4e9 Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fff29b3a458 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 00007fff29b3a638 RCX: 00007f5360d6b4e9 RDX: 0000000000002001 RSI: 0000000020000640 RDI: 0000000000000003 RBP: 00007f5360dde610 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007fff29b3a628 R14: 0000000000000001 R15: 0000000000000001 Allocated by task 5235: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:312 [inline] __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:338 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook mm/slub.c:3988 [inline] slab_alloc_node mm/slub.c:4037 [inline] kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4080 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667 alloc_skb include/linux/skbuff.h:1320 [inline] alloc_skb_with_frags+0xc3/0x770 net/core/skbuff.c:6528 sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2815 sock_alloc_send_skb include/net/sock.h:1778 [inline] queue_oob+0x108/0x680 net/unix/af_unix.c:2198 unix_stream_sendmsg+0xd24/0xf80 net/unix/af_unix.c:2351 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2680 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5235: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kmem_cache_free+0x145/0x350 mm/slub.c:4548 unix_stream_read_generic+0x1ef6/0x2520 net/unix/af_unix.c:2917 unix_stream_recvmsg+0x22b/0x2c0 net/unix/af_unix.c:2996 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x22f/0x280 net/socket.c:1068 __sys_recvfrom+0x256/0x3e0 net/socket.c:2255 __do_sys_recvfrom net/socket.c:2273 [inline] __se_sys_recvfrom net/socket.c:2269 [inline] __x64_sys_recvfrom+0xde/0x100 net/socket.c:2269 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff8880326abc80 which belongs to the cache skbuff_head_cache of size 240 The buggy address is located 68 bytes inside of freed 240-byte region [ffff8880326abc80, ffff8880326abd70) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x326ab ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: 0xfdffffff(slab) raw: 00fff00000000000 ffff88801eaee780 ffffea0000b7dc80 dead000000000003 raw: 0000000000000000 00000000800c000c 00000001fdffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4686, tgid 4686 (udevadm), ts 32357469485, free_ts 28829011109 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1493 prep_new_page mm/page_alloc.c:1501 [inline] get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3439 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4695 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline] alloc_pages_node_noprof include/linux/gfp.h:296 [inline] alloc_slab_page+0x5f/0x120 mm/slub.c:2321 allocate_slab+0x5a/0x2f0 mm/slub.c:2484 new_slab mm/slub.c:2537 [inline] ___slab_alloc+0xcd1/0x14b0 mm/slub.c:3723 __slab_alloc+0x58/0xa0 mm/slub.c:3813 __slab_alloc_node mm/slub.c:3866 [inline] slab_alloc_node mm/slub.c:4025 [inline] kmem_cache_alloc_node_noprof+0x1fe/0x320 mm/slub.c:4080 __alloc_skb+0x1c3/0x440 net/core/skbuff.c:667 alloc_skb include/linux/skbuff.h:1320 [inline] alloc_uevent_skb+0x74/0x230 lib/kobject_uevent.c:289 uevent_net_broadcast_untagged lib/kobject_uevent.c:326 [inline] kobject_uevent_net_broadcast+0x2fd/0x580 lib/kobject_uevent.c:410 kobject_uevent_env+0x57d/0x8e0 lib/kobject_uevent.c:608 kobject_synth_uevent+0x4ef/0xae0 lib/kobject_uevent.c:207 uevent_store+0x4b/0x70 drivers/base/bus.c:633 kernfs_fop_write_iter+0x3a1/0x500 fs/kernfs/file.c:334 new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa72/0xc90 fs/read_write.c:590 page last free pid 1 tgid 1 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1094 [inline] free_unref_page+0xd22/0xea0 mm/page_alloc.c:2612 kasan_depopulate_vmalloc_pte+0x74/0x90 mm/kasan/shadow.c:408 apply_to_pte_range mm/memory.c:2797 [inline] apply_to_pmd_range mm/memory.c:2841 [inline] apply_to_pud_range mm/memory.c:2877 [inline] apply_to_p4d_range mm/memory.c:2913 [inline] __apply_to_page_range+0x8a8/0xe50 mm/memory.c:2947 kasan_release_vmalloc+0x9a/0xb0 mm/kasan/shadow.c:525 purge_vmap_node+0x3e3/0x770 mm/vmalloc.c:2208 __purge_vmap_area_lazy+0x708/0xae0 mm/vmalloc.c:2290 _vm_unmap_aliases+0x79d/0x840 mm/vmalloc.c:2885 change_page_attr_set_clr+0x2fe/0xdb0 arch/x86/mm/pat/set_memory.c:1881 change_page_attr_set arch/x86/mm/pat/set_memory.c:1922 [inline] set_memory_nx+0xf2/0x130 arch/x86/mm/pat/set_memory.c:2110 free_init_pages arch/x86/mm/init.c:924 [inline] free_kernel_image_pages arch/x86/mm/init.c:943 [inline] free_initmem+0x79/0x110 arch/x86/mm/init.c:970 kernel_init+0x31/0x2b0 init/main.c:1476 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Memory state around the buggy address: ffff8880326abb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880326abc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc >ffff8880326abc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880326abd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc ffff8880326abd80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb Fixes: 93c99f21db36 ("af_unix: Don't stop recv(MSG_DONTWAIT) if consumed OOB skb is at the head.") Reported-by: syzbot+8811381d455e3e9ec788@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=8811381d455e3e9ec788 Signed-off-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20240905193240.17565-5-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 78f2c49f991d8d76481435ebd0b5fc1442dd6842 Author: Kuniyuki Iwashima Date: Thu Sep 5 12:32:39 2024 -0700 af_unix: Move spin_lock() in manage_oob(). [ Upstream commit a0264a9f51fe0d196f22efd7538eb749e3448c2d ] When OOB skb has been already consumed, manage_oob() returns the next skb if exists. In such a case, we need to fall back to the else branch below. Then, we want to keep holding spin_lock(&sk->sk_receive_queue.lock). Let's move it out of if-else branch and add lightweight check before spin_lock() for major use cases without OOB skb. Signed-off-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20240905193240.17565-4-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Stable-dep-of: 5aa57d9f2d53 ("af_unix: Don't return OOB skb in manage_oob().") Signed-off-by: Sasha Levin commit d7a1662143cf211a6d0c4cb5fb6f51657e60d0a9 Author: Kuniyuki Iwashima Date: Thu Sep 5 12:32:38 2024 -0700 af_unix: Rename unlinked_skb in manage_oob(). [ Upstream commit beb2c5f19b6ab033b187e770a659c730c3bd05ca ] When OOB skb has been already consumed, manage_oob() returns the next skb if exists. In such a case, we need to fall back to the else branch below. Then, we need to keep two skbs and free them later with consume_skb() and kfree_skb(). Let's rename unlinked_skb accordingly. Signed-off-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20240905193240.17565-3-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Stable-dep-of: 5aa57d9f2d53 ("af_unix: Don't return OOB skb in manage_oob().") Signed-off-by: Sasha Levin commit 68347ffd3edcdbe00acc320fb42d35e98fdad6be Author: Kuniyuki Iwashima Date: Thu Sep 5 12:32:37 2024 -0700 af_unix: Remove single nest in manage_oob(). [ Upstream commit 579770dd89855915096db8364261543c37ed34ef ] This is a prep for the later fix. No functional change intended. Signed-off-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20240905193240.17565-2-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Stable-dep-of: 5aa57d9f2d53 ("af_unix: Don't return OOB skb in manage_oob().") Signed-off-by: Sasha Levin commit f0f170d7b7ed9b824e8f2502dfba4ee1eb76dac4 Author: Kuniyuki Iwashima Date: Fri Aug 16 16:39:21 2024 -0700 af_unix: Don't call skb_get() for OOB skb. [ Upstream commit 8594d9b85c07f05e431bd07e895c2a3ad9b85d6f ] Since introduced, OOB skb holds an additional reference count with no special reason and caused many issues. Also, kfree_skb() and consume_skb() are used to decrement the count, which is confusing. Let's drop the unnecessary skb_get() in queue_oob() and corresponding kfree_skb(), consume_skb(), and skb_unref(). Now unix_sk(sk)->oob_skb is just a pointer to skb in the receive queue, so special handing is no longer needed in GC. Signed-off-by: Kuniyuki Iwashima Link: https://patch.msgid.link/20240816233921.57800-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski Stable-dep-of: 5aa57d9f2d53 ("af_unix: Don't return OOB skb in manage_oob().") Signed-off-by: Sasha Levin commit 79510414a7626317f13cc9073244ab7a8deb3192 Author: Jiawei Ye Date: Thu Aug 29 08:17:09 2024 +0000 wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param [ Upstream commit 6d7c6ae1efb1ff68bc01d79d94fdf0388f86cdd8 ] In the `wilc_parse_join_bss_param` function, the TSF field of the `ies` structure is accessed after the RCU read-side critical section is unlocked. According to RCU usage rules, this is illegal. Reusing this pointer can lead to unpredictable behavior, including accessing memory that has been updated or causing use-after-free issues. This possible bug was identified using a static analysis tool developed by myself, specifically designed to detect RCU-related issues. To address this, the TSF value is now stored in a local variable `ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is then assigned using this local variable, ensuring that the TSF value is safely accessed. Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path") Signed-off-by: Jiawei Ye Reviewed-by: Alexis Lothoré Signed-off-by: Kalle Valo Link: https://patch.msgid.link/tencent_466225AA599BA49627FB26F707EE17BC5407@qq.com Signed-off-by: Sasha Levin commit ad4b7068b101fbbb4a9ca4b99b25eb051a9482ec Author: Dmitry Antipov Date: Fri Sep 6 15:31:51 2024 +0300 wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop() [ Upstream commit 9d301de12da6e1bb069a9835c38359b8e8135121 ] Since '__dev_queue_xmit()' should be called with interrupts enabled, the following backtrace: ieee80211_do_stop() ... spin_lock_irqsave(&local->queue_stop_reason_lock, flags) ... ieee80211_free_txskb() ieee80211_report_used_skb() ieee80211_report_ack_skb() cfg80211_mgmt_tx_status_ext() nl80211_frame_tx_status() genlmsg_multicast_netns() genlmsg_multicast_netns_filtered() nlmsg_multicast_filtered() netlink_broadcast_filtered() do_one_broadcast() netlink_broadcast_deliver() __netlink_sendskb() netlink_deliver_tap() __netlink_deliver_tap_skb() dev_queue_xmit() __dev_queue_xmit() ; with IRQS disabled ... spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags) issues the warning (as reported by syzbot reproducer): WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120 Fix this by implementing a two-phase skb reclamation in 'ieee80211_do_stop()', where actual work is performed outside of a section with interrupts disabled. Fixes: 5061b0c2b906 ("mac80211: cooperate more with network namespaces") Reported-by: syzbot+1a3986bbd3169c307819@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819 Signed-off-by: Dmitry Antipov Link: https://patch.msgid.link/20240906123151.351647-1-dmantipov@yandex.ru Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit f569bbc9ecef2f89fc3e57784bc334ae6c1959bf Author: Dmitry Antipov Date: Mon Sep 9 12:08:06 2024 +0300 wifi: cfg80211: fix two more possible UBSAN-detected off-by-one errors [ Upstream commit 15ea13b1b1fbf6364d4cd568e65e4c8479632999 ] Although not reproduced in practice, these two cases may be considered by UBSAN as off-by-one errors. So fix them in the same way as in commit a26a5107bc52 ("wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()"). Fixes: 807f8a8c3004 ("cfg80211/nl80211: add support for scheduled scans") Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request") Signed-off-by: Dmitry Antipov Link: https://patch.msgid.link/20240909090806.1091956-1-dmantipov@yandex.ru Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 5d68c647c0597ddc4b40141a45ece58d515b1ba6 Author: Felix Fietkau Date: Tue Aug 27 11:30:10 2024 +0200 wifi: mt76: mt7996: fix uninitialized TLV data [ Upstream commit 9e461f4a2329109571f4b10f9bcad28d07e6ebb3 ] Use skb_put_zero instead of skb_put Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Link: https://patch.msgid.link/20240827093011.18621-23-nbd@nbd.name Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 0137ca96e613b720898e812e7d9408deb4fa0fb9 Author: Howard Hsu Date: Tue Aug 27 11:30:08 2024 +0200 wifi: mt76: mt7915: fix rx filter setting for bfee functionality [ Upstream commit 6ac80fce713e875a316a58975b830720a3e27721 ] Fix rx filter setting to prevent dropping NDPA frames. Without this change, bfee functionality may behave abnormally. Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Howard Hsu Link: https://patch.msgid.link/20240827093011.18621-21-nbd@nbd.name Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 6591578d54b3e1cc815e00b628999bb4a844d7e5 Author: Dmitry Antipov Date: Thu Sep 5 18:04:00 2024 +0300 wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan() [ Upstream commit a26a5107bc52922cf5f67361e307ad66547b51c7 ] Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819 and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the following: [ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25 [ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]' <...skipped...> [ T4985] Call Trace: [ T4985] [ T4985] dump_stack_lvl+0x1c2/0x2a0 [ T4985] ? __pfx_dump_stack_lvl+0x10/0x10 [ T4985] ? __pfx__printk+0x10/0x10 [ T4985] __ubsan_handle_out_of_bounds+0x127/0x150 [ T4985] cfg80211_wext_siwscan+0x11a4/0x1260 <...the rest is not too useful...> Even if we do 'creq->n_channels = n_channels' before 'creq->ssids = (void *)&creq->channels[n_channels]', UBSAN treats the latter as off-by-one error. Fix this by using pointer arithmetic rather than an expression with explicit array indexing and use convenient 'struct_size()' to simplify the math here and in 'kzalloc()' above. Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request") Signed-off-by: Dmitry Antipov Reviewed-by: Kees Cook Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru [fix coding style for multi-line calculation] Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 2b01aad3476bf6b0b8d75f4c80711e48572d9fd6 Author: Felix Fietkau Date: Tue Aug 27 11:29:48 2024 +0200 wifi: mt76: mt7603: fix mixed declarations and code [ Upstream commit 9b8d932053b8b45d650360b36f701cf0f9b6470e ] Move the qid variable declaration further up Fixes: b473c0e47f04 ("wifi: mt76: mt7603: fix tx queue of loopback packets") Link: https://patch.msgid.link/20240827093011.18621-1-nbd@nbd.name Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 834e646cb20ca3981c1f462231956f0ede4d6475 Author: Peter Chiu Date: Fri Aug 16 17:50:40 2024 +0800 wifi: mt76: connac: fix checksum offload fields of connac3 RXD [ Upstream commit a04b920fbc707deb699292cdae47006e8ea57d87 ] Fix incorrect RXD offset and bitfield related to RX checksum offload. Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Fixes: 4e9011fcdfc4 ("wifi: mt76: connac: move connac3 definitions in mt76_connac3_mac.h") Co-developed-by: Shayne Chen Signed-off-by: Shayne Chen Signed-off-by: Peter Chiu Link: https://patch.msgid.link/20240816095040.2574-1-shayne.chen@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 276ac2d69f5213680600d6dc96ee8579b639ea95 Author: Rex Lu Date: Fri Aug 16 17:46:33 2024 +0800 wifi: mt76: mt7996: fix handling mbss enable/disable [ Upstream commit ded1a6d9e13a32d4e8bef0c63accf49b9415ff5f ] When mbss was previously enabled, the TLV needs to be included when disabling it again, in order to clear the firmware state. Fixes: a7908d5b61e5 ("wifi: mt76: mt7996: fix non-main BSS no beacon issue for MBSS scenario") Signed-off-by: Rex Lu Signed-off-by: Shayne Chen Link: https://patch.msgid.link/20240816094635.2391-9-shayne.chen@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit c5f5b813e546f7fe133539c3d7a5086cc8dd2aa1 Author: Weili Qian Date: Sat Aug 31 19:48:31 2024 +0800 crypto: hisilicon/qm - inject error before stopping queue [ Upstream commit b04f06fc0243600665b3b50253869533b7938468 ] The master ooo cannot be completely closed when the accelerator core reports memory error. Therefore, the driver needs to inject the qm error to close the master ooo. Currently, the qm error is injected after stopping queue, memory may be released immediately after stopping queue, causing the device to access the released memory. Therefore, error is injected to close master ooo before stopping queue to ensure that the device does not access the released memory. Fixes: 6c6dd5802c2d ("crypto: hisilicon/qm - add controller reset interface") Signed-off-by: Weili Qian Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit b032b42ae64786afa18420a73ef67b5c5d2dbb94 Author: Weili Qian Date: Sat Aug 31 19:48:29 2024 +0800 crypto: hisilicon/qm - reset device before enabling it [ Upstream commit 5d2d1ee0874c26b8010ddf7f57e2f246e848af38 ] Before the device is enabled again, the device may still store the previously processed data. If an error occurs in the previous task, the device may fail to be enabled again. Therefore, before enabling device, reset the device to restore the initial state. Signed-off-by: Weili Qian Signed-off-by: Herbert Xu Stable-dep-of: b04f06fc0243 ("crypto: hisilicon/qm - inject error before stopping queue") Signed-off-by: Sasha Levin commit 986481137018661a6adfa79ff6a0aa4ab4727977 Author: Weili Qian Date: Sat Aug 31 19:48:30 2024 +0800 crypto: hisilicon/hpre - mask cluster timeout error [ Upstream commit 145013f723947c83b1a5f76a0cf6e7237d59e973 ] The timeout threshold of the hpre cluster is 16ms. When the CPU and device share virtual address, page fault processing time may exceed the threshold. In the current test, there is a high probability that the cluster times out. However, the cluster is waiting for the completion of memory access, which is not an error, the device does not need to be reset. If an error occurs in the cluster, qm also reports the error. Therefore, the cluster timeout error of hpre can be masked. Fixes: d90fab0deb8e ("crypto: hisilicon/qm - get error type from hardware registers") Signed-off-by: Weili Qian Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 540a461853cf31fd8fca28d686a5ce274759dd45 Author: Amit Shah Date: Thu Aug 29 12:20:07 2024 +0200 crypto: ccp - do not request interrupt on cmd completion when irqs disabled [ Upstream commit 3401f63e72596dcb7d912a5b67b4291643cc1034 ] While sending a command to the PSP, we always requested an interrupt from the PSP after command completion. This worked for most cases. For the special case of irqs being disabled -- e.g. when running within crashdump or kexec contexts, we should not set the SEV_CMDRESP_IOC flag, so the PSP knows to not attempt interrupt delivery. Fixes: 8ef979584ea8 ("crypto: ccp: Add panic notifier for SEV/SNP firmware shutdown on kdump") Based-on-patch-by: Tom Lendacky Signed-off-by: Amit Shah Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0d429d4c54bca8ab23806a85a933d40fa15df000 Author: John B. Wyatt IV Date: Wed Sep 4 22:19:08 2024 -0400 pm:cpupower: Add missing powercap_set_enabled() stub function [ Upstream commit 4b80294fb53845dc5c98cca0c989da09150f2ca9 ] There was a symbol listed in the powercap.h file that was not implemented. Implement it with a stub return of 0. Programs like SWIG require that functions that are defined in the headers be implemented. Fixes: c2294c1496b7 ("cpupower: Introduce powercap intel-rapl library and powercap-info command") Suggested-by: Shuah Khan Signed-off-by: John B. Wyatt IV Signed-off-by: John B. Wyatt IV Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 8132510c915815e6b537ab937d94ed66893bc7b8 Author: Aaron Lu Date: Thu Sep 5 16:08:54 2024 +0800 x86/sgx: Fix deadlock in SGX NUMA node search [ Upstream commit 9c936844010466535bd46ea4ce4656ef17653644 ] When the current node doesn't have an EPC section configured by firmware and all other EPC sections are used up, CPU can get stuck inside the while loop that looks for an available EPC page from remote nodes indefinitely, leading to a soft lockup. Note how nid_of_current will never be equal to nid in that while loop because nid_of_current is not set in sgx_numa_mask. Also worth mentioning is that it's perfectly fine for the firmware not to setup an EPC section on a node. While setting up an EPC section on each node can enhance performance, it is not a requirement for functionality. Rework the loop to start and end on *a* node that has SGX memory. This avoids the deadlock looking for the current SGX-lacking node to show up in the loop when it never will. Fixes: 901ddbb9ecf5 ("x86/sgx: Add a basic NUMA allocation scheme to sgx_alloc_epc_page()") Reported-by: "Molina Sabido, Gerardo" Signed-off-by: Aaron Lu Signed-off-by: Dave Hansen Reviewed-by: Kai Huang Reviewed-by: Jarkko Sakkinen Acked-by: Dave Hansen Tested-by: Zhimin Luo Link: https://lore.kernel.org/all/20240905080855.1699814-2-aaron.lu%40intel.com Signed-off-by: Sasha Levin commit 84223cf7ca92be4a100b89a1df7f11b8d1c2a8a2 Author: Howard Hsu Date: Fri Aug 16 17:46:31 2024 +0800 wifi: mt76: mt7996: fix EHT beamforming capability check [ Upstream commit 9ca65757f0a5b393a7737d37f377d5daf91716af ] If a VIF acts as a beamformer, it should check peer's beamformee capability, and vice versa. Fixes: ba01944adee9 ("wifi: mt76: mt7996: add EHT beamforming support") Signed-off-by: Howard Hsu Signed-off-by: Shayne Chen Link: https://patch.msgid.link/20240816094635.2391-7-shayne.chen@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 8ba4f6ad3bedca1055c38c3e6df78de6da61522f Author: Howard Hsu Date: Fri Aug 16 17:46:29 2024 +0800 wifi: mt76: mt7996: fix HE and EHT beamforming capabilities [ Upstream commit e1f4847fdbdf5d44ae60e035c131920e5ab88598 ] Fix HE and EHT beamforming capabilities for different bands and interface types. Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Fixes: 348533eb968d ("wifi: mt76: mt7996: add EHT capability init") Signed-off-by: Howard Hsu Signed-off-by: Shayne Chen Link: https://patch.msgid.link/20240816094635.2391-5-shayne.chen@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 87f8dad2f35d75d58d3399d43a4e70c2f1b7a216 Author: Peter Chiu Date: Fri Aug 16 17:46:27 2024 +0800 wifi: mt76: mt7996: fix wmm set of station interface to 3 [ Upstream commit 9265397caacf5c0c2d10c40b2958a474664ebd9e ] According to connac3 HW design, the WMM index of AP and STA interface should be 0 and 3, respectively. Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Signed-off-by: Peter Chiu Signed-off-by: Shayne Chen Link: https://patch.msgid.link/20240816094635.2391-3-shayne.chen@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 7f6c01cfccf4cfe83584954d98a724145feb8caa Author: Peter Chiu Date: Fri Aug 16 17:46:26 2024 +0800 wifi: mt76: mt7996: fix traffic delay when switching back to working channel [ Upstream commit 376200f095d0c3a7096199b336204698d7086279 ] During scanning, UNI_CHANNEL_RX_PATH tag is necessary for the firmware to properly stop and resume MAC TX queue. Without this tag, HW needs more time to resume traffic when switching back to working channel. Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Signed-off-by: Peter Chiu Signed-off-by: Shayne Chen Link: https://patch.msgid.link/20240816094635.2391-2-shayne.chen@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 33954930870c18ec549e4bca0eeff43e252cb740 Author: Peter Chiu Date: Fri Aug 16 17:46:25 2024 +0800 wifi: mt76: mt7996: use hweight16 to get correct tx antenna [ Upstream commit f98c3de92bb05dac4a4969df8a4595ed380b4604 ] The chainmask is u16 so using hweight8 cannot get correct tx_ant. Without this patch, the tx_ant of band 2 would be -1 and lead to the following issue: BUG: KASAN: stack-out-of-bounds in mt7996_mcu_add_sta+0x12e0/0x16e0 [mt7996e] Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices") Signed-off-by: Peter Chiu Signed-off-by: Shayne Chen Link: https://patch.msgid.link/20240816094635.2391-1-shayne.chen@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 0181f72b2771657e6db9cfd032e19515b4a79365 Author: Ming Yen Hsieh Date: Tue Aug 6 09:34:08 2024 +0800 wifi: mt76: mt7921: fix wrong UNII-4 freq range check for the channel usage [ Upstream commit 723762a7a7e6fdb3cc6953f127a3fe9c5162beb7 ] The check should start from 5845 to 5925, which includes channels 169, 173, and 177. Fixes: 09382d8f8641 ("wifi: mt76: mt7921: update the channel usage when the regd domain changed") Signed-off-by: Ming Yen Hsieh Link: https://patch.msgid.link/20240806013408.17874-1-mingyen.hsieh@mediatek.com Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit a94d2bd111b39f0c2c7fcbfbf8276ab98c3b8353 Author: Bjørn Mork Date: Sat Jul 13 15:00:10 2024 +0200 wifi: mt76: mt7915: fix oops on non-dbdc mt7986 [ Upstream commit 862bf7cbd772c2bad570ef0c5b5556a1330656dd ] mt7915_band_config() sets band_idx = 1 on the main phy for mt7986 with MT7975_ONE_ADIE or MT7976_ONE_ADIE. Commit 0335c034e726 ("wifi: mt76: fix race condition related to checking tx queue fill status") introduced a dereference of the phys array indirectly indexed by band_idx via wcid->phy_idx in mt76_wcid_cleanup(). This caused the following Oops on affected mt7986 devices: Unable to handle kernel read from unreadable memory at virtual address 0000000000000024 Mem abort info: ESR = 0x0000000096000005 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x05: level 1 translation fault Data abort info: ISV = 0, ISS = 0x00000005 CM = 0, WnR = 0 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000042545000 [0000000000000024] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 Internal error: Oops: 0000000096000005 [#1] SMP Modules linked in: ... mt7915e mt76_connac_lib mt76 mac80211 cfg80211 ... CPU: 2 PID: 1631 Comm: hostapd Not tainted 5.15.150 #0 Hardware name: ZyXEL EX5700 (Telenor) (DT) pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mt76_wcid_cleanup+0x84/0x22c [mt76] lr : mt76_wcid_cleanup+0x64/0x22c [mt76] sp : ffffffc00a803700 x29: ffffffc00a803700 x28: ffffff80008f7300 x27: ffffff80003f3c00 x26: ffffff80000a7880 x25: ffffffc008c26e00 x24: 0000000000000001 x23: ffffffc000a68114 x22: 0000000000000000 x21: ffffff8004172cc8 x20: ffffffc00a803748 x19: ffffff8004152020 x18: 0000000000000000 x17: 00000000000017c0 x16: ffffffc008ef5000 x15: 0000000000000be0 x14: ffffff8004172e28 x13: ffffff8004172e28 x12: 0000000000000000 x11: 0000000000000000 x10: ffffff8004172e30 x9 : ffffff8004172e28 x8 : 0000000000000000 x7 : ffffff8004156020 x6 : 0000000000000000 x5 : 0000000000000031 x4 : 0000000000000000 x3 : 0000000000000001 x2 : 0000000000000000 x1 : ffffff80008f7300 x0 : 0000000000000024 Call trace: mt76_wcid_cleanup+0x84/0x22c [mt76] __mt76_sta_remove+0x70/0xbc [mt76] mt76_sta_state+0x8c/0x1a4 [mt76] mt7915_eeprom_get_power_delta+0x11e4/0x23a0 [mt7915e] drv_sta_state+0x144/0x274 [mac80211] sta_info_move_state+0x1cc/0x2a4 [mac80211] sta_set_sinfo+0xaf8/0xc24 [mac80211] sta_info_destroy_addr_bss+0x4c/0x6c [mac80211] ieee80211_color_change_finish+0x1c08/0x1e70 [mac80211] cfg80211_check_station_change+0x1360/0x4710 [cfg80211] genl_family_rcv_msg_doit+0xb4/0x110 genl_rcv_msg+0xd0/0x1bc netlink_rcv_skb+0x58/0x120 genl_rcv+0x34/0x50 netlink_unicast+0x1f0/0x2ec netlink_sendmsg+0x198/0x3d0 ____sys_sendmsg+0x1b0/0x210 ___sys_sendmsg+0x80/0xf0 __sys_sendmsg+0x44/0xa0 __arm64_sys_sendmsg+0x20/0x30 invoke_syscall.constprop.0+0x4c/0xe0 do_el0_svc+0x40/0xd0 el0_svc+0x14/0x4c el0t_64_sync_handler+0x100/0x110 el0t_64_sync+0x15c/0x160 Code: d2800002 910092c0 52800023 f9800011 (885f7c01) ---[ end trace 7e42dd9a39ed2281 ]--- Fix by using mt76_dev_phy() which will map band_idx to the correct phy for all hardware combinations. Fixes: 0335c034e726 ("wifi: mt76: fix race condition related to checking tx queue fill status") Link: https://github.com/openwrt/openwrt/issues/14548 Signed-off-by: Bjørn Mork Link: https://patch.msgid.link/20240713130010.516037-1-bjorn@mork.no Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 2dc4335b5369127095afc850c2abdd452daf54d9 Author: Rafael J. Wysocki Date: Mon Aug 26 18:23:49 2024 +0200 thermal: gov_bang_bang: Adjust states of all uninitialized instances [ Upstream commit 15cb56bd529868d9242b22812fc69bd144bfdc94 ] If a cooling device is registered after a thermal zone it should be bound to and the trip point it should be bound to has already been crossed by the zone temperature on the way up, the cooling device's state may need to be adjusted, but the Bang-bang governor will not do that because its .manage() callback only looks at thermal instances for trip points whose thresholds are below or at the zone temperature. Address this by updating bang_bang_manage() to look at all of the uninitialized thermal instances and setting their target states in accordance with the position of the zone temperature with respect to the threshold of the given trip point. Fixes: 5f64b4a1ab1b ("thermal: gov_bang_bang: Add .manage() callback") Signed-off-by: Rafael J. Wysocki Reviewed-by: Lukasz Luba Link: https://patch.msgid.link/6103874.lOV4Wx5bFT@rjwysocki.net Signed-off-by: Sasha Levin commit ecd3a3e557787df4020f9020488359668b6a17f3 Author: Nishanth Menon Date: Wed Aug 28 08:19:15 2024 -0500 cpufreq: ti-cpufreq: Introduce quirks to handle syscon fails appropriately [ Upstream commit abc00ffda43bd4ba85896713464c7510c39f8165 ] Commit b4bc9f9e27ed ("cpufreq: ti-cpufreq: add support for omap34xx and omap36xx") introduced special handling for OMAP3 class devices where syscon node may not be present. However, this also creates a bug where the syscon node is present, however the offset used to read is beyond the syscon defined range. Fix this by providing a quirk option that is populated when such special handling is required. This allows proper failure for all other platforms when the syscon node and efuse offsets are mismatched. Fixes: b4bc9f9e27ed ("cpufreq: ti-cpufreq: add support for omap34xx and omap36xx") Signed-off-by: Nishanth Menon Tested-by: Dhruva Gole Reviewed-by: Kevin Hilman Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 478c8215a841d5261269826c3aac9079583eb922 Author: Robin Murphy Date: Mon Sep 2 18:51:59 2024 +0100 perf/arm-cmn: Ensure dtm_idx is big enough [ Upstream commit 359414b33e00bae91e4eabf3e4ef8e76024c7673 ] While CMN_MAX_DIMENSION was bumped to 12 for CMN-650, that only supports up to a 10x10 mesh, so bumping dtm_idx to 256 bits at the time worked out OK in practice. However CMN-700 did finally support up to 144 XPs, and thus needs a worst-case 288 bits of dtm_idx for an aggregated XP event on a maxed-out config. Oops. Fixes: 23760a014417 ("perf/arm-cmn: Add CMN-700 support") Signed-off-by: Robin Murphy Link: https://lore.kernel.org/r/e771b358526a0d7fc06efee2c3a2fdc0c9f51d44.1725296395.git.robin.murphy@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit ca166cdb3bff4c91c5097584717daa6b984f6f94 Author: Robin Murphy Date: Mon Sep 2 18:51:58 2024 +0100 perf/arm-cmn: Fix CCLA register offset [ Upstream commit 88b63a82c84ed9bbcbdefb10cb6f75dd1dd04887 ] Apparently pmu_event_sel is offset by 8 for all CCLA nodes, not just the CCLA_RNI combination type. Fixes: 23760a014417 ("perf/arm-cmn: Add CMN-700 support") Acked-by: Mark Rutland Reviewed-by: Ilkka Koskinen Signed-off-by: Robin Murphy Link: https://lore.kernel.org/r/6e7bb06fef6046f83e7647aad0e5be544139763f.1725296395.git.robin.murphy@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 8a8e35fc387d7a931d37426d185ca7e12f35d527 Author: Robin Murphy Date: Mon Sep 2 18:51:57 2024 +0100 perf/arm-cmn: Refactor node ID handling. Again. [ Upstream commit e79634b53e398966c49f803c49701bc74dc3ccf8 ] The scope of the "extra device ports" configuration is not made clear by the CMN documentation - so far we've assumed it applies globally, based on the sole example which suggests as much. However it transpires that this is incorrect, and the format does in fact vary based on each individual XP's port configuration. As a consequence, we're currenly liable to decode the port/device indices from a node ID incorrectly, thus program the wrong event source in the DTM leading to bogus event counts, and also show device topology on the wrong ports in debugfs. To put this right, rework node IDs yet again to carry around the additional data necessary to decode them properly per-XP. At this point the notion of fully decomposing an ID becomes more impractical than it's worth, so unabstracting the XY mesh coordinates (where 2/3 users were just debug anyway) ends up leaving things a bit simpler overall. Fixes: 60d1504070c2 ("perf/arm-cmn: Support new IP features") Acked-by: Mark Rutland Signed-off-by: Robin Murphy Link: https://lore.kernel.org/r/5195f990152fc37adba5fbf5929a6b11063d9f09.1725296395.git.robin.murphy@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 913ac842f1ffc91b5dbae5f1b040906fea189863 Author: Pablo Neira Ayuso Date: Tue Sep 3 01:08:49 2024 +0200 netfilter: nft_dynset: annotate data-races around set timeout [ Upstream commit c5ad8ed61fa8410b272c077ec167c593602b4542 ] set timeout can be read locklessly while being updated from control plane, add annotation. Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 842a43e53dbfee060f53d427fc563479a32141df Author: Pablo Neira Ayuso Date: Tue Sep 3 01:07:06 2024 +0200 netfilter: nf_tables: remove annotation to access set timeout while holding lock [ Upstream commit 15d8605c0cf4fc9cf4386cae658c68a0fd4bdb92 ] Mutex is held when adding an element, no need for READ_ONCE, remove it. Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 138be3092ee15d98dc13935f11f7c5ac16c678ce Author: Pablo Neira Ayuso Date: Tue Sep 3 01:06:58 2024 +0200 netfilter: nf_tables: reject expiration higher than timeout [ Upstream commit c0f38a8c60174368aed1d0f9965d733195f15033 ] Report ERANGE to userspace if user specifies an expiration larger than the timeout. Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 2b1911f188418977f867787535ffd309114681e0 Author: Pablo Neira Ayuso Date: Tue Sep 3 01:06:49 2024 +0200 netfilter: nf_tables: reject element expiration with no timeout [ Upstream commit d2dc429ecb4e79ad164028d965c00f689e6f6d06 ] If element timeout is unset and set provides no default timeout, the element expiration is silently ignored, reject this instead to let user know this is unsupported. Also prepare for supporting timeout that never expire, where zero timeout and expiration must be also rejected. Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit b9a5b74c1aaadb95d9febb27d0ac54d205db3dc6 Author: Pablo Neira Ayuso Date: Tue Sep 3 01:06:41 2024 +0200 netfilter: nf_tables: elements with timeout below CONFIG_HZ never expire [ Upstream commit e0c47281723f301894c14e6f5cd5884fdfb813f9 ] Element timeout that is below CONFIG_HZ never expires because the timeout extension is not allocated given that nf_msecs_to_jiffies64() returns 0. Set timeout to the minimum value to honor timeout. Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 20cde05aa8bcd7a5ff36a609d813189b7cdbe692 Author: Clément Léger Date: Mon Aug 26 12:16:44 2024 +0200 ACPI: CPPC: Fix MASK_VAL() usage [ Upstream commit 60949b7b805424f21326b450ca4f1806c06d982e ] MASK_VAL() was added as a way to handle bit_offset and bit_width for registers located in system memory address space. However, while suited for reading, it does not work for writing and result in corrupted registers when writing values with bit_offset > 0. Moreover, when a register is collocated with another one at the same address but with a different mask, the current code results in the other registers being overwritten with 0s. The write procedure for SYSTEM_MEMORY registers should actually read the value, mask it, update it and write it with the updated value. Moreover, since registers can be located in the same word, we must take care of locking the access before doing it. We should potentially use a global lock since we don't know in if register addresses aren't shared with another _CPC package but better not encourage vendors to do so. Assume that registers can use the same word inside a _CPC package and thus, use a per _CPC package lock. Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses") Signed-off-by: Clément Léger Link: https://patch.msgid.link/20240826101648.95654-1-cleger@rivosinc.com [ rjw: Dropped redundant semicolon ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit eb563bc1c441db59aed1a6dcc9ad961438dfacbd Author: Zong-Zhe Yang Date: Mon Aug 26 17:04:36 2024 +0800 wifi: rtw89: wow: fix wait condition for AOAC report request [ Upstream commit d9dd3ac77cf7cabd35732893f3aefba1daa1c2e1 ] Each condition binding to the same wait should be unique. AOAC code misused the wait of FW offload series and broke the above rule. It added another macro to generate wait condition of WoWLAN/AOAC, but the results conflict to the ones of FW offload series. It means that we might be completed wrongly in logic. We don't want things work/read like this and should have avoided this. Fix this by adding another wait which aims for WoWLAN functions. Fixes: ff53fce5c78b ("wifi: rtw89: wow: update latest PTK GTK info to mac80211 after resume") Signed-off-by: Zong-Zhe Yang Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20240826090439.17242-2-pkshih@realtek.com Signed-off-by: Sasha Levin commit 9a3333add2200e5253180d86cf5a358a10c06c12 Author: Zhang Changzhong Date: Thu Aug 29 20:48:23 2024 +0800 can: j1939: use correct function name in comment [ Upstream commit dc2ddcd136fe9b6196a7dd01f75f824beb02d43f ] The function j1939_cancel_all_active_sessions() was renamed to j1939_cancel_active_session() but name in comment wasn't updated. Signed-off-by: Zhang Changzhong Acked-by: Oleksij Rempel Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") Link: https://patch.msgid.link/1724935703-44621-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 13efbd0cf866c1a0ddf40ce1ebbe2a1946a0ce0a Author: Mark Brown Date: Thu Aug 29 18:20:09 2024 +0100 kselftest/arm64: Actually test SME vector length changes via sigreturn [ Upstream commit 6f0315330af7a57c1c00587fdfb69c7778bf1c50 ] The test case for SME vector length changes via sigreturn use a bit too much cut'n'paste and only actually changed the SVE vector length in the test itself. Andre's recent factoring out of the initialisation code caused this to be exposed and the test to start failing. Fix the test to actually cover the thing it's supposed to test. Fixes: 4963aeb35a9e ("kselftest/arm64: signal: Add SME signal handling tests") Signed-off-by: Mark Brown Reviewed-by: Andre Przywara Tested-by: Andre Przywara Link: https://lore.kernel.org/r/20240829-arm64-sme-signal-vl-change-test-v1-1-42d7534cb818@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit c9900ee4641377ca6e617fc52b16a770d1ec3ce5 Author: Yicong Yang Date: Thu Aug 29 17:03:31 2024 +0800 drivers/perf: hisi_pcie: Fix TLP headers bandwidth counting [ Upstream commit 17bf68aeb3642221e3e770399b5a52f370747ac1 ] We make the initial value of event ctrl register as HISI_PCIE_INIT_SET and modify according to the user options. This will make TLP headers bandwidth only counting never take effect since HISI_PCIE_INIT_SET configures to count the TLP payloads bandwidth. Fix this by making the initial value of event ctrl register as 0. Fixes: 17d573984d4d ("drivers/perf: hisi: Add TLP filter support") Signed-off-by: Yicong Yang Acked-by: Jonathan Cameron Link: https://lore.kernel.org/r/20240829090332.28756-3-yangyicong@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 006d9e3df6395fe5af4d4700addc7ef56b47dd08 Author: Yicong Yang Date: Thu Aug 29 17:03:30 2024 +0800 drivers/perf: hisi_pcie: Record hardware counts correctly [ Upstream commit daecd3373a16a039ad241086e30a1ec46fc9d61f ] Currently we set the period and record it as the initial value of the counter without checking it's set to the hardware successfully or not. However the counter maybe unwritable if the target event is unsupported by the device. In such case we will pass user a wrong count: [start counts when setting the period] hwc->prev_count = 0x8000000000000000 device.counter_value = 0 // the counter is not set as the period [when user reads the counter] event->count = device.counter_value - hwc->prev_count = 0x8000000000000000 // wrong. should be 0. Fix this by record the hardware counter counts correctly when setting the period. Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU") Signed-off-by: Yicong Yang Acked-by: Jonathan Cameron Link: https://lore.kernel.org/r/20240829090332.28756-2-yangyicong@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 72cadfa5f2bf3673b777a15e48b69281b73378d3 Author: Kamlesh Gurudasani Date: Thu Aug 22 02:32:52 2024 +0530 padata: Honor the caller's alignment in case of chunk_size 0 [ Upstream commit 24cc57d8faaa4060fd58adf810b858fcfb71a02f ] In the case where we are forcing the ps.chunk_size to be at least 1, we are ignoring the caller's alignment. Move the forcing of ps.chunk_size to be at least 1 before rounding it up to caller's alignment, so that caller's alignment is honored. While at it, use max() to force the ps.chunk_size to be at least 1 to improve readability. Fixes: 6d45e1c948a8 ("padata: Fix possible divide-by-0 panic in padata_mt_helper()") Signed-off-by: Kamlesh Gurudasani Acked-by:  Waiman Long Acked-by: Daniel Jordan Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit ddcf3ab8f20be04239c6991ae543067d76f5ed85 Author: Vasily Khoruzhick Date: Tue Apr 2 21:12:40 2024 -0700 ACPICA: executer/exsystem: Don't nag user about every Stall() violating the spec [ Upstream commit c82c507126c9c9db350be28f14c83fad1c7969ae ] ACPICA commit 129b75516fc49fe1fd6b8c5798f86c13854630b3 Stop nagging user about every Stall() that violates the spec On my Dell XPS 15 7590 I get hundreds of these warnings after few hours of uptime: $ dmesg | grep "fix the firmware" | wc -l 261 I cannot fix the firmware and I doubt that Dell cares about 4 year old laptop either Fixes: ace8f1c54a02 ("ACPICA: executer/exsystem: Inform users about ACPI spec violation") Link: https://github.com/acpica/acpica/commit/129b7551 Signed-off-by: Vasily Khoruzhick Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 6f469bb6b07f16695d3cfbaac195d069de8610ab Author: Vasily Khoruzhick Date: Tue Apr 2 21:09:45 2024 -0700 ACPICA: Implement ACPI_WARNING_ONCE and ACPI_ERROR_ONCE [ Upstream commit 632b746b108e3c62e0795072d00ed597371c738a ] ACPICA commit 2ad4e6e7c4118f4cdfcad321c930b836cec77406 In some cases it is not practical nor useful to nag user about some firmware errors that they cannot fix. Add a macro that will print a warning or error only once to be used in these cases. Link: https://github.com/acpica/acpica/commit/2ad4e6e7 Signed-off-by: Vasily Khoruzhick Signed-off-by: Rafael J. Wysocki Stable-dep-of: c82c507126c9 ("ACPICA: executer/exsystem: Don't nag user about every Stall() violating the spec") Signed-off-by: Sasha Levin commit 3edc916692bedb277a3ff0a850205e999fc1a241 Author: Ilan Peer Date: Tue Aug 27 10:39:20 2024 +0200 wifi: mac80211: Check for missing VHT elements only for 5 GHz [ Upstream commit 67bb124cd9ae38870667e4f9c876ef8e0f82ec44 ] Check for missing VHT Capabilities and VHT Operation elements in association response frame only for 5 GHz links. Fixes: 310c8387c638 ("wifi: mac80211: clean up connection process") Signed-off-by: Ilan Peer Reviewed-by: Miriam Rachel Korenblit Link: https://patch.msgid.link/20240827103920.dd711282d543.Iaba245cebc52209b0499d5bab7d8a8ef1df9dd65@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit b7c840f7812ae2bc61f2624cd7da34c89b97b0e3 Author: Emmanuel Grumbach Date: Sun Aug 25 19:17:11 2024 +0300 wifi: iwlwifi: mvm: allow ESR when we the ROC expires [ Upstream commit 76364f3edfde60aa2fa20b578ba9b96797d7bff5 ] We forgot to release the ROC reason for ESR prevention when the remain on channel expires. Add this. Fixes: a1efeb823084 ("wifi: iwlwifi: mvm: Block EMLSR when a p2p/softAP vif is active") Signed-off-by: Emmanuel Grumbach Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20240825191257.8f8765f359cc.I16fcd6198072d422ff36dce68070aafaf011f4c1@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit ac8969696e01378efc5b336b8208fadab58e9a7c Author: Emmanuel Grumbach Date: Thu Aug 8 11:59:16 2024 +0300 wifi: mac80211: fix the comeback long retry times [ Upstream commit 1524173a3745899612c71d9e83ff8fe29dbb2cfb ] When we had a comeback, we will never use the default timeout values again because comeback is never cleared. Clear comeback if we send another association request which will allow to start a default timer after Tx status. The problem was seen with iwlwifi where the tx_status on the association request is handled before the association response frame (which is the usual case). 1) Tx assoc request 1/3 2) Rx assoc response (comeback, timeout = 1 second) 3) wait 1 second 4) Tx assoc request 2/3 5) Set timer to IEEE80211_ASSOC_TIMEOUT_LONG = 500ms (1 second after round_up) 6) tx_status on frame sent in 4) is ignored because comeback is still true 7) AP does not reply with assoc response 8) wait 1s <= This is where the bug is felt 9) Tx assoc request 3/3 With this fix, in step 6 we will reset the timer to IEEE80211_ASSOC_TIMEOUT_SHORT = 100ms and we will wait only 100ms in step 8. Fixes: b133fdf07db8 ("wifi: mac80211: Skip association timeout update after comeback rejection") Signed-off-by: Emmanuel Grumbach Link: https://patch.msgid.link/20240808085916.23519-1-emmanuel.grumbach@intel.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 93a416549be452f176a4f3beaffd91e9c645f219 Author: hhorace Date: Wed Aug 7 16:22:05 2024 +0800 wifi: cfg80211: fix bug of mapping AF3x to incorrect User Priority [ Upstream commit a68b22e2905b04f376e2fa116be5e48b948f81c8 ] According to RFC8325 4.3, Multimedia Streaming: AF31(011010, 26), AF32(011100, 28), AF33(011110, 30) maps to User Priority = 4 and AC_VI (Video). However, the original code remain the default three Most Significant Bits (MSBs) of the DSCP, which makes AF3x map to User Priority = 3 and AC_BE (Best Effort). Fixes: 6fdb8b8781d5 ("wifi: cfg80211: Update the default DSCP-to-UP mapping") Signed-off-by: hhorace Reviewed-by: Guillaume Nault Reviewed-by: Ido Schimmel Link: https://patch.msgid.link/20240807082205.1369-1-hhoracehsu@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 9afc109ced1389ea9ce16692c849fa8933ff8dde Author: Avraham Stern Date: Mon Jul 29 20:20:12 2024 +0300 wifi: iwlwifi: mvm: increase the time between ranging measurements [ Upstream commit 3a7ee94559dfd640604d0265739e86dec73b64e8 ] The algo running in fw may take a little longer than 5 milliseconds, (e.g. measurement on 80MHz while associated). Increase the minimum time between measurements to 7 milliseconds. Fixes: 830aa3e7d1ca ("iwlwifi: mvm: add support for range request command version 13") Signed-off-by: Avraham Stern Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20240729201718.d3f3c26e00d9.I09e951290e8a3d73f147b88166fd9a678d1d69ed@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit b3322a6d6aa9bc17b395c4b38d3b97578887aa8a Author: Avraham Stern Date: Mon Jul 29 20:20:11 2024 +0300 wifi: iwlwifi: mvm: set the cipher for secured NDP ranging [ Upstream commit a949075d4bbf1ca83ccdeaa6ef4ac2ce7526c5f4 ] The cipher pointer is not set, but is derefereced trying to set its content, which leads to a NULL pointer dereference. Fix it by pointing to the cipher parameter before dereferencing. Fixes: 626be4bf99f6 ("wifi: iwlwifi: mvm: modify iwl_mvm_ftm_set_secured_ranging() parameters") Signed-off-by: Avraham Stern Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20240729201718.24e83369f136.I80501ddcb82920561f450d00020d860e7a3f90c6@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 7688db0a4aaf982b5c6dbff49ae165bfb995225c Author: Johannes Berg Date: Mon Jul 29 20:20:07 2024 +0300 wifi: iwlwifi: config: label 'gl' devices as discrete [ Upstream commit 8131dd52810dfcdb49fcdc78f5e18e1538b6c441 ] The 'gl' devices are in the bz family, but they're not, integrated, so should have their own trans config struct. Fix that, also necessitating the removal of LTR config, and while at it remove 0x2727 and 0x272D IDs that were only used for test chips. Fixes: c30a2a64788b ("wifi: iwlwifi: add a new PCI device ID for BZ device")ticket=none Signed-off-by: Johannes Berg Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20240729201718.95aed0620080.Ib9129512c95aa57acc9876bdff8b99dd41e1562c@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 43897111481b679508711d3ca881c4c6593e9247 Author: Ping-Ke Shih Date: Mon Jul 29 15:48:16 2024 +0800 wifi: mac80211: don't use rate mask for offchannel TX either [ Upstream commit e7a7ef9a0742dbd0818d5b15fba2c5313ace765b ] Like the commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for scanning"), ignore incorrect settings to avoid no supported rate warning reported by syzbot. The syzbot did bisect and found cause is commit 9df66d5b9f45 ("cfg80211: fix default HE tx bitrate mask in 2G band"), which however corrects bitmask of HE MCS and recognizes correctly settings of empty legacy rate plus HE MCS rate instead of returning -EINVAL. As suggestions [1], follow the change of SCAN TX to consider this case of offchannel TX as well. [1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024 Reported-by: syzbot+8dd98a9e98ee28dc484a@syzkaller.appspotmail.com Closes: https://lore.kernel.org/linux-wireless/000000000000fdef8706191a3f7b@google.com/ Fixes: 9df66d5b9f45 ("cfg80211: fix default HE tx bitrate mask in 2G band") Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20240729074816.20323-1-pkshih@realtek.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 48c20cecc48eb773cf4b22ee82a3336f48c0d59c Author: Zong-Zhe Yang Date: Fri Jul 12 15:49:38 2024 +0800 wifi: mac80211_hwsim: correct MODULE_PARM_DESC of multi_radio [ Upstream commit 7c24c5bdf489c8f3a9c701a950126da871ebdaca ] Correct the name field in multi_radio's MODULE_PARM_DESC. Fixes: d2601e34a102 ("wifi: mac80211_hwsim: add support for multi-radio wiphy") Signed-off-by: Zong-Zhe Yang Acked-by: Felix Fietkau Link: https://patch.msgid.link/20240712074938.26437-1-kevin_yang@realtek.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 1989feaa278c332c733a439772e902af3a1dc742 Author: Esther Shimanovich Date: Tue Aug 6 20:08:47 2024 +0000 ACPI: video: force native for Apple MacbookPro9,2 [ Upstream commit 7dc918daaf2994963690171584ba423f28724df5 ] It used to be that the MacbookPro9,2 used its native intel backlight device until the following commit was introduced: commit b1d36e73cc1c ("drm/i915: Don't register backlight when another backlight should be used (v2)") This commit forced this model to use its firmware acpi_video backlight device instead. That worked fine until an additional commit was added: commit 92714006eb4d ("drm/i915/backlight: Do not bump min brightness to max on enable") That commit uncovered a bug in the MacbookPro 9,2's acpi_video backlight firmware; the backlight does not come back up after resume. Add DMI quirk to select the working native intel interface instead so that the backlight successfully comes back up after resume. Fixes: 92714006eb4d ("drm/i915/backlight: Do not bump min brightness to max on enable") Signed-off-by: Esther Shimanovich Reviewed-by: Hans de Goede Link: https://patch.msgid.link/20240806-acpi-video-quirk-v1-1-369d8f7abc59@chromium.org [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit bff2b8119efdb099736d19ee5d9b3ea4fafe8160 Author: Svyatoslav Pankratov Date: Thu Aug 15 16:47:23 2024 +0100 crypto: qat - fix "Full Going True" macro definition [ Upstream commit 694a6f594817462942acbb1a35b1f7d61e2d49e7 ] The macro `ADF_RP_INT_SRC_SEL_F_RISE_MASK` is currently set to the value `0100b` which means "Empty Going False". This might cause an incorrect restore of the bank state during live migration. Fix the definition of the macro to properly represent the "Full Going True" state which is encoded as `0011b`. Fixes: bbfdde7d195f ("crypto: qat - add bank save and restore flows") Signed-off-by: Svyatoslav Pankratov Reviewed-by: Xin Zeng Signed-off-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c0af79bcb389b63d4ffbf20150b19684d6b72a8b Author: Krishna chaitanya chundru Date: Fri Aug 16 20:47:22 2024 +0530 perf/dwc_pcie: Always register for PCIe bus notifier [ Upstream commit b94b05478fb6a09033bf70c6edd03f8930a0fe24 ] When the PCIe devices are discovered late, the driver can't find the PCIe devices and returns in the init without registering with the bus notifier. Due to that the devices which are discovered late the driver can't register for this. Register for bus notifier & driver even if the device is not found as part of init. Fixes: af9597adc2f1 ("drivers/perf: add DesignWare PCIe PMU driver") Signed-off-by: Krishna chaitanya chundru Reviewed-by: Yicong Yang Link: https://lore.kernel.org/r/20240816-dwc_pmu_fix-v2-3-198b8ab1077c@quicinc.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 0667a7707861d5907384970786247149f38abd78 Author: Krishna chaitanya chundru Date: Fri Aug 16 20:47:20 2024 +0530 perf/dwc_pcie: Fix registration issue in multi PCIe controller instances [ Upstream commit e669388537c472142804eb5a0449cc23d5409694 ] When there are multiple of instances of PCIe controllers, registration to perf driver fails with this error. sysfs: cannot create duplicate filename '/devices/platform/dwc_pcie_pmu.0' CPU: 0 PID: 166 Comm: modprobe Not tainted 6.10.0-rc2-next-20240607-dirty Hardware name: Qualcomm SA8775P Ride (DT) Call trace: dump_backtrace.part.8+0x98/0xf0 show_stack+0x14/0x1c dump_stack_lvl+0x74/0x88 dump_stack+0x14/0x1c sysfs_warn_dup+0x60/0x78 sysfs_create_dir_ns+0xe8/0x100 kobject_add_internal+0x94/0x224 kobject_add+0xa8/0x118 device_add+0x298/0x7b4 platform_device_add+0x1a0/0x228 platform_device_register_full+0x11c/0x148 dwc_pcie_register_dev+0x74/0xf0 [dwc_pcie_pmu] dwc_pcie_pmu_init+0x7c/0x1000 [dwc_pcie_pmu] do_one_initcall+0x58/0x1c0 do_init_module+0x58/0x208 load_module+0x1804/0x188c __do_sys_init_module+0x18c/0x1f0 __arm64_sys_init_module+0x14/0x1c invoke_syscall+0x40/0xf8 el0_svc_common.constprop.1+0x70/0xf4 do_el0_svc+0x18/0x20 el0_svc+0x28/0xb0 el0t_64_sync_handler+0x9c/0xc0 el0t_64_sync+0x160/0x164 kobject: kobject_add_internal failed for dwc_pcie_pmu.0 with -EEXIST, don't try to register things with the same name in the same directory. This is because of having same bdf value for devices under two different controllers. Update the logic to use sbdf which is a unique number in case of multi instance also. Fixes: af9597adc2f1 ("drivers/perf: add DesignWare PCIe PMU driver") Signed-off-by: Krishna chaitanya chundru Reviewed-by: Yicong Yang Link: https://lore.kernel.org/r/20240816-dwc_pmu_fix-v2-1-198b8ab1077c@quicinc.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 85702fddba70d2b63f5646793d77de2ad4fc3784 Author: Jing Zhang Date: Thu Aug 22 11:33:31 2024 +0800 drivers/perf: Fix ali_drw_pmu driver interrupt status clearing [ Upstream commit a3dd920977dccc453c550260c4b7605b280b79c3 ] The alibaba_uncore_pmu driver forgot to clear all interrupt status in the interrupt processing function. After the PMU counter overflow interrupt occurred, an interrupt storm occurred, causing the system to hang. Therefore, clear the correct interrupt status in the interrupt handling function to fix it. Fixes: cf7b61073e45 ("drivers/perf: add DDR Sub-System Driveway PMU driver for Yitian 710 SoC") Signed-off-by: Jing Zhang Reviewed-by: Shuai Xue Acked-by: Mark Rutland Link: https://lore.kernel.org/r/1724297611-20686-1-git-send-email-renyu.zj@linux.alibaba.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 86aedfbc90407920f862955cf527e6cf8f867867 Author: Rafael J. Wysocki Date: Thu Aug 22 21:47:36 2024 +0200 thermal: core: Fix rounding of delay jiffies [ Upstream commit 8144dbe68c493baa412d78f41a57e90a6461f6c3 ] Using round_jiffies() in thermal_set_delay_jiffies() is invalid because its argument should be time in the future in absolute jiffies and it computes the result with respect to the current jiffies value at the invocation time. Fortunately, in the majority of cases it does not make any difference due to the time_is_after_jiffies() check in round_jiffies_common(). While using round_jiffies_relative() instead of round_jiffies() might reflect the intent a bit better, it still would not be defensible because that function should be called when the timer is about to be set and it is not suitable for pre-computation of delay values. Accordingly, drop thermal_set_delay_jiffies() altogether, simply convert polling_delay and passive_delay to jiffies during thermal zone initialization and make thermal_zone_device_set_polling() call round_jiffies_relative() on the delay if it is greather than 1 second. Fixes: 17d399cd9c89 ("thermal/core: Precompute the delays from msecs to jiffies") Fixes: e5f2cda61d06 ("thermal/core: Move thermal_set_delay_jiffies to static") Signed-off-by: Rafael J. Wysocki Reviewed-by: Daniel Lezcano Link: https://patch.msgid.link/1994438.PYKUYFuaPT@rjwysocki.net Signed-off-by: Sasha Levin commit 8f6f327a0d590b242407d8cd4d30c4c9c60706f4 Author: Rafael J. Wysocki Date: Mon Aug 19 17:50:30 2024 +0200 thermal: core: Fold two functions into their respective callers [ Upstream commit a8bbe6f10f78f85243ff821432c5d798a6d99ed4 ] Fold bind_cdev() into __thermal_cooling_device_register() and bind_tz() into thermal_zone_device_register_with_trips() to reduce code bloat and make it somewhat easier to follow the code flow. No intentional functional impact. Signed-off-by: Rafael J. Wysocki Reviewed-by: Zhang Rui Reviewed-by: Daniel Lezcano Link: https://patch.msgid.link/2962184.e9J7NaK4W3@rjwysocki.net Stable-dep-of: 8144dbe68c49 ("thermal: core: Fix rounding of delay jiffies") Signed-off-by: Sasha Levin commit 04c5b762f348ffe8ced7d9af114096ae39ced5e4 Author: Douglas Anderson Date: Wed Aug 21 14:53:57 2024 -0700 arm64: smp: smp_send_stop() and crash_smp_send_stop() should try non-NMI first [ Upstream commit fdfa588124b6356cd08e5d3f0c3643c4ec3d6887 ] When testing hard lockup handling on my sc7180-trogdor-lazor device with pseudo-NMI enabled, with serial console enabled and with kgdb disabled, I found that the stack crawls printed to the serial console ended up as a jumbled mess. After rebooting, the pstore-based console looked fine though. Also, enabling kgdb to trap the panic made the console look fine and avoided the mess. After a bit of tracking down, I came to the conclusion that this was what was happening: 1. The panic path was stopping all other CPUs with panic_other_cpus_shutdown(). 2. At least one of those other CPUs was in the middle of printing to the serial console and holding the console port's lock, which is grabbed with "irqsave". ...but since we were stopping with an NMI we didn't care about the "irqsave" and interrupted anyway. 3. Since we stopped the CPU while it was holding the lock it would never release it. 4. All future calls to output to the console would end up failing to get the lock in qcom_geni_serial_console_write(). This isn't _totally_ unexpected at panic time but it's a code path that's not well tested, hard to get right, and apparently doesn't work terribly well on the Qualcomm geni serial driver. The Qualcomm geni serial driver was fixed to be a bit better in commit 9e957a155005 ("serial: qcom-geni: Don't cancel/abort if we can't get the port lock") but it's nice not to get into this situation in the first place. Taking a page from what x86 appears to do in native_stop_other_cpus(), do this: 1. First, try to stop other CPUs with a normal IPI and wait a second. This gives them a chance to leave critical sections. 2. If CPUs fail to stop then retry with an NMI, but give a much lower timeout since there's no good reason for a CPU not to react quickly to a NMI. This works well and avoids the corrupted console and (presumably) could help avoid other similar issues. In order to do this, we need to do a little re-organization of our IPIs since we don't have any more free IDs. Do what was suggested in previous conversations and combine "stop" and "crash stop". That frees up an IPI so now we can have a "stop" and "stop NMI". In order to do this we also need a slight change in the way we keep track of which CPUs still need to be stopped. We need to know specifically which CPUs haven't stopped yet when we fall back to NMI but in the "crash stop" case the "cpu_online_mask" isn't updated as CPUs go down. This is why that code path had an atomic of the number of CPUs left. Solve this by also updating the "cpu_online_mask" for crash stops. All of the above lets us combine the logic for "stop" and "crash stop" code, which appeared to have a bunch of arbitrary implementation differences. Aside from the above change where we try a normal IPI and then an NMI, the combined function has a few subtle differences: * In the normal smp_send_stop(), if we fail to stop one or more CPUs then we won't include the current CPU (the one running smp_send_stop()) in the error message. * In crash_smp_send_stop(), if we fail to stop some CPUs we'll print the CPUs that we failed to stop instead of printing all _but_ the current running CPU. * In crash_smp_send_stop(), we will now only print "SMP: stopping secondary CPUs" if (system_state <= SYSTEM_RUNNING). Fixes: d7402513c935 ("arm64: smp: IPI_CPU_STOP and IPI_CPU_CRASH_STOP should try for NMI") Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20240821145353.v3.1.Id4817adef610302554b8aa42b090d57270dc119c@changeid Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 2f2e67d8cac93b85b2633b129ddcfc611c90b193 Author: Andre Przywara Date: Wed Aug 21 17:44:01 2024 +0100 kselftest/arm64: signal: fix/refactor SVE vector length enumeration [ Upstream commit 5225b6562b9a7dc808d5a1e465aaf5e2ebb220cd ] Currently a number of SVE/SME related tests have almost identical functions to enumerate all supported vector lengths. However over time the copy&pasted code has diverged, allowing some bugs to creep in: - fake_sigreturn_sme_change_vl reports a failure, not a SKIP if only one vector length is supported (but the SVE version is fine) - fake_sigreturn_sme_change_vl tries to set the SVE vector length, not the SME one (but the other SME tests are fine) - za_no_regs keeps iterating forever if only one vector length is supported (but za_regs is correct) Since those bugs seem to be mostly copy&paste ones, let's consolidate the enumeration loop into one shared function, and just call that from each test. That should fix the above bugs, and prevent similar issues from happening again. Fixes: 4963aeb35a9e ("kselftest/arm64: signal: Add SME signal handling tests") Signed-off-by: Andre Przywara Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20240821164401.3598545-1-andre.przywara@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit cf888dc116e1f4c360954f79a8e6bd8c872a8063 Author: Chia-Yuan Li Date: Thu Aug 15 21:40:54 2024 +0800 wifi: rtw89: limit the PPDU length for VHT rate to 0x40000 [ Upstream commit 124410976bf807e76c45e36685ed8bf959229545 ] If the PPDU length for VHT rate exceeds 0x40000, calculating the PSDU length will overflow. TMAC will determine the length to be too small and as a result, all packets will be sent as ZLD (Zero Length Delimiter). Fixes: 5f7e92c59b8e ("wifi: rtw89: 8852b: set AMSDU limit to 5000") Signed-off-by: Chia-Yuan Li Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20240815134054.44649-1-pkshih@realtek.com Signed-off-by: Sasha Levin commit 6a34f3b0d7f11fb6ed72da315fd2360abd9c0737 Author: Dan Carpenter Date: Tue Aug 20 11:41:34 2024 +0300 powercap: intel_rapl: Fix off by one in get_rpi() [ Upstream commit 95f6580352a7225e619551febb83595bcb77ab17 ] The rp->priv->rpi array is either rpi_msr or rpi_tpmi which have NR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >= to prevent an off by one access. Fixes: 98ff639a7289 ("powercap: intel_rapl: Support per Interface primitive information") Signed-off-by: Dan Carpenter Acked-by: Zhang Rui Link: https://patch.msgid.link/86e3a059-504d-4795-a5ea-4a653f3b41f8@stanley.mountain Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 39caf610a63786b3b0ef3348ac015edc19827d6a Author: Calvin Owens Date: Mon Jul 29 17:05:51 2024 +0100 ARM: 9410/1: vfp: Use asm volatile in fmrx/fmxr macros [ Upstream commit 89a906dfa8c3b21b3e5360f73c49234ac1eb885b ] Floating point instructions in userspace can crash some arm kernels built with clang/LLD 17.0.6: BUG: unsupported FP instruction in kernel mode FPEXC == 0xc0000780 Internal error: Oops - undefined instruction: 0 [#1] ARM CPU: 0 PID: 196 Comm: vfp-reproducer Not tainted 6.10.0 #1 Hardware name: BCM2835 PC is at vfp_support_entry+0xc8/0x2cc LR is at do_undefinstr+0xa8/0x250 pc : [] lr : [] psr: a0000013 sp : dc8d1f68 ip : 60000013 fp : bedea19c r10: ec532b17 r9 : 00000010 r8 : 0044766c r7 : c0000780 r6 : ec532b17 r5 : c1c13800 r4 : dc8d1fb0 r3 : c10072c4 r2 : c0101c88 r1 : ec532b17 r0 : 0044766c Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 00c5387d Table: 0251c008 DAC: 00000051 Register r0 information: non-paged memory Register r1 information: vmalloc memory Register r2 information: non-slab/vmalloc memory Register r3 information: non-slab/vmalloc memory Register r4 information: 2-page vmalloc region Register r5 information: slab kmalloc-cg-2k Register r6 information: vmalloc memory Register r7 information: non-slab/vmalloc memory Register r8 information: non-paged memory Register r9 information: zero-size pointer Register r10 information: vmalloc memory Register r11 information: non-paged memory Register r12 information: non-paged memory Process vfp-reproducer (pid: 196, stack limit = 0x61aaaf8b) Stack: (0xdc8d1f68 to 0xdc8d2000) 1f60: 0000081f b6f69300 0000000f c10073f4 c10072c4 dc8d1fb0 1f80: ec532b17 0c532b17 0044766c b6f9ccd8 00000000 c010a80c 00447670 60000010 1fa0: ffffffff c1c13800 00c5387d c0100f10 b6f68af8 00448fc0 00000000 bedea188 1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c 1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff 00000000 00000000 Call trace: [] (vfp_support_entry) from [] (do_undefinstr+0xa8/0x250) [] (do_undefinstr) from [] (__und_usr+0x70/0x80) Exception stack(0xdc8d1fb0 to 0xdc8d1ff8) 1fa0: b6f68af8 00448fc0 00000000 bedea188 1fc0: bedea314 00000001 00448ebc b6f9d000 00447608 b6f9ccd8 00000000 bedea19c 1fe0: bede9198 bedea188 b6e1061c 0044766c 60000010 ffffffff Code: 0a000061 e3877202 e594003c e3a09010 (eef16a10) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Fatal exception in interrupt ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- This is a minimal userspace reproducer on a Raspberry Pi Zero W: #include #include int main(void) { double v = 1.0; printf("%fn", NAN + *(volatile double *)&v); return 0; } Another way to consistently trigger the oops is: calvin@raspberry-pi-zero-w ~$ python -c "import json" The bug reproduces only when the kernel is built with DYNAMIC_DEBUG=n, because the pr_debug() calls act as barriers even when not activated. This is the output from the same kernel source built with the same compiler and DYNAMIC_DEBUG=y, where the userspace reproducer works as expected: VFP: bounce: trigger ec532b17 fpexc c0000780 VFP: emulate: INST=0xee377b06 SCR=0x00000000 VFP: bounce: trigger eef1fa10 fpexc c0000780 VFP: emulate: INST=0xeeb40b40 SCR=0x00000000 VFP: raising exceptions 30000000 calvin@raspberry-pi-zero-w ~$ ./vfp-reproducer nan Crudely grepping for vmsr/vmrs instructions in the otherwise nearly idential text for vfp_support_entry() makes the problem obvious: vmlinux.llvm.good [0xc0101cb8] <+48>: vmrs r7, fpexc vmlinux.llvm.good [0xc0101cd8] <+80>: vmsr fpexc, r0 vmlinux.llvm.good [0xc0101d20] <+152>: vmsr fpexc, r7 vmlinux.llvm.good [0xc0101d38] <+176>: vmrs r4, fpexc vmlinux.llvm.good [0xc0101d6c] <+228>: vmrs r0, fpscr vmlinux.llvm.good [0xc0101dc4] <+316>: vmsr fpexc, r0 vmlinux.llvm.good [0xc0101dc8] <+320>: vmrs r0, fpsid vmlinux.llvm.good [0xc0101dcc] <+324>: vmrs r6, fpscr vmlinux.llvm.good [0xc0101e10] <+392>: vmrs r10, fpinst vmlinux.llvm.good [0xc0101eb8] <+560>: vmrs r10, fpinst2 vmlinux.llvm.bad [0xc0101cb8] <+48>: vmrs r7, fpexc vmlinux.llvm.bad [0xc0101cd8] <+80>: vmsr fpexc, r0 vmlinux.llvm.bad [0xc0101d20] <+152>: vmsr fpexc, r7 vmlinux.llvm.bad [0xc0101d30] <+168>: vmrs r0, fpscr vmlinux.llvm.bad [0xc0101d50] <+200>: vmrs r6, fpscr <== BOOM! vmlinux.llvm.bad [0xc0101d6c] <+228>: vmsr fpexc, r0 vmlinux.llvm.bad [0xc0101d70] <+232>: vmrs r0, fpsid vmlinux.llvm.bad [0xc0101da4] <+284>: vmrs r10, fpinst vmlinux.llvm.bad [0xc0101df8] <+368>: vmrs r4, fpexc vmlinux.llvm.bad [0xc0101e5c] <+468>: vmrs r10, fpinst2 I think LLVM's reordering is valid as the code is currently written: the compiler doesn't know the instructions have side effects in hardware. Fix by using "asm volatile" in fmxr() and fmrx(), so they cannot be reordered with respect to each other. The original compiler now produces working kernels on my hardware with DYNAMIC_DEBUG=n. This is the relevant piece of the diff of the vfp_support_entry() text, from the original oopsing kernel to a working kernel with this patch: vmrs r0, fpscr tst r0, #4096 bne 0xc0101d48 tst r0, #458752 beq 0xc0101ecc orr r7, r7, #536870912 ldr r0, [r4, #0x3c] mov r9, #16 -vmrs r6, fpscr orr r9, r9, #251658240 add r0, r0, #4 str r0, [r4, #0x3c] mvn r0, #159 sub r0, r0, #-1207959552 and r0, r7, r0 vmsr fpexc, r0 vmrs r0, fpsid +vmrs r6, fpscr and r0, r0, #983040 cmp r0, #65536 bne 0xc0101d88 Fixes: 4708fb041346 ("ARM: vfp: Reimplement VFP exception entry in C code") Signed-off-by: Calvin Owens Signed-off-by: Russell King (Oracle) Signed-off-by: Sasha Levin commit c4d6be474a9ad58db0ae5618bf24e65c7851cbfe Author: Florian Westphal Date: Wed Jul 10 10:58:29 2024 +0200 netfilter: nf_tables: store new sets in dedicated list [ Upstream commit c1aa38866b9c58dc6cf7a5fc6a3e1ca75565169e ] nft_set_lookup_byid() is very slow when transaction becomes large, due to walk of the transaction list. Add a dedicated list that contains only the new sets. Before: nft -f ruleset 0.07s user 0.00s system 0% cpu 1:04.84 total After: nft -f ruleset 0.07s user 0.00s system 0% cpu 30.115 total .. where ruleset contains ~10 sets with ~100k elements. The above number is for a combined flush+reload of the ruleset. With previous flush, even the first NEWELEM has to walk through a few hundred thousands of DELSET(ELEM) transactions before the first NEWSET object. To cope with random-order-newset-newsetelem we'd need to replace commit_set_list with a hashtable. Expectation is that a NEWELEM operation refers to the most recently added set, so last entry of the dedicated list should be the set we want. NB: This is not a bug fix per se (functionality is fine), but with larger transaction batches list search takes forever, so it would be nice to speed this up for -stable too, hence adding a "fixes" tag. Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") Reported-by: Nadia Pinaeva Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit eac1568213f40f853ce5b0324cb2c3dab95edfe6 Author: Aleksa Sarai Date: Wed Jul 31 23:10:27 2024 +1000 autofs: fix missing fput for FSCONFIG_SET_FD [ Upstream commit 6a64c5220c5df235448b846aeff3c0660d4cc83e ] If you pass an fd using FSCONFIG_SET_FD, autofs_parse_fd() "steals" the param->file and so the fs_context infrastructure will not do fput() for us. Fixes: e6ec453bd0f0 ("autofs: convert autofs to use the new mount api") Signed-off-by: Aleksa Sarai Link: https://lore.kernel.org/r/20240731-fsconfig-fsparam_fd-fixes-v2-1-e7c472224417@cyphar.com Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit d9e3a62e246c05203eb5bf1e21dcf50f026fc5da Author: Olaf Hering Date: Tue Jul 30 10:58:13 2024 +0200 mount: handle OOM on mnt_warn_timestamp_expiry [ Upstream commit 4bcda1eaf184e308f07f9c61d3a535f9ce477ce8 ] If no page could be allocated, an error pointer was used as format string in pr_warn. Rearrange the code to return early in case of OOM. Also add a check for the return value of d_path. Fixes: f8b92ba67c5d ("mount: Add mount warning for impending timestamp expiry") Signed-off-by: Olaf Hering Link: https://lore.kernel.org/r/20240730085856.32385-1-olaf@aepfle.de [brauner: rewrite commit and commit message] Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit 1754bc0240d345f5b1f3db35858c4576bebd02f1 Author: Atish Patra Date: Fri Aug 16 00:08:09 2024 -0700 RISC-V: KVM: Fix to allow hpmcounter31 from the guest [ Upstream commit 5aa09297a3dcc798d038bd7436f8c90f664045a6 ] The csr_fun defines a count parameter which defines the total number CSRs emulated in KVM starting from the base. This value should be equal to total number of counters possible for trap/emulation (32). Fixes: a9ac6c37521f ("RISC-V: KVM: Implement trap & emulate for hpmcounters") Signed-off-by: Atish Patra Link: https://lore.kernel.org/r/20240816-kvm_pmu_fixes-v1-2-cdfce386dd93@rivosinc.com Signed-off-by: Anup Patel Signed-off-by: Sasha Levin commit 12e4ef8217a19a15c3545591236f69e1e229a881 Author: Atish Patra Date: Fri Aug 16 00:08:08 2024 -0700 RISC-V: KVM: Allow legacy PMU access from guest [ Upstream commit 7d1ffc8b087e97dbe1985912c7a2d00e53cea169 ] Currently, KVM traps & emulates PMU counter access only if SBI PMU is available as the guest can only configure/read PMU counters via SBI only. However, if SBI PMU is not enabled in the host, the guest will fallback to the legacy PMU which will try to access cycle/instret and result in an illegal instruction trap which is not desired. KVM can allow dummy emulation of cycle/instret only for the guest if SBI PMU is not enabled in the host. The dummy emulation will still return zero as we don't to expose the host counter values from a guest using legacy PMU. Fixes: a9ac6c37521f ("RISC-V: KVM: Implement trap & emulate for hpmcounters") Signed-off-by: Atish Patra Link: https://lore.kernel.org/r/20240816-kvm_pmu_fixes-v1-1-cdfce386dd93@rivosinc.com Signed-off-by: Anup Patel Signed-off-by: Sasha Levin commit 6d0a5dcfc78bd18f2abb9641f83380135494559b Author: Anup Patel Date: Thu Aug 15 22:39:07 2024 +0530 RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data [ Upstream commit 47d40d93292d9cff8dabb735bed83d930fa03950 ] With the latest Linux-6.11-rc3, the below NULL pointer crash is observed when SBI PMU snapshot is enabled for the guest and the guest is forcefully powered-off. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508 Oops [#1] Modules linked in: kvm CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3 Hardware name: riscv-virtio,qemu (DT) epc : __kvm_write_guest_page+0x94/0xa6 [kvm] ra : __kvm_write_guest_page+0x54/0xa6 [kvm] epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0 gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000 t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0 s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086 a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0 a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000 s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000 s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001 s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3 t5 : ffffffff814126e0 t6 : ffffffff81412700 status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d [] __kvm_write_guest_page+0x94/0xa6 [kvm] [] kvm_vcpu_write_guest+0x56/0x90 [kvm] [] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm] [] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm] [] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm] [] kvm_arch_vcpu_destroy+0x28/0x4c [kvm] [] kvm_destroy_vcpus+0x5a/0xda [kvm] [] kvm_arch_destroy_vm+0x14/0x28 [kvm] [] kvm_destroy_vm+0x168/0x2a0 [kvm] [] kvm_put_kvm+0x3c/0x58 [kvm] [] kvm_vm_release+0x22/0x2e [kvm] Clearly, the kvm_vcpu_write_guest() function is crashing because it is being called from kvm_pmu_clear_snapshot_area() upon guest tear down. To address the above issue, simplify the kvm_pmu_clear_snapshot_area() to not zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because the guest is anyway being tore down. The kvm_pmu_clear_snapshot_area() is also called when guest changes PMU snapshot area of a VCPU but even in this case the previous PMU snaphsot area must not be zeroed-out because the guest might have reclaimed the pervious PMU snapshot area for some other purpose. Fixes: c2f41ddbcdd7 ("RISC-V: KVM: Implement SBI PMU Snapshot feature") Signed-off-by: Anup Patel Link: https://lore.kernel.org/r/20240815170907.2792229-1-apatel@ventanamicro.com Signed-off-by: Anup Patel Signed-off-by: Sasha Levin commit 4a52082760267391869f23c6599274ee1671cf37 Author: Andrew Jones Date: Wed Aug 7 17:49:44 2024 +0200 RISC-V: KVM: Fix sbiret init before forwarding to userspace [ Upstream commit 6b7b282e6baea06ba65b55ae7d38326ceb79cebf ] When forwarding SBI calls to userspace ensure sbiret.error is initialized to SBI_ERR_NOT_SUPPORTED first, in case userspace neglects to set it to anything. If userspace neglects it then we can't be sure it did anything else either, so we just report it didn't do or try anything. Just init sbiret.value to zero, which is the preferred value to return when nothing special is specified. KVM was already initializing both sbiret.error and sbiret.value, but the values used appear to come from a copy+paste of the __sbi_ecall() implementation, i.e. a0 and a1, which don't apply prior to the call being executed, nor at all when forwarding to userspace. Fixes: dea8ee31a039 ("RISC-V: KVM: Add SBI v0.1 support") Signed-off-by: Andrew Jones Link: https://lore.kernel.org/r/20240807154943.150540-2-ajones@ventanamicro.com Signed-off-by: Anup Patel Signed-off-by: Sasha Levin commit efb9eeef6458250193dec800d5c8406cd870c4c0 Author: Dmitry Kandybka Date: Fri Aug 9 11:53:10 2024 +0300 wifi: rtw88: remove CPT execution branch never used [ Upstream commit 77c977327dfaa9ae2e154964cdb89ceb5c7b7cf1 ] In 'rtw_coex_action_bt_a2dp_pan', 'wl_cpt_test' and 'bt_cpt_test' are hardcoded to false, so corresponding 'table_case' and 'tdma_case' assignments are never met. Also 'rtw_coex_set_rf_para(rtwdev, chip->wl_rf_para_rx[1])' is never executed. Assuming that CPT was never fully implemented, remove lookalike leftovers. Compile tested only. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 76f631cb401f ("rtw88: coex: update the mechanism for A2DP + PAN") Signed-off-by: Dmitry Kandybka Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20240809085310.10512-1-d.kandybka@gmail.com Signed-off-by: Sasha Levin commit 2c9c2d1a20916589497a7facbea3e82cabec4ab8 Author: Ping-Ke Shih Date: Fri Aug 9 15:20:09 2024 +0800 wifi: rtw89: remove unused C2H event ID RTW89_MAC_C2H_FUNC_READ_WOW_CAM to prevent out-of-bounds reading [ Upstream commit 56310ddb50b190b3390fdc974aec455d0a516bd2 ] The handler of firmware C2H event RTW89_MAC_C2H_FUNC_READ_WOW_CAM isn't implemented, but driver expects number of handlers is NUM_OF_RTW89_MAC_C2H_FUNC_WOW causing out-of-bounds access. Fix it by removing ID. Addresses-Coverity-ID: 1598775 ("Out-of-bounds read") Fixes: ff53fce5c78b ("wifi: rtw89: wow: update latest PTK GTK info to mac80211 after resume") Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20240809072012.84152-4-pkshih@realtek.com Signed-off-by: Sasha Levin commit d7afc3179d3c8a2a354f2d439512cdd6ec9d3b76 Author: Dave Martin Date: Mon Jul 29 16:20:05 2024 +0100 arm64: signal: Fix some under-bracketed UAPI macros [ Upstream commit fc2220c9b15828319b09384e68399b4afc6276d9 ] A few SME-related sigcontext UAPI macros leave an argument unprotected from misparsing during macro expansion. Add parentheses around references to macro arguments where appropriate. Signed-off-by: Dave Martin Fixes: ee072cf70804 ("arm64/sme: Implement signal handling for ZT") Fixes: 39782210eb7e ("arm64/sme: Implement ZA signal handling") Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20240729152005.289844-1-Dave.Martin@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit eae33a98b74666efd580e44d1d795bf448fb42da Author: Jason Wang Date: Wed Aug 14 13:22:28 2024 +0800 virtio-net: synchronize probe with ndo_set_features [ Upstream commit c392d6019398315526b0b508282f87c7b2318c72 ] We calculate guest offloads during probe without the protection of rtnl_lock. This lead to race between probe and ndo_set_features. Fix this by moving the calculation under the rtnl_lock. Fixes: 3f93522ffab2 ("virtio-net: switch off offloads on demand if possible on XDP set") Acked-by: Michael S. Tsirkin Signed-off-by: Jason Wang Link: https://patch.msgid.link/20240814052228.4654-5-jasowang@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit cb06b26bb2e6d2c6a32f65f7bb1b7dcbe033d675 Author: Jason Wang Date: Wed Aug 14 13:22:27 2024 +0800 virtio-net: synchronize operstate with admin state on up/down [ Upstream commit df28de7b00502761eba62490f413c65c9b175ed9 ] This patch synchronizes operstate with admin state per RFC2863. This is done by trying to toggle the carrier upon open/close and synchronize with the config change work. This allows to propagate status correctly to stacked devices like: ip link add link enp0s3 macvlan0 type macvlan ip link set link enp0s3 down ip link show Before this patch: 3: enp0s3: mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 00:00:05:00:00:09 brd ff:ff:ff:ff:ff:ff ...... 5: macvlan0@enp0s3: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether b2:a9:c5:04:da:53 brd ff:ff:ff:ff:ff:ff After this patch: 3: enp0s3: mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000 link/ether 00:00:05:00:00:09 brd ff:ff:ff:ff:ff:ff ... 5: macvlan0@enp0s3: mtu 1500 qdisc noqueue state LOWERLAYERDOWN mode DEFAULT group default qlen 1000 link/ether b2:a9:c5:04:da:53 brd ff:ff:ff:ff:ff:ff Cc: Venkat Venkatsubra Cc: Gia-Khanh Nguyen Acked-by: Michael S. Tsirkin Signed-off-by: Jason Wang Link: https://patch.msgid.link/20240814052228.4654-4-jasowang@redhat.com Signed-off-by: Jakub Kicinski Stable-dep-of: c392d6019398 ("virtio-net: synchronize probe with ndo_set_features") Signed-off-by: Sasha Levin commit 3cc20be7d01090a52fe95f455e73accd76bdd019 Author: Jason Wang Date: Wed Aug 14 13:22:26 2024 +0800 virtio: allow driver to disable the configure change notification [ Upstream commit 224de6f886f8184fd448700a6d78f216694de948 ] Sometime, it would be useful to disable the configure change notification from the driver. So this patch allows this by introducing a variable config_change_driver_disabled and only allow the configure change notification callback to be triggered when it is allowed by both the virtio core and the driver. It is set to false by default to hold the current semantic so we don't need to change any drivers. The first user for this would be virtio-net. Cc: Venkat Venkatsubra Cc: Gia-Khanh Nguyen Acked-by: Michael S. Tsirkin Signed-off-by: Jason Wang Link: https://patch.msgid.link/20240814052228.4654-3-jasowang@redhat.com Signed-off-by: Jakub Kicinski Stable-dep-of: c392d6019398 ("virtio-net: synchronize probe with ndo_set_features") Signed-off-by: Sasha Levin commit d3cc22ddeb0a70150e71cae7adfaa6ed2d0f21b1 Author: Jason Wang Date: Wed Aug 14 13:22:25 2024 +0800 virtio: rename virtio_config_enabled to virtio_config_core_enabled [ Upstream commit 0cb70ee4a6ee6b0a4b0e0f70a64a094c6fe05944 ] Following patch will allow the config interrupt to be disabled by a specific driver via another boolean. So this patch renames virtio_config_enabled and relevant helpers to virtio_config_core_enabled. Cc: Venkat Venkatsubra Cc: Gia-Khanh Nguyen Acked-by: Michael S. Tsirkin Signed-off-by: Jason Wang Link: https://patch.msgid.link/20240814052228.4654-2-jasowang@redhat.com Signed-off-by: Jakub Kicinski Stable-dep-of: c392d6019398 ("virtio-net: synchronize probe with ndo_set_features") Signed-off-by: Sasha Levin commit 31c79c291c3717b00b8178f0acb2c760fa0e8cf4 Author: Yanteng Si Date: Wed Aug 7 21:48:02 2024 +0800 net: stmmac: dwmac-loongson: Init ref and PTP clocks rate [ Upstream commit c70f3163681381c15686bdd2fe56bf4af9b8aaaa ] Reference and PTP clocks rate of the Loongson GMAC devices is 125MHz. (So is in the GNET devices which support is about to be added.) Set the respective plat_stmmacenet_data field up in accordance with that so to have the coalesce command and timestamping work correctly. Fixes: 30bba69d7db4 ("stmmac: pci: Add dwmac support for Loongson") Signed-off-by: Feiyang Chen Signed-off-by: Yinggang Gu Reviewed-by: Serge Semin Acked-by: Huacai Chen Signed-off-by: Yanteng Si Tested-by: Serge Semin Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 5c42a3098cc382bea5b3d857f1ceb68c5e448183 Author: Eric Biggers Date: Mon Aug 5 11:27:13 2024 -0700 crypto: x86/aes-gcm - fix PREEMPT_RT issue in gcm_crypt() [ Upstream commit 001412493e74d89166d2441b622eeaea00511bdc ] On PREEMPT_RT, kfree() takes sleeping locks and must not be called with preemption disabled. Therefore, on PREEMPT_RT skcipher_walk_done() must not be called from within a kernel_fpu_{begin,end}() pair, even when it's the last call which is guaranteed to not allocate memory. Therefore, move the last skcipher_walk_done() in gcm_crypt() to the end of the function so that it goes after the kernel_fpu_end(). To make this work cleanly, rework the data processing loop to handle only non-last data segments. Fixes: b06affb1cb58 ("crypto: x86/aes-gcm - add VAES and AVX512 / AVX10 optimized AES-GCM") Reported-by: Sebastian Andrzej Siewior Closes: https://lore.kernel.org/linux-crypto/20240802102333.itejxOsJ@linutronix.de Signed-off-by: Eric Biggers Tested-by: Sebastian Andrzej Siewior Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f65c8aef4bc963bf54237c91b13318e188f978c5 Author: Francesco Dolcini Date: Mon Jul 29 13:36:40 2024 +0200 hwrng: cn10k - Enable by default CN10K driver if Thunder SoC is enabled [ Upstream commit 9d3a7ff2ce1781a77ad6f8896e1256875c17631e ] Before commit addea5858b66 ("hwrng: Kconfig - Do not enable by default CN10K driver") the Marvell CN10K Random Number Generator was always enabled when HW_RANDOM was enabled. This was changed with that commit to prevent having this driver being always enabled on arm64. To prevent introducing regression with some old defconfig enable the driver when ARCH_THUNDER is enabled. Fixes: addea5858b66 ("hwrng: Kconfig - Do not enable by default CN10K driver") Closes: https://lore.kernel.org/all/SN7PR18MB53144B37B82ADEEC5D35AE0CE3AC2@SN7PR18MB5314.namprd18.prod.outlook.com/ Signed-off-by: Francesco Dolcini Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 359b439a1b106b9dbd181498b776f4bc20d6adc2 Author: Baochen Qiang Date: Wed Jul 10 10:18:19 2024 +0800 wifi: ath12k: fix invalid AMPDU factor calculation in ath12k_peer_assoc_h_he() [ Upstream commit a66de2d0f22b1740f3f9777776ad98c4bee62dff ] Currently ampdu_factor is wrongly calculated in ath12k_peer_assoc_h_he(), fix it. This is found during code review. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4 Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Signed-off-by: Baochen Qiang Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20240710021819.87216-1-quic_bqiang@quicinc.com Signed-off-by: Sasha Levin commit ef103e5b063f824ae703de8b59bb963e836fdd2b Author: P Praneesh Date: Mon Apr 1 00:02:32 2024 +0530 wifi: ath12k: match WMI BSS chan info structure with firmware definition [ Upstream commit dd98d54db29fb553839f43ade5f547baa93392c8 ] struct wmi_pdev_bss_chan_info_event is not similar to the firmware struct definition, this will cause some random failures. Fix by matching the struct wmi_pdev_bss_chan_info_event with the firmware structure definition. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Signed-off-by: P Praneesh Signed-off-by: Karthikeyan Kathirvel Acked-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20240331183232.2158756-3-quic_kathirve@quicinc.com Signed-off-by: Sasha Levin commit 7654aa155c48e9e96aec82671f354b931950fe63 Author: P Praneesh Date: Mon Apr 1 00:02:31 2024 +0530 wifi: ath12k: fix BSS chan info request WMI command [ Upstream commit 59529c982f85047650fd473db903b23006a796c6 ] Currently, the firmware returns incorrect pdev_id information in WMI_PDEV_BSS_CHAN_INFO_EVENTID, leading to incorrect filling of the pdev's survey information. To prevent this issue, when requesting BSS channel information through WMI_PDEV_BSS_CHAN_INFO_REQUEST_CMDID, firmware expects pdev_id as one of the arguments in this WMI command. Add pdev_id to the struct wmi_pdev_bss_chan_info_req_cmd and fill it during ath12k_wmi_pdev_bss_chan_info_request(). This resolves the issue of sending the correct pdev_id in WMI_PDEV_BSS_CHAN_INFO_EVENTID. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1 Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Signed-off-by: P Praneesh Signed-off-by: Karthikeyan Kathirvel Acked-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20240331183232.2158756-2-quic_kathirve@quicinc.com Signed-off-by: Sasha Levin commit f9ac75e53af51daf44eba87961e8a9b0d4ad401d Author: Toke Høiland-Jørgensen Date: Mon Aug 5 13:02:22 2024 +0200 wifi: ath9k: Remove error checks when creating debugfs entries [ Upstream commit f6ffe7f0184792c2f99aca6ae5b916683973d7d3 ] We should not be checking the return values from debugfs creation at all: the debugfs functions are designed to handle errors of previously called functions and just transparently abort the creation of debugfs entries when debugfs is disabled. If we check the return value and abort driver initialisation, we break the driver if debugfs is disabled (such as when booting with debugfs=off). Earlier versions of ath9k accidentally did the right thing by checking the return value, but only for NULL, not for IS_ERR(). This was "fixed" by the two commits referenced below, breaking ath9k with debugfs=off starting from the 6.6 kernel (as reported in the Bugzilla linked below). Restore functionality by just getting rid of the return value check entirely. Link: https://bugzilla.kernel.org/show_bug.cgi?id=219122 Fixes: 1e4134610d93 ("wifi: ath9k: use IS_ERR() with debugfs_create_dir()") Fixes: 6edb4ba6fb5b ("wifi: ath9k: fix parameter check in ath9k_init_debug()") Reported-by: Daniel Tobias Tested-by: Daniel Tobias Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20240805110225.19690-1-toke@toke.dk Signed-off-by: Sasha Levin commit 16508f75eab14eea4e127bccc9f49965ab65bb40 Author: Arend van Spriel Date: Sat Jul 27 20:56:17 2024 +0200 wifi: brcmfmac: introducing fwil query functions [ Upstream commit c6002b6c05f3edfa12fd25990cc637281f200442 ] When the firmware interface layer was refactored it provided various "get" and "set" functions. For the "get" in some cases a parameter needed to be passed down to firmware as a key indicating what to "get" turning the output parameter of the "get" function into an input parameter as well. To accommodate this the "get" function blindly copies the parameter which in some places resulted in an uninitialized warnings from the compiler. These have been fixed by initializing the input parameter in the past. Recently another batch of similar fixes were submitted to address clang static checker warnings [1]. Proposing another solution by introducing a "query" variant which is used when the (input) parameter is needed by firmware. The "get" variant will only fill the (output) parameter with the result received from firmware taking care of proper endianess conversion. [1] https://lore.kernel.org/all/20240702122450.2213833-1-suhui@nfschina.com/ Fixes: 81f5dcb80830 ("brcmfmac: refactor firmware interface layer.") Reported-by: Su Hui Signed-off-by: Arend van Spriel Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20240727185617.253210-1-arend.vanspriel@broadcom.com Signed-off-by: Sasha Levin commit 5650cd4cd246ba3e6284e44f24237383f4aec6d0 Author: Simon Horman Date: Fri Aug 2 16:43:17 2024 +0100 eth: fbnic: select DEVLINK and PAGE_POOL [ Upstream commit 9a95b7a89dffae5f1e99dd73748f144fec820292 ] Build bot reports undefined references to devlink functions. And local testing revealed undefined references to page_pool functions. Based on a patch by Jakub Kicinski Fixes: 1a9d48892ea5 ("eth: fbnic: Allocate core device specific structures and devlink interface") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202408011219.hiPmwwAs-lkp@intel.com/ Signed-off-by: Simon Horman Link: https://patch.msgid.link/20240802-fbnic-select-v2-1-41f82a3e0178@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f1e46e74ac9a9b88125c28cfa7361981fc695f1c Author: Aleksandr Mishin Date: Wed Jul 31 01:53:39 2024 +0300 ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe() [ Upstream commit 07442c46abad1d50ac82af5e0f9c5de2732c4592 ] In tps68470_pmic_opregion_probe() pointer 'dev' is compared to NULL which is useless. Fix this issue by removing unneeded check. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e13452ac3790 ("ACPI / PMIC: Add TI PMIC TPS68470 operation region driver") Suggested-by: Andy Shevchenko Signed-off-by: Aleksandr Mishin Reviewed-by: Sakari Ailus Reviewed-by: Andy Shevchenko Link: https://patch.msgid.link/20240730225339.13165-1-amishin@t-argos.ru [ rjw: Subject edit ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit c66f0be993ba52410edab06124c54ecf143b05c1 Author: Dan Carpenter Date: Wed Jul 24 11:09:43 2024 -0500 crypto: iaa - Fix potential use after free bug [ Upstream commit e0d3b845a1b10b7b5abdad7ecc69d45b2aab3209 ] The free_device_compression_mode(iaa_device, device_mode) function frees "device_mode" but it iss passed to iaa_compression_modes[i]->free() a few lines later resulting in a use after free. The good news is that, so far as I can tell, nothing implements the ->free() function and the use after free happens in dead code. But, with this fix, when something does implement it, we'll be ready. :) Fixes: b190447e0fa3 ("crypto: iaa - Add compression mode management along with fixed mode") Signed-off-by: Dan Carpenter Reviewed-by: Tom Zanussi Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 70bae3641ff4e9c750a207627d920a3efcd6c131 Author: Michal Witwicki Date: Wed Jul 17 07:44:59 2024 -0400 crypto: qat - ensure correct order in VF restarting handler [ Upstream commit cd8d2d74292c199b433ef77762bb1d28a4821784 ] In the process of sending the ADF_PF2VF_MSGTYPE_RESTARTING message to Virtual Functions (VFs), the Physical Function (PF) should set the `vf->restarting` flag to true before dispatching the message. This change is necessary to prevent a race condition where the handling of the ADF_VF2PF_MSGTYPE_RESTARTING_COMPLETE message (which sets the `vf->restarting` flag to false) runs immediately after the message is sent, but before the flag is set to true. Set the `vf->restarting` to true before sending the message ADF_PF2VF_MSGTYPE_RESTARTING, if supported by the version of the protocol and if the VF is started. Fixes: ec26f8e6c784 ("crypto: qat - update PFVF protocol for recovery") Signed-off-by: Michal Witwicki Reviewed-by: Giovanni Cabiddu Reviewed-by: Przemek Kitszel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 18cc7feb11cba02c79037a5ffaeae7da267ba4a3 Author: Michal Witwicki Date: Wed Jul 17 07:44:58 2024 -0400 crypto: qat - fix recovery flow for VFs [ Upstream commit 6f1b5236348fced7e7691a933327694b4106bc39 ] When the PFVF protocol was updated to support version 5, i.e. ADF_PFVF_COMPAT_FALLBACK, the compatibility version for the VF was updated without supporting the message RESTARTING_COMPLETE required for such version. Add support for the ADF_VF2PF_MSGTYPE_RESTARTING_COMPLETE message in the VF drivers. This message is sent by the VF driver to the PF to notify the completion of the shutdown flow. Fixes: ec26f8e6c784 ("crypto: qat - update PFVF protocol for recovery") Signed-off-by: Michal Witwicki Reviewed-by: Giovanni Cabiddu Reviewed-by: Przemek Kitszel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c8bc71f2934fb73afbb775a993fb77cd1c0e9895 Author: Michal Witwicki Date: Wed Jul 17 07:44:57 2024 -0400 crypto: qat - disable IOV in adf_dev_stop() [ Upstream commit b6c7d36292d50627dbe6a57fa344f87c776971e6 ] Disabling IOV has the side effect of re-enabling the AEs that might attempt to do DMAs into the heartbeat buffers. Move the disable_iov() function in adf_dev_stop() before the AEs are stopped. Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV") Signed-off-by: Michal Witwicki Reviewed-by: Giovanni Cabiddu Reviewed-by: Przemek Kitszel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 6691fbc88f72d7ebdab176b10175800044a26083 Author: Helge Deller Date: Mon Jul 8 14:24:52 2024 +0200 crypto: xor - fix template benchmarking [ Upstream commit ab9a244c396aae4aaa34b2399b82fc15ec2df8c1 ] Commit c055e3eae0f1 ("crypto: xor - use ktime for template benchmarking") switched from using jiffies to ktime-based performance benchmarking. This works nicely on machines which have a fine-grained ktime() clocksource as e.g. x86 machines with TSC. But other machines, e.g. my 4-way HP PARISC server, don't have such fine-grained clocksources, which is why it seems that 800 xor loops take zero seconds, which then shows up in the logs as: xor: measuring software checksum speed 8regs : -1018167296 MB/sec 8regs_prefetch : -1018167296 MB/sec 32regs : -1018167296 MB/sec 32regs_prefetch : -1018167296 MB/sec Fix this with some small modifications to the existing code to improve the algorithm to always produce correct results without introducing major delays for architectures with a fine-grained ktime() clocksource: a) Delay start of the timing until ktime() just advanced. On machines with a fast ktime() this should be just one additional ktime() call. b) Count the number of loops. Run at minimum 800 loops and finish earliest when the ktime() counter has progressed. With that the throughput can now be calculated more accurately under all conditions. Fixes: c055e3eae0f1 ("crypto: xor - use ktime for template benchmarking") Signed-off-by: Helge Deller Tested-by: John David Anglin v2: - clean up coding style (noticed & suggested by Herbert Xu) - rephrased & fixed typo in commit message Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit e9a78d9417e167410d6fb83c4e908b077ad8ba6d Author: Dmitry Antipov Date: Fri Jul 26 14:46:57 2024 +0300 wifi: rtw88: always wait for both firmware loading attempts [ Upstream commit 0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d ] In 'rtw_wait_firmware_completion()', always wait for both (regular and wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue 'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually the wowlan one) is still in progress, causing UAF detected by KASAN. Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported") Reported-by: syzbot+6c6c08700f9480c41fe3@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3 Signed-off-by: Dmitry Antipov Signed-off-by: Ping-Ke Shih Link: https://patch.msgid.link/20240726114657.25396-1-dmantipov@yandex.ru Signed-off-by: Sasha Levin commit afd165b40e366cf3b44eaaa52267657b2109221c Author: Shubhrajyoti Datta Date: Thu Jul 11 15:36:56 2024 +0530 EDAC/synopsys: Fix error injection on Zynq UltraScale+ [ Upstream commit 35e6dbfe1846caeafabb49b7575adb36b0aa2269 ] The Zynq UltraScale+ MPSoC DDR has a disjoint memory from 2GB to 32GB. The DDR host interface has a contiguous memory so while injecting errors, the driver should remove the hole else the injection fails as the address translation is incorrect. Introduce a get_mem_info() function pointer and set it for Zynq UltraScale+ platform to return host address. Fixes: 1a81361f75d8 ("EDAC, synopsys: Add Error Injection support for ZynqMP DDR controller") Signed-off-by: Shubhrajyoti Datta Signed-off-by: Borislav Petkov (AMD) Link: https://lore.kernel.org/r/20240711100656.31376-1-shubhrajyoti.datta@amd.com Signed-off-by: Sasha Levin commit 6db232905e094e64abff1f18249905d068285e09 Author: Kang Yang Date: Wed Jul 3 17:40:49 2024 +0300 wifi: ath11k: use work queue to process beacon tx event [ Upstream commit 177b49dbf9c1d8f9f25a22ffafa416fc2c8aa6a3 ] Commit 3a415daa3e8b ("wifi: ath11k: add P2P IE in beacon template") from Feb 28, 2024 (linux-next), leads to the following Smatch static checker warning: drivers/net/wireless/ath/ath11k/wmi.c:1742 ath11k_wmi_p2p_go_bcn_ie() warn: sleeping in atomic context The reason is that ath11k_bcn_tx_status_event() will directly call might sleep function ath11k_wmi_cmd_send() during RCU read-side critical sections. The call trace is like: ath11k_bcn_tx_status_event() -> rcu_read_lock() -> ath11k_mac_bcn_tx_event() -> ath11k_mac_setup_bcn_tmpl() …… -> ath11k_wmi_bcn_tmpl() -> ath11k_wmi_cmd_send() -> rcu_read_unlock() Commit 886433a98425 ("ath11k: add support for BSS color change") added the ath11k_mac_bcn_tx_event(), commit 01e782c89108 ("ath11k: fix warning of RCU usage for ath11k_mac_get_arvif_by_vdev_id()") added the RCU lock to avoid warning but also introduced this BUG. Use work queue to avoid directly calling ath11k_mac_bcn_tx_event() during RCU critical sections. No need to worry about the deletion of vif because cancel_work_sync() will drop the work if it doesn't start or block vif deletion until the running work is done. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 Fixes: 3a415daa3e8b ("wifi: ath11k: add P2P IE in beacon template") Reported-by: Dan Carpenter Closes: https://lore.kernel.org/all/2d277abd-5e7b-4da0-80e0-52bd96337f6e@moroto.mountain/ Signed-off-by: Kang Yang Acked-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20240626053543.1946-1-quic_kangyang@quicinc.com Signed-off-by: Sasha Levin